use strict;

#
# Section VII - External programs, virus scanners
#

# Specify a path string, which is a colon-separated string of directories
# (no trailing slashes!) to be assigned to the environment variable PATH
# and to serve for locating external programs below.

# NOTE: if $daemon_chroot_dir is nonempty, the directories will be
#       relative to the chroot directory specified;

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';

# For external programs specify one string or a search list of strings (first
# match wins). The string (or: each string in a list) may be an absolute path,
# or just a program name, to be located via $path;
# Empty string or undef (=default) disables the use of that external program.
# Optionally command arguments may be specified - only the first substring
# up to the whitespace is used for file searching.

$file   = 'file';   # file(1) utility; use 3.41 or later to avoid vulnerability
$dspam  = 'dspam';

# A list of pairs or n-tuples: [short-type, code_ref, optional-args...].
# Maps short types to a decoding routine, the first match wins.
# Arguments beyond the first two can be program path string (or a listref of
# paths to be searched) or a reference to a variable containing such a path,
# which allows for lazy evaluation, making possible to assign values to
# legacy configuration variables even after the assignment to @decoders.
#
@decoders = (
  ['mail', \&do_mime_decode],
  ['asc',  \&do_ascii],
  ['uue',  \&do_ascii],
  ['hqx',  \&do_ascii],
  ['ync',  \&do_ascii],
  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
  ['gz',   \&do_uncompress,  'gzip -d'],
  ['gz',   \&do_gunzip],
  ['bz2',  \&do_uncompress,  'bzip2 -d'],
  ['lzo',  \&do_uncompress,  'lzop -d'],
  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
  ['cpio', \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['tar',  \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['deb',  \&do_ar,          'ar'],
# ['a',    \&do_ar,          'ar'],  # unpacking .a seems an overkill
  ['zip',  \&do_unzip],
  ['7z',   \&do_7zip,       ['7zr','7za','7z'] ],
  ['rar',  \&do_unrar,      ['rar','unrar'] ],
  ['arj',  \&do_unarj,      ['arj','unarj'] ],
  ['arc',  \&do_arc,        ['nomarch','arc'] ],
  ['zoo',  \&do_zoo,        ['zoo','unzoo'] ],
  ['lha',  \&do_lha,         'lha'],
# ['doc',  \&do_ole,         'ripole'],
  ['cab',  \&do_cabextract,  'cabextract'],
  ['tnef', \&do_tnef_ext,    'tnef'],
  ['tnef', \&do_tnef],
# ['sit',  \&do_unstuff,     'unstuff'],  # broken/unsafe decoder
  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);


# SpamAssassin settings

# $sa_local_tests_only is passed to Mail::SpamAssassin::new as a value
# of the option local_tests_only. See Mail::SpamAssassin man page.
# If set to 1, no SA tests that require internet access will be performed.
#
$sa_local_tests_only = 0;   # only tests which do not require internet access?
#$sa_auto_whitelist = 1;    # turn on AWL in SA 2.63 or older (irrelevant
                            # for SA 3.0, its cf option is use_auto_whitelist)

$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
			    # (less than 1% of spam is > 64k)
			    # default: undef, no limitations

# default values, customarily used in the @spam_*_level_maps as the last entry
$sa_tag_level_deflt  = 2.0; # add spam info headers if at, or above that level;
			    # undef is interpreted as lower than any spam level
$sa_tag2_level_deflt = 6.31;# add 'spam detected' headers at that level to
                            # passed mail, adding address extensions;
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
			    # at or above that level: bounce/reject/drop,
			    # quarantine
$sa_dsn_cutoff_level = 9;   # spam level beyond which a DSN is not sent,
                            # effectively turning D_BOUNCE into D_DISCARD;
                            # undef disables this feature and is a default;
# see also $sa_quarantine_cutoff_level above, which only controls quarantining

# $penpals_bonus_score = 5;  # (positive) score by which spam score is lowered
           # when sender is known to have previously received mail from our
           # local user from this mail system; zero or undef disables penpals
           # lookups in SQL; default: undef
# $penpals_halflife = 10*24*60*60; #exponential decay time constant in seconds;
           # penpal bonus is halved for each halflife period from the last mail
           # sent by a local user to a current mail's sender; default: 7 days
# $penpals_threshold_low = 1.0; # no need for pen pals lookup on low spam score
# $penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam

