---------------------------------------
This file is old and not up-to-date !!!
---------------------------------------
AMaViS & virus scanners
***********************
Contents:
1 List of supported antivirus products
2 Setting up the commandline options
3 Antivirus product information
3.1 Specific Antivirus product information
3.1.1 How to use Kaspersky Anti-Virus AVPDaemon
3.1.2 Kaspersky Anti-Virus
3.1.3 VirusBuster (Daemon / Client)
3.2 Return codes
4 Updates
4.1 Update scripts
4.1.1 Script for Sophos Sweep
4.2.2 Script for NAI uvscan
4.2.3 Script for Kaspersky Anti-Virus
5 Why AMaViS will never stop all viruses
5.1 Blocking certain file(s) / file type(s)
1 List of supported antivirus products
AMaViS currently supports the following antivirus products (mostly for Linux)
* CyberSoft VFind
* F-Secure Inc. (former DataFellows) F-Secure AV
* H+BEDV AntiVir/X
* Kaspersky Anti-Virus (kavscanner and kavdaemon)
* Network Associates Virus Scan for Linux
* Sophos Sweep
* Trend Micro FileScanner
* CAI InoculateIT (currently only the old 4.x version is supported!)
* GeCAD RAV AntiVirus 8 (engine version 8.5 or better required!)
* ESET Software NOD32 (command line scanner and daemon/client)
* Command AntiVirus for Linux
* VirusBuster
* Sophie, using Sophos AntiVirus Interface
* Trophie, using Trend Micro API
* FRISK F-Prot / F-Prot Daemon
* OpenAntiVirus ScannerDaemon
* DrWeb Antivirus for Linux/FreeBSD/Solaris (no support for DrWeb Daemon yet)
* MkS_Vir for Linux
* CentralCommand Vexira
* Norman Virus Control for Linux
If you miss support for a specific product, please write to
Rainer Link <link@suse.de>.
For an up-to-date product list, see http://www.openantivirus.org/
2 Setting up the commandline option
I advise you to look at the commandline parameters for the scanner(s) you use
with AMaViS. Each scanner has its own section at the beginning of the scanmails
script and the commandline options can be set with <product_name>_cmdl, i.e.
antvir_cmdl. Please read the documentation of your antivirus software
carefully and add (or remove) specific options.
If an antivirus product provides the functionally to scan inside (run-time)
compressed files (i.e. Diet, LzExe, PkLite, UPX) and archived files
(i.e. PkZIP, RAR), I would advise to switch this on, if it's not on by default.
3 Antivirus product information
3.1 Specific Antivirus product information
3.1.1 How to use Kaspersky Anti-Virus AVPDaemon
Two possible setups exist:
a) AVPDaemon and AVPDaemonClient (in new package renamed to AvpDaemonTst)
switch into AVPDaemon/DaemonClients and compile AvpDaemonClient.cpp (new
location seems to be Sample) with a simple "make". Then copy this file to
the location where AVPDaemon is installed (i.e. /usr/local/avp or /opt/AVP).
Run configure, make and make install.
b) AVPDaemon alone (AVPDaemon works in daemon mode and client mode)
symlink AvpDaemonClient to AvpDaemon, as configure searches for AvpDaemonClient
(and AvpDaemonTst). In amavis/av/avpdc, change the line
$output = `$avpdc $TEMPDIR/parts`;
to
$output = `$avpdc -o{$TEMPDIR/parts/}`;
run ./configure, make and make install.
Well, AVPDaemon (in client mode) shows no output and it can not be switched
to verbose mode. Therefore setup a) is the one I currently recommend,
otherwise your logfiles don't show which file(s) is/are infected.
NOTE: AvpDaemon must be running as a daemon, so it should be started at
boot time via an init script (or whatver) as <path>/AvpDaemon -* /var/amavis
3.1.2 Kaspersky Anti-Virus
AvpLinx fills the log with a lot of trash because of a simple progress
bar by loading the AVC files.
If you do not want to have "log flooding", you may set
LongStrings=Yes
in file defUnix.prf, section Options. This will reduce the output when
AvpLinux is loading the AVC files.
