Jerry Durand wrote:
At 11:43 PM 7/23/2007, Nigel Frankcom wrote:
ClamD with http://www.sanesecurity.co.uk/ work pretty well here.

Be sure and read http://www.sanesecurity.co.uk/clamav/usage.htm

Warning to Mac users:

I tried to use their automated script in OS X Server and got a script error (SED error). I contacted the person who wrote the script and he gave me some suggestions. I patched it, still got the error, hard-coded the db path on my system, then other parts failed. I gave up.

I think OS X is just too weird for this script and I haven't the time to figure one out on my own at the moment.

This is what I use on OS X 10.3.x. Be careful of the linewraps (the lines with "$retcode =" and "$diffout =" each should be one long line). If you're using clamd, you'll need to tell it to reload. And you'll need to install wget, or change the wget line to do the equivalent mechanics with curl.

The configuration I have is going to grab sanesecurity, msrbl, and mbl. You can just remove entries from %urls for ones you don't want to use.

The first time you run it, it'll complain about the diff output I think. But I think if you just run it once or twice by hand, then you can just run it with -all via cron. I do that about every 4 hours.

#!/usr/local/bin/perl

my $chmod = "/bin/chmod";
my $mv = "/bin/mv";
my $cp = "/bin/cp";
my $gunzip = "/usr/bin/gunzip";
my $clamscan = "/usr/local/bin/clamscan";
my $testfile = "/bin/sh";
my $diff = "/usr/bin/diff";

my $clamdbdir = "/usr/local/share/clamav";

my %methods =
   ("http"  => "/usr/local/bin/wget -qN",
    "rsync" => "/usr/bin/rsync -qt");

my %urls =
   ("msrbl-spam" => "rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-SPAM.ndb",
    "msrbl-imgs" => "rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images.hdb",
    "mbl"        => "http://www.malware.com.br/cgi/submit?action=list_clamav",
    "sane-phish" => "http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz",
    "sane-scam"  => "http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz");

my %basedirs =
   ("msrbl-spam" => $clamdbdir . "/msrbl",
    "msrbl-imgs" => $clamdbdir . "/msrbl",
    "mbl"        => $clamdbdir . "/mbl",
    "sane-phish" => $clamdbdir . "/sanesecurity",
    "sane-scam"  => $clamdbdir . "/sanesecurity");

# even though these are all the same now, in the future, I may separate
# them into different directories used by different programs.
my %destdirs =
   ("msrbl-spam" => $clamdbdir,
    "msrbl-imgs" => $clamdbdir,
    "mbl"        => $clamdbdir,
    "sane-phish" => $clamdbdir,
    "sane-scam"  => $clamdbdir);

my (@distros, $dist, $tmpdir, $proto, $method, $file, $retcode, $url);
my ($ufile, $diffout, $destdir, $basedir);

# "-a", "-al", "-all" or "--all" means every entry in %urls; anything else is
# taken as a list of %urls keys on the command line.
if (defined($ARGV[0]) && $ARGV[0] =~ /^--?al?l?$/) {
   @distros = keys(%urls);
   }
else {
   @distros = @ARGV;
   }

foreach $dist (sort (@distros)) {
   $basedir = $basedirs{$dist};
   $tmpdir = $basedir . "/tmp";
   $destdir = $destdirs{$dist};
   $url = $urls{$dist};
   $proto = $url; $proto =~ s/:.*$//;
   $method = $methods{$proto};
   $file = $url; $file =~ s"^.*/([^/]*)$"$1";
   $ufile = $file; $ufile =~ s/\.gz$//;

   if ((-e $basedir) && (!(-d $basedir))) {
      rename ($basedir, ($basedir . ".bad"))
         || die "basedir $basedir isn't a directory, can't rename it";
      mkdir ($basedir) || die "can't make basedir $basedir";
      }
   elsif (! (-e $basedir)) {
      mkdir ($basedir) || die "can't make basedir $basedir";
      }
   system ("$chmod 755 $basedir");

   if ((-e $tmpdir) && (!(-d $tmpdir))) {
      rename ($tmpdir, ($tmpdir . ".bad"))
         || die "tmpdir $tmpdir isn't a directory, can't rename it";
      mkdir ($tmpdir) || die "can't make tmpdir $tmpdir";
      }
   elsif (! (-e $tmpdir)) {
      mkdir ($tmpdir) || die "can't make tmpdir $tmpdir";
      }
   system ("$chmod 755 $tmpdir");

   if ((-e $destdir) && (!(-d $destdir))) {
      rename ($destdir, ($destdir . ".bad"))
         || die "destdir $destdir isn't a directory, can't rename it";
      mkdir ($destdir) || die "can't make destdir $destdir";
      }
   elsif (! (-e $destdir)) {
      mkdir ($destdir) || die "can't make destdir $destdir";
      }
   system ("$chmod 775 $destdir");

   chdir ($tmpdir);

   # attempting to download signature file
   if ($proto eq "rsync") {
      system("$method $url $file");
      }
   elsif ($proto eq "http") {
      system("$method $url");
      }
   else {
      print "   unknown protocol for $dist\n";
      next;   # skip this distro, carry on with the rest
      }

   unless (-e $file) {
      print "   $file for $dist doesn't appear to exist\n";
      next;   # skip this distro, carry on with the rest
      }

   if ($dist eq "mbl") {
      rename ($file, "mbl.db");
      $file = "mbl.db";
      $ufile = $file;
      }

   if ($file =~ /\.gz$/) {
      if (-e $ufile) {
         unlink ($ufile);
         }
      system("$gunzip -c $file > $ufile");
      $file = $ufile;
      }

   # test against clamav: scan a known-clean file with only the new
   # database loaded; exit status 0 = clean, 1 = hit, anything else = bad db
   $retcode = system("$clamscan --database=$tmpdir $testfile > /dev/null 2>&1") / 256;

   if ($retcode == 0) {
      # clamscan of testfile worked and didn't find a virus
      # now lets see if it's different from the production copy
      $diffout = system("$diff --brief --speed-large-files $tmpdir/$file $destdir/$file > /dev/null 2>/dev/null") / 256;
      if ($diffout != 0) {
         # move to destination
         system("$chmod 644 $tmpdir/$file");
         system("$cp -p $tmpdir/$file $destdir/$file");
         #system("$chmod 644 $destdir/$file");
         }
      }
   elsif ($retcode == 1) {
      print "   found a virus in $testfile while testing $dist\n";
      }
   else {
      print "   new $dist download $file appears to be corrupt\n";
      }
   }
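Added example, not part of the posted script: a curl stand-in for the script's "wget -qN" http method, and the clamd reload step the post says is needed but the script itself never does. The curl and clamdscan paths and the $changed flag are assumptions for this example.

```perl
#!/usr/local/bin/perl
# Added example (not part of the posted script): curl equivalent of the
# "wget -qN" http method, plus a clamd reload once a signature file was
# actually replaced.  Tool paths below are assumptions for this example.
use strict;
use warnings;

my $curl      = "/usr/bin/curl";              # assumed path
my $clamdscan = "/usr/local/bin/clamdscan";   # assumed path

# Equivalent of "wget -qN $url" run inside the tmp dir: fetch $url into
# $file, but only if the server copy is newer than the local one (-z sends
# If-Modified-Since from the local mtime), and keep the server timestamp
# on the saved file (-R).  Returns true on success; a 304 Not Modified
# counts as success and leaves the existing file untouched.
sub http_fetch {
   my ($url, $file) = @_;
   my @cmd = ($curl, "-sSf", "-R", "-o", $file);
   push @cmd, "-z", $file if -e $file;
   push @cmd, $url;
   return system(@cmd) == 0;   # list form: no shell, so no quoting issues
}

# Ask a running clamd to re-read its database directory.  Only worth
# calling after at least one file in $destdir was actually replaced.
sub clamd_reload {
   return system($clamdscan, "--reload") == 0;
}

# How this slots into the posted script, as an illustration:
#   - in the http branch, replace   system("$method $url");
#     with                          http_fetch($url, $file) or next;
#   - next to the "$cp -p" line add $changed = 1;
#   - after the foreach loop:
#     (clamd_reload() or warn "clamd reload failed\n") if $changed;
```

With the reload tied to $changed, a cron run that downloads nothing (all 304s or identical files) never interrupts clamd.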
