  1. use strict;
  2. $MYHOME = '/var/amavis'; # (default is '/var/amavis'), -H
  3. $mydomain = 'echosnetwork.com'; # (no useful default)
  4. $myhostname = 'server.echosnetwork.com'; # fqdn of this host, default by uname(3)
  5. $daemon_user = 'amavis'; # (no default; customary: vscan or amavis), -u
  6. $daemon_group = 'amavis'; # (no default; customary: vscan or amavis), -g
  7. $TEMPBASE = "$MYHOME/tmp"; # prefer to keep home dir /var/amavis clean?
  8. $ENV{TMPDIR} = $TEMPBASE; # used for SA temporary files, by some decoders, etc.
  9. $enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
  10. $enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1
  11. $enable_dkim_verification = 0; # enable DKIM signatures verification
  12. $enable_dkim_signing = 0; # load DKIM signing code, keys defined by dkim_key
  13. $forward_method = 'smtp:[127.0.0.1]:10025'; # where to forward checked mail
  14. $notify_method = $forward_method; # where to submit notifications
  15. $max_servers = 15; # num of pre-forked children (2..30 is common), -m
  16. $max_requests = 20; # retire a child after that many accepts (default 20)
  17. $child_timeout=5*60; # abort child if it does not complete its processing in
  18. # approximately n seconds (default: 8*60 seconds)
  19. $smtpd_timeout = 120; # disconnect session if client is idle for too long
  20. # (default: 8*60 seconds); should be higher than a
  21. # Postfix setting max_idle (default 100s)
  22. @bypass_spam_checks_maps = (1); # controls running of anti-spam code
  23. @local_domains_maps = ( [".$mydomain"] ); # $mydomain and its subdomains
  24. $insert_received_line = 0; # behave like MTA: insert 'Received:' header
  25. # (does not apply to sendmail/milter)
  26. # (default is true)
  27. $unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket
  28. # (default is undef, i.e. disabled)
  29. # (usual setting is $MYHOME/amavisd.sock)
  30. $inet_socket_port = 10024; # accept SMTP on this local TCP port
  31. # (default is undef, i.e. disabled)
  32. $inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface
  33. # (default is '127.0.0.1')
  34. @inet_acl = qw(127.0.0.1 [::1]); # allow SMTP access only from localhost IP
  35. # (default is qw(127.0.0.1 [::1]) )
  36. $DO_SYSLOG = 1; # (defaults to 0)
  37. $syslog_ident = 'amavis'; # Syslog ident string (defaults to 'amavis')
  38. $syslog_facility = 'mail'; # Syslog facility as a string
  39. # e.g.: mail, daemon, user, local0, ... local7, ...
  40. $syslog_priority = 'debug'; # Syslog base (minimal) priority as a string,
  41. # choose from: emerg, alert, crit, err, warning, notice, info, debug
  42. $LOGFILE = "$MYHOME/amavis.log"; # (defaults to empty, no log)
  43. $log_level = 5; # (defaults to 0), -d
  44. $log_recip_templ = undef; # undef disables by-recipient level-0 log entries
  45. $hdr_encoding = 'iso-8859-1'; # MIME charset (default: 'iso-8859-1')
  46. $hdr_encoding_qb = 'Q'; # MIME encoding: quoted-printable (default)
  47. $hdr_encoding_qb = 'B'; # MIME encoding: base64
  48. $bdy_encoding = 'iso-8859-1'; # (default: 'iso-8859-1')
# Final action per content category.  Entries are separated by plain commas
# on purpose: the fat comma (=>) would auto-quote the CC_* bareword on its
# left into the string 'CC_VIRUS' instead of using the constant's value.
# CC_SPAM => D_DISCARD is presumably moot while @bypass_spam_checks_maps
# above is (1), i.e. spam checking does not run.
%final_destiny_by_ccat = (
  CC_VIRUS, D_DISCARD,      # infected mail is dropped silently
  CC_BANNED, D_BOUNCE,      # NOTE(review): a bounce goes to the envelope sender,
                            # which virus/banned mail often forges -- confirm
                            # D_BOUNCE rather than D_DISCARD is wanted here
  CC_UNCHECKED, D_PASS,
  CC_SPAM, D_DISCARD,
  CC_BADH, D_PASS,
  CC_OVERSIZED, D_BOUNCE,
  CC_CLEAN, D_PASS,
  CC_CATCHALL, D_PASS,
);