# advanced example specifying per-recipient values using a hash lookup:
#@spam_tag_level_maps  = (\$sa_tag_level_deflt);  # this is a default
#@spam_tag2_level_maps = (
#  { 'user1@example.com' => 8.0, '.example.com' => 6.0 },
#  \$sa_tag2_level_deflt,   # catchall default
#);
#@spam_kill_level_maps = (
#  { 'user1@example.com' => 8.0, '.example.com' => 6.0 },
#  \$sa_kill_level_deflt,   # catchall default
#);
#@spam_dsn_cutoff_level_maps = (
#  { 'user1@example.com' => 10, '.example.com' => 15 },
#  \$sa_dsn_cutoff_level,   # catchall default
#);

# selectively trim down bounces to domains sending their own bounces with
# non-null return path, to frequently abused domains, or to those sending
# marginal spam
@spam_dsn_cutoff_level_bysender_maps = (
  { # an associative array (hash) lookup table, use lowercase keys
    'virgilio.it' => 7,  'mail.ru'     => 7,  '0451.com' => 7,
    'yahoo.co.uk' => 7,  'yahoo.co.jp' => 7,  'nobody@'  => 7,
    'noreply@'    => 0,  'no-reply@'   => 0,  'donotreply@'     => 0,
    'opt-in@'     => 0,  'opt-out@'    => 0,  'yahoo-dev-null@' => 0,
    '.optin-out.com' => 0,  'daily@astrocenter.com' => 0,
    'spamadmin@fraunhofer.de'=> 7,  # Sophos PureMessage spam bounces
  },
  \$sa_dsn_cutoff_level,  # catchall default value
);

# a quick reference:
#   tag_level  contents category: CC_CLEAN,
#              controls adding the X-Spam-Status and X-Spam-Level headers,
#   tag2_level contents category: CC_SPAMMY,
#              controls adding 'X-Spam-Flag: YES', editing (tagging) Subject,
#                       and adding address extensions,
#   tag3_level contents category: CC_SPAMMY, minor category 1,
#              like tag2, but may insert different Subject tag
#              e.g. @spam_subject_tag3_maps=('***BLATANT*SPAM*** ');
#   kill_level contents category: CC_SPAM,
#              controls 'evasive actions' (reject, quarantine);
# it only makes sense to maintain the relationship:
#   tag_level <= tag2_level <= tag3_level <= kill_level <
#     < dsn_cutoff_level <= quarantine_cutoff_level

# string to prepend to Subject header field when message exceeds tag2 level
$sa_spam_subject_tag = '***SPAM*** ';	# (defaults to undef, disabled)
			     # (only seen when spam is passed and recipient is
                             # in local_domains*)
# more examples, using @*_maps directly:
#@spam_subject_tag_maps  = ('[possible-spam:_SCORE_] ');
#@spam_subject_tag2_maps = ('***SPAM*** _SCORE_ (_REQD_) ');
#@spam_subject_tag3_maps = ('***BLATANT*SPAM**** _SCORE_ (_REQD_) ');
# another examples, using _maps_by_ccat:
#$subject_tag_maps_by_ccat{+CC_CLEAN} = [
#  { lc('TestUser@example.net') =>
#      '**TEST:_U_,hits=_SCORE_,req=_REQD_,amid=_TASKID_,mid=_MAILID_**' } ];

$sa_spam_modifies_subj = 0; # in @spam_modifies_subj_maps, default is true

# Example: modify Subject for all local recipients except user@example.com
#@spam_modifies_subj_maps = ( [qw( !user@example.com . )] );

#$sa_spam_level_char = '*';  # char for X-Spam-Level bar, defaults to '*';
			     # undef or empty disables inserting X-Spam-Level
#$sa_spam_report_header = 0; # insert X-Spam-Report header field? default false

# stop anti-virus scanning when the first scanner detects a virus?
#$first_infected_stops_scan = 1;  # default is false, all scanners in a section
                                  # are called

