ged at jubileegroup
Sep 2, 2012, 4:38 AM
Post #2 of 2
On Sun, 2 Sep 2012, john hutton cooper wrote:
> ... the return status comes back non-zero if it can't access a file,
> in which case I don't want to be bothered. ...
Hmmmmm. If malicious software manages to write a Trojan file and also
limit the access to it you don't want to be bothered? I think I would
want to be bothered. :)
> ... if there's both an error in the scan and also a virus is found,
> will it still return 1 indicating a virus, or a different error
> code? I don't want to miss a virus ...
The normal way to set up a return code would be to use a different bit
in the return status word for each different kind of information. In
that case you can mask the return codes and know all there was to know.
Clamscan's return codes don't seem to meet this definition of normal,
and I wouldn't know a way to distinguish for example between the single
clamscan return value of
71: Can't allocate memory (malloc)
and what might be the two values
70: Can't allocate memory (calloc) plus
1 : Virus(es) found
There's hope, however. You have access to the source code. My guess
is that the return codes are mutually exclusive, and you'll just have
to test for all of them.
The return codes for clamdscan are simpler. So is the code. A little
experimentation and reading will probably tell you what you need to know.
Alternatively you could use clamd directly, the interface is simple and
reasonably well documented. I think in that case any error would need
to be investigated but there would presumably be fewer of them as you'd
be the one making them. :)
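An added example, not part of the original post and not ClamAV project code: a wrapper that treats the exit statuses as mutually exclusive, as the reply guesses, but also counts detection lines in the scanner output so that an error status cannot hide a hit. Assumptions: status 0 means clean, 1 means virus found, anything else is an error, and detections are printed as lines ending in " FOUND"; the fake_* functions and their output are constructed stand-ins for clamscan.

```shell
#!/bin/sh
# scan_verdict CMD [ARGS...]
# Runs the scanner command and prints exactly one of:
#   clean | infected | error:<rc> | infected+error:<rc>
# Real use (assumed invocation): scan_verdict clamscan -r --no-summary /some/dir
scan_verdict() {
    # Capture output and exit status without tripping `set -e`.
    sv_out=$("$@" 2>&1) && sv_rc=0 || sv_rc=$?
    # Count detection lines independently of the exit status.
    sv_hits=$(printf '%s\n' "$sv_out" | grep -c ' FOUND$' || true)

    # Assumption: only 0 and 1 are non-error statuses.
    case "$sv_rc" in
        0|1) sv_err="" ;;
        *)   sv_err="error:$sv_rc" ;;
    esac

    if [ "$sv_rc" -eq 1 ] || [ "$sv_hits" -gt 0 ]; then
        sv_verdict="infected"
    else
        sv_verdict="clean"
    fi

    if [ -z "$sv_err" ]; then
        echo "$sv_verdict"
    elif [ "$sv_verdict" = "infected" ]; then
        echo "infected+$sv_err"      # a hit was reported before the error
    else
        echo "$sv_err"               # error only: the scan must be investigated
    fi
}

# Constructed stand-ins for clamscan (output and statuses are sample data).
fake_clean()  { printf '%s\n' '/srv/a.txt: OK'; return 0; }
fake_virus()  { printf '%s\n' '/srv/b.com: Eicar-Test-Signature FOUND'; return 1; }
fake_malloc() { printf '%s\n' "ERROR: Can't allocate memory"; return 71; }
fake_both()   { printf '%s\n' '/srv/b.com: Eicar-Test-Signature FOUND' \
                              "ERROR: Can't allocate memory"; return 71; }

for sv_case in fake_clean fake_virus fake_malloc fake_both; do
    printf '%-12s -> %s\n' "$sv_case" "$(scan_verdict "$sv_case")"
done
```

An "error" verdict is never folded into "clean", so an unreadable file still gets reported.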