# Virus names (as reported by the scanner) that are known to forge the sender.
# The catch-all [qr/^/ => 1] at the end matches every name, so the lookup
# answers true for any virus; the specific patterns above it are only
# documentary while the catch-all stays in place.
@viruses_that_fake_sender_maps = (new_RE(
  qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
  qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
  qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
  qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
  qr'@mm|@MM', # mass mailing viruses as labeled by f-prot and uvscan
  qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc
  [qr/^/ => 1], # true by default (remove or comment-out if undesired)
));
# --- notifications -----------------------------------------------------------
$virus_admin = "meat\@$mydomain";               # recipient of virus admin notifications
$spam_admin = undef;                            # do not send spam admin notifications (default)
$mailfrom_notify_admin = "amavis\@$mydomain";   # envelope sender used for admin notifications
$mailfrom_notify_recip = "amavis\@$mydomain";   # envelope sender used for recipient notifications
$mailfrom_notify_spamadmin = "spam\@$mydomain"; # envelope sender used for spam-admin notifications
# NOTE(review): the comment says "null return path", but the value is a single
# space, not the empty string ''; confirm which of the two the daemon treats
# as the null path before relying on it.
$mailfrom_to_quarantine = ' '; # override sender address with null return path

# --- quarantine --------------------------------------------------------------
$QUARANTINEDIR = "$MYHOME/quarantine";  # on-disk quarantine root (presumably only
                                        # used by a local-file method; all four
                                        # methods below are 'sql')
$quarantine_subdir_levels = 1; # add level of subdirs to disperse quarantine
$virus_quarantine_method = 'sql'; # default
$spam_quarantine_method = 'sql'; # default
$banned_files_quarantine_method = 'sql'; # default
$bad_header_quarantine_method = 'sql'; # default
# The *_to names are kept from the local-quarantine defaults even though the
# methods above are 'sql'.
$virus_quarantine_to = 'virus-quarantine'; # traditional local quarantine
$banned_quarantine_to = 'banned-quarantine'; # local quarantine
$bad_header_quarantine_to = 'bad-header-quarantine'; # local quarantine
$spam_quarantine_to = 'spam-quarantine'; # local quarantine
$sa_quarantine_cutoff_level = 50; # dflt: undef, which disables this feature

# --- header and body rewriting -----------------------------------------------
$X_HEADER_TAG = 'X-ClamAV-Scanned'; # header added to scanned mail (default: 'X-Virus-Scanned')
$undecipherable_subject_tag = '***ENCRYPTED*** '; # Subject prefix for mail with undecipherable parts; undef disables it
$defang_virus = 1; # 1 = modify (defang) the body of virus mail that is passed on; default is false: don't modify mail body
$defang_banned = 1; # 1 = modify (defang) the body of banned mail that is passed on; default is false: don't modify mail body
# Value 1 strips any pre-existing X-Virus-Scanned header before ours is added;
# the default (false) leaves existing X-Virus-Scanned headers alone.
$remove_existing_x_scanned_headers = 1;
$remove_existing_spam_headers = 1; # remove existing spam headers if
                                   # spam scanning is enabled (default)
$allow_fixing_improper_header_folding = 1; # (default is true)
# Content types for which the decoded original is kept alongside the
# decoded parts, so the scanners also see the undecoded form.
@keep_decoded_original_maps = (new_RE(
  qr'^MAIL-UNDECIPHERABLE$', # retain full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));
# Old-style banned-name rules, matched against file(1) types, declared file
# names and MIME types.  The first matching entry decides, which is why the
# "allow" entry for Unix archives ([... => 0]) sits before the ban entries.
$banned_filename_re = new_RE(
  qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary
  [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
  qr'.\.(pif|scr)$'i, # banned extensions - rudimentary
  qr'^application/x-msdownload$'i, # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,
  # block certain double extensions in filenames
  qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
  qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic
);