# @av_scanners is a list of n-tuples, where fields semantics is:
#  1. av scanner plain name, to be used in log and reports;
#  2a.scanner program name; this string will be submitted to subroutine
#     find_external_programs(), which will try to find the full program path
#     name during startup; if program is not found, this scanner is disabled.
#     Besides a simple string (full program path name or just the basename
#     to be looked for in PATH), this may be an array ref of alternative
#     program names or full paths - the first match in the list will be used;
#  2b.alternatively, this second field may be a subroutine reference,
#     and the whole n-tuple entry is passed to it as args; it should return
#     a triple: ($scan_status,$output,$virusnames_ref), where:
#     - $scan_status is: true if a virus was found, 0 if no viruses,
#       undef if scanner was unable to complete its job (failed);
#     - $output is an optional result string to appear in logging and macro %v;
#     - $virusnames_ref is a ref to a list of detected virus names (may be
#       undef or a ref to an empty list);
#  3. command arguments to be given to the scanner program;
#     a substring {} will be replaced by the directory name to be scanned, i.e.
#     "$tempdir/parts", a "*" will be replaced by base file names of parts;
#  4. an array ref of av scanner exit status values, or a regexp (to be
#     matched against scanner output), indicating NO VIRUSES found;
#     a special case is a value undef, which does not claim file to be clean
#     (i.e. it never matches, similar to []), but suppresses a failure warning;
#     to be used when the result is inconclusive (useful for specialized and
#     quick partial scanners such as jpeg checker);
#  5. an array ref of av scanner exit status values, or a regexp (to be
#     matched against scanner output), indicating VIRUSES WERE FOUND;
#     a value undef may be used and it never matches (for consistency with 4.);
#     Note: the virus match prevails over a 'not found' match, so it is safe
#     even if the no. 4. matches for viruses too;
#  6. a regexp (to be matched against scanner output), returning a list
#     of virus names found, or a sub ref, returning such a list when given
#     scanner output as argument;
#  7. and 8.: (optional) subroutines to be executed before and after scanner
#     (e.g. to set environment or current directory);
#     see examples for these at KasperskyLab AVP and NAI uvscan.

# NOTES:
#
# - NOT DEFINING @av_scanners (e.g. setting it to empty list, or deleting the
#   whole assignment) TURNS OFF LOADING AND COMPILING OF THE ANTIVIRUS CODE
#   (which can be handy if all you want to do is spam scanning);
#
# - the order matters: although _all_ available entries from the list
#   are tried regardless of their verdict, scanners are run in the order
#   specified: the report from the first one detecting a virus will be used
#   (providing virus names and scanner output); REARRANGE THE ORDER TO WILL;
#   see also $first_infected_stops_scan;
#
# - it doesn't hurt to keep an unused command line scanner entry in the list
#   if the program can not be found; the path search is only performed once
#   during the program startup;
#
#   COROLLARY: to disable a scanner that _does_ exist on your system,
#   comment out its entry or use undef or '' as its program name/path
#   (second parameter). An example where this is almost a must: disable
#   Sophos 'sweep' if you have its daemonized version Sophie or SAVI-Perl
#   (same for Trophie/vscan, and clamd/clamscan), or if another unrelated
#   program happens to have a name matching one of the entries ('sweep'
#   again comes to mind);
#
# - it DOES HURT to keep unwanted entries which use INTERNAL SUBROUTINES
#   for interfacing (where the second parameter starts with \&).
#   Keeping such entry and not having a corresponding virus scanner daemon
#   causes an unnecessary connection attempt (which eventually times out,
#   but it wastes precious time). For this reason the daemonized entries
#   are commented in the distribution - just remove the '#' where needed.
#
# CERT list of av resources: http://www.cert.org/other_sources/viruses.html

@av_scanners = (

# ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/)
# ['Sophie',
#   \&ask_daemon, ["{}/\n", '/var/run/sophie'],
#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],

# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
# ['Sophos SAVI', \&sophos_savi ],

# ### http://www.clamav.net/
  ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/lib/clamav/clamd.socket"],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# # NOTE: run clamd under the same user as amavisd, or run it under its own
# #   uid such as clamav, add user clamav to the amavis group, and then add
# #   AllowSupplementaryGroups to clamd.conf;
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# #   this entry; when running chrooted one may prefer socket "$MYHOME/clamd".

