G'Day,
I use both anomy and Sophos.
Here is a sample of the sanitizer.rc in my implementation
file_list_1_scanner = 0:2:3:/usr/local/bin/check_for_virus %FILENAME %REPLY_TO virusmanager 65221@xyz.molar.is %HEADER(to) %HEADER(subject)
file_list_1_policy = unknown:mangle:save:save
file_list_1 = (?i)(winmail\.dat
file_list_1 += |\.(exe|vb[es]|zip|lnk|cmd|c(om|hm)|bat|pif|s(ys|cr)
file_list_1 += |do[ct]|pp[tas]|xl[scidiklmtvwba]|doch|rtf|wiz
file_list_1 += |sct|inf|js|jse|ms[ip]|ws[chf])
file_list_1 += (\.g?z|\.bz\d?)*)$
The script looks something like this.
--------------------------------------- Cut Here ------------------
#!/bin/sh
# Script for the Sanitizer
# Using either F-PROT, AVP, Sweep or VirusScan antivirus systems
# Version: 1.01, Xavier Roche/Serianet
# Hacked about by: Me
# Usage: check_for_virus <filename> <reply to> <virusmanager email address>
#        <who you wish to show as sender> <who it was going to> <subject>
# Returns: "CLEAN : OK" | "VIRUS : <information>" | "ERROR"
# Exitcode: 0=OK 2=SUSPICIOUS 3=VIRUS
# This script is under GPL
##############################################################################
# Instructions (copied from e-mail from Xavier by Bjarni):
#
# I tested various AV systems (avp, f-prot..) and attached to this mail
# a simple script which recognizes the four most used av scanners on
# linux systems (the script can be freely used and spread, of course).
#
# The use is simple: check_for_virus <filename>
# which will return 0 (OK), 2 (warning), or 3 (danger)
#
# For example, I use the main policy:
#
# file_list_1_scanner = 0:2:3:/etc/procmail/check_for_virus %FILENAME
# file_list_1_policy = unknown:mangle:save:save
# file_list_1 = (?i).*
#
############################################################################
#
# Since I have rooted around with the script I'm not sure if the other
# AV systems still work. But this is running on SCO OpenServer, sendmail
# and Sophos.
Tag=`echo "-t $$"`
VirLog=/tmp/vir$$
. /usr/local/anomy/etc/check.cfg
logger $Tag "check $1"
if test -n "$1"; then
if test -f "$1"; then
# Process the arguments and make sane.
# Usage: checkfor_viruses {File} {Reply} {Admin} {From} {To} {Subject}
#
# File ---- Full path of file
# Reply --- The sender's reply address
# Admin --- The admin who gets the CC of the virus alert
# From ---- The sender email address to be placed on the virus alert
# To ------ The email address from the header of the recipient
# Subject - The subject of the email from the header
# FILENAME
Filename=`basename "$1" | cut -c5-`
# REPLY_TO
if [ "$2" = "" ]
then
Reply="$VirusAdmin"
else
reply="$2"
if echo "$reply" | grep "<" >/dev/null 2>&1
then
Reply=`echo "$reply" | awk -F\< '{ print $2 }' | awk -F\> '{ print $1 }' | sed 's/^_//'`
else
Reply=`echo "$reply" | sed 's/^_//'`
fi
fi
# ERROR_TO
if [ "$3" = "" ]
then
Admin="$VirusAdmin"
else
admin="$3"
if echo "$admin" | grep "<" >/dev/null 2>&1
then
Admin=`echo "$admin" | awk -F\< '{ print $2 }' | awk -F\> '{ print $1 }'`
else
Admin=`echo "$admin"`
fi
fi
# FROM
if [ "$4" = "" ]
then
From="$VirusAdmin"
else
from="$4"
if echo "$from" | grep "<" >/dev/null 2>&1
then
From=`echo "$from" | awk -F\< '{ print $2 }' | awk -F\> '{ print $1 }'`
else
From=`echo "$from"`
fi
fi
# RECEIVER
if [ "$5" = "" ]
then
To="$VirusAdmin"
else
to="$5"
if echo "$to" | grep "<" >/dev/null 2>&1
then
To=`echo "$to" | awk -F\< '{ print $2 }' | awk -F\> '{ print $1 }'`
else
To=`echo "$to"`
fi
fi
# SUBJECT
# Strip CR/LF so a folded subject cannot inject extra header lines.
subject=`echo "$6" | tr -d '\r\n'`
if [ "$subject" = "" ]
then
Subject="No Subject"
else
Subject=`echo "$subject"`
fi
Header="From: $From\nTo: $Reply\nCc: $Admin\nSubject: $Subject\n\n"
Message="WARNING!!! WARNING!!! WARNING!!!!\n\nThe email addressed to \"$To\" with the subject \n\"$Subject\" contained a Virus infected file attachment.\n\nThe filename was \"$Filename\" and has been deleted from the email.\n\nYou may wish to check your system for viruses.\n\n"
RET=0
# F-PROT (FRISK Software F-Prot Antivirus for Linux)
if test -x /usr/local/bin/f-prot; then
STATUS=
/usr/local/bin/f-prot -NOBOOT -NOMEM -NOSUB -ARCHIVE -PACKED "$1" 2>/dev/null >/dev/null
RETURNCODE=$?
if test $RETURNCODE -eq 3; then
STATUS="virus found"
RET=3
fi
if test -n "$STATUS"; then
INFO=`/usr/local/bin/f-prot -NOBOOT -NOMEM -NOSUB -ARCHIVE -PACKED "$1" 2>/dev/null | grep -iE "infection:"|sed -e 's/.*infection:\(.*\)/\1/i' -e 's/^[ \>]*//g' -e 's/[ ]*$//g'`
logger $Tag "virus check for $1: VIRUS FOUND!! - $INFO"
echo "VIRUS : $INFO"
else
logger $Tag "virus check for $1: ok"
echo "CLEAN : OK"
fi
# AVP (Kaspersky Anti-Virus for Linux)
elif test -x /usr/bin/kavscanner; then
STATUS=
/usr/bin/kavscanner -LP -I0 "$1" 2>/dev/null >/dev/null
RETURNCODE=$?
if test $RETURNCODE -eq 2; then
STATUS="suspicious file, maybe altered virus"
RET=2
elif test $RETURNCODE -eq 3; then
STATUS="suspicious file"
RET=2
elif test $RETURNCODE -eq 4; then
STATUS="virus found"
RET=3
fi
if test -n "$STATUS"; then
INFO=`/usr/bin/kavscanner -LP -I0 "$1" 2>/dev/null | grep -iE "infected:"|sed -e 's/^[ \>]*//g' -e 's/[ ]*$//g'`
echo "VIRUS : $INFO"
logger $Tag "virus check for $1: VIRUS FOUND!! - $INFO"
else
logger $Tag "virus check for $1: ok"
echo "CLEAN : OK"
fi
# Sophos Sweep Antivirus (SWEEP virus detection utility 3.47)
elif test -x /usr/local/bin/sweep; then
# Capture stdout and stderr together in $VirLog (the original "2>$VirLog >$VirLog"
# opened the same file twice and lost output).
/usr/local/bin/sweep -ndi -s -ss -archive --no-follow-symlinks --skip-special --no-quarantine "$1" >$VirLog 2>&1
if test $? -eq 3; then
# Reuse the captured output instead of scanning the file a second time.
INFO=`grep -iE "Found.*virus" $VirLog | sed -e 's/^[ \>]*//g' -e 's/[ ]*$//g'`
echo "VIRUS : $INFO"
VirusName=`grep "$Filename" $VirLog | cut -d\' -f2`
logger $Tag "virus check for $1: VIRUS FOUND!! - $INFO"
(
echo "$Header"
echo "$Message"
echo "The Virus type detected was \"$VirusName\".\n\n\nThank you"
) | /usr/lib/sendmail -t
logger $Tag "VIRUS FOUND!! To: $To"
logger $Tag "VIRUS FOUND!! From: $2 ($Reply)"
logger $Tag "VIRUS FOUND!! Subject: $Subject"
logger $Tag "VIRUS FOUND!! Virus Type: $VirusName"
logger $Tag "VIRUS FOUND!! Advised: $Admin"
RET=3
else
logger $Tag "virus check for $1: ok"
echo "CLEAN : OK"
fi
# NAI VirusScan (McAfee VirusScan for Unix Linux 4.14.0)
elif test -x /usr/local/bin/uvscan; then
/usr/local/bin/uvscan --analyze --noexpire "$1" 2>/dev/null >/dev/null
if test $? -eq 13; then
INFO=`/usr/local/bin/uvscan --analyze --noexpire "$1" 2>/dev/null | grep -iE "Found.*virus"|sed -e 's/^[ ]*//g' -e 's/[ ]*$//g'`
echo "VIRUS : $INFO"
logger $Tag "virus check for $1: VIRUS FOUND!! - $INFO"
RET=3
else
logger $Tag "virus check for $1: ok"
echo "CLEAN : OK"
fi
fi
rm -f $VirLog
exit $RET
fi
fi
echo "ERROR"
exit 0
------------------------- Cut End ------------------------------
Kind Regards
Peter
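An added example, not Peter's check_for_virus script and not Anomy's code, of the contract a wrapper has to keep for a "0:2:3:/path/wrapper" scanner line: map a Sweep exit code plus its output to the sanitizer's 0/2/3 codes, never reporting an unrecognised scanner code as 0, and decode a raw wait status such as the 9216 in the quoted log (9216 / 256 = 36). It assumes the logged value is a raw wait status in the form Perl's $? holds after system(); the Sweep output line is constructed and no scanner is run.

```shell
#!/bin/sh
# Added example, not the check_for_virus script above nor Anomy's own code.
# Contract for "file_list_1_scanner = 0:2:3:/path/wrapper %FILENAME":
# exit 0 = clean, 2 = suspicious, 3 = virus, any other code = "unknown" policy.
# No real scanner is invoked; the scanner exit code and its output are passed in.

# Sweep-style report, constructed for this example (not real scanner output).
SAMPLE_HIT=">>> Virus 'EICAR-AV-Test' found in file /var/spool/quarantine/SM-test.com
1 file swept in 1 second.
1 virus was discovered."

# virus_name OUTPUT: print the name quoted in a "Virus '...' found" line.
virus_name() {
    printf '%s\n' "$1" | sed -n "s/.*Virus '\([^']*\)' found.*/\1/p" | head -n 1
}

# map_status SWEEP_EXIT OUTPUT: print the one-line verdict and return the
# sanitizer code. Sweep's 3 = virus found is the code the script above tests
# for; every other non-zero code is reported with a non-zero return, so the
# sanitizer applies its "unknown" policy instead of treating the file as clean.
map_status() {
    case "$1" in
        0) echo "CLEAN : OK"; return 0 ;;
        3) echo "VIRUS : $(virus_name "$2")"; return 3 ;;
        *) echo "ERROR : scanner exit code $1"; return 1 ;;
    esac
}

# wait_exit RAW: the exit code carried in the high byte of a raw wait status,
# the form Perl's $? takes after system(). Assumed here to be what produced
# "Unknown exit code: 9216" in the quoted log; 9216 decodes to exit code 36.
wait_exit() {
    echo $(( $1 / 256 ))
}

# wait_signal RAW: the signal number in the low 7 bits of a raw wait status.
wait_signal() {
    echo $(( $1 % 128 ))
}
```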
> -----Original Message-----
> From: Corey Appleby [mailto:65131@xyz.molar.is]
> Sent: Friday, November 15, 2002 2:25 PM
> To: 65171@xyz.molar.is
> Subject: [anomy-list]: Sanitizer + Sophos question
>
>
> Hello,
>
> I'm running the Sanitizer with Sophos' virus scanner. The scanner is
> working, and the sanitizer is working, but I can't get them to work
> together. Here's my setup:
>
>
> My sanitizer.rc file calls a wrapper script for sweep.
>
> sanitizer.rc:
> file_list_3_scanner = 0:20:24:/usr/local/bin/sweep.sh %FILENAME
> file_list_3_policy = accept:accept:drop:save
> file_list_3 = (?i)\.(com)$
>
>
> here's the contents of that wrapper.
> sweep.sh:
> #!/bin/sh
>
> [ "$1" = "" ] && exit 21
> [ -f "$1" ] || exit 22
> exec /usr/local/bin/sweep -di -eec -nc -p=/var/log/sophos_sweep.log $1
> 2>/dev/null > /dev/null
>
> But when I send myself a .com file, Sanitizer does whatever the default
> policy is for that rule (in this case it saves it) Here's the
> SANITIZER-LOG output:
>
> Part (pos="962"):
> SanitizeFile (filename="test.com", mimetype="TEXT/PLAIN"):
> Match (rule="3"):
> ScanFile (file="/var/spool/quarantine/SM-test.com"):
> Unknown exit code: 9216
>
> Enforced policy: save
>
> Obviously that exit code isn't what I should be getting. Sophos sweep
> should return one of the codes I have listed. Anyone have any idea why
> I'm getting that code? I modeled my wrapper script on the avp.sh
> script in the Sanitizer "real world configuration" example on Anomy's
> website.
>
> Any help would be greatly appreciated.
>
> Thanks,
> corey
>
>