MyDoom.F

Jon Carnes jonc at nc.rr.com
Thu Feb 26 21:09:41 GMT 2004


On Thu, 2004-02-26 at 13:19, Craig Daters wrote:
> Looking at this, it looks like this is not for ClamAV. I would like
> to use these examples to produce similar reports for ClamAV and
> F-Prot.
>
> I can sort of follow what is happening here, but I am not familiar
> with 'cut' so I am perusing the man page for cut, but can you kind of
> walk me through what's happening here with each of these examples?
>
> >===
> >I find it helpful to run two daily virus reports - one at noon that just
> >looks at that morning, the other at 6am and scans the whole week (so
> >far). The reports show the last time the AV dat files were updated and a
> >count of current viruses that have been stopped by MailScanner.
> >
> >The time the DAT files were last updated is given by:
> >   ls -l --time-style="+%b %d %r" /usr/local/uvscan/datfiles/current | \
> >     cut -c44-62

For ClamAV (or at least the clients I have running it) you would use
something like:
  ls -ld --time-style="+%b %d %r" /usr/local/share/clamav |cut -c44-62

The "cut -c44-62" cuts out all characters but the ones between 44th and
62nd columns. On my systems these columns happen to be where the
Date/Time shows up from the "ls" command.



> >
> >The virus count is given by:
> >   grep virus\ \! /var/log/maillog |cut -f7- "-d " |cut -f2 -d/ | \
> >     cut -f1 "-d " |sort |uniq -c |sort -nr
> >
> >For the noon day one I do something like:
> >   TODAY=`date -d "today" "+%b %e" `
> >   grep "$TODAY" /var/log/maillog |grep virus\ \! |cut -f7- "-d " | \
> >     cut -f2 -d/ |cut -f1 "-d " |sort |uniq -c |sort -nr
> >

In the above, I find the date and assign it to the variable "TODAY". The
format of the date is the same as that used in my maillog file.

Next I "grep" for today's date in the maillog file, then I take that
stream of information and look inside it for the word 'virus' followed
by a space and then an exclamation point: "virus !".  This is a unique
tag used by MailScanner to log when it has found a virus.  The actual
tag is "virus !!!"

Now I have a stream of information that contains all log entries from
today with MailScanner virus declarations. I want to trim this down to
just the virus names, so I use a series of "cut" commands - this is
necessary since the log entry does not use a fixed record format and has
a variable number of spaces in it (the file name for instance could have
spaces in it).
  cut -f7- "-d "
     This cuts the first 6 fields of the line, each field is separated
     by a space (the "-d " means use spaces to separate fields on
     the line). This gets rid of the file name section.
  cut -f2 -d/
     Now using "/" as a separator, only keep the second field
     (the part of the line that comes after the "/")
     This gets rid of anything left at the beginning of the line
     up to the W32/....
  cut -f1 "-d "
     Now only the virus name remains as the first word, so let's
     throw away anything after that first word on the line.

Now I have a stream of information that contains virus names, one/line.
I sort the names, then use "uniq -c" to count the number of times each
virus occurred.

Lastly, I sort this numbered list (in reverse order since I want the
higher numbers on top), and I'm done.


> >The report will look something like this:
> >
> >   Anti-Virus files last updated on: Feb 25 01:01:15 PM
> >   ===
> >   Morning Virus report:
> >      53 Netsky.b at MM!zip
> >      47 Netsky.b at MM
> >      17 Mydoom.f.zip
> >      15 Mydoom.f at MM
> >       4 Mimail.a at MM
> >       2 Bagle.b at MM
> >       1 Sober.c at MM
> >    ===
> >
> >As you can see from the report, it shows you clearly that the MyDoom.f
> >virus is being correctly caught.
> >
> >BTW: It's also a POC (Piece Of Cake) to publish this as a web page for
> >your organization, and is great PR for you and MailScanner.
> >
> >Hope this is helpful - Jon Carnes
>

I used to teach a class/seminar on scripting.  I hope this was helpful!

Jon Carnes
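Jon's grep/cut/sort/uniq pipeline run over a small constructed log, as an added example that is not part of the original post. The log lines and their "Found the W32/<name> virus !!!" layout are assumed to match the field positions the pipeline expects; virus_report, top_virus and distinct_names are helper names chosen here.

```shell
#!/bin/sh
# Constructed MailScanner syslog sample (not real log data): six space-separated
# fields precede "Found the <scanner>/<name> virus !!!", which is the layout
# Jon's cut pipeline assumes. One file name contains a space, one entry is from
# the previous day, and one line is not a virus detection at all.
SAMPLE_LOG=$(cat <<'EOF'
Feb 26 08:01:12 mail MailScanner[2231]: ./i1Q8x1A/attach.zip Found the W32/Netsky.b@MM!zip virus !!!
Feb 26 08:03:45 mail MailScanner[2231]: ./i1Q8x1B/message.htm Found the W32/Netsky.b@MM virus !!!
Feb 26 09:10:02 mail MailScanner[2240]: ./i1Q8x1C/attach.zip Found the W32/Netsky.b@MM!zip virus !!!
Feb 26 09:11:30 mail MailScanner[2240]: ./i1Q8x1D/body.zip Found the W32/Mydoom.f.zip virus !!!
Feb 26 09:12:00 mail MailScanner[2240]: ./i1Q8x1E/your document.scr Found the W32/Mydoom.f@MM virus !!!
Feb 25 23:58:10 mail MailScanner[2100]: ./i1Q7x9Z/attach.zip Found the W32/Netsky.b@MM!zip virus !!!
Feb 26 09:15:00 mail MailScanner[2240]: Requeue: message i1Q8x1F to 1 recipients
EOF
)

# virus_report LOGTEXT [DAY]: the pipeline from the post, optionally limited to
# one day given in the same "%b %e" form syslog uses (e.g. "Feb 26").
# An empty DAY makes the first grep match every line.
# Caveat: "cut -f2 -d/" keeps what follows the first "/" in fields 7 onward, so
# a file name that still contributes a "/" after field 6 would yield a path
# fragment instead of a virus name.
virus_report() {
    log=$1
    day=${2:-}
    printf '%s\n' "$log" | grep "^$day" | grep 'virus !' |
        cut -f7- -d ' ' | cut -f2 -d/ | cut -f1 -d ' ' |
        sort | uniq -c | sort -nr
}

# top_virus LOGTEXT [DAY]: "<count> <name>" for the busiest entry, with the
# padding of "uniq -c" squeezed out so the result is portable across systems.
top_virus() {
    virus_report "$1" "${2:-}" | head -n 1 | awk '{print $1, $2}'
}

# distinct_names LOGTEXT [DAY]: how many different virus names were reported.
distinct_names() {
    virus_report "$1" "${2:-}" | wc -l | tr -d ' '
}

# Stand-alone run: the whole-week style report, then the single-day one.
virus_report "$SAMPLE_LOG"
echo ===
virus_report "$SAMPLE_LOG" "Feb 26"
```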