# New-style banned-name rules over tab-separated "T=type N=name M=mimetype"
# descriptors.  The (?# ...) groups inside the patterns are regex comments,
# not Perl comments.  NOTE: the whole definition is switched off again by the
# `$banned_namepath_re = undef;` at the end of this block, so these rules are
# currently not in force; $banned_filename_re above applies instead.
$banned_namepath_re = new_RE(
qr'(?# BLOCK Microsoft EXECUTABLES and DLL )
^ (.*\t)? T=(exe-ms|dll) (\t.*)? $'xm, # banned file(1) types, rudimentary
# within traditional Unix archives allow any name and type
[ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ], # allow
# banned filename extensions (in declared names) anywhere - rudimentary
qr'(?# BLOCK COMMON NAME EXENSIONS )
^ (.*\t)? N= [^\t\n]* \. (pif|scr) (\t.*)? $'xmi,
# block these MIME types
qr'(?#NO X-MSDOWNLOAD) ^(.*\t)? M=application/x-msdownload (\t.*)? $'xmi,
qr'(?#NO X-MSDOS-PROGRAM)^(.*\t)? M=application/x-msdos-program(\t.*)? $'xmi,
qr'(?#NO HTA) ^(.*\t)? M=application/hta (\t.*)? $'xmi,
# block certain double extensions in filenames
qr'(?# BLOCK DOUBLE-EXTENSIONS )
^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \. \ *
(exe|vbs|pif|scr|bat|cmd|com|cpl|dll) [. ]* (\t.*)? $'xmi,
# an empty executable-typed part is discarded outright rather than bounced
[ qr'(?# BLOCK EMPTY MIME PART APPLICATION/OCTET-STREAM )
^ (.*\t)? M=application/(octet-stream|x-msdownload|x-msdos-program)
\t(.*\t)* T=empty (\t.*)? $'xmi
=> 'DISCARD' ],
# banned filename extensions (in suggested names) anywhere - basic
qr'(?# BLOCK COMMON NAME EXENSIONS )
^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|cpl) (\t.*)? $'xmi,
);
$banned_namepath_re = undef; # to disable new-style
# Named banned-name rule sets selectable per policy bank.  'DEFAULT' reuses
# $banned_filename_re defined above; 'MYNETS-DEFAULT' is the looser set
# applied to internal hosts.
%banned_rules = (
  'MYNETS-DEFAULT' => new_RE( # permissive set of rules for internal hosts
    [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any name/type in Unix archives
    qr'.\.(vbs|pif|scr)$'i, # banned extension - rudimentary
  ),
  'DEFAULT' => $banned_filename_re,
);
  141. @bypass_spam_checks_maps = (1);
  142. @storage_sql_dsn = ( ['DBI:mysql:amavis:localhost', 'amavis', 'PASSWORD'] ) ; # none, same, or separate database
  143. $sql_select_white_black_list = undef; # undef disables SQL white/blacklisting
  144. $localpart_is_case_sensitive = 0; # (default is false)
# Per-sender score adjustments.  NOTE(review): as pasted, every address in
# the hash table below was replaced by the same obfuscated token
# '[email protected]', so in Perl those lines collapse into a single hash key
# whose *last* value (the 3.0 in the soft-blacklist section) wins.  The real
# addresses must be restored before this table is used.
@score_sender_maps = ({ # a by-recipient hash lookup table
  # site-wide opinions about senders (the '.' matches any recipient)
  '.' => [ # the _first_ matching sender determines the score boost
    new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
      [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
      [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
      [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
      [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
      [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
      [qr'^(your_friend|greatoffers)@'i => 5.0],
      [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
    ),
    { # a hash-type lookup table (associative array)
      # soft-whitelisting (negative score)
      '[email protected]' => -3.0,
      '[email protected]' => -3.0,
      '[email protected]' => -3.0,
      '[email protected]' => -3.0,
      'securityfocus.com' => -3.0,
      '[email protected]' => -3.0,
      '[email protected]' => -3.0,
      '[email protected]' => -3.0,
      '[email protected]'=> -3.0,
      '[email protected]' => -3.0,
      'spamassassin.apache.org' => -3.0,
      '[email protected]' => -3.0,
      '[email protected]' => -3.0,
      '[email protected]' => -3.0,
      '[email protected]' => -3.0,
      '[email protected]' => -3.0,
      '[email protected]' => -3.0,
      '[email protected]' => -3.0,
      '[email protected]' => -3.0,
      '[email protected]' => -3.0,
      '[email protected]' => -3.0,
      '[email protected]' => -3.0,
      '[email protected]' => -3.0,
      '[email protected]' => -3.0,
      '[email protected]' => -3.0,
      '[email protected]' => -5.0,
      '[email protected]' => -3.0,
      'returns.groups.yahoo.com' => -3.0,
      '[email protected]' => -3.0,
      lc('[email protected]') => -3.0,
      lc('[email protected]') => -5.0,
      # soft-blacklisting (positive score)
      '[email protected]' => 3.0,
      '.example.net' => 1.0,
    },
  ], # end of site-wide tables
});
