[Avcheck] Sophos + avcheck

Piotr Klaban makler+avcheck at man.torun.pl
Mon Jan 19 13:21:49 MSK 2004 

On Fri, Jan 16, 2004 at 04:47:38PM -0600, Jim Olson wrote:
> It would be interesting if you could share your setup for 
> avcheck+sophos.  That may another direction to go.

I think AVP has better update algorithm than Sophos.
And it is very annoying that I need to reinstall Sophos
program at least every 3 months:
For example I use Sophos version 3.76 released on December 1 2003.
Current version is 3.77, released in January. Next month would be
3.78, and that would be the last month with 3.76 support -
in March there would be no v3.76 virus base updates.
(btw. v3.77 was buggy, and v.377b was released).

That is why I need to recompile Sophie with a new libsavi.so version.
Copy that version to /var/spool/sophie/usr/lib/ ...

Updating mechanism:

# crontab entry - update sophie database
5,35 * * * * /usr/local/sbin/update-sophie-database

I enclose /usr/local/sbin/update-sophie-database (small) and contents of the
/var/spool/sophie/etc/* if anyone is interested in it.

update-sophie-database scipt connects to the Sophos web site, and downloads correct version
of the virus database, then checks if the downloaded version has the same md5sum,
if not - script reloads the sophie daemon.


Now I use sophie v3.04rc1 configured with:

./configure --with-savilib=/opt/SAV/lib/libsavi.so --prefix=/usr --enable-only-fatal-err


There is the following line in /etc/postfix/master.cf:

sophie    unix  -       n       n       -       8       pipe
        flags=q user=avpc argv=/usr/local/sbin/avcheck-sophie
        -d /var/spool/sophie/./tst -s Sophie:/var/spool/sophie/var/run/sophie
        -h flis-sophie
        -f ${sender} -S :1025 -t 1200 -- ${recipient}

Substitute '-h flis-sophie' with your own custome header, and decrease
number of processes from 8 to e.g. 3, according to your needs.


There are the following files in /var/spool/sophie now:

drwxr-xr-x   8 root     other         512 Dec  8 13:40 /var/spool/sophie/
-rwxr-xr-x   1 root     other      286836 Dec  8 13:39 /var/spool/sophie/sophie
drwxr-xr-x   3 root     other         512 Jan 28  2003 /var/spool/sophie/usr
drwxr-xr-x   2 root     other         512 Dec  8 13:47 /var/spool/sophie/usr/lib
-rwxr-xr-x   1 root     other      227520 Jan 28  2003 /var/spool/sophie/usr/lib/ld.so.1
-rwxr-xr-x   1 root     bin         24968 Jan  5  2000 /var/spool/sophie/usr/lib/libmp.so.2
-rwxr-xr-x   1 root     bin          5292 Aug 19 10:43 /var/spool/sophie/usr/lib/libdl.so.1
-rwxr-xr-x   1 root     bin        908344 Jul 29 23:57 /var/spool/sophie/usr/lib/libnsl.so.1
-rwxr-xr-x   1 root     bin       1157900 Jul 29 23:57 /var/spool/sophie/usr/lib/libc.so.1
-r-xr-xr-x   1 bin      bin       1596176 Dec  8 13:30 /var/spool/sophie/usr/lib/libsavi.so.3
-rwxr-xr-x   1 root     bin         70864 Dec  4  2001 /var/spool/sophie/usr/lib/libsocket.so.1
-rwxr-xr-x   1 root     other       44892 Jan 29  2003 /var/spool/sophie/usr/lib/nss_files.so.1
-rwxr-xr-x   1 root     bin         41116 Aug 19 12:38 /var/spool/sophie/usr/lib/librt.so.1
-rwxr-xr-x   1 root     bin         38904 Jul 29 23:57 /var/spool/sophie/usr/lib/libpthread.so.1
lrwxrwxrwx   1 root     root           12 Dec  8 13:43 /var/spool/sophie/usr/lib/libposix4.so.1 -> ./librt.so.1
-rwxr-xr-x   1 root     bin         46796 Jan  5  2000 /var/spool/sophie/usr/lib/libaio.so.1
-rwxr-xr-x   1 root     bin        191996 Jul 29 23:57 /var/spool/sophie/usr/lib/libthread.so.1
drwx------   2 avpd     root          512 Jan 19 11:05 /var/spool/sophie/tmp
drwxr-x---   2 avpc     avp           512 Jan 19 11:11 /var/spool/sophie/tst
drwxr-xr-x   4 root     other         512 Jan 28  2003 /var/spool/sophie/var
drwxr-xr-x   2 avpd     other         512 Jan 19 10:28 /var/spool/sophie/var/run
srwxrwx---   1 avpd     avp             0 Jan 19 10:28 /var/spool/sophie/var/run/sophie
-rw-rw----   1 avpd     avp             5 Jan 19 10:28 /var/spool/sophie/var/run/sophie.pid [created by the sophie]
drwxr-xr-x   2 avpd     other         512 Jan 28  2003 /var/spool/sophie/var/log
drwxr-xr-x   2 root     other         512 Oct 10 09:58 /var/spool/sophie/etc
-rw-r--r--   1 root     other          40 Jan 28  2003 /var/spool/sophie/etc/sav.conf
-r--r--r--   1 root     other         216 Jan 29  2003 /var/spool/sophie/etc/passwd
-rw-r--r--   1 root     other          59 Jan 29  2003 /var/spool/sophie/etc/group
-rw-r--r--   1 root     other        1297 Jan 29  2003 /var/spool/sophie/etc/nsswitch.conf
-rw-r--r--   1 root     other        2759 Oct 10 09:58 /var/spool/sophie/etc/sophie.cfg
-rw-r--r--   1 root     other        9841 Aug 20 08:39 /var/spool/sophie/etc/sophie.savi
drwxr-xr-x   3 root     other         512 Jan 28  2003 /var/spool/sophie/opt
drwxr-xr-x   3 root     other         512 Jan 28  2003 /var/spool/sophie/opt/SAV
drwxr-xr-x   2 root     other        3072 Jan 19 03:35 /var/spool/sophie/opt/SAV/sav
-rw-r--r--   1 root     other         515 Dec  2 05:27 /var/spool/sophie/opt/SAV/sav/mimail-l.ide
[... other vdl / ide files ..]