# ### http://www.clamav.net/ and CPAN  (memory-hungry! clamd is preferred)
# # note that Mail::ClamAV requires perl to be build with threading!
# ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/],

# ### http://www.openantivirus.org/
# ['OpenAntiVirus ScannerDaemon (OAV)',
#   \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],
#   qr/^OK/, qr/^FOUND: /, qr/^FOUND: (.+)/ ],

# ### http://www.vanja.com/tools/trophie/
# ['Trophie',
#   \&ask_daemon, ["{}/\n", '/var/run/trophie'],
#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],

# ### http://www.grisoft.com/
# ['AVG Anti-Virus',
#   \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'],
#   qr/^200/, qr/^403/, qr/^403 .*?: ([^\r\n]+)/ ],

# ### http://www.f-prot.com/
# ['FRISK F-Prot Daemon',
#   \&ask_daemon,
#   ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
#     ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202',
#      '127.0.0.1:10203','127.0.0.1:10204'] ],
#   qr/(?i)<summary[^>]*>clean<\/summary>/,
#   qr/(?i)<summary[^>]*>infected<\/summary>/,
#   qr/(?i)<name>(.+)<\/name>/ ],

# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/
# ['DrWebD', \&ask_daemon,   # DrWebD 4.31 or later
#   [pack('N',1).  # DRWEBD_SCAN_CMD
#    pack('N',0x00280001).   # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES
#    pack('N',     # path length
#      length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")).
#    '{}/*'.       # path
#    pack('N',0).  # content size
#    pack('N',0),
#    '/var/drweb/run/drwebd.sock',
#  # '/var/amavis/var/run/drwebd.sock',   # suitable for chroot
#  # '/usr/local/drweb/run/drwebd.sock',  # FreeBSD drweb ports default
#  # '127.0.0.1:3000',                    # or over an inet socket
#   ],
#   qr/\A\x00[\x10\x11][\x00\x10]\x00/s,         # IS_CLEAN,EVAL_KEY; SKIPPED
#   qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/s, # KNOWN_V,UNKNOWN_V,V._MODIF
#   qr/\A.{12}(?:infected with )?([^\x00]+)\x00/s,
# ],
# # NOTE: If using amavis-milter, change length to:
# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx").

  ### http://www.kaspersky.com/  (kav4mailservers)
  ['KasperskyLab AVP - aveclient',
    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
     '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
    '-p /var/run/aveserver -s {}/*',
    [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/,
    qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/,
  ],
  # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious,
  # currupted or protected archives are to be handled

  ### http://www.kaspersky.com/
  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
    '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],    # any use for -A -K   ?
    qr/infected: (.+)/,
    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],

  ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
  ### products and replaced by aveserver and aveclient
  ['KasperskyLab AVPDaemonClient',
    [ '/opt/AVP/kavdaemon',       'kavdaemon',
      '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
      '/opt/AVP/AvpTeamDream',    'AvpTeamDream',
      '/opt/AVP/avpdc', 'avpdc' ],
    "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ],
    # change the startup-script in /etc/init.d/kavd to:
    #   DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
    #   (or perhaps:   DPARMS="-I0 -Y -* /var/amavis" )
    # adjusting /var/amavis above to match your $TEMPBASE.
    # The '-f=/var/amavis' is needed if not running it as root, so it
    # can find, read, and write its pid file, etc., see 'man kavdaemon'.
    # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
    #   directory $TEMPBASE specifies) in the 'Names=' section.
    # cd /opt/AVP/DaemonClients; configure; cd Sample; make
    # cp AvpDaemonClient /opt/AVP/
    # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"

  ### http://www.centralcommand.com/
  ['CentralCommand Vexira (new) vascan',
    ['vascan','/usr/lib/Vexira/vascan'],
    "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
    "--log=/var/log/vascan.log {}",
    [0,3], [1,2,5],
    qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ / ],
    # Adjust the path of the binary and the virus database as needed.
    # 'vascan' does not allow to have the temp directory to be the same as
    # the quarantine directory, and the quarantine option can not be disabled.
    # If $QUARANTINEDIR is not used, then another directory must be specified
    # to appease 'vascan'. Move status 3 to the second list if password
    # protected files are to be considered infected.