# Hard blacklist of sender localparts (the same names that get +5.0 in
# @score_sender_maps above, repeated here as an outright blacklist).
@blacklist_sender_maps = ( new_RE(
  qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
  qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i,
  qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,
  qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
  qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
  qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
));
  203. $MAXLEVELS = 20; # (default is undef, no limit)
  204. $MAXFILES = 1500; # (default is undef, no limit)
  205. $MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
  206. $MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
  207. $MIN_EXPANSION_FACTOR = 5; # times original mail size (default is 5)
  208. $MAX_EXPANSION_FACTOR = 500; # times original mail size (default is 500)
  209. $virus_check_negative_ttl= 3*60; # time to remember that mail was not infected
  210. $virus_check_positive_ttl= 30*60; # time to remember that mail was infected
  211. $spam_check_negative_ttl = 10*60; # time to remember that mail was not spam
  212. $spam_check_positive_ttl = 30*60; # time to remember that mail was spam
  213. $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin:/opt/bin';
  214. $file = 'file'; # file(1) utility; use 3.41 or later to avoid vulnerability
  215. $dspam = 'dspam';
# Decoders tried per content type: [type, \&handler, program-or-candidates].
# A third element names the external program (a list gives alternatives to
# probe, a string with options is used as given); entries without one are
# handled in Perl.  Order matters: a type listed twice ('gz', 'tnef') gets
# the external tool first and the built-in handler as fallback.
@decoders = (
  ['mail', \&do_mime_decode],
  ['asc', \&do_ascii],
  ['uue', \&do_ascii],
  ['hqx', \&do_ascii],
  ['ync', \&do_ascii],
  ['F', \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
  ['Z', \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
  ['gz', \&do_uncompress, 'gzip -d'],
  ['gz', \&do_gunzip],
  ['bz2', \&do_uncompress, 'bzip2 -d'],
  ['lzo', \&do_uncompress, 'lzop -d'],
  ['rpm', \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
  ['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ],
  ['tar', \&do_pax_cpio, ['pax','gcpio','cpio'] ],
  ['deb', \&do_ar, 'ar'],
  ['zip', \&do_unzip],
  ['7z', \&do_7zip, ['7zr','7za','7z'] ],
  ['rar', \&do_unrar, ['rar','unrar'] ],
  ['arj', \&do_unarj, ['arj','unarj'] ],
  ['arc', \&do_arc, ['nomarch','arc'] ],
  ['zoo', \&do_zoo, ['zoo','unzoo'] ],
  ['lha', \&do_lha, 'lha'],
  ['cab', \&do_cabextract, 'cabextract'],
  ['tnef', \&do_tnef_ext, 'tnef'],
  ['tnef', \&do_tnef],
  # self-extracting executables: tries the rar, lha and arj unpackers in turn
  ['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);
# --- SpamAssassin thresholds ---------------------------------------------------
# NOTE: @bypass_spam_checks_maps = (1) earlier in this file disables spam
# checking altogether, so none of the $sa_* settings below take effect until
# that is changed.
$sa_local_tests_only = 0; # only tests which do not require internet access?