That is for Solaris version only!
You will need other libraries in /usr/lib on Linux box.

I hope that attachements are not so big for the mailing list.

Best regards,

-- 
Piotr Klaban
-------------- next part --------------
#!/bin/sh
# Updating Sophos virus database v1.1 made by Piotr Klaban <makler at man.torun.pl>

cd /var/spool/sophie/opt/SAV/sav || exit 1
[ -x /var/spool/sophie/sophie ] || exit 1
VERSION=`( sh -c '/var/spool/sophie/sophie -v 2>&1' ) | grep 'Sophie IDE' | perl -ple 's/^.*IDE version (\d+)\.(\d+) .*/$1$2/;'`
if [ "x$VERSION" = "x" ]; then
  VERSION=376
fi

/usr/local/bin/wget --output-document=${VERSION}_ides-new.zip -q http://www.sophos.com/downloads/ide/${VERSION}_ides.zip || exit 1
if [ -f ${VERSION}_ides-new.zip -a -f ${VERSION}_ides.zip ]; then
#   sizeOLD=`/bin/ls -l ${VERSION}_ides.zip | awk '{print $5 }'`
#   sizeNEW=`/bin/ls -l ${VERSION}_ides-new.zip | awk '{print $5 }'`
#   if [ "$sizeOLD" -eq "$sizeNEW" ]; then
#     exit 0;
#   fi
   md5OLD=`/usr/local/bin/md5sum ${VERSION}_ides.zip`
   md5NEW=`/usr/local/bin/md5sum ${VERSION}_ides-new.zip`
   if [ "$md5OLD" -eq "$md5NEW" ]; then
     exit 0;
   fi
fi
if [ -f ${VERSION}_ides.zip ]; then
  mv -f ${VERSION}_ides.zip ${VERSION}_ides.zip.old
fi
mv ${VERSION}_ides-new.zip ${VERSION}_ides.zip
/usr/local/bin/unzip -qq -t ${VERSION}_ides.zip && \
/usr/local/bin/unzip -q -o ${VERSION}_ides.zip && \
/etc/init.d/sophie.init stop && \
( sleep 1; /etc/init.d/sophie.init start )

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sophie.etc.tgz
Type: application/x-tar-gz
Size: 5114 bytes
Desc: not available
Url : http://www.corpit.ru/pipermail/avcheck/attachments/20040119/11c92573/sophie.etc.bin

More information about the Avcheck mailing list