New service - the Team Cymru Malware Hash Registry!
--[ UxBoD ]--
uxbod at splatnix.net
Tue Oct 28 12:35:52 GMT 2008
Superb Steve! Looks like it's being heavily used already ;)
# ./generic-wrapper /usr/local/bin .
CLEAN::File::./f-prot-6-wrapper
CLEAN::File::./kaspersky.prf
CLEAN::File::./vexira-wrapper
CLEAN::File::./MailScanner.pm
CLEAN::File::./bitdefender-autoupdate
CLEAN::File::./f-secure-wrapper
CLEAN::File::./vba32-wrapper
CLEAN::File::./symscanengine-wrapper
CLEAN::File::./MailScanner/CustomFunctions/SQLBlackWhiteList.pm
CLEAN::File::./vba32-autoupdate
CLEAN::File::./kaspersky-autoupdate
CLEAN::File::./MailScanner/Log.pm
CLEAN::File::./clamav-autoupdate
INFO::ERROR::Timed out after 30 seconds
Regards,
--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749
----- "Steve Freegard" <steve.freegard at fsl.com> wrote:
> Anyone fancy trying the attached? - I've tested it here and it appears
> to work fine.
>
> It's a plug-in to look up the hashes in the Malware Registry implemented
> using MailScanner's generic virus scanner interface.
>
> It uses the SHA1 algorithm instead of MD5 and uses background sockets to
> increase scanning speed with a maximum timeout of 30 seconds waiting for
> DNS results.
>
> To install it - copy the attached to /usr/local/bin, then edit
> virus.scanners.conf and change:
>
> generic /usr/lib/MailScanner/generic-wrapper /
>
> to
>
> generic /usr/lib/MailScanner/generic-wrapper /usr/local/bin
>
> Then edit generic-wrapper and change
>
> MyScanner=/bin/false
>
> to
>
> MyScanner=generic_hash_scanner.pl
>
> And then test it by running the following (you must be in the same
> directory as the generic-wrapper script):
>
> ./generic-wrapper /usr/local/bin .
>
> You should get output similar to the following:
>
> [root at mail MailScanner]# ./generic-wrapper /usr/local/bin .
> CLEAN::File::./f-secure-wrapper
> CLEAN::File::./generic-wrapper
> CLEAN::File::./MailScanner/CustomFunctions/SignCleanMessages.pm
> CLEAN::File::./MailScanner/CustomFunctions/SignCleanMessagesFunction.tar.gz
> CLEAN::File::./sophos-wrapper
> CLEAN::File::./utils/bin/encode-base64
>
> Here's an example with eicar:
>
> [root at mail MailScanner]# ./generic-wrapper /usr/local/bin eicar.com
> ERROR::Cymru_Malware_Hash::./eicar.com
>
> Any errors are reported as:
>
> INFO::ERROR::<error text>
>
> And any output from the wrapper will be automatically displayed in the
> log by MailScanner:
>
> Oct 28 08:05:09 mail MailScanner[6065]: Virus and Content Scanning: Starting
> Oct 28 08:05:11 mail MailScanner[6065]: GenericScanner::CLEAN::File::./m9SC5507007840.header
> Oct 28 08:05:11 mail MailScanner[6065]: GenericScanner::CLEAN::File::./m9SC5507007840/msg-6065-48.html
> Oct 28 08:05:11 mail MailScanner[6065]: GenericScanner::CLEAN::File::./m9SC5507007840/msg-6065-47.txt
> Oct 28 08:05:11 mail MailScanner[6065]: Virus Scanning completed at 2420 bytes per second
>
> In my testing it's actually *faster* than a command-line virus scanner
> by a considerable margin:
>
> [root at mail ~]# time clamscan eicar.com
> <output snipped>
> real 0m11.910s
> user 0m11.447s
> sys 0m0.253s
>
> [root at mail ~]# time /usr/local/bin/generic_hash_scanner.pl eicar.com
> ERROR::Cymru_Malware_Hash::./eicar.com
>
> real 0m0.320s
> user 0m0.284s
> sys 0m0.036s
>
> How long it will stay this fast as people start using it remains to be
> seen.
>
> Kind regards,
>
> Steve.
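An added example (not Steve's Perl script from the list, nor Team Cymru's own code) of the same design in Python: SHA-1 each file, query the registry from background threads under the 30-second ceiling, and emit the wrapper's CLEAN::File / ERROR::Cymru_Malware_Hash / INFO::ERROR lines. mhr_lookup assumes the registry's DNS A-record interface (a record exists only for listed hashes); demo() swaps in a constructed known-bad table so the run is offline.

```python
import hashlib, os, socket, tempfile
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

MHR_ZONE = "malware.hash.cymru.com"   # Team Cymru Malware Hash Registry DNS zone
TIMEOUT_SECONDS = 30                  # same overall wait as the plug-in on the page

def sha1_of_file(path):
    """Hash in chunks so a large attachment never sits in memory whole."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def mhr_lookup(sha1_hex):
    """Live lookup (assumed interface): an A record exists only for listed hashes."""
    try:
        socket.gethostbyname(f"{sha1_hex}.{MHR_ZONE}")
        return True
    except socket.gaierror:          # NXDOMAIN, i.e. not in the registry
        return False

def scan_paths(paths, lookup=mhr_lookup, timeout=TIMEOUT_SECONDS):
    """Return wrapper-style result lines; lookups run in background threads."""
    files = [p for p in paths if os.path.isfile(p)]
    for p in (p for p in paths if os.path.isdir(p)):
        for root, _, names in os.walk(p):
            files.extend(os.path.join(root, n) for n in names)
    pool = ThreadPoolExecutor(max_workers=8)
    pending = [(f, pool.submit(lookup, sha1_of_file(f))) for f in files]
    lines = []
    for f, future in pending:
        try:
            hit = future.result(timeout=timeout)
        except FutureTimeout:        # the failure the page shows: INFO::ERROR::Timed out
            lines.append(f"INFO::ERROR::Timed out after {timeout} seconds")
            break
        lines.append(f"ERROR::Cymru_Malware_Hash::{f}" if hit else f"CLEAN::File::{f}")
    pool.shutdown(wait=False, cancel_futures=True)
    return lines

def demo():
    """Offline run: two constructed files and a constructed known-bad table, no DNS."""
    with tempfile.TemporaryDirectory() as d:
        bad, good = os.path.join(d, "sample.exe"), os.path.join(d, "notes.txt")
        for path, data in ((bad, b"constructed stand-in for a listed file"), (good, b"ordinary text")):
            with open(path, "wb") as fh:
                fh.write(data)
        known_bad = {sha1_of_file(bad)}          # constructed registry contents
        return sorted(scan_paths([d], lookup=lambda h: h in known_bad))
```

For a live check, call scan_paths with the default lookup; a hang past the ceiling yields the same INFO::ERROR line the list post reports.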