anomy-list

RE: clamav (was: Re: more sanitizer questions)

From: Peter Mueller (129447@xyz.molar.is)
Date: Fri 18 Jun 2004 - 17:33:21 GMT


    Sorry for my format, I am on webmail. The post is from Jun 2:
    http://mailtools.anomy.net/archives/anomy-list/2004-06/0000.shtml
     
    Note they aren't my scripts, it's just what I have set up. The AV script header says it is from "Xavier Roche/Serianet", so thank you very much! The setup is with help from very nice people on this list. I don't know Perl at all; it looks Greek to me ;-). Give me a nice shell script instead any day..
     
    Regards,
     
    P

    ________________________________

    From: Paolo [mailto:129489@xyz.molar.is]
    Sent: Wed 6/16/2004 12:18 AM
    To: 129537@xyz.molar.is
    Subject: Re: clamav (was: Re: [anomy-list]: more sanitizer questions)

    On Tue, Jun 15, 2004 at 05:55:35PM +0200, Luis Miguel wrote:
    ...
    > Is anyone using the patch to show the virus name with sanitizer? (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=235352) I have patched Sanitizer.pm and created a wrapper for my antivirus (clamav), but don't know how to pass the virus name from the wrapper to sanitizer.

    I don't know where Peter's scripts are - I have checked the archive list but could
    not find any - perhaps his stuff may be more complete.
    Anyway, here's mine - very rough, I'm not interested in doing anything fancy
    with suspect email.
    One note regarding clamav: it may be tricky to run clam[d]scan from an anomy script,
    as in some distros (e.g. Debian) clam*scan runs as user clamav, hence it is unable
    to read anomy's tempfiles, which should be mode 600 - that's why I'm feeding
    clamdscan from stdin.

    8<---[.sanitizer.cfg]-----
    ...
    msg_file_drop += X-Anomy|Eventuale codice maligno rilevato: %VIRUSNAME.\n
    ...
    file_list_3 = (?i)\.(doc|dot|xls|xlw|sxi|sdc|sdw|sxw
    file_list_3 += |zip
    file_list_3 += |[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)$
    file_list_3_policy = unknown:drop:drop:drop
    file_list_3_scanner = 0:1:2:/usr/share/sanitizer/filters/filtro_av.sh %FILENAME
    ...
    8<---[/.sanitizer.cfg]----

    8<---[/usr/share/sanitizer/filters/filtro_av.sh]-----
    #!/bin/sh
    # need anomy with VIRUSNAME patch
    #exit 0
    VN=
    [ -x /usr/bin/clamdscan ] && {
      # feed the file on stdin: clamdscan may run as user clamav and then
      # cannot open anomy's mode-600 tempfile itself
      AVR=`/usr/bin/clamdscan - < "$1" 2>&1`
      R=$?
      # pull the name out of a "...: <name> FOUND" line
      VN=`echo "$AVR" | grep ": .* FOUND" | sed "s/.*: \([^ ]*\) FOUND.*/\1/"`
      # something went bad: no name but a non-zero exit (clamdscan: 0 clean, 1 virus, 2 error)
      # printf instead of "echo -e", which not every /bin/sh supports
      [ "$VN" ] || [ $R = 0 ] || \
        printf '%s:\nR=%s\nAVR=%s\n' "$0" "$R" "$AVR" | mail -s "clamdscan, errore: $R" root
    }
    [ "$VN" ] && {
      # header the VIRUSNAME patch picks up as %VIRUSNAME; exit 1 = infected
      echo "Anomy-FileScan-VirusName: $VN"
      exit 1
    }
    exit 0
    8<---[//usr/share/sanitizer/filters/filtro_av.sh]----

    e.g.:

    echo "blah blah" | mutt -a eicarsignature.sxw -stest-clamav paolo
    ...
    [-- Allegato #1 --]
    [-- Tipo: text/plain, Codifica: 7bit, Dimensioni: 0,1K --]

    blah blah
    [-- Allegato #2 --]
    [-- Tipo: text/plain, Codifica: 8bit, Dimensioni: 0,4K --]

    X-Anomy|*****
    ...
    X-Anomy|Eventuale codice maligno rilevato: Eicar-Test-Signature.
                                               ^^^^^^^^^^^^^^^^^^^^
    ...
    X-Anomy|*****

    --
     paolo
    

    GPG/PGP id:0x21426690 kfp:EDFB 0103 A8D8 4180 8AB5 D59E 9771 0F28 2142 6690
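A fuller version of the wrapper idea in Paolo's mail, added here as an example and not Paolo's script or anomy's code: it feeds the file to the scanner on stdin, maps clamdscan's exit status (0 clean, 1 infected, 2 error) onto the 0:1:2 order in the file_list_3_scanner line, and extracts the name from the FOUND line. The fake_clamdscan function and the CONSTRUCTED-MARKER string are constructed stand-ins so it runs without clamd.

```shell
#!/bin/sh
# Added example, not Paolo's script or anomy's code: feed the file to the
# scanner on stdin (a scanner running as another user, like clamav on Debian,
# then never has to open anomy's mode-600 tempfile), map the scanner's exit
# status onto the 0:1:2 (clean:infected:error) order used in the
# file_list_3_scanner line, and pull the name out of a "...: <name> FOUND" line.
# clamdscan's documented exit codes: 0 = clean, 1 = infected, 2 = error.

# Constructed stand-in for /usr/bin/clamdscan so the example runs offline.
# Like "clamdscan -" it reads the data from stdin; it flags a fixed marker.
fake_clamdscan() {
  if grep -q 'CONSTRUCTED-MARKER'; then
    echo 'stream: Constructed.Test.Marker FOUND'
    return 1
  fi
  echo 'stream: OK'
  return 0
}

# virus_name OUTPUT: print the first reported name, nothing if there is none.
virus_name() {
  printf '%s\n' "$1" | sed -n 's/^.*: \([^ ]*\) FOUND$/\1/p' | head -n 1
}

# scan_file FILE [SCANNER]: print "Anomy-FileScan-VirusName: <name>" and
# return 1 if infected, 0 if clean, 2 if the scanner could not run or failed.
scan_file() {
  file=$1
  scanner=${2:-/usr/bin/clamdscan}
  [ -r "$file" ] || { echo "$0: cannot read $file" >&2; return 2; }
  out=$("$scanner" - < "$file" 2>&1)
  status=$?
  name=$(virus_name "$out")
  case $status in
    0) return 0 ;;
    1) [ -n "$name" ] || name=UNKNOWN
       echo "Anomy-FileScan-VirusName: $name"
       return 1 ;;
    *) # Paolo's script mails this to root; here it goes to stderr
       printf '%s: scanner failed\nstatus=%s\n%s\n' "$0" "$status" "$out" >&2
       return 2 ;;
  esac
}

# Stand-alone use, as in the config line: filtro_av.sh %FILENAME
if [ $# -gt 0 ]; then
  scan_file "$1"
  exit $?
fi
```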

