Bug#622848: amavisd-new: failing ESET CLI scanner results in false positive virus detection on every mail

Thomas Liske Fri, 15 Apr 2011 00:06:19 -0700

Package: amavisd-new
Version: 1:2.6.4-3
Severity: important
Tags: patch


Hi,

the default configuration in /etc/amavis/conf.d/15-av_scanners contains the
following configuration for the ESET CLI scanner:

  ### http://www.eset.com/, version 3.0
  ['ESET Software ESETS Command Line Interface',
    ['/usr/bin/esets_cli', 'esets_cli'],
    '--subdir {}', [0], [1,2,3],
    qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ],
  ### http://www.nod32.com/,  NOD32LFS version 2.5 and above

The return value 1 is treated as virus is detected. The esets_cli shows the
following description of the return values:

> $ esets_cli -v
> esets_cli (esets) 3.0.22

> $ esets_cli -h
> Usage: esets_cli [OPTIONS..] FILES..
> ESETS_CLI is the command line interface for scanning files
> 
> ESETS Module common options:
>   -h, --help                          display this help and exit
>   -v, --version                       output version information and exit
> 
>   Return values:
>     0  accept
>     1  defer
>     2  discard
>     3  reject
> 
>     (c) ESET, spol. s r.o.
>     In order to report bugs, please visit http://www.eset.com/support

The return value 1 does *not* indicate a detected virus. There are ESET
installations which do not have the license to use the CLI scanner (i.e.
Gateway Security which only scan http/ftp traffic):

> $ esets_cli /dev/null 
> error[2d360000]: Cannot get setup from daemon: No license for agent

The trival fix is to remove return value 1 (so amavis detects the error):

  ### http://www.eset.com/, version 3.0
  ['ESET Software ESETS Command Line Interface',
    ['/usr/bin/esets_cli', 'esets_cli'],
    '--subdir {}', [0], [2,3],
    qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ],
  ### http://www.nod32.com/,  NOD32LFS version 2.5 and above


Regards,
Thomas

-- System Information:
Debian Release: 6.0.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages amavisd-new depends on:
ii  adduser                  3.112+nmu2      add and remove users and groups
ii  debconf [debconf-2.0]    1.5.36.1        Debian configuration management sy
ii  file                     5.04-5          Determines file type using "magic"
ii  libarchive-zip-perl      1.30-3          Perl module for manipulation of ZI
ii  libberkeleydb-perl       0.42-1~squeeze1 use Berkeley DB 4 databases from P
ii  libcompress-raw-zlib-per 2.026-1         low-level interface to zlib compre
ii  libconvert-tnef-perl     0.17-9          Perl module to read TNEF files
ii  libconvert-uulib-perl    1.12-1          Perl interface to the uulib librar
pn  libdigest-md5-perl       <none>          (no description available)
ii  libio-stringy-perl       2.110-4         Perl modules for IO from scalars a
ii  libmail-dkim-perl        0.38-1          cryptographically identify the sen
ii  libmailtools-perl        2.06-1          Manipulate email in perl programs
pn  libmime-base64-perl      <none>          (no description available)
ii  libmime-tools-perl       5.428-1         Perl5 modules for MIME-compliant m
ii  libnet-server-perl       0.97-1          An extensible, general perl server
ii  libunix-syslog-perl      1.1-2           Perl interface to the UNIX syslog(
ii  pax                      1:20090728-1    Portable Archive Interchange
ii  perl [libtime-hires-perl 5.10.1-17       Larry Wall's Practical Extraction 
ii  perl-modules [libarchive 5.10.1-17       Core Perl modules

amavisd-new recommends no packages.

Versions of packages amavisd-new suggests:
ii  apt-listchanges    2.85.7                package change history notificatio
ii  arj                3.10.22-9             archiver for .arj files
ii  cabextract         1.3-1                 a program to extract Microsoft Cab
ii  clamav             0.97+dfsg-2~squeeze1  anti-virus utility for Unix - comm
pn  clamav-daemon      <none>                (no description available)
ii  cpio               2.11-4                GNU cpio -- a program to manage ar
pn  dspam              <none>                (no description available)
ii  lha                1.14i-10.3            lzh archiver
pn  libauthen-sasl-per <none>                (no description available)
pn  libdbi-perl        <none>                (no description available)
ii  libmail-dkim-perl  0.38-1                cryptographically identify the sen
ii  libnet-ldap-perl   1:0.4001-2            client interface to LDAP servers
pn  libsnmp-perl       <none>                (no description available)
ii  lzop               1.02~rc1-2            fast compression program
ii  nomarch            1.4-3                 Unpacks .ARC and .ARK MS-DOS archi
ii  p7zip              9.04~dfsg.1-1         7zr file archiver with high compre
ii  rpm                4.8.1-6               package manager for RPM
ii  spamassassin       3.3.1-1               Perl-based spam filter using text 
ii  unrar              1:3.9.10-1            Unarchiver for .rar files (non-fre
ii  unrar-free         1:0.0.1+cvs20071127-1 Unarchiver for .rar files
ii  zoo                2.10-22               manipulate zoo archives



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Bug#622848: amavisd-new: failing ESET CLI scanner results in false positive virus detection on every mail

Reply via email to