MyDoom.F
Jon Carnes
jonc at nc.rr.com
Thu Feb 26 21:09:41 GMT 2004
On Thu, 2004-02-26 at 13:19, Craig Daters wrote:
> Looking at this, it looks like this is not for ClamAV. I would like
> to use these examples to produce similar reports for ClamAV and
> F-Prot.
>
> I can sort of follow what is happening here, but I am not familiar
> with 'cut' so I am perusing the man page for cut, but can you kind of
> walk me through what's happening here with each of these examples?
>
> >===
> >I find it helpful to run two daily virus reports - one at noon that just
> >looks at that morning, the other at 6am and scans the whole week (so
> >far). The reports show the last time the AV dat files were updated and a
> >count of current viruses that have been stopped by MailScanner.
> >
> >The time the DAT files were last updated is given by:
> > ls -l --time-style="+%b %d %r" /usr/local/uvscan/datfiles/current | \
> > cut -c44-62
For ClamAV (or at least the clients I have running it) you would use
something like:
ls -ld --time-style="+%b %d %r" /usr/local/share/clamav |cut -c44-62
The "cut -c44-62" cuts out all characters but the ones between 44th and
62nd columns. On my systems these columns happen to be where the
Date/Time shows up from the "ls" command.
> >
> >The virus count is given by:
> > grep virus\ \! /var/log/maillog |cut -f7- "-d " |cut -f2 -d/ | \
> > cut -f1 "-d " |sort |uniq -c |sort -nr
> >
> >For the noon day one I do something like:
> > TODAY=`date -d "today" "+%b %e" `
> > grep "$TODAY" /var/log/maillog |grep virus\ \! |cut -f7- "-d " | \
> > cut -f2 -d/ |cut -f1 "-d " |sort |uniq -c |sort -nr
> >
In the above, I find the date and assign it to the variable "TODAY". The
format of the date is the same as that used in my maillog file.
Next I "grep" for today's date in the maillog file, then I take that
stream of information and look inside it for the word 'virus' followed
by a space and then an exclamation point: "virus !". This is a unique
tag used by MailScanner to log when it has found a virus. The actual
tag is "virus !!!"
Now I have a stream of information that contains all log entries from
today with MailScanner virus declarations. I want to trim this down to
just the virus names, so I use a series of "cut" commands - this is
necessary since the log entry does not use a fixed record format and has
a variable number of spaces in it (the file name for instance could have
spaces in it).
cut -f7- "-d "
This cuts the first 6 fields of the line, each field is separated
by a space (the "-d " means use spaces to separate fields on
the line). This gets rid of the file name section.
cut -f2 -d/
Now using "/" as a separator, only keep the second field
(the part of the line that comes after the "/")
This gets rid of anything left at the beginning of the line
up to the W32/....
cut -f1 "-d "
Now only the virus name remains as the first word, so let's
throw away anything after that first word on the line.
Now I have a stream of information that contains virus names, one/line.
I sort the names, then use "uniq -c" to count the number of times each
virus occurred.
Lastly, I sort this numbered list (in reverse order since I want the
higher numbers on top), and I'm done.
> >The report will look something like this:
> >
> > Anti-Virus files last updated on: Feb 25 01:01:15 PM
> > ===
> > Morning Virus report:
> > 53 Netsky.b@MM!zip
> > 47 Netsky.b@MM
> > 17 Mydoom.f.zip
> > 15 Mydoom.f@MM
> > 4 Mimail.a@MM
> > 2 Bagle.b@MM
> > 1 Sober.c@MM
> > ===
> >
> >As you can see from the report, it shows you clearly that the MyDoom.f
> >virus is being correctly caught.
> >
> >BTW: It's also a POC (Piece Of Cake) to publish this as a web page for
> >your organization, and is great PR for you and MailScanner.
> >
> >Hope this is helpful - Jon Carnes
>
I used to teach a class/seminar on scripting. I hope this was helpful!
Jon Carnes
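Added example (not from Jon's post and not MailScanner's own code): the same grep/cut/sort/uniq pipeline as a small POSIX shell script, run over a constructed sample of maillog lines so the field arithmetic explained above can be checked offline. It assumes the log layout the pipeline implies (date, time, host, process tag, then the scanned file's path as the sixth field, then "... Found the W32/<name> virus !!!") and GNU coreutils for date -r; the sample lines, the host name "mail" and the spool paths are made up. It goes one step beyond the post in two places: syslog pads single-digit days with two spaces ("Feb  5"), which shifts every space-separated field by one and makes "cut -f2 -d/" return "var" from the spool path, so the script squeezes repeated spaces with tr -s before cutting; and it reads the DAT directory's timestamp with date -r instead of cutting fixed columns out of ls -l, which only line up while the owner and group names keep the same width.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or from MailScanner.
# The log line layout below is ASSUMED from the field positions the
# pipeline depends on; compare it with your own /var/log/maillog first.

# Constructed sample of MailScanner/McAfee maillog lines (not real data).
# Note the syslog-style "Feb  5" with two spaces on the last line.
SAMPLE_LOG='Feb 26 09:15:01 mail MailScanner[2233]: /var/spool/MailScanner/incoming/2233/i1QAAA01/doc.zip ... Found the W32/Netsky.b@MM!zip virus !!!
Feb 26 09:16:12 mail MailScanner[2233]: /var/spool/MailScanner/incoming/2233/i1QAAA02/yourfile.pif ... Found the W32/Mydoom.f@MM virus !!!
Feb 26 09:18:44 mail MailScanner[2240]: /var/spool/MailScanner/incoming/2240/i1QAAA03/doc2.zip ... Found the W32/Netsky.b@MM!zip virus !!!
Feb 26 09:20:02 mail MailScanner[2240]: Requeue: i1QAAA03 to 0F1A2B3C
Feb 25 23:59:30 mail MailScanner[2100]: /var/spool/MailScanner/incoming/2100/i1PZZZ09/body.zip ... Found the W32/Mydoom.f@MM!zip virus !!!
Feb 26 11:02:09 mail MailScanner[2251]: /var/spool/MailScanner/incoming/2251/i1QAAA07/msg.pif ... Found the W32/Netsky.b@MM virus !!!
Feb  5 08:00:00 mail MailScanner[1900]: /var/spool/MailScanner/incoming/1900/i15AAA01/x.zip ... Found the W32/Sober.c@MM virus !!!'

# virus_report LOGFILE [DAY]
# DAY is an optional syslog-style date prefix such as "Feb 26" (what
# `date "+%b %e"` prints); with no DAY the empty pattern makes grep
# pass every line, which gives the whole-week style report.
virus_report() {
    grep -- "${2:-}" "$1" |
        grep 'virus !' |            # MailScanner's "virus !!!" tag
        tr -s ' ' |                 # added: squeeze "Feb  5" so field numbers stay stable
        cut -f7- -d ' ' |           # drop date, time, host, process tag and the file path
        cut -f2 -d/ |               # keep what follows the first "/", i.e. after "W32/"
        cut -f1 -d ' ' |            # the first word left is the virus name
        sort | uniq -c | sort -nr   # count per name, largest counts first
}

# dat_updated PATH
# Modification time of the DAT file/directory in the report's format.
# Uses GNU date -r (assumption: GNU coreutils); LC_ALL=C keeps English
# month names and the 12-hour %r form regardless of the caller's locale.
dat_updated() {
    LC_ALL=C date -r "$1" "+%b %d %r"
}

# Stand-alone demo: write the sample to a temp file and print the report.
# In production pass "$(date '+%b %e')" instead of the literal "Feb 26".
tmpfile=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmpfile"
echo "Anti-Virus files last updated on: $(dat_updated "$tmpfile")"
echo "==="
echo "Morning Virus report (Feb 26 only):"
virus_report "$tmpfile" "Feb 26"
echo "==="
echo "Whole-file report:"
virus_report "$tmpfile"
echo "==="
rm -f "$tmpfile"
```

Run it with sh. Without the tr -s step the "Feb  5" line would be counted under the name "var", which is easy to miss in a long report; if your log never shows that shift, the original pipeline is already enough.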