[pmg-devel] Avast Support

Davide Bozzelli davide.bozzelli at gmail.com
Wed Feb 21 09:10:21 CET 2018


You will find the docs here: http://deb.avast.com/lin/doc/techdoc.pdf
In Appendix A you will find the description of the scan utility and its
output:

Here just an excerpt:

Every detected malicious file is reported on a separate line in the format:
PATH INFECTION where PATH and INFECTION are separated by a TAB character.
If all files are printed using the -a option, then the clean files have a
"[OK]" string as the infection name and files that could not be scanned
(insufficient permissions, corrupted archives, ...) have an "[ERROR]"
string as the infection name. Files that were excluded from the scan using
the -e option have a "[EXCLUDED]" string as the infection name. If the -p
option is set, PATH contains the archive path delimited by a "|>" delimiter
in case of an archive.

On Wed, Feb 21, 2018 at 7:11 AM, Dietmar Maurer <dietmar at proxmox.com> wrote:

> First, thanks for that patch. Comments inline...
>
> Note: We prefer patches formatted with "git format-patch" on this list.
>
> See:
>
> # man git-format-patch
> # man git-send-email
>
> > Put simply: to scan a file I ran: scan path_of_the_file.
> > Of course a service in background (like clamd) should be up and running
> > (/bin/avast)
> >
> >
> > I've modified sub analyze_virus :
> >
> > sub analyze_virus {
> >     my ($queue, $filename, $pmg_cfg, $testmode) = @_;
> >
> >     my $virus = undef;
> >     my $enable_avast  = 1;
> >     my $enable_clamav = 1;
> >
> >     # first analyze with avast
> >     if ($enable_avast) {
> >         syslog('info', "Starting Avast Scanning...");
> >         $virus = analyze_virus_avast($queue, $filename, $pmg_cfg);
> >     }
> >
> >     # fall back to clamav only if avast reported nothing
> >     if (!defined $virus && $enable_clamav) {
> >         syslog('info', "Starting Clamav Scanning...");
> >         $virus = analyze_virus_clam($queue, $filename, $pmg_cfg);
> >     }
> >
> >     return $virus;
> > }
> >
> > DESC: I've privileged the use of avast over clamd, so if avast does not
> > find anything (so $virus is undef) I'm calling the second scan.
>
> looks OK
>
> >
> > Now the sub analyze_virus_avast:
> >
> > sub analyze_virus_avast {
> >     my ($queue, $dname, $pmg_cfg) = @_;
> >
> >     my $timeout = 60*5;
> >     my $vinfo;
> >
> >     my ($csec, $usec) = gettimeofday();
> >
> >     my $previous_alarm;
> >
> >     eval {
> >
> >         $previous_alarm = alarm($timeout);
> >
> >         $SIG{ALRM} = sub {
> >             die "$queue->{logid}: Maximum time ($timeout sec) exceeded. " .
> >                 "virus analyze (avast) failed: ERROR";
> >         };
> >
> >         open(CMD, "/bin/scan '$dname'|") ||
> >             die "$queue->{logid}: can't exec avast: $! : ERROR";
> >
> >         my $ifiles;
> >
> >         my $response = '';
> >         while ( defined(my $line = <CMD>) ) {
> >             # \Q...\E: the path must match literally, not as a regex
> >             if ($line =~ m/^\Q$dname\E\s+(.*)\s+$/) {
> >                 # output is: /tmp/pippo.txt EICAR Test-NOT virus!!!
> >                 # we just use the first detected virus name
> >                 $vinfo = $1 if !$vinfo;
> >                 $ifiles = 1;
> >             }
> >
> >             $response .= $line;
> >         }
>
> Do they have some documentation about the output format?
>
> >
> >         close(CMD);
> >
> >         alarm(0); # avoid race conditions
> >
> >         $ifiles = 0 if (!$vinfo);
> >
> >         if (!defined($ifiles)) {
> >             die "$queue->{logid}: got undefined output from " .
> >                 "virus detector: $response : ERROR";
>
> maybe we can mention 'avast' in above error message?
>
> >         }
> >
> >         if ($vinfo) {
> >             syslog('info', "$queue->{logid}: virus detected: $vinfo (avast)");
> >         }
> >     };
> >     my $err = $@;
> >
> >     alarm($previous_alarm);
> >
> >     my ($csec_end, $usec_end) = gettimeofday();
> >     $queue->{ptime_clam} =
> >         int (($csec_end-$csec)*1000 + ($usec_end - $usec)/1000);
> >
> >     if ($err) {
> >         syslog ('err', $err);
> >         $vinfo = undef;
> >         $queue->{errors} = 1;
> >     }
> >
> >     $queue->{vinfo_clam} = $vinfo;
> >
> >     return $vinfo ? "$vinfo (avast)" : undef;
> > }
> >
> > DESC: as you can see it is mostly equal to the clamav one, I've just
> > modified the regexp.
> > 1 question: is the sub expected to be called on every single part/file of
> > the undecoded mail?
>
> No. This is called on the raw email data (.eml file).
>
> > 2 question: would I expect from the while ONLY one line of output (this is
> > just a natural follow-up of question 1)
>
> I guess no. But we need to find some documentation about the output
> format...
>
> _______________________________________________
> pmg-devel mailing list
> pmg-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
>



-- 
Got problems with Windows? - ReBooT
Got problems with Linux? - Be RooT
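As an added example (not code from this thread or from the PMG code base), the parser below reads the Appendix A format quoted at the top of the message: it splits each line on the first TAB, classifies the "[OK]", "[ERROR]" and "[EXCLUDED]" markers, splits archive members on the "|>" delimiter, and looks a scanned file up by exact path instead of interpolating the filename into a regex as the patch above does. It also shows how to start the scanner without a shell, so a spool filename containing quotes cannot alter the command line. The sample output is constructed, not captured from a real scan; /bin/scan is the path used in the thread, and the -a and -p flags are the ones named in the documentation excerpt. Since every detected archive member gets its own line, one scanned .eml can produce several lines, which is why the parser keeps all of them.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse the output of Avast's "scan" utility as described in Appendix A of
# the techdoc: one file per line, "PATH<TAB>INFECTION". With -a, clean files
# carry "[OK]", unscannable files "[ERROR]", excluded files "[EXCLUDED]".
# With -p, PATH may read "archive.zip|>inner/file" for archive members.
# Returns a hashref with lists: infected, clean, errors, excluded, unparsed.
sub parse_avast_scan_output {
    my ($output) = @_;
    my %res = (infected => [], clean => [], errors => [], excluded => [], unparsed => []);

    for my $line (split /\n/, $output) {
        next if $line =~ /^\s*$/;

        # split on the first TAB only: infection names may contain spaces
        my ($path, $infection) = split /\t/, $line, 2;
        if (!defined $infection) {
            push @{$res{unparsed}}, $line;   # not in the documented format
            next;
        }
        $infection =~ s/\s+$//;

        if ($infection eq '[OK]') {
            push @{$res{clean}}, $path;
        } elsif ($infection eq '[ERROR]') {
            push @{$res{errors}}, $path;     # could not be scanned: not clean
        } elsif ($infection eq '[EXCLUDED]') {
            push @{$res{excluded}}, $path;
        } else {
            # "|>" separates the archive from the member path (-p option)
            my ($archive, $member) = split /\|>/, $path, 2;
            push @{$res{infected}}, {
                path    => $path,
                archive => $archive,
                member  => $member,          # undef for a plain file
                name    => $infection,
            };
        }
    }
    return \%res;
}

# First infection name reported for one scanned file (or any member of it),
# matched by exact path: no regex, so '.', '+' or '(' in the path are harmless.
sub first_infection_for {
    my ($parsed, $fname) = @_;
    for my $hit (@{$parsed->{infected}}) {
        return $hit->{name}
            if $hit->{path} eq $fname
            || (defined $hit->{archive} && $hit->{archive} eq $fname);
    }
    return undef;
}

# Run the scanner with the list form of open: no shell is involved, so the
# filename is passed as one argv element whatever characters it contains.
# /bin/scan is the path from the thread; -a and -p are documented options.
sub run_avast_scan {
    my ($fname) = @_;
    open(my $fh, '-|', '/bin/scan', '-a', '-p', $fname)
        or die "can't exec avast: $!";
    local $/;                     # slurp everything the scanner prints
    my $output = <$fh>;
    close($fh);                   # exit status is left in $? if needed
    return parse_avast_scan_output($output // '');
}

# Constructed sample output (not captured from a real scan run).
my $sample = join "\n",
    "/var/spool/pmg/active/abc.eml\tEICAR Test-NOT virus!!!",
    "/var/spool/pmg/active/abc.eml|>attachment.zip|>payload.exe\tWin32:Evo-gen [Susp]",
    "/var/spool/pmg/active/def.eml\t[OK]",
    "/var/spool/pmg/active/ghi.eml\t[ERROR]",
    "/var/spool/pmg/active/jkl.eml\t[EXCLUDED]",
    "some line without a tab";

my $parsed = parse_avast_scan_output($sample);
printf "%d infected, %d clean, %d errors, %d excluded, %d unparsed\n",
    scalar @{$parsed->{infected}}, scalar @{$parsed->{clean}},
    scalar @{$parsed->{errors}}, scalar @{$parsed->{excluded}},
    scalar @{$parsed->{unparsed}};
my $v = first_infection_for($parsed, "/var/spool/pmg/active/abc.eml");
print "abc.eml: ", (defined $v ? $v : "clean"), "\n";
```

Files reported as "[ERROR]" are kept separate from clean ones on purpose: a message the scanner could not open (corrupt archive, permission problem) has not been checked, so a caller should treat it as an error rather than let it through as clean.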

