How to integrate Eset Antivirus with PMG

heutger

Famous Member
Apr 25, 2018
885
259
108
Fulda, Hessen, Germany
www.heutger.net
Hi,

can anyone assist in integrating Eset Antivirus with PMG. Talking about

https://www.eset.com/de/business/server-antivirus/file-security-linux/

Pricing is very attractive (against e.g. Avast), product is still official supported (accessible through sitemap/navigation, not only deep links to a near 5 years old product as e.g. Avast), results are reasonable better than ClamAV.

See https://help.eset.com/efs/4/en-US/command_line.html there is a CLI meanwhile eset is running as a service (daemon), so scan is fast.

Steps performed to install (to prepare, you need to register for the trial, get download credentials as well as a license file, need to upload then both to the server):

Code:
apt-get install libc6-i386
chmod +x esets.amd64.deb.bin
./esets.amd64.deb.bin
/opt/eset/esets/sbin/esets_lic --import ESET_File_Security_for_Linux.lic
vi /etc/opt/eset/esets/esets.cfg
/etc/init.d/esets start

Steps performed to scan:

Code:
/opt/eset/esets/sbin/esets_scan --clean-mode=none eicar.com

Result on Test virus:

Code:
ESET Command-line scanner, version 4.5.11, (C) 1992-2018 ESET, spol. s r.o.
Using license: Negecy (/etc/opt/eset/esets/license/esets_a8eade.lic)
Module loader, version 1072 (20180813), build 1118
Module perseus, version 1546 (20181127), build 1996
Module scanner, version 18549 (20181215), build 39732
Module archiver, version 1280 (20181128), build 1362
Module advheur, version 1191 (20181106), build 1171
Module cleaner, version 1172 (20181113), build 1247

Command line: --clean-mode=none index.html?file=files%2Fetes%2Fdownloads%2Fanwenden%2Feicar.com

Scan started at:   Sat 15 Dec 2018 01:04:39 PM CET
name="eicar.com", threat="Eicar test file", action="", info=""

Scan completed at: Sat 15 Dec 2018 01:04:39 PM CET
Scan time:         0 sec (0:00:00)
Total:             files - 1, objects 1
Infected:          files - 1, objects 1
Cleaned:           files - 0, objects 0

Code:
/opt/eset/esets/sbin/esets_scan --clean-mode=none esets.amd64.deb.bin

Result on clean file:

Code:
ESET Command-line scanner, version 4.5.11, (C) 1992-2018 ESET, spol. s r.o.
Using license: Negecy (/etc/opt/eset/esets/license/esets_a8eade.lic)
Module loader, version 1072 (20180813), build 1118
Module perseus, version 1546 (20181127), build 1996
Module scanner, version 18549 (20181215), build 39732
Module archiver, version 1280 (20181128), build 1362
Module advheur, version 1191 (20181106), build 1171
Module cleaner, version 1172 (20181113), build 1247

Command line: esets.amd64.deb.bin

Scan started at:   Sat 15 Dec 2018 01:02:03 PM CET

Scan completed at: Sat 15 Dec 2018 01:02:03 PM CET
Scan time:         0 sec (0:00:00)
Total:             files - 1, objects 1
Infected:          files - 0, objects 0
Cleaned:           files - 0, objects 0

BTW, scanning is also possible in root folder with Eset meanwhile Avast didn't work there.

Can anyone assist with the RegEx to use Eset similar to Avast with PMG?

Regards,
Christian
 
So I have some questions on that and on how to adjust:

my ($queue, $filename, $pmg_cfg, $testmode) = @_;

my $virus = undef ;
my $enable_eset = 1 ;
my $enable_clamav = 1 ;

# first analyze with eset
if ( $enable_eset ) {
syslog('info', "Starting ESET Scanning...");
$virus = analyze_virus_eset($queue, $filename, $pmg_cfg) ;
}

if ( ! defined $virus && $enable_clamav ) {
syslog('info', "Starting Clamav Scanning...");
$virus = analyze_virus_clam($queue, $filename, $pmg_cfg) ;
}

return $virus ;

If it’s possible above to choose, which scanner, I would keep this, but as for my optimizations there are many additional clamav signatures, I would then consider to reduce them.