  ### http://www.avira.com/
  ### Avira AntiVir (formerly H+BEDV) or (old) CentralCommand Vexira Antivirus
  ['Avira AntiVir', ['antivir','vexira'],
    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
    # NOTE: if you only have a demo version, remove -z and add 214, as in:
    #  '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,

  ### http://www.commandsoftware.com/
  ['Command AntiVirus for Linux', 'csav',
    '-all -archive -packed {}', [50], [51,52,53],
    qr/Infection: (.+)/ ],

  ### http://www.symantec.com/
  ['Symantec CarrierScan via Symantec CommandLineScanner',
    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
    qr/^Files Infected:\s+0$/, qr/^Infected\b/,
    qr/^(?:Info|Virus Name):\s+(.+)/ ],

  ### http://www.symantec.com/
  ['Symantec AntiVirus Scan Engine',
    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
    [0], qr/^Infected\b/,
    qr/^(?:Info|Virus Name):\s+(.+)/ ],
    # NOTE: check options and patterns to see which entry better applies

  ### http://www.f-secure.com/products/anti-virus/  version 4.65
   ['F-Secure Antivirus for Linux servers',
    ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
    '--delete=no --disinf=no --rename=no --archive=yes --auto=yes '.
    '--dumb=yes --list=no --mime=yes {}', [0], [3,6,8],
    qr/(?:infection|Infected|Suspected): (.+)/ ],

# ### http://www.avast.com/
# ['avast! Antivirus daemon',
#   \&ask_daemon,	# greets with 220, terminate with QUIT
#   ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'],
#   qr/\t\[\+\]/, qr/\t\[L\]\t/, qr/\t\[L\]\t([^[ \t\015\012]+)/ ],

# ### http://www.avast.com/
# ['avast! Antivirus - Client/Server Version', 'avastlite',
#   '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1],
#   qr/\t\[L\]\t([^[ \t\015\012]+)/ ],

  ['CAI InoculateIT', 'inocucmd',  # retired product
    '-sec -nex {}', [0], [100],
    qr/was infected by virus (.+)/ ],
  # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html

  ### http://www3.ca.com/Solutions/Product.asp?ID=156  (ex InoculateIT)
  ['CAI eTrust Antivirus', 'etrust-wrapper',
    '-arc -nex -spm h {}', [0], [101],
    qr/is infected by virus: (.+)/ ],
    # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
    # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783

  ### http://mks.com.pl/english.html
  ['MkS_Vir for Linux (beta)', ['mks32','mks'],
    '-s {}/*', [0], [1,2],
    qr/--[ \t]*(.+)/ ],

  ### http://mks.com.pl/english.html
  ['MkS_Vir daemon', 'mksscan',
    '-s -q {}', [0], [1..7],
    qr/^... (\S+)/ ],

  ### http://www.nod32.com/,  version v2.52 and above
  ['ESET NOD32 for Linux Mail servers',
    ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
     '--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '.
     '-w -a --action-on-infected=accept --action-on-uncleanable=accept '.
     '--action-on-notscanned=accept {}',
    [0,3], [1,2], qr/virus="([^"]+)"/ ],

  ## http://www.nod32.com/,  NOD32LFS version 2.5 and above
  ['ESET NOD32 for Linux File servers',
    ['/opt/eset/nod32/sbin/nod32','nod32'],
    '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
    '-w -a --action=1 -b {}',
    [0], [1,10], qr/^object=.*, virus="(.*?)",/ ],

# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31
# ['ESET Software NOD32 Client/Server (NOD32SS)',
#   \&ask_daemon2,    # greets with 200, persistent, terminate with QUIT
#   ["SCAN {}/*\r\n", '127.0.0.1:8448' ],
#   qr/^200 File OK/, qr/^201 /, qr/^201 (.+)/ ],

  ### http://www.norman.com/products_nvc.shtml
  ['Norman Virus Control v5 / Linux', 'nvcc',
    '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
    qr/(?i).* virus in .* -> \'(.+)\'/ ],

