logging

Robert A. Thompson ucs_rat at SHSU.EDU
Thu Sep 12 17:43:11 IST 2002


This will work; however, when I did this in amavis (before switching to
MailScanner) I found it was not 100% accurate, which is what I think
Julian meant.  This would get lots of them, however McAfee gets a wild
hair sometimes and words things differently on some viruses (this is often
the case on Trojans, and new viruses where you use the extra.dat file
till they release the official dat file).  However, I would be willing
to accept this method and deal with the few inaccuracies, and I would be
happy with the "Found the yaha virus" messages for the report line
also.  Using a lot of unix tools (grep, awk, sort, uniq) I can still
print very usable results for turning in to other agencies on what we are
seeing from either method.

--Robert


On Thu, 2002-09-12 at 12:32, Hamish Marson wrote:
> Julian Field wrote:
>
> > Ok, here are all the responses:
> >
> > *1. From <$1> To <$2> virus <$3>
> >
> > *Impossible to generically extract the name of the virus, so this
> > would have to include the whole virus report.
>
>
> Why do you say this? I run amavisd-new (because I run postfix), and it
> manages to extract the names of (ALL) the virii caught in a mail message,
> and logs them.
>
> Admittedly it's separate code for each virus engine. But then it's
> separate code to call them anyway, because they're all different...
>
>
> e.g. for NAI
>
> #
> # McAfee
> #
>
> if ($uvscan ne "") {
>         $output = `$uvscan $uvscan_args $TEMPDIR/parts`;
>         $errval = ($? >> 8);
>         do_log(2,$output);
>         if ($errval != 0) {
>                 if ($errval == $uvscan_exitcode) {
>                         # Normalise the three report wordings to
>                         # "Found the <name> virus" before extracting
>                         my $loutput = $output;
>                         $loutput =~ s/Found: (.+) NOT a/Found the $1/g;
>                         $loutput =~ s/Found the (.+) trojan/Found the $1 virus/g;
>                         $loutput =~ s/Found virus or variant (.+) /Found the $1 virus/g;
>                         @virusname = ($loutput =~ /Found the (.+) virus/g);
>                         do_virus($output);
>                 } else {
>                         do_log(0,"Virus scanner failure: $uvscan (error code: $errval)");
>                 }
>         }
> }
>
>
>
> And @virusname holds the names of all the virii caught...
>
>
> --
>
> I don't suffer from Insanity...         | Linux User #16396
>         I enjoy every minute of it...   |
>                                         |
> http://www.travellingkiwi.com/          |



More information about the MailScanner mailing list