Hello,

f-protd (daemonized F-Prot) has a quirk.

The scanner returns these result codes:

   0    Not scanned, unable to handle the object.
   1    Not scanned due to an I/O error.
   2    Not scanned, as the scanner ran out of memory.
   3  X The object is not of a type the scanner knows. This may either
        mean it was misidentified or that it is corrupted.
   4  X The object was valid, but encrypted and could not be scanned.
   5    Scanning of the object was interrupted.
   7  X The object was identified as an "innocent" object.
   9  X The object was successfully scanned and nothing was found.
  11    The object is infected.
  13    The object was disinfected.

Now I have found a reason why it is not acceptable for code #0 to be blocked by the server: the code is triggered by compiled Java classes (*.class).
I have therefore changed the logic of mimedefang.pl in order to assume the same behaviour for code 0 as for code 3 -- corrupt or unknown archive.

Code 3 is also returned for some binary text files, like Word .doc.

Maybe it would be good to have a user-controlled way to react to the return codes, because:

- fprotd cannot scan directories as a whole, but you have to feed it one file after another, therefore there is a loop to do so.
- When one item triggers "not ok" (whatever the reason), the loop is terminated and the non-ok value is returned.
- So when you have one item of code 0 (until now it returns "tempfail"), message_contains_virus() returns (900, "cannot-execute", "tempfail").

If you let it pass because of code 900 (actually, the code is the scanner code + 900), there might be some items that were not scanned, because the loop had been terminated.
So, I would suggest revamping the code for all scanners, at least for those that recurse the Work directory themselves, to:

a) use the same recursion code, and
b) either:
   b1) scan all items and score the results, e.g.:
         ok         -> score 0
         suspicious -> score 1
         quarantine -> score 10
         virus      -> score 100
       and return the result with the highest score. (Actually one can break when the maximal score has been found.)
   b2) Don't score the result by the code in mimedefang.pl at all, but by a user-supplied function - with defaults, if none is supplied. The easiest method would be to have a global array - one needs to define such an array only for those scanners which are installed, hence there should be no memory overhead.
   b3) Add a "mixed-result" code, which contains all results of all items, maybe compressed, like: return code OK had been found three times, tempfail because of code 0 five times, and so on.

Actually, I'd prefer implementing variant 2, because it might open the way for a more generic handling of unknown attachments, e.g. when the virus scanner returns code 0 (unknown), one could bounce the message with the text "Invalid attachment, retransmit wrapped up in a ZIP archive". Well, I do not scan archives at all, so they would pass and be scanned by the virus scanner on the computer of the recipient, if the sender retries at all.
Any opinions?

Bye,

-- 
Steffen Kaiser
fprotd_code0.patch.gz
Description: F-protd code0 patch
_______________________________________________
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
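The following is an added illustration of variants b1 and b2 from the message above; it is example code written for this page, not code from mimedefang.pl, not the attached patch, and not anything Steffen posted. The f-protd result codes are the ones listed in the message; the score values, the name %FprotdScore, the default score for an unlisted code, and the action names ("ok", "quarantine", "tempfail") are assumptions chosen for the example. It scans every item instead of stopping at the first "not ok" one, keeps the worst result, and breaks early once the maximal score is reached.

```perl
#!/usr/bin/perl
# Example only (not mimedefang.pl): score every f-protd result and
# report the worst one, rather than stopping at the first "not ok" item.
use strict;
use warnings;

# f-protd result codes as listed in the post. The scores are an
# ASSUMPTION for illustration (variant b1). A site can override any of
# them (variant b2) by assigning to %FprotdScore before scanning.
our %FprotdScore = (
    0  => 1,    # not scanned, unable to handle (e.g. *.class) -> suspicious
    1  => 10,   # I/O error -> result cannot be trusted
    2  => 10,   # scanner ran out of memory
    3  => 1,    # unknown or corrupt object type -> suspicious
    4  => 1,    # encrypted, could not be scanned
    5  => 10,   # scanning interrupted
    7  => 0,    # "innocent" object
    9  => 0,    # scanned, nothing found
    11 => 100,  # infected
    13 => 100,  # disinfected, i.e. it was infected
);

# Score for a code that is not in the table (assumption): treat it like
# an I/O error so an unexpected code never lets a message through.
my $UNKNOWN_CODE_SCORE = 10;

# Turn the worst score back into a (code, message, action) triple in the
# shape message_contains_virus() returns; the "scanner code + 900"
# convention is taken from the post, the action names are assumptions.
sub score_to_verdict {
    my ($score, $code, $file) = @_;
    return (0,           'ok',                 'ok')         if $score == 0;
    return (900 + $code, "suspicious: $file",  'quarantine') if $score < 10;
    return (900 + $code, 'cannot-execute',     'tempfail')   if $score < 100;
    return (900 + $code, "virus in $file",     'quarantine');
}

# Take a list of [file, code] pairs (as if each file in the Work
# directory had been fed to f-protd one after another), score all of
# them and keep the worst. Breaks early once the maximal score is seen.
sub score_scan_results {
    my (@results) = @_;
    my $max_score = (sort { $b <=> $a } values %FprotdScore)[0];
    my ($worst_score, $worst_code, $worst_file) = (0, 9, '');
    for my $r (@results) {
        my ($file, $code) = @$r;
        my $score = exists $FprotdScore{$code}
                  ? $FprotdScore{$code}
                  : $UNKNOWN_CODE_SCORE;
        if ($score > $worst_score) {
            ($worst_score, $worst_code, $worst_file) = ($score, $code, $file);
        }
        last if $worst_score >= $max_score;
    }
    return score_to_verdict($worst_score, $worst_code, $worst_file);
}

# Constructed sample input: a Java class (code 0), a Word document
# (code 3), a clean text file (code 9) and an infected file (code 11).
my @sample = (
    [ 'Work/msg-1/Foo.class',  0 ],
    [ 'Work/msg-1/report.doc', 3 ],
    [ 'Work/msg-1/note.txt',   9 ],
    [ 'Work/msg-1/setup.exe', 11 ],
);

my ($code, $msg, $action) = score_scan_results(@sample);
print "$code $msg $action\n";
```

With the sample above, the old "stop at the first non-ok item" loop would have returned tempfail for Foo.class and never looked at setup.exe; here the infected file wins because it carries the highest score. Dropping setup.exe from the sample makes the two suspicious items (codes 0 and 3) the worst result, which is exactly the case the message argues should not be a tempfail.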

