[Avcheck] does avcheck work with drweb 4.31 ?

Sergey Akhapkin asv at drweb.ru
Tue Jun 1 12:35:53 MSD 2004


On Tue, 1 Jun 2004 08:43:02 +0200
Piotr Klaban <makler+avcheck at man.torun.pl> wrote:

> On Tue, Jun 01, 2004 at 02:13:10AM +0400, Sergey Akhapkin wrote:
> > > May 31 16:16:57 mail postfix/pipe[19721]: E60AEB1A: to=<yumingjia at feis.com.cn>, relay=avcheck, delay=4243, status=deferred (temporar
> > > y failure. Command output: avcheck: unexpected DrWeb return code 1114112 (0x110000) )
> > 
> > It's a new bit (flag) in the daemon return code. It shows that the mail is clean
> > after curing, so this bit is useful only if curing is used. As far as I know
> > avcheck doesn't use cure, so you can just ignore this bit. Sorry, I
> > don't know whether a fixed version of avcheck exists or not.
> 
> Are there DrWeb's error codes listed somewhere on the web?

Directly on the web - no, indirectly - yes, you need to download 

ftp://ftp.drweb.ru/pub/unix/drweb-clients-4.31-sources.tar.gz

for the sources of our filters and RTFS, or download one of the older versions of the drwebd package from: 

ftp://ftp.drweb.ru/pub/unix/archive/

and look in the readme (or below) for the section with the daemon API description. But that description will be incomplete (no new codes). We no longer include the daemon API in the daemon distribution.

If you have any questions, ask me.

For the daemon return codes, look at src/dwc_scan.h:

#ifndef __DRWEBD_SCAN_H
#define __DRWEBD_SCAN_H

/*--------------------------------------------------------------------------
 *  Copyright (c) 2001-2004 Igor Daniloff.
 *  All rights reserved.
 *
 * By using this file, you agree to the terms and conditions set
 * forth in the LICENSE file which can be found at this directory.
 *------------------------------------------------------------------------*/

/* $Id: dwc_scan.h,v 1.34 2004/01/14 14:30:03 cvser Exp $ */

/*
 * Wire-protocol constants for clients of DrWeb Daemon (drwebd):
 *   - SCAN_COMMANDS: the Cmd(INT) word a client sends right after connecting;
 *   - SCAN_OPTIONS:  bit flags for the ScanOptions(INT) word of scan commands;
 *   - SCAN_RESULT:   bit flags of the DaemonCode(INT) word the daemon returns
 *                    for scan commands.
 * INT fields on the wire are 4-byte words in network byte order.
 *
 * DaemonCode is a bit set, not an enumeration: several DERR_* bits may be
 * set in one reply (e.g. DERR_EVAL_KEY | DERR_IS_CLEAN == 0x00110000), so a
 * client must test individual bits or the DERR_* group masks below rather
 * than compare the whole word for equality.  Newer daemons add bits that
 * older clients do not know; a client that rejects every unknown bit
 * fails closed (it deferred mail in the avcheck case), which is the safe
 * default until the new bit is confirmed to be informational.
 */

#ifdef  __cplusplus
extern "C" {
#endif

/* -- SCAN_COMMANDS -------------------------------------------------- */
#define DRWEBD_SCAN_CMD             (1)     /* scan file, buffer or diskfile; followed by ScanOptions, PathLen, Path, DataLen, Data */
#define DRWEBD_VERSION_CMD          (2)     /* get daemon version; reply is Version(INT), Major = Version / 100, Minor = Version % 100 */
#define DRWEBD_BASEINFO_CMD         (3)     /* get info about viruses bases; reply is BaseNum(INT) then NameLen/Name/VirCount per base */
#define DRWEBD_IDSTRING_CMD         (4)     /* get id-string of daemon; reply is IdLen(INT) then Id(STRING(IdLen)) */
#define DRWEBD_SCANPART_CMD         (5)     /* scan part of diskfile; Offset(INT) and Length(INT) follow the command, DataLen must be 0 */
#define DRWEBD_SPAMCHECK_CMD        (6)     /* check mail by anti-spam (not covered by the old API description) */
#define DRWEBD_GET_UUID_CMD         (7)     /* get daemon uuid (unique for each customer) (not covered by the old API description) */