3.1.3 Virus Buster (Daemon + Client)
Please keep in mind the VirusBuster Daemon has to run under the same
user id AMaViS runs as. Moreover, VirusBuster returns 3 for an infection
(which is not in sync with the man page).
3.1.4 Sophie / Trophie
By default, Sophie/Trophie creates a socket in /var/run, owned by root, group
uucp (read/writeable by owner and group). As AMaViS runs as user amavis,
it cannot connect to the socket. Please change the group
accordingly in sophie.h/trophie.h and re-compile.
If Sophie/Trophie is installed, but configure doesn't detect it, you need
to upgrade to version 1.15/1.03, resp., or better.
3.1.5 GeCAD RAV AntiVirus 8
The command line options changed with a new version of the virus scanning
engine. Therefore, you need at least engine version 8.5. If your engine is
too old, please update it (i.e. "ravav -UPDATE"). Just as a side note, with
the new engine, an update is later done with -u.
3.1.6 MkS_Vir for Linux
MkS expects its config file mks_vir.cfg in /etc.
3.2 Return codes
-----------------------------------------------------------------------
NAI VirusScan (uvscan) return codes:
-----------------------------------------------------------------------
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
as of version 4.x documentation "uvscan.pdf" or "unix403.pdf":
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 No errors occured; no viruses were found.
2 Driver integrity check failed.
6 A general problem.
8 Could not find a driver.
10 A virus was found in memory.
13 One or more viruses or hostile objects were found.
15 VirusScan self-check failed; it may be infected or damaged.
102 User quit via ESC-X, ^C or Exit button.
Exit code 102 occurs where the scan encounters an unespected error, such as
denied access or memory shortage. On these occasions, the scan exits
immediately and does not finish the scan.
-----------------------------------------------------------------------
Sophos Sweep Return Codes:
-----------------------------------------------------------------------
Bernhard Nowotny <nowotny@sigma-c.de> writes:
Error codes returned by SWEEP (thanks to christian.weber@sophos.com):
SWEEP returns error codes if there is an error or if a virus is found
SWEEP returns:
0 If no errors are encountered and no viruses are found
1 If the user interrupts the execution by pressing ESC
2 If some error preventing further execution is discovered, or if
compressed files have been found when using the -WC command line
qualifier
3 If viruses or virus fragments are discovered
A different set of error codes will be returned if SWEEP is run with the
-eec command line qualifier.
0 If no errors are encountered and no viruses are found
8 If survivable errors have occured
12 If compressed files have been found and decompressed
16 If compressed files have been found and not decompressed
20 If viruses have been found and disinfected
24 If viruses have been found and not disinfected
28 If viruses have been found in memory
32 If there has been an integrity check failure
36 If unsurvivable errors have occured
40 If execution has been interrupted
-------------------------------------------------------------------------
Kaspersky Anti-Virus (formerly AntiViral Toolkit Pro):
-------------------------------------------------------------------------
return codes of AvpLinux and AvpDaemonClient according to Readme.txt
0 No viruses were found
1 Virus scan was not complete
3 Suspicious objects were found
4 Known viruses were detected
5 All detected viruses have been deleted
7 File AvpLinux is corrupted
--------------------------------------------------------------------------
DataFellows F-Secure AntiVirus:
--------------------------------------------------------------------------
return codes of F-Secure AV according to fsav_lin.pdf documentation
0 Normal exit; no viruses or suspicious files found.
1 Abnormal termination; unrecoverable error.
(Usually a missing or corrupted file.)
2 Self-test failed; program has been modified.
3 A boot virus or file virus found.
5 Program was terminated by pressing CTRL-C,
or by a sigterm or suspend event.
6 At least one virus was removed.
7 Out of memory.
8 Suspicious files found;
these are not necessarily infected by a virus.
------------------------------------------------------------------------
H+BEDV AntiVir/X
-------------------------------------------------------------------------
NOTE: Since AntiVir 6.12.x you must have a (valid) license key! Either
a free license for private use or a commercial license. Otherwise
AntiVir/X returns always 214 - regardless if a virus was found or not
and this is quite useless for AMaViS.
