---------------------------------------
This file is old and not up-to-date !!!
---------------------------------------

AMaViS & virus scanners
***********************

Contents:
1 List of supported antivirus products
2 Setting up the commandline options
3 Antivirus product information
3.1 Specific Antivirus product information
3.1.1 How to use Kaspersky Anti-Virus AVPDaemon
3.1.2 Kaspersky Anti-Virus
3.1.3 VirusBuster (Daemon / Client)
3.1.4 Sophie / Trophie
3.1.5 GeCAD RAV AntiVirus 8
3.1.6 MkS_Vir for Linux
3.2 Return codes
4 Updates
4.1 Update scripts
4.1.1 Script for Sophos Sweep
4.1.2 Scripts for NAI uvscan
4.1.3 Script for Kaspersky Anti-Virus
5 Why AMaViS will never stop all viruses
5.1 Blocking certain file(s) / file type(s)


1 List of supported antivirus products
AMaViS currently supports the following antivirus products (mostly for Linux):

* CyberSoft VFind
* F-Secure Inc. (former DataFellows) F-Secure AV
* H+BEDV AntiVir/X
* Kaspersky Anti-Virus (kavscanner and kavdaemon)
* Network Associates Virus Scan for Linux
* Sophos Sweep
* Trend Micro FileScanner
* CAI InoculateIT (currently only the old 4.x version is supported!)
* GeCAD RAV AntiVirus 8 (engine version 8.5 or better required!)
* ESET Software NOD32 (command line scanner and daemon/client)
* Command AntiVirus for Linux
* VirusBuster
* Sophie, using Sophos AntiVirus Interface
* Trophie, using Trend Micro API
* FRISK F-Prot / F-Prot Daemon
* OpenAntiVirus ScannerDaemon
* DrWeb Antivirus for Linux/FreeBSD/Solaris (no support for DrWeb Daemon yet)
* MkS_Vir for Linux
* CentralCommand Vexira
* Norman Virus Control for Linux

If you miss support for a specific product, please write to
Rainer Link <link@suse.de>.
For an up-to-date product list, see http://www.openantivirus.org/


2 Setting up the commandline options
I advise you to look at the commandline parameters for the scanner(s) you use
with AMaViS.
Each scanner has its own section at the beginning of the scanmails
script and the commandline options can be set with <product_name>_cmdl, e.g.
antvir_cmdl. Please read the documentation of your antivirus software
carefully and add (or remove) specific options.
If an antivirus product provides the functionality to scan inside (run-time)
compressed files (e.g. Diet, LzExe, PkLite, UPX) and archived files
(e.g. PkZIP, RAR), I would advise switching this on, if it's not on by default.

3 Antivirus product information
3.1 Specific Antivirus product information
3.1.1 How to use Kaspersky Anti-Virus AVPDaemon

Two possible setups exist:
a) AVPDaemon and AVPDaemonClient (in new package renamed to AvpDaemonTst)
switch into AVPDaemon/DaemonClients and compile AvpDaemonClient.cpp (new
location seems to be Sample) with a simple "make". Then copy this file to
the location where AVPDaemon is installed (e.g. /usr/local/avp or /opt/AVP).
Run configure, make and make install.

b) AVPDaemon alone (AVPDaemon works in daemon mode and client mode)
symlink AvpDaemonClient to AvpDaemon, as configure searches for AvpDaemonClient
(and AvpDaemonTst). In amavis/av/avpdc, change the line

  $output = `$avpdc $TEMPDIR/parts`;

to

  $output = `$avpdc -o{$TEMPDIR/parts/}`;

run ./configure, make and make install.
Well, AVPDaemon (in client mode) shows no output and it can not be switched
to verbose mode. Therefore setup a) is the one I currently recommend,
otherwise your logfiles don't show which file(s) is/are infected.

NOTE: AvpDaemon must be running as a daemon, so it should be started at
boot time via an init script (or whatever) as <path>/AvpDaemon -* /var/amavis

3.1.2 Kaspersky Anti-Virus
AvpLinux fills the log with a lot of trash because of a simple progress
bar when loading the AVC files.
If you do not want to have "log flooding", you may set

LongStrings=Yes

in file defUnix.prf, section Options.
This will reduce the output when
AvpLinux is loading the AVC files.

3.1.3 VirusBuster (Daemon + Client)
Please keep in mind the VirusBuster Daemon has to run under the same
user id AMaViS runs as. Moreover, VirusBuster returns 3 for an infection
(which is not in sync with the man page).

3.1.4 Sophie / Trophie
By default, Sophie/Trophie creates a socket in /var/run, owned by root, group
uucp (read/writeable by owner and group). As AMaViS runs as user amavis,
it cannot connect to the socket. Please change the group
accordingly in sophie.h/trophie.h and re-compile.
If Sophie/Trophie is installed, but configure doesn't detect it, you need
to upgrade to version 1.15/1.03, resp., or better.

3.1.5 GeCAD RAV AntiVirus 8

The command line options changed with a new version of the virus scanning
engine. Therefore, you need at least engine version 8.5. If your engine is
too old, please update it (e.g. "ravav -UPDATE"). Just as a side note, with
the new engine, an update is later done with -u.

3.1.6 MkS_Vir for Linux

MkS expects its config file mks_vir.cfg in /etc.


3.2 Return codes
-----------------------------------------------------------------------
 NAI VirusScan (uvscan) return codes:
-----------------------------------------------------------------------
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
as of version 4.x documentation "uvscan.pdf" or "unix403.pdf":
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   0  No errors occurred; no viruses were found.
   2  Driver integrity check failed.
   6  A general problem.
   8  Could not find a driver.
  10  A virus was found in memory.
  13  One or more viruses or hostile objects were found.
  15  VirusScan self-check failed; it may be infected or damaged.
 102  User quit via ESC-X, ^C or Exit button.

 Exit code 102 occurs where the scan encounters an unexpected error, such as
 denied access or memory shortage. On these occasions, the scan exits
 immediately and does not finish the scan.

-----------------------------------------------------------------------
 Sophos Sweep Return Codes:
-----------------------------------------------------------------------
Bernhard Nowotny <nowotny@sigma-c.de> writes:
Error codes returned by SWEEP (thanks to christian.weber@sophos.com):
 SWEEP returns error codes if there is an error or if a virus is found
 SWEEP returns:
   0  If no errors are encountered and no viruses are found
   1  If the user interrupts the execution by pressing ESC
   2  If some error preventing further execution is discovered, or if
      compressed files have been found when using the -WC command line
      qualifier
   3  If viruses or virus fragments are discovered

 A different set of error codes will be returned if SWEEP is run with the
 -eec command line qualifier.
   0  If no errors are encountered and no viruses are found
   8  If survivable errors have occurred
  12  If compressed files have been found and decompressed
  16  If compressed files have been found and not decompressed
  20  If viruses have been found and disinfected
  24  If viruses have been found and not disinfected
  28  If viruses have been found in memory
  32  If there has been an integrity check failure
  36  If unsurvivable errors have occurred
  40  If execution has been interrupted

-------------------------------------------------------------------------
 Kaspersky Anti-Virus (formerly AntiViral Toolkit Pro):
-------------------------------------------------------------------------
 return codes of AvpLinux and AvpDaemonClient according to Readme.txt

   0  No viruses were found
   1  Virus scan was not complete
   3  Suspicious objects were found
   4  Known viruses were detected
   5  All detected viruses have been deleted
   7  File AvpLinux is corrupted


--------------------------------------------------------------------------
 DataFellows F-Secure AntiVirus:
--------------------------------------------------------------------------
 return codes of F-Secure AV according to fsav_lin.pdf documentation


   0  Normal exit; no viruses or suspicious files found.
   1  Abnormal termination; unrecoverable error.
      (Usually a missing or corrupted file.)
   2  Self-test failed; program has been modified.
   3  A boot virus or file virus found.
   5  Program was terminated by pressing CTRL-C,
      or by a sigterm or suspend event.
   6  At least one virus was removed.
   7  Out of memory.
   8  Suspicious files found;
      these are not necessarily infected by a virus.


-------------------------------------------------------------------------
 H+BEDV AntiVir/X
-------------------------------------------------------------------------

NOTE: Since AntiVir 6.12.x you must have a (valid) license key! Either
a free license for private use or a commercial license. Otherwise
AntiVir/X always returns 214 - regardless of whether a virus was found or
not - and this is quite useless for AMaViS.

 AntiVir/X return codes according to antivir --help (German original,
 English translation below each line)

   0: Normales Programmende, kein Virus, kein Fehler
   0: normal program termination, no virus, no error
   1: Virus in Datei (oder Bootsektor) gefunden
   1: found virus in file (or bootsector)
   2: Virus (evtl. aktiv) im Speicher gefunden
   2: found virus (possibly active) in memory
 100: AntiVir hat nur den Hilfetext angezeigt
 100: AntiVir displayed only the help text
 101: Es wurde ein Makro in einer Datei gefunden
 101: macro found in a file
 102: Der Parameter -once war angegeben und AntiVir lief bereits
 102: parameter -once used, but AntiVir already ran
 200: Programmabbruch wegen Speichermangel
 200: not enough memory - program termination
 201: Die angegeben Responsedatei wurde nicht gefunden
 201: response file not found
 202: Innerhalb einer Responsedatei wurde @<rsp> angegeben
 202: a response file contains @<rsp>
 203: Ungueltiger Parameter angegeben
 203: unknown option
 204: Ungueltiges Verzeichnis angegeben
 204: directory not found
 205: Die angegebene Reportdatei konnte nicht erzeugt werden
 205: could not create the report file
 210: AntiVir hat eine benoetigte DLL nicht gefunden
 210: AntiVir could not find a required lib
 211: Programm abgebrochen, da Selbstpruefung fehlgeschlagen
 211: Program termination - self check failed
 212: Die Datei antivir.vdf nicht gefunden oder Lesefehler
 212: File antivir.vdf not found or read error
 213: Initialisierungsfehler
 213: program init failed
 214: Lizenzdatei nicht gefunden
 214: License key not found

-----------------------------------------------------------------------
 Trend Micro FileScanner (vscan) return codes:
-----------------------------------------------------------------------

   0: no virus found
   1: virus found
   2: virus found

 I do not have a list of return codes. Consider three files a, b and c. a and
 b are infected, c is not infected:
   /etc/iscan/vscan /tmp/test/a     - return code: 1
   /etc/iscan/vscan -a /tmp/test/*  - return code: 2
   /etc/iscan/vscan -a /tmp/test/   - return code: 0 (although two viruses
                                      were detected)

-----------------------------------------------------------------------
 Cybersoft VFind Return Codes:
-----------------------------------------------------------------------
   0  If no errors are encountered and no viruses are found
  23  If viruses or virus fragments are discovered
 138  License expired or invalid.
 255  A general error.

-----------------------------------------------------------------------
 CAI InoculateIT - inocucmd command line utility 4.0:
-----------------------------------------------------------------------
 100 - A virus was detected.
  >2 - Some type of scan failure.
   1 - User pressed Ctrl-C.
   0 - The scan has completed. No viruses were detected.

-----------------------------------------------------------------------
 Command AntiVirus for Linux Return Codes:
-----------------------------------------------------------------------
Code  Description
----  -----------
0-13: Fatal exceptions occurred. Abnormal termination.
5:    Break signaled. The user interrupted the scan process
      via the Break key.
13:   The program performed GPF (General Protection Fault).

50:   Nothing found.
51:   At least one infection found.
52:   At least one suspicious file found.
53:   At least one virus was disinfected.

100:  Scan engine shared library is incorrect or incompatible.
      No scan was performed.
101:  Scan engine failed to initialize. Insufficient memory
      or critical condition. No scan was performed.
102:  sign.def is either missing or is corrupt.
103:  macro.def is either missing or is corrupt.
104:  -virlist or -virno specified on the command line
105:  -today has been specified and a scan has already been made
      this day.
106:  english.tx1 is either missing or is corrupt. NOTE: This
      applies only to CSAV versions 4.57 or higher.

-----------------------------------------------------------------------
 Virus Buster for Linux Return Codes:
-----------------------------------------------------------------------
Error codes according to the man page

 OK           (0)  = everything is ok, no viruses.

 VIRKILLED    (1)  = Virus found and killed.
 VIRNOTKILLED (2)  = Virus found, not killed.
 HEFOUND      (3)  = heuristically suspicious
 HEUDOCFOUND  (4)  = heuristically suspicious DOC file
 PACKER       (5)  = Packed file
 IMMUNIZER    (6)  = Immunizing hit
 VSKMSG       (7)  = VSK message
 SCANERROR    (64) = Error during scanning
 ENGERROR     (65) = Engine error
 EMPTYFNAME   (66) = There is no filename to scan
 NOSUCCDMSTOP (67) = Unable to stop the daemon
 NOSUCCSTART  (68) = Unable to start the daemon
 STATUSFAIL   (69) = Unable to ask the status
 NOENARG      (70) = Too few or wrong parameters
 UNKNCOMM     (71) = Unknown command
 UNKNOPT      (72) = Unknown option
 DMTIMEOUT    (73) = Unable to connect to the daemon (timeout)
 NOTREGISPRG  (74) = The program is not registered. You can't
                     start the client.

-----------------------------------------------------------------------
 FRISK F-Prot for Linux Return Codes:
-----------------------------------------------------------------------

   0  Normal exit. Nothing found, nothing done.
   1  Unrecoverable error (for example, missing SIGN.DEF).
   2  Selftest failed (program has been modified).
   3  At least one virus-infected object was found.
   4  <not used>
   5  Abnormal termination (scanning did not finish).
   6  At least one virus was removed.
   7  Error, out of memory (should never happen, but well...)
   8  Something suspicious was found, but no recognized virus.


-----------------------------------------------------------------------
 GECAD RAV AntiVirus for Linux Return Codes:
-----------------------------------------------------------------------
#FILE_OK            1
#FILE_INFECTED      2
#FILE_SUSPICIOUS    3
#FILE_CLEANED       4
#FILE_CLEAN_FAIL    5
#FILE_DELETED       6
#FILE_DELETE_FAIL   7
#FILE_COPIED        8
#FILE_COPY_FAIL     9
#FILE_MOVED        10
#FILE_MOVE_FAIL    11
#FILE_RENAMED      12
#FILE_RENAMED_FAIL 13

#NO_FILES          20

#ENG_ERROR         30
#SINTAX_ERR        31
#HELP_MSG          32
#VIR_LIST          33


-----------------------------------------------------------------------
 ESET Software NOD32 for Linux Return Codes:
-----------------------------------------------------------------------

NOD32_EXIT_CODE_OK          0
NOD32_EXIT_CODE_VIRUS       1
NOD32_EXIT_CODE_CLEANED     2
NOD32_EXIT_INTERNAL_ERROR  10


-----------------------------------------------------------------------
 CentralCommand Vexira/Linux Return Codes:
-----------------------------------------------------------------------
Vexira is based on H+BEDV AntiVir/Linux, therefore the command line
parameters and return values seem to be completely identical

   0: Normal program termination, no virus, no error
   1: Virus found in a file or boot sector
   2: A virus signature was found in memory
 100: Vexira Antivirus only has displayed this help text
 101: A macro was found in a document file
 102: The option -once was given and Vexira Antivirus already ran today
 200: Program aborted, not enough memory available
 201: The given response file could not be found
 202: Within a response file another @<rsp> directive was found
 203: Invalid option
 204: Invalid (non-existent) directory given at command line
 205: The log file could not be created
 210: Vexira Antivirus could not find a necessary dll file
 211: Program aborted, because the self check failed
 212: The file vexira.vdf could not be read
 213: An error occurred during initialisation
 214: License key not found


--------------------------------------------------------------------------
 Norman Virus Control for Linux:
--------------------------------------------------------------------------
 return codes of Norman Virus Control according to man page

   0 - No error
   1 - File or boot sector virus found
   2 - Virus detected in memory
   3 - No scan area given
   4 - Configuration file changed
   5 - Bad argument
   6 - I/O error
   8 - Program error
  10 - Files skipped
  14 - virus detected and removed



4 Updates
Some antivirus companies provide updates for the virus definition files
(pattern files) for the latest virus(es) in (a) small extra
file(s), e.g. Sophos Anti-Virus virus identities (IDE). See
http://www.sophos.com/downloads/ide/ for more information about IDE files.
For versions of sweep older than 3.37, these files are located in the
directory ide/ below your Sophos tree, e.g. /opt/sophos/ide, and the
environment variable SAV_IDE should therefore be set to SAV_IDE=/opt/sophos/ide
in the AMaViS script. From sweep version 3.37 on, this is no longer necessary,
as sweep reads the ide directory location from /etc/sav.conf. The default is
/usr/local/sav.

NAI provides an extra driver, which has to be specified on the command line
via --extra /path-to/EXTRA.DAT


Please keep in mind that your antivirus software needs regular updates.
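As an added example (not part of AMaViS and not one of the user-contributed scripts below), the following POSIX shell functions turn the return-code tables of section 3.2 into a fail-closed verdict and use that verdict for the backup / download / EICAR check / roll-back sequence that the update note in section 4 asks for. EICAR_FILE, DAT_DIR, ALERT_TO and MAILER are assumed environment variables for this example, not AMaViS settings.

```shell
#!/bin/sh
# Added example (not AMaViS code): fail-closed interpretation of scanner exit
# codes, used to verify a definition update against an EICAR test file.
# Assumed environment (not AMaViS settings):
#   EICAR_FILE  path to an EICAR test file already on disk
#   DAT_DIR     directory holding the scanner's definition files
#   ALERT_TO    mail recipient for failures (default: virusalert)
#   MAILER      mail command (default: mail)

# classify SCANNER EXITCODE -> prints clean, infected or error.
# Codes come from the return-code tables in section 3.2. Anything not listed
# there as "clean" or as a detection is "error" (the scan cannot be trusted):
# e.g. AntiVir 214 (no license key), uvscan 102 (scan aborted), AVP 1 (scan
# incomplete). vscan is only reliable per file: "vscan -a dir/" returns 0
# even when it found viruses, so scan files one at a time.
classify() {
    case "$1:$2" in
        uvscan:0|sweep:0|sweep-eec:0|sweep-eec:12|avp:0|fsav:0|antivir:0|\
        vscan:0|vfind:0|fprot:0|nod32:0|virusbuster:0|norman:0)
            echo clean ;;
        uvscan:10|uvscan:13|sweep:3|sweep-eec:2[048]|avp:[345]|fsav:[368]|\
        antivir:[12]|vscan:[12]|vfind:23|fprot:[368]|nod32:[12]|\
        virusbuster:[1234]|norman:1|norman:2|norman:14)
            echo infected ;;
        *)
            echo error ;;
    esac
}

# verify_scanner SCANNER CMD...: run CMD on the EICAR file and succeed only
# when the exit status classifies as "infected".
verify_scanner() {
    vs_scanner=$1; shift
    [ -f "$EICAR_FILE" ] || { echo "EICAR test file missing" >&2; return 2; }
    "$@" "$EICAR_FILE" >/dev/null 2>&1
    vs_rc=$?
    [ "$(classify "$vs_scanner" "$vs_rc")" = infected ]
}

# alert SUBJECT BODY: notify the operator (the docs suggest "virusalert").
alert() {
    echo "$2" | ${MAILER:-mail} -s "$1" "${ALERT_TO:-virusalert}"
}

# update_definitions SCANNER FETCH_CMD SCAN_CMD...: backup, download, EICAR
# check, roll back on failure. FETCH_CMD is a shell command string (e.g. a
# wget + tar pipeline) executed inside DAT_DIR.
update_definitions() {
    ud_scanner=$1; ud_fetch=$2; shift 2
    ud_backup="$DAT_DIR.bak.$$"
    rm -rf "$ud_backup"
    cp -R -p "$DAT_DIR" "$ud_backup" || return 2      # no backup, no update
    if (cd "$DAT_DIR" && sh -c "$ud_fetch") && verify_scanner "$ud_scanner" "$@"
    then
        rm -rf "$ud_backup"
        return 0
    fi
    # Download failed, or the updated scanner no longer flags EICAR: put the
    # previous definitions back and tell the operator.
    rm -rf "$DAT_DIR" && mv "$ud_backup" "$DAT_DIR"
    alert "virus scanner update failed" \
        "$ud_scanner definition update failed verification; rolled back"
    return 1
}
```

A cron job would call e.g. `update_definitions uvscan "wget -q -N ftp://.../dat-NNNN.tar && tar xf dat-NNNN.tar" /usr/local/uvscan/uvscan` with the real archive name filled in.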
Set up a cron job with the appropriate ftp/ncftp/wget commands for automatic
updates. NAI provides a script in their PDF manual. F-Secure AV comes with
their own update program. I would also strongly recommend subscribing to an
alert mailing list, which most AV companies offer, to get information about
the latest virus outbreaks.

Note: please keep in mind that an update process may fail. So, your script
should first make a backup, then download the file(s), and then run the
virus scanner against the EICAR test file. If the virus scanner does not exit
with the "virus found" exit code, your script should roll back and send an
alert message to virusalert indicating that the update process failed.

4.1 Update scripts
The scripts are provided by users without any warranty. Use them at your
own risk.

For Sophos, see also http://www.sophos.com/support/faqs/autodown.html
("How to automate the downloading of IDE files").

4.1.1 Script for Sophos Sweep by Reiner Keller
#!/bin/bash

#cd $SAV_IDE
cd /usr/local/lib/sweep-IDE

# Derive the IDE archive URL from the installed sweep version, e.g.
# "Product version : 3.45" becomes .../345_ides.zip, and fetch it only if it
# is newer than the local copy (-N).
ide_url=$(/usr/local/bin/sweep -v | /usr/bin/grep "Product version" |
  /usr/bin/sed -e "s/.*: \(.\)\.\(..\)$/http:\/\/www.sophos.com\/downloads\/ide\/\1\2_ides.zip/")
/usr/bin/wget -q -N "$ide_url"
# The pattern stays unquoted so the shell expands it to the downloaded archive
/usr/bin/unzip -q -n ???_ides.zip

chmod 644 *


4.1.2.1 Script for NAI (McAfee) uvscan by Matt Burke
#!/bin/bash

rm -f .listing*

datdir="ftp://ftp.mcafee.com/pub/datfiles/english/"
uvdir=/usr/local/mcafee

# Fetch the FTP directory listing (kept as .listing), take the tar file name
# from it and download that archive as latest-dat.tar
wget -q -O $uvdir/latest-dat.tar $datdir/`wget -qnr $datdir && grep tar .listing | awk '{print $4}'`

tar --overwrite --directory=$uvdir -xf $uvdir/latest-dat.tar

4.1.2.2 Script for NAI uvscan by Brian K. West
#!/usr/bin/perl
# dailyupdate.pl
# Auto Update Daily DAT files from NAI uvscan for *nix
# By: Brian K. West <brian@bkw.org>
# Version 1.0.3
#
# This is used for Daily Dat file from NAI for early prevention.
# This version will email the admin when the DAT files are updated!
# I have also done some touchups to make the code cleaner.
# Also: $adminemail = "user\@domain.com"; you must escape the "@"
#
use LWP::Simple;
use Archive::Zip;

# Settings
$location = "http://download.nai.com/products/mcafee-avert/daily_dats/DAILYDAT.ZIP";
$tmpdir = "/tmp";
$uvscandir = "/usr/local/uvscan";
$mailprog = "/bin/mail";
$adminemail = "brian\@bkw.org";

# head() succeeds only if the URL exists
$check = head("$location");
if($check) {
  # Lets grab the next version if its ready!
  print "Downloading DAILYDAT.ZIP ...\n";
  # mirror() returns the HTTP status: 404 = not there, 304 = local copy is current
  $datfile = mirror("$location", "$tmpdir/DAILYDAT.ZIP");
  if($datfile == 404) {
    print "No Daily Dat Update available!\n";
    exit;
  }
  if($datfile == 304) {
    print "You have the latest Daily Dat file installed!\n";
    exit;
  }
} else {
  print "No Daily Dat Updates available!\n";
  exit;
}


my $zip = Archive::Zip->new("$tmpdir/DAILYDAT.ZIP") || die("error");
my @list = $zip->memberNames();
my $file;
print "Extracting DAILYDAT.ZIP to $uvscandir ...\n";
foreach $file (@list) {
  # skip directory entries, install every file under a lower-case name
  if (!($file =~ /.*\/$/)) {
    my $data = $zip->contents($file);
    $file = lc($file);
    print "Installing: $file\n";
    open(OUTPART, ">$uvscandir/$file") || die("cannot write $uvscandir/$file: $!");
    print(OUTPART $data);
    close(OUTPART);
  }
}
#unlink("$tmpdir/DAILYDAT.ZIP");
$check = `$uvscandir/uvscan --version | $mailprog -s \"Virus Scan Daily DAT Updated\" $adminemail`;
print "Daily Dat Installed!\n";


#!/usr/bin/perl
#
# Auto Update DAT files from NAI uvscan for *nix
# By: Brian K. West <brian@bkw.org>
# Version 1.0.1
#
use LWP::Simple;
use Archive::Tar;

# Settings
$location = "http://download.nai.com/products/datfiles/4.x/nai";
$tmpdir = "/tmp";
$uvscandir = "/usr/local/uvscan";


# Get Current Version of dat file.
$current = `$uvscandir/uvscan --version | grep \"Virus data file\" | awk '{ print substr(\$4,2,4) }'`;
print "Current version installed: $current";
#$current = 4085;

# Increase version number by 1
$needed = $current + 1;

$check = head("$location/dat-$needed.tar");
if($check) {
  # Lets grab the next version if its ready!
  print "Downloading dat-$needed.tar ...\n";
  $datfile = mirror("$location/dat-$needed.tar", "$tmpdir/dat-$needed.tar");

  if($datfile == 404) {
    print "No updates available!\n";
    exit;
  }
} else {
  print "No updates available!\n";
  exit;
}


my $tar = Archive::Tar->new("$tmpdir/dat-$needed.tar") || die("error");
my @list = $tar->list_files();
my $file;
print "Extracting dat-$needed.tar to $uvscandir ...\n";
foreach $file (@list) {
  # skip directory entries
  if (!($file =~ /.*\/$/)) {
    my $data = $tar->get_content($file);
    print "Installing: $file\n";
    open(OUTPART, ">$uvscandir/$file") || die("cannot write $uvscandir/$file: $!");
    print(OUTPART $data);
    close(OUTPART);
  }
}
unlink("$tmpdir/dat-$needed.tar");

$new = `$uvscandir/uvscan --version | grep \"Virus data file\" | awk '{ print substr(\$4,2,4) }'`;
if($new == $current) {
  print "Update Failed!\n";
  print "You may have to do it manually!\n";
  exit;
}
print "New installed version: $new";

4.1.2.3 Script for NAI DAT-files by Julio Cesar Covolato
(please have a look at http://www.psi.com.br/~julio/uvscan/ for the latest
version)

#!/bin/sh
###################################################################
#################    UVUPDATE-1.2   #######################
###################################################################
# Script to automate downloading and install new dat files
# from ftp.nai.com for the uvscan 4.x virus scanner.
###################################################################
# $date Fri Mar 16 01:12:43 EST 2001
###################################################################
# Written by Julio Cesar Covolato <julio@psi.com.br>
###################################################################
# Read the files README, INSTALL and CHANGES before install
###################################################################
#
#
#
###################################################################
# MAKE THE CHANGES BELOW TO SUIT YOUR SYSTEM
###################################################################
#
################################################
# Where are your binary uvscan and datfiles ???
################################################

uvscan_dir=/usr/local/uvscan/

####################################
# setup our commonly used programs
####################################

grep=/bin/grep
mail=/bin/mail
wget=/usr/bin/wget
cut=/usr/bin/cut
tar=/bin/tar
rm=/bin/rm
ls=/bin/ls
chmod=/bin/chmod
sed=/bin/sed

#################################################################
# Setup email and subject to notify news versions, or problems :(
#################################################################

mail_to="root@localhost"
subject_ok=" UVSCAN - We got a new dat-file"
subject_bad=" UVSCAN - Something goes wrong :(( "
subject_nonew=" UVSCAN - No new dat-file for today"

############################################################
# Setup wget flags ( see "man 1 wget" ).
# If you are behind a firewall, you can add " --passive-ftp"
# Thanks to Viraj Alankar <valankar@ifxcorp.com>
############################################################

wget_opt="-N -q -t 30"

###################################################################
# You don't need make changes below
###################################################################

cd ${uvscan_dir}

# Get the actual running version of the datfile

DATVERSION=$(./uvscan --version|${grep} "Virus data file"|${cut} -c 18-21)

# Get the latest txt file info (delta.ini) from NAI, if there is a new one.
${wget} ${wget_opt} ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/delta.ini

# Extract the dat-version from the file delta.ini

DATVERSIONEW=$(${grep} CurrentVersion delta.ini|${cut} -c 16-19)

if [ ${DATVERSION} = ${DATVERSIONEW} ];
  then
    echo -e "\n\n\n\tThe uvscan has the latest version yet!"|${mail} -s "${subject_nonew}" ${mail_to}
    exit # No new version! :(( Maybe tomorrow! )
  else
    # Get and Install it!!!
    ${wget} ${wget_opt} ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/dat-${DATVERSIONEW}.tar
    ${tar} xf dat-${DATVERSIONEW}.tar
    ${chmod} 744 *.dat
fi

# We got the new version installed! Test it...

NEWDAT=$(./uvscan --version|${grep} "Virus data file"|${cut} -c 18-21)

if [ ${NEWDAT} = ${DATVERSIONEW} ];
  then
    # Send an email to me, notifying the new version!
    echo -e "\n\n\n\tNew dat file is: ${NEWDAT}\n\n\n" > newvirus.txt
    ${sed} -n '/\* DV2/,/\* DV3/p' readme.txt >> newvirus.txt
    cat newvirus.txt|${mail} -s "${subject_ok}" ${mail_to}
    ${rm} -f dat-$DATVERSION.tar # we don't need the old version anymore
  else
    # Send an email to me, notifying that something went wrong... :((
    echo "Go there: ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/"|\
    ${mail} -s "${subject_bad}" ${mail_to}
fi
exit




4.1.3 Script for KasperskyLab AVP by Andy Wallace
#!/usr/bin/perl

use Net::FTP;
# in the libnet package - you may have to get it from CPAN - I did.

# Directory to download into
$DIR="/usr/local/AvpLinux";

# Get current time and date
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime(time);

# I just want this stuff so I can save each daily.zip as a different
# filename with a date attached, so I know I haven't missed any. Format is
# dailyddmmyy.zip (yes I'm British), so I need to make a few changes.

# Jan = 0, so add 1 to $mon
$mon++;
if ($mon<10) {
  $mon="0$mon";
}

# Days of month are 1-31, so that's OK
if($mday<10) {
  $mday="0$mday";
}

# gmtime thinks this year is 100! At least in my version of Perl...so don't
# use this script after 2099 :-)
$year -= 100;
if($year<10) {
  $year="0$year";
}

# Connect to FTP server and download daily.zip
$ftp = Net::FTP->new("ftp.kasperskylab.ru", Passive => 1)
  or die "cannot connect to ftp.kasperskylab.ru: $@";
$ftp->login("ftp", "someone\@somewhere.com");
$ftp->cwd("/bases");
$ftp->binary;
$ftp->get("daily.zip", "$DIR/daily$mday$mon$year.zip");
$ftp->quit;

# Check it turned up OK, if so unzip it, if not send an email
if (-e "$DIR/daily$mday$mon$year.zip") {
  system("/usr/bin/unzip -o -qq $DIR/daily$mday$mon$year.zip -d $DIR");
}
else {
  system("/bin/mail -s \"Antivirus daily update failure!\" root");
}

# Now restart AVP daemon to load updated virus library
system("/usr/local/AvpLinux/AvpDaemon -k");
system("/usr/local/AvpLinux/AvpDaemon -* /var/amavis");

# End of perl script

Put a call to this in your root crontab to run it every day, e.g.

00 20 * * * /usr/local/bin/getupdate.pl



5 Why AMaViS will never stop all viruses
AMaViS is not an antivirus scanner, it's only an "interface" for virus
scanning at the eMail gateway in combination with one (or even more) of the
virus scanners listed above. Virus detection and stopping therefore depends on
the quality of the virus scanner. To get an impression about the detection
rate of antivirus products, please have a look at Virus Bulletin
(www.virusbtn.com), Virus Test Center (http://agn-www.informatik.uni-hamburg.de/)
or AV-Test (www.av-test.com).
Please keep in mind that viruses in encrypted eMails/attachments cannot be
detected! Also, if an infected attachment file is compressed with a
compression format for which AMaViS is not configured (we believe that the
most important formats are covered, though), it gets through, unless the
virus scanner(s) used is/are able to decode/uncompress it.
If this happens, it's the job of your client-side anti-virus software to
detect and stop the virus from spreading when the attachment gets decrypted
or uncompressed.


5.1 Blocking certain file(s) / file type(s)
AMaViS does not currently support blocking certain files by type or extension,
e.g. .vbs or .exe. Such a capability may be added in the future. But please
keep in mind that the file extension can be forged as easily as the MIME-type.
I advise you to read a posting to NTBugTraq from Nick FitzGerald, online
at http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0005&L=ntbugtraq&F=&S=&P=11152.