An interesting idea was put forward by the author of exiscan-acl; I'll have to try it out.
So that the background is clear, I will first quote the message from Peter Bowyer,
who started the thread, and then the reply from Tom Kistner...
-------- Original Message --------
Subject: Re: [exiscanusers] Multiple malware scanners
Date: Tue, 17 Aug 2004 18:57:21 +0100
From: Peter Bowyer <peter at bowyer.org>
To: <exiscanusers at duncanthrax.net>
References: <SIMEON.10408171627.H at supc19.rdg.ac.uk>
Chris Wakelin <c.d.wakelin at reading.ac.uk> wrote:
> You can do this with a custom command line running a script, but that
> misses out Exiscan's native support for various daemons.
..and means that if I want to make multiple references to the scan result
in ACLs I have to remember the results myself, rather than relying on
Exiscan's result caching.
(Well, not exactly myself, but you know what I mean...)
> I like the idea of specifying which scanner in the ACL entry, as you
> could deal with the known viruses in your favourite scanner first,
> and deal with suspect attachments that get past that with backup
> scanner(s).
>
> Something like:-
>
> acl_check_mime:
> ..
>   warn set acl_m1 = ${extract{-1}{.}{${lc:$mime_filename}}}
>
>   warn log_message = Executable Attachment ($acl_m1) - $mime_filename
>        condition = ${if \
>          match{$acl_m1}{\N^(vbs|vbe|wsf|wsh|js|jse|exe|com|cmd|shs|hta|bat|scr|lnk|pif)$\N}{1}{0}}
>        set acl_m3 = $acl_m1
>
> acl_check_content:
> ..
>
>   deny message = This contains $malware_name
>        log_message = stopped $malware_name
>        malware = * : sophie
>
>   deny message = This contains $malware_name
>        log_message = $malware_name got past Sophie!
>        condition = ${if !eq{$acl_m3}{} {1}{0}}
>        malware = * : clamav
>
>   deny message = This contains a potentially executable ($acl_m3) attachment
>        condition = ${if !eq{$acl_m3}{} {1}{0}}
Yes, that's exactly the sort of thing I have in mind.
Tom, are you there?
Peter
-------- Original Message --------
Subject: Re: [exiscanusers] Multiple malware scanners
Date: Wed, 18 Aug 2004 09:55:00 +0200
From: Tom Kistner <tom at duncanthrax.net>
To: Peter Bowyer <peter at bowyer.org>
CC: exiscanusers at duncanthrax.net
References: <SIMEON.10408171627.H at supc19.rdg.ac.uk>
<0d1b01c48483$a6071240$0a46a8c0 at pbdesktop>
Peter Bowyer wrote:
> Tom, are you there?
Yes. I can make the following proposal:
The main av_scanner variable (where you define the global scanner to
use) will be expanded before being used. Then you can set:
av_scanner = $acl_m0
And in the ACL:
  deny message = Sophos detected virus ($malware_name)
       set acl_m0 = sophie
       malware = *

  deny message = ClamAV detected virus ($malware_name)
       set acl_m0 = clamd
       malware = *
Also, caching will only work if the scanner string has not changed after
expansion.
So I don't have to make changes to the syntax and the coding overhead is
relatively low.
/tom
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Best wishes Victor Ustugov mailto:victor at corvax.kiev.ua
public GnuPG/PGP key: http://victor.corvax.kiev.ua/corvax.asc
ICQ: 77186900, 32418694 CRV2-RIPE, CRV-UANIC
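Tom's proposal carried through as a complete ACL, combined with Chris's extension check. This is an added example, not configuration from the thread or from the exiscan-acl project; it assumes Exim 4 with exiscan-acl (or the content scanning later merged into Exim 4.50) and a Sophie socket at /var/run/sophie and a clamd socket at /var/run/clamd/clamd.sock, both paths being assumptions that must match the local installation:

```exim
# Added example, not from the thread. Socket paths are assumptions.

# Main section. av_scanner is expanded at every use of the malware
# condition, so the ACL can choose the scanner through an ACL variable.
av_scanner = $acl_m0

acl_smtp_mime = acl_check_mime
acl_smtp_data = acl_check_content

begin acl

acl_check_mime:
  # Runs once per MIME part. Lower-cased extension of the part's file name.
  warn  set acl_m1 = ${extract{-1}{.}{${lc:$mime_filename}}}

  # Remember a dangerous-looking extension for the DATA ACL. $acl_m* values
  # persist until the end of the message, so acl_m3 is visible later.
  warn  condition   = ${if match{$acl_m1}\
          {\N^(vbs|vbe|wsf|wsh|js|jse|exe|com|cmd|shs|hta|bat|scr|lnk|pif)$\N}{1}{0}}
        set acl_m3  = $acl_m1
        log_message = Executable attachment ($acl_m1) - $mime_filename

  accept

acl_check_content:
  # First scanner, every message. acl_m0 must be set before each malware
  # condition because av_scanner gets its value from nowhere else.
  deny  message     = This contains $malware_name
        log_message = stopped $malware_name (sophie)
        set acl_m0  = sophie:/var/run/sophie
        malware     = *

  # Second scanner only for messages that carried an executable-looking part.
  deny  message     = This contains $malware_name
        log_message = $malware_name got past Sophie (clamd)
        condition   = ${if !eq{$acl_m3}{}{1}{0}}
        set acl_m0  = clamd:/var/run/clamd/clamd.sock
        malware     = *

  # Neither scanner objected, but the extension alone is enough to refuse.
  deny  message     = This contains a potentially executable ($acl_m3) attachment
        condition   = ${if !eq{$acl_m3}{}{1}{0}}

  accept
```

Two things to check before relying on this. First, every malware condition reached by any path through the ACL needs a preceding set acl_m0, otherwise av_scanner expands to an empty string and the condition cannot scan. Second, Tom's message describes caching as working as long as the expanded scanner string is unchanged; the content-scanning chapter of the Exim 4 specification that eventually shipped this feature says instead that using expandable items in av_scanner disables the malware result cache, so each malware condition causes a fresh scan. With the layout above that costs one extra scan only for messages that carry a suspicious extension, which is the intended trade-off.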