[pmg-devel] Avast Support
Davide Bozzelli
davide.bozzelli at gmail.com
Wed Feb 21 09:10:21 CET 2018
You will find the docs here: http://deb.avast.com/lin/doc/techdoc.pdf
In Appendix A you will find the description of the scan utility and its
output.
Here is just an excerpt:
Every detected malicious file is reported on a separate line in the format:
PATH INFECTION where PATH and INFECTION are separated by a TAB character.
If all files are printed using the -a option, then the clean files have a
"[OK]" string as the infection name and files that could not be scanned
(insufficient permissions, corrupted archives, ...) have an "[ERROR]"
string as the infection name. Files, that were excluded from the scan using
the -e option have a "[EXCLUDED]" string as the infection name. If the -p
option is set, PATH contains the archive path delimited by a "|>" delimiter
in case of an archive.
On Wed, Feb 21, 2018 at 7:11 AM, Dietmar Maurer <dietmar at proxmox.com> wrote:
> First, thanks for that patch. Comments inline...
>
> Note: We prefer patches formatted with "git format-patch" on this list.
>
> See:
>
> # man git-format-patch
> # man git-send-email
>
> > Put simply: to scan a file I ran: scan path_of_the_file.
> > Of course a service in background (like clamd) should be up and running
> > (/bin/avast)
> >
> >
> > I've modified sub analyze_virus :
> >
> > my ($queue, $filename, $pmg_cfg, $testmode) = @_;
> >
> > my $virus = undef ;
> > my $enable_avast = 1 ;
> > my $enable_clamav = 1 ;
> >
> > # first analyze with avast
> > if ( $enable_avast ) {
> > syslog('info', "Starting Avast Scanning...");
> > $virus = analyze_virus_avast($queue, $filename, $pmg_cfg) ;
> > }
> >
> > if ( ! defined $virus && $enable_clamav ) {
> > syslog('info', "Starting Clamav Scanning...");
> > $virus = analyze_virus_clam($queue, $filename, $pmg_cfg) ;
> > }
> >
> > return $virus ;
> >
> > DESC: I've privileged the use of avast vs clamd, so if avast does not find
> > anything (so $virus is undef) I'm calling the second scan.
>
> looks OK
>
> >
> > Now the sub analyze_virus_avast:
> >
> > my ($queue, $dname, $pmg_cfg) = @_;
> >
> > my $timeout = 60*5;
> > my $vinfo;
> >
> > my $clamdscan_opts = "";
> >
> > my ($csec, $usec) = gettimeofday();
> >
> > my $previous_alarm;
> >
> > eval {
> >
> > $previous_alarm = alarm($timeout);
> >
> > $SIG{ALRM} = sub {
> > die "$queue->{logid}: Maximum time ($timeout sec) exceeded." .
> > "virus analyze (avast) failed: ERROR";
> > };
> >
> > open(CMD, "/bin/scan '$dname'|") ||
> > die "$queue->{logid}: can't exec avast: $! : ERROR";
> >
> > my $ifiles;
> >
> > my $response = '';
> > #syslog('info', "file is" . $dname);
> > #sleep(300);
> > while ( defined(my $line = <CMD>) ) {
> > if ($line =~ m/^$dname\s+(.*)\s+$/) {
> > # output is: /tmp/pippo.txt EICAR Test-NOT virus!!!
> > #syslog('info', "grepped virus line is" . $1);
> > # we just use the first detected virus name
> > $vinfo = $1 if !$vinfo;
> > $ifiles = 1 ;
> > }
> >
> > $response .= $line;
> > }
>
> Do they have some documentation about the output format?
>
> >
> > close(CMD);
> >
> > alarm(0); # avoid race conditions
> >
> > $ifiles = 0 if ( !$vinfo ) ;
> >
> > if (!defined($ifiles)) {
> > die "$queue->{logid}: got undefined output from " .
> > "virus detector: $response : ERROR";
>
> maybe we can mention 'avast' in above error message?
>
> > }
> >
> > if ($vinfo) {
> > syslog('info', "$queue->{logid}: virus detected: $vinfo
> > (avast)");
> > }
> > };
> > my $err = $@;
> >
> > alarm($previous_alarm);
> >
> > my ($csec_end, $usec_end) = gettimeofday();
> > $queue->{ptime_clam} =
> > int (($csec_end-$csec)*1000 + ($usec_end - $usec)/1000);
> >
> > if ($err) {
> > syslog ('err', $err);
> > $vinfo = undef;
> > $queue->{errors} = 1;
> > }
> >
> > $queue->{vinfo_clam} = $vinfo;
> >
> > return $vinfo ? "$vinfo (avast)" : undef;
> > }
> >
> > DESC: as you can see it is mostly equal to the clamav one, I've just modified the
> > regexp.
> > 1 question: is the sub expected to be called on every single part/file of
> > the decoded mail?
>
> No. This is called on the raw email data (.eml file).
>
> > 2 question: would I expect from the while loop ONLY one line of output (this is
> > just a natural follow-up of question 1)?
>
> I guess no. But we need to find some documentation about the output
> format...
>
> _______________________________________________
> pmg-devel mailing list
> pmg-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
>
--
Got problems with Windows? - ReBooT
Got problems with Linux? - Be RooT
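The output format quoted from Appendix A above (PATH and INFECTION separated by a TAB, "[OK]", "[ERROR]" and "[EXCLUDED]" as pseudo infection names, archive members joined with "|>") is simple enough to parse without interpolating the scanned path into a regex. The following Perl is an added example, not code from this thread or from the pmg project: it assumes constructed scanner lines fed in as an array, and the path `$dname` and the sample output are made up for illustration. It returns the first real infection name, counts "[ERROR]" lines separately so a scan failure is not silently treated as "clean", and keeps lines it did not understand so the caller can log them.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse the output of the avast command-line scanner as documented in
# Appendix A of the techdoc: one file per line, "PATH<TAB>INFECTION".
# $dname is the path that was handed to the scanner. With -p, archive
# members are reported as "$dname|>member/path", so the path is compared
# on its part before "|>" instead of being interpolated into a regex.
# Returns a hashref:
#   vinfo    => first detected infection name, or undef
#   errors   => number of files reported as [ERROR] (not scanned)
#   scanned  => number of lines that belonged to $dname
#   unparsed => lines that did not match the documented format
sub parse_avast_output {
    my ($dname, @lines) = @_;
    my %res = (vinfo => undef, errors => 0, scanned => 0, unparsed => []);

    for my $line (@lines) {
        chomp $line;
        next if $line eq '';

        # exactly one TAB separates PATH from INFECTION; the infection
        # name itself may contain spaces ("EICAR Test-NOT virus!!!")
        my ($path, $infection) = split /\t/, $line, 2;
        if (!defined $infection) {
            push @{$res{unparsed}}, $line;
            next;
        }

        # strip the archive member part ("outer.zip|>inner/file")
        my ($file) = split /\|>/, $path, 2;
        if ($file ne $dname) {
            push @{$res{unparsed}}, $line;
            next;
        }
        $res{scanned}++;

        if ($infection eq '[OK]' || $infection eq '[EXCLUDED]') {
            next;                      # clean or deliberately skipped
        } elsif ($infection eq '[ERROR]') {
            $res{errors}++;            # could not be scanned: not "clean"
            next;
        }

        # first detected infection wins, like the clamav code path
        $res{vinfo} //= $infection;
    }
    return \%res;
}

# constructed sample output (not captured from a real avast run)
my $dname  = '/var/spool/pmg/active/ABC123';
my @sample = (
    "$dname\t[OK]\n",
    "$dname|>part1.zip|>invoice.exe\tEICAR Test-NOT virus!!!\n",
    "$dname|>part2.rar\t[ERROR]\n",
    "/some/other/path\tWhatever\n",
);

my $r = parse_avast_output($dname, @sample);
printf "vinfo=%s errors=%d scanned=%d unparsed=%d\n",
    $r->{vinfo} // 'none', $r->{errors}, $r->{scanned},
    scalar @{$r->{unparsed}};
```

In the thread's `analyze_virus_avast` the `[ERROR]` case would be the place to set `$queue->{errors}` rather than returning undef and falling through to the next scanner as if the file were clean; the `unparsed` list answers the second question above, since more than one line per scanned file has to be expected as soon as the mail contains an archive.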