antivirus check refactored

Change-Id: I47d599239dac13f7bc455070dd5a84dd034cbb42
Signed-off-by: SJ <sj@acts.hu>
This commit is contained in:
SJ 2017-01-25 22:19:12 +01:00
parent 10c2d59183
commit 2c55ff96f7
5 changed files with 16 additions and 174 deletions

View File

@ -20,60 +20,6 @@
#define CLAMD_RESP_INFECTED "FOUND" #define CLAMD_RESP_INFECTED "FOUND"
#define CLAMD_RESP_ERROR "ERROR" #define CLAMD_RESP_ERROR "ERROR"
int clamd_scan(char *tmpfile, char *engine, char *avinfo, struct __config *cfg); int clamd_scan(char *tmpfile, struct __config *cfg);
int clamd_net_scan(char *tmpfile, char *engine, char *avinfo, struct __config *cfg);
// Dr.Web stuff
#define DRWEB_RESP_VIRUS 0x20
#define DRWEB_VIRUS_HAS_FOUND_MESSAGE "Virus has been found in message. See drwebd.log for details"
int drweb_scan(char *tmpfile, char *engine, char *avinfo, struct __config *cfg);
// avast! stuff
#define AVAST_READY "220"
#define AVAST_CMD_QUIT "QUIT\r\n"
#define AVAST_RESP_OK "200"
#define AVAST_RESP_ENGINE_ERROR "451"
#define AVAST_RESP_SYNTAX_ERROR "501"
#define AVAST_RESP_CLEAN "[+]"
#define AVAST_RESP_INFECTED "[L]"
int avast_scan(char *tmpfile, char *engine, char *avinfo, struct __config *cfg);
int avast_cmd_scan(char *tmpfile, char *engine, char *avinfo, struct __config *cfg);
// Kaspersky stuff
#define KAV_CMD_QUIT "QUIT\r\n"
#define KAV_READY "201 "
#define KAV_RESP_CLEAN "220 File is clean"
#define KAV_RESP_INFECTED "230 File is infected"
#define KAV_RESP_INFECTED_NAME "322-"
#define KAV_RESP_NOT_FOUND "525 File not found"
int kav_scan(char *tmpfile, char *engine, char *avinfo, struct __config *cfg);
// avg stuff
#define AVG_READY "220"
#define AVG_CMD_QUIT "QUIT\r\n"
#define AVG_RESP_OK "200"
#define AVG_RESP_VIRUS "403"
#define AVG_RESP_NOT_FOUND "404"
#define AVG_RESP_ERROR "501"
#define AVG_NOT_FOUND 404
int avg_scan(char *tmpdir, char *tmpfile, char *engine, char *avinfo, struct __config *cfg);
int moveMessageToQuarantine(struct session_data *sdata, struct __config *cfg);
void sendNotificationToPostmaster(struct session_data *sdata, char *rcpttoemail, char *fromemail, char *virusinfo, char *avengine, struct __config *cfg);
#endif /* _AV_H */ #endif /* _AV_H */

View File

@ -10,51 +10,12 @@
#include <piler.h> #include <piler.h>
int do_av_check(struct session_data *sdata, char *virusinfo, struct __data *data, struct __config *cfg){ int do_av_check(char *filename, struct __config *cfg){
int rav = AVIR_OK; int rav = AVIR_OK;
char avengine[SMALLBUFSIZE];
struct timezone tz;
struct timeval tv1, tv2;
gettimeofday(&tv1, &tz); if(clamd_scan(filename, cfg) == AV_VIRUS) rav = AVIR_VIRUS;
memset(avengine, 0, SMALLBUFSIZE); if(cfg->verbosity >= _LOG_DEBUG) syslog(LOG_PRIORITY, "%s: done virus scanning", filename);
#ifdef HAVE_LIBCLAMAV
const char *virname;
unsigned int options=0;
options = CL_SCAN_STDOPT | CL_SCAN_ARCHIVE | CL_SCAN_MAIL | CL_SCAN_OLE2;
if(cfg->use_libclamav_block_max_feature == 1) options |= CL_SCAN_BLOCKMAX;
if(cfg->clamav_block_encrypted_archives == 1) options |= CL_SCAN_BLOCKENCRYPTED;
if(cfg->verbosity >= _LOG_DEBUG) syslog(LOG_PRIORITY, "%s: trying to pass to libclamav", sdata->ttmpfile);
if(cl_scanfile(sdata->ttmpfile, &virname, NULL, data->engine, options) == CL_VIRUS){
memset(virusinfo, 0, SMALLBUFSIZE);
strncpy(virusinfo, virname, SMALLBUFSIZE-1);
rav = AVIR_VIRUS;
snprintf(avengine, SMALLBUFSIZE-1, "libClamAV");
}
if(cfg->verbosity >= _LOG_DEBUG) syslog(LOG_PRIORITY, "%s: virus info: '%s'", sdata->ttmpfile, virname);
#endif
#ifdef HAVE_CLAMD
if(strlen(cfg->clamd_addr) > 3 && cfg->clamd_port > 0){
if(clamd_net_scan(sdata->ttmpfile, avengine, virusinfo, cfg) == AV_VIRUS) rav = AVIR_VIRUS;
} else {
if(clamd_scan(sdata->ttmpfile, avengine, virusinfo, cfg) == AV_VIRUS) rav = AVIR_VIRUS;
}
#endif
if(cfg->verbosity >= _LOG_DEBUG) syslog(LOG_PRIORITY, "%s: done virus scanning", sdata->ttmpfile);
gettimeofday(&tv2, &tz);
sdata->__av = tvdiff(tv2, tv1);
return rav; return rav;
} }