/* -- SCAN_OPTIONS ---------------------------------------------------- */
/*
 * Bit flags OR-ed into ScanOptions(INT).  Action flags (MOVE/RENAME/DELETE)
 * do not apply to files attached to a message.  Bits 4 and 20 are
 * unassigned here; an older API description listed DRWEBD_CURE_FILES
 * (0x0010) and DRWEBD_SPAM_FILTER (0x0020) at the positions now held by
 * the gap and DRWEBD_RULE_FILTER_ON - do not reuse those values blindly.
 */
#define DRWEBD_RETURN_VIRUSES       (1<<0)   /* ask daemon to return virus names (VirNum, then VirNameLen/VirName per record) */
#define DRWEBD_RETURN_REPORT        (1<<1)   /* ask daemon to return the report lines (LineNum, then LineLen/Line per line) */
#define DRWEBD_RETURN_CODES         (1<<2)   /* ask daemon to return extended codes (EventNum, then EventCode/EventOccurency pairs) */
#define DRWEBD_HEURISTIC_ON         (1<<3)   /* enables heuristic in finding module; required for DERR_UNKNOWN_VIRUS to be reported */
#define DRWEBD_RULE_FILTER_ON       (1<<5)   /* enables FilterRules in daemon */
#define DRWEBD_INFECTED_CURE        (1<<6)   /* try to cure infected files - if it fails the file is treated as incurable */
#define DRWEBD_INFECTED_MOVE        (1<<7)   /* move infected files */
#define DRWEBD_INFECTED_RENAME      (1<<8)   /* just rename infected files */
#define DRWEBD_INFECTED_DELETE      (1<<9)   /* delete infected files */
#define DRWEBD_INCURABLE_MOVE       (1<<10)  /* move incurable files */
#define DRWEBD_INCURABLE_RENAME     (1<<11)  /* just rename incurable files */
#define DRWEBD_INCURABLE_DELETE     (1<<12)  /* delete incurable files */
#define DRWEBD_SUSPECTED_MOVE       (1<<13)  /* move suspicious files */
#define DRWEBD_SUSPECTED_RENAME     (1<<14)  /* just rename suspicious files */
#define DRWEBD_SUSPECTED_DELETE     (1<<15)  /* delete suspicious files */
#define DRWEBD_ARCHIVE_MOVE         (1<<16)  /* move archive with infected/suspected files */
#define DRWEBD_ARCHIVE_RENAME       (1<<17)  /* rename archive with infected/suspected files */
#define DRWEBD_ARCHIVE_DELETE       (1<<18)  /* delete archive with infected/suspected files */
#define DRWEBD_IS_MAIL              (1<<19)  /* tell the daemon that the format is "archive MAIL" */
#define DRWEBD_DONT_CHANGEMAIL      (1<<21)  /* tell the daemon that the mail file cannot be changed */
#define DRWEBD_RETURN_SHORT_VIRUSES (1<<22)  /* ask daemon to return pairs of virus name and infection type {K|M|S} (undocumented in the old API text) */
#define DRWEBD_RETURN_FILTER_RULE   (1<<23)  /* ask daemon to return the filtering rule that was triggered (undocumented in the old API text) */
#define DRWEBD_HAVE_ENVELOPE        (1<<24)  /* tell the daemon that the filter will send the mail envelope */
#define DRWEBD_CHECK_ARX            (1<<25)  /* tell WinEngine to scan inside archives (RAR, ZIP etc) */