Now the sub analyze_virus_eset:

my ($queue, $dname, $pmg_cfg) = @_;

my $timeout = 60*5;

I don’t know, where this value comes from
and if it’s correct.

my $vinfo;

my $eset_scan_opts = "—clean-mode=none";

Question on this: In Avast-Adjustments this option was kept but not used, I will try to add below but be not sure, if I set correct

my ($csec, $usec) = gettimeofday();

I‘m unsure, what is the reason for this?

my $previous_alarm;

eval {

$previous_alarm = alarm($timeout);

$SIG{ALRM} = sub {
die "$queue->{logid}: Maximum time ($timeout sec) exceeded. " .
"virus analyze (eset) failed: ERROR";
};

open(CMD, "/opt/eset/esets/sbin/esets_scan '$eset_scan_opts' '$dname'|") ||
die "$queue->{logid}: can't exec eset: $! : ERROR";

my $ifiles;

my $response = '';
#syslog('info', "file is" . $dname);
#sleep(300);
while ( defined(my $line = <CMD>) ) {
if ($line =~ m/^$dname\s+(.*)\s+$/) {
# output is: /tmp/pippo.txt EICAR Test-NOT virus!!!
#syslog('info', "grepped virus line is" . $1);
# we just use the first detected virus name
$vinfo = $1 if !$vinfo;
$ifiles = 1 ;
}

Here I now need help. ESET is much more communicative than Avast, so response on virus or non-virus is similar to Avast: line exists or not and if virus contains filename and virus description. However, there is more output around that, filename and virus is in quotation marks and I don’t know, if multiple infections will be stated separate. I‘m also unsure on mails on how they are handled, mails can be scanned by default, so encoding should be no problem, but I‘m unsure, if the part with the virus will be stated correct.

$response .= $line;
}

close(CMD);

alarm(0); # avoid race conditions

$ifiles = 0 if ( !$vinfo ) ;

if (!defined($ifiles)) {
die "$queue->{logid}: got undefined output from " .
"virus detector: $response : ERROR";
}

if ($vinfo) {
syslog('info', "$queue->{logid}: virus detected: $vinfo
(eset)");
}
};
my $err = $@;

alarm($previous_alarm);

my ($csec_end, $usec_end) = gettimeofday();
$queue->{ptime_clam} =
int (($csec_end-$csec)*1000 + ($usec_end - $usec)/1000);

if ($err) {
syslog ('err', $err);
$vinfo = undef;
$queue->{errors} = 1;
}

$queue->{vinfo_clam} = $vinfo;

return $vinfo ? "$vinfo (eset)" : undef;
}
 
The initial implementation of avast support was suggested by me so what I would suggest to you is to move the discussion on pmg-devel mailing list.

Adding av support to pmg-smtp-filter is always tricky because it didn't have a general interface to plug external scanners like amavis have.
 
The initial implementation of avast support was suggested by me so what I would suggest to you is to move the discussion on pmg-devel mailing list.

Adding av support to pmg-smtp-filter is always tricky because it didn't have a general interface to plug external scanners like amavis have.

I know, and you also provided the essential piece of code. So I'm asking, if you could also assist here as I'm not aware on how to do it.
 
Ohh ... too late :)
It's now working .. anyway ... maybe as info for others too ...
It's change avast to esets without functions changes nor configs.
I changed only those lines for run, parse output & messages.

