[Avcheck] does avcheck work with drweb 4.31 ?
Sergey Akhapkin
asv at drweb.ru
Tue Jun 1 12:35:53 MSD 2004
On Tue, 1 Jun 2004 08:43:02 +0200
Piotr Klaban <makler+avcheck at man.torun.pl> wrote:
> On Tue, Jun 01, 2004 at 02:13:10AM +0400, Sergey Akhapkin wrote:
> > > May 31 16:16:57 mail postfix/pipe[19721]: E60AEB1A: to=<yumingjia at feis.com.cn>, relay=avcheck, delay=4243, status=deferred (temporary failure. Command output: avcheck: unexpected DrWeb return code 1114112 (0x110000) )
> >
> > It's a new bit (flag) in the daemon return code. It shows that mail is clean
> > after curing, so this bit is useful only if curing is used. As far as I know
> > avcheck doesn't use cure, so you can just ignore this bit. Sorry, I
> > don't know if a fixed version of avcheck exists or not.
>
> Are there DrWeb's error codes listed somewhere on the web?
Directly on the web - no; indirectly - yes. You need to download
ftp://ftp.drweb.ru/pub/unix/drweb-clients-4.31-sources.tar.gz
for our filters' sources and do RTFS, or download one of the older versions of the drwebd package from:
ftp://ftp.drweb.ru/pub/unix/archive/
and look at the readme (or below) for the section with the daemon API description. But that description will be incomplete (no new codes). Now we don't include the daemon API in the daemon distribution.
If you have some questions, ask me.
For daemon return codes you need to look at src/dwc_scan.h:
#ifndef __DRWEBD_SCAN_H
#define __DRWEBD_SCAN_H
/*--------------------------------------------------------------------------
* Copyright (c) 2001-2004 Igor Daniloff.
* All rights reserved.
*
* By using this file, you agree to the terms and conditions set
* forth in the LICENSE file which can be found at this directory.
*------------------------------------------------------------------------*/
/* $Id: dwc_scan.h,v 1.34 2004/01/14 14:30:03 cvser Exp $ */
#ifdef __cplusplus
extern "C" {
#endif
/* -- SCAN_COMMANDS -------------------------------------------------- */
#define DRWEBD_SCAN_CMD (1) /* scan file, buffer or diskfile */
#define DRWEBD_VERSION_CMD (2) /* get daemon version */
#define DRWEBD_BASEINFO_CMD (3) /* get info about viruses bases */
#define DRWEBD_IDSTRING_CMD (4) /* get id-string of daemon */
#define DRWEBD_SCANPART_CMD (5) /* scan part of diskfile */
#define DRWEBD_SPAMCHECK_CMD (6) /* check mail by anti-spam */
#define DRWEBD_GET_UUID_CMD (7) /* get daemon uuid (unique for each customer) */
/* -- SCAN_OPTIONS ---------------------------------------------------- */
#define DRWEBD_RETURN_VIRUSES (1<<0) /* ask daemon to return virus names from the report */
#define DRWEBD_RETURN_REPORT (1<<1) /* ask daemon to return the report lines */
#define DRWEBD_RETURN_CODES (1<<2) /* ask daemon to return extended return codes */
#define DRWEBD_HEURISTIC_ON (1<<3) /* enables heuristics in the finding module */
#define DRWEBD_RULE_FILTER_ON (1<<5) /* enables FilterRules in daemon */
#define DRWEBD_INFECTED_CURE (1<<6) /* try to cure infected files - if that fails the file is deemed incurable */
#define DRWEBD_INFECTED_MOVE (1<<7) /* move infected files */
#define DRWEBD_INFECTED_RENAME (1<<8) /* just rename infected files */
#define DRWEBD_INFECTED_DELETE (1<<9) /* delete infected files */
#define DRWEBD_INCURABLE_MOVE (1<<10) /* move incurable files */
#define DRWEBD_INCURABLE_RENAME (1<<11) /* just rename incurable files */
#define DRWEBD_INCURABLE_DELETE (1<<12) /* delete incurable files */
#define DRWEBD_SUSPECTED_MOVE (1<<13) /* move suspicious files */
#define DRWEBD_SUSPECTED_RENAME (1<<14) /* just rename suspicious files */
#define DRWEBD_SUSPECTED_DELETE (1<<15) /* delete suspicious files */
#define DRWEBD_ARCHIVE_MOVE (1<<16) /* move archive with infected/suspected files */
#define DRWEBD_ARCHIVE_RENAME (1<<17) /* rename archive with infected/suspected files */
#define DRWEBD_ARCHIVE_DELETE (1<<18) /* delete archive with infected/suspected files */
#define DRWEBD_IS_MAIL (1<<19) /* tell daemon that the format is "archive MAIL" */
#define DRWEBD_DONT_CHANGEMAIL (1<<21) /* tell daemon that the mail file cannot be changed */
#define DRWEBD_RETURN_SHORT_VIRUSES (1<<22) /* ask daemon to return pairs of virus name and infection type {K|M|S} */
#define DRWEBD_RETURN_FILTER_RULE (1<<23) /* ask daemon to return the filtering rule that has been altered */
#define DRWEBD_HAVE_ENVELOPE (1<<24) /* tell daemon that the filter will send the mail envelope */
#define DRWEBD_CHECK_ARX (1<<25) /* tell WinEngine to scan inside archives (RAR, ZIP etc.) */
/* -- SCAN_RESULT ----------------------------------------------------- */
#define DERR_NOERROR (0) /*= 0x00000000 */
#define DERR_READ_ERR (1<<0) /*= 0x00000001 */
#define DERR_WRITE_ERR (1<<1) /*= 0x00000002 */
#define DERR_NOMEMORY (1<<2) /*= 0x00000004 */
#define DERR_CRC_ERROR (1<<3) /*= 0x00000008 */
#define DERR_READSOCKET (1<<4) /*= 0x00000010 */
#define DERR_KNOWN_VIRUS (1<<5) /*= 0x00000020 */
#define DERR_UNKNOWN_VIRUS (1<<6) /*= 0x00000040 */
#define DERR_VIRUS_MODIFICATION (1<<7) /*= 0x00000080 */
#define DERR_HAVE_CURED (1<<8) /*= 0x00000100 */
#define DERR_TIMEOUT (1<<9) /*= 0x00000200 */
#define DERR_SYMLINK (1<<10) /*= 0x00000400 */
#define DERR_NO_REGFILE (1<<11) /*= 0x00000800 */
#define DERR_SKIPPED (1<<12) /*= 0x00001000 */
#define DERR_TOO_BIG (1<<13) /*= 0x00002000 */
#define DERR_TOO_COMPRESSED (1<<14) /*= 0x00004000 */
#define DERR_BAD_CALL (1<<15) /*= 0x00008000 */
#define DERR_EVAL_KEY (1<<16) /*= 0x00010000 */
#define DERR_FILTER_REJECT (1<<17) /*= 0x00020000 */
#define DERR_ARCHIVE_LEVEL (1<<18) /*= 0x00040000 */
#define DERR_HAVE_DELETED (1<<19) /*= 0x00080000 */
#define DERR_IS_CLEAN (1<<20) /*= 0x00100000 */
#define DERR_LICENSE_ERROR (1<<21) /*= 0x00200000 */
#define DERR_MASK (0x00FFFFFF)
#define DERR_NON_DAEMON_ERROR (~DERR_MASK)
#define DERR_INFECTED (DERR_KNOWN_VIRUS | DERR_VIRUS_MODIFICATION)
#define DERR_SUSPICIOUS (DERR_UNKNOWN_VIRUS)
#define DERR_VIRUS_MASK (DERR_INFECTED | DERR_SUSPICIOUS)
#define DERR_SKIP_OBJECT (DERR_SYMLINK | DERR_NO_REGFILE | DERR_SKIPPED | DERR_CRC_ERROR | DERR_TIMEOUT)
#define DERR_ARCHIVE_RESTRICTION (DERR_TOO_BIG | DERR_TOO_COMPRESSED | DERR_ARCHIVE_LEVEL)
#define DERR_DAEMON_ERROR (DERR_READ_ERR | DERR_WRITE_ERR | DERR_NOMEMORY | DERR_READSOCKET | DERR_BAD_CALL)
#ifdef __cplusplus
}
#endif
#endif /* __DRWEBD_SCAN_H */
From old documentation, in which the new codes (DERR_IS_CLEAN, DERR_LICENSE_ERROR, DERR_ARCHIVE_LEVEL, DERR_HAVE_DELETED) and options (DRWEBD_RETURN_SHORT_VIRUSES, DRWEBD_RETURN_FILTER_RULE) have no descriptions:
7. DrWeb Daemon program API
This paragraph has been written for those going to write their own
integration modules for DrWeb Daemon. It consists of two articles. In the
first one the daemon API itself is described; in the second one we describe the
library allowing you to create your own integration module.
7.1. Program API
First let's describe in general the interaction of the client and DrWeb Daemon.
The interaction is described by the following sequence (INT stands for
a parameter that is a 4-byte word in network order, STRING(n) stands for an
array of symbols of fixed length n):
- the client establishes a connection with the daemon;
- it sends the Cmd(INT) command; admissible commands:
    DRWEBD_SCAN_CMD      1 - scan file or buffer
    DRWEBD_VERSION_CMD   2 - return DrWeb Daemon version
    DRWEBD_BASEINFO_CMD  3 - return information on antivirus bases
                             loaded by DrWeb Daemon
    DRWEBD_IDSTRING_CMD  4 - return information on DrWeb Daemon
    DRWEBD_SCANPART_CMD  5 - scan file fragment
  for the scan file fragment command the following parameters are transmitted:
    - Offset(INT) - offset relative to the beginning of the file
    - Length(INT) - fragment length
  if it was one of the scan commands then the following additional data is also needed:
    - ScanOptions(INT) - scan options as an array of bit flags (action flags do not
      apply to files attached to a message):
        DRWEBD_RETURN_VIRUSES   0x0001 - return names of the detected viruses
        DRWEBD_RETURN_REPORT    0x0002 - return scan log
        DRWEBD_RETURN_CODES     0x0004 - return extended codes
        DRWEBD_HEURISTIC_ON     0x0008 - use heuristic analyzer
        DRWEBD_CURE_FILES       0x0010 - cure file
        DRWEBD_SPAM_FILTER      0x0020 - use header filter
        DRWEBD_INFECTED_CURE    0x0040 - try curing infected file; if that fails
                                         the file is treated as incurable
        DRWEBD_INFECTED_MOVE    0x0080 - move infected files
        DRWEBD_INFECTED_RENAME  0x0100 - rename infected files
        DRWEBD_INFECTED_DELETE  0x0200 - delete infected files
        DRWEBD_INCURABLE_MOVE   0x0400 - move incurable files
        DRWEBD_INCURABLE_RENAME 0x0800 - rename incurable files
        DRWEBD_INCURABLE_DELETE 0x1000 - delete incurable files
        DRWEBD_SUSPECTED_MOVE   0x2000 - move suspicious files
        DRWEBD_SUSPECTED_RENAME 0x4000 - rename suspicious files
        DRWEBD_SUSPECTED_DELETE 0x8000 - delete suspicious files
    - PathLen(INT) - name length (may equal 0; then the buffer is considered
      nameless and the next parameter Path is skipped);
    - Path(STRING(PathLen)) - buffer name or path to file (depends on the
      value of the DataLen field);
    - DataLen(INT) - data block length; if it is 0 (must be 0 for the scan
      fragment command), it means that Path is the path to the file for the
      daemon to scan;
    - Data(STRING(DataLen)) - data block to be scanned.
- then the client awaits the DrWeb Daemon's response, and reads the following
  data from the socket depending on the command:
    - for the return version command:
        Version(INT) - packed DrWeb Daemon version;
        Major = PackedVersion / 100, Minor = PackedVersion % 100;
    - for the information on DrWeb Daemon command:
        IdLen(INT) - information string length and
        Id(STRING(IdLen)) - the string itself;
    - for the information on the loaded bases command:
        BaseNum(INT) - number of the loaded bases, and then for each base read:
          NameLen(INT) - length of the file name of the base;
          Name(STRING(NameLen)) - base file name;
          VirCount(INT) - number of antivirus records (in the base);
    - for scan commands:
        DaemonCode(INT) - daemon return code, contains bit fields with the
        events that happened during scanning:
          DERR_NOERROR            0x00000000 - no errors
          DERR_READ_ERR           0x00000001 - read error(s), may occur both
                                               because of physical file
                                               inaccessibility (e.g., wrong
                                               access rights) and of logical
                                               damage of the document
          DERR_WRITE_ERR          0x00000002 - write error(s) (possible only
                                               when curing)
          DERR_NOMEMORY           0x00000004 - no memory
          DERR_CRC_ERROR          0x00000008 - integrity of the scanned
                                               archive(s) has been broken
          DERR_READSOCKET         0x00000010 - error in the log
          DERR_KNOWN_VIRUS        0x00000020 - virus(es) found
          DERR_UNKNOWN_VIRUS      0x00000040 - virus(es) suspected (possible
                                               only if the heuristic analyzer is
                                               enabled)
          DERR_VIRUS_MODIFICATION 0x00000080 - virus modification(s) found
          DERR_FILE_IS_CURED      0x00000100 - file(s) cured
          DERR_TIMEOUT            0x00000200 - scan timeout has run out
          DERR_SYMLINK            0x00000400 - file(s) skipped because symlink
          DERR_NO_REGFILE         0x00000800 - file(s) skipped because not a
                                               regular file
          DERR_SKIPPED            0x00001000 - file(s) skipped, for example
                                               in ByType mode
          DERR_TOO_BIG            0x00002000 - file(s) skipped because
                                               MaxFileSizeToExtract exceeded
          DERR_TOO_COMPRESSED     0x00004000 - file(s) skipped because
                                               MaxCompressionRatio exceeded
          DERR_BAD_CALL           0x00008000 - wrong command
          DERR_EVAL_KEY           0x00010000 - DrWeb Daemon operates with a demo
                                               key
          DERR_SPAM               0x00020000 - file(s) denied by the header
                                               filter (possible only if the header
                                               filter is enabled)
      Then, if additional flags were specified:
        - return virus names:
            VirNum(INT) - number of detected viruses, modifications or
            suspected objects; for every virus:
              VirNameLen(INT) - record length;
              VirName(STRING(VirNameLen)) - record of the following type:
                infected with EICAR Test File (NOT a Virus!)
              or
                possibly infected with COM.TSR Virus
        - return scan log:
            LineNum(INT) - number of lines in the report; for each:
              LineLen(INT) - line length;
              Line(STRING(LineLen)) - report line, of the type:
                test.zip - archive PKZIP
              or
                >test.zip/test.doc - Ok
              or
                >test.zip/eicar.com - infected with EICAR Test File (NOT a Virus!)
        - return extended codes:
            EventNum(INT) - number of pairs (event - number of occurrences);
            for each:
              EventCode(INT) - event code;
              EventOccurency(INT) - number of occurrences.
            Example:
              2                      // number of pairs
              DERR_KNOWN_VIRUS, 1    // one file infected by a known virus
              DERR_TOO_COMPRESSED, 2 // two files exceeded the compression ratio
--
Sergey Akhapkin <asv at drweb.ru>
Software Developer
Doctor Web Ltd. <http://www.drweb.com>
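The exchange described in section 7.1 above, as an added example that is not part of this thread, of avcheck, or of Dr.Web's own client sources. It packs a DRWEBD_SCAN_CMD request (every INT as a 4-byte word in network order, every STRING(n) length-prefixed), parses a reply with the optional virus-name and extended-code sections, and decodes a DaemonCode against the bit table from the quoted dwc_scan.h, including the 0x110000 from the log line at the top of the thread. The reply bytes are constructed here, so no daemon is contacted; the names pack_scan_request, parse_scan_reply, flag_names and classify are this example's own. The classify step shows the defensive choice a mail filter has to make: bits inside DERR_MASK that its table does not know are reported as "unknown" (and so can be deferred, as avcheck did) rather than silently treated as clean.

```python
"""Encode a DrWeb daemon scan request and decode the reply as described in
section 7.1 (INT = 4-byte word in network order, STRING(n) = n raw bytes).
Added example for this thread, not code from avcheck or Dr.Web's client sources.
Constants are taken from the dwc_scan.h quoted above; the reply bytes are
constructed here, so no daemon is contacted."""
import struct

DRWEBD_SCAN_CMD = 1                      # command code from dwc_scan.h
DRWEBD_RETURN_VIRUSES = 1 << 0           # scan options from dwc_scan.h
DRWEBD_RETURN_REPORT = 1 << 1
DRWEBD_RETURN_CODES = 1 << 2
DRWEBD_HEURISTIC_ON = 1 << 3
DRWEBD_IS_MAIL = 1 << 19

# scan result bits from dwc_scan.h, in bit order
DERR = {
    "DERR_READ_ERR": 1 << 0, "DERR_WRITE_ERR": 1 << 1, "DERR_NOMEMORY": 1 << 2,
    "DERR_CRC_ERROR": 1 << 3, "DERR_READSOCKET": 1 << 4, "DERR_KNOWN_VIRUS": 1 << 5,
    "DERR_UNKNOWN_VIRUS": 1 << 6, "DERR_VIRUS_MODIFICATION": 1 << 7,
    "DERR_HAVE_CURED": 1 << 8, "DERR_TIMEOUT": 1 << 9, "DERR_SYMLINK": 1 << 10,
    "DERR_NO_REGFILE": 1 << 11, "DERR_SKIPPED": 1 << 12, "DERR_TOO_BIG": 1 << 13,
    "DERR_TOO_COMPRESSED": 1 << 14, "DERR_BAD_CALL": 1 << 15, "DERR_EVAL_KEY": 1 << 16,
    "DERR_FILTER_REJECT": 1 << 17, "DERR_ARCHIVE_LEVEL": 1 << 18,
    "DERR_HAVE_DELETED": 1 << 19, "DERR_IS_CLEAN": 1 << 20, "DERR_LICENSE_ERROR": 1 << 21,
}
DERR_MASK = 0x00FFFFFF
DERR_INFECTED = DERR["DERR_KNOWN_VIRUS"] | DERR["DERR_VIRUS_MODIFICATION"]
DERR_SUSPICIOUS = DERR["DERR_UNKNOWN_VIRUS"]
DERR_DAEMON_ERROR = (DERR["DERR_READ_ERR"] | DERR["DERR_WRITE_ERR"] | DERR["DERR_NOMEMORY"]
                     | DERR["DERR_READSOCKET"] | DERR["DERR_BAD_CALL"])
KNOWN_BITS = 0
for _bit in DERR.values():
    KNOWN_BITS |= _bit


def _int(v):
    return struct.pack("!I", v)          # INT: 4-byte word in network byte order


def _string(s):
    return _int(len(s)) + s              # length-prefixed STRING(n)


def pack_scan_request(data, options, name=b""):
    """Bytes the client writes after connecting: Cmd, ScanOptions, PathLen, Path,
    DataLen, Data. A non-zero DataLen makes the daemon scan the inline buffer
    instead of opening Path on its own filesystem."""
    return _int(DRWEBD_SCAN_CMD) + _int(options) + _string(name) + _string(data)


class _Reader:
    """Cursor over the reply; every read is bounds-checked so a short or
    malformed reply raises instead of yielding garbage."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated daemon reply")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def int(self):
        return struct.unpack("!I", self.take(4))[0]

    def string(self):
        return self.take(self.int()).decode("latin-1")


def parse_scan_reply(buf, options):
    """Read DaemonCode, then the optional sections in the order the daemon
    sends them: virus names, report lines, (event, count) pairs."""
    r = _Reader(buf)
    reply = {"code": r.int(), "viruses": [], "report": [], "events": []}
    if options & DRWEBD_RETURN_VIRUSES:
        reply["viruses"] = [r.string() for _ in range(r.int())]
    if options & DRWEBD_RETURN_REPORT:
        reply["report"] = [r.string() for _ in range(r.int())]
    if options & DRWEBD_RETURN_CODES:
        reply["events"] = [(r.int(), r.int()) for _ in range(r.int())]
    if r.pos != len(buf):
        raise ValueError("trailing bytes in daemon reply")
    return reply


def flag_names(code):
    return [name for name, bit in DERR.items() if code & bit]


def classify(code):
    """Decision a mail filter can take on a daemon code. Bits inside DERR_MASK
    that this table does not know come back as 'unknown' rather than being
    silently treated as clean; with DERR_IS_CLEAN in the table, 0x110000 from
    the log line (DERR_EVAL_KEY | DERR_IS_CLEAN) classifies as clean."""
    if code & ~DERR_MASK:
        return "error"                   # DERR_NON_DAEMON_ERROR bits
    if code & DERR_INFECTED:
        return "infected"
    if code & DERR_SUSPICIOUS:
        return "suspicious"
    if code & DERR["DERR_FILTER_REJECT"]:
        return "rejected"
    if code & (DERR_DAEMON_ERROR | DERR["DERR_LICENSE_ERROR"]):
        return "error"
    if code & ~KNOWN_BITS:
        return "unknown"
    return "clean"


# constructed reply: one object infected with the EICAR test string, as in the
# report example in section 7.1; options ask for virus names and extended codes
SAMPLE_OPTIONS = DRWEBD_RETURN_VIRUSES | DRWEBD_RETURN_CODES | DRWEBD_HEURISTIC_ON | DRWEBD_IS_MAIL
SAMPLE_REPLY = (_int(DERR["DERR_KNOWN_VIRUS"])
                + _int(1) + _string(b"infected with EICAR Test File (NOT a Virus!)")
                + _int(1) + _int(DERR["DERR_KNOWN_VIRUS"]) + _int(1))

if __name__ == "__main__":
    print(pack_scan_request(b"constructed message body", SAMPLE_OPTIONS, b"msg.eml").hex())
    print(parse_scan_reply(SAMPLE_REPLY, SAMPLE_OPTIONS))
    for code in (0x110000, 0x20, 0x40, 0x00020000):
        print(hex(code), flag_names(code), classify(code))
```

Two details carry over to a real filter: read exactly the sections you asked for in ScanOptions (the daemon writes nothing for sections you did not request, so a mismatch desynchronises the stream), and keep the table of known bits in step with the header shipped with the daemon version you run against, since the old 4.x documentation above lists the same bit under older names (DERR_FILE_IS_CURED, DERR_SPAM).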