Sorry, I should have posted the clamd.monitor used at my shop.

The one from http://www.cmpublishers.com/oss/ checks the TCP
banner, complains if the socket isn't answered or if you're running
an outdated clamd (the latter a nice feature which is not in the
one I've been using).

However, the clamd monitor attached to this message goes through
the steps to actually submit a piece of email for virus scanning,
and uses the EICAR "fake virus" to test whether clamd is actually
going through the message.  That goes a bit deeper into the internals
and might turn up problems that a simple socket open/close wouldn't.

We use a similar monitor for SpamAssassin that uses the corresponding
"fake spam signature" to test whether spamd is checking messages - if
anyone's interested, let me know.

        -- Ed
#!/usr/local/bin/perl5.6.1

# clamd.monitor - make sure clamd recognizes the EICAR test virus

# Written by Jed Davis.  Released to public (license is GPL) courtesy of
# PANIX Public Access Networks, http://www.panix.com

require 5.006;
use strict;
use Getopt::Std;
use ClamAV::Client;
use IO::String;

my $usage = "clamd.monitor [-d] [-p port] [-t timeout] host [host...]\n";
our ($opt_t, $opt_p, $opt_d);
getopts("p:t:d") || die $usage;
my $tcpport = $opt_p || 9001;
my $timeout = $opt_t || 30;
my $debugp = $opt_d;

# Standard "test" virus - broken up into two lines to avoid triggering
# anti-virus systems (cough, cough).  The string is only assembled at
# run time, so the script file itself never carries the contiguous
# 68-byte signature.
my $virus = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' .
                        'ANTIVIRUS-TEST-FILE!$H+H*';

my (@failures);
for my $host (@ARGV) {
        my $result = undef;
        eval {
                # Install the handler before arming the alarm, so a slow
                # connect or scan cannot fire it unhandled.
                local $SIG{ALRM} = sub { die "Timeout ($timeout seconds)\n" };
                alarm $timeout;
                my $scanner = ClamAV::Client->new(
                    socket_host => $host,
                    socket_port => $tcpport);
                # Feed the test string to clamd over its stream interface;
                # the result is the detection name, or undef if nothing found.
                $result = $scanner->scan_stream(IO::String->new($virus));
                alarm 0;
                print STDERR "DEBUG: $host: $result\n" if $debugp;
        };
        alarm 0;        # never leave an alarm pending after a failure
        if ($@) {
                chomp $@;
                # Trim the module's verbose connect error down to its first clause
                $@ =~ s/^(Could not establish socket connection), tried UNIX domain and TCP sockets at .*/$1/;
                push @failures, [$host, "Exception: $@"];
        } elsif (!$result) {
                push @failures, [$host, "Responded, but failed to recognize test virus"];
        } elsif ($result ne "Eicar-Test-Signature") {
                # The detection name comes from the signature database; newer
                # databases report the EICAR file under a different name
                # (e.g. Win.Test.EICAR_HDB-1), so adjust this string to match
                # what your clamd actually returns.
                push @failures, [$host, "Unexpected response: $result"];
        }
}

# mon convention: first line lists the failing hosts, following lines
# give one detail line per failure.
print join(" ", map { $$_[0] } @failures) . "\n";
print join("", map { "$$_[0]: $$_[1]\n" } @failures);

exit ($#failures >= 0);
_______________________________________________
mon mailing list
mon@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/mon
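The exchange that the monitor above performs through ClamAV::Client, shown at the wire level as an added Python example (not part of Ed's post or of mon): it frames the EICAR string as a clamd INSTREAM request, reads the null-terminated reply and turns it into a pass/fail verdict. It assumes a clamd new enough to accept INSTREAM (older daemons used the STREAM command with a second data port) and clamd's default TCP port 3310 rather than the 9001 used in the script.

```python
import socket
import struct

# EICAR test string, assembled from two halves at import time so the
# source file never contains the contiguous 68-byte signature.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         + b"ANTIVIRUS-TEST-FILE!$H+H*")


def instream_frames(data: bytes, chunk: int = 4096) -> bytes:
    """Build a clamd INSTREAM request: the z-prefixed command, a series of
    4-byte big-endian length-prefixed chunks, and a zero-length terminator."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out += struct.pack(">I", len(piece)) + piece
    out += struct.pack(">I", 0)
    return bytes(out)


def parse_reply(reply: bytes):
    """Classify a clamd reply such as 'stream: Eicar-Test-Signature FOUND',
    'stream: OK' or '... ERROR'.  Returns (status, detail) with status one
    of 'found', 'ok' or 'error'."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return ("ok", "")
    if verdict.endswith(" FOUND"):
        return ("found", verdict[:-len(" FOUND")])
    return ("error", verdict or text)


def check_clamd(host: str, port: int = 3310, timeout: float = 30.0) -> bool:
    """Submit the EICAR string to clamd and report whether it was detected.
    Matching on 'EICAR' in the name tolerates signature-database renames."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(instream_frames(EICAR))
        buf = b""
        while not buf.endswith(b"\0"):      # z-commands get a NUL-terminated reply
            part = s.recv(4096)
            if not part:
                break
            buf += part
    status, detail = parse_reply(buf)
    return status == "found" and "EICAR" in detail.upper()
```

A monitor built on this should treat a connection error, a timeout and an "ok" verdict as three distinct failures, as the Perl script does, since each points at a different problem (daemon down, daemon hung, daemon not scanning).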