quarkslab / irma-probe Goto Github PK

Running 'python -m tools.run_module FProt eicar.com' as the deploy user returns:

{'database': None,
'duration': 0.844196081161499,
'error': None,
'name': 'F-PROT Antivirus',
'platform': 'linux2',
'results': 'EICAR_Test_File (exact)',
'status': 1,
'type': 'antivirus',
'version': '1.0.0'}

However, when I check the probe.log I see the following:

[2016-06-26 12:26:42,981: DEBUG/Worker-1] probe.tasks.probe_scan[16ef2430-22f7-4b64-bcd0-f2be14147c72]: scanid 5cfc6081-643a-45a8-8965-e8$
$6132s: {u'status': -1, u'name': u'F-PROT Antivirus', u'database': None, u'results': None, u'platform': u'linux2', u'version':...

Any ideas?

The Virus Blokada's script interfacing with Virus Blokada does not consider suspect binaries as infected (return value == 6 from the tool). Irma consider therefore that 6 is an error and result into a -1 status in the json report from the API.

• self._scan_retcodes[self.ScanResult.INFECTED] = lambda x: x in [7]
• self._scan_retcodes[self.ScanResult.INFECTED] = lambda x: x in [6, 7]

Issue 1:
Antivirus was not found (i.e. folder not in PATH) -> celery starts with default queue. Frontend recognizes it and schedules a scan -> timeout for scan

Issue 2:
Got not detected:
McAfee Antivirus 2014

In the returned json, use filehash instead of temporary filename

Allow irma-probe to use SSL with RabbitMQ

installed cav-linux_1.1.268025-1_amd64.deb started probe AV got recognized as ComodoCAVL, but the results are always as follows

ComodoCAVL :
The file came out as: no formatter

ClamAV Probe doesn't recognize EICAR

docs dir was removed to merge all docs in irma repo but setup.py need to be fixed

Hi all,

My environment is as follows:

• Debian 8.0.0 VM with Brain and Frontend installed (as per the manual instructions)
• Debian 8.0.0 VM with a number of Static Linux Probes installed (as per manual instructions)
• Debian 8.0.0 VM with a number of Linux AV Probes installed (as per manual instructions)
• Windows 7 Pro VM with a number of Windows AV Probes installed (as per manual instructions)

All post-install checks return expected results and no errors are being reported in any logs that I can find.
Network wise the VMs can all ping hostnames and IP addresses of eachother, there are no firewalls and IPtables has not been configured with any rules on the Debian boxes.

When running up the Frontend, no probes show. Is anyone able to help with this issue and suggest ways forward?

Kind Regards
Andrew

in modules/antivirus/base.py. We also need to correct the command injection problem

Currently we get results like this,
{"status": 0, "name": "McAfee VirusScan Command Line scanner", "results": null, "version": "6.0.4.564", "duration": 12.68, "type": "antivirus"}

It's great that we get AV product version "6.0.4.564". But the thing is, AV product version doesn't update automatically but virus definitions does (& happen almost daily).
It will be great if you can include Virus definition information along with (or instead of ) AV product version.