Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.

Julian Field MailScanner at ecs.soton.ac.uk
Fri Sep 5 22:54:26 IST 2008



Alex Broens wrote:
> On 9/5/2008 11:17 PM, Julian Field wrote:
>>
>>
>> Alex Broens wrote:
>>> On 9/5/2008 10:55 PM, Julian Field wrote:
>>>> Try the attached SweepViruses.pm.
>>>> It will only help if the log output contains the attachment log 
>>>> entry first, followed by the message log entry. If it's the other 
>>>> way around, I can't suppress the message log entry on the basis 
>>>> that an attachment log entry may appear afterwards.
>>>> If you have any better ideas on how to predict what may be logged 
>>>> in the future, I'm all ears :-)
>>>
>>> __
>>> Sep  5 23:04:16 ms1 MailScanner[25357]: Clamd::INFECTED:: 
>>> Eicar-Test-Signature :: ./411661008C85.5B8DE/eicar_com.zip
>>> __
>>>
>>> maillog / clamd look GOOD
>>> Mailwatch agrees with one line /entry
>>>
>>>
>>> Now, can you do the magic on esets? :-)
>>>
>>> here's what it's doing.
>>> I tried fiddling with the log formatting in esets.cfg but have the 
>>> feeling it's being ignored.
>>>
>>> __
>>> Sep  5 23:04:17 ms1 MailScanner[25357]: 
>>> name="./411661008C85.5B8DE/eicar_com.zip", threat="Eicar test file", 
>>> action="", info=""
>>> Sep  5 23:04:17 ms1 MailScanner[25357]: 
>>> name="./411661008C85.5B8DE/eicar_com.zip » ZIP » eicar.com", 
>>> threat="Eicar test file", action="", info=""
>>> __
>>>
>> Not if it's logging in that order, as I need to log the eicar.com 
>> entry, but I can't predict it's going to be there from the 
>> eicar_com.zip log entry. That requires crystal balls :-)
>
> lemme see if I get this right
>
> Eset logging has
>
> log_format_summ = "format"
> log_format_part = "format"
>
> What happens if you only log the "summ" ?
>
> would that break anything?
Surely it's better to always log the more detailed one, i.e. log_format_part?
Personally I would much rather log both of them. Who cares about one 
extra log line? No-one ever reads them anyway, do they?
>
> the chances of having two different infections in one archive are VERY 
> small, or am I still missing something real important?
>
> Alex
>
>
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
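One way to collapse the duplicated ESET-style entries discussed above, as an added example that is not part of this thread or of MailScanner's SweepViruses.pm: it buffers all entries for a scan and drops an archive-level entry only when a member entry for the same container and the same threat is present, so the logging order that the thread worries about no longer matters. The sample log lines (the third one in particular), the separator constant and the helper names are constructed for this example.

```python
import re

# Constructed sample log lines, modelled on the ESET entries quoted in the
# thread: the archive-level entry, the member-level entry for the same threat,
# and a constructed second threat inside the same archive (member entry only).
SAMPLE_LOG = """\
Sep  5 23:04:17 ms1 MailScanner[25357]: name="./411661008C85.5B8DE/eicar_com.zip", threat="Eicar test file", action="", info=""
Sep  5 23:04:17 ms1 MailScanner[25357]: name="./411661008C85.5B8DE/eicar_com.zip » ZIP » eicar.com", threat="Eicar test file", action="", info=""
Sep  5 23:04:17 ms1 MailScanner[25357]: name="./411661008C85.5B8DE/eicar_com.zip » ZIP » other.com", threat="Other test threat", action="", info=""
"""

# Pulls the name="..." and threat="..." fields out of an ESET-format line.
ENTRY_RE = re.compile(r'name="(?P<name>[^"]*)", threat="(?P<threat>[^"]*)"')
SEP = " » "   # container/member separator as it appears in the quoted log


def parse_entries(log_text):
    """Yield (container, member_chain, threat) for each infection line."""
    for line in log_text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue            # not an infection entry, leave it alone
        parts = m.group("name").split(SEP)
        yield parts[0], tuple(parts[1:]), m.group("threat")


def collapse_entries(log_text):
    """Return (name, threat) pairs with redundant archive-level entries removed.

    An archive-level entry (no member chain) is dropped when a member-level
    entry for the same container and the same threat exists anywhere in the
    batch. Because the whole batch is examined first, it does not matter
    whether the member line is logged before or after the container line.
    A different threat in the same archive is kept as its own entry.
    """
    entries = list(parse_entries(log_text))
    detailed = {(c, t) for c, members, t in entries if members}
    kept = []
    for container, members, threat in entries:
        if not members and (container, threat) in detailed:
            continue            # superseded by a more specific member entry
        kept.append((SEP.join((container,) + members), threat))
    return kept


if __name__ == "__main__":
    for name, threat in collapse_entries(SAMPLE_LOG):
        print(f"{threat}: {name}")
```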




