New service - the Team Cymru Malware Hash Registry!

Steve Freegard steve.freegard at fsl.com
Tue Oct 28 12:16:08 GMT 2008


Martin.Hepworth wrote:
> Oops hit 'send' too quick..
> 
> Jules if ya get bored with the kitties, i think this could be a useful addition to MS.
> 

Anyone fancy trying the attached? - I've tested it here and it appears 
to work fine.

It's a plug-in to look up the hashes in the Malware Registry implemented 
using MailScanner's generic virus scanner interface.

It uses the SHA1 algorithm instead of MD5 and uses background sockets to 
increase scanning speed with a maximum timeout of 30 seconds waiting for 
DNS results.

To install it - copy the attached to /usr/local/bin, then edit 
virus.scanners.conf and change:

generic         /usr/lib/MailScanner/generic-wrapper    /
to
generic         /usr/lib/MailScanner/generic-wrapper    /usr/local/bin

Then edit generic-wrapper and change

MyScanner=/bin/false
to
MyScanner=generic_hash_scanner.pl

And then test it by running the following (you must be in the same 
directory as the generic-wrapper script):

./generic-wrapper /usr/local/bin .

You should get output similar to the following:

[root at mail MailScanner]# ./generic-wrapper /usr/local/bin .
CLEAN::File::./f-secure-wrapper
CLEAN::File::./generic-wrapper
CLEAN::File::./MailScanner/CustomFunctions/SignCleanMessages.pm
CLEAN::File::./MailScanner/CustomFunctions/SignCleanMessagesFunction.tar.gz
CLEAN::File::./sophos-wrapper
CLEAN::File::./utils/bin/encode-base64

Here's an example with eicar:

[root at mail MailScanner]# ./generic-wrapper /usr/local/bin eicar.com
ERROR::Cymru_Malware_Hash::./eicar.com

Any errors are reported as:

INFO::ERROR::<error text>

And any output from the wrapper will be automatically displayed in the 
log by MailScanner:

Oct 28 08:05:09 mail MailScanner[6065]: Virus and Content Scanning: 
Starting
Oct 28 08:05:11 mail MailScanner[6065]: 
GenericScanner::CLEAN::File::./m9SC5507007840.header
Oct 28 08:05:11 mail MailScanner[6065]: 
GenericScanner::CLEAN::File::./m9SC5507007840/msg-6065-48.html
Oct 28 08:05:11 mail MailScanner[6065]: 
GenericScanner::CLEAN::File::./m9SC5507007840/msg-6065-47.txt
Oct 28 08:05:11 mail MailScanner[6065]: Virus Scanning completed at 2420 
bytes per second

In my testing it's actually *faster* than a command-line virus scanner 
by a considerable margin:

[root at mail ~]# time clamscan eicar.com
<output snipped>
real	0m11.910s
user	0m11.447s
sys	0m0.253s

[root at mail ~]# time /usr/local/bin/generic_hash_scanner.pl eicar.com
ERROR::Cymru_Malware_Hash::./eicar.com

real	0m0.320s
user	0m0.284s
sys	0m0.036s

How long it will stay this fast as people start using it remains to be seen.

Kind regards,
Steve.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: generic_hash_scanner.pl
Type: application/x-perl
Size: 2648 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20081028/cd851ada/generic_hash_scanner.bin
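The attached Perl script was scrubbed by the list archive, so the following is an added Python example, not Steve's script, showing the same design: SHA1 each file, query the Team Cymru Malware Hash Registry over DNS from background worker threads with a 30-second ceiling, and emit the CLEAN::File::, ERROR::<name>:: and INFO::ERROR:: lines the generic wrapper expects. The DNS zone name `malware.hash.cymru.com`, the TXT answer layout "<last_seen_unix> <detection_pct>", the use of the third-party `dnspython` package for the live resolver, and the 8-worker pool size are assumptions of this example; the detection name Cymru_Malware_Hash and the line formats are taken from the post. The resolver is a plain callable so the code can be exercised offline against a constructed lookup table.

```python
import hashlib
import os
import sys
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout

# Assumed MHR interface: a TXT lookup of <hex hash>.malware.hash.cymru.com answers
# "<last_seen_unix> <detection_pct>" for a known sample and NXDOMAIN otherwise.
MHR_ZONE = "malware.hash.cymru.com"
DNS_TIMEOUT = 30  # seconds; the same ceiling the post mentions for waiting on DNS


def sha1_of_bytes(data):
    """SHA1 hex digest of an in-memory buffer (used by the offline demo and the tests)."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk=65536):
    """SHA1 hex digest of a file, read in chunks so large attachments need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_mhr_txt(txt):
    """Parse an MHR TXT answer such as '1221154281 53' into (last_seen_unix, detection_pct)."""
    parts = txt.split()
    if len(parts) != 2:
        raise ValueError(f"unexpected MHR answer: {txt!r}")
    return int(parts[0]), int(parts[1])


def dns_resolver(name):
    """Live resolver built on dnspython (assumption: the 'dnspython' package is installed).
    Returns the first TXT string, or None when the name does not exist (hash unknown to MHR)."""
    import dns.resolver  # third-party; imported lazily so the rest of the module works without it
    try:
        answer = dns.resolver.resolve(name, "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return None
    return b"".join(answer[0].strings).decode()


def classify(path, digest, resolver):
    """Produce one generic-wrapper result line for a file, in the format MailScanner parses."""
    try:
        txt = resolver(f"{digest}.{MHR_ZONE}")
        if txt is not None:
            parse_mhr_txt(txt)  # a malformed record is reported as an error, not treated as a hit
    except Exception as exc:  # any resolver failure becomes INFO::ERROR rather than a silent CLEAN
        return f"INFO::ERROR::{path}: {exc}"
    if txt is None:
        return f"CLEAN::File::{path}"
    return f"ERROR::Cymru_Malware_Hash::{path}"


def scan_digests(items, resolver=dns_resolver, timeout=DNS_TIMEOUT):
    """Look up (path, digest) pairs concurrently and return result lines in input order.
    Each lookup runs in a worker thread; one that exceeds `timeout` is reported as an error."""
    pool = ThreadPoolExecutor(max_workers=8)
    futures = [(path, pool.submit(classify, path, digest, resolver)) for path, digest in items]
    results = []
    for path, fut in futures:
        try:
            results.append(fut.result(timeout=timeout))
        except FutureTimeout:
            results.append(f"INFO::ERROR::{path}: MHR lookup exceeded {timeout}s")
    pool.shutdown(wait=False)  # do not block the scan on a hung lookup
    return results


def collect_files(root):
    """Every regular file under `root` (a directory), or `root` itself when it is a file."""
    if os.path.isfile(root):
        return [root]
    found = []
    for dirpath, _, names in os.walk(root):
        found.extend(os.path.join(dirpath, n) for n in names)
    return sorted(found)


def scan_paths(targets, resolver=dns_resolver, timeout=DNS_TIMEOUT):
    """Hash and classify every file under the targets (mirrors `generic-wrapper <dir> <target>`)."""
    items = [(p, sha1_of_file(p)) for t in targets for p in collect_files(t)]
    return scan_digests(items, resolver, timeout)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real run: ./generic_hash_scanner.py <file-or-dir>...
        for line in scan_paths(sys.argv[1:]):
            print(line)
    else:  # offline demo against two constructed files and a constructed MHR answer table
        import tempfile
        bad = b"constructed sample standing in for a known-bad file"
        table = {f"{sha1_of_bytes(bad)}.{MHR_ZONE}": "1221154281 53"}  # constructed answer
        with tempfile.TemporaryDirectory() as d:
            with open(os.path.join(d, "bad.bin"), "wb") as fh:
                fh.write(bad)
            with open(os.path.join(d, "ok.txt"), "wb") as fh:
                fh.write(b"harmless text")
            for line in scan_paths([d], resolver=table.get):
                print(line)
```

Two points worth keeping in mind when deploying something like this: a hash registry only matches byte-identical samples that are already listed, so a single changed byte yields a different SHA1 and a CLEAN verdict, which is why it belongs alongside a signature or behavioural scanner rather than in place of one; and every lookup sends the hash of a scanned attachment to an external DNS service, so the per-file INFO::ERROR on timeout matters because a slow or unreachable resolver would otherwise stall mail delivery.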

