[exim] [RESENT] Need help with exiscan and generic command l…

Góra strony
Delete this message
Reply to this message
Autor: Ralf G. R. Bergs
Data:  
Dla: Exim-users
Temat: [exim] [RESENT] Need help with exiscan and generic command line scanner interface
[Resending this msg since mod seems not to have released my original msg
yet]

Hi guys.

I can't figure out what's going wrong with my below config snippet to
make my Debian version of Exim 4.80 use Avira AntiVirus 3.1 as a generic
command line virus scanner:
>   warn  message         = This message contains malware ($malware_name)
>         set acl_m0      = cmdline:/usr/lib/AntiVir/guard/avscan -s
> --batch --scan-mode=all %s; /bin/echo -e \N"\navira_retval
> $?"\N:\N^avira_retval 1$\N:\N.*ALERT: ([^;]*) ;.*\N
>         malware         = *
>         log_message     = This message contains malware
> (avira:$malware_name)

When I manually invoke the command line scanner I get the following output:
> # /usr/lib/AntiVir/guard/avscan -s --batch --scan-mode=all eicar.com.txt
> Avira AntiVir Personal (ondemand scanner)
> Copyright (C) 2010 by Avira GmbH.
> All rights reserved.
>
> SAVAPI-Version: 3.1.1.8, AVE-Version: 8.2.12.120
> VDF-Version: 7.11.102.248 created 20130918
>
> AntiVir license: 0000XXXXXX
>
> Info: automatically excluding /sys/ from scan (special fs)
> Info: automatically excluding /proc/ from scan (special fs)
> Info: automatically excluding /var/lib/antivir/quarantine/ from scan
> (quarantine)
>
>   file: /root/work/eicar.com.txt
>     last modified on  date: 2013-09-18  time: 10:50:02,  size: 68 bytes
>     ALERT: Eicar-Test-Signature ; virus ; Contains code of the
> Eicar-Test-Signature virus
>     ALERT-URL: http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature
>   no action taken

>
> ------ scan results ------
>    directories: 0
>  scanned files: 1
>         alerts: 1
>     suspicious: 0
>       repaired: 0
>        deleted: 0
>        renamed: 0
>          moved: 0
>      scan time: 00:00:01
> --------------------------

The below is the list of codes Avira possibly returns, when I launched
the above test with the EICAR dummy virus I indeed got a result code of 1:
> list of return codes:
>    0: Normal program termination, nothing found, no error
>    1: Found concerning file
>    3: Suspicious file found
>    4: Warnings were issued
>  255: Internal error
>  254: Configuration error (invalid parameter in command-line
>       or configuration file)
>  253: Error while preparing on-demand scan
>  252: The avguard daemon is not running
>  251: The avguard daemon is not accessible
>  250: Cannot initialize scan process
>  249: Scan process not completed
>  248: No valid license found
>  211: Program aborted, because the self check failed

This is the virus scanner version:
> # /usr/lib/AntiVir/guard/avscan --version
> product kind: Avira AntiVir Personal (ondemand scanner)
> product version: 3.1.3.5
> VDF version: 7.11.102.248
> VDF date: 2013-09-18
> AVE version: 8.2.12.120
> operating system: Linux 3.2.0-4-amd64 x86_64
> binary target: linux_glibc22
> The program is running in fully functional mode.

Debian version:
> # cat /etc/debian_version
> 7.1

I'm fiddling with this since almost 2 hours now and can't figure out
what's going wrong... :-(

I'm already using a couple of command line scanners as follows which are
all working fine (which I can tell from Exim's mainlog, they all trigger
on the EICAR dummy virus):
>  warn  message         = This message contains malware ($malware_name)
>         set acl_m0      = cmdline:\
>                           /usr/bin/avgscan --arc %s; echo -e
> \N"\navg_retval $?"\N:\
>                           avg_retval 5:\
>                           \NVirus identified *(.*)$\N
>         malware         = *
>         log_message     = This message contains malware
> (avg:$malware_name)
>   warn  message         = This message contains malware ($malware_name)
>         set acl_m0      = cmdline:\
>                           /usr/local/bin/fpscan --report %s; echo -e
> \N"\nfprot_retval $?"\N:\
>                           fprot_retval 1:\
>                           <([^>]*)>
>         malware         = *
>         log_message     = This message contains malware
> (f-prot:$malware_name)
>   warn  message         = This message contains malware ($malware_name)
>         set acl_m0      = cmdline:\
>                           /usr/bin/antivir --allfiles -z -rs %s:\
>                           ALERT:\
>                           [[](.+)\[]]
>         malware         = *
>         log_message     = This message contains malware
> (antivir:$malware_name)

I'm sure I'm missing s/t obvious, but it's been ages since I was really
"fluent speaking Exim", so your help would be much appreciated.

Thank you!

KR,

Ralf