[Avcheck] AvpUpdate.pl and checking the downloaded files
Michael Tokarev
mjt@tls.msk.ru
Wed, 23 Jan 2002 21:32:37 +0300
Ralf Hildebrandt wrote:
>
> Today our kavdaemon died an ugly death, because one of the updated
> files was corrupt / missing and kavdaemon was restarted.
>
> My idea:
>
> I created a directory /opt/AVP which contains:
>
> -rw-r--r-- 1 root root 135 Jan 23 15:40 AvpUnix.ini
> -rw-r--r-- 1 root root 950 Jan 23 15:44 AvpUnix.key
> lrwxrwxrwx 1 root root 20 Jan 23 15:38 bases -> /var/spool/avp/bases
> lrwxrwxrwx 1 root root 26 Jan 23 15:41 defUnix.prf -> /var/spool/avp/defUnix.prf
> lrwxrwxrwx 1 root root 25 Jan 23 15:41 kavscanner -> /var/spool/avp/kavscanner
>
> Comments:
> a) Linking the AvpUnix.key doesn't work -- bad code?
> b) AvpUnix.ini needs to be changed, due to the fact that the real
> AvpUnix.ini works only for the chroot jail!
It is better to have an additional ini file specifically for the non-chrooted
version. It may point to the same key file as used by the chrooted
daemon, using the KeyPath (if memory serves me right) statement.
> I thought if I started kavscanner like this:
>
> % ./kavscanner -Y . && restart_kavdaemon || echo "Oh shit!"
>
> it would load the bases (which it does) and would complain with a
> non-zero exit status.
As I have pointed out several times already, avp treats all errors as success.
> Unfortunately kavscanner is a piece of junk -- If I delete one bases
> file, I get:
What will be wrong from kav's point of view if you delete one virus base
file? Well, this depends on the file you deleted -- if you delete
the main file, perhaps it is an error, but not necessarily for other
files, especially for "addons". Ah, yes, they are all listed in one
of its files too -- ...let me check... avp.klb and avp.set, but
I don't know how those files are handled by avp.
> # ./kavscanner -Y . < /dev/null > /dev/null;echo $?
> mount: /dev/fd0 is not a valid block device
> mount: /dev/fd0 is not a valid block device
> mount: /dev/fd0 is not a valid block device
> mount: /dev/fd0 is not a valid block device
> mount: /dev/fd0 is not a valid block device
> mount: /dev/fd0 is not a valid block device
> mount: /dev/fd0 is not a valid block device
> mount: /dev/fd0 is not a valid block device
> 0
Never, NEVER execute it as root!
> Hello? There were errors and still it reports an exit status of 0?
This is entirely to be expected.
Again, as I already said before, the only more-or-less reliable
way to perform updates is:
1 download all updates to a separate directory. Abort on any error
2 execute kavscanner or kavdaemon with those updated bases, giving
it a file with a known virus to check. Both should return a known
exit code. If something goes wrong, abort.
The scanner/daemon should be executed as a separate user in this
case, to avoid possible further damage.
3 rename the current working bases to an `old' directory (erasing its
content if `old' already exists)
4 rename the new bases directory to be current
5 reload (or restart) the running daemon
This method is very good to use with any antivirus software, not
only avp. Well, different virus scanners are reliable to different degrees,
especially in step 2 (kav is definitely not reliable), but this way
most common errors will be caught anyway.
I'm too lazy to write all this to be done automatically -- this is the
reason why I still update manually (oh well, I have spent more time
on manual updates than it would take to write the above script! :).
Regards,
Michael.
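The five-step update procedure from the message above, written out as an added POSIX sh example; this is not code from the original post or from the avp/kav product. The directory layout, the validator interface, the detection exit code 3 and the fake_scanner stand-in are assumptions made for this example.

```shell
#!/bin/sh
# Staged update of antivirus bases following the five steps in the post:
# validate the freshly downloaded bases before they replace the live ones.
# The directory layout, the validator interface and exit code 3 below are
# assumptions made for this example, not documented kavscanner behaviour.
# update_bases CURRENT OLD NEW VALIDATOR EXPECTED_RC RELOAD_CMD
#   CURRENT      directory the running daemon loads its bases from
#   OLD          previous bases are kept here (wiped first if present)
#   NEW          staging directory already filled by step 1 (the download)
#   VALIDATOR    run as "VALIDATOR NEW"; it must scan a file containing a
#                known test virus with the bases in NEW (step 2). In real
#                use wrap it in su/sudo so it runs as an unprivileged user.
#   EXPECTED_RC  exit status VALIDATOR returns when the sample is detected
#   RELOAD_CMD   command that reloads or restarts the daemon (step 5)
# Returns 0 on success; on any abort CURRENT is left exactly as it was.
update_bases() {
    current=$1; old=$2; new=$3; validator=$4; expected_rc=$5; reload_cmd=$6

    # Step 1 must have completed: refuse an absent or empty staging directory.
    if [ ! -d "$new" ] || [ -z "$(ls -A "$new")" ]; then
        echo "update: staging directory '$new' missing or empty" >&2
        return 1
    fi

    # Step 2: compare against the *known* detection code, never against 0,
    # because kavscanner reports 0 even after visible errors.
    rc=0
    "$validator" "$new" || rc=$?
    if [ "$rc" -ne "$expected_rc" ]; then
        echo "update: validator exited $rc, expected $expected_rc; aborting" >&2
        return 2
    fi

    # Steps 3-4: rotate with mv (rename(2) per step); if the final rename
    # fails, put the previous bases back.
    rm -rf "$old" || return 3
    if [ -d "$current" ]; then mv "$current" "$old" || return 3; fi
    mv "$new" "$current" || { mv "$old" "$current"; return 4; }
    # Step 5: let the daemon pick up the new bases.
    $reload_cmd || return 5
}

# Constructed stand-in for the scanner so the example runs offline: "detects
# the sample" (exit 3) only when the main base file avp.set is present in
# the staging directory; otherwise returns 0, as kav does even on errors.
fake_scanner() {
    [ -f "$1/avp.set" ] && return 3
    return 0
}
```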