                          # for SA 3.0, its cf option is use_auto_whitelist)
$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
                                     # (less than 1% of spam is > 64k)
                                     # default: undef, no limitations
$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level;
                           # undef is interpreted as lower than any spam level
$sa_tag2_level_deflt = 6.31;# add 'spam detected' headers at that level to
                            # passed mail, adding address extensions;
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
                                             # at or above that level: bounce/reject/drop,
                                             # quarantine
$sa_dsn_cutoff_level = 9; # spam level beyond which a DSN is not sent,
                          # effectively turning D_BOUNCE into D_DISCARD;
                          # undef disables this feature and is a default;
# The remarks below describe the pen-pals and bounce-killer settings; the
# corresponding variables are not assigned anywhere in this file.
# when sender is known to have previously received mail from our
# local user from this mail system; zero or undef disables penpals
# lookups in SQL; default: undef
# penpal bonus is halved for each halflife period from the last mail
# sent by a local user to a current mail's sender; default: 7 days
# bounce killer needs operational SQL logging (pen pals) !
  265. @spam_dsn_cutoff_level_bysender_maps = (
  266. { # an associative array (hash) lookup table, use lowercase keys
  267. 'virgilio.it' => 7, 'mail.ru' => 7, '0451.com' => 7,
  268. 'yahoo.co.uk' => 7, 'yahoo.co.jp' => 7, 'nobody@' => 7,
  269. 'noreply@' => 0, 'no-reply@' => 0, 'donotreply@' => 0,
  270. 'opt-in@' => 0, 'opt-out@' => 0, 'yahoo-dev-null@' => 0,
  271. '.optin-out.com' => 0, '[email protected]' => 0,
  272. '[email protected]'=> 7, # Sophos PureMessage spam bounces
  273. },
  274. \$sa_dsn_cutoff_level, # catchall default value
  275. );
# --- Subject tagging for spam --------------------------------------------------
# Like the $sa_* thresholds, these only matter once spam checking is enabled
# (@bypass_spam_checks_maps is (1) earlier in this file).
$sa_spam_subject_tag = '***SPAM*** '; # (defaults to undef, disabled)
                                      # (only seen when spam is passed and recipient is
                                      # in local_domains*)
@spam_subject_tag_maps = ('[possible-spam:_SCORE_] ');       # at tag level
@spam_subject_tag2_maps = ('***SPAM*** _SCORE_ (_REQD_) ');  # at tag2 level
@spam_subject_tag3_maps = ('***BLATANT*SPAM**** _SCORE_ (_REQD_) ');
$sa_spam_modifies_subj = 1; # in @spam_modifies_subj_maps, default is true
                            # undef or empty disables inserting X-Spam-Level
# Stop calling further scanners of a section as soon as one reports an
# infection.
$first_infected_stops_scan = 1; # default is false, all scanners in a section
                                # are called
  286. @av_scanners = (
  287. ['ClamAV-clamd',
  288. \&ask_daemon, ["CONTSCAN {}\n", "/var/amavis/clamd.sock"],
  289. qr/\bOK$/m, qr/\bFOUND$/m,
  290. qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
  291. ### http://www.kaspersky.com/ (kav4mailservers)
  292. ['KasperskyLab AVP - aveclient',
  293. ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
  294. '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
  295. '-p /var/run/aveserver -s {}/*',
  296. [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m,
  297. qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m,
  298. ],
  299. # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious,
  300. # currupted or protected archives are to be handled
  301. ### http://www.kaspersky.com/
  302. ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
  303. '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ?
  304. qr/infected: (.+)/m,
  305. sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
  306. sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  307. ],
  308. ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
  309. ### products and replaced by aveserver and aveclient
  310. ['KasperskyLab AVPDaemonClient',
  311. [ '/opt/AVP/kavdaemon', 'kavdaemon',
  312. '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
  313. '/opt/AVP/AvpTeamDream', 'AvpTeamDream',
  314. '/opt/AVP/avpdc', 'avpdc' ],
  315. "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ],
  316. # change the startup-script in /etc/init.d/kavd to:
  317. # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
  318. # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" )
  319. # adjusting /var/amavis above to match your $TEMPBASE.
  320. # The '-f=/var/amavis' is needed if not running it as root, so it
  321. # can find, read, and write its pid file, etc., see 'man kavdaemon'.
  322. # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
  323. # directory $TEMPBASE specifies) in the 'Names=' section.
  324. # cd /opt/AVP/DaemonClients; configure; cd Sample; make
  325. # cp AvpDaemonClient /opt/AVP/
  326. # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"
  327. ### http://www.centralcommand.com/
  328. ['CentralCommand Vexira (new) vascan',
  329. ['vascan','/usr/lib/Vexira/vascan'],
  330. "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
  331. "--log=/var/log/vascan.log {}",
  332. [0,3], [1,2,5],
  333. qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ],
  334. # Adjust the path of the binary and the virus database as needed.