View File

@ -18,20 +18,18 @@
#include <piler.h> #include <piler.h>
int clamd_scan(char *tmpfile, char *engine, char *avinfo, struct __config *cfg){ int clamd_scan(char *tmpfile, struct __config *cfg){
int s, n; int s, n;
char *p, *q, buf[MAXBUFSIZE], scan_cmd[SMALLBUFSIZE]; char *p, *q, buf[MAXBUFSIZE], scan_cmd[SMALLBUFSIZE];
struct sockaddr_un server; struct sockaddr_un server;
memset(avinfo, 0, SMALLBUFSIZE);
chmod(tmpfile, 0644); chmod(tmpfile, 0644);
strcpy(server.sun_path, cfg->clamd_socket); strcpy(server.sun_path, cfg->clamd_socket);
server.sun_family = AF_UNIX; server.sun_family = AF_UNIX;
if((s = socket(AF_UNIX, SOCK_STREAM, 0)) == -1){ if((s = socket(AF_UNIX, SOCK_STREAM, 0)) == -1){
syslog(LOG_PRIORITY, "ERR: create socket"); syslog(LOG_PRIORITY, "ERR: create socket to %s", cfg->clamd_socket);
return AV_ERROR; return AV_ERROR;
} }
@ -66,7 +64,7 @@ int clamd_scan(char *tmpfile, char *engine, char *avinfo, struct __config *cfg){
if(q){ if(q){
*q = '\0'; *q = '\0';
p++; p++;
strncpy(avinfo, p, SMALLBUFSIZE-1); syslog(LOG_PRIORITY, "VIRUS <%s> found in %s", p, tmpfile);
} }
} }
@ -75,74 +73,3 @@ int clamd_scan(char *tmpfile, char *engine, char *avinfo, struct __config *cfg){
return AV_OK; return AV_OK;
} }
int clamd_net_scan(char *tmpfile, char *engine, char *avinfo, struct __config *cfg){
int n, psd, rc, ret=AV_OK;
char *p, *q, buf[MAXBUFSIZE], scan_cmd[SMALLBUFSIZE];
char port_string[6];
struct addrinfo hints, *res;
memset(avinfo, 0, SMALLBUFSIZE);
chmod(tmpfile, 0644);
if(cfg->verbosity >= _LOG_DEBUG) syslog(LOG_PRIORITY, "%s: trying to pass to clamd", tmpfile);
snprintf(port_string, sizeof(port_string)-1, "%d", cfg->clamd_port);
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
if((rc = getaddrinfo(cfg->clamd_addr, port_string, &hints, &res)) != 0){
syslog(LOG_PRIORITY, "%s: getaddrinfo for '%s': %s\n", tmpfile, cfg->clamd_addr, gai_strerror(rc));
return AV_ERROR;
}
if((psd = socket(res->ai_family, res->ai_socktype, res->ai_protocol)) == -1){
syslog(LOG_PRIORITY, "%s: ERR: create socket", tmpfile);
ret = AV_ERROR;
goto ENDE_CLAMD;
}
if(connect(psd, res->ai_addr, res->ai_addrlen) == -1){
syslog(LOG_PRIORITY, "%s: CLAMD ERR: connect to %s %d", tmpfile, cfg->clamd_addr, cfg->clamd_port);
ret = AV_ERROR;
goto ENDE_CLAMD;
}
memset(scan_cmd, 0, SMALLBUFSIZE);
snprintf(scan_cmd, SMALLBUFSIZE-1, "SCAN %s/%s\r\n", cfg->workdir, tmpfile);
if(cfg->verbosity >= _LOG_DEBUG) syslog(LOG_PRIORITY, "%s: CLAMD CMD: %s", tmpfile, scan_cmd);
send(psd, scan_cmd, strlen(scan_cmd), 0);
n = recvtimeout(psd, buf, MAXBUFSIZE, TIMEOUT);
close(psd);
if(cfg->verbosity >= _LOG_DEBUG) syslog(LOG_PRIORITY, "%s: CLAMD DEBUG: %d %s", tmpfile, n, buf);
if(strcasestr(buf, CLAMD_RESP_INFECTED)){
p = strchr(buf, ' ');
if(p){
q = strrchr(p, ' ');
if(q){
*q = '\0';
p++;
strncpy(avinfo, p, SMALLBUFSIZE-1);
}
}
ret = AV_VIRUS;
}
ENDE_CLAMD:
freeaddrinfo(res);
return ret;
}

View File

@ -102,6 +102,14 @@ int process_email(char *filename, struct session_data *sdata, struct __data *dat
bzero(&counters, sizeof(counters)); bzero(&counters, sizeof(counters));
#ifdef HAVE_ANTIVIRUS
if(do_av_check(filename, cfg) == AVIR_VIRUS){
syslog(LOG_PRIORITY, "%s: discarding: virus", filename);
unlink(filename);
return OK;
}
#endif
init_session_data(sdata, cfg); init_session_data(sdata, cfg);
sdata->tot_len = size; sdata->tot_len = size;

View File

@ -32,7 +32,7 @@ void insert_offset(struct session_data *sdata, int server_id);
void tear_down_client(int n); void tear_down_client(int n);
int do_av_check(struct session_data *sdata, char *virusinfo, struct __data *data, struct __config *cfg); int do_av_check(char *filename, struct __config *cfg);
int make_digests(struct session_data *sdata, struct __config *cfg); int make_digests(struct session_data *sdata, struct __config *cfg);
void digest_file(char *filename, char *digest); void digest_file(char *filename, char *digest);