[pmg-devel] Spam scanning after virus is found

Davide Bozzelli davide.bozzelli at gmail.com
Wed Apr 18 11:19:07 CEST 2018


What about this code:

    # if quick mode is disabled then consider clamav heuristic
    # (parentheses keep $hit as the heuristic name; '&&' binds tighter than '=')
    if ((my $hit = $queue->{clamav_heuristic}) && !$enable_quick_av_mode) {
        my $score = $queue->{clamav_heuristic_score};
        my $descr = "ClamAV heuristic test: $hit";
        my $rule = 'ClamAVHeuristics';
        $sa_score += $score;
        $list .= $list ? ",$rule" : $rule;
        push @$sa_scores, { score => $score, rule => $rule, desc => $descr };
    }

    # do not run SA if avast or clamav has found a virus
    if (($queue->{vinfo_avast} || $queue->{vinfo_clamav}) && $enable_quick_av_mode) {
        my $score = 5;
        my $descr = "Virus Scanner Engines have found one or more viruses";
        my $rule = 'AV_Virus_Found';
        $sa_score += $score;
        $list .= $list ? ",$rule" : $rule;
        push @$sa_scores, { score => $score, rule => $rule, desc => $descr };
    }

Basically:

1) add enable_quick_av_mode (1|0)
2) when it is 0, everything works as before: the clamav heuristic is detected
3) when it is 1 and clam or avast found a virus AND quick_av_mode is 1, the score is
set to 5, which disables the sa scan

Thx

On Wed, Apr 18, 2018 at 10:17 AM, Dietmar Maurer <dietmar at proxmox.com>
wrote:

> > Seems that the sa scan is not triggered only if clamav heuristic is in
> > place.
> > I've added something like just before the if :
> >
> >
> >    if (  $queue->{vinfo_avast} ) {
> >         my $score = 5 ;
> >         my $descr = "Avast Virus: 1";
> >         my $rule = 'AvastVirusFound';
> >         $sa_score += $score;
> >         $list .= $list ? ",$rule" : $rule;
> >         push @$sa_scores, { score => $score, rule => $rule, desc => $descr };
> >    }
> >
> > And in this way when avast found eicar the spam scan is not triggered and
> > the only rule found is AvastVirusFound.
>
> You could simply add:
>
>             return undef if $queue->{vinfo};
>
> but this also skips user blacklist/whitelist, so the whole rule system
> does not work as expected in that case ...



-- 
Got problems with Windows? - ReBooT
Got problems with Linux? - Be RooT
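
The following is an added example, not part of the original message and not PMG code: a stand-alone Perl model of the proposed `enable_quick_av_mode` flag that prints the score and rule list each queue state ends up with in both modes. The wrapper `score_av_hits`, the queue hashes, the hit names and the heuristic score of 3 are assumptions constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added illustration, not PMG code: score_av_hits() is a hypothetical
# stand-alone wrapper around the two checks from the message.
sub score_av_hits {
    my ($queue, $enable_quick_av_mode) = @_;
    my ($sa_score, $list, $sa_scores) = (0, '', []);

    my $add = sub {
        my ($score, $rule, $descr) = @_;
        $sa_score += $score;
        $list .= $list ? ",$rule" : $rule;
        push @$sa_scores, { score => $score, rule => $rule, desc => $descr };
    };

    # flag off: only the ClamAV heuristic contributes, as before
    if ((my $hit = $queue->{clamav_heuristic}) && !$enable_quick_av_mode) {
        $add->($queue->{clamav_heuristic_score}, 'ClamAVHeuristics',
               "ClamAV heuristic test: $hit");
    }

    # flag on: a hit from either scanner adds the fixed score of 5
    if (($queue->{vinfo_avast} || $queue->{vinfo_clamav}) && $enable_quick_av_mode) {
        $add->(5, 'AV_Virus_Found',
               'Virus Scanner Engines have found one or more viruses');
    }

    return ($sa_score, $list, $sa_scores);
}

# Constructed queue states; the hit names and heuristic score are made up.
my %heur = (clamav_heuristic => 'Heuristics.Sample', clamav_heuristic_score => 3);
my @cases = (
    [ 'clean',            {} ],
    [ 'heuristic only',   { %heur } ],
    [ 'avast hit',        { vinfo_avast => 'Sample-Test-Signature' } ],
    [ 'heuristic+clamav', { %heur, vinfo_clamav => 'Sample-Test-Signature' } ],
);

for my $quick (0, 1) {
    for my $case (@cases) {
        my ($name, $queue) = @$case;
        my ($score, $rules) = score_av_hits($queue, $quick);
        printf "quick=%d  %-17s score=%d  rules=%s\n",
            $quick, $name, $score, $rules || '-';
    }
}
```

In this model a heuristic-only hit adds nothing once the flag is on, and a scanner hit adds nothing while it is off.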