AntiVir/X return codes according to antivir --help
0: Normales Programmende, kein Virus, kein Fehler
0: normal program termination, no virus, no error
1: Virus in Datei (oder Bootsektor) gefunden
1: found virus in file (or bootsector)
2: Virus (evtl. aktiv) im Speicher gefunden
2: found virus (active?) in memory
100: AntiVir hat nur den Hilfetext angezeigt
100: AntiVir displays only help text
101: Es wurde ein Makro in einer Datei gefunden
101: macro found in a file
102: Der Parameter -once war angegeben und AntiVir lief bereits
102: parameter -once used, but AntiVir runs already before
200: Programmabbruch wegen Speichermangel
200: not enough memory - program termination
201: Die angegeben Responsedatei wurde nicht gefunden
201: response file not found
202: Innerhalb einer Responsedatei wurde @<rsp> angegeben
202: a respons file contains @<rsp>
203: Ungueltiger Parameter angegeben
203: unknown option
204: Ungueltiges Verzeichnis angegeben
204: directory not found
205: Die angegebene Reportdatei konnte nicht erzeugt werden
205: could not generate a report file
210: AntiVir hat eine benoetigte DLL nicht gefunden
210: AntiVir could not found a required lib
211: Programm abgebrochen, da Selbstpruefung fehlgeschlagen
211: Program termination - self check failed
212: Die Datei antivir.vdf nicht gefunden oder Lesefehler
212: File antivir.vdf not found or read error
213: Initialisierungsfehler
213: program init failed
214: Lizenzdatei nicht gefunden
214: License key not found
-----------------------------------------------------------------------
Trend Micro FileScanner (vscan) return codes:
-----------------------------------------------------------------------
0: no virus found
1: virus found
2: virus found
I do not have a list of return codes. Consider three files a, b and c. a and
b are infected, c is not infected:
/etc/iscan/vscan /tmp/test/a - return code: 1
/etc/iscan/vscan -a /tmp/test/* - return code: 2
/etc/iscan/vscan -a /tmp/test/ - return code: 0 (although two viruses
were detected)
-----------------------------------------------------------------------
Cybersoft VFind Return Codes:
-----------------------------------------------------------------------
0 If no errors are encountered and no viruses are found
23 If viruses or virus fragments are discovered
138 License expired or invalid.
255 A general error.
-----------------------------------------------------------------------
CAI InoculateIT - inocucmd command line utility 4.0:
-----------------------------------------------------------------------
100 - A virus was detected.
>2 - Some type of scan failure.
1 - User pressed cntrl-C.
0 - The scan has completed. No viruses were detected.
-----------------------------------------------------------------------
Command AntiVirus for Linux Return Codes:
-----------------------------------------------------------------------
Code Description
--- -----------
0-13: Fatal exceptions occurred. Abnormal termination.
5: Break signaled. The user interrupted the scan process
via the Break key.
13: The program performed GPF (General Protection Fault).
50: Nothing found.
51: At least one infection found.
52: At least one suspicious file found.
53: At least one virus was disinfected.
100: Scan engine shared library is incorrect or incompatible.
No scan was performed.
101: Scan engine failed to initialize. Insufficient memory
or critical condition. No scan was performed.
102: sign.def is either missing or is corrupt.
103: macro.def is either missing or is corrupt.
104: -virlist or -virno specified on the command line
105: -today has been specified and a scan has already been made
this day.
106: english.tx1 is either missing or is corrupt. NOTE: This
applies only to CSAV versions 4.57 or higher.
-----------------------------------------------------------------------
Virus Buster for Linux Return Codes:
-----------------------------------------------------------------------
Error codes according man page
OK (0) = everything is ok, no viruses.
VIRKILLED
(1) = Virus found and killed.
VIRNOTKILLED
(2) = Virus found not killed.
