[Avcheck] Bug in v.0.9

Michael Tokarev mjt@tls.msk.ru
Thu, 03 Oct 2002 00:35:11 +0400


Varadi Gabor wrote:
> 	Hi, all.
> 
> 	I found a new bug(?) in avcheck v.0.9 if kavdaemon is 4.0.2.2
> 
> 	Result: no virus message ( infected $2 parameter )
> 
> 	I examined the source file and debugged :) and examined the kavdaemon result.
> 
> 	The original avcheck waits for '\t', but it is not found :(
> 	Kavdaemon sends ' ' (0x20) and does not send '\t' (0x09).

Formatting of KAV's message is a complete mess.  I did my
best to remove the cruft and extract actual useful message.
At the time this code was written -- errm, I don't remember
what the formatting looked like, but it consisted of some
information, a name of a file, some additional information
"inside a file", a tab, an actual "infected by ..." text,
and a newline (this repeated several times if there was
more than one virus).  Something like
  blabla /file/name/From Michael<...>/infected.zip/infected.doc	Infected by eicar
(I repeat: I don't remember details).
The only almost reliable way to detect where actual message
begins is to look at tab character.

It seems the format has been changed somehow.  Can you
please post actual data KAV is sending back?  (This can
be obtained from their command-line scanner too - if memory
serves me right).  I can't just apply your patch because
I don't see actual formatting and don't know if this will
work for other versions and will not break something.

Thanks.

/mjt
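
An added illustration, not part of the original message and not avcheck's own code: a tab-delimited extraction over a multi-line scanner reply that keeps the whole line when no tab is present, so a change of delimiter is counted and still reported instead of producing an empty virus message. The function name `extract_messages` and the sample reply lines are constructed for this example; the real KAV output format is not shown in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper. For every line of `resp`, append the text after the
 * last tab to `out` (entries joined by "; "). A line without a tab is kept
 * whole. Returns the number of lines lacking a tab, or -1 on error. */
static int extract_messages(const char *resp, char *out, size_t outlen)
{
    int undelimited = 0;
    size_t used = 0;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    while (*resp) {
        size_t len = strcspn(resp, "\n");   /* length of the current line */
        const char *msg = resp;
        size_t mlen = len;

        for (size_t i = len; i > 0; i--) {  /* search for the last tab */
            if (resp[i - 1] == '\t') {
                msg = resp + i;
                mlen = len - i;
                break;
            }
        }
        if (msg == resp && len > 0)
            undelimited++;                  /* format drift: no tab found */
        if (mlen > 0) {
            size_t room = outlen - used;
            int n = snprintf(out + used, room, "%s%.*s",
                             used ? "; " : "", (int)mlen, msg);
            if (n < 0)
                return -1;
            used += (size_t)n < room ? (size_t)n : room - 1;  /* truncated */
        }
        resp += len;
        if (*resp == '\n')
            resp++;
    }
    return undelimited;
}

int main(void)
{
    char buf[256];
    /* Constructed reply: the second line uses a space where a tab is expected. */
    int bad = extract_messages("x /a.zip/a.doc\tInfected by eicar\n"
                               "x /b.doc Infected by eicar\n", buf, sizeof buf);
    printf("%d undelimited line(s): %s\n", bad, buf);
    return 0;
}
```

A nonzero return value is the signal to log the raw reply for inspection, which is the data requested above.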