Trying to understand av_scanners to use BitDefender's "bdconsole" [Repost]

Ralph Seichter via amavis-users amavis-users at amavis.org
Wed May 21 22:21:27 CEST 2014 

This is a repost because there has not been any reply since the original
mail one week ago. Please help me with this. Thanks!


Hello list members,

I am having some troubles configuring an av_scanners entry to use the
BitDefender "bdconsole" tool to scan for viruses with amavisd-new 2.7.2.

First, I wonder if I am the only one having trouble finding documentation
about av_scanners n-tuple entries? I searched, looked at the sample
amavisd.conf files in the official release archives, looked harder at
the amavisd Perl program itself (but I don't speak Perl that good). I
think I figured some things out by doing so, but I am still missing
"formal" documentation.

Anyway, currently I am using the following av_scanners entry:

  ['BitDefender-bdconsole', '/opt/BitDefender/bin/bdconsole',
    '-vvv -f -S {}',
    qr/\bnone \(clean\)/m,
    qr/\bignored \(infected\)/m,
    qr/^\s+\d+\.\s+(.*)$/m ],

to parse scan results like these:

/tmp/sample8 => ignored (infected) (library: 0, bdscand: 0, bdcore: 0x0)
  1. Trojan.GenericKD.1635804
    - object      : /tmp/tmp410be476/tmp0000074a
    - status      : infected (0x1400)
    - action      : ignored (0x1400)
    - malware type: virus (0x2)

  scan time: 0h 0m 0s 15ms 516us

/tmp/sample7 => ignored (password protected) (library: 0, bdscand: 0, bdcore: 0x0)
  1.
    - object      : /tmp/tmp410be476/tmp000007da
    - status      : password protected (0x21400)
    - action      : ignored (0x21400)
    - malware type: password protected (0x3)

  scan time: 0h 0m 0s 24ms 891us

/tmp/sample9 => none (clean) (library: 0, bdscand: 0, bdcore: 0x0)
  scan time: 0h 0m 0s 13ms 928us

/tmp/sample.zip => ignored (infected) (library: 0, bdscand: 0, bdcore: 0x0)
  1. Trojan.GenericKD.1668493
    - object      : (self)
    - status      : infected (0x1400)
    - action      : ignored (0x1400)
    - malware type: virus (0x2)

  scan time: 0h 0m 0s 1ms 664us

I use only parsed text to check the scan results, because unfortunately
bdconsole always returns 0 to the caller, no matter if an infection was
detected or not. With that parsing, Amavis correctly distinguishes
between "clean" and "infected" files, but extracting the malware's name
does not work with my configuration. From what I can see, an av_scanners
n-tuple consists of the following fields/elements:

  1: Human-readable name of the virus scanner
  2: Binary used to start scanning process
  3: Options for binary with {} as a placeholder for what to scan.
  4: Regex or return code indicating "scanned files are clean".
  5..n: Regex or return code indicating "scanned files are NOT clean".

What I am not sure of is how the extract the malware name from the
scanner output. Looking at the av_scanners entries I suspect that one
can use a Perl regex match group to identify the desired string (I tried
to do so with the last line in my av_scanners entry shown above), but
that is just me guessing.

Your help is appreciated.

-Ralph

More information about the amavis-users mailing list