anomy-list

Re: Sanitizer + Sophos question

From: 65526@xyz.molar.is
Date: Fri 15 Nov 2002 - 16:02:10 GMT


    It works for me. I'm using the extended error codes (one of the command
    line options), to make it a bit more cautious. My config looks like:

      # Defang and scan exe files
      #
      file_list_5_scanner = 0:20:8,16,24,28,32,36,40:/usr/local/bin/sweep -di -archive -all -loopback -sc -eec -ss -f %FILENAME
      file_list_5_policy = defang:defang:save:save
      file_list_5 = (?i)\.(exe|com)$

    Note that I do not pass exe or com files, without defanging them first. I
    prefer people to zip up their mails.
    I have a similar setup in a larger file list, except that the first policy
    is to accept, so clean zips, and docs, etc will get straight through.

    Also, note that I am not using a script to call sweep. I'm calling sweep
    directly. This probably speeds things up (but only a little bit), but it
    also has a disadvantage, in that it doesn't send administrative alerts
    about the virus, it just quietly quarantines it. Then there is no log of
    who that quarantined file was destined for.

    ONE IMPORTANT NOTE. The way this is set up, I have it quarantining files
    that it is unable to scan, due to ANY issues.
    Because of that, encrypted zip files, and encrypted documents will be
    quarantined, and I occasionally have to manually send them off to their
    destination.
    Robert C. Litman
    http://www.rlitman.com
    ftp://ftp.rlitman.com
    65567@xyz.molar.is

    Corey Appleby <corey@aspstation.net>
    11/14/2002 10:25 PM
    To: 65476@xyz.molar.is
    cc:
    Subject: [anomy-list]: Sanitizer + Sophos question

    Hello,

    I'm running the Sanitizer with Sophos' virus scanner. The scanner is
    working, and the sanitizer is working, but I can't get them to work
    together. Here's my setup:

    My sanitizer.rc file calls a wrapper script for sweep.

    sanitizer.rc:
    file_list_3_scanner = 0:20:24:/usr/local/bin/sweep.sh %FILENAME
    file_list_3_policy = accept:accept:drop:save
    file_list_3 = (?i)\.(com)$

    here's the contents of that wrapper.
    sweep.sh:
    #!/bin/sh

    # 21: no filename given; 22: argument is not a regular file
    [ "$1" = "" ] && exit 21
    [ -f "$1" ] || exit 22
    # exec replaces the shell, so sweep's exit status becomes the wrapper's
    exec /usr/local/bin/sweep -di -eec -nc -p=/var/log/sophos_sweep.log "$1" 2>/dev/null >/dev/null

    But when I send myself a .com file, Sanitizer does whatever the default
    policy is for that rule (in this case it saves it). Here's the
    SANITIZER-LOG output:

       Part (pos="962"):
         SanitizeFile (filename="test.com", mimetype="TEXT/PLAIN"):
           Match (rule="3"):
             ScanFile (file="/var/spool/quarantine/SM-test.com"):
               Unknown exit code: 9216

             Enforced policy: save

    Obviously that exit code isn't what I should be getting. Sophos sweep
    should return one of the codes I have listed. Anyone have any idea why
    I'm getting that code? I modeled my wrapper script on the avp.sh
    script in the Sanitizer "real world configuration" example on Anomy's
    website.

    Any help would be greatly appreciated.

    Thanks,
    corey

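An added example, not code from the Anomy project or either poster: a small Python model of the scanner line and policy line shown in both configurations above. It assumes the three colon-separated fields are the clean, virus and error exit-code lists, that the four policy entries apply to clean, virus, error and unknown results in that order, and that the logged 9216 is a raw wait status (36 << 8) rather than an exit code; the %FILENAME substitution is a hardened variant, not Anomy's own.

```python
import shlex

POLICY_SLOTS = ("clean", "virus", "error", "unknown")

def parse_codes(field):
    """'8,16,24' -> {8, 16, 24}; an empty field means no codes."""
    return {int(c) for c in field.split(",") if c.strip()}

def parse_scanner(line):
    """Split a file_list_N_scanner value into three exit-code sets and the command.
    Assumed layout: clean_codes:virus_codes:error_codes:command (maxsplit=3 keeps
    any ':' inside the command intact)."""
    clean, virus, error, command = line.split(":", 3)
    return {"clean": parse_codes(clean), "virus": parse_codes(virus),
            "error": parse_codes(error), "command": command.strip()}

def parse_policy(line):
    """'accept:accept:drop:save' -> one policy per slot, in POLICY_SLOTS order (assumed)."""
    return dict(zip(POLICY_SLOTS, line.split(":")))

def verdict(spec, code):
    """Which slot a scanner exit code falls in; anything unlisted is 'unknown'."""
    for slot in ("clean", "virus", "error"):
        if code in spec[slot]:
            return slot
    return "unknown"

def enforced_policy(spec, policy, code):
    return policy[verdict(spec, code)]

def decode_wait_status(status):
    """Raw wait status (what Perl's system() leaves in $?) -> exit code, or None if
    the child died from a signal. 9216 from the log is 36 << 8, i.e. exit code 36."""
    if status & 0x7F:
        return None
    return (status >> 8) & 0xFF

def build_argv(spec, filename):
    """Substitute %FILENAME per token after shell-splitting, so a filename taken
    from a mail part is never re-parsed by a shell (hardened variant, not Anomy's)."""
    return [filename if tok == "%FILENAME" else tok for tok in shlex.split(spec["command"])]

# Constructed from the two configurations quoted in the thread
COREY_SPEC = parse_scanner("0:20:24:/usr/local/bin/sweep.sh %FILENAME")
COREY_POLICY = parse_policy("accept:accept:drop:save")
ROBERT_SPEC = parse_scanner("0:20:8,16,24,28,32,36,40:/usr/local/bin/sweep -di "
                            "-archive -all -loopback -sc -eec -ss -f %FILENAME")
ROBERT_POLICY = parse_policy("defang:defang:save:save")
```

Fed the logged value, the first configuration lands 9216 in the unknown slot (policy save), while its decoded exit code 36 sits in the error list of the second configuration.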


    hosted by molar.is