anomy-list

RE: Sanitizer + Sophos question

From: Peter Williams (65090@xyz.molar.is)
Date: Fri 15 Nov 2002 - 03:46:25 GMT


    G'Day,

    I use both anomy and Sophos.

    Here is a sample of the sanitizer.rc in my implementation:

    file_list_1_scanner = 0:2:3:/usr/local/bin/check_for_virus %FILENAME %REPLY_TO virusmanager 65221@xyz.molar.is %HEADER(to) %HEADER(subject)
    file_list_1_policy = unknown:mangle:save:save
    file_list_1 = (?i)(winmail\.dat
    file_list_1 += |\.(exe|vb[es]|zip|lnk|cmd|c(om|hm)|bat|pif|s(ys|cr)
    file_list_1 += |do[ct]|pp[tas]|xl[scidiklmtvwba]|doch|rtf|wiz
    file_list_1 += |sct|inf|js|jse|ms[ip]|ws[chf])
    file_list_1 += (\.g?z|\.bz\d?)*)$

    The script looks something like this.

    --------------------------------------- Cut Here ------------------
    #!/bin/sh
    # Script for the Sanitizer
    # Using either F-PROT, AVP, Sweep or VirusScan antivirus systems
    # Version: 1.01, Xavier Roche/Serianet
    # Hacked about by: Me
    # Usage: check_for_virus <filename> <reply to> <virusmanager email address> <Who you wish to show as sender> <Who it was going to> <subject>
    # Returns: "CLEAN : OK" | "VIRUS : <information>" | "ERROR"
    # Exitcode: 0=OK 2=SUSPICIOUS 3=VIRUS
    # This script is under GPL

    ##############################################################################
    # Instructions (copied from e-mail from Xavier by Bjarni):
    #
    # I tested various AV systems (avp, f-prot..) and attached to this mail
    # a simple script which recognizes the four most used av scanners on
    # linux systems (the script can be freely used and spread, of course).
    #
    # The use is simple: check_for_virus <filename>
    # which will return 0 (OK), 2 (warning), or 3 (danger)
    #
    # For example, I use the main policy:
    #
    # file_list_1_scanner = 0:2:3:/etc/procmail/check_for_virus %FILENAME
    # file_list_1_policy = unknown:mangle:save:save
    # file_list_1 = (?i).*
    #
    ############################################################################
    #
    # Since I have rooted around with the script I'm not sure if the other
    # AV systems still work. But this is running on SCO Openserver, sendmail
    # and Sophos.

    # Tag every logger line with this process id.
    Tag="-t $$"
    # Scratch file for the Sophos report (note: a predictable name under /tmp).
    VirLog=/tmp/vir$$
    # Site settings; expected to define VirusAdmin, the fallback address used below.
    . /usr/local/anomy/etc/check.cfg

    logger $Tag "check $1"

    if test -n "$1"; then
        if test -f "$1"; then

            # Process the arguments and make sane.
            # Usage: check_for_virus {File} {Reply} {Admin} {From} {To} {Subject}
            #
            # File ---- Full path of file
            # Reply --- The sender's reply address
            # Admin --- The Admin who gets the CC of virus alert
            # From ---- The sender email address to be placed on the virus alert
            # To ------ The email address from the header of recipient
            # Subject - The subject of the email from header

            # FILENAME
            Filename=`basename "$1" | cut -c5-`

            # REPLY_TO
            if [ "$2" = "" ]
            then
                Reply="$VirusAdmin"
            else
                reply="$2"
                if echo "$reply" | grep "<" >/dev/null 2>&1
                then
                    # Keep only the address between < and >, minus a leading underscore.
                    Reply=`echo "$reply" | awk -F\< '{ print $2 }' | awk -F\> '{ print $1 }' | sed 's/^_//'`
                else
                    Reply=`echo "$reply" | sed 's/^_//'`
                fi
            fi

            # ERROR_TO
            if [ "$3" = "" ]
            then
                Admin="$VirusAdmin"
            else
                admin="$3"
                if echo "$admin" | grep "<" >/dev/null 2>&1
                then
                    Admin=`echo "$admin" | awk -F\< '{ print $2 }' | awk -F\> '{ print $1 }'`
                else
                    Admin="$admin"
                fi
            fi

            # FROM
            if [ "$4" = "" ]
            then
                From="$VirusAdmin"
            else
                from="$4"
                if echo "$from" | grep "<" >/dev/null 2>&1
                then
                    From=`echo "$from" | awk -F\< '{ print $2 }' | awk -F\> '{ print $1 }'`
                else
                    From="$from"
                fi
            fi

            # RECEIVER
            if [ "$5" = "" ]
            then
                To="$VirusAdmin"
            else
                to="$5"
                if echo "$to" | grep "<" >/dev/null 2>&1
                then
                    To=`echo "$to" | awk -F\< '{ print $2 }' | awk -F\> '{ print $1 }'`
                else
                    To="$to"
                fi
            fi

            # SUBJECT
            # Strip CR/LF so the subject cannot inject extra header lines into the alert.
            subject=`echo "$6" | tr -d '\r\n'`
            if [ "$subject" = "" ]
            then
                Subject="No Subject"
            else
                Subject="$subject"
            fi

            Header="From: $From\nTo: $Reply\nCc: $Admin\nSubject: $Subject\n\n"
            Message="WARNING!!! WARNING!!! WARNING!!!!\n\n"
            Message="${Message}The email addressed to \"$To\" with the subject \n\"$Subject\" contained a Virus infected file attachment.\n\n"
            Message="${Message}The filename was \"$Filename\" and has been deleted from the email.\n\n"
            Message="${Message}You may wish to check your system for viruses.\n\n"

            RET=0

            # F-PROT (FRISK Software F-Prot Antivirus for Linux)
            if test -x /usr/local/bin/f-prot; then
                STATUS=
                /usr/local/bin/f-prot -NOBOOT -NOMEM -NOSUB -ARCHIVE -PACKED "$1" >/dev/null 2>&1
                RETURNCODE=$?
                if test $RETURNCODE -eq 3; then
                    STATUS="virus found"
                    RET=3
                fi
                if test -n "$STATUS"; then
                    INFO=`/usr/local/bin/f-prot -NOBOOT -NOMEM -NOSUB -ARCHIVE -PACKED "$1" 2>/dev/null |
                        grep -iE "infection:" | sed -e 's/.*infection:\(.*\)/\1/i' -e 's/^[ \>]*//g' -e 's/[ ]*$//g'`
                    logger $Tag "virus check for $1: VIRUS FOUND!! - $INFO"
                    echo "VIRUS : $INFO"
                else
                    logger $Tag "virus check for $1: ok"
                    echo "CLEAN : OK"
                fi
            # AVP (Kaspersky Anti-Virus for Linux)
            elif test -x /usr/bin/kavscanner; then
                STATUS=
                /usr/bin/kavscanner -LP -I0 "$1" 2>/dev/null >/dev/null
                RETURNCODE=$?
                if test $RETURNCODE -eq 2; then
                    STATUS="suspicious file, maybe altered virus"
                    RET=2
                elif test $RETURNCODE -eq 3; then
                    STATUS="suspicious file"
                    RET=2
                elif test $RETURNCODE -eq 4; then
                    STATUS="virus found"
                    RET=3
                fi
                if test -n "$STATUS"; then
                    INFO=`/usr/bin/kavscanner -LP -I0 "$1" 2>/dev/null |
                        grep -iE "infected:" | sed -e 's/^[ \>]*//g' -e 's/[ ]*$//g'`
                    echo "VIRUS : $INFO"
                    logger $Tag "virus check for $1: VIRUS FOUND!! - $INFO"
                else
                    logger $Tag "virus check for $1: ok"
                    echo "CLEAN : OK"
                fi
            # Sophos Sweep Antivirus (SWEEP virus detection utility 3.47)
            elif test -x /usr/local/bin/sweep; then
                # Run sweep once, keeping its report in $VirLog; exit status 3 means a virus was found.
                /usr/local/bin/sweep -ndi -s -ss -archive --no-follow-symlinks --skip-special --no-quarantine "$1" >$VirLog 2>&1
                if test $? -eq 3; then
                    INFO=`grep -iE "Found.*virus" $VirLog | sed -e 's/^[ \>]*//g' -e 's/[ ]*$//g'`
                    echo "VIRUS : $INFO"
                    # The report line naming the file carries the virus name in single quotes.
                    VirusName=`grep "$Filename" $VirLog | cut -d\' -f2`
                    logger $Tag "virus check for $1: VIRUS FOUND!! - $INFO"
                    # Mail the alert; sendmail -t takes the recipients from the To:/Cc: headers.
                    (
                       printf "%b" "$Header"
                       printf "%b" "$Message"
                       printf "%b" "The Virus type detected was \"$VirusName\".\n\n\nThankyou\n"
                    ) | /usr/lib/sendmail -t
                    logger $Tag "VIRUS FOUND!! To: $To"
                    logger $Tag "VIRUS FOUND!! From: $2 ($Reply)"
                    logger $Tag "VIRUS FOUND!! Subject: $Subject"
                    logger $Tag "VIRUS FOUND!! Virus Type: $VirusName"
                    logger $Tag "VIRUS FOUND!! Advised: $Admin"
                    RET=3
                else
                    logger $Tag "virus check for $1: ok"
                    echo "CLEAN : OK"
                fi
            # NAI VirusScan (McAfee VirusScan for Unix Linux 4.14.0)
            elif test -x /usr/local/bin/uvscan; then
                /usr/local/bin/uvscan --analyze --noexpire "$1" >/dev/null 2>&1
                if test $? -eq 13; then
                    INFO=`/usr/local/bin/uvscan --analyze --noexpire "$1" 2>/dev/null |
                        grep -iE "Found.*virus" | sed -e 's/^[ ]*//g' -e 's/[ ]*$//g'`
                    echo "VIRUS : $INFO"
                    logger $Tag "virus check for $1: VIRUS FOUND!! - $INFO"
                    RET=3
                else
                    logger $Tag "virus check for $1: ok"
                    echo "CLEAN : OK"
                fi
            fi
            rm -f $VirLog
            exit $RET

        fi
    fi
    # No usable file was given: report ERROR. Note that exit 0 is the same code
    # the script returns for a clean file.
    echo "ERROR"
    exit 0
    ------------------------- Cut End ------------------------------

    Kind Regards

    Peter

    > -----Original Message-----
    > From: Corey Appleby [mailto:65131@xyz.molar.is]
    > Sent: Friday, November 15, 2002 2:25 PM
    > To: 65171@xyz.molar.is
    > Subject: [anomy-list]: Sanitizer + Sophos question
    >
    >
    > Hello,
    >
    > I'm running the Sanitizer with Sophos' virus scanner. The scanner is
    > working, and the sanitizer is working, but I can't get them to work
    > together. Here's my setup:
    >
    >
    > My sanitizer.rc file calls a wrapper script for sweep.
    >
    > sanitizer.rc:
    > file_list_3_scanner = 0:20:24:/usr/local/bin/sweep.sh %FILENAME
    > file_list_3_policy = accept:accept:drop:save
    > file_list_3 = (?i)\.(com)$
    >
    >
    > here's the contents of that wrapper.
    > sweep.sh:
    > #!/bin/sh
    >
    > [ "$1" = "" ] && exit 21
    > [ -f "$1" ] || exit 22
    > exec /usr/local/bin/sweep -di -eec -nc -p=/var/log/sophos_sweep.log "$1" 2>/dev/null > /dev/null
    >
    > But when I send myself a .com file, Sanitizer does whatever the default
    > policy is for that rule (in this case it saves it). Here's the
    > SANITIZER-LOG output:
    >
    > Part (pos="962"):
    > SanitizeFile (filename="test.com", mimetype="TEXT/PLAIN"):
    > Match (rule="3"):
    > ScanFile (file="/var/spool/quarantine/SM-test.com"):
    > Unknown exit code: 9216
    >
    > Enforced policy: save
    >
    > Obviously that exit code isn't what I should be getting. Sophos sweep
    > should return one of the codes I have listed. Anyone have any idea why
    > I'm getting that code? I modeled my wrapper script on the avp.sh
    > script in the Sanitizer "real world configuration" example on Anomy's
    > website.
    >
    > Any help would be greatly appreciated.
    >
    > Thanks,
    > corey
    >
    >
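As an added example (not code from either message in this thread), here is a minimal sweep wrapper that keeps the 0:2:3 exit-code contract from the sanitizer.rc above but fails closed: scanner errors, unknown codes and a missing file map to 2 (suspicious) instead of passing as clean, and a small helper decodes a raw Perl wait status such as the 9216 in Corey's log. Assumed: $SCANNER is a sweep-like command exiting 0 for clean and 3 for "virus found", and the scanner output in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added example (not code from either message): a fail-closed sweep wrapper
# for the 0:2:3 contract in the sanitizer.rc line above. Assumed: $SCANNER
# behaves like the sweep call in the script, exiting 0 for clean and 3 for
# "virus found".
SCANNER="${SCANNER:-/usr/local/bin/sweep}"

# Perl's system() leaves the 16-bit wait status in $?, child exit code in the
# high byte. If the sanitizer logs that raw value, "Unknown exit code: 9216"
# corresponds to a scanner exit code of 36.
decode_wait_status() {
    echo $(( $1 / 256 ))
}

# Map a scanner exit code onto the contract: 0 = clean, 3 = virus, anything
# else (interrupted scan, scanner error, unexpected code) = 2, so only an
# explicit clean verdict is ever reported as clean.
map_exit_code() {
    case "$1" in
        0) echo 0 ;;
        3) echo 3 ;;
        *) echo 2 ;;
    esac
}

# Scan one file, print CLEAN/VIRUS/ERROR like the original script and return
# the mapped code. A missing file is an ERROR that maps to 2, not to 0 as
# the "echo ERROR; exit 0" tail of the script above does.
check_for_virus() {
    file="$1"
    if [ -z "$file" ] || [ ! -f "$file" ]; then
        echo "ERROR : no such file"
        return 2
    fi
    code=0
    report=$("$SCANNER" "$file" 2>&1) || code=$?
    mapped=$(map_exit_code "$code")
    case "$mapped" in
        0) echo "CLEAN : OK" ;;
        3) echo "VIRUS : $(printf '%s\n' "$report" | grep -i virus | head -n 1)" ;;
        *) echo "ERROR : scanner exit code $code" ;;
    esac
    return "$mapped"
}

# Stand-alone use: check_for_virus <filename>
if [ $# -gt 0 ]; then
    check_for_virus "$1"
fi
```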


