topic Re: VirusScan for Unix and Socket files in Operating System - HP-UX

VirusScan for Unix and Socket files

Kevin Cherubini_1 — Fri, 30 Jan 2004 05:55:06 GMT

Hi all,

I'm using HP-UX 11.00 and I've installed McAfee VirusScan for Unix version 4.32.0

I'm running it with the following options:

uvscan -cr --summary --file scan_directories

c - cleans any infected files
r - scans subdirectories
summary - gives me a summary at the end
the file scan_directories is a list of the directories to be scanned

I redirect standard output and standard error to a text file which is mailed to me each morning. The problem is, this text file is huge because I get lots of errors telling me that VirusScan could not open socket files.

For example:

/var/spool/sockets/pwgr/client1121
file could not be opened.

I have a few questions relating to this:

1. Should I bother scanning socket files for viruses?

2. If not, how would I turn off scanning of socket files? --exclude option only works on file names, I think.

3. If I do want to scan socket files, how do I allow VirusScan to scan them?

4. If I don't want to scan them but can't exclude them, how do I turn off the error reporting for this type of file?

I know that these are all questions relating to a third party product, but I guess I'm not the only person using HP-UX and VirusScan for Unix.

Thanks for your help,

Kevin

Re: VirusScan for Unix and Socket files

Kevin Cherubini_1 — Mon, 02 Feb 2004 04:42:32 GMT

Anyone?

If this is not the right forum for this question, can anyone tell me where I sould ask it?

Thanks,

Kevin

Re: VirusScan for Unix and Socket files

Mark Ellzey — Mon, 02 Feb 2004 10:30:17 GMT

Kevin,

I'm not sure why you would want to scan for viruses on a UNIX system. I think it would be better for you to harden your system to outside attacks using the existing configuration files available on any UNIX system.

<2 cents worth done>

I'm assuming your are running uvscan from a script, via cron. I don't know anything about McAfee's uvscan, but you could remove the error messages by doing:
grep -v "error string" >>
after your scan is complete. This would remove all the error messages in the output. Then mail to yourself.

Regards,
Mark

Re: VirusScan for Unix and Socket files

Kevin Cherubini_1 — Mon, 02 Feb 2004 10:38:54 GMT

Thanks Mark.

I have hardened my system, but corporate policy says that I have to run uvscan every day anyway. And who am I to argue with corporate policy?

You're right - I run a script in cron to download and unzip the latest DAT files, scan the system directories and a few program directories and send the output text file to myself using sendmail.

Good idea to use grep for clearing out the error messages that I don't want. I'm kicking myself for not thinking of it. Worthy of five points, certainly.

Cheers,

Kevin

By the way, am I the ONLY person running uvscan?!

Re: VirusScan for Unix and Socket files

Chris Watkins_1 — Mon, 02 Feb 2004 11:16:15 GMT

Yes... you're the only one.
OK ok ok... probably not ;-) But I'd guess you were in the minority.
Who knows? The product exists... I may be in the minority, instead.

Incidentally... have your scans ever turned up anything?

Re: VirusScan for Unix and Socket files

Kevin Cherubini_1 — Mon, 02 Feb 2004 11:45:07 GMT

Not a thing, apart from the EICAR test file.

It did find lots of broken symbolic links, though! Was I naive to expect swremove to clean these up?

Re: VirusScan for Unix and Socket files

Brian Hackley — Tue, 03 Feb 2004 10:21:12 GMT

Kevin,

Sorry for the late response but your question peaked my interest. A UDS socket(7) is a zero length file, so the AV software won't find a pattern in the file; it would have to rely upon the filename itself to remove it.

I did a short search on Google "uvscan socket" and found http://www.corpit.ru/pipermail/avcheck/2002q1/000463.html
-- is an article that explores the possibility of using UDS socket maliciously.

However, most of the articles spoke of using uvscan on files accessed by PC users over Samba shares.

Also you might want to look at http://sourceforge.net/projects/amavis-n-parser/

Hope that helps a little,
-> Brian Hackley

Re: VirusScan for Unix and Socket files

Jdamian — Tue, 03 Feb 2004 11:21:39 GMT

It sounds like a joke

Re: VirusScan for Unix and Socket files

Keith Bevan_1 — Tue, 03 Feb 2004 11:28:50 GMT

Kevin,

You will be pleased to know that we also using the NAI/Mcafee command line scanner virusscan.

