Hi,

To search for "Infection:" is not sufficient to detect infections detected by CSAV. You will have to search for "Infection:", "is a destructive program", "is a boot sector virus dropper", "is a virus dropper", "is a security risk or a "backdoor" program", "is a dropper for %s", "is a destructive program named %s", "is a dropper for %s", "is a security risk named %s", "is a virus tool named %s", "is a joke program", "Contains %s exploit", "Contains the exploit named %s", "Contains a known exploit" or a number of other possible strings. This excludes heuristic detection. This also excludes translated versions of our product.

If "$quarantine_description" is really important, either append the complete $DD to it, generate a very complex regex search or generate a generic string like "CSAV detected a virus".

Something that may help keep the size of $DD down is if you drop the "-list" command-line parameter. Then only the header, the footer and the infected files will be shown.

Robert Sandilands

Jason Haar wrote:

Robert Sandilands wrote:

Hi,

Attached is a patch to the currently released 1.24 version to allow it to work with CSAV for Linux/FreeBSD. It does better version detection, adds a required command-line switch and handles the return codes from the scanner better.

Thanks for that.

- if ($DD =~ / Infection: (.*)/) {
+ if ( $ecsav_status > 50 && $ecsav_status < 54 ) {
$quarantine_description=$1;
&debug("There be a virus! ($quarantine_description)");
($quarantine_event=$quarantine_description)=~s/\s/_/g;
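Review bot: on the unchanged line `$quarantine_description=$1;` directly after the new `if`, `$1` is no longer set by anything in this block, because the `/ Infection: (.*)/` match was the condition that got removed; it will be undefined or hold a capture left over from an earlier match. Run a match inside the block and assign a fallback description when it fails, so that `$quarantine_event` is never built from a stale value. The bounds `> 50 && < 54` also deserve a comment saying which scanner return codes they stand for.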


Spot of bother there. Where's $1 after your change? Should it be

if ( $ecsav_status > 50 && $ecsav_status < 54 ) {
$DD =~ / Infection: (.*)/;
$quarantine_description=$1;
...

-- --------------------------------------------------------------------- Robert Sandilands: Software Engineer Disclaimer: http://robert.rsa3.com/disclaimer.html Authentium: Home of Command Software www.authentium.com
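
An added example, not part of the original mail or of qmail-scanner's own code: one way to combine the return-code check from the patch with the phrase list and the generic fallback string discussed above. The helper name `csav_description`, the `\S+` match for `%s`, and the sample lines are assumptions made for illustration; heuristic detections and translated products are not covered.

```perl
use strict;
use warnings;

# Phrases quoted in the message above; %s marks the malware name.
my @phrases = (
    'is a destructive program', 'is a boot sector virus dropper',
    'is a virus dropper', 'is a security risk or a "backdoor" program',
    'is a dropper for %s', 'is a destructive program named %s',
    'is a security risk named %s', 'is a virus tool named %s',
    'is a joke program', 'Contains %s exploit',
    'Contains the exploit named %s', 'Contains a known exploit',
);

# Longest phrase first, so "... program named %s" wins over "... program".
my @patterns = (qr/(Infection: (.*))/);    # capture from the pre-patch regex
for my $p (sort { length($b) <=> length($a) } @phrases) {
    my $re = quotemeta $p;
    $re =~ s/\\%s/(\\S+)/g;    # assumption: names contain no whitespace
    push @patterns, qr/($re)/;
}

# Hypothetical helper: returns undef when the status is not an infection,
# otherwise the name, the matched phrase, or the generic fallback.
sub csav_description {
    my ($status, $output) = @_;
    return unless $status > 50 && $status < 54;    # range used in the patch
    for my $line (split /\n/, $output) {
        for my $re (@patterns) {
            next unless $line =~ $re;
            my ($phrase, $name) = ($1, $2);
            return $name if defined $name && length $name;
            return $phrase;
        }
    }
    return 'CSAV detected a virus';    # generic string suggested above
}

# Constructed sample lines, not real CSAV output.
my @samples = (
    [52, "/tmp/a.exe Infection: Example.A\n"],
    [52, "/tmp/b.com is a dropper for Example.B\n"],
    [52, "/tmp/c.exe is a joke program\n"],
    [52, "/tmp/d.doc flagged by heuristics\n"],
    [0,  "/tmp/e.txt clean\n"],
);
for my $s (@samples) {
    my $d = csav_description(@$s);
    print defined $d ? "$d\n" : "(no infection)\n";
}
```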