HEFOUND
(3) = heuristically Suspicious
HEUDOCFOUND
(4) = heuristically suspicious DOC file=20
PACKER
(5) = Packed file
IMMUNIZER
(6) = Immunizing hit
VSKMSG (7) = VSK message
SCANERROR
(64)= Error during scanning
ENGERROR
(65)= Engine error
EMPTYFNAME
(66)= There is no filename to scan
NOSUCCDMSTOP
(67)= Unable to stop the daemon
NOSUCCSTART
(68)= Unable to start the daemon
STATUSFAIL
(69)= Unable to ask the status
NOENARG (70)= Too less orr wrong parameters
UNKNCOMM
(71)= Unknown command
UNKNOPT (72)= Unknown option
DMTIMEOUT
(73)= Unable to connect to the daemon (timeout)
NOTREGISPRG
(74)= The program is not registered. You can't
start the client.
-----------------------------------------------------------------------
FRISK F-Prot for Linux Return Codes:
-----------------------------------------------------------------------
0 Normal exit. Nothing found, nothing done.
1 Unrecoverable error (for example, missing SIGN.DEF).
2 Selftest failed (program has been modified).
3 At least one virus-infected object was found.
4 <not used>
5 Abnormal termination (scanning did not finish).
6 At least one virus was removed.
7 Error, out of memory (should never happen, but well...)
8 Something suspicious was found, but no recognized virus.
-----------------------------------------------------------------------
GECAD RAV AntiVirus for Linux Return Codes:
-----------------------------------------------------------------------
#FILE_OK 1
#FILE_INFECTED 2
#FILE_SUSPICIOUS 3
#FILE_CLEANED 4
#FILE_CLEAN_FAIL 5
#FILE_DELETED 6
#FILE_DELETE_FAIL 7
#FILE_COPIED 8
#FILE_COPY_FAIL 9
#FILE_MOVED 10
#FILE_MOVE_FAIL 11
#FILE_RENAMED 12
#FILE_RENAMED_FAIL 13
#NO_FILES 20
#ENG_ERROR 30
#SINTAX_ERR 31
#HELP_MSG 32
#VIR_LIST 33
-----------------------------------------------------------------------
ESET Software NOD32 for Linux Return Codes:
-----------------------------------------------------------------------
NOD32_EXIT_CODE_OK 0
NOD32_EXIT_CODE_VIRUS 1
NOD32_EXIT_CODE_CLEANED 2
NOD32_EXIT_INTERNAL_ERROR 10
-----------------------------------------------------------------------
CentralCommand Vexira/Linux Return Codes:
-----------------------------------------------------------------------
Vexira is based on H+BEDV AntiVir/Linux, therefore the command line
parameters and return values seem to be completly identical
0: Normal program termination, no virus, no error
1: Virus found in a file or boot sector
2: A virus signature was found in memory
100: Vexira Antivirus only has displayed this help text
101: A macro was found in a document file
102: The option -once was gven and Vexira Antivirus already ran today
200: Program aborted, not enough memory available
201: The given response file could not be found
202: Within a response file another @<rsp> directive was found
203: Invalid option
204: Invalid (non-existent) directory given at command line
205: The log file could not be created
210: Vexira Antivirus could not find a necessary dll file
211: Programm aborted, because the self check failed
212: The file vexira.vdf could not be read
213: An error occured during initialisation
214: License key not found
--------------------------------------------------------------------------
Norman Virus Control for Linux:
--------------------------------------------------------------------------
return codes of Norman Virus Control according to man page
0 - No error
1 - File or boot sector virus found
2 - Virus detected in memory
3 - No scan area given
4 - Configuration file changed
5 - Bad argument
6 - I/O error
8 - Program error
10 - Files skipped
14 - virus detected and removed
4 Updates
Some antivirus companies provide updates for the virus definition files
(pattern files) for the latest virus/latest viruses in (a) small extra
file(s), i.e. Sophos Anti-Virus virus identities (IDE). See
http://www.sophos.com/downloads/ide/ for more information about IDE files.
For versions of sweep older than 3.37, these files are located in the
directory ide/ below your Sophos tree, i.e. /opt/sophos/ide and the
environment variable SAV_IDE should therefore be set to SAV_IDE=/opt/sophos/ide
in the AMaViS script. From sweep version 3.37 on, this is no longer necessary,
as sweep reads the ide directory location from /etc/sav.conf. The default is
/usr/local/sav.
NAI provides an extra driver, which has to be specified on the command line
via --extra /path-to/EXTRA.DAT
Please keep in mind that your antivirus software needs regular updates. Set up
a cron job with the appropriate ftp/ncftp/wget commands for automatic updates.
