We have seen a few errors ("corrupt or unknown MacAfee scanner error or memory/resource/perms problem") that are generated by this routine. It looks to me like, if McAfee fails because of a vulnerability or resource exhaustion, this check fails open and allows the message to pass. Is this the case, and is it the desired behavior?

Nick


sub uvscan_scanner {
  #MacAfee scanner
  &debug("uvscan: starting scan of directory \"$ENV{'TMPDIR'}\"...");
  my ($start_uvscan_time)=[gettimeofday];
  my ($DD,$uvscan_status,$euvscan_status,$stop_uvscan_time,$uvscan_time,$uvscan_verbose);
  $uvscan_verbose="-v" if ($DEBUG);

  &debug("run $uvscan_binary $uvscan_verbose -r --secure --fam --unzip --macro-heuristics $ENV{'TMPDIR'} 2>&1");
  $DD=`$uvscan_binary $uvscan_verbose -r --secure --fam --unzip --macro-heuristics $ENV{'TMPDIR'} 2>&1`;
  $uvscan_status=$?;
  $euvscan_status=($uvscan_status >> 8);

  &debug("--output of uvscan was:\n$DD--");
  if ( $euvscan_status > 0  ) {
    if ($DD =~ /^\s+Found(.*)$/m) {
      $quarantine_description=$1;
      &debug("There be a virus! ($quarantine_description)");
      ($quarantine_event=$quarantine_description)=~s/\s/_/g;
      $quarantine_event="UVSCAN:".substr($quarantine_event,0,$QE_LEN);
      $description .= "\n---uvscan results ---\n$DD";
      #    print "virus \"$virus\"\n";
    } else {
      #This implies a corrupt set of DAT files or resource problems...
      &error_condition("corrupt or unknown MacAfee scanner error or memory/resource/perms problem - exit status $uvscan_status/$euvscan_status");
    }
  } elsif ($uvscan_status > 0) {
    #This implies a corrupt set of DAT files or resource problems...
    &error_condition("corrupt or unknown MacAfee scanner error or memory/resource/perms problem - exit status $uvscan_status/$euvscan_status");
  }
  $stop_uvscan_time=[gettimeofday];
  $uvscan_time = tv_interval ($start_uvscan_time, $stop_uvscan_time);
  &debug("uvscan: finished scan of dir \"$ENV{'TMPDIR'}\" in $uvscan_time secs");
}



_______________________________________________
Qmail-scanner-general mailing list
Qmail-scanner-general@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
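
One way to make the fail-open versus fail-closed decision explicit, as an added example that is not part of the original post or of qmail-scanner: the hypothetical `classify_scan` helper decodes Perl's `$?` and returns `tempfail` for every outcome that is neither a clean exit nor a reported detection. The wait statuses and scanner output lines below are constructed.

```perl
#!/usr/bin/perl
# Added example: hypothetical helper, not part of qmail-scanner.
use strict;
use warnings;

# Map a scanner's wait status ($?) and output to exactly one verdict.
# Only a normal exit with code 0 counts as clean; every outcome the
# code cannot positively explain becomes 'tempfail' (fail closed).
sub classify_scan {
    my ($wait_status, $output) = @_;
    $output = '' unless defined $output;

    return ('tempfail', 'scanner could not be started') if $wait_status == -1;

    my $signal = $wait_status & 127;   # non-zero: killed by a signal
    my $exit   = $wait_status >> 8;    # exit code on a normal exit

    return ('tempfail', "scanner killed by signal $signal") if $signal;
    return ('clean', '') if $exit == 0;

    # Same "Found ..." pattern the routine above matches on.
    if ($output =~ /^\s+Found(.*)$/m) {
        (my $name = $1) =~ s/^\s+|\s+$//g;
        return ('infected', $name);
    }
    return ('tempfail', "scanner exit code $exit with no detection line");
}

# Constructed inputs: [wait status, scanner output].
my @cases = (
    [ 0,       "no detections\n" ],
    [ 13 << 8, "  Found the EICAR test file\n" ],
    [ 2 << 8,  "driver/DAT error\n" ],
    [ 9,       "" ],     # killed by signal 9 (SIGKILL), e.g. out of memory
    [ -1,      undef ],  # backticks could not launch the binary
);

for my $case (@cases) {
    my ($verdict, $detail) = classify_scan(@$case);
    printf "%-8s %s\n", $verdict, $detail;
}
```

Whether the check fails closed then depends on the caller: a `tempfail` verdict has to defer the message rather than let it continue to delivery.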