You can remove the links from the scan by :-

using the --ignore links

and can remove the sockets by entering the list of them in an exclusion file and then :-

using the --exclude where the
Keith

Re: VirusScan for Unix and Socket files

Steven E. Protter — Tue, 03 Feb 2004 11:36:11 GMT

This thread of mine contains several open source suggestions:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=77096

It may be something you can use. I've been meaning to post this for days. Sorry.

SEP

Re: VirusScan for Unix and Socket files

Kevin Cherubini_1 — Tue, 03 Feb 2004 11:41:41 GMT

Thanks Keith.

Good to know I'm not their only customer!

I already tried the --exclude option (see point 2 in original post).

The problem is, I don't have a full list of all socket files on my system and as far as I know, --exclude only works on file names, not on file types.

Assuming the answer to my first question is "No", is there any way I can get a listing of socket files into a text file so that I can --exclude it? Something like:

ls -R >> exclude_list

What about using the -l option with some grep-ing for s on the mode listing?

Who is good at piping commands together?

Kev

Re: VirusScan for Unix and Socket files

Chris Watkins_1 — Tue, 03 Feb 2004 11:46:40 GMT

Try this:

# find / -type s >>exclude_list

Re: VirusScan for Unix and Socket files

Keith Bevan_1 — Tue, 03 Feb 2004 11:50:53 GMT

Kev,

Chris you took the words right out of my mouth.

The key is to build the exclusion file first and this can be achieved using the find command and the tag 's' as Chris has detailed.

Your only future issue is going to be if new sockets are added or existing ones are deleted, thus making you file stale. You would then need to refresh the exclusion file. You could get round this by setting up a cron job to populate
the exclusion file before running uvscan.

Keith

Re: VirusScan for Unix and Socket files

Kevin Cherubini_1 — Tue, 03 Feb 2004 12:08:03 GMT

Thanks for all the help so far, guys.

I've added a nice find command to the prescan tasks and am trying the --exclude option in tonight's scan.

Somebody somewhere told me to always be nice with find commands, as they are so processor hungry.

Will let you know tomorrow!

Re: VirusScan for Unix and Socket files

Kevin Cherubini_1 — Wed, 04 Feb 2004 04:59:17 GMT

Right, I've just checked my email and it seems that the --exclude option worked fine with that exclude_list that I created with the find command.

For anyone who is reading this looking for an answer to their own uvscan problems, I've pasted a listing of the script that I run in cron below. I'm sure that there are better ways to do this, this is just what works for me.

All the echoes and remarks can be ignored - I just like to comment things so that it makes sense to me in two years time!

I've gathered from the answers above that socket files are not an issue for viruses because they are zero-length but that they can be security risks, so make sure you harden your systems against outside attacks.

Thanks again for all the help.

Mine's a Guinness.

Kev

# Tasks are split into three sections - Pre Scan, Scan and Post Scan

# Pre Scan

PATH=$PATH:/usr/local/uvscan
cd /usr/local/uvscan

rm scanlog

echo Scanning Log >> scanlog
echo >> scanlog
echo Script started $(date) >> scanlog
echo >> scanlog
echo Downloading updates $(date) >> scanlog
echo >> scanlog

rm dat-*.tar
ftp ftp.nai.com >> scanlog

echo >> scanlog

echo DAT version >> scanlog
echo >> scanlog
ls dat-*.tar >> scanlog
echo >> scanlog

echo Unzipping files $(date) >> scanlog
echo >> scanlog

tar -xfv /usr/local/uvscan/dat-*.tar >> scanlog 2>> scanlog

echo >> scanlog

echo Creating file exclusion list at $(date) >> scanlog
echo >> scanlog

rm exclude_list

nice find / -type s >> exclude_list

# Scan

echo Scanning started at $(date) >> scanlog
echo >> scanlog

/usr/local/uvscan/uvscan -cr --summary --file scan_directories --exclude exclude
_list >> scanlog 2>> scanlog

echo >> scanlog

# Post Scan

echo Script ended at $(date) >> scanlog

pg scanlog | sendmail me@my_email.ie