---------------------------------------
This file is old and not up-to-date !!!
---------------------------------------

AMaViS & virus scanners
***********************

Contents:
1 List of supported antivirus products
2 Setting up the commandline options
3 Antivirus product information
3.1 Specific Antivirus product information
3.1.1 How to use Kaspersky Anti-Virus AVPDaemon
3.1.2 Kaspersky Anti-Virus
3.1.3 VirusBuster (Daemon / Client)
3.1.4 Sophie / Trophie
3.1.5 GeCAD RAV AntiVirus 8
3.1.6 MkS_Vir for Linux
3.2 Return codes
4 Updates
4.1 Update scripts
4.1.1 Script for Sophos Sweep
4.1.2 Scripts for NAI uvscan
4.1.3 Script for Kaspersky Anti-Virus
5 Why AMaViS will never stop all viruses
5.1 Blocking certain file(s) / file type(s)


1 List of supported antivirus products
AMaViS currently supports the following antivirus products (mostly for Linux):

* CyberSoft VFind
* F-Secure Inc. (former DataFellows) F-Secure AV
* H+BEDV AntiVir/X
* Kaspersky Anti-Virus (kavscanner and kavdaemon)
* Network Associates Virus Scan for Linux
* Sophos Sweep
* Trend Micro FileScanner
* CAI InoculateIT (currently only the old 4.x version is supported!)
* GeCAD RAV AntiVirus 8 (engine version 8.5 or better required!)
* ESET Software NOD32 (command line scanner and daemon/client)
* Command AntiVirus for Linux
* VirusBuster
* Sophie, using Sophos AntiVirus Interface
* Trophie, using Trend Micro API
* FRISK F-Prot / F-Prot Daemon
* OpenAntiVirus ScannerDaemon
* DrWeb Antivirus for Linux/FreeBSD/Solaris (no support for DrWeb Daemon yet)
* MkS_Vir for Linux
* CentralCommand Vexira
* Norman Virus Control for Linux

If you miss support for a specific product, please write to
Rainer Link <link@suse.de>.
For an up-to-date product list, see http://www.openantivirus.org/

54
2 Setting up the commandline options
I advise you to look at the commandline parameters for the scanner(s) you use
with AMaViS. Each scanner has its own section at the beginning of the scanmails
script, and the commandline options can be set with <product_name>_cmdl, e.g.
antivir_cmdl. Please read the documentation of your antivirus software
carefully and add (or remove) specific options.
If an antivirus product provides the functionality to scan inside (run-time)
compressed files (e.g. Diet, LzExe, PkLite, UPX) and archived files
(e.g. PkZIP, RAR), I would advise switching this on, if it's not on by default.

3 Antivirus product information
3.1 Specific Antivirus product information
3.1.1 How to use Kaspersky Anti-Virus AVPDaemon

Two possible setups exist:
a) AVPDaemon and AVPDaemonClient (in the new package renamed to AvpDaemonTst)
Switch into AVPDaemon/DaemonClients and compile AvpDaemonClient.cpp (the new
location seems to be Sample) with a simple "make". Then copy this file to
the location where AVPDaemon is installed (e.g. /usr/local/avp or /opt/AVP).
Run configure, make and make install.

b) AVPDaemon alone (AVPDaemon works in daemon mode and client mode)
Symlink AvpDaemonClient to AvpDaemon, as configure searches for AvpDaemonClient
(and AvpDaemonTst). In amavis/av/avpdc, change the line

 $output = `$avpdc $TEMPDIR/parts`;

to

 $output = `$avpdc -o{$TEMPDIR/parts/}`;

and run ./configure, make and make install.
However, AVPDaemon (in client mode) shows no output and it cannot be switched
to verbose mode. Therefore setup a) is the one I currently recommend;
otherwise your logfiles don't show which file(s) is/are infected.

NOTE: AvpDaemon must be running as a daemon, so it should be started at
boot time via an init script (or whatever) as <path>/AvpDaemon -* /var/amavis

3.1.2 Kaspersky Anti-Virus
AvpLinux fills the log with a lot of junk, because it prints a simple progress
bar while loading the AVC files.
If you do not want this "log flooding", you may set

LongStrings=Yes

in the file defUnix.prf, section Options. This will reduce the output when
AvpLinux is loading the AVC files.

3.1.3 VirusBuster (Daemon / Client)
Please keep in mind that the VirusBuster daemon has to run under the same
user id AMaViS runs as. Moreover, VirusBuster returns 3 for an infection
(which is not in sync with the man page).

3.1.4 Sophie / Trophie
By default, Sophie/Trophie creates a socket in /var/run, owned by root, group
uucp (readable/writeable by owner and group). As AMaViS runs as user amavis,
it cannot connect to the socket. Please change the group
accordingly in sophie.h/trophie.h and re-compile.
If Sophie/Trophie is installed, but configure doesn't detect it, you need
to upgrade to version 1.15/1.03, respectively, or better.

3.1.5 GeCAD RAV AntiVirus 8

The command line options changed with a new version of the virus scanning
engine. Therefore, you need at least engine version 8.5. If your engine is
too old, please update it (e.g. "ravav -UPDATE"). Just as a side note, with
the new engine, an update is later done with -u.

3.1.6 MkS_Vir for Linux

MkS expects its config file mks_vir.cfg in /etc.

128
3.2 Return codes
-----------------------------------------------------------------------
 NAI VirusScan (uvscan) return codes:
-----------------------------------------------------------------------
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
as of version 4.x documentation "uvscan.pdf" or "unix403.pdf":
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    0  No errors occurred; no viruses were found.
    2  Driver integrity check failed.
    6  A general problem.
    8  Could not find a driver.
   10  A virus was found in memory.
   13  One or more viruses or hostile objects were found.
   15  VirusScan self-check failed; it may be infected or damaged.
  102  User quit via ESC-X, ^C or Exit button.

  Exit code 102 occurs where the scan encounters an unexpected error, such as
  denied access or memory shortage. On these occasions, the scan exits
  immediately and does not finish the scan.

-----------------------------------------------------------------------
 Sophos Sweep Return Codes:
-----------------------------------------------------------------------
Bernhard Nowotny <nowotny@sigma-c.de> writes:
Error codes returned by SWEEP (thanks to christian.weber@sophos.com):
  SWEEP returns error codes if there is an error or if a virus is found
  SWEEP returns:
    0  If no errors are encountered and no viruses are found
    1  If the user interrupts the execution by pressing ESC
    2  If some error preventing further execution is discovered, or if
       compressed files have been found when using the -WC command line
       qualifier
    3  If viruses or virus fragments are discovered

  A different set of error codes will be returned if SWEEP is run with the
  -eec command line qualifier.
    0  If no errors are encountered and no viruses are found
    8  If survivable errors have occurred
   12  If compressed files have been found and decompressed
   16  If compressed files have been found and not decompressed
   20  If viruses have been found and disinfected
   24  If viruses have been found and not disinfected
   28  If viruses have been found in memory
   32  If there has been an integrity check failure
   36  If unsurvivable errors have occurred
   40  If execution has been interrupted

-------------------------------------------------------------------------
 Kaspersky Anti-Virus (formerly AntiViral Toolkit Pro):
-------------------------------------------------------------------------
 return codes of AvpLinux and AvpDaemonClient according to Readme.txt

    0  No viruses were found
    1  Virus scan was not complete
    3  Suspicious objects were found
    4  Known viruses were detected
    5  All detected viruses have been deleted
    7  File AvpLinux is corrupted


--------------------------------------------------------------------------
 DataFellows F-Secure AntiVirus:
--------------------------------------------------------------------------
 return codes of F-Secure AV according to fsav_lin.pdf documentation


    0   Normal exit; no viruses or suspicious files found.
    1   Abnormal termination; unrecoverable error.
        (Usually a missing or corrupted file.)
    2   Self-test failed; program has been modified.
    3   A boot virus or file virus found.
    5   Program was terminated by pressing CTRL-C,
        or by a sigterm or suspend event.
    6   At least one virus was removed.
    7   Out of memory.
    8   Suspicious files found;
        these are not necessarily infected by a virus.


------------------------------------------------------------------------
 H+BEDV AntiVir/X
-------------------------------------------------------------------------

NOTE: Since AntiVir 6.12.x you must have a (valid) license key! Either
a free license for private use or a commercial license. Otherwise
AntiVir/X always returns 214, regardless of whether a virus was found or not,
and this is quite useless for AMaViS.

 AntiVir/X return codes according to antivir --help

   0: Normal program termination, no virus, no error
   1: Virus found in a file (or boot sector)
   2: Virus (possibly active) found in memory
 100: AntiVir only displayed the help text
 101: A macro was found in a file
 102: The parameter -once was given and AntiVir was already running
 200: Program aborted due to lack of memory
 201: The given response file was not found
 202: Within a response file, @<rsp> was given
 203: Invalid parameter given
 204: Invalid directory given
 205: The given report file could not be created
 210: AntiVir could not find a required DLL
 211: Program aborted because the self check failed
 212: File antivir.vdf not found or read error
 213: Initialisation error
 214: License file not found

-----------------------------------------------------------------------
 Trend Micro FileScanner (vscan) return codes:
-----------------------------------------------------------------------

     0: no virus found
     1: virus found
     2: virus found

 I do not have a list of return codes. Consider three files a, b and c. a and
 b are infected, c is not infected:
 /etc/iscan/vscan /tmp/test/a - return code: 1
 /etc/iscan/vscan -a /tmp/test/* - return code: 2
 /etc/iscan/vscan -a /tmp/test/ - return code: 0 (although two viruses
 were detected)

-----------------------------------------------------------------------
 Cybersoft VFind Return Codes:
-----------------------------------------------------------------------
    0  If no errors are encountered and no viruses are found
   23  If viruses or virus fragments are discovered
  138  License expired or invalid.
  255  A general error.

-----------------------------------------------------------------------
 CAI InoculateIT - inocucmd command line utility 4.0:
-----------------------------------------------------------------------
        100 - A virus was detected.
         >2 - Some type of scan failure.
          1 - User pressed Ctrl-C.
          0 - The scan has completed. No viruses were detected.

-----------------------------------------------------------------------
 Command AntiVirus for Linux Return Codes:
-----------------------------------------------------------------------
Code  Description
---   -----------
0-13: Fatal exceptions occurred. Abnormal termination.
5:    Break signaled. The user interrupted the scan process
      via the Break key.
13:   The program performed a GPF (General Protection Fault).

50:   Nothing found.
51:   At least one infection found.
52:   At least one suspicious file found.
53:   At least one virus was disinfected.

100:  Scan engine shared library is incorrect or incompatible.
      No scan was performed.
101:  Scan engine failed to initialize. Insufficient memory
      or critical condition. No scan was performed.
102:  sign.def is either missing or is corrupt.
103:  macro.def is either missing or is corrupt.
104:  -virlist or -virno specified on the command line
105:  -today has been specified and a scan has already been made
      this day.
106:  english.tx1 is either missing or is corrupt. NOTE: This
      applies only to CSAV versions 4.57 or higher.

-----------------------------------------------------------------------
 VirusBuster for Linux Return Codes:
-----------------------------------------------------------------------
Error codes according to the man page

        OK           (0)  = everything is ok, no viruses.
        VIRKILLED    (1)  = Virus found and killed.
        VIRNOTKILLED (2)  = Virus found, not killed.
        HEFOUND      (3)  = heuristically suspicious
        HEUDOCFOUND  (4)  = heuristically suspicious DOC file
        PACKER       (5)  = Packed file
        IMMUNIZER    (6)  = Immunizing hit
        VSKMSG       (7)  = VSK message
        SCANERROR    (64) = Error during scanning
        ENGERROR     (65) = Engine error
        EMPTYFNAME   (66) = There is no filename to scan
        NOSUCCDMSTOP (67) = Unable to stop the daemon
        NOSUCCSTART  (68) = Unable to start the daemon
        STATUSFAIL   (69) = Unable to ask the status
        NOENARG      (70) = Too few or wrong parameters
        UNKNCOMM     (71) = Unknown command
        UNKNOPT      (72) = Unknown option
        DMTIMEOUT    (73) = Unable to connect to the daemon (timeout)
        NOTREGISPRG  (74) = The program is not registered. You can't
                            start the client.

-----------------------------------------------------------------------
 FRISK F-Prot for Linux Return Codes:
-----------------------------------------------------------------------

        0  Normal exit.  Nothing found, nothing done.
        1  Unrecoverable error (for example, missing SIGN.DEF).
        2  Selftest failed (program has been modified).
        3  At least one virus-infected object was found.
        4  <not used>
        5  Abnormal termination (scanning did not finish).
        6  At least one virus was removed.
        7  Error, out of memory (should never happen, but well...)
        8  Something suspicious was found, but no recognized virus.


-----------------------------------------------------------------------
 GECAD RAV AntiVirus for Linux Return Codes:
-----------------------------------------------------------------------
#FILE_OK              1
#FILE_INFECTED        2
#FILE_SUSPICIOUS      3
#FILE_CLEANED         4
#FILE_CLEAN_FAIL      5
#FILE_DELETED         6
#FILE_DELETE_FAIL     7
#FILE_COPIED          8
#FILE_COPY_FAIL       9
#FILE_MOVED           10
#FILE_MOVE_FAIL       11
#FILE_RENAMED         12
#FILE_RENAMED_FAIL    13

#NO_FILES             20

#ENG_ERROR            30
#SINTAX_ERR           31
#HELP_MSG             32
#VIR_LIST             33


-----------------------------------------------------------------------
 ESET Software NOD32 for Linux Return Codes:
-----------------------------------------------------------------------

NOD32_EXIT_CODE_OK               0
NOD32_EXIT_CODE_VIRUS            1
NOD32_EXIT_CODE_CLEANED          2
NOD32_EXIT_INTERNAL_ERROR        10


-----------------------------------------------------------------------
 CentralCommand Vexira/Linux Return Codes:
-----------------------------------------------------------------------
Vexira is based on H+BEDV AntiVir/Linux, therefore the command line
parameters and return values seem to be completely identical

   0: Normal program termination, no virus, no error
   1: Virus found in a file or boot sector
   2: A virus signature was found in memory
 100: Vexira Antivirus only has displayed this help text
 101: A macro was found in a document file
 102: The option -once was given and Vexira Antivirus already ran today
 200: Program aborted, not enough memory available
 201: The given response file could not be found
 202: Within a response file another @<rsp> directive was found
 203: Invalid option
 204: Invalid (non-existent) directory given at command line
 205: The log file could not be created
 210: Vexira Antivirus could not find a necessary dll file
 211: Program aborted, because the self check failed
 212: The file vexira.vdf could not be read
 213: An error occurred during initialisation
 214: License key not found


--------------------------------------------------------------------------
 Norman Virus Control for Linux:
--------------------------------------------------------------------------
 return codes of Norman Virus Control according to man page

       0  - No error
       1  - File or boot sector virus found
       2  - Virus detected in memory
       3  - No scan area given
       4  - Configuration file changed
       5  - Bad argument
       6  - I/O error
       8  - Program error
       10 - Files skipped
       14 - virus detected and removed



4 Updates
Some antivirus companies provide updates for the virus definition files
(pattern files) for the latest virus(es) in (a) small extra
file(s), e.g. Sophos Anti-Virus virus identities (IDE).  See
http://www.sophos.com/downloads/ide/ for more information about IDE files.
For versions of sweep older than 3.37, these files are located in the
directory ide/ below your Sophos tree, e.g. /opt/sophos/ide, and the
environment variable SAV_IDE should therefore be set to SAV_IDE=/opt/sophos/ide
in the AMaViS script.  From sweep version 3.37 on, this is no longer necessary,
as sweep reads the ide directory location from /etc/sav.conf.  The default is
/usr/local/sav.

NAI provides an extra driver, which has to be specified on the command line
via --extra /path-to/EXTRA.DAT


Please keep in mind that your antivirus software needs regular updates. Set up
a cron job with the appropriate ftp/ncftp/wget commands for automatic updates.
NAI provides a script in their PDF manual. F-Secure AV comes with its own
update program. I would also strongly recommend subscribing to an alert
mailing list, which most AV companies offer, to get information about the
latest virus outbreaks.

Note: please keep in mind that an update process may fail. So, your script
should first make a backup, then download the file(s), and after that start
the virus scanner to check the EICAR test file. If the virus scanner
does not exit with the exit code for "virus found", your script should
roll back and send an alert message to virusalert indicating that the update
process failed.
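As an added example (not code from AMaViS or from any antivirus vendor), the following POSIX shell functions tie the "virus found" exit codes from the tables in section 3.2 to the backup / download / EICAR check / roll-back procedure described above. The scanner name, scanner command, signature directory, backup directory, path of an already existing EICAR test file, the download step and the mail command are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of AMaViS or of any vendor's tools. Implements the
# update procedure of section 4 (backup, download, verify with the EICAR test
# file, roll back and alert on failure) on top of the per-scanner "virus found"
# exit codes listed in section 3.2.
# Assumptions (not from the page): the caller passes the scanner command, the
# signature directory, a backup directory, the path of an existing EICAR file
# and the name of a shell function that performs the actual download.

# Print the exit code that means "virus found in a file" for a scanner family,
# as documented in section 3.2. Returns 1 and prints nothing for unknown names.
virus_found_code() {
    case "$1" in
        uvscan)         echo 13  ;;  # NAI VirusScan: viruses or hostile objects found
        sweep)          echo 3   ;;  # Sophos Sweep without -eec
        sweep-eec)      echo 24  ;;  # Sophos Sweep with -eec: found, not disinfected
        fsav|f-prot)    echo 3   ;;  # F-Secure AV and FRISK F-Prot
        antivir|vexira) echo 1   ;;  # H+BEDV AntiVir/X and CentralCommand Vexira
        vfind)          echo 23  ;;  # CyberSoft VFind
        inocucmd)       echo 100 ;;  # CAI InoculateIT 4.0
        csav)           echo 51  ;;  # Command AntiVirus: at least one infection
        vbuster)        echo 3   ;;  # VirusBuster, as observed in section 3.1.3
        rav)            echo 2   ;;  # GeCAD RAV: FILE_INFECTED
        nod32)          echo 1   ;;  # ESET NOD32
        nvcc)           echo 1   ;;  # Norman Virus Control
        avplinux)       echo 4   ;;  # Kaspersky AvpLinux: known viruses detected
        *)              return 1 ;;
    esac
}

# Run the scanner command on the EICAR file and compare its exit status with
# the expected code. Returns 0 on detection, 1 when the scanner misses the
# file, 2 for an unknown scanner name. Scanner output is discarded.
scanner_detects_eicar() {
    scanner="$1"; cmd="$2"; eicar="$3"
    expected=$(virus_found_code "$scanner") || return 2
    status=0
    $cmd "$eicar" >/dev/null 2>&1 || status=$?
    [ "$status" -eq "$expected" ]
}

# Alert hook: mail the virusalert address (assumed alias). Redefine as needed.
notify_failure() {
    printf '%s\n' "$1" | ${MAILER:-/bin/mail} -s "AV signature update failed" "${ALERT_TO:-virusalert}"
}

# Arguments: scanner name, scanner command, signature directory, backup
# directory, EICAR file, download function. Returns 0 when the freshly
# downloaded signatures detect EICAR, 1 after rolling back to the backup.
update_and_verify() {
    scanner="$1"; cmd="$2"; datdir="$3"; backup="$4"; eicar="$5"; download="$6"
    case "$backup" in ""|/) return 1 ;; esac              # refuse a dangerous backup path
    rm -rf "$backup" && cp -Rp "$datdir" "$backup" || return 1   # 1. backup
    if $download && scanner_detects_eicar "$scanner" "$cmd" "$eicar"; then
        rm -rf "$backup"                                    # 2.+3. download and verify OK
        return 0
    fi
    cp -Rp "$backup/." "$datdir"                            # 4. restore the old files
    notify_failure "Signature update in $datdir failed; previous files restored from $backup"
    return 1
}
```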
477
4.1 Update scripts
The scripts are provided by users without any warranty. Use them at your
own risk.

For Sophos, see also http://www.sophos.com/support/faqs/autodown.html
("How to automate the downloading of IDE files").

4.1.1 Script for Sophos Sweep by Reiner Keller
#!/bin/bash

# Change into the directory holding the IDE files (or use $SAV_IDE instead).
#cd $SAV_IDE
cd /usr/local/lib/sweep-IDE || exit 1

# Build the IDE archive URL from the installed sweep version
# (e.g. "Product version : 3.45" -> 345_ides.zip) and fetch it only if newer.
/usr/bin/wget -q -N `/usr/local/bin/sweep -v | /usr/bin/grep "Product version" | /usr/bin/sed -e "s/.*: \(.\)\.\(..\)$/http:\/\/www.sophos.com\/downloads\/ide\/\1\2_ides.zip/"`
/usr/bin/unzip -q -n "???_ides.zip"

chmod 644 *

498
4.1.2.1 Script for NAI (McAfee) uvscan by Matt Burke
#!/bin/bash

rm -f .listing*

datdir="ftp://ftp.mcafee.com/pub/datfiles/english/"
uvdir=/usr/local/mcafee

# Fetch the FTP directory listing (kept as .listing), pick the .tar DAT
# archive named in it and download that archive.
wget -q -O $uvdir/latest-dat.tar $datdir/`wget -qnr $datdir && grep tar .listing | awk {'print $4'}`

tar --overwrite --directory=$uvdir -xf $uvdir/latest-dat.tar

4.1.2.2 Scripts for NAI uvscan by Brian K. West
#!/usr/bin/perl
# dailyupdate.pl
# Auto Update Daily DAT files from NAI uvscan for *nix
# By: Brian K. West <brian@bkw.org>
# Version 1.0.3
#
#  This is used for Daily Dat file from NAI for early prevention.
#  This version will email the admin when the DAT files are updated!
#  I have also done some touchups to make the code cleaner.
#  Also: $adminemail = "user\@domain.com";  you must escape the "@"
#
use LWP::Simple;
use Archive::Zip;

# Settings
$location = "http://download.nai.com/products/mcafee-avert/daily_dats/DAILYDAT.ZIP";
$tmpdir = "/tmp";
$uvscandir = "/usr/local/uvscan";
$mailprog = "/bin/mail";
$adminemail = "brian\@bkw.org";

# HEAD request: is the daily DAT file reachable at all?
$check = head("$location");
if($check) {
    # Let's grab the next version if it's ready! mirror() returns the HTTP
    # status code; 304 means the local copy is already up to date.
    print "Downloading DAILYDAT.ZIP ...\n";
    $datfile = mirror("$location", "$tmpdir/DAILYDAT.ZIP");
    if($datfile == 404) {
        print "No Daily Dat Update available!\n";
        exit;
    }
    if($datfile == 304) {
        print "You have the latest Daily Dat file installed!\n";
        exit;
    }
} else {
    print "No Daily Dat Updates available!\n";
    exit;
}

# Write every regular file of the archive (lower-cased name) into the uvscan directory
my $zip = Archive::Zip->new("$tmpdir/DAILYDAT.ZIP") || die("error");
my @list = $zip->memberNames();
my $file;
print "Extracting DAILYDAT.ZIP to $uvscandir ...\n";
foreach $file (@list) {
        if (!($file =~ /.*\/$/)) {
                my $data = $zip->contents($file);
                $file = lc($file);
                print "Installing: $file\n";
                open(OUTPART, ">$uvscandir/$file") || die("cannot write $uvscandir/$file: $!");
                print(OUTPART $data);
                close(OUTPART);
                }
        }
#unlink("$tmpdir/DAILYDAT.ZIP");
$check = `$uvscandir/uvscan --version | $mailprog -s \"Virus Scan Daily DAT Updated\" $adminemail`;
print "Daily Dat Installed!\n";

573
#!/usr/bin/perl
#
# Auto Update DAT files from NAI uvscan for *nix
# By: Brian K. West <brian@bkw.org>
# Version 1.0.1
#
use LWP::Simple;
use Archive::Tar;

# Settings
$location = "http://download.nai.com/products/datfiles/4.x/nai";
$tmpdir = "/tmp";
$uvscandir = "/usr/local/uvscan";


# Get current version of the DAT file from the scanner's own version output.
$current = `$uvscandir/uvscan --version | grep \"Virus data file\" | awk '{ print substr(\$4,2,4) }'`;
print "Current version installed: $current";
#$current = 4085;

# Increase version number by 1
$needed = $current + 1;

# HEAD request: does the next DAT archive exist on the server yet?
$check = head("$location/dat-$needed.tar");
if($check) {
    # Let's grab the next version if it's ready!
    print "Downloading dat-$needed.tar ...\n";
    $datfile = mirror("$location/dat-$needed.tar", "$tmpdir/dat-$needed.tar");

    if($datfile == 404) {
        print "No updates available!\n";
        exit;
    }
} else {
    print "No updates available!\n";
    exit;
}


# Write every regular file of the archive into the uvscan directory
my $tar = Archive::Tar->new("$tmpdir/dat-$needed.tar") || die("error");
my @list = $tar->list_files();
my $file;
print "Extracting dat-$needed.tar to $uvscandir ...\n";
foreach $file (@list) {
        if (!($file =~ /.*\/$/)) {
                my $data = $tar->get_content($file);
                print "Installing: $file\n";
                open(OUTPART, ">$uvscandir/$file") || die("cannot write $uvscandir/$file: $!");
                print(OUTPART $data);
                close(OUTPART);
                }
        }
unlink("$tmpdir/dat-$needed.tar");

# Verify that the scanner now reports the new DAT version
$new = `$uvscandir/uvscan --version | grep \"Virus data file\" | awk '{ print substr(\$4,2,4) }'`;
if($new == $current) {
    print "Update Failed!\n";
    print "You may have to do it manually!\n";
    exit;
}
print "New installed version: $new";

4.1.2.3 Script for NAI DAT files by Julio Cesar Covolato
(please have a look at http://www.psi.com.br/~julio/uvscan/ for the latest
version)

#!/bin/sh
###################################################################
#################        UVUPDATE-1.2       #######################
###################################################################
#   Script to automate downloading and installing new dat files
#   from ftp.nai.com for the uvscan 4.x virus scanner.
###################################################################
#   $date	Fri Mar 16 01:12:43 EST 2001
###################################################################
#   Written by Julio Cesar Covolato <julio@psi.com.br>
###################################################################
#	Read the files README, INSTALL and CHANGES before install
###################################################################
#
#
#
###################################################################
#	MAKE THE CHANGES BELOW TO SUIT YOUR SYSTEM
###################################################################
#
################################################
# Where are your binary uvscan and datfiles ???
################################################

uvscan_dir=/usr/local/uvscan/

####################################
# setup our commonly used programs
####################################

grep=/bin/grep
mail=/bin/mail
wget=/usr/bin/wget
cut=/usr/bin/cut
tar=/bin/tar
rm=/bin/rm
ls=/bin/ls
chmod=/bin/chmod
sed=/bin/sed

#################################################################
# Setup email and subject to notify new versions, or problems :(
#################################################################

mail_to="root@localhost"
subject_ok=" UVSCAN - We got a new dat-file"
subject_bad=" UVSCAN - Something goes wrong :(( "
subject_nonew=" UVSCAN - No new dat-file for today"

############################################################
# Setup wget flags ( see "man 1 wget" ).
# If you are behind a firewall, you can add " --passive-ftp"
# Thanks to Viraj Alankar <valankar@ifxcorp.com>
############################################################

wget_opt="-N -q -t 30"

###################################################################
#	You don't need to make changes below
###################################################################

cd ${uvscan_dir} || exit 1

# Get the actual running version of the datfile

DATVERSION=$(./uvscan --version|${grep} "Virus data file"|${cut} -c 18-21)

# Get the latest txt file info (delta.ini) from NAI, if there is a new one.
${wget} ${wget_opt} ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/delta.ini

# Extract the dat-version from the file delta.ini

DATVERSIONEW=$(${grep} CurrentVersion delta.ini|${cut} -c 16-19)

if [ "${DATVERSION}" = "${DATVERSIONEW}" ];
	then
		echo -e "\n\n\n\tThe uvscan has the latest version yet!"|${mail} -s "${subject_nonew}" ${mail_to}
		exit # No new version! :(( Maybe tomorrow! )
	else
		# Get and Install it!!!
		${wget} ${wget_opt} ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/dat-${DATVERSIONEW}.tar
		${tar} xf dat-${DATVERSIONEW}.tar
		${chmod} 744 *.dat
fi

# We got the new version installed! Test it...

NEWDAT=$(./uvscan --version|${grep} "Virus data file"|${cut} -c 18-21)

if [ "${NEWDAT}" = "${DATVERSIONEW}" ];
	then
		# Send an email to me, notifying the new version!
		echo -e "\n\n\n\tNew dat file is: ${NEWDAT}\n\n\n" > newvirus.txt
		${sed} -n '/\* DV2/,/\* DV3/p' readme.txt >> newvirus.txt
		cat newvirus.txt|${mail} -s "${subject_ok}" ${mail_to}
		${rm} -f dat-$DATVERSION.tar # we don't need the old version anymore
	else
		# Send an email to me, notifying that something went wrong... :((
		echo "Go there: ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/"|\
		${mail} -s "${subject_bad}" ${mail_to}
fi
exit




747
4.1.3 Script for KasperskyLab AVP by Andy Wallace
#!/usr/bin/perl

use Net::FTP;
# in the libnet package - you may have to get it from CPAN - I did.

# Directory to download into
$DIR="/usr/local/AvpLinux";

# Get current time and date
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime(time);

# I just want this stuff so I can save each daily.zip as a different
# filename with a date attached, so I know I haven't missed any. Format is
# dailyddmmyy.zip (yes I'm British), so I need to make a few changes.

# Jan = 0, so add 1 to $mon
$mon++;
if ($mon<10) {
    $mon="0$mon";
}

# Days of month are 1-31, so that's OK
if($mday<10) {
    $mday="0$mday";
}

# gmtime thinks this year is 100! At least in my version of Perl...so don't
# use this script after 2099 :-)
$year -= 100;
if($year<10) {
    $year="0$year";
}

# Connect to FTP server and download daily.zip
$ftp = Net::FTP->new("ftp.kasperskylab.ru", Passive => 1)
    or die("Cannot connect to ftp.kasperskylab.ru: $@");
$ftp->login("ftp", "someone\@somewhere.com") or die("Cannot login: " . $ftp->message);
$ftp->cwd("/bases");
$ftp->binary;
$ftp->get("daily.zip", "$DIR/daily$mday$mon$year.zip");
$ftp->quit;

# Check it turned up OK, if so unzip it, if not send an email
if (-e "$DIR/daily$mday$mon$year.zip") {
    system("/usr/bin/unzip -o -qq $DIR/daily$mday$mon$year.zip -d $DIR");
}
else {
    system("/bin/mail -s \"Antivirus daily update failure!\" root");
}

# Now restart AVP daemon to load updated virus library
system("/usr/local/AvpLinux/AvpDaemon -k");
system("/usr/local/AvpLinux/AvpDaemon -* /var/amavis");

# End of perl script

Put a call to this in your root crontab to run it every day, e.g.

00 20 * * * /usr/local/bin/getupdate.pl


811
5 Why AMaViS will never stop all viruses
AMaViS is not an antivirus scanner; it's only an "interface" for virus
scanning at the eMail gateway in combination with one (or even more) of the
virus scanners listed above. Virus detection and stopping therefore depends on
the quality of the virus scanner. To get an impression of the detection
rate of antivirus products, please have a look at Virus Bulletin
(www.virusbtn.com), Virus Test Center (http://agn-www.informatik.uni-hamburg.de/)
or AV-Test (www.av-test.com).
Please keep in mind that viruses in encrypted eMails/attachments cannot be
detected! Also, if an infected attachment file is compressed with a
compression format for which AMaViS is not configured (we believe that the
most important formats are covered, though), it gets through, unless the
virus scanner(s) used is/are able to decode/uncompress it.
If this happens, it's the job of your client-side anti-virus software to
detect and stop the virus from spreading when the attachment gets decrypted
or uncompressed.


5.1 Blocking certain file(s) / file type(s)
AMaViS does not currently support blocking certain files by type or extension,
e.g. .vbs or .exe. Such a capability may be added in the future. But please
keep in mind that the file extension can be forged as easily as the MIME type.
I advise you to read a posting to NTBugTraq from Nick FitzGerald, online
at http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0005&L=ntbugtraq&F=&S=&P=11152.
