logging

S Mohan smohan at VSNL.COM
Fri Sep 13 05:03:57 IST 2002


Is it possible to log which scanner found the virus if multiple scanners are
being used in sequence? This is one way of knowing whether the first scanner
is good or not. This helps either to replace the scanner or to change the order
to make the system more efficient.

Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
Behalf Of Robert A. Thompson
Sent: 12 September 2002 22:13
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: logging


This will work, however when I did this in amavis (before switching to
mailscanner) I found it was not 100% accurate.  Which is what I think
Julian meant.   This would get lots of them, however mcafee gets a wild
hair sometimes and words things differently on some viruses (this is often
the case on Trojans, and new viruses where you use the extra.dat file
till they release the official dat file).  However, I would be willing
to accept this method and deal with the few inaccuracies, and I would be
happy with the "Found the yaha virus" messages for the report line
also.  Using a lot of unix tools (grep, awk, sort, uniq) I can still
print very usable results for turning in to other agencies on what we are
seeing from either method.

--Robert


On Thu, 2002-09-12 at 12:32, Hamish Marson wrote:
> Julian Field wrote:
>
> > Ok, here are all the responses:
> >
> > *1. From <$1> To <$2> virus <$3>
> >
> > *Impossible to generically extract the name of the virus, so this
> > would have to include the whole virus report.
>
>
> Why do you say this? I run amavisd-new (Because I run postfix), and it
> manages to extract the name of (ALL) the virii caught in a mail message.
> And logs them.
>
> Admittedly it's separate code for each virus engine. But then it's
> separate code to call them anyway, because they're all different...
>
>
> e.g. for NAI
>
> #
> # McAfee
> #
>
> if ($uvscan ne "") {
>         $output = `$uvscan $uvscan_args $TEMPDIR/parts`;
>         $errval = ($? >> 8);
>         do_log(2,$output);
>         if ($errval != 0) {
>                 if ($errval == $uvscan_exitcode) {
>                         my $loutput = $output;
>                         $loutput =~ s/Found: (.+) NOT a/Found the $1/g;
>                         $loutput =~ s/Found the (.+) trojan/Found the $1 virus/g;
>                         $loutput =~ s/Found virus or variant (.+) /Found the $1 virus/g;
>                         @virusname = ($loutput =~ /Found the (.+) virus/g);
>                         do_virus($output);
>                 } else {
>                         do_log(0,"Virus scanner failure: $uvscan (error code: $errval)");
>                 }
>         }
> }
>
>
>
> And @virusname holds the names of all the virii caught...
>
>
> --
>
> I don't suffer from Insanity...         | Linux User #16396
>         I enjoy every minute of it...   |
>                                         |
> http://www.travellingkiwi.com/          |
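As an added example (not code from this thread, MailScanner or amavis), the three substitutions quoted above carried through as a stand-alone Perl script: it pulls virus names out of constructed uvscan-style output, tags each hit with the scanner that produced it (Mohan's question), and lists detection lines that fit none of the three wordings so the inaccuracies Robert describes show up in the log instead of vanishing. The scanner names, sample output and the `parse_report`/`log_by_scanner` helpers are assumptions.

```perl
use strict;
use warnings;

# Rewrite one line of McAfee uvscan output into the "Found the X virus"
# form, using the three substitutions from the quoted amavis snippet.
sub normalise_line {
    my ($line) = @_;
    $line =~ s/Found: (.+) NOT a/Found the $1/;
    $line =~ s/Found the (.+) trojan/Found the $1 virus/;
    $line =~ s/Found virus or variant (.+) /Found the $1 virus/;
    return $line;
}

# Returns (\@names, \@unparsed): names extracted, plus detection-looking
# lines fitting none of the three wordings (the reworded reports Robert means).
sub parse_report {
    my ($report) = @_;
    my (@names, @unparsed);
    for my $line (split /\n/, $report) {
        if (normalise_line($line) =~ /Found the (.+) virus/) { push @names, $1 }
        elsif ($line =~ /\b(?:found|infected)\b/i)         { push @unparsed, $line }
    }
    return (\@names, \@unparsed);
}

# Walk the scanners in their run order and tag each hit with the scanner that
# produced it (Mohan's question).  $results maps scanner name to its output.
sub log_by_scanner {
    my ($order, $results) = @_;
    my @log;
    for my $scanner (@$order) {
        my ($names, $unparsed) = parse_report($results->{$scanner} || '');
        push @log, "scanner=$scanner virus=$_"     for @$names;
        push @log, "scanner=$scanner UNPARSED: $_" for @$unparsed;
    }
    return @log;
}

# Constructed sample output, not real scanner logs.  The mcafee lines use the
# three wordings above plus one phrased differently; the second scanner's
# wording is invented (a real engine needs its own patterns, as Hamish notes).
my %results = (
    mcafee => "parts/a.exe ... Found the W32/Yaha.e\@MM virus !!!\n"
            . "parts/b.doc ... Found: EICAR test file NOT a virus.\n"
            . "parts/c.scr ... Found the Backdoor-ABC trojan !!!\n"
            . "parts/d.pif ... Found virus or variant W32/Klez.h\@MM !!!\n"
            . "parts/e.exe ... infected with W32/Bugbear\@MM\n",
    second => "parts/e.exe ... Found the W32/Bugbear\@MM virus\n",
);
print "$_\n" for log_by_scanner([qw(mcafee second)], \%results);
```

The e.exe line from mcafee comes out as UNPARSED, which is the cue to add a pattern; the same file is then credited to the second scanner in run order.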