  335. # 'vascan' does not allow to have the temp directory to be the same as
  336. # the quarantine directory, and the quarantine option can not be disabled.
  337. # If $QUARANTINEDIR is not used, then another directory must be specified
  338. # to appease 'vascan'. Move status 3 to the second list if password
  339. # protected files are to be considered infected.
  340. ### http://www.avira.com/
  341. ### Avira AntiVir (formerly H+BEDV) or (old) CentralCommand Vexira Antivirus
  342. ['Avira AntiVir', ['antivir','vexira'],
  343. '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m,
  344. qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
  345. (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ],
  346. # NOTE: if you only have a demo version, remove -z and add 214, as in:
  347. # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,
  348. ### http://www.commandsoftware.com/
  349. ['Command AntiVirus for Linux', 'csav',
  350. '-all -archive -packed {}', [50], [51,52,53],
  351. qr/Infection: (.+)/m ],
  352. ### http://www.symantec.com/
  353. ['Symantec CarrierScan via Symantec CommandLineScanner',
  354. 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
  355. qr/^Files Infected:\s+0$/m, qr/^Infected\b/m,
  356. qr/^(?:Info|Virus Name):\s+(.+)/m ],
  357. ### http://www.symantec.com/
  358. ['Symantec AntiVirus Scan Engine',
  359. 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
  360. [0], qr/^Infected\b/m,
  361. qr/^(?:Info|Virus Name):\s+(.+)/m ],
  362. # NOTE: check options and patterns to see which entry better applies
  363. ### http://www.f-secure.com/products/anti-virus/ version 5.52
  364. ['F-Secure Antivirus for Linux servers',
  365. ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
  366. '--virus-action1=report --archive=yes --auto=yes '.
  367. '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8],
  368. qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],
  369. # NOTE: internal archive handling may be switched off by '--archive=no'
  370. # to prevent fsav from exiting with status 9 on broken archives
  371. ['CAI InoculateIT', 'inocucmd', # retired product
  372. '-sec -nex {}', [0], [100],
  373. qr/was infected by virus (.+)/m ],
  374. # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html
  375. ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT)
  376. ['CAI eTrust Antivirus', 'etrust-wrapper',
  377. '-arc -nex -spm h {}', [0], [101],
  378. qr/is infected by virus: (.+)/m ],
  379. # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
  380. # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783
  381. ### http://mks.com.pl/english.html
  382. ['MkS_Vir for Linux (beta)', ['mks32','mks'],
  383. '-s {}/*', [0], [1,2],
  384. qr/--[ \t]*(.+)/m ],
  385. ### http://mks.com.pl/english.html
  386. ['MkS_Vir daemon', 'mksscan',
  387. '-s -q {}', [0], [1..7],
  388. qr/^... (\S+)/m ],
  389. ### http://www.eset.com/, version 3.0
  390. ['ESET Software ESETS Command Line Interface',
  391. ['/usr/bin/esets_cli', 'esets_cli'],
  392. '--subdir {}', [0], [1,2,3],
  393. qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ],
  394. ## http://www.nod32.com/, NOD32LFS version 2.5 and above
  395. ['ESET NOD32 for Linux File servers',
  396. ['/opt/eset/nod32/sbin/nod32','nod32'],
  397. '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
  398. '-w -a --action=1 -b {}',
  399. [0], [1,10], qr/^object=.*, virus="(.*?)",/m ],
  400. ### http://www.norman.com/products_nvc.shtml
  401. ['Norman Virus Control v5 / Linux', 'nvcc',
  402. '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
  403. qr/(?i).* virus in .* -> \'(.+)\'/m ],
  404. ### http://www.pandasoftware.com/
  405. ['Panda CommandLineSecure 9 for Linux',
  406. ['/opt/pavcl/usr/bin/pavcl','pavcl'],
  407. '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
  408. qr/Number of files infected[ .]*: 0+(?!\d)/m,
  409. qr/Number of files infected[ .]*: 0*[1-9]/m,
  410. qr/Found virus :\s*(\S+)/m ],
  411. # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr'
  412. # before starting amavisd - the bases are then loaded only once at startup.
