Re: [exim] Need help with exiscan and generic command line s…

Top Pagina
Delete this message
Reply to this message
Auteur: Ralf G. R. Bergs
Datum:  
Aan: Jeremy Harris, exim-users
Onderwerp: Re: [exim] Need help with exiscan and generic command line scanner interface
Hi Jeremy.

Thanks for your reply.

On 2013-09-22 20:09 , Jeremy Harris wrote:
> On 18/09/13 14:08, Ralf G. R. Bergs wrote:
>>>    warn  message         = This message contains malware
>>> ($malware_name)
>>>          set acl_m0      = cmdline:/usr/lib/AntiVir/guard/avscan -s
>>> --batch --scan-mode=all %s; /bin/echo -e \N"\navira_retval
>>> $?"\N:\N^avira_retval 1$\N:\N.*ALERT: ([^;]*) ;.*\N

>
> I suspect that just setting acl_m0 to that string doesn't do what you
> think. Have a look at
>
> http://exim.org/exim-html-current/doc/html/spec_html/ch-content_scanning_at_acl_time.html
>
>
> - maybe it should be involved with the av_scanner global option,

Actually I do use this already -- I left it out for briefness.
> but I doubt the bit with "echo" will work there.

As I said the other three scanners are working just fine, and I'm
already using a similar construct (i. e. the below fragment does work
well!):
>  warn  message         = This message contains malware ($malware_name)
>         set acl_m0      = cmdline:\
>                           /usr/bin/avgscan --arc %s; echo -e
> \N"\navg_retval $?"\N:\
>                           avg_retval 5:\
>                           \NVirus identified *(.*)$\N
>         malware         = *
>         log_message     = This message contains malware
> (avg:$malware_name)

Any idea why the below is not working?
>   warn  message         = This message contains malware ($malware_name)
>         set acl_m0      = cmdline:/usr/lib/AntiVir/guard/avscan -s
> --batch --scan-mode=all %s; /bin/echo -e \N"\navira_retval
> $?"\N:\N^avira_retval 1$\N:\N.*ALERT: ([^;]*) ;.*\N
>         malware         = *
>         log_message     = This message contains malware
> (avira:$malware_name)

Thanks for kindly looking into this again (please also refer to my
original message, reattached for your convenience).

KR,

Ralf
[Resending this msg since mod seems not to have released my original msg
yet]

Hi guys.

I can't figure out what's going wrong with my below config snippet to
make my Debian version of Exim 4.80 use Avira AntiVirus 3.1 as a generic
command line virus scanner:
>   warn  message         = This message contains malware ($malware_name)
>         set acl_m0      = cmdline:/usr/lib/AntiVir/guard/avscan -s
> --batch --scan-mode=all %s; /bin/echo -e \N"\navira_retval
> $?"\N:\N^avira_retval 1$\N:\N.*ALERT: ([^;]*) ;.*\N
>         malware         = *
>         log_message     = This message contains malware
> (avira:$malware_name)

When I manually invoke the command line scanner I get the following output:
> # /usr/lib/AntiVir/guard/avscan -s --batch --scan-mode=all eicar.com.txt
> Avira AntiVir Personal (ondemand scanner)
> Copyright (C) 2010 by Avira GmbH.
> All rights reserved.
>
> SAVAPI-Version: 3.1.1.8, AVE-Version: 8.2.12.120
> VDF-Version: 7.11.102.248 created 20130918
>
> AntiVir license: 0000XXXXXX
>
> Info: automatically excluding /sys/ from scan (special fs)
> Info: automatically excluding /proc/ from scan (special fs)
> Info: automatically excluding /var/lib/antivir/quarantine/ from scan
> (quarantine)
>
>   file: /root/work/eicar.com.txt
>     last modified on  date: 2013-09-18  time: 10:50:02,  size: 68 bytes
>     ALERT: Eicar-Test-Signature ; virus ; Contains code of the
> Eicar-Test-Signature virus
>     ALERT-URL: http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature
>   no action taken

>
> ------ scan results ------
>    directories: 0
>  scanned files: 1
>         alerts: 1
>     suspicious: 0
>       repaired: 0
>        deleted: 0
>        renamed: 0
>          moved: 0
>      scan time: 00:00:01
> --------------------------

The below is the list of codes Avira possibly returns, when I launched
the above test with the EICAR dummy virus I indeed got a result code of 1:
> list of return codes:
>    0: Normal program termination, nothing found, no error
>    1: Found concerning file
>    3: Suspicious file found
>    4: Warnings were issued
>  255: Internal error
>  254: Configuration error (invalid parameter in command-line
>       or configuration file)
>  253: Error while preparing on-demand scan
>  252: The avguard daemon is not running
>  251: The avguard daemon is not accessible
>  250: Cannot initialize scan process
>  249: Scan process not completed
>  248: No valid license found
>  211: Program aborted, because the self check failed

This is the virus scanner version:
> # /usr/lib/AntiVir/guard/avscan --version
> product kind: Avira AntiVir Personal (ondemand scanner)
> product version: 3.1.3.5
> VDF version: 7.11.102.248
> VDF date: 2013-09-18
> AVE version: 8.2.12.120
> operating system: Linux 3.2.0-4-amd64 x86_64
> binary target: linux_glibc22
> The program is running in fully functional mode.

Debian version:
> # cat /etc/debian_version
> 7.1

I'm fiddling with this since almost 2 hours now and can't figure out
what's going wrong... :-(

I'm already using a couple of command line scanners as follows which are
all working fine (which I can tell from Exim's mainlog, they all trigger
on the EICAR dummy virus):
>  warn  message         = This message contains malware ($malware_name)
>         set acl_m0      = cmdline:\
>                           /usr/bin/avgscan --arc %s; echo -e
> \N"\navg_retval $?"\N:\
>                           avg_retval 5:\
>                           \NVirus identified *(.*)$\N
>         malware         = *
>         log_message     = This message contains malware
> (avg:$malware_name)
>   warn  message         = This message contains malware ($malware_name)
>         set acl_m0      = cmdline:\
>                           /usr/local/bin/fpscan --report %s; echo -e
> \N"\nfprot_retval $?"\N:\
>                           fprot_retval 1:\
>                           <([^>]*)>
>         malware         = *
>         log_message     = This message contains malware
> (f-prot:$malware_name)
>   warn  message         = This message contains malware ($malware_name)
>         set acl_m0      = cmdline:\
>                           /usr/bin/antivir --allfiles -z -rs %s:\
>                           ALERT:\
>                           [[](.+)\[]]
>         malware         = *
>         log_message     = This message contains malware
> (antivir:$malware_name)

I'm sure I'm missing s/t obvious, but it's been ages since I was really
"fluent speaking Exim", so your help would be much appreciated.

Thank you!

KR,

Ralf