Thread: F-Prot v6.x




F-Prot v6.x
Switzerland
2007-12-24 02:14:46
Hello list

I don't know if any one of you has tried the new F-Prot
version 6.x with Amavis? I downloaded yesterday the new
version and Amavis did not work with it. I think the code in
amavisd.conf is not made to recognize it. I added the block
below to amavisd.conf in order to recognize the v6.x
version:
  ### http://www.f-prot.com/   - backs up F-Prot Daemon
  ['FRISK F-Prot Antivirus', ['fpscan'],
    '-s 4 -u 3 -z 10 --adware --applications --report {}',
    [0,8], [3,6],   # or: [0], [3,6,8],
    qr/^\[(Found\s+(possible\s+)?(false positive|clean program file|trojan|virus|worm|joke|backdoor|spyware|exploit|security risk|dialer|virus tool|application|downloader|password stealer|adware|garbage|network worm|trojan proxy|archive bomb|P2P worm Based on a remote template))|Contains macros|Misdisinfected virus|Possibly contains macros\]\s+/ ],

I have no clue if the syntax is right? I just doubled the
original F-Prot code block and changed the regexp to match
the returning text of the new version and changed the scan
parameters. Is that the proper way?

// Steve
-- 
GMX FreeMail: 1 GB mailbox, 5 e-mail addresses, 10 free SMS.
All information and free sign-up: http://www.gmx.net/de/go/freemail

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/

Re: F-Prot v6.x
United States
2007-12-24 08:49:05
F-PROTD is also very different now as well.

Mike



Re: F-Prot v6.x
Switzerland
2007-12-24 15:42:48
-------- Original Message --------
> Date: Mon, 24 Dec 2007 09:49:05 -0500
> From: Michael Katz <mknewsmessagepartners.com>
> To: 
> CC: amavis-userlists.sourceforge.net
> Subject: Re: [AMaViS-user] F-Prot v6.x

> F-PROTD is also very different now as well.
> 
Have you dug into this? Do you have any snippet to add
into amavisd.conf for recognizing the new daemon?


> Mike
> 
Steve



Re: F-Prot v6.x
Slovenia
2007-12-28 10:26:55
Bruno, Steve,

> I was looking for an option how to make my new f-prot working with amavis.
> And I've found your thread
> http://marc.info/?l=amavis-user&m=119308375204361&w=2
>
> I want to give a try to the Mark code. But as I don't really understand yet
> the amavis code after the call to fpscan ...
>     [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3],
> what means the (1,2,3 .... )

amavisd.conf-sample:

# av_scanners is a list of n-tuples, where fields semantics is:
...
# 5. an array ref of av scanner exit status values, or a regexp (to be
#    matched against scanner output), indicating VIRUSES WERE FOUND;
#    a value undef may be used and it never matches (for consistency with 4.);
#    Note: the virus match prevails over a 'not found' match, so it is safe
#    even if the no. 4. matches for viruses too;

> I give some manual try with real virus (easily found by clamd)
> here's the result :
Thanks for samples.

So what was still missing was an updated regexp to collect virus names
from the output of a virus scanner.

Try this one (with some options from the other thread, suggested by Steve):

  ### http://www.f-prot.com/   F-PROT Antivirus Command-Line Scanner, V6
  ['F-PROT Antivirus for UNIX', ['fpscan'],
    '--report --adware --mount {}', # consider: --applications -s 4 -u 3 -z 10
    [0,8,64],  [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3],
    qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/ ],


Mark
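
A sketch of how the three result fields of the entry above fit together, added here as an example and not part of Mark's message or of amavisd's own code: the exit status is checked against the "viruses found" list first, then against the "clean" list, and the regexp collects virus names from the output. The `classify` helper is hypothetical, the sample output lines are constructed to fit the regexp rather than captured from fpscan, and the `/m` flag is this example's addition.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Fields 4-6 of the av_scanners entry suggested above.
my @clean_status    = (0, 8, 64);
my @infected_status = (1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3);
# /m is added in this example so that ^ matches at the start of every line
# of multi-line scanner output, not only at the start of the whole string.
my $name_re = qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m;

# Classify one scanner run; a 'viruses found' status prevails over 'clean'.
sub classify {
    my ($status, $output) = @_;
    my @names = $output =~ /$name_re/g;   # one captured name per matching line
    return ('infected', @names) if grep { $_ == $status } @infected_status;
    return ('clean')            if grep { $_ == $status } @clean_status;
    return ('unknown');   # in neither list: this example treats it as a failure
}

# Constructed sample runs (assumed output shape): [exit status, output].
my @runs = (
    [0,  "Scanning: /tmp/mail/part-00001\n"],
    [1,  "[Found virus] <EICAR_Test_File (exact)> \t/tmp/mail/part-00002\n"],
    [3,  "Scanning: /tmp/mail\n"
       . "[Found possible virus] <Sample.A (generic)> \t/tmp/mail/p3\n"
       . "[Found trojan] <Sample.B> \t/tmp/mail/p4\n"],
    [8,  "Scanning: /tmp/mail/part-00005\n"],
    [20, "fpscan: error\n"],
);

for my $run (@runs) {
    my ($status, $output) = @$run;
    my ($verdict, @names) = classify($status, $output);
    printf "status %2d -> %-8s %s\n", $status, $verdict, join(', ', @names);
}
```

The "viruses found" list is every status whose low two bits are 1, 2 or 3, alone or combined with 4 and/or 8, which is why 8 by itself stays in the "clean" list while 8+1 does not.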
