[pmg-devel] Avast Support

Dietmar Maurer dietmar at proxmox.com
Wed Feb 21 07:11:21 CET 2018


First, thanks for that patch. Comments inline...

Note: We prefer patches formatted with "git format-patch" on this list.

See:

# man git-format-patch
# man git-send-email

> Put simply: to scan a file I ran: scan path_of_the file.
> Of course a service in background (like clamd) should be up and running
> (/bin/avast)
> 
> 
> I've modified sub analyze_virus :
> 
>   my ($queue, $filename, $pmg_cfg, $testmode) = @_;
> 
>     my $virus = undef ;
>     my $enable_avast  = 1 ;
>     my $enable_clamav = 1 ;
> 
>     # first analyze with avast
>     if ( $enable_avast ) {
>          syslog('info', "Starting Avast Scanning...");
>          $virus = analyze_virus_avast($queue, $filename, $pmg_cfg) ;
>     }
> 
>     if ( ! defined $virus && $enable_clamav ) {
>         syslog('info', "Starting Clamav Scanning...");
>         $virus = analyze_virus_clam($queue, $filename, $pmg_cfg) ;
>     }
> 
>     return $virus ;
> 
> DESC: I've privileged the use of avast vs clamd, so if avast does not find
> anything (so $virus is undef) I'm calling the second scan.

looks OK

> 
> Now the sub analyze_virus_avast:
> 
>  my ($queue, $dname, $pmg_cfg) = @_;
> 
>     my $timeout = 60*5;
>     my $vinfo;
> 
>     my $clamdscan_opts = "";
> 
>     my ($csec, $usec) = gettimeofday();
> 
>     my $previous_alarm;
> 
>     eval {
> 
>         $previous_alarm = alarm($timeout);
> 
>      $SIG{ALRM} = sub {
>             die "$queue->{logid}: Maximum time ($timeout sec) exceeded. " .
>                 "virus analyze (avast) failed: ERROR";
>         };
> 
>         open(CMD, "/bin/scan '$dname'|") ||
>             die "$queue->{logid}: can't exec avast: $! : ERROR";
> 
>         my $ifiles;
> 
>         my $response = '';
>         #syslog('info', "file is" . $dname);
>         #sleep(300);
>         while ( defined(my $line = <CMD>) ) {
>             if ($line =~ m/^$dname\s+(.*)\s+$/) {
>                 # output is: /tmp/pippo.txt EICAR Test-NOT virus!!!
> #syslog('info', "grepped virus line is" . $1);
>                 # we just use the first detected virus name
>                 $vinfo = $1 if !$vinfo;
> $ifiles = 1 ;
>             }
> 
>             $response .= $line;
>         }
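
Review bot: the piped open on `/bin/scan '$dname'|` interpolates $dname into a shell command line, so a path containing a single quote or other shell metacharacters changes the command that runs. Use the list form, `open(my $cmd, '-|', '/bin/scan', $dname)`, which passes the path as one argument without a shell. The same variable is interpolated unescaped into `m/^$dname\s+(.*)\s+$/`, so regex metacharacters in the path (`.`, `+`, `(`) can make the match fail or match the wrong line; write `^\Q$dname\E\s+` instead.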

Do they have some documentation about the output format?

> 
> close(CMD);
> 
>         alarm(0); # avoid race conditions
> 
> $ifiles = 0 if ( !$vinfo ) ;
> 
>         if (!defined($ifiles)) {
>             die "$queue->{logid}: got undefined output from " .
>                 "virus detector: $response : ERROR";
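
Review bot: the `!defined($ifiles)` check can never fire, because the preceding `$ifiles = 0 if ( !$vinfo )` defines $ifiles whenever no virus name was captured, and the loop sets it to 1 otherwise. Together with the ignored return value of `close(CMD)`, this means a scanner that is not running, crashes, or prints only an error message is reported as a clean mail. Check the return of `close` and `$?` (the exit codes of scan need confirming from its documentation) and die on an unexpected status, so a scanner failure ends up in `$queue->{errors}` rather than as a pass.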

maybe we can mention 'avast' in above error message?

>         }
> 
>         if ($vinfo) {
>             syslog('info', "$queue->{logid}: virus detected: $vinfo
> (avast)");
>         }
>     };
>     my $err = $@;
> 
>   alarm($previous_alarm);
> 
>     my ($csec_end, $usec_end) = gettimeofday();
>     $queue->{ptime_clam} =
>         int (($csec_end-$csec)*1000 + ($usec_end - $usec)/1000);
> 
>     if ($err) {
>         syslog ('err', $err);
>         $vinfo = undef;
>         $queue->{errors} = 1;
>     }
> 
>     $queue->{vinfo_clam} = $vinfo;
> 
>     return $vinfo ? "$vinfo (avast)" : undef;
> }
> 
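
Review bot: the avast timing and result are written to `$queue->{ptime_clam}` and `$queue->{vinfo_clam}`, the keys named after the ClamAV scan, so the two scanners' data cannot be told apart in the queue object. Store them under avast-specific keys (for example `ptime_avast` and `vinfo_avast`, names suggested here) and leave the clam keys to analyze_virus_clam.
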
> DESC: as you can see it is mostly equal to the clamav one, I've just modified the
> regexp.
> 1 question: is the sub expected to be called on every single part/file of
> the undecoded mail?

No. This is called on the raw email data (.eml file).

> 2 question: would I expect from the while ONLY one line of output (this is
> just a natural follow up of question1)

I guess no. But we need to find some documentation about the output format...


