[Avcheck] Re: avcheck support for Sophie?

Michael Tokarev mjt@tls.msk.ru
Fri, 26 Apr 2002 14:23:36 +0400


[Cc'd to avcheck@list.corpit.ru]

Sorry for the late catch-up - I wasn't aware of the discussion.. ;)

Orlando Andico wrote:
> 
> On Fri, 26 Apr 2002, Ralf Hildebrandt wrote:
> ..
> > Interesting, because usually it's disk I/O (the message hits the disk 3
> > times: initial injection, /tmp and then reinjection -- ok, in your case
> > just twice). Since when does avcheck use /tmp ? Did you patch it? It
> > uses /var/spool/avcheck/tst here...
> 
> I used -d command line switch to tell it which directory to use for
> temporary files..

Umm.  Don't do that.  At least not directly in /tmp.  Avcheck isn't prepared
to work with world-writable directories, and in fact shouldn't be.  It will
create files with fixed names, something like "tmp-$PID", and this
becomes a security risk when done in a world-writable directory.  If you want
to, create a dedicated directory in /tmp, e.g. /tmp/avcheck, and give it
similar permissions to those suggested by the READMEs that come with avcheck.

Also, for the same reason, it's a high risk to run any av software as
root, and sophie, as far as I remember, runs as root by default.  It
tries to create the /var/run/sophie.pid file - if memory serves me right.
The best thing in this case - if you don't like to run it chrooted - is to
patch sophie so it will either change uid after successful startup,
or, better, have the ability to specify an alternative /var/run on the
command line.

I don't know much about sophie/trophie -- I have hardly tested those at
all (but I do know that there is at least one other successful
installation of the avcheck+sophie combo working).

But be warned.  Sophos has only preliminary support for MIME decoding.
It works only partially -- it seems they did that just for marketing
purposes, not for real usage.  That isn't my experience either, but
I do remember that sophos can't handle all varieties of message formats
as e.g. avp or drweb can.  You'd better verify this before relying on
it heavily (or else you risk being falsely protected, when your feeling
about a possible "e-virus" infection isn't that strong since you use a
virus scanner, but that virus scanner may not catch some known viruses).

BTW, this is yet another reason why it is NOT recommended to run any
virus scanner as root: a virus scanner has to deal with complex data,
and it's very difficult to do that in the right way, without bugs.

On 25.04.2002 at 19:38:15 +0800, Orlando Andico wrote the following:
> 
> I have been hacking avcheck 0.7 to support Sophie properly, and it *seems*
> to work. It detects viruses that is. I had to bzero(buf) several times in
> the sophie_trophie function because otherwise the path sent to Sophie
> sometimes contains garbage and Sophie becomes very unhappy.

That's strange.  It should not be required to zero a buffer.  I'll look
into this shortly.  I actually verified the code - once it was written -
and at that time, sophie worked - somehow, since the sophos version that was
available was not able to handle email format at all.

Regards,
 Michael.
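A worked illustration of the dedicated-directory advice in the mail above, added here and not part of the original message or of avcheck itself: it checks whether a work directory is safe for fixed-name files like "tmp-$PID" (refusing a symlink, a directory owned by someone else, or a world-writable one such as /tmp) and creates the work file with O_EXCL and O_NOFOLLOW so a pre-existing entry under the predictable name is refused rather than followed. The directory, the symlink and the pid 1234 in demo() are constructed for the example.

```python
import os
import stat
import tempfile


def check_spool_dir(path):
    """List why a directory is unsafe for fixed-name work files ([] = safe)."""
    try:
        st = os.lstat(path)  # lstat, so a symlink planted here does not pass
    except FileNotFoundError:
        return ["does not exist"]
    problems = []
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink")
    elif not stat.S_ISDIR(st.st_mode):
        problems.append("is not a directory")
    if st.st_uid != os.geteuid():
        problems.append("not owned by the scanner's uid")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable (like /tmp)")
    return problems


def create_work_file(directory, name):
    """Create directory/name only if absent (O_EXCL), never through a symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(os.path.join(directory, name), flags, 0o600)


def demo():
    """Constructed scenario: a dedicated 0700 dir, the same dir opened up like
    /tmp, a symlink to it, and a second create under the same fixed name."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o700)
    results = {"dedicated": check_spool_dir(base)}
    os.chmod(base, 0o1777)  # sticky and world-writable, as /tmp is
    results["shared"] = check_spool_dir(base)
    os.chmod(base, 0o700)
    link = base + ".lnk"
    os.symlink(base, link)
    results["via_symlink"] = check_spool_dir(link)
    os.close(create_work_file(base, "tmp-1234"))  # 1234 is a constructed pid
    try:
        create_work_file(base, "tmp-1234")
        results["second_attempt_refused"] = False
    except FileExistsError:
        results["second_attempt_refused"] = True
    return results


if __name__ == "__main__":
    print(demo())
```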