NAI provides a script in their PDF manual. F-Secure AV comes with their own
update program. I would also strongly recommand to subscribe to an alert
mailinglist, which most AV companies offer, to get information about the
latest virus outbreaks.
Note: please keep in mind an update process may fail. So, your script
should do first a backup, download the file(s) and after that starting
the virus scanner to check the eicar test file virus. If the virus scanner
does not exit with exit code "virus found" then your script should do
a roll-back and send an alert message to virusalert indication update
process failed.
4.1 Update scripts
The scripts are provided by users without any warranty. Use them on your
own risk.
For Sophos, see also http://www.sophos.com/support/faqs/autodown.html
("How to automate the downloading of IDE files").
4.1.1 Script for Sophos Sweep by Reiner Keller
#!/bin/bash
#cd $SAV_IDE
cd /usr/local/lib/sweep-IDE
/usr/bin/wget -q -N `/usr/local/bin/sweep -v |/usr/bin/grep "Product version"
|/usr/bin/sed -e "s/.*: \(.\)\.\(..\)$/
http:\/\/www.sophos.com\/downloads\/ide\/\1\2_ides.zip/"`
/usr/bin/unzip -q -n "???_ides.zip"
chmod 644 *
4.1.2.1 Script for NAI (McAfee) uvscan by Matt Burke
#!/bin/bash
rm -f .listing*
datdir="ftp://ftp.mcafee.com/pub/datfiles/english/"
uvdir=/usr/local/mcafee
wget -q -O $uvdir/latest-dat.tar $datdir/`wget -qnr $datdir && grep tar
.listing | awk {'print $4'}`
tar --overwrite --directory=$uvdir -xf $uvdir/latest-dat.tar
4.1.2.2 Script for NAI uvscan by Brian K. West
#!/usr/bin/perl
# dailyupdate.pl
# Auto Update Daily DAT files from NAI uvscan for *nix
# By: Brian K. West <brian@bkw.org>
# Version 1.0.3
#
# This is used for Daily Dat file from NAI for early prevention.
# This version will email the admin when the DAT files are updated!
# I have also done some touchups to make the code cleaner.
# Also: $adminemail = "user\@domain.com"; you must escape the "@"
#
use LWP::Simple;
use Archive::Zip;
# Settings
$location = "http://download.nai.com/products/mcafee-avert/daily_dats/DAILYDAT.ZIP";
$tmpdir = "/tmp";
$uvscandir = "/usr/local/uvscan";
$mailprog = "/bin/mail";
$adminemail = "brian\@bkw.org";
$check = head("$location");
if($check) {
# Lets grab the next version if its ready!
print "Downloading DAILYDAT.ZIP ...\n";
$datfile = mirror("$location", "$tmpdir/DAILYDAT.ZIP");
if($datfile == "404") {
print "No Daily Dat Update avaliable!\n";
exit;
}
if($datfile == "304") {
print "You have the latest Daily Dat file installed!\n";
exit;
}
} else {
print "No Daily Dat Updates avaliable!\n";
exit;
}
my $zip = Archive::Zip->new("$tmpdir/DAILYDAT.ZIP") || die("error");
my @list = $zip->memberNames();
my $file;
print "Extracting DAILYDAT.ZIP to $uvscandir ...\n";
foreach $file (@list) {
if (!($file =~ /.*\/$/)) {
my $data = $zip->contents($file);
$file = lc($file);
my $newpart = "$tmpdir/$file";
print "Installing: $file\n";
open(OUTPART, ">$uvscandir/$file");
print(OUTPART $data);
close(OUTPART);
}
}
#unlink("$tmpdir/DAILYDAT.ZIP");
$check = `$uvscandir/uvscan --version | $mailprog -s \"Virus Scan Daily DAT Updated\" $adminemail`;
print "Daily Dat Installed!\n";
#!/usr/bin/perl
#
# Auto Update DAT files from NAI uvscan for *nix
# By: Brian K. West <brian@bkw.org>
# Version 1.0.1
#
use LWP::Simple;
use Archive::Tar;
# Settings
$location = "http://download.nai.com/products/datfiles/4.x/nai";
$tmpdir = "/tmp";
$uvscandir = "/usr/local/uvscan";
