"Fossies" - the Fresh Open Source Software Archive

Member "amavisd-new-2.11.1/README_FILES/README.old.scanners" (24 Apr 2005, 30275 Bytes) of package /linux/misc/amavisd-new-2.11.1.tar.bz2:



---------------------------------------
This file is old and not up-to-date !!!
---------------------------------------

AMaViS & virus scanners
***********************

Contents:
1 List of supported antivirus products
2 Setting up the commandline options
3 Antivirus product information
3.1 Specific Antivirus product information
3.1.1 How to use Kaspersky Anti-Virus AVPDaemon
3.1.2 Kaspersky Anti-Virus
3.1.3 VirusBuster (Daemon / Client)
3.1.4 Sophie / Trophie
3.1.5 GeCAD RAV AntiVirus 8
3.1.6 MkS_Vir for Linux
3.2 Return codes
4 Updates
4.1 Update scripts
4.1.1 Script for Sophos Sweep
4.1.2 Scripts for NAI uvscan
4.1.3 Script for Kaspersky Anti-Virus
5 Why AMaViS will never stop all viruses
5.1 Blocking certain file(s) / file type(s)


1 List of supported antivirus products
AMaViS currently supports the following antivirus products (mostly for Linux)

* CyberSoft VFind
* F-Secure Inc. (former DataFellows) F-Secure AV
* H+BEDV AntiVir/X
* Kaspersky Anti-Virus (kavscanner and kavdaemon)
* Network Associates Virus Scan for Linux
* Sophos Sweep
* Trend Micro FileScanner
* CAI InoculateIT (currently only the old 4.x version is supported!)
* GeCAD RAV AntiVirus 8 (engine version 8.5 or better required!)
* ESET Software NOD32 (command line scanner and daemon/client)
* Command AntiVirus for Linux
* VirusBuster
* Sophie, using Sophos AntiVirus Interface
* Trophie, using Trend Micro API
* FRISK F-Prot / F-Prot Daemon
* OpenAntiVirus ScannerDaemon
* DrWeb Antivirus for Linux/FreeBSD/Solaris (no support for DrWeb Daemon yet)
* MkS_Vir for Linux
* CentralCommand Vexira
* Norman Virus Control for Linux

If support for a specific product is missing, please write to
Rainer Link <link@suse.de>.
For an up-to-date product list, see http://www.openantivirus.org/

   54 
2 Setting up the commandline options
I advise you to look at the commandline parameters for the scanner(s) you use
with AMaViS. Each scanner has its own section at the beginning of the scanmails
script, and its commandline options are set in the variable <product_name>_cmdl,
e.g. antvir_cmdl. Please read the documentation of your antivirus software
carefully and add (or remove) specific options.
If an antivirus product provides the functionality to scan inside (run-time)
compressed files (e.g. Diet, LzExe, PkLite, UPX) and archived files
(e.g. PkZIP, RAR), I advise switching this on if it is not on by default.

3 Antivirus product information
3.1 Specific Antivirus product information
3.1.1 How to use Kaspersky Anti-Virus AVPDaemon

Two possible setups exist:
a) AVPDaemon and AVPDaemonClient (in the new package renamed to AvpDaemonTst)
Switch into AVPDaemon/DaemonClients and compile AvpDaemonClient.cpp (the new
location seems to be Sample) with a simple "make". Then copy this file to
the location where AVPDaemon is installed (e.g. /usr/local/avp or /opt/AVP).
Run configure, make and make install.

b) AVPDaemon alone (AVPDaemon works in daemon mode and client mode)
Symlink AvpDaemonClient to AvpDaemon, as configure searches for AvpDaemonClient
(and AvpDaemonTst). In amavis/av/avpdc, change the line

 $output = `$avpdc $TEMPDIR/parts`;

to

 $output = `$avpdc -o{$TEMPDIR/parts/}`;

then run ./configure, make and make install.
However, AVPDaemon (in client mode) shows no output and cannot be switched
to verbose mode. Therefore setup a) is the one I currently recommend;
otherwise your logfiles don't show which file(s) is/are infected.

NOTE: AvpDaemon must be running as a daemon, so it should be started at
boot time via an init script (or whatever) as <path>/AvpDaemon -* /var/amavis

3.1.2 Kaspersky Anti-Virus
AvpLinux fills the log with a lot of trash because of a simple progress
bar shown while loading the AVC files.
If you do not want this "log flooding", you may set

LongStrings=Yes

in file defUnix.prf, section Options. This will reduce the output when
AvpLinux is loading the AVC files.

3.1.3 VirusBuster (Daemon + Client)
Please keep in mind that the VirusBuster Daemon has to run under the same
user id AMaViS runs as. Moreover, VirusBuster returns 3 for an infection
(which is not in sync with the man page).

3.1.4 Sophie / Trophie
By default, Sophie/Trophie creates a socket in /var/run, owned by root, group
uucp (read/writeable by owner and group). As AMaViS runs as user amavis,
it cannot connect to the socket. Please change the group
accordingly in sophie.h/trophie.h and re-compile.
If Sophie/Trophie is installed but configure doesn't detect it, you need
to upgrade to version 1.15/1.03, respectively, or better.

3.1.5 GeCAD RAV AntiVirus 8

The command line options changed with a new version of the virus scanning
engine. Therefore, you need at least engine version 8.5. If your engine is
too old, please update it (i.e. "ravav -UPDATE"). Just as a side note, with
the new engine, an update is later done with -u.

3.1.6 MkS_Vir for Linux

MkS expects its config file mks_vir.cfg in /etc.


3.2 Return codes
-----------------------------------------------------------------------
 NAI VirusScan (uvscan) return codes:
-----------------------------------------------------------------------
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
as of version 4.x documentation "uvscan.pdf" or "unix403.pdf":
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    0  No errors occurred; no viruses were found.
    2  Driver integrity check failed.
    6  A general problem.
    8  Could not find a driver.
   10  A virus was found in memory.
   13  One or more viruses or hostile objects were found.
   15  VirusScan self-check failed; it may be infected or damaged.
  102  User quit via ESC-X, ^C or Exit button.

  Exit code 102 also occurs when the scan encounters an unexpected error, such
  as denied access or memory shortage. On these occasions, the scan exits
  immediately and does not finish.

-----------------------------------------------------------------------
 Sophos Sweep Return Codes:
-----------------------------------------------------------------------
Bernhard Nowotny <nowotny@sigma-c.de> writes:
Error codes returned by SWEEP (thanks to christian.weber@sophos.com):
  SWEEP returns error codes if there is an error or if a virus is found
  SWEEP returns:
    0  If no errors are encountered and no viruses are found
    1  If the user interrupts the execution by pressing ESC
    2  If some error preventing further execution is discovered, or if
       compressed files have been found when using the -WC command line
       qualifier
    3  If viruses or virus fragments are discovered

  A different set of error codes will be returned if SWEEP is run with the
  -eec command line qualifier.
    0  If no errors are encountered and no viruses are found
    8  If survivable errors have occurred
   12  If compressed files have been found and decompressed
   16  If compressed files have been found and not decompressed
   20  If viruses have been found and disinfected
   24  If viruses have been found and not disinfected
   28  If viruses have been found in memory
   32  If there has been an integrity check failure
   36  If unsurvivable errors have occurred
   40  If execution has been interrupted

-------------------------------------------------------------------------
 Kaspersky Anti-Virus (formerly AntiViral Toolkit Pro):
-------------------------------------------------------------------------
 return codes of AvpLinux and AvpDaemonClient according to Readme.txt

    0  No viruses were found
    1  Virus scan was not complete
    3  Suspicious objects were found
    4  Known viruses were detected
    5  All detected viruses have been deleted
    7  File AvpLinux is corrupted


--------------------------------------------------------------------------
 DataFellows F-Secure AntiVirus:
--------------------------------------------------------------------------
 return codes of F-Secure AV according to fsav_lin.pdf documentation


    0   Normal exit; no viruses or suspicious files found.
    1   Abnormal termination; unrecoverable error.
        (Usually a missing or corrupted file.)
    2   Self-test failed; program has been modified.
    3   A boot virus or file virus found.
    5   Program was terminated by pressing CTRL-C,
        or by a sigterm or suspend event.
    6   At least one virus was removed.
    7   Out of memory.
    8   Suspicious files found;
        these are not necessarily infected by a virus.


------------------------------------------------------------------------
 H+BEDV AntiVir/X
-------------------------------------------------------------------------

NOTE: Since AntiVir 6.12.x you must have a (valid) license key! Either
a free license for private use or a commercial license. Otherwise
AntiVir/X always returns 214, regardless of whether a virus was found or not,
and this is quite useless for AMaViS.

 AntiVir/X return codes according to antivir --help (English translation of
 the German original)

   0: normal program termination, no virus, no error
   1: virus found in file (or boot sector)
   2: virus found (possibly active) in memory
 100: AntiVir only displayed the help text
 101: a macro was found in a file
 102: parameter -once was given, but AntiVir had already been run
 200: not enough memory - program terminated
 201: the given response file was not found
 202: a response file contains @<rsp>
 203: invalid parameter given
 204: invalid directory given
 205: the given report file could not be created
 210: AntiVir could not find a required library
 211: program aborted because the self check failed
 212: file antivir.vdf not found or read error
 213: initialisation error
 214: license key file not found

-----------------------------------------------------------------------
 Trend Micro FileScanner (vscan) return codes:
-----------------------------------------------------------------------

     0: no virus found
     1: virus found
     2: virus found

 I do not have a list of return codes. Consider three files a, b and c. a and
 b are infected, c is not infected:
 /etc/iscan/vscan /tmp/test/a - return code: 1
 /etc/iscan/vscan -a /tmp/test/* - return code: 2
 /etc/iscan/vscan -a /tmp/test/ - return code: 0 (although two viruses
 were detected)
 Given the last case, the files have to be passed individually (or via a
 wildcard) for the return code to reflect the scan result.

-----------------------------------------------------------------------
 Cybersoft VFind Return Codes:
-----------------------------------------------------------------------
    0  If no errors are encountered and no viruses are found
   23  If viruses or virus fragments are discovered
  138  License expired or invalid.
  255  A general error.

-----------------------------------------------------------------------
 CAI InoculateIT - inocucmd command line utility 4.0:
-----------------------------------------------------------------------
        100 - A virus was detected.
         >2 - Some type of scan failure.
          1 - User pressed cntrl-C.
          0 - The scan has completed. No viruses were detected.

-----------------------------------------------------------------------
 Command AntiVirus for Linux Return Codes:
-----------------------------------------------------------------------
Code  Description
---   -----------
0-13: Fatal exceptions occurred. Abnormal termination.
5:    Break signaled. The user interrupted the scan process
      via the Break key.
13:   The program performed GPF (General Protection Fault).

50:   Nothing found.
51:   At least one infection found.
52:   At least one suspicious file found.
53:   At least one virus was disinfected.

100:  Scan engine shared library is incorrect or incompatible.
      No scan was performed.
101:  Scan engine failed to initialize. Insufficient memory
      or critical condition. No scan was performed.
102:  sign.def is either missing or is corrupt.
103:  macro.def is either missing or is corrupt.
104:  -virlist or -virno specified on the command line
105:  -today has been specified and a scan has already been made
      this day.
106:  english.tx1 is either missing or is corrupt. NOTE: This
      applies only to CSAV versions 4.57 or higher.

-----------------------------------------------------------------------
 Virus Buster for Linux Return Codes:
-----------------------------------------------------------------------
Error codes according to the man page

        OK            (0) = everything is ok, no viruses.
        VIRKILLED     (1) = Virus found and killed.
        VIRNOTKILLED  (2) = Virus found, not killed.
        HEFOUND       (3) = heuristically suspicious
        HEUDOCFOUND   (4) = heuristically suspicious DOC file
        PACKER        (5) = Packed file
        IMMUNIZER     (6) = Immunizing hit
        VSKMSG        (7) = VSK message
        SCANERROR    (64) = Error during scanning
        ENGERROR     (65) = Engine error
        EMPTYFNAME   (66) = There is no filename to scan
        NOSUCCDMSTOP (67) = Unable to stop the daemon
        NOSUCCSTART  (68) = Unable to start the daemon
        STATUSFAIL   (69) = Unable to ask the status
        NOENARG      (70) = Too few or wrong parameters
        UNKNCOMM     (71) = Unknown command
        UNKNOPT      (72) = Unknown option
        DMTIMEOUT    (73) = Unable to connect to the daemon (timeout)
        NOTREGISPRG  (74) = The program is not registered. You can't
                            start the client.

-----------------------------------------------------------------------
 FRISK F-Prot for Linux Return Codes:
-----------------------------------------------------------------------

        0  Normal exit.  Nothing found, nothing done.
        1  Unrecoverable error (for example, missing SIGN.DEF).
        2  Selftest failed (program has been modified).
        3  At least one virus-infected object was found.
        4  <not used>
        5  Abnormal termination (scanning did not finish).
        6  At least one virus was removed.
        7  Error, out of memory (should never happen, but well...)
        8  Something suspicious was found, but no recognized virus.


-----------------------------------------------------------------------
 GECAD RAV AntiVirus for Linux Return Codes:
-----------------------------------------------------------------------
#FILE_OK              1
#FILE_INFECTED        2
#FILE_SUSPICIOUS      3
#FILE_CLEANED         4
#FILE_CLEAN_FAIL      5
#FILE_DELETED         6
#FILE_DELETE_FAIL     7
#FILE_COPIED          8
#FILE_COPY_FAIL       9
#FILE_MOVED           10
#FILE_MOVE_FAIL       11
#FILE_RENAMED         12
#FILE_RENAMED_FAIL    13

#NO_FILES             20

#ENG_ERROR            30
#SINTAX_ERR           31
#HELP_MSG             32
#VIR_LIST             33


-----------------------------------------------------------------------
 ESET Software NOD32 for Linux Return Codes:
-----------------------------------------------------------------------

NOD32_EXIT_CODE_OK               0
NOD32_EXIT_CODE_VIRUS            1
NOD32_EXIT_CODE_CLEANED          2
NOD32_EXIT_INTERNAL_ERROR        10


-----------------------------------------------------------------------
 CentralCommand Vexira/Linux Return Codes:
-----------------------------------------------------------------------
Vexira is based on H+BEDV AntiVir/Linux, therefore the command line
parameters and return values seem to be completely identical

   0: Normal program termination, no virus, no error
   1: Virus found in a file or boot sector
   2: A virus signature was found in memory
 100: Vexira Antivirus only has displayed this help text
 101: A macro was found in a document file
 102: The option -once was given and Vexira Antivirus already ran today
 200: Program aborted, not enough memory available
 201: The given response file could not be found
 202: Within a response file another @<rsp> directive was found
 203: Invalid option
 204: Invalid (non-existent) directory given at command line
 205: The log file could not be created
 210: Vexira Antivirus could not find a necessary dll file
 211: Program aborted, because the self check failed
 212: The file vexira.vdf could not be read
 213: An error occurred during initialisation
 214: License key not found


--------------------------------------------------------------------------
 Norman Virus Control for Linux:
--------------------------------------------------------------------------
 return codes of Norman Virus Control according to man page

       0  - No error
       1  - File or boot sector virus found
       2  - Virus detected in memory
       3  - No scan area given
       4  - Configuration file changed
       5  - Bad argument
       6  - I/O error
       8  - Program error
       10 - Files skipped
       14 - virus detected and removed


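The tables above are only useful if the calling script maps each code to a
verdict instead of treating "non-zero" as "infected" or "zero" as "clean":
AntiVir's 214, for example, is a licence failure, and Trend's 0 on a directory
argument says nothing. The following shell function is an added example, not
part of AMaViS or its scanmails script; it does that mapping for several of the
scanners listed and falls back to an error verdict for anything it does not
recognise, so a crash, a licence problem or a misspelt scanner name can never
pass mail as clean. The scanner names, the verdict words and the decision which
codes count as "suspicious" rather than "error" are this example's own.

```shell
#!/bin/sh
# Added example, not part of AMaViS: turn a scanner's exit status into one of
# four verdicts (clean, infected, suspicious, error) using the tables in
# section 3.2.  Anything not explicitly listed, including an unknown scanner
# name, is reported as "error" (fail closed).

classify() {
    scanner=$1; rc=$2
    case "$scanner" in
    uvscan)         # NAI VirusScan: 10 = virus in memory, 13 = virus in file
        case "$rc" in
        0) echo clean ;;  10|13) echo infected ;;  *) echo error ;;
        esac ;;
    sweep)          # Sophos Sweep without -eec
        case "$rc" in
        0) echo clean ;;  3) echo infected ;;  *) echo error ;;
        esac ;;
    sweep-eec)      # Sophos Sweep with -eec; 16 means content was left unscanned
        case "$rc" in
        0|12) echo clean ;;  20|24|28) echo infected ;;  *) echo error ;;
        esac ;;
    kav)            # Kaspersky AvpLinux / AvpDaemonClient
        case "$rc" in
        0) echo clean ;;  4|5) echo infected ;;  3) echo suspicious ;;  *) echo error ;;
        esac ;;
    fsav|fprot)     # F-Secure AV and FRISK F-Prot use the same numbering
        case "$rc" in
        0) echo clean ;;  3|6) echo infected ;;  8) echo suspicious ;;  *) echo error ;;
        esac ;;
    antivir|vexira) # H+BEDV AntiVir/X and the identical Vexira table; 214 = no licence
        case "$rc" in
        0) echo clean ;;  1|2) echo infected ;;  101) echo suspicious ;;  *) echo error ;;
        esac ;;
    vscan)          # Trend Micro: only meaningful when files are passed explicitly
        case "$rc" in
        0) echo clean ;;  1|2) echo infected ;;  *) echo error ;;
        esac ;;
    *)  echo error ;;
    esac
}

# Stand-alone use: classify.sh SCANNER EXITCODE
if [ "$#" -eq 2 ]; then
    classify "$1" "$2"
fi
```

A gateway script would run the scanner, capture `$?`, and only deliver on
"clean"; "suspicious" and "error" should both be quarantined or held for a
human, because in neither case has the scanner vouched for the content.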
  447 
4 Updates
Some antivirus companies provide updates for the virus definition files
(pattern files) for the latest virus(es) in (a) small extra file(s), e.g.
Sophos Anti-Virus virus identities (IDE). See
http://www.sophos.com/downloads/ide/ for more information about IDE files.
For versions of sweep older than 3.37, these files are located in the
directory ide/ below your Sophos tree, e.g. /opt/sophos/ide, and the
environment variable SAV_IDE should therefore be set to SAV_IDE=/opt/sophos/ide
in the AMaViS script. From sweep version 3.37 on, this is no longer necessary,
as sweep reads the ide directory location from /etc/sav.conf. The default is
/usr/local/sav.

NAI provides an extra driver, which has to be specified on the command line
via --extra /path-to/EXTRA.DAT


Please keep in mind that your antivirus software needs regular updates. Set up
a cron job with the appropriate ftp/ncftp/wget commands for automatic updates.
NAI provides a script in their PDF manual. F-Secure AV comes with its own
update program. I would also strongly recommend subscribing to an alert
mailing list, which most AV companies offer, to get information about the
latest virus outbreaks.

Note: please keep in mind that an update process may fail. So your script
should first make a backup, then download the file(s), and after that run
the virus scanner against the eicar test file. If the virus scanner
does not exit with the exit code for "virus found", your script should
roll back and send an alert message to virusalert indicating that the update
process failed.
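
The backup, download, self-test and roll-back cycle just described, as an
added shell example; it is not one of the user-contributed scripts in section
4.1 and not AMaViS code. It assumes a scanner command that takes one file
argument and exits with a known "virus found" status (13 for uvscan according
to the table in section 3.2), definition files that are plain files in one
directory, and a caller-supplied shell function that performs the
vendor-specific download; the function names and the MAIL and ALERT_TO
variables are this example's own.

```shell
#!/bin/sh
# Added example, not one of the scripts shipped with AMaViS: a generic wrapper
# that backs up the definitions, runs a vendor-specific fetch function, tests
# the scanner against the EICAR file and rolls back (plus alert) on failure.
# Assumptions (not from the page): SCANNER takes one file argument and exits
# with VIRUS_RC on detection; DATDIR holds plain files; FETCH_FN is the name
# of a shell function that installs new definitions into DATDIR.

# Industry-standard, harmless detection test string (the "eicar test file").
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# backup_defs DATDIR BAKDIR: copy the current definitions aside.
backup_defs() {
    [ -d "$1" ] && [ -n "$2" ] || return 2
    rm -rf "$2" && mkdir -p "$2" && cp -p "$1"/* "$2"/
}

# restore_defs DATDIR BAKDIR: put the backed-up definitions back.
restore_defs() {
    [ -d "$1" ] && [ -d "$2" ] || return 2
    rm -f "$1"/* && cp -p "$2"/* "$1"/
}

# selftest SCANNER VIRUS_RC: succeed only if SCANNER flags the EICAR file.
selftest() {
    f=$(mktemp) || return 1
    printf '%s' "$EICAR" > "$f"
    "$1" "$f" && rc=0 || rc=$?
    rm -f "$f"
    [ "$rc" -eq "$2" ]
}

# alert MESSAGE: notify the virusalert address (MAIL and ALERT_TO are overridable).
alert() {
    echo "$*" | "${MAIL:-mail}" -s "virus definition update failed" "${ALERT_TO:-virusalert}"
}

# safe_update DATDIR BAKDIR SCANNER VIRUS_RC FETCH_FN
# Returns 0 when the new definitions passed the self-test, 1 after a roll-back,
# 2 when no backup could be made (nothing is touched in that case).
safe_update() {
    datdir=$1; bakdir=$2; scanner=$3; virus_rc=$4; fetch=$5
    backup_defs "$datdir" "$bakdir" || return 2
    if "$fetch" "$datdir" && selftest "$scanner" "$virus_rc"; then
        return 0
    fi
    restore_defs "$datdir" "$bakdir"
    alert "update of $datdir failed; previous definitions restored"
    return 1
}
```

Usage from a cron job, with a fetch function that wraps the wget/tar steps of
one of the scripts in 4.1.2:
`safe_update /usr/local/uvscan /var/backups/uvscan-dat /usr/local/uvscan/uvscan 13 fetch_nai`.
The self-test runs the scanner the same way AMaViS will, so a definition set
that unpacks fine but makes the scanner fail to start is caught as well.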
  477 
4.1 Update scripts
The scripts are provided by users without any warranty. Use them at your
own risk.

For Sophos, see also http://www.sophos.com/support/faqs/autodown.html
("How to automate the downloading of IDE files").

4.1.1 Script for Sophos Sweep by Reiner Keller
#!/bin/bash
set -e

# IDE directory: $SAV_IDE if set (see section 4), otherwise the path below.
cd "${SAV_IDE:-/usr/local/lib/sweep-IDE}"

# Build the download URL from the installed product version, e.g.
# "Product version: 3.45" becomes .../ide/345_ides.zip, and fetch it
# (-N: only if newer than the local copy).
url=$(/usr/local/bin/sweep -v | /usr/bin/grep "Product version" \
    | /usr/bin/sed -e "s/.*: \(.\)\.\(..\)$/http:\/\/www.sophos.com\/downloads\/ide\/\1\2_ides.zip/")
/usr/bin/wget -q -N "$url"
# unzip expands the ???_ides.zip wildcard itself; -n never overwrites existing files.
/usr/bin/unzip -q -n "???_ides.zip"

chmod 644 *

  498 
4.1.2.1 Script for NAI (McAfee) uvscan by Matt Burke
#!/bin/bash
set -e

rm -f .listing*

datdir="ftp://ftp.mcafee.com/pub/datfiles/english/"
uvdir=/usr/local/mcafee

# Fetch the FTP directory listing (-nr keeps the .listing file), take the
# tar file's name from it (field 4 of the listing line) and download that
# file as latest-dat.tar.
wget -q -O "$uvdir/latest-dat.tar" "$datdir/$(wget -qnr "$datdir" && grep tar .listing | awk '{print $4}')"

tar --overwrite --directory="$uvdir" -xf "$uvdir/latest-dat.tar"

4.1.2.2 Script for NAI uvscan by Brian K. West
#!/usr/bin/perl
# dailyupdate.pl
# Auto Update Daily DAT files from NAI uvscan for *nix
# By: Brian K. West <brian@bkw.org>
# Version 1.0.3
#
#  This is used for Daily Dat file from NAI for early prevention.
#  This version will email the admin when the DAT files are updated!
#  I have also done some touchups to make the code cleaner.
#  Also: $adminemail = "user\@domain.com";  you must escape the "@"
#
use LWP::Simple;
use Archive::Zip;

# Settings
$location = "http://download.nai.com/products/mcafee-avert/daily_dats/DAILYDAT.ZIP";
$tmpdir = "/tmp";
$uvscandir = "/usr/local/uvscan";
$mailprog = "/bin/mail";
$adminemail = "brian\@bkw.org";

$check = head("$location");
if ($check) {
    # Let's grab the next version if it's ready!  mirror() returns the HTTP
    # status: 304 means our copy is already current, 404 means nothing there.
    print "Downloading DAILYDAT.ZIP ...\n";
    $datfile = mirror("$location", "$tmpdir/DAILYDAT.ZIP");
    if ($datfile == 404) {
        print "No Daily Dat Update available!\n";
        exit;
    }
    if ($datfile == 304) {
        print "You have the latest Daily Dat file installed!\n";
        exit;
    }
} else {
    print "No Daily Dat Updates available!\n";
    exit;
}


my $zip = Archive::Zip->new("$tmpdir/DAILYDAT.ZIP") || die("error");
my @list = $zip->memberNames();
my $file;
print "Extracting DAILYDAT.ZIP to $uvscandir ...\n";
foreach $file (@list) {
    if (!($file =~ /.*\/$/)) {          # skip directory entries
        next if $file =~ /\.\./;        # never write outside $uvscandir
        my $data = $zip->contents($file);
        $file = lc($file);
        print "Installing: $file\n";
        open(OUTPART, ">$uvscandir/$file") || die("cannot write $uvscandir/$file: $!");
        print(OUTPART $data);
        close(OUTPART);
    }
}
#unlink("$tmpdir/DAILYDAT.ZIP");
$check = `$uvscandir/uvscan --version | $mailprog -s \"Virus Scan Daily DAT Updated\" $adminemail`;
print "Daily Dat Installed!\n";


#!/usr/bin/perl
#
# Auto Update DAT files from NAI uvscan for *nix
# By: Brian K. West <brian@bkw.org>
# Version 1.0.1
#
use LWP::Simple;
use Archive::Tar;

# Settings
$location = "http://download.nai.com/products/datfiles/4.x/nai";
$tmpdir = "/tmp";
$uvscandir = "/usr/local/uvscan";


# Get current version of the dat file (four digits from the "Virus data file" line).
$current = `$uvscandir/uvscan --version | grep \"Virus data file\" | awk '{ print substr(\$4,2,4) }'`;
chomp($current);
print "Current version installed: $current\n";
#$current = 4085;

# Increase version number by 1
$needed = $current + 1;

$check = head("$location/dat-$needed.tar");
if ($check) {
    # Let's grab the next version if it's ready!
    print "Downloading dat-$needed.tar ...\n";
    $datfile = mirror("$location/dat-$needed.tar", "$tmpdir/dat-$needed.tar");

    if ($datfile == 404) {
        print "No updates available!\n";
        exit;
    }
} else {
    print "No updates available!\n";
    exit;
}


my $tar = Archive::Tar->new("$tmpdir/dat-$needed.tar") || die("error");
my @list = $tar->list_files();
my $file;
print "Extracting dat-$needed.tar to $uvscandir ...\n";
foreach $file (@list) {
    if (!($file =~ /.*\/$/)) {          # skip directory entries
        next if $file =~ /\.\./;        # never write outside $uvscandir
        my $data = $tar->get_content($file);
        print "Installing: $file\n";
        open(OUTPART, ">$uvscandir/$file") || die("cannot write $uvscandir/$file: $!");
        print(OUTPART $data);
        close(OUTPART);
    }
}
unlink("$tmpdir/dat-$needed.tar");

$new = `$uvscandir/uvscan --version | grep \"Virus data file\" | awk '{ print substr(\$4,2,4) }'`;
chomp($new);
if ($new == $current) {
    print "Update Failed!\n";
    print "You may have to do it manually!\n";
    exit;
}
print "New installed version: $new\n";

4.1.2.3 Script for NAI DAT-files by Julio Cesar Covolato
(please have a look at http://www.psi.com.br/~julio/uvscan/ for the latest
version)

#!/bin/sh
###################################################################
#################        UVUPDATE-1.2       #######################
###################################################################
#   Script to automate downloading and install new dat files
#   from ftp.nai.com for the uvscan 4.x virus scanner.
###################################################################
#   $date	Fri Mar 16 01:12:43 EST 2001
###################################################################
#   Written by Julio Cesar Covolato <julio@psi.com.br>
###################################################################
#	Read the files README, INSTALL and CHANGES before install
###################################################################
#
###################################################################
#	MAKE THE CHANGES BELOW TO SUIT YOUR SYSTEM
###################################################################
#
################################################
# Where are your binary uvscan and datfiles ???
################################################

uvscan_dir=/usr/local/uvscan/

####################################
# setup our commonly used programs
####################################

grep=/bin/grep
mail=/bin/mail
wget=/usr/bin/wget
cut=/usr/bin/cut
tar=/bin/tar
rm=/bin/rm
ls=/bin/ls
chmod=/bin/chmod
sed=/bin/sed

#################################################################
# Setup email and subject to notify new versions, or problems :(
#################################################################

mail_to="root@localhost"
subject_ok=" UVSCAN - We got a new dat-file"
subject_bad=" UVSCAN - Something goes wrong :(( "
subject_nonew=" UVSCAN - No new dat-file for today"

############################################################
# Setup wget flags ( see "man 1 wget" ).
# If you are behind a firewall, you can add " --passive-ftp"
# Thanks to Viraj Alankar <valankar@ifxcorp.com>
############################################################

wget_opt="-N -q -t 30"

###################################################################
#	You don't need to make changes below
###################################################################

cd "${uvscan_dir}" || exit 1

# Get the version of the currently installed datfile

DATVERSION=$(./uvscan --version|${grep} "Virus data file"|${cut} -c 18-21)

# Get the latest txt file info (delta.ini) from NAI, if there is a new one.
${wget} ${wget_opt} ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/delta.ini

# Extract the dat-version from the file delta.ini

DATVERSIONEW=$(${grep} CurrentVersion delta.ini|${cut} -c 16-19)

if [ "${DATVERSION}" = "${DATVERSIONEW}" ]; then
    printf '\n\n\n\tThe uvscan has the latest version already!\n' | ${mail} -s "${subject_nonew}" ${mail_to}
    exit # No new version! :(( Maybe tomorrow! )
else
    # Get and Install it!!!
    ${wget} ${wget_opt} ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/dat-${DATVERSIONEW}.tar
    ${tar} xf dat-${DATVERSIONEW}.tar
    ${chmod} 744 *.dat
fi

# We got the new version installed! Test it...

NEWDAT=$(./uvscan --version|${grep} "Virus data file"|${cut} -c 18-21)

if [ "${NEWDAT}" = "${DATVERSIONEW}" ]; then
    # Send an email to me, notifying the new version!
    printf '\n\n\n\tNew dat file is: %s\n\n\n' "${NEWDAT}" > newvirus.txt
    ${sed} -n '/\* DV2/,/\* DV3/p' readme.txt >> newvirus.txt
    cat newvirus.txt|${mail} -s "${subject_ok}" ${mail_to}
    ${rm} -f dat-${DATVERSION}.tar # we don't need the old version anymore
else
    # Send an email to me, notifying that something went wrong... :((
    echo "Go there: ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/"|\
    ${mail} -s "${subject_bad}" ${mail_to}
fi
exit



4.1.3 Script for KasperskyLab AVP by Andy Wallace
#!/usr/bin/perl

use Net::FTP;
# in the libnet package - you may have to get it from CPAN - I did.

# Directory to download into
$DIR="/usr/local/AvpLinux";

# Get current time and date
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime(time);

# I just want this stuff so I can save each daily.zip as a different
# filename with a date attached, so I know I haven't missed any. Format is
# dailyddmmyy.zip (yes I'm British), so I need to make a few changes.

# Jan = 0, so add 1 to $mon
$mon++;
if ($mon<10) {
    $mon="0$mon";
}

# Days of month are 1-31, so that's OK
if($mday<10) {
    $mday="0$mday";
}

# gmtime thinks this year is 100! At least in my version of Perl...so don't
# use this script after 2099 :-)
$year -= 100;
if($year<10) {
    $year="0$year";
}

# Connect to FTP server and download daily.zip
$ftp = Net::FTP->new("ftp.kasperskylab.ru", Passive => 1)
    or die "cannot connect to ftp.kasperskylab.ru: $@";
$ftp->login("ftp", "someone\@somewhere.com");
$ftp->cwd("/bases");
$ftp->binary;
$ftp->get("daily.zip", "$DIR/daily$mday$mon$year.zip");
$ftp->quit;

# Check it turned up OK, if so unzip it, if not send an email
if (-e "$DIR/daily$mday$mon$year.zip") {
    system("/usr/bin/unzip -o -qq $DIR/daily$mday$mon$year.zip -d $DIR");
}
else {
    system("/bin/mail -s \"Antivirus daily update failure!\" root");
}

# Now restart AVP daemon to load updated virus library
system("/usr/local/AvpLinux/AvpDaemon -k");
system("/usr/local/AvpLinux/AvpDaemon -* /var/amavis");

# End of perl script

Put a call to this in your root crontab to run it every day, e.g.

00 20 * * * /usr/local/bin/getupdate.pl



5 Why AMaViS will never stop all viruses
AMaViS is not an antivirus scanner; it is only an "interface" for virus
scanning at the eMail gateway in combination with one (or even more) of the
virus scanners listed above. Virus detection and stopping therefore depend on
the quality of the virus scanner. To get an impression of the detection
rate of antivirus products, please have a look at Virus Bulletin
(www.virusbtn.com), Virus Test Center (http://agn-www.informatik.uni-hamburg.de/)
or AV-Test (www.av-test.com).
Please keep in mind that viruses in encrypted eMails/attachments cannot be
detected! Also, if an infected attachment file is compressed with a
compression format for which AMaViS is not configured (we believe that the
most important formats are covered, though), it gets through, unless the
virus scanner(s) used is/are able to decode/uncompress it.
If this happens, it's the job of your client-side anti-virus software to
detect and stop the virus from spreading when the attachment gets decrypted
or uncompressed.


5.1 Blocking certain file(s) / file type(s)
AMaViS does not currently support blocking certain files by type or extension,
e.g. .vbs or .exe. Such a capability may be added in the future. But please
keep in mind that the file extension can be forged as easily as the MIME type.
I advise you to read a posting to NTBugTraq from Nick FitzGerald, online
at http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0005&L=ntbugtraq&F=&S=&P=11152.
  829 
  830 5.1 Blocking certain file(s) / file type(s)
  831 AMaViS does not currently support blocking certain files by type or extension,
  832 e.g. .vbs or .exe. Such a capability may be added in the future. But please
  833 keep in mind that the file extension can be forged as easily as the MIME-type.
  834 I advise you to read a posting to NTBugTraq from Nick FitzGerald, online
  835 at http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0005&L=ntbugtraq&F=&S=&P=11152.