qmail-scanner handles the interaction between anti-virus or spam scanners and qmail. This page lists all the supported scanners: http://qmail-scanner.sf.net. I had my sights on possibly providing mailets or matchers for all of them in order to facilitate someone who wants to migrate from qmail to James, such as myself. I started with SpamAssassin and Clam AntiVirus.

I looked at standardizing the way a scanner would send a message to a daemon running on a TCP port for scanning. However, after evaluating spamd and clamd, I felt the difference between the two was too vast to benefit from a standardized interface.

I wanted to use Mail.setAttribute to allow an anti-virus matcher to pass along the names of the virus(es) it found. Then Notify* and ToRepository could be used to provide a customized action to an infected message. It would be really neat if the message attribute of AbstractNotify could parse ${} style arguments to get the Mail.getAttribute list of viruses. This is where I got stuck, since this should probably be provided by a much larger integration with Jelly. My alternative was going to be just to write one big mailet to do everything from virus scanning to ToRepository-ing.

Analysis-paralysis, no?

Josh

----- Original Message -----
From: "Noel J. Bergman" <[EMAIL PROTECTED]>
To: "James-Dev Mailing List" <[EMAIL PROTECTED]>
Sent: Monday, August 25, 2003 2:30 PM
Subject: Anti-Virus filters

> For those who are writing Anti-Virus matchers, here is some information
> provided by Martin Kraemer (bcc'd), with permission.
>
> Not included, but worth noting, would be the spamd protocol. We have one
> submission for that already, which I'll try to get into CVS.
>
> > > The German computer magazine c't (http://www.heise.de/ct/)
> > > reviewed a couple of Linux virus scanners (free and commercial)
> > > in its latest copy, with not-so-good results for the OSS scanners...
> > > Most of the commercial scanners received positive results.
> > > I don't have the copy here, but I could supply its info
> > > tomorrow if you want.
> > Yes, please. That might be helpful.
>
> > I know of 3 commercial AV-Filters which run (in part under the Linux
> > emulation) on FreeBSD, and which can be tied into the normal mail transfer
> > and delivery process by using, e.g., amavis:
> >
> > ============================================================================
> > * Trend Micro (http://www.trendmicro.com/) -- my company bought a
> >   company-wide license for that one:
> >
> > # /etc/iscan/vscan
> >
> > +----------------------------------------------------+
> > |              VSCAN for Linux Ver 1.31              |
> > |                                                    |
> > |    Copyright (c) 1990 - 2001 Trend Micro Inc.     |
> > |                                                    |
> > |   Rewrite by Sunsa Lue for VSAPI Engine Testing    |
> > +----------------------------------------------------+
> >
> > VSCANLINUX usage:
> > vscan [/|-option] Drive:[path[filename|@script]] [Drive:[path[filename]] ...]
> >
> > option: -S                - Scan all files in specified dir and all subdirs.
> > option: -C                - Clean virus-infected files without any prompting.
> > option: -D                - Delete virus-infected files without any prompting.
> > option: -B                - Scan boot/partition area only.
> > option: -P                - Scan hard disk partition only.
> > option: -NM               - Do not scan memory.
> > option: -NB               - Do not scan boot sector/partition area of disk.
> > option: -NC               - Scan only, do not take any action on virus files.
> > option: -BK[+|-]          - Clean virus infected files backup switch.
> > option: -L[=file]         - Write the scan results to a file.
> > option: -P=path           - Specifiy virus pattern path.
> > option: -P=file[;file...] - Specifiy virus pattern file(s).
> >
> > ============================================================================
> > * F-PROT Antivirus for Linux (http://www.f-prot.com/)
> >   http://www.frisk.is/
> >
> > # f-prot -h
> > Usage: f-prot [drive, file or directory] [options]
> >
> > -ai          Enable neural-network virus detection.
> > -append      Append to existing report file.
> > -archive     Scan inside .ZIP and .ARJ files.
> > -auto        Automatic virus removal.
> > -collect     Scan a virus collection.
> > -delete      Delete infected files.
> > -disinf      Disinfect whenever possible.
> > -dumb        Do a "dumb" scan of all files.
> > -ext         Scan only files with default extensions.
> > -follow      Follow symbolic links.
> > -help        Display this list.
> > -list        List all files checked.
> > -nobreak     Do not abort scan if ESC is pressed.
> > -noheur      Disable heuristics.
> > -nosub       Do not scan subdirectories.
> > -old         Do not complain when using outdated DEF files.
> > -onlyheur    Only use heuristics, not "normal" scanning.
> > -packed      Unpack compressed executables.
> > -page        Pause after each page.
> > -rename      Rename infected COM/EXE files to VOM/VXE.
> > -report=     Send the output to a file.
> > -silent      Do not generate any screen output.
> > -type        Select files by type. (default)
> > -virlist     List the known viruses.
> > -virno       Count the known viruses.
> > -wrap        Wrap text so the report fits in 78 columns.
> > Special macro virus options:
> > -nomacro     Do not scan for macro viruses.
> > -onlymacro   Only scan for macro viruses.
> > -removeall   Remove all macros from all documents.
> > -removenew   Remove new variants of macro viruses by
> >              removing all macros from infected documents.
> > -saferemove  Remove all macros from documents, if a known
> >              virus is found.
> >
> > ============================================================================
> > * NAI McAfee uvscan (http://www.networkassociates.com/us/downloads/)
> >
> > Available for FreeBSD native, but I have to LD_PRELOAD libc.so
> > to satisfy the symbol __stderrp: without the preload, I get
> > /usr/libexec/ld-elf.so.1: /usr/lib/libm.so.2: Undefined symbol "__stderrp")
> >
> > # uvscan --version
> > Virus Scan for BSD v4.24.0
> > Copyright (c) 1992-2003 Networks Associates Technology Inc. All rights reserved.
> > (408) 988-3832 EVALUATION COPY - Jan 27 2003
> >
> > Scan engine v4.2.40 for BSD.
> > Virus data file v4284 created Aug 11 2003
> > Scanning for 77928 viruses, trojans and variants.
> >
> > Usage:
> > uvscan [--allole] [--analyse | --analyze]
> >        [-c | --clean] [--cleandocall] [--config file]
> >        [--dam] [-d | --dat | --data-directory] [--delete]
> >        [--exclude file] [-e | --exit-on-error] [--extlist]
> >        [--extensions EXT1[,EXT2...]] [--extra file]
> >        [--fam] [-f | --file file] [--floppya] [--floppyb]
> >        [-h | --help] [--ignore-compressed] [--ignore-links] [--load file]
> >        [--manalyse | --manalyze | --macro-heuristics]
> >        [--maxfilesize XXX] [--mime] [--mailbox] [-m | --move directory]
> >        [--noboot] [--nocomp] [--nodecrypt] [--nodoc] [--noexpire]
> >        [--norename] [--one-file-system]
> >        [--panalyse | --panalyze] [-p | --atime-preserve | --plad]
> >        [--program] [-r | --recursive | --sub]
> >        [--secure] [-s | --selected] [--summary]
> >        [-u | --unzip] [-v | --verbose] [--version] [--virus-list]
> >        [-] {file / directory}
> >
> > ============================================================================
> > The CPU consumption of these virus filters (in combination with
> > amavisd-new and amavisd-milter on FreeBSD) varies, but is considerable.
> > Also, the quality of virus detection varies. We might think of evaluating
> > one or the other and ask the vendors for a free "for dot Org" copy...
> >
> > Martin
> >
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
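
Added example, not part of the original thread and not James code: a sketch of the idea in Josh's message at the top, where a matcher records the virus names it found as a mail attribute and a notice template picks them up through ${} placeholders. A plain Map stands in for Mail.setAttribute/getAttribute; the attribute name and the clamd-style reply lines ("<name>: OK", "<name>: <signature> FOUND") are assumptions.

```java
import java.util.*;
import java.util.regex.*;
import java.util.stream.Collectors;
// Added example, not James code. A Map stands in for Mail.setAttribute/getAttribute.
public class VirusNotice {
    // Hypothetical attribute name that an anti-virus matcher would set.
    static final String ATTR = "org.example.virusNames";
    static final Pattern FOUND = Pattern.compile("^[^:]+: (.+) FOUND$");
    static final Pattern VAR = Pattern.compile("\\$\\{([^}]+)\\}");

    // Assumed clamd-style reply lines: "<name>: OK" or "<name>: <signature> FOUND".
    // Any other line (e.g. "... ERROR") throws, so a scanner failure is never read as clean.
    static List<String> parseReply(String reply) {
        List<String> viruses = new ArrayList<>();
        for (String raw : reply.split("\\r?\\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.endsWith(": OK")) continue;
            Matcher m = FOUND.matcher(line);
            if (!m.matches()) throw new IllegalStateException("scanner error: " + line);
            viruses.add(m.group(1));
        }
        return viruses;
    }

    // Expand ${name} from the attribute map; unknown names are left as written.
    static String expand(String template, Map<String, Object> attrs) {
        Matcher m = VAR.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            Object v = attrs.get(m.group(1));
            String s = v == null ? m.group()
                : v instanceof Collection
                    ? ((Collection<?>) v).stream().map(Object::toString).collect(Collectors.joining(", "))
                    : v.toString();
            // Strip control characters so a value cannot inject lines into the notice.
            m.appendReplacement(out, Matcher.quoteReplacement(s.replaceAll("\\p{Cntrl}", "")));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed scanner reply, not captured from a real daemon.
        String reply = "part1: OK\npart2: Eicar-Test-Signature FOUND\n";
        Map<String, Object> attrs = new HashMap<>();
        attrs.put(ATTR, parseReply(reply));
        System.out.println(expand("Rejected, found: ${" + ATTR + "} (${unset})", attrs));
    }
}
```

Throwing on any unrecognised reply line keeps the mailet fail-closed: the message can be held or retried instead of being delivered as if it had scanned clean.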