Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.

Alex Broens ms-list at alexb.ch
Fri Sep 5 22:35:24 IST 2008


On 9/5/2008 11:17 PM, Julian Field wrote:
> 
> 
> Alex Broens wrote:
>> On 9/5/2008 10:55 PM, Julian Field wrote:
>>> Try the attached SweepViruses.pm.
>>> It will only help if the log output contains the attachment log entry 
>>> first, followed by the message log entry. If it's the other way 
>>> around, I can't suppress the message log entry on the basis that an 
>>> attachment log entry may appear afterwards.
>>> If you have any better ideas on how to predict what may be logged in 
>>> the future, I'm all ears :-)
>>
>> __
>> Sep  5 23:04:16 ms1 MailScanner[25357]: Clamd::INFECTED:: 
>> Eicar-Test-Signature :: ./411661008C85.5B8DE/eicar_com.zip
>> __
>>
>> maillog / clamd look GOOD
>> Mailwatch agrees with one line /entry
>>
>>
>> Now, can you do the magic on esets? :-)
>>
>> here's what it's doing.
>> I tried fiddling with the log formatting in esets.cfg but have the 
>> feeling it's being ignored.
>>
>> __
>> Sep  5 23:04:17 ms1 MailScanner[25357]: 
>> name="./411661008C85.5B8DE/eicar_com.zip", threat="Eicar test file", 
>> action="", info=""
>> Sep  5 23:04:17 ms1 MailScanner[25357]: 
>> name="./411661008C85.5B8DE/eicar_com.zip » ZIP » eicar.com", 
>> threat="Eicar test file", action="", info=""
>> __
>>
> Not if it's logging in that order, as I need to log the eicar.com entry, 
> but I can't predict it's going to be there from the eicar_com.zip log 
> entry. That requires crystal balls :-)

lemme see if I get this right

Eset logging has

log_format_summ = "format"
log_format_part = "format"

What happens if you only log the "summ" ?

would that break anything?

the chances of having two different infections in one archive are VERY 
small, or am I still missing something real important?

Alex
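As an added illustration (not code from this thread, from MailScanner's Perl SweepViruses.pm, or from ESET), the following Python sketch shows the "summary only" collapse Alex asks about, done over a complete batch of log lines rather than a stream. Working on the whole batch sidesteps Julian's ordering problem: whether the archive entry or the member entry arrives first no longer matters, and a second, different threat inside the same archive is still recorded instead of being lost. The field layout (`name="..."`, `threat="..."`, `action=""`, `info=""`) and the ` » ` nesting separator are taken from the esets entries quoted above; the second sample archive and its threat names are constructed.

```python
import re

# Constructed sample lines modelled on the esets entries quoted in the thread
# (the originals are line-wrapped in the mail; here each entry is one line).
SAMPLE_LOG = [
    'Sep  5 23:04:17 ms1 MailScanner[25357]: name="./411661008C85.5B8DE/eicar_com.zip", '
    'threat="Eicar test file", action="", info=""',
    'Sep  5 23:04:17 ms1 MailScanner[25357]: name="./411661008C85.5B8DE/eicar_com.zip » ZIP » eicar.com", '
    'threat="Eicar test file", action="", info=""',
]

# Constructed: one archive carrying two different detections, the case Alex
# considers unlikely. Path and second threat name are placeholders, not real values.
SAMPLE_LOG_TWO_THREATS = [
    'Sep  5 23:05:00 ms1 MailScanner[25357]: name="./EXAMPLE-QUEUE-ID/mixed.zip » ZIP » eicar.com", '
    'threat="Eicar test file", action="", info=""',
    'Sep  5 23:05:00 ms1 MailScanner[25357]: name="./EXAMPLE-QUEUE-ID/mixed.zip", '
    'threat="Eicar test file", action="", info=""',
    'Sep  5 23:05:00 ms1 MailScanner[25357]: name="./EXAMPLE-QUEUE-ID/mixed.zip » ZIP » other.exe", '
    'threat="Constructed-Test-Signature-2", action="", info=""',
]

# key="value" pairs as they appear after the syslog prefix
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# esets separates the archive from its nested members with this token
PART_SEP = " » "


def parse_esets_line(line):
    """Return the key/value fields of one esets-style entry, or None if it isn't one."""
    fields = dict(FIELD_RE.findall(line))
    if "name" not in fields or "threat" not in fields:
        return None
    return fields


def split_name(name):
    """Split 'archive » ZIP » member' into (top-level path, nested components)."""
    parts = name.split(PART_SEP)
    return parts[0], parts[1:]


def collapse_archive_parts(lines):
    """Collapse per-member ('part') entries into one report per top-level file.

    Because the whole batch is examined, the order in which the archive entry
    and its member entries were logged does not matter. Distinct threats found
    inside the same archive are all kept.
    """
    reports = {}
    for line in lines:
        fields = parse_esets_line(line)
        if fields is None:
            continue  # unrelated log line, e.g. a Clamd::INFECTED:: entry
        top, nested = split_name(fields["name"])
        rep = reports.setdefault(top, {"threats": [], "members": []})
        if fields["threat"] not in rep["threats"]:
            rep["threats"].append(fields["threat"])
        if nested:
            member = PART_SEP.join(nested)
            if member not in rep["members"]:
                rep["members"].append(member)
    return reports


def format_reports(reports):
    """Render one summary line per top-level file."""
    out = []
    for top, rep in reports.items():
        members = ", ".join(rep["members"]) if rep["members"] else "-"
        threats = ";".join(rep["threats"])
        out.append(f"INFECTED {top} threats={threats} members={members}")
    return out


if __name__ == "__main__":
    for line in format_reports(collapse_archive_parts(SAMPLE_LOG + SAMPLE_LOG_TWO_THREATS)):
        print(line)
```

The trade-off is the one Julian names: a streaming suppressor inside the scanner can only drop the archive entry if the member entry is guaranteed to come first, whereas a post-processor that reads the finished per-message log can collapse in either order, at the cost of reporting after the batch rather than line by line.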