  ### http://www.pandasoftware.com/
  ['Panda CommandLineSecure 9 for Linux',
    ['/opt/pavcl/usr/bin/pavcl','pavcl'],
    '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
    qr/Number of files infected[ .]*: 0+(?!\d)/,
    qr/Number of files infected[ .]*: 0*[1-9]/,
    qr/Found virus :\s*(\S+)/ ],
  # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr'
  # before starting amavisd - the bases are then loaded only once at startup.
  # To reload bases in a signature update script:
  #   /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr
  # Please review other options of pavcl, for example:
  #  -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies

# ### http://www.pandasoftware.com/
# ['Panda Antivirus for Linux', ['pavcl'],
#   '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}',
#   [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0],
#   qr/Found virus :\s*(\S+)/ ],

# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
# Check your RAV license terms before fiddling with the following two lines!
# ['GeCAD RAV AntiVirus 8', 'ravav',
#   '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/ ],
# # NOTE: the command line switches changed with scan engine 8.5 !
# # (btw, assigning stdin to /dev/null causes RAV to fail)

  ### http://www.nai.com/
  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
    '--secure -rv --mime --summary --noboot - {}', [0], [13],
    qr/(?x) Found (?:
        \ the\ (.+)\ (?:virus|trojan)  |
        \ (?:virus|trojan)\ or\ variant\ ([^ ]+)  |
        :\ (.+)\ NOT\ a\ virus)/,
  # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
  # sub {delete $ENV{LD_PRELOAD}},
  ],
  # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
  # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
  # and then clear it when finished to avoid confusing anything else.
  # NOTE2: to treat encrypted files as viruses replace the [13] with:
  #  qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/

  ### http://www.virusbuster.hu/en/
  ['VirusBuster', ['vbuster', 'vbengcl'],
    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
    qr/: '(.*)' - Virus/ ],
  # VirusBuster Ltd. does not support the daemon version for the workstation
  # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
  # binaries, some parameters AND return codes have changed (from 3 to 1).
  # See also the new Vexira entry 'vascan' which is possibly related.

# ### http://www.virusbuster.hu/en/
# ['VirusBuster (Client + Daemon)', 'vbengd',
#   '-f -log scandir {}', [0], [3],
#   qr/Virus found = (.*);/ ],
# # HINT: for an infected file it always returns 3,
# # although the man-page tells a different story

  ### http://www.cyber.com/
  ['CyberSoft VFind', 'vfind',
    '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,
  # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
  ],

  ### http://www.avast.com/
  ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
    '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/ ],

  ### http://www.ikarus-software.com/
  ['Ikarus AntiVirus for Linux', 'ikarus',
    '{}', [0], [40], qr/Signature (.+) found/ ],

  ### http://www.bitdefender.com/
  ['BitDefender', 'bdc',
    '--arc --mail {}', qr/^Infected files *:0+(?!\d)/,
    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
    qr/(?:suspected|infected): (.*)(?:\033|$)/ ],
  # consider also: --all --nowarn --alev=15 --flev=15.  The --all argument may
  # not apply to your version of bdc, check documentation and see 'bdc --help'

# ['File::Scan', sub {Amavis::AV::ask_av(sub{
#   use File::Scan; my($fn)=@_;
#   my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0);
#   my($vname) = $f->scan($fn);
#   $f->error ? (2,"Error: ".$f->error)
#   : ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @_) },
#   ["{}/*"], [0], [1], qr/^(.*) FOUND$/ ],

# ### fully-fledged checker for JPEG marker segments of invalid length
# ['check-jpeg',
#   sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) },
#   ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/ ],
# # NOTE: place file JpegTester.pm somewhere where Perl can find it,
# #       for example in /usr/local/lib/perl5/site_perl

