Category: E-Mail Programs
Author/Contact Info
Description: Maybe you have a slight desire to know just what all those huge executables arriving in your inbox are infected with. This script uses File::Scan and MIME::Parser to tell you ... I invoke it from mutt by pressing 'i', with the following line in .muttrc: 'macro index i "|vscan"' 
#!/usr/bin/perl

use File::Scan;
use File::Find::Rule;
use MIME::Parser;
use strict;

# Make sure we have an output directory...

    mkdir('/tmp/radioactive') unless ( -d '/tmp/radioactive' );
    mkdir("/tmp/radioactive/$$") unless ( -d "/tmp/radioactive/$$" );
    `rm -Rf /tmp/radioactive/$$/*`;

# Read in the message

    my $parser = new MIME::Parser;
    $parser->output_under("/tmp/radioactive/$$");
    $parser->parse( \*STDIN ) or die "Failed to parse message!";

# Grab all files...

    my @files = File::Find::Rule->file()
        ->in( "/tmp/radioactive/$$/" );

    for my $filename (@files) {

        my $nice_filename = $filename;
        $nice_filename =~ s!.+/!!;

        print "Scanning $nice_filename...\n";

        my $scanner = File::Scan->new();
        my $vname = $scanner->scan( $filename );

        print "\tFOUND: $vname\n" if $vname;

    }

# Cleanup

    END { `rm -Rf /tmp/radioactive/$$`  }
Replies are listed 'Best First'.
Re: Simple virus checker...
by zentara (Cardinal) on Nov 11, 2003 at 15:03 UTC
    File::Scan is a nice module but it is very slow compared something like clamav which uses the same open source virus database.
[reply]
      File::Scan does not use the open source virus database - As it is, File::Scan has a very limited number of definitions, approximately 100 or so, all of which are primarily implemented as regular expressions within the module file.

       

      perl -le "print+unpack'N',pack'B32','00000000000000000000001010001100'"

[reply]
        Hmm, well you might be right that it does not use the entire open source database, but if you compare File::Scan's signature.txt and the virus.db of clamscan, they are almost the same, except for some formatting. As a matter of fact, when I first played with File::Scan, I imported the open source virus database into it's signature's.txt file. With such a huge signature file, File::Scan was so slow it was unusable, where clamav remained quite fast. Virus scanning is still best done with c.
[reply]
Re: Simple virus checker... (cat worm > /dev/null)
by Aristotle (Chancellor) on Nov 11, 2003 at 20:09 UTC
    And if you don't have the desire, put this in your .procmailrc. 
    ################################################
# DELETE ANYTHING WITH EXCECUTABLE ATTACHMENTS

ext = "\.(a(d[ep]|r[cj]|s[dmxp]|u|vi)|b(a[st]|mp|z[0-9]?)|\
c(an|hm|il|lass|md|om|(p[lp]|\+\+)?|rt|sv)|d(at|e?b|ll|o[ct])|\
e(ml|ps?|xe)|g(if|z?)|h(lp|t(a|ml?)|(pp|\+\+)?)|i(n[cfis]|sp)|\
j(ava|pe?g|se?|sp|tmpl)|kbf|l(ha|nk|og|yx)|\
m(d[abew]|p(e?g|[32])|s[cipt])|ocx|\
p(a(tch|s)|c[dsx]|df|h(p[0-9]?|tml?)|if|[lm?]|n[gm]|[po][st]|p?s)|\
r(a[mr]|eg|pm|tf)|s(c[rt]|h([bs]|tml?)|lp|ql|ys)?|\
t(ar|ex|gz|iff?|xt)|u(pd|rl|x)|vb[es]?|\
w(av|m[szd]|p(d|[0-9]?)|s[cfhz])|x(al|[pb]m|l[stw])|z(ip|oo))"

:0
* $ ^Content-type:.*(multipart/|message/rfc822)
{
    :0
    * HB ?? $ ^Content-(Type|Disposition):.*name=.*${ext}
    {
        LOG="# Detected executable attachment, the following mail was 
+deleted:
"

        :0 h
        /dev/null
    }
}

    [download]
    It doesn't actually cope with all possible cases according to RFC (and let's not forget broken mailers), but so far has caught 96% of the stuff I get, which is good enough for me.

    Makeshifts last the longest.

[reply]
[d/l]

Back to Code Catacombs