[Avcheck] automated AVP update script

[Michael Kubecka]

>>
Again, as I already said before, the only more-or-less reliable
way to perform updates is:

 1 download all updates to a separate directory.  Abort on any error
 2 execute kavscanner or kavdaemon with those updated bases, giving
   it a file with known virus to check.  Both should return known
   exit code.  If something goes wrong, abort.
   scanner/daemon should be executed as a separate user in this
   case, to avoid possible further damage.
 3 rename current working bases to `old' directory (erasing it's
   content if `old' already exists)
 4 rename new bases directory to be current
 5 reload (or restart) running daemon
<<

Based on several messages and snippets of code I've seen on this list, I
wrote
a script a while ago to automate AVP virus updating.  I modified it
shortly after the discussion about someone receiving a corrupted
AV update from Kaspersky's site that killed his kavdaemon.  The script
follows Michael
Tokarev's list above (except that, for right now, it runs as root. 
Shame on me.)

I run the script from cron, and it e-mails me a msg with "OK" or "ERROR"
in the
subject so I can see at a glance how things went.

The script successfully detected some problem/corruption in AV virus
defs a month
ago that continued for about 4 days, so it seems to work OK.

Hopefully the below will be helpful.  Or if anyone has changes or
suggestions,
let me know, as I'd like to improve the script where possible.

==========================================================================

#!/bin/sh
# Modified by M. Kubecka from examples
# provided by Michael Tokarev,
# Ralf Hildebrandt, Kaspersky and others on the
# avcheck list.

# Version 1.6, written for FreeBSD 4.x
# 01/04/2002

# Future mods:
# Kavscanner and kavdaemon should be executed as
# a non-root user.

PATH=$PATH:/usr/local/bin
AVP=/var/chroot/AVP
Subj="AVP Update Status - OK"

# Assumes the directory
# $AVP/test_files which contains eicar.msg
# for test virus-scanning.  The dir should be
# world readable.

# Name of mail administrator acct to receive
# status messages.

MailAdmin="root"

# defer avpcheck Transport
# The defer_transports parameter allows you to specify what
# mail should always be deferred until Postfix is
# explicitly asked to deliver. 

echo "Temporarily deferring mail..."
postconf -e "defer_transports = avpcheck"

# kill kavdaemon

echo "Killing the Kaspersky kavdaemon..."
cd $AVP
$AVP/kavdaemon -ka && sleep 2

# Save old virus definition updates
# in case of problems in updating...

echo "Saving the current anti-virus definitions..."
mkdir $AVP/Bases.old
chmod 755 $AVP/Bases.old
cp -p $AVP/Bases/* $AVP/Bases.old

# Fetch updates to temporary directory...
# (You could also use -ki instead of -kb, to get
# incremental updates.)

echo "Fetching Kaspersky virus definition updates..."
$AVP/kavupdater -y -o -kb -b=$AVP/Bases \
-ui=http://downloads1.kaspersky-labs.com/updates > /root/kavupdate.tmp
exitCode=$?

case $exitCode in
        6)
        result="(6) Found corrupted file; process stopped."
        ;;
        4)
        result="(4) Found corrupted file."
        ;;
        2)
        result="Process stopped on corrupted file."
        ;;
        0)
        result="Antiviral databases correctly loaded."
        ;;
        *)
        result="($exitCode) Unknown failure."
esac

# Don't just depend on the exit code; also check
# the output of the update process.
if [ 0 -lt $(egrep -c "(not completed|corrupted)" /root/kavupdate.tmp)
]; then
        exitCode=6
        result="(6) Found corrupted file; process stopped."
fi

records=`cat /root/kavupdate.tmp | grep 'Known' \
| sed 's/.*\. //'`

# Test the new virus definitions by scanning
# a known infected file...
if [ -f $AVP/test_files/eicar.msg -a $exitCode -eq 0 ]; then
        echo "Testing the virus defs by scanning a known-infected
file..."
        $AVP/kavscanner -T $AVP/tmp -O $AVP/test_files/eicar.msg

        virexitCode=$?
        lo=$[$virexitCode%16]
        hi=$[$virexitCode/16]

        # If it doesn't detect known virus or suspicious object
        # then we'll assume there's a problem with the defs.

        if [ $virexitCode -ne 4 -a $virexitCode -ne 3 ]; then
                echo "Known virus not detected!"
                exitCode=6
                result="(6) Found corrupted file; process stopped."
        else
                echo "Virus detected successfully."
        fi
fi

# If the virus definitions didn't load properly
# then fall back...

if [ $exitCode -ne 0 ]; then
        Subj="AVP Update Status - ERROR"
        echo "A problem was encountered during update."
        echo "Falling back to previous virus definitions..."
        rm -rf $AVP/Bases > /dev/null 2>&1
        mv $AVP/Bases.old $AVP/Bases
        records="Reverted to previous known good anti-virus
definitions."
fi

# Fix permissions.
echo "Setting permissions on anti-virus databases..."
chmod 644 $AVP/Bases/* > /dev/null
chmod 755 $AVP/Bases > /dev/null
rm -rf $AVP/Bases.old > /dev/null 2>&1

# Start kavdaemon chroot()'ed as unprivileged user avdaemon.
# The "echo no" line is needed only for the evaluation version,
# otherwise comment it out.

echo "Starting the Kaspersky kavdaemon..."

# echo no | \   # only needed for the evaluation version!
/usr/bin/env - HOME=/ \
/usr/bin/nice \
/usr/local/sbin/uchroot -u avdaemon $AVP \
./kavdaemon -dl -MP -f=/ctl /tst > /dev/null

# un-defer avpcheck Transport
echo "Undeferring mail..."
sleep 1 && postconf -e "defer_transports ="

# Send a status update to the mail administrator
currentdate=`date`
echo "$currentdate:
Kaspersky's virus definitions update status:
$result
$records" | \
mail -s "$Subj" $MailAdmin

exit $exitCode