# ### example: simpleminded checker for JPEG marker segments with
# ### invalid length (only checks first 32k, which is not thorough enough)
# ['check-jpeg-simple',
#   sub { Amavis::AV::ask_av(sub {
#     my($f)=@_; local(*FF,$_,$1,$2); my(@r)=(0,'not jpeg');
#     open(FF,$f) or die "jpeg: open err $f: $!";
#     binmode(FF) or die "jpeg: binmode err $f: $!";
#     defined read(FF,$_,32000) or die "jpeg: read err $f: $!";
#     close(FF) or die "jpeg: close err $f: $!";
#     if (/^\xff\xd8\xff/) {
#       @r=(0,'jpeg ok');
#       while (!/\G(?:\xff\xd9|\z)/gc) {          # EOI or eof
#         if (/\G\xff+(?=\xff|\z)/gc) {}          # fill-bytes before marker
#         elsif (/\G\xff([\x01\xd0-\xd8])/gc) {}  # TEM, RSTi, SOI
#         elsif (/\G\xff([^\x00\xff])(..)/gcs) {  # marker segment start
#           my($n)=unpack("n",$2)-2;
#           $n=32766 if $n>32766;  # Perl regexp limit
#           if ($n<0) {@r=(1,"bad jpeg: len=$n, pos=".pos); last}
#           elsif (/\G.{$n}/gcs) {}          # ok
#           elsif (/\G.{0,$n}\z/gcs) {last}  # truncated
#           else {@r=(1,"bad jpeg: unexpected, pos=".pos); last}
#         }
#         elsif (/\G[^\xff]+/gc)      {}  # ECS
#         elsif (/\G(?:\xff\x00)+/gc) {}  # ECS
#         else {@r=(2,"bad jpeg: unexpected char, pos=".pos); last}
#       }
#     }; @r}, @_) },
#   ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/ ],

# ### an example/testing/template virus scanner (external), wastes 3 seconds
# ['wasteful sleeper example',
#   '/bin/sleep', '3',  # calls external program
#   undef, undef, qr/no such/ ],

# ### an example/testing/template virus scanner (internal), does nothing
# ['null',
#   sub {}, ["{}"],     # supplies its own subroutine, no external program
#   undef, undef, qr/no such/ ],

);


# If no virus scanners from the @av_scanners list produce 'clean' nor
# 'infected' status (i.e. they all fail to run or the list is empty),
# then _all_ scanners from the @av_scanners_backup list are tried
# (again, subject to $first_infected_stops_scan). When there are both
# daemonized and equivalent or similar command-line scanners available,
# it is customary to place slower command-line scanners in the
# @av_scanners_backup list. The default choice is somewhat arbitrary,
# move entries from one list to another as desired, keeping main scanners
# in the primary list to avoid warnings.

@av_scanners_backup = (

  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
  ['ClamAV-clamscan', 'clamscan',
    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
    [0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

  ### http://www.f-prot.com/   - backs up F-Prot Daemon
  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
    '-dumb -archive -packed {}', [0,8], [3,6],   # or: [0], [3,6,8],
    qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/ ],
	
  ### http://www.trendmicro.com/   - backs up Trophie
  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
    '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],

  ### http://www.sald.com/, http://drweb.imshop.de/   - backs up DrWebD
  ['drweb - DrWeb Antivirus',  # security LHA hole in Dr.Web 4.33 and earlier
    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
    '-path={} -al -go -ot -cn -upn -ok-',
    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'],

   ### http://www.kaspersky.com/
   ['Kaspersky Antivirus v5.5',
     ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
      '/opt/kav/5.5/kav4unix/bin/kavscanner',
      '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
     '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
     qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/ ,
#    sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
#    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
   ],

# Commented out because the name 'sweep' clashes with Debian and FreeBSD
# package/port of an audio editor. Make sure the correct 'sweep' is found
# in the path when enabling.
#
# ### http://www.sophos.com/   - backs up Sophie or SAVI-Perl
# ['Sophos Anti Virus (sweep)', 'sweep',
#   '-nb -f -all -rec -ss -sc -archive -cab -tnef --no-reset-atime {}',
#   [0,2], qr/Virus .*? found/,
#   qr/^>>> Virus(?: fragment)? '?(.*?)'? found/,
# ],
# # other options to consider: -mime -oe -idedir=/usr/local/sav

# always succeeds (uncomment to consider mail clean if all other scanners fail)
# ['always-clean', sub {0}],

);

1;  # insure a defined return
