Using Multiple Virus Scanners...


By Maga, a contributing member on the XWall Forum
I implemented a batch file with two different virus scanners - McAfee VirusScan and F-Prot. It works very well so far. Each scanner returns distinct error levels for scanner errors (e.g. bad signatures) and for found viruses. For simplicity, the batch exits as soon as the first scanner finds a virus.

The report files differ for the two scanners used, but I was able to work around this to have parsereport.vbs still working properly.





Implementation
Note that if both scanners fail, the mail is passed on unscanned. In this case, an error flag file is written to the XWall directory. I could imagine a more suitable notification for the administrator here or even stopping the XWall service to prevent incoming viruses.

Just copy the files to your XWall directory and change the hardcoded directory names to your needs.




Future Goals
As promised, here is the listing of the multi-scanner implementation. It is still experimental, but works well for me. Use it at your own risk. I hope we can optimize it further with our combined efforts. Additional scanners? Please contribute.



Listing of mscan.cmd

code:

@echo off

if '%2'=='' goto USAGE

:1
"C:\FProt\fpcmd.exe" "%1" -dumb -noboot -nomem -server -archive=5 -packed -report="%2"
if errorlevel 10 goto 2
if errorlevel 9 goto 2
if errorlevel 8 goto 2
if errorlevel 7 goto 2
if errorlevel 6 goto 2
if errorlevel 5 goto 2
if errorlevel 4 goto 2
if errorlevel 3 goto FOUND1
if errorlevel 2 goto 2
if errorlevel 1 goto 2

rem F-Prot fpcmd.exe result codes
rem 0 Normal exit. Nothing found, nothing done.
rem 1 Unrecoverable error (e.g., missing virus signature files).
rem 2 Selftest failed (program has been modified).
rem 3 At least one virus-infected object was found.
rem 4 Reserved, not currently in use.
rem 5 Abnormal termination (scanning did not finish).
rem 6 At least one virus was removed.
rem 7 Error, out of memory.
rem 8 At least one suspicious object was found.
rem 9 At least one object was not scanned (encrypted file, unsupported/unknown
rem compression method, unsupported/unknown file format, corrupted or invalid file).
rem 10 At least one archive object was not scanned (contains more than N levels of
rem nested archives, as specified with -archive switch).

:2
"C:\Program Files\Common Files\Network Associates\Engine\Scan.exe" "%1" /ALL /NOBEEP /ANALYZE /UNZIP /NOMEM /PROGRAM /NOBOOT /MIME /REPORT "%2"
if errorlevel 15 goto ERROR
if errorlevel 13 goto FOUND2
if errorlevel 12 goto ERROR
if errorlevel 10 goto ERROR
if errorlevel 8 goto ERROR
if errorlevel 6 goto ERROR
if errorlevel 2 goto ERROR
rem McAfee scan.exe Scan result codes
rem 0 The scanner found no viruses or other potentially harmful software, no errors.
rem 2 Integrity check on DAT file failed.
rem 6 A general problem occurred.
rem 8 Scanner was unable to find a DAT file.
rem 10 A virus was found in memory.
rem 12 The scanner tried to clean a file, the attempt failed, file is still infected.
rem 13 The scanner found one or more viruses or hostile objects — such as a
rem Trojan-horse program, joke program, or test file.
rem 15 The scanner’s self-check failed; the scanner may be infected or damaged.
goto END

:FOUND1
rem F-Prot report file %2 already contains "Infection: "
exit 1
goto END

:FOUND2
rem Replace McAfee "Found: " in report file %2 with F-Prot "Infection: "
cscript.exe "d:\xwall\replace.vbs" "%2" "Found: " "Infection: "
exit 1
goto END

:ERROR
echo Virus Scan Error!
type "%2"
echo Virus Scan Error! >d:\xwall\_ERROR.TXT
type "%2">>d:\xwall\_ERROR.TXT
rem net stop xwall /y
rem pause
goto END

:USAGE
echo Usage: %0 [FILE] [TEMPFILE]
echo [FILE] File to scan
echo [TEMPFILE] Report file
rem pause
:END
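
The errorlevel chains of mscan.cmd, modelled as an added example (not part of the original post or of XWall): it replays the batch's jumps for every pair of result codes listed in the rem comments and lists the pairs where the mail is delivered although a scanner failed or flagged something. strict_outcome is a hypothetical fail-closed policy; treating F-Prot codes 6 and 8 and McAfee codes 10 and 12 as detections, and treating both the ERROR and END paths as "mail delivered", are assumptions made for this comparison.

```python
# Added example: models the errorlevel chains in mscan.cmd (not the author's code).
FPROT_CODES = range(0, 11)                    # codes listed in the F-Prot rem block
MCAFEE_CODES = (0, 2, 6, 8, 10, 12, 13, 15)   # codes listed in the McAfee rem block

# (threshold, label) pairs in the order the batch tests them.
FPROT_CHAIN = [(n, "FOUND1" if n == 3 else "2") for n in range(10, 0, -1)]
MCAFEE_CHAIN = [(15, "ERROR"), (13, "FOUND2"), (12, "ERROR"), (10, "ERROR"),
                (8, "ERROR"), (6, "ERROR"), (2, "ERROR")]


def first_match(code, chain, fallthrough):
    """`if errorlevel N` is true when code >= N; the first true line jumps."""
    for threshold, label in chain:
        if code >= threshold:
            return label
    return fallthrough


def mscan_outcome(fprot, mcafee):
    """Outcome of mscan.cmd for one pair of scanner exit codes."""
    if first_match(fprot, FPROT_CHAIN, "2") == "FOUND1":
        return "infected"                     # exit 1, McAfee is never started
    label = first_match(mcafee, MCAFEE_CHAIN, "END")
    if label == "FOUND2":
        return "infected"                     # exit 1 after replace.vbs
    return "delivered-error" if label == "ERROR" else "delivered-clean"


def strict_outcome(fprot, mcafee):
    """Hypothetical fail-closed policy: deliver only when no scanner reports a
    detection and at least one scanner finished with code 0."""
    if fprot in (3, 6, 8) or mcafee in (10, 12, 13):
        return "infected"
    return "delivered-clean" if 0 in (fprot, mcafee) else "held"


def gaps():
    """Code pairs the batch delivers but the strict policy would not."""
    return [(f, m) for f in FPROT_CODES for m in MCAFEE_CODES
            if mscan_outcome(f, m).startswith("delivered")
            and strict_outcome(f, m) != "delivered-clean"]


if __name__ == "__main__":
    for f, m in gaps():
        print(f"F-Prot={f:2d} McAfee={m:2d}: batch={mscan_outcome(f, m)}, "
              f"strict={strict_outcome(f, m)}")
```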



Listing of replace.vbs, which converts the McAfee report to F-Prot format:
Source: http://www.microsoft.com/technet/scriptcenter/resources/qanda/feb05/hey0208.mspx
Usage: cscript replace.vbs "C:\Scripts\Text.txt" "Jim " "James "


code:

Const ForReading = 1
Const ForWriting = 2
strFileName = Wscript.Arguments(0)
strOldText = Wscript.Arguments(1)
strNewText = Wscript.Arguments(2)
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strFileName, ForReading)
strText = objFile.ReadAll
objFile.Close
strNewText = Replace(strText, strOldText, strNewText)
Set objFile = objFSO.OpenTextFile(strFileName, ForWriting)
objFile.WriteLine strNewText
objFile.Close



Listing of Parsereport.vbs optimized for F-Prot (thanks, Freedom):
Source: http://xwall.us/phpBB2/viewtopic.php?t=1213

code:

Option Explicit

Const OpenAsASCII = 0
Const OpenAsUnicode = -1
Const OverwriteIfExist = -1
Const FailIfExist = 0
Const OpenAsDefault = -2
Const CreateIfNotExist = -1
Const FailIfNotExist = 0
Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8

Dim szSourceFile, szTargetFile, fsFileSys, hSource, hTarget, szSourceLine, szUnique
Dim szTargetLine, iPos, iSkip, j

szSourceFile = Wscript.Arguments(0)
szTargetFile = Wscript.Arguments(1)

szUnique = "Infection:" 'Unique string that appears in the report immediately before the Name of the Virus is reported
iSkip = 18 'Number of lines you can always skip at top of scanner output file

Set fsFileSys = CreateObject("Scripting.FileSystemObject")
Set hSource = fsFileSys.OpenTextFile(szSourceFile, ForReading, FailIfNotExist, OpenAsASCII)
Set hTarget = fsFileSys.CreateTextFile(szTargetFile, OverwriteIfExist, OpenAsASCII)

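' Skip the fixed report header; stop early if the report is shorter than iSkip lines
For j = 1 To iSkip
    If hSource.AtEndOfStream Then Exit For
    hSource.SkipLine
Next

Do While Not hSource.AtEndOfStream
    szTargetLine = ""
    szSourceLine = hSource.ReadLine
    iPos = InStr(1, szSourceLine, szUnique, vbTextCompare)

    If iPos > 0 Then
        ' iPos + 11 skips "Infection:" (10 characters) and the space after it
        szTargetLine = Mid(szSourceLine, iPos + 11)
        hTarget.WriteLine szTargetLine
    End If
Loop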

hSource.Close
hTarget.Close
Set fsFileSys = Nothing



XWALL.INI entries to use with this batch:
code:

VirusScanner=d:\xwall\mscan.cmd
VirusScannerPara=<FILE> <TEMPFILE>
VirusPostScanner=ParseReport.vbs
VirusPostScannerPara=<TEMPFILE> <MSGFILE>