Operating System - HP-UX
VirusScan for Unix and Socket files
Hi all,

I'm using HP-UX 11.00 and I've installed McAfee VirusScan for Unix version 4.32.0

I'm running it with the following options:

uvscan -cr --summary --file scan_directories

c - cleans any infected files
r - scans subdirectories
summary - gives me a summary at the end
the file scan_directories is a list of the directories to be scanned

I redirect standard output and standard error to a text file which is mailed to me each morning. The problem is, this text file is huge because I get lots of errors telling me that VirusScan could not open socket files.

For example:

/var/spool/sockets/pwgr/client1121
file could not be opened.

I have a few questions relating to this:

1. Should I bother scanning socket files for viruses?

2. If not, how would I turn off scanning of socket files? --exclude option only works on file names, I think.

3. If I do want to scan socket files, how do I allow VirusScan to scan them?

4. If I don't want to scan them but can't exclude them, how do I turn off the error reporting for this type of file?

I know that these are all questions relating to a third party product, but I guess I'm not the only person using HP-UX and VirusScan for Unix.

Thanks for your help,

Kevin
Is this why they pay us so little?

Re: VirusScan for Unix and Socket files


Anyone?

If this is not the right forum for this question, can anyone tell me where I should ask it?

Thanks,

Kevin
Is this why they pay us so little?
Mark Ellzey
Valued Contributor

Re: VirusScan for Unix and Socket files

Kevin,

I'm not sure why you would want to scan for viruses on a UNIX system. I think it would be better for you to harden your system to outside attacks using the existing configuration files available on any UNIX system.

<2 cents worth done>

I'm assuming you are running uvscan from a script, via cron. I don't know anything about McAfee's uvscan, but you could remove the error messages by doing:
grep -v "error string" >>
after your scan is complete. This would remove all the error messages in the output. Then mail to yourself.

Regards,
Mark

Re: VirusScan for Unix and Socket files

Thanks Mark.

I have hardened my system, but corporate policy says that I have to run uvscan every day anyway. And who am I to argue with corporate policy?

You're right - I run a script in cron to download and unzip the latest DAT files, scan the system directories and a few program directories and send the output text file to myself using sendmail.

Good idea to use grep for clearing out the error messages that I don't want. I'm kicking myself for not thinking of it. Worthy of five points, certainly.

Cheers,

Kevin

By the way, am I the ONLY person running uvscan?!


Is this why they pay us so little?
Chris Watkins_1
Respected Contributor

Re: VirusScan for Unix and Socket files

Yes... you're the only one.
OK ok ok... probably not ;-) But I'd guess you were in the minority.
Who knows? The product exists... I may be in the minority, instead.

Incidentally... have your scans ever turned up anything?

Not without 2 backups and an Ignite image!

Re: VirusScan for Unix and Socket files


Not a thing, apart from the EICAR test file.

It did find lots of broken symbolic links, though! Was I naive to expect swremove to clean these up?

Is this why they pay us so little?
Brian Hackley
Honored Contributor

Re: VirusScan for Unix and Socket files

Kevin,

Sorry for the late response but your question piqued my interest. A UDS socket(7) is a zero length file, so the AV software won't find a pattern in the file; it would have to rely upon the filename itself to remove it.

I did a short search on Google "uvscan socket" and found http://www.corpit.ru/pipermail/avcheck/2002q1/000463.html
-- is an article that explores the possibility of using UDS socket maliciously.

However, most of the articles spoke of using uvscan on files accessed by PC users over Samba shares.

Also you might want to look at http://sourceforge.net/projects/amavis-n-parser/

Hope that helps a little,
-> Brian Hackley
Ask me about telecommuting!
Jdamian
Respected Contributor

Re: VirusScan for Unix and Socket files

It sounds like a joke
Keith Bevan_1
Trusted Contributor

Re: VirusScan for Unix and Socket files

Kevin,

You will be pleased to know that we are also using the NAI/McAfee command line scanner VirusScan.

You can remove the links from the scan by :-

using the --ignore links

and can remove the sockets by entering the list of them in an exclusion file and then :-

using the --exclude where the
Keith



You are either part of the solution or part of the problem
Steven E. Protter
Exalted Contributor

Re: VirusScan for Unix and Socket files

This thread of mine contains several open source suggestions:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=77096

It may be something you can use. I've been meaning to post this for days. Sorry.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Re: VirusScan for Unix and Socket files


Thanks Keith.

Good to know I'm not their only customer!

I already tried the --exclude option (see point 2 in original post).

The problem is, I don't have a full list of all socket files on my system and as far as I know, --exclude only works on file names, not on file types.

Assuming the answer to my first question is "No", is there any way I can get a listing of socket files into a text file so that I can --exclude it? Something like:

ls -R >> exclude_list

What about using the -l option with some grep-ing for s on the mode listing?

Who is good at piping commands together?

Kev
Is this why they pay us so little?
Chris Watkins_1
Respected Contributor

Re: VirusScan for Unix and Socket files

Try this:

# find / -type s >>exclude_list
Not without 2 backups and an Ignite image!
Keith Bevan_1
Trusted Contributor

Re: VirusScan for Unix and Socket files

Kev,

Chris you took the words right out of my mouth.

The key is to build the exclusion file first and this can be achieved using the find command and the tag 's' as Chris has detailed.

Your only future issue is going to be if new sockets are added or existing ones are deleted, thus making your file stale. You would then need to refresh the exclusion file. You could get round this by setting up a cron job to populate the exclusion file before running uvscan.

Keith
You are either part of the solution or part of the problem

Re: VirusScan for Unix and Socket files


Thanks for all the help so far, guys.

I've added a nice find command to the prescan tasks and am trying the --exclude option in tonight's scan.

Somebody somewhere told me to always be nice with find commands, as they are so processor hungry.

Will let you know tomorrow!

Is this why they pay us so little?

Re: VirusScan for Unix and Socket files


Right, I've just checked my email and it seems that the --exclude option worked fine with that exclude_list that I created with the find command.

For anyone who is reading this looking for an answer to their own uvscan problems, I've pasted a listing of the script that I run in cron below. I'm sure that there are better ways to do this, this is just what works for me.

All the echoes and remarks can be ignored - I just like to comment things so that it makes sense to me in two years time!

I've gathered from the answers above that socket files are not an issue for viruses because they are zero-length but that they can be security risks, so make sure you harden your systems against outside attacks.

Thanks again for all the help.

Mine's a Guinness.

Kev


# Tasks are split into three sections - Pre Scan, Scan and Post Scan


# Pre Scan

PATH=$PATH:/usr/local/uvscan
# Stop here if the uvscan directory is missing rather than scanning from cwd
cd /usr/local/uvscan || exit 1

# -f so a missing file from an earlier failed run does not abort the script
rm -f scanlog

echo Scanning Log >> scanlog
echo >> scanlog
echo Script started $(date) >> scanlog
echo >> scanlog
echo Downloading updates $(date) >> scanlog
echo >> scanlog

# Drop yesterday's DAT archive, then fetch the new one. ftp gets no stdin from cron,
# so the login and the get come from a .netrc entry (auto-login plus an init macro).
rm -f dat-*.tar
ftp ftp.nai.com >> scanlog

echo >> scanlog

echo DAT version >> scanlog
echo >> scanlog
ls dat-*.tar >> scanlog
echo >> scanlog

echo Unzipping files $(date) >> scanlog
echo >> scanlog

# -xvf: extract, verbose, from the named archive (f must be the last key so it takes the file name)
tar -xvf /usr/local/uvscan/dat-*.tar >> scanlog 2>> scanlog

echo >> scanlog

echo Creating file exclusion list at $(date) >> scanlog
echo >> scanlog

rm -f exclude_list

# Sockets are zero-length and cannot be opened by uvscan; list them all so they are skipped.
# nice keeps the full-filesystem walk from hogging the CPU.
nice find / -type s >> exclude_list

# Scan

echo Scanning started at $(date) >> scanlog
echo >> scanlog

/usr/local/uvscan/uvscan -cr --summary --file scan_directories --exclude exclude_list >> scanlog 2>> scanlog

echo >> scanlog

# Post Scan

echo Script ended at $(date) >> scanlog

# sendmail reads the message body from stdin
pg scanlog | sendmail me@my_email.ie


Is this why they pay us so little?
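Pulling the thread's answer together as an added example (my own shell, not Kevin's cron script and nothing shipped with uvscan): the socket exclusion list is rebuilt through a temporary file before each scan, which covers the stale-list problem Keith raises, and the leftover error pairs are dropped only for paths that were excluded anyway, so the same "file could not be opened." message on a regular file still reaches the morning mail instead of being grep'd away wholesale. It assumes the two-line error format quoted in the original post; the paths in the demo are constructed.

```shell
#!/bin/sh
# Added example, not Kevin's cron script or anything shipped with uvscan.
# Assumes the two-line error format shown in the thread:
#   /path/to/socket
#   file could not be opened.

# build_exclude_list ROOT OUTFILE
# Lists every socket under ROOT, one path per line, writing through a
# temporary file so a scan started mid-refresh never reads a half-built list.
build_exclude_list() {
    root=$1; out=$2; tmp="$out.tmp.$$"
    # nice keeps the full-filesystem walk from starving other jobs;
    # find's own permission errors are noise here, not list entries.
    nice find "$root" -type s 2>/dev/null | sort > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$out"
}

# filter_scan_log LOGFILE EXCLUDEFILE
# Drops the path/"file could not be opened." pair only for paths that are in
# the exclusion list, so the same message for any other file still reaches
# the morning mail (unlike a blanket grep -v on the message text).
filter_scan_log() {
    awk -v excl="$2" '
        BEGIN { while ((getline p < excl) > 0) skip[p] = 1; close(excl) }
        {
            if (held != "") {
                if ($0 == "file could not be opened." && (held in skip)) { held = ""; next }
                print held; held = ""
            }
            if ($0 in skip) { held = $0; next }
            print
        }
        END { if (held != "") print held }
    ' "$1"
}

# Demo on a constructed log (paths and messages made up for this example).
demo() {
    d=$(mktemp -d)
    printf '%s\n' /var/spool/sockets/pwgr/client1121 > "$d/exclude_list"
    printf '%s\n' /var/spool/sockets/pwgr/client1121 'file could not be opened.' \
        /etc/some_file 'file could not be opened.' > "$d/scanlog"
    filter_scan_log "$d/scanlog" "$d/exclude_list"   # prints only the /etc/some_file pair
    rm -rf "$d"
}
demo
```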