kavshell.exe return code

We just got our Kaspersky licensing here, and we're in the process of deployment. SurfControl, which receives our email before it hits the Exchange box and filters it, needs some special setup for its virus scanning side. Basically, it makes a call to the AV engine, which scans the file/message it's receiving inbound, and if the file has a virus then SurfControl expects a certain return code from the AV engine which informs it of the presence of a virus - and if that's the case then it dumps that email message into a viral storage folder and keeps it from ever even hitting the Exchange box.

We've got it set so it calls kavshell.exe SCAN %D, where %D is the file it's wanting to get scanned. And then in the return code portion it's expecting to get a value >= 1 back, indicating that a virus has been found. This is where things have gotten interesting - it's knocking down all the viral email we've sent to ourselves from the outside, including the EICAR test virus and also some real ones. BUT, it's also returning a *lot* of false positives. There's still a lot of valid outside mail that IS getting through just fine though, without getting shot down. So far I haven't been able to find any pattern whatsoever as to why it would be shot down or wouldn't be shot down, but it's consistently found every virus, test or not, that we've sent through out of about 40. However, out of another 200 emails that we didn't send ourselves that it's knocked into the 'viral' holding folder, only about 8 of those actually show a virus when we do a scan on the folder. No idea why the other 192 are showing up in there.

Could well be a SurfControl issue; however, the Kaspersky issue is that I need to know if anyone knows what return code Kaspersky issues that I can plug into SurfControl in order to not get false positives like we are, indicating that ">=1" is not the correct solution, although it is correctly identifying viral files/emails. In that it's for sure *not* a SurfControl issue, because it depends on the AV vendor. Any ideas?

Maxx

Normally, if a vendor includes an AV solution in its own product, it is an issue of that vendor and not of the AV vendor, because you never know how they implemented the AV engine.

...or am I wrong?!

SurfControl has predefined AV stuff in there, but Kaspersky is not an option. For situations like this it has an 'other' option where you can manually point to the engine, which I put in as kavshell.exe, and then you tell it what to expect to hear back if it finds one or more viruses. So the integration on SurfControl's side is as much as possible - it's not feasible for them to know what to expect back from every AV product on the market. Therefore I'm considering it a Kaspersky issue. I may be wrong, but I'm fishing to see if anyone has any ideas at this point. Any help is much appreciated, thanks!

Maxx

> Therefore I'm considering it a Kaspersky issue. I may be wrong, but I'm fishing to see if anyone has any ideas at this point.

I've been looking into this for quite some time myself. As far as I can tell, KAVSHELL does not return an errorlevel when it exits. I've tried creating a wrapper for KAVShell, but haven't worked all the bugs out yet.

Until KAVSHELL returns standard exit codes (or at least documented exit codes), we're probably out of luck.

-MattL


I believe I've got the solution. In the manual for KAV 5.0 for File Servers, Appendix B - Command Line Return Codes (summarized):

Code  Description
101   Not all the infected or suspicious objects have been removed
102   All infected objects have been cured
103   All variations of infected and suspicious objects have been relocated to quarantine
104   All infected and suspicious objects have been deleted
105   Infected objects have been detected
106   Variations of infected objects have been detected
107   Suspicious objects have been detected
108   Not all the objects have been processed

I plugged in 101, I believe, as our filter checks for whatever number or greater, since it doesn't matter to me what was done with the file from KAV's end - as long as something was detected I want the filter to not forward the email on to the Exchange box. No more false positives at all, and it's caught everything I've sent in :) Thanks go to Mike from ICE Systems for tracking it down!

Maxx
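A small wrapper that applies the return-code table from the post above, added here as an example and not code from the thread, SurfControl or Kaspersky. It assumes that exit code 0 means a clean scan (the thread does not say what codes below 101 mean), and the hypothetical runner parameter stands in for the real kavshell.exe so the decision logic can be exercised without the binary.

```python
import subprocess
from enum import Enum
from typing import Callable, Optional, Sequence

# Return codes summarized from the KAV 5.0 for File Servers manual, Appendix B,
# as quoted in the thread; nothing outside this range is documented there.
KAV_RETURN_CODES = {
    101: "Not all the infected or suspicious objects have been removed",
    102: "All infected objects have been cured",
    103: "All infected and suspicious objects have been relocated to quarantine",
    104: "All infected and suspicious objects have been deleted",
    105: "Infected objects have been detected",
    106: "Variations of infected objects have been detected",
    107: "Suspicious objects have been detected",
    108: "Not all the objects have been processed",
}

class Verdict(Enum):
    CLEAN = "clean"        # forward to the Exchange box
    DETECTED = "detected"  # drop into the viral holding folder
    ERROR = "error"        # scanner failed or undocumented code: hold for review

def classify_exit_code(code: int) -> Verdict:
    """Map a kavshell.exe exit status to a gateway decision.
    Assumption (not stated in the thread): 0 means the scan ran and found nothing.
    Codes 101..108 all mean something was detected, which is why a '>= 101'
    threshold works where '>= 1' held clean mail. Any other value is treated
    as a scan error, never as a clean result, so unscanned mail is not forwarded."""
    if code == 0:
        return Verdict.CLEAN
    if code in KAV_RETURN_CODES:
        return Verdict.DETECTED
    return Verdict.ERROR

def surfcontrol_rule(code: int, threshold: int) -> bool:
    """SurfControl's 'return code >= N means a virus was found' rule from the thread."""
    return code >= threshold

def scan_file(path: str, runner: Optional[Callable[[Sequence[str]], int]] = None) -> Verdict:
    """Run 'kavshell.exe SCAN <path>' and classify its exit status. 'runner' is
    injectable (hypothetical parameter) so the logic runs without the binary."""
    if runner is None:
        runner = lambda argv: subprocess.run(argv).returncode  # list argv, no shell
    try:
        code = runner(["kavshell.exe", "SCAN", path])
    except OSError:  # binary missing or not executable
        return Verdict.ERROR
    return classify_exit_code(code)
```

With the old rule, surfcontrol_rule(code, 1) flags every nonzero exit, including ones that are not detections; with surfcontrol_rule(code, 101) only the documented detection codes match.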