/* -- SCAN_RESULT ----------------------------------------------------- */
/*
 * Bit flags of DaemonCode(INT).  Descriptions follow the old API text
 * where it exists; the four bits marked "undocumented" were added later
 * and have no published description in this listing.
 */
#define DERR_NOERROR                (0)     /* 0x00000000: no errors */
#define DERR_READ_ERR               (1<<0)  /* 0x00000001: read error(s) - file physically inaccessible (e.g. wrong access rights) or logically damaged document */
#define DERR_WRITE_ERR              (1<<1)  /* 0x00000002: write error(s), possible only when curing */
#define DERR_NOMEMORY               (1<<2)  /* 0x00000004: out of memory */
#define DERR_CRC_ERROR              (1<<3)  /* 0x00000008: integrity of the scanned archive(s) is broken */
#define DERR_READSOCKET             (1<<4)  /* 0x00000010: old API text says "error in the log"; the name suggests a socket read error - confirm against the daemon source */
#define DERR_KNOWN_VIRUS            (1<<5)  /* 0x00000020: known virus(es) found */
#define DERR_UNKNOWN_VIRUS          (1<<6)  /* 0x00000040: virus(es) suspected, only possible with DRWEBD_HEURISTIC_ON */
#define DERR_VIRUS_MODIFICATION     (1<<7)  /* 0x00000080: virus modification(s) found */
#define DERR_HAVE_CURED             (1<<8)  /* 0x00000100: file(s) cured (called DERR_FILE_IS_CURED in the old API text) */
#define DERR_TIMEOUT                (1<<9)  /* 0x00000200: scan timeout has run out */
#define DERR_SYMLINK                (1<<10) /* 0x00000400: file(s) skipped because they are symlinks */
#define DERR_NO_REGFILE             (1<<11) /* 0x00000800: file(s) skipped because they are not regular files */
#define DERR_SKIPPED                (1<<12) /* 0x00001000: file(s) skipped, for example in ByType mode */
#define DERR_TOO_BIG                (1<<13) /* 0x00002000: file(s) skipped because MaxFileSizeToExtract was exceeded */
#define DERR_TOO_COMPRESSED         (1<<14) /* 0x00004000: file(s) skipped because MaxCompressionRatio was exceeded */
#define DERR_BAD_CALL               (1<<15) /* 0x00008000: wrong command */
#define DERR_EVAL_KEY               (1<<16) /* 0x00010000: daemon operates with a demo key */
#define DERR_FILTER_REJECT          (1<<17) /* 0x00020000: object denied by the filter rules (called DERR_SPAM / "header filter" in the old API text) */
#define DERR_ARCHIVE_LEVEL          (1<<18) /* 0x00040000: undocumented; grouped under DERR_ARCHIVE_RESTRICTION below, presumably an archive nesting limit - confirm */
#define DERR_HAVE_DELETED           (1<<19) /* 0x00080000: undocumented; presumably file(s) were deleted by a *_DELETE action - confirm */
#define DERR_IS_CLEAN               (1<<20) /* 0x00100000: undocumented; per the daemon author it means the object is clean after curing and matters only when a cure action was requested. Clients that do not cure can mask it out, but should still fail closed on any other unexpected bit */
#define DERR_LICENSE_ERROR          (1<<21) /* 0x00200000: undocumented; presumably a license check failure - confirm */
#define DERR_MASK                   (0x00FFFFFF) /* bits 0-23: the daemon-owned part of the code */
#define DERR_NON_DAEMON_ERROR       (~DERR_MASK) /* bits 24-31; note this is a negative int value, so mask an unsigned code explicitly (e.g. ((unsigned)code & (unsigned)DERR_NON_DAEMON_ERROR)) */
#define DERR_INFECTED               (DERR_KNOWN_VIRUS | DERR_VIRUS_MODIFICATION)  /* definitely infected */
#define DERR_SUSPICIOUS             (DERR_UNKNOWN_VIRUS)                           /* heuristic hit only */
#define DERR_VIRUS_MASK             (DERR_INFECTED | DERR_SUSPICIOUS)              /* any malware verdict */
#define DERR_SKIP_OBJECT            (DERR_SYMLINK | DERR_NO_REGFILE | DERR_SKIPPED | DERR_CRC_ERROR | DERR_TIMEOUT) /* object was not (fully) scanned; not a daemon failure but not a clean verdict either */
#define DERR_ARCHIVE_RESTRICTION    (DERR_TOO_BIG | DERR_TOO_COMPRESSED | DERR_ARCHIVE_LEVEL) /* archive content exceeded a configured limit and was not extracted */
#define DERR_DAEMON_ERROR           (DERR_READ_ERR | DERR_WRITE_ERR | DERR_NOMEMORY | DERR_READSOCKET | DERR_BAD_CALL) /* daemon-side failures; callers should treat these as "no verdict" */