# Get Current Version of dat file.
$current = `$uvscandir/uvscan --version | grep \"Virus data file\" | awk '{ print substr(\$4,2,4) }'`;
print "Current version installed: $current";
#$current = 4085;
# Increase version number by 1
$needed = $current + 1;
$check = head("$location/dat-$needed.tar");
if($check) {
# Lets grab the next version if its ready!
print "Downloading dat-$needed.tar ...\n";
$datfile = mirror("$location/dat-$needed.tar", "$tmpdir/dat-$needed.tar");
if($datfile == "404") {
print "No updates avaliable!\n";
exit;
}
} else {
print "No updates avaliable!\n";
exit;
}
my $tar = Archive::Tar->new("$tmpdir/dat-$needed.tar") || die("error");
my @list = $tar->list_files();
my $file;
print "Extracting dat-$needed.tar to $uvscandir ...\n";
foreach $file (@list) {
if (!($file =~ /.*\/$/)) {
my $data = $tar->get_content($file);
my $newpart = "$tmpdir/$file";
print "Installing: $file\n";
open(OUTPART, ">$uvscandir/$file");
print(OUTPART $data);
close(OUTPART);
}
}
unlink("$tmpdir/dat-$needed.tar");
$new = `$uvscandir/uvscan --version | grep \"Virus data file\" | awk '{ print substr(\$4,2,4) }'`;
if($new == $current) {
print "Update Failed!\n";
print "You may have to do it manually!\n";
exit;
}
print "New installed version: $new";
4.1.2.3 Script for NAI DAT-files by Julio Cesar Covolato
(please have a look at http://www.psi.com.br/~julio/uvscan/ for the latest
version)
#!/bin/sh
###################################################################
################# UVUPDATE-1.2 #######################
###################################################################
# Script to automate downloading and install new dat files
# from ftp.nai.com for the uvscan 4.x virus scanner.
###################################################################
# $date Fri Mar 16 01:12:43 EST 2001
###################################################################
# Written by Julio Cesar Covolato <julio@psi.com.br>
###################################################################
# Read the files README, INSTALL and CHANGES before install
###################################################################
#
#
#
###################################################################
# MAKE THE CHANGES BELOW TO SUIT YOUR SISTEM
###################################################################
#
################################################
# Where are your binary uvscan and datfiles ???
################################################
uvscan_dir=/usr/local/uvscan/
####################################
# setup our commonly used programs
####################################
grep=/bin/grep
mail=/bin/mail
wget=/usr/bin/wget
cut=/usr/bin/cut
tar=/bin/tar
rm=/bin/rm
ls=/bin/ls
chmod=/bin/chmod
sed=/bin/sed
#################################################################
# Setup email and subject to notify news versions, or problems :(
#################################################################
mail_to="root@localhost"
subject_ok=" UVSCAN - We got a new dat-file"
subject_bad=" UVSCAN - Something goes wrong :(( "
subject_nonew=" UVSCAN - No new dat-file for today"
############################################################
# Setup wget flags ( see "man 1 wget" ).
# If you are behind a firewall, you can add " --passive-ftp"
# Thanks to Viraj Alankar <valankar@ifxcorp.com>
############################################################
wget_opt="-N -q -t 30"
###################################################################
# You don't need make changes below
###################################################################
cd ${uvscan_dir}
# Get the actual running version of the datfile
DATVERSION=$(./uvscan --version|grep "Virus data file"|${cut} -c 18-21)
# Get the latest txt file info (delta.ini) from NAI, if there are a new one.
${wget} ${wget_opt} ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/delta.ini
# Extract the dat-version from the file delta.ini
DATVERSIONEW=$(${grep} CurrentVersion delta.ini|${cut} -c 16-19)
if [ ${DATVERSION} = ${DATVERSIONEW} ];
then
echo -e "\n\n\n\tThe uvscan has the latest version yet!"|${mail} -s "${subject_nonew}" ${mail_to}
exit # No new version! :(( Maybe tomorrow! )
