Anyone using AVG Free as an external virusscanner?

Post by GlenC » 2005-03-01 22:44

I cannot make this work at all, and I am sure I am doing something silly. Here is what I have tried using on the line for the executable (within hmailadmin):

"C:\Program Files\Grisoft\AVG Free\avgscan.exe" /EXT=* /NOBOOT /NOMEM /SCAN /NOSELF /NOHIMEM /ARC (also with and without "%1")

I've also tried putting the above in a cmd file and running that from within hmailadmin (with and without "%1"). It seems that no matter what, I get a return value of 2 (which according to Grisoft means it cannot open the file).

I can get this to work fine from the command line (but only if I use quotes around the file and path to be scanned).

I'm using the alpha of hmail if that makes a difference. Many thanks to anyone who can point out the error of my ways.

Post by martin » 2005-03-01 23:01

I'll download it now and try it myself.

Post by martin » 2005-03-01 23:18

Found what's wrong.

When hMailServer calls your cmd-file, it calls it like this
C:\YourCMD.cmd C:\Program Files\hMailServer\Temp\tempname.tmp

In YourCMD.cmd, %1 will represent the first parameter to YourCmd.cmd. In your case, %1 will represent "C:\Program". %2 represents the next parameter, which is "Files\hMailServer\Temp\tempname.tmp". So when you call avgscan.exe %1, you will execute the command line "avgscan.exe C:\Program" (which isn't the full path)

So if your path to the hMailServer temp directory contains a space, you need to replace %1 with %1 %2. If it contains 2 spaces, it needs to be %1 %2 %3.

Here's an example that should work in most cases :) Put it in a file called C:\yourfile.cmd. Then specify this file in hMailAdmin and the return value 6.

Code:

"C:\Program Files\Grisoft\AVG Free\avgscan.exe" /EXT=* /NOBOOT /NOMEM /SCAN /NOSELF /NOHIMEM /ARC "%1 %2 %3 %4 %5 %6 %7 %8 %9"

There's a test file at the bottom of this page you can test with:
http://www.eicar.org/anti_virus_test_file.htm
It's a test file that will be detected as a virus by all (?) anti-virus scanners. (Even though it isn't.)

Post by GlenC » 2005-03-02 03:57

Martin, you are a genius!

I'm not sure why, but I did exactly as you said and at first I could only get the batch file to return 0. I fought with it for over an hour before I decided to start from scratch again. And BEHOLD! It now returns 6 and works perfectly! Well, I learned something valuable today so I am thankful.

I really do appreciate your taking the time to help with problems like this. I read the forums a lot and it hasn't gone unnoticed how patient and helpful you are, to everyone, even when the problem isn't really an hmail problem (like mine).

While I was having fun with this virus thing, I found this link. It's a really quick way to get an eicar test virus sent to you. It will send in a variety of formats. Perhaps someone will find it helpful.

http://www.aleph-tec.com/eicar/index.php

Post by tweakerbee » 2005-03-02 04:06

Martin,

No offence, but I think it should work the old fashioned way (with %1) if you call it with parenthesis from hMailServer.

So instead of just calling
C:\yourFile.cmd C:\Program Files\hMailServer\Temp\tempname.tmp
you could try
C:\yourFile.cmd "C:\Program Files\hMailServer\Temp\tempname.tmp"

This should ensure "C:\Program Files\hMailServer\Temp\tempname.tmp" being the value of %1.
Inventive workaround though.

Post by martin » 2005-03-02 13:16

I'm not sure adding " would be a good solution. It's up to the application executed to parse the command line. cmd uses " to mark the beginning and end of parameters. But other applications may have other ways to mark beginning and ending. And " may mean special things to them.
So I've come up with a better solution.

From the next build (B-84), it will be possible to use %FILE% as a macro in hMailAdmin where you specify the external virus scanner. So when you've upgraded to this build, you can replace C:\yourfile.cmd with

Code:

"C:\Program Files\Grisoft\AVG Free\avgscan.exe" /EXT=* /NOBOOT /NOMEM /SCAN /NOSELF /NOHIMEM /ARC "%FILE%"

The %FILE%-macro will be replaced with the file that is actually scanned. Then you can delete the C:\yourfile.cmd since it's no longer used.

Post by layer » 2005-03-03 03:05

martin wrote:I'm not sure adding " would be a good solution. It's up to the application executed to parse the command line. cmd uses " to mark the beginning and end of parameters. But other applications may have other ways to mark beginning and ending. And " may mean special things to them.
So I've come up with a better solution.

From the next build (B-84), it will be possible to use %FILE% as a macro in hMailAdmin where you specify the external virus scanner. So when you've upgraded to this build, you can replace C:\yourfile.cmd with

Code:

"C:\Program Files\Grisoft\AVG Free\avgscan.exe" /EXT=* /NOBOOT /NOMEM /SCAN /NOSELF /NOHIMEM /ARC "%FILE%"

The %FILE%-macro will be replaced with the file that is actually scanned. Then you can delete the C:\yourfile.cmd since it's no longer used.

it works but did not detect virus in zip or rar etc formats :(

Post by martin » 2005-03-03 09:37

run avgscan.exe /? and paste the output here. Uninstalled AVG again. I'm sure there's a parameter that lets you scan compressed files.

Post by layer » 2005-03-03 15:31

martin wrote:run avgscan.exe /? and paste the output here. Uninstalled AVG again. I'm sure there's a parameter that lets you scan compressed files.

yes is the /ARC command...


thanks

Post by Anlan » 2005-05-03 17:40

There is an update about this issue.

You can add "/SMART" as a parameter: this will scan files regardless of their extension (it will try to "understand" which is the real file type).

You can add "/HEUR" as a parameter: this will try a heuristic analysis test on the file.

Also, according to this new specification published by Grisoft, error level checking should be lowered to 4.

Code:

ERRORLEVEL == 0 /* everything is o.k. */
ERRORLEVEL == 1 /* user cancelled/interrupted test */
ERRORLEVEL == 2 /* any error during the test – cannot open file etc. */
ERRORLEVEL == 3 /* change identified */
ERRORLEVEL == 4 /* suspicion detected by heuristic analysis */
ERRORLEVEL == 5 /* virus found by heuristic analysis */
ERRORLEVEL == 6 /* specific virus detected */
ERRORLEVEL == 7 /* active virus in memory detected */
ERRORLEVEL == 8 /* AVG corrupted */

Post by FrankWSweet » 2005-09-24 23:37

I am invoking avgscan.exe from hMailServer 3.4.1-B86. The call works okay. The avgscan.exe finds the email okay. If the email is clean, avgscan.exe returns "0" okay. And if the email has eicar.zip attached, avgscan.exe returns "6" okay. Everything seems cool.

But then hMailServer always accepts the email, no matter what. This happens no matter what value I put in the "Return value" slot of the "external virusscanner" tab of the "AntiVirus" dialog of the hMailServer Administrator. Also, it fails to "notify recipient" although I have this box also checked (as well as having checked off "delete e-mail," of course). The pertinent section of the debug log follows:

"DEBUG" 5812 "2005-09-24 17:21:44.698" "SD:DeliverMessage"
"APPLICATION" 5812 "2005-09-24 17:21:44.698" "SMTPDeliverer - Message 41803: Delivering message from fwsweet@backintyme.com to fwsweet@backintyme.com."
"DEBUG" 5812 "2005-09-24 17:21:44.698" "CustomVirusScanner::Scan()"
"DEBUG" 5812 "2005-09-24 17:21:45.104" "CustomVirusScanner::Scan() - c:\avg.cmd C:\Program Files\hMailServer\Data\{8AF2F0F8-56D7-4CC1-91A2-2B6D6EF678A0}.eml - Returned 0"
"DEBUG" 5812 "2005-09-24 17:21:45.104" "CustomVirusScanner::~Scan()"
"DEBUG" 5812 "2005-09-24 17:21:45.104" "CustomVirusScanner::Scan()"
"DEBUG" 5812 "2005-09-24 17:21:45.510" "CustomVirusScanner::Scan() - c:\avg.cmd C:\Program Files\hMailServer\Temp\{9578D902-4A1E-4D4D-AE9E-282D6C657F20}.tmp - Returned 6"
"DEBUG" 5812 "2005-09-24 17:21:45.510" "CustomVirusScanner::~Scan()"
"DEBUG" 5812 "2005-09-24 17:21:45.510" "PMADO:CopyMailContentsFrom()"
"DEBUG" 5812 "2005-09-24 17:21:45.510" "PMADO:~CopyMailContentsFrom()"
"DEBUG" 5812 "2005-09-24 17:21:45.526" "PMADO:SaveObject()"
"DEBUG" 5812 "2005-09-24 17:21:45.526" "Adding message to database. File: C:\Program Files\hMailServer\Data\backintyme.com\fwsweet\{D3021BDD-6445-4F8A-8B7F-A2043E49EEA2}.eml"
"DEBUG" 5812 "2005-09-24 17:21:45.526" "PMADO:~SaveObject()"
"DEBUG" 5812 "2005-09-24 17:21:45.526" "PersistentMessage::DeleteObject()"
"DEBUG" 5812 "2005-09-24 17:21:45.526" "PersistentMessage::DeleteFile()"
"DEBUG" 5812 "2005-09-24 17:21:45.526" "PersistentMessage::~DeleteFile() - E3"
"DEBUG" 5812 "2005-09-24 17:21:45.526" "PersistentMessage::DeleteObject() - E5"
"APPLICATION" 5812 "2005-09-24 17:21:45.526" "SMTPDeliverer - Message 41803: Message delivery complete."
"DEBUG" 5812 "2005-09-24 17:21:45.526" "SD:~DeliverMessage"

Post by martin » 2005-09-27 22:23

Yes, hMailServer always _accepts_ the email. Virus scanning is done after the message has been prevented. But if a virus is detected, it should be deleted before it reaches the account.

Have you entered 6 in the settings?

Post by FrankWSweet » 2005-09-27 22:27

No. I have 4 in the setting. This was based on something mentioned above about AVG. Should I use 6?

Post by martin » 2005-09-27 22:30

Not sure if I understand you correctly (I'm tired as always), but you say that AVG returns "6" if you send the eicar-test-virus. This would indicate that AVG returns "6" if a virus is found. Hence you should enter 6 as Return value in the anti virus settings.

Also, in my post above I say that the return value is 6 and GlenC says he's using 6. I think 6 is a good value..

Post by TheAngryPenguin » 2005-09-28 05:40

For those counting, that makes 6 sixes in the above post...

...knowing Martin, it probably was not a coincidence!

Post by FrankWSweet » 2005-09-30 19:22

martin wrote:Not sure if I understand you correctly (I'm tired as always), but you say that AVG returns "6" if you send the eicar-test-virus. This would indicate that AVG returns "6" if a virus is found. Hence you should enter 6 as Return value in the anti virus settings. Also, in my post above I say that the return value is 6 and GlenC says he's using 6. I think 6 is a good value..

Okay. I am now using six, (6), seis, <grin>. It works fine for specific well-known viruses.

But, according to Anlan's post of 2005-05-03 17:40 (above), this will not pick up either of the following return codes.

ERRORLEVEL == 4 /* suspicion detected by heuristic analysis */
ERRORLEVEL == 5 /* virus found by heuristic analysis */

Perhaps in some future release, you could have hMailServer's external virus-checker look for the given return value **OR GREATER**, rather than for only one specific value.

In the meantime, I am experimenting with invoking a vbscript that, in OnDeliverMessage, shells out to the avg.cmd and, depending on what it gets, returns a code asking hmailserver to reject the message.

Thanks
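
One way to cover the heuristic codes while hMailServer matches a single return value, as an added example that is not part of the original thread: a wrapper batch file that maps AVG's ERRORLEVEL 4 to 7 onto 6 and also rebuilds a scanned-file path that arrives unquoted. The names avgwrap.cmd, C:\avgwrap.log and FAIL_CLOSED are assumptions; the scanner path, switches and ERRORLEVEL meanings are the ones quoted in the posts above.

```batch
@echo off
rem avgwrap.cmd: added example, not from the thread (hypothetical file name).
rem Collapses AVG's detection codes into the one value hMailServer matches,
rem so "Return value" in hMailAdmin stays at 6.
setlocal

set "SCANNER=C:\Program Files\Grisoft\AVG Free\avgscan.exe"
set "LOG=C:\avgwrap.log"
rem Assumption: set to 1 to also delete mail when the scan itself fails.
set "FAIL_CLOSED=0"

rem Take the whole argument string, not just the first token, so a path
rem containing spaces survives an unquoted call. Then drop any quotes the
rem caller did supply, so the path is quoted exactly once below.
set TARGET=%*
if not defined TARGET (
    >>"%LOG%" echo %DATE% %TIME% no file argument received
    exit /b 2
)
set TARGET=%TARGET:"=%

"%SCANNER%" /EXT=* /NOBOOT /NOMEM /SCAN /NOSELF /NOHIMEM /ARC "%TARGET%"
set RC=%ERRORLEVEL%

rem 0: everything is o.k.
if %RC% EQU 0 exit /b 0

>>"%LOG%" echo %DATE% %TIME% avgscan returned %RC% for "%TARGET%"

rem 4-7: heuristic suspicion, heuristic virus, specific virus, virus in memory.
if %RC% GEQ 4 if %RC% LEQ 7 exit /b 6

rem 1, 2, 3, 8: the scan did not complete (e.g. 2 = cannot open file).
rem Passing the code through means the message is delivered unscanned.
if "%FAIL_CLOSED%"=="1" exit /b 6
exit /b %RC%
```

With FAIL_CLOSED left at 0, a scanner error such as the return value 2 from the first post still lets the message through, so the log file is the place to notice a scanner that has stopped working.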

Post by koumdros » 2005-11-18 03:37

yep that would be great :)
On a side note, I think it's possible to use both AVG and ClamWin simultaneously; has anyone else tried doing that?
I set it up today and it seems to work, but I'm wondering whether I might meet a lockup situation where one AV program blocks the other or something.

Post by Anlan » 2006-01-17 02:32

koumdros wrote:yep that would be great :)
but I'm wondering whether I might meet a lockup situation where one AV program blocks the other or something.

This might happen only under certain circumstances that can be easily avoided: in particular if you have some sort of resident protection active. In this case, if an infected file is found, resident protection might lock the file, prompting the user for an action.

Be careful when setting up your resident protection: always exclude from resident protection every folder used by the MTA processes.

AFAIK this is possible only with licensed AVG, not the free version.

Bye
My software never has bugs. It only develops random features.