F-Prot vs ClamAV
Lindsay Snider
lindsay at pa.net
Mon Sep 15 15:33:36 IST 2003
In the syslog:maillog, F-Prot's virus lines look like this:
MailScanner[16841]:
/var/spool/MailScanner/incoming/16841/./9FAB36BC95/patch.exe Infection:
W32/Dumaru.A at mm
So, grep for ' Infection: ' and pipe that through something that will group
and count the viruses. I used:
'| perl -ne '/\sInfection:\s(.*)$/; print "$1\n";' | sort | uniq -c | sort -n | tac'
For ClamAV, as the first step, I grep'd for 'FOUND$' and piped it through:
'| perl -ne '/:\s(\S+)\sFOUND/; print "$1\n";' | sort | uniq -c | sort -n | tac'
-Lindsay
On Monday 15 September 2003 10:08, Tunc Eresen(?`..,,.-> Cobalt M447785363481 wrote:
> Could you explain how did you get F-Prot stats, I would like to do same on
> my servers
>
> Best Regards
>
> O. TUNC ERESEN
>
> ISP & Security Consultant
>
> Mobile: (44)07785 363 481
>
> 17 OAK ROAD, BRACKLEY, NORTHANTS, UK, NN13 6ER
>
> tunceresen at eresen.com
>
>
>
> www.findmenet.com
>
>
>
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Lindsay Snider
> Sent: Monday, September 15, 2003 3:04 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
>
> We are running F-Prot and ClamAV. We pulled stats for the two over the
> last month and I was surprised to find that the open source ClamAV caught
> more viruses than F-Prot. Since we were a bit worried about installing ClamAV,
> I thought I'd post these stats in case others felt mildly concerned the way
> we did when we first considered ClamAV.
>
> ClamAV (558355 total)
> 519800 Worm.Sobig.F
> 13225 Worm.Dumaru
> 10032 Worm/Klez.H
> 8385 Exploit.IFrame.Gen
> 1758 Trojan.Dropper.C
> 1437 Worm.BugBear.B
> 750 Worm.LoveLorn
> 603 W32/Yaha.g.dam
> 459 Worm.Sobig.A
> 355 Worm.LoveLorn.VBS
> 322 W95/Hybris.PI.003
> 317 Sircam
> 159 Yaha.K
> 141 Yaha.P
> 89 W32/Magistr.B
> 88 W32/Magistr.A
> 55 Worm/Klez.E
> 42 Worm.Gibe.B
> 40 W32/Hybris.C
> 33 W32/BugBear.A
> 24 W95/Hybris.PI.002
> 24 W32/Magistr.B5
> 20 Worm.Dumaru.C
> 19 Trojan.FDoS.HuC.51
> 18 W95/Hybris.PI.001
> 18 VBS.Redlof.Encoded
> 12 WScr.Unsafe.D
> 12 Eicar-Test-Signature
> 11 Worm.Fizzer.A
> 10 W32/Magistr.B1
> 10 JS.FortNight.2
> 9 Worm.Ganda-A
> 8 W32/Magistr.B3
> 8 JS.FortNight.M
> 7 Worm.Sobig.E
> 7 W32/Magistr.B4
> 6 W97M/Class.B
> 5 TR.Happy99/SKA
> 4 Worm.Holar-H
> 4 W32/Magistr.B6
> 4 W32/Magistr.B2
> 4 Joke.SmallPenis
> 3 JS/Fortnight.B.1
> 2 W97/Marker
> 2 W32/Nimda.html
> 2 W32/Brid.Worm
> 2 VBS.LoveLetter.D
> 2 HTML.Netdex.A
> 1 Worm.Sobig.C
> 1 Worm.Palyh.A
> 1 WM/Thus.B
> 1 W98/Hybris.E
> 1 W95/Hybris.PI.000
> 1 W32/PrettyPark
> 1 m
> 1 Joke.CokeGift
>
> F-Prot (519869 total)
> 460595 W32/Sobig.F at mm
> 31529 W32/Sobig.F
> 10514 W32/Dumaro.A at mm
> 9791 W32/Klez.H at mm
> 2123 W32/Dumaru.A at mm
> 758 W32/Bugbear.B at mm
> 753 W32/Lovelorn.A at mm
> 660 W32/Bugbear.B at mm (corrupted)
> 601 W32/Lentin.F at mm
> 449 W32/Sobig.A at mm
> 409 W32/Hybris.worm.B
> 385 W32/Dumaro.A
> 355 VBS/Lovelorn.dropper
> 315 W32/Sircam.worm at mm
> 137 W32/Lentin.N at mm
> 122 W32/Magistr.32768 at mm
> 101 W32/Magistr.28672 at mm
> 55 W32/Klez.E at mm
> 42 W32/Gibe.B at mm
> 23 W32/Bugbear.A at mm
> 21 W32/Lentin.R at mm
> 18 VBS/Redolf.A
> 11 W32/Fizzer.A at mm
> 11 W32/Dumaro.E at mm
> 10 JS/Kak.A at m
> 10 Forten.F at m
> 8 JS/Forten.B at m
> 7 W32/Sobig.E at mm
> 7 EICAR_Test_File
> 5 W32/Ska.10000.worm at m
> 5 W32/Ganda.A at mm
> 4 W32/Holar.H at mm
> 3 W97M/Eight941.E
> 3 W32/Lentin.H at mm
> 3 W32/Elkern.C
> 3 JS/Fortnight.A
> 3 JS/Forten.E at m
> 2 W97M/Marker.{C,AP,DJ}
> 2 W32/Hybris.worm.D
> 2 W32/Bridex.A at mm
> 2 VBS/LoveLetter.gen
> 2 JS/Fortnight.C
> 1 X97M/Laroux.MV
> 1 W97M/Thus.A
> 1 W97M/Proverb.A
> 1 W32/Sobig.C at mm
> 1 W32/Sobig.B at mm
> 1 W32/Ronoper.E
> 1 W32/Kindal.A at mm
> 1 W32/CIH.1003.A
> 1 PrettyPark.51433
> 1 JS/NoClose.gen
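The grep/perl/sort/uniq pipelines in the reply above, written out as a small POSIX shell script. This is an added example, not code from Lindsay's post or from the MailScanner project. It assumes only the two log line shapes quoted in the reply (an F-Prot " Infection: NAME" line and a ClamAV ": NAME FOUND" line); the log lines inside SAMPLE_LOG are constructed for the example, and the function names (fprot_counts, clamav_counts, count_for, total_of) are the example's own. Note that the list archive renders "@" as " at ", so the real F-Prot names read "W32/Dumaru.A@mm", which is the form used here.

```shell
#!/bin/sh
# Added example: summarise MailScanner virus detections from a maillog,
# for both the F-Prot and ClamAV log line formats shown in the post.
# The log lines below are constructed samples, not real log data.
SAMPLE_LOG='Sep 15 10:01:02 mx MailScanner[16841]: /var/spool/MailScanner/incoming/16841/./9FAB36BC95/patch.exe Infection: W32/Dumaru.A@mm
Sep 15 10:01:05 mx MailScanner[16841]: /var/spool/MailScanner/incoming/16841/./A1B2C3D4E5/your_details.pif Infection: W32/Sobig.F@mm
Sep 15 10:01:09 mx MailScanner[16842]: /var/spool/MailScanner/incoming/16842/./B2C3D4E5F6/wicked_scr.scr Infection: W32/Sobig.F@mm
Sep 15 10:02:11 mx MailScanner[16843]: /var/spool/MailScanner/incoming/16843/./C3D4E5F6A7/document.zip: Worm.Sobig.F FOUND
Sep 15 10:02:14 mx MailScanner[16843]: /var/spool/MailScanner/incoming/16843/./D4E5F6A7B8/thank_you.pif: Worm.Sobig.F FOUND
Sep 15 10:02:20 mx MailScanner[16844]: /var/spool/MailScanner/incoming/16844/./E5F6A7B8C9/patch.exe: Worm.Dumaru FOUND
Sep 15 10:03:00 mx MailScanner[16845]: Message 12345 from 192.0.2.10 (sender@example.net) to rcpt@example.org is spam'

# F-Prot: keep lines containing " Infection: " and take everything after it
# as the virus name (names may contain spaces, e.g. "... (corrupted)").
# Reads the log on stdin, prints "COUNT NAME" lines, most frequent first.
fprot_counts() {
  grep ' Infection: ' | sed 's/.* Infection: //' | sort | uniq -c | sort -rn
}

# ClamAV: keep lines ending in "FOUND" and take the single token between the
# last ": " and " FOUND" as the virus name.
clamav_counts() {
  grep 'FOUND$' | sed -n 's/.*: \([^ ]*\) FOUND$/\1/p' | sort | uniq -c | sort -rn
}

# Look up the count for one detection name in a summary produced above.
# $1 = summary text, $2 = detection name; prints 0 if the name is absent.
count_for() {
  n=$(printf '%s\n' "$1" | awk -v name="$2" '$2 == name { print $1 }')
  printf '%s\n' "${n:-0}"
}

# Sum the counts in a summary (the "(N total)" figure in the post).
total_of() {
  printf '%s\n' "$1" | awk '{ s += $1 } END { print s + 0 }'
}

# Stand-alone run: print both summaries from the constructed sample log.
# On a real server replace the printf with: cat /var/log/maillog
echo "F-Prot:";  printf '%s\n' "$SAMPLE_LOG" | fprot_counts
echo "ClamAV:";  printf '%s\n' "$SAMPLE_LOG" | clamav_counts
```

The post's trailing `sort -n | tac` is written here as `sort -rn`: the result is the same ordering (descending by count), and `tac` is a GNU addition that is not available on every system, whereas `sort -r` is POSIX. The total_of function gives the same number as the "(N total)" headings in the quoted stats, so the two scanners' totals can be compared directly from one log.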