#ifdef  __cplusplus
}
#endif

#endif /* __DRWEBD_SCAN_H */

From the old documentation, where the new codes (DERR_IS_CLEAN, DERR_LICENSE_ERROR, DERR_ARCHIVE_LEVEL, DERR_HAVE_DELETED) and options (DRWEBD_RETURN_SHORT_VIRUSES, DRWEBD_RETURN_FILTER_RULE) have no descriptions:

                7. DrWeb Daemon program API

This section has been written for those who are going to write their own
integration modules for DrWeb Daemon. It consists of two articles. In the
first one the daemon API itself is described; in the second one we describe the
library that allows you to create your own integration module.

        7.1. Program API

First, let's describe in general the interaction between the client and DrWeb Daemon.
The interaction is described by the following sequence (INT stands for
parameters that are 4-byte words in network byte order, STRING(n) stands for an
array of characters of fixed length n):

- the client establishes a connection with the daemon;
- sends the Cmd(INT) command; admissible commands:  
        DRWEBD_SCAN_CMD     1 - scan file or buffer
        DRWEBD_VERSION_CMD  2 - return DrWeb Daemon version
        DRWEBD_BASEINFO_CMD 3 - return information on antivirus bases
                                loaded by DrWeb Daemon
        DRWEBD_IDSTRING_CMD 4 - return information on DrWeb Daemon 
        DRWEBD_SCANPART_CMD 5 - scan file fragment
  for the scan file fragment command the following parameters are transmitted:
    - Offset(INT) - offset relational to the beginning of the file
    - Length(INT) - fragment length
  if it was one of the scan commands then the following additional data is also needed:
    - ScanOptions(INT) - scan options as bit flags array (action flags do not
      regard files attached to message):
        DRWEBD_RETURN_VIRUSES   0x0001 - return names of the detected viruses
        DRWEBD_RETURN_REPORT    0x0002 - return scan log
        DRWEBD_RETURN_CODES     0x0004 - return extended codes
        DRWEBD_HEURISTIC_ON     0x0008 - use heuristic analyzer
        DRWEBD_CURE_FILES       0x0010 - cure file
        DRWEBD_SPAM_FILTER      0x0020 - use header filter
        DRWEBD_INFECTED_CURE    0x0040 - try curing infected file; if fails
                                         the file is treated as incurable
        DRWEBD_INFECTED_MOVE    0x0080 - move infected files
        DRWEBD_INFECTED_RENAME  0x0100 - rename infected files
        DRWEBD_INFECTED_DELETE  0x0200 - delete infected files
        DRWEBD_INCURABLE_MOVE   0x0400 - move incurable files
        DRWEBD_INCURABLE_RENAME 0x0800 - rename incurable files
        DRWEBD_INCURABLE_DELETE 0x1000 - delete incurable files
        DRWEBD_SUSPECTED_MOVE   0x2000 - move suspicious files
        DRWEBD_SUSPECTED_RENAME 0x4000 - rename suspicious files
        DRWEBD_SUSPECTED_DELETE 0x8000 - delete suspicious files
    - PathLen(INT) - name length (may be 0; then the buffer is considered
      nameless and the next parameter Path is skipped);
    - Path(STRING(PathLen)) - buffer name or path to file (depends on the
      value of DataLen field);
    - DataLen(INT) - data block length, if it is 0 (must be 0 for scan
      fragment command), it means that Path is path to the file for the
      daemon to scan;
    - Data(STRING(DataLen)) - data block to be scanned.