  413. # To reload bases in a signature update script:
  414. # /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr
  415. # Please review other options of pavcl, for example:
  416. # -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies
  417. ### http://www.nai.com/
  418. ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
  419. '--secure -rv --mime --summary --noboot --mailbox --program --timeout 180 - {}', [0], [13],
  420. qr/(?x) Found (?:
  421. \ the\ (.+)\ (?:virus|trojan) |
  422. \ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
  423. :\ (.+)\ NOT\ a\ virus)/m,
  424. # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
  425. # sub {delete $ENV{LD_PRELOAD}},
  426. ],
  427. # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
  428. # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
  429. # and then clear it when finished to avoid confusing anything else.
  430. # NOTE2: to treat encrypted files as viruses replace the [13] with:
  431. # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/
  432. ### http://www.virusbuster.hu/en/
  433. ['VirusBuster', ['vbuster', 'vbengcl'],
  434. "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
  435. qr/: '(.*)' - Virus/m ],
  436. # VirusBuster Ltd. does not support the daemon version for the workstation
  437. # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
  438. # binaries, some parameters AND return codes have changed (from 3 to 1).
  439. # See also the new Vexira entry 'vascan' which is possibly related.
  440. ### http://www.cyber.com/
  441. ['CyberSoft VFind', 'vfind',
  442. '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m,
  443. # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
  444. ],
  445. ### http://www.avast.com/
  446. ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
  447. '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ],
  448. ### http://www.ikarus-software.com/
  449. ['Ikarus AntiVirus for Linux', 'ikarus',
  450. '{}', [0], [40], qr/Signature (.+) found/m ],
  451. ### http://www.bitdefender.com/
  452. ['BitDefender', 'bdscan', # new version
  453. '--action=ignore --no-list {}', qr/^Infected files *:0+(?!\d)/m,
  454. qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m,
  455. qr/(?:suspected|infected): (.*)(?:\033|$)/m ],
  456. ### http://www.bitdefender.com/
  457. ['BitDefender', 'bdc', # old version
  458. '--arc --mail {}', qr/^Infected files *:0+(?!\d)/m,
  459. qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m,
  460. qr/(?:suspected|infected): (.*)(?:\033|$)/m ],
  461. # consider also: --all --nowarn --alev=15 --flev=15. The --all argument may
  462. # not apply to your version of bdc, check documentation and see 'bdc --help'
  463. ### ArcaVir for Linux and Unix http://www.arcabit.pl/
  464. ['ArcaVir for Linux', ['arcacmd','arcacmd.static'],
  465. '-v 1 -summary 0 -s {}', [0], [1,2],
  466. qr/(?:VIR|WIR):[ \t]*(.+)/m ],
  467. );
# Fallback scanners, same entry layout as @av_scanners.  The "backs up ..."
# remarks name the primary scanner each one stands in for; clamscan is the
# command-line fallback for the clamd socket entry at the top of @av_scanners.
@av_scanners_backup = (
  ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
  ['ClamAV-clamscan', 'clamscan',
    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
  ### http://www.f-prot.com/ - backs up F-Prot Daemon, V6
  ['F-PROT Antivirus for UNIX', ['fpscan'],
    '--report --mount --adware {}', # consider: --applications -s 4 -u 3 -z 10
    [0,8,64], [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3],
    qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ],
  ### http://www.f-prot.com/ - backs up F-Prot Daemon (old)
  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
    '-dumb -ai -archive -packed -server {}', [0,8], [3,6], # or: [0], [3,6,8],
    qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ],
  ### http://www.trendmicro.com/ - backs up Trophie
  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
    '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ],
  ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD
  ['drweb - DrWeb Antivirus', # security LHA hole in Dr.Web 4.33 and earlier
    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
    '-path={} -al -go -ot -cn -upn -ok-',
    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ],
  ### http://www.kaspersky.com/
  ['Kaspersky Antivirus v5.5',
    ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
     '/opt/kav/5.5/kav4unix/bin/kavscanner',
     '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
    '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
    qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m,
  ],
);
1; # ensure a true return value: a file loaded with require must end in one
  500. ]0;root@echosnetwork:/etcechosnetwork etc # 