else
# Get and Install it!!!
${wget} ${wget_opt} ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/dat-${DATVERSIONEW}.tar
${tar} xf dat-${DATVERSIONEW}.tar
${chmod} 744 *.dat
fi
# We got the new version installed! Test it...
NEWDAT=$(./uvscan --version|grep "Virus data file"|${cut} -c 18-21)
if [ ${NEWDAT} = ${DATVERSIONEW} ];
then
# Send an email to me, notifying the new version!
echo -e "\n\n\n\tNew dat file is: ${NEWDAT}\n\n\n" > newvirus.txt
$(sed) -n '/\* DV2/,/\* DV3/p' readme.txt >> newvirus.txt
cat newvirus.txt|${mail} -s "${subject_ok}" ${mail_to}
${rm} -f dat-$DATVERSION.tar # we don't need anymore the old version
else
# Send an email to me, notifying that anything goes wrong... :((
echo "Go there: ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/"|\
${mail} -s "${subject_bad}" ${mail_to}
fi
exit
4.1.3 Script for KasperskyLab AVP by Andy Wallace
#!/usr/bin/perl
use Net::FTP;
# in the libnet package - you may have to get it from CPAN - I did.
# Directory to download into
$DIR="/usr/local/AvpLinux";
# Get current time and date
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime(time);
# I just want this stuff so I can save each daily.zip as a different
filename with a date attached, so I know I haven't missed any. Format is
dailyddmmyy.zip (yes I'm British), so I need to make a few changes.
# Jan = 0, so add 1 to $mon
$mon++;
if ($mon<10) {
$mon="0$mon";
}
# Days of month are 1-31, so that's OK
if($mday<10) {
$mday="0$mday";
}
# gmtime thinks this year is 100! At least in my version of Perl...so
don't
use this script after 2099 :-)
$year -= 100;
if($year<10) {
$year="0$year";
}
# Connect to FTP server and download daily.zip
$ftp = NET::FTP->new("ftp.kasperskylab.ru", Passive, 1);
$ftp->login("ftp", someone\@somewhere.com");
$ftp->cwd("/bases");
$ftp->binary;
$ftp->get("daily.zip", "$DIR/daily$mday$mon$year.zip");
$ftp->quit;
# Check it turned up OK, if so unzip it, if not send an email
if (-e "$DIR/daily$mday$mon$year.zip") {
system("/usr/bin/unzip -o -qq $DIR/daily$mday$mon$year.zip -d
$DIR");
}
else {
system("/bin/mail -s \"Antivirus daily update failure!\" root");
}
# Now restart AVP daemon to load updated virus library
system("/usr/local/AvpLinux/AvpDaemon -k");
system("/usr/local/AvpLinux/AvpDaemon -* /var/amavis");
# End of perl script
Put a call to this in your root crontab to run it every day. e.g.
00 20 * * * /usr/local/bin/getupdate.pl
5 Why AMaViS will never stop all viruses
AMaViS is not an antivirus scanner, it's only an "interface" for virus
scanning at the eMail gateway in combination with one (or even) more of the
virus scanners listed above. Virus detection and stopping depends therefore on
the quality of the virus scanner. To get an impression about the detection
rate of antivirus products, please have a look at Virus Bulletin
(www.virusbtn.com), Virus Test Center (http://agn-www.informatik.uni-hamburg.de/)
or AV-Test (www.av-test.com).
Please keep in mind that viruses in encrypted eMails/attachments cannot be
detected! Also, if an infected attachment file is compressed with a
compression format for which AMaViS is not configured (we believe that the
most important formats are covered, though), it gets through, unless the
virus scanner(s) used is/are able to decode/uncompress it.
If this happens, it's the job of your client-side anti-virus software to
detect and stop the virus from spreading when the attachment gets decrypted
or uncompressed.
5.1 Blocking certain file(s) / file type(s)
AMaViS does not currently support blocking certain files by type or extension,
e.g. .vbs or .exe. Such a capability may be added in the future. But please
keep in mind that the file extension can be forged as easily as the MIME-type.
I advise you to read a posting to NTBugTraq from Nick FitzGerald, online
at http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0005&L=ntbugtraq&F=&S=&P=11152.