- then the client awaits DrWeb Daemon's response, and reads the following
  data from the socket depending on the command:
    - for return version command: 
      Version(INT) - packed DrWeb Daemon version;
      Major = PackedVersion / 100,  Minor = PackedVersion % 100;
    - for information on DrWeb Daemon command: 
      IdLen(INT) - information string length and
      Id(STRING(IdLen)) - string itself;
    - for information on the loaded bases command:
      BaseNum(INT) - number of the loaded bases, and then for each base read: 
        NameLen(INT) - file name length with the base;
        Name(STRING(NameLen)) - base file name;
        VirCount(INT) - antivirus records number (in the base);
    - for scan commands:
      DaemonCode(INT) - daemon return code, contains bit fields with the
      events that happened during scanning:
        DERR_NOERROR            0x00000000 - no errors
        DERR_READ_ERR           0x00000001 - read error(s), may occur both
                                             because of file physical
                                             inaccessibility (e.g., wrong
                                             access rights) and of logical
                                             damage of the document
        DERR_WRITE_ERR          0x00000002 - write error(s) (possible only
                                             when curing)
        DERR_NOMEMORY           0x00000004 - no memory
        DERR_CRC_ERROR          0x00000008 - integrity of the scanned
                                             archive(s) has been broken
        DERR_READSOCKET         0x00000010 - error in the log
        DERR_KNOWN_VIRUS        0x00000020 - virus(es) found
        DERR_UNKNOWN_VIRUS      0x00000040 - virus(es) suspected (possible
                                             only if heuristic analyzer is
                                             enabled)
        DERR_VIRUS_MODIFICATION 0x00000080 - virus modification(s) found
        DERR_FILE_IS_CURED      0x00000100 - file(s) cured
        DERR_TIMEOUT            0x00000200 - scan timeout has run out
        DERR_SYMLINK            0x00000400 - file(s) skipped because symlink
        DERR_NO_REGFILE         0x00000800 - file(s) skipped because not
                                             regular file 
        DERR_SKIPPED            0x00001000 - file(s) skipped, for example
                                             in ByType mode
        DERR_TOO_BIG            0x00002000 - file(s) skipped because
                                             MaxFileSizeToExtract exceeded
        DERR_TOO_COMPRESSED     0x00004000 - file(s) skipped because
                                             MaxCompressionRatio exceeded
        DERR_BAD_CALL           0x00008000 - wrong command
        DERR_EVAL_KEY           0x00010000 - DrWeb Daemon operates with demo
                                             key
        DERR_SPAM               0x00020000 - file(s) denied by the header
                                             filter (possible only if header
                                             filter is enabled)
    Then, if additional flags were specified:
        - return virus names:
          VirNum(INT) - number of detected viruses, modifications or
          suspected objects, for every virus:
            VirNameLen(INT) - record length;
            VirName(STRING(VirNameLen)) - record of the following type:
               infected with EICAR Test File (NOT a Virus!)
               or
               possibly infected with COM.TSR Virus
        - return scan log:
          LineNum(INT) - number of lines in the report, for each:
            LineLen(INT) - line length;
            Line(STRING(LineLen)) - report line, of the form:
               test.zip - archive PKZIP
               or
               >test.zip/test.doc - Ok
               or
               >test.zip/eicar.com - infected with EICAR Test File (NOT a Virus!)
        - return extended codes: 
            EventNum(INT) - number of pairs (event, number of occurrences),
            for each:
              EventCode(INT) - event code;
              EventOccurency(INT) - number of occurrences.
            Example:
            2                       // number of pairs
            DERR_KNOWN_VIRUS,    1  // one file infected by the known virus
            DERR_TOO_COMPRESSED, 2  // two files exceeded the compression ratio

-- 
      Sergey Akhapkin <asv at drweb.ru>
             Software Developer
Doctor Web Ltd. <http://www.drweb.com>