Files: /usr/share/perl5/PMG/Utils.pm

Code:
--- Utils.pm.org        2018-12-18 10:24:39.000000000 +0100
+++ Utils.pm    2019-02-07 12:47:03.924754477 +0100
@@ -372,17 +372,17 @@

        $SIG{ALRM} = sub {
            die "$queue->{logid}: Maximum time ($timeout sec) exceeded. " .
-               "virus analyze (avast) failed: ERROR";
+               "virus analyze (esets) failed: ERROR";
        };

-       open(my $cmd, '-|', '/bin/scan', $dname) ||
-           die "$queue->{logid}: can't exec avast scan: $! : ERROR";
+        open(my $cmd, '-|', '/opt/eset/esets/sbin/esets_scan' , '--clean-mode=none', $dname) ||
+           die "$queue->{logid}: can't exec esets scan: $! : ERROR";

        my $response = '';
        while (defined(my $line = <$cmd>)) {
-           if ($line =~ m/^$dname\s+(.*\S)\s*$/) {
+           if ($line =~ m/^name=\"(.*)\".*threat=\"(.*)\".*action=\"(.*)\".*info=\"(.*)\"$/) {
                # we just use the first detected virus name
-               $vinfo = $1 if !$vinfo;
+               $vinfo = $2 if !$vinfo;
            }

            $response .= $line;
@@ -393,7 +393,7 @@
        alarm(0); # avoid race conditions

        if ($vinfo) {
-           syslog('info', "$queue->{logid}: virus detected: $vinfo (avast)");
+           syslog('info', "$queue->{logid}: virus detected: $vinfo (esets)");
        }
     };
     my $err = $@;
@@ -414,7 +414,7 @@

     $queue->{vinfo_avast} = $vinfo;

-    return "$vinfo (avast)";
+    return "$vinfo (esets)";
}

sub analyze_virus {


Obsolete:
Look at https://forum.proxmox.com/threads/pmg-6-1-how-to-add-antivirus.67006/post-320192
 
Last edited:
  • Like
Reactions: killmasta93
Never mind, it’s fine to see others integrated. ESET from my point of view has one advantage, one disadvantage and one curiosity:

+ It’s one of the few CLI scanners still available for Linux with official support and official listing on the website

- As been not daemonized, it take some time for scan

c Pricing is confusing. If looking on the product page, pricing looks very attractive and it looks like pricing per machine, which is also fine. However entering the purchase dialog it changes from devices to users. If pricing is per user, it’s very unattractive. Additional official available for mail servers is another product (e.g. having an active Amavis integration), but that’s prices per mailbox and has a huge overhead
 
Hello !
After one Year, i ask one more time, with 2 Subscritions Inclusive.... Any Chance to integrate Support for Esets on Code ?
Please see Patch ... only a few lines are neeed.
And a lot less work for me after each update/upgrade.
Thanks a lot !
 
Hello !
After one Year, i ask one more time, with 2 Subscritions Inclusive.... Any Chance to integrate Support for Esets on Code ?
Please see Patch ... only a few lines are neeed.
And a lot less work for me after each update/upgrade.
Thanks a lot !

Subscribe to the developers mailing list and contribute your code there. I believe, they will be able to help out. Also try not to manipulate but add a wrapper, which should be the latest update, so any antivirus software can be called. Then this change will also be update safe.
 
Hello !
After one Year, i ask one more time, with 2 Subscritions Inclusive.... Any Chance to integrate Support for Esets on Code ?
Please see Patch ... only a few lines are neeed.
And a lot less work for me after each update/upgrade.
Thanks a lot !
There is no need to patch che cose in order to implement new av engine.
The dev team has done a good job in creating support for external scanner by using an external script interface
 
There is no need to patch che cose in order to implement new av engine.
The dev team has done a good job in creating support for external scanner by using an external script interface

That's it, that's what I meant with wrapper. So you may use your own external script or (better and more welcome) contribute your external script code to consider to include with official packages and being able to use ESET out of the box. However, keep in mind as mentioned before, that I stopped my enquiry because of ESET isn't able to be demonized. My final statement is, that beside Avast (with worse publicity just once again just some days ago) you may consider Dr.Web, which seems to be as well affordable, demonized and still supported, but I have no glue on Dr.Web's scan quality, they are not included in any rating I was able to find.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!