Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.

Alex Broens ms-list at alexb.ch
Fri Sep 5 23:11:09 IST 2008


On 9/5/2008 11:54 PM, Julian Field wrote:
> 
> 
> Alex Broens wrote:
>> On 9/5/2008 11:17 PM, Julian Field wrote:
>>>
>>>
>>> Alex Broens wrote:
>>>> On 9/5/2008 10:55 PM, Julian Field wrote:
>>>>> Try the attached SweepViruses.pm.
>>>>> It will only help if the log output contains the attachment log 
>>>>> entry first, followed by the message log entry. If it's the other 
>>>>> way around, I can't suppress the message log entry on the basis 
>>>>> that an attachment log entry may appear afterwards.
>>>>> If you have any better ideas on how to predict what may be logged 
>>>>> in the future, I'm all ears :-)
>>>>
>>>> __
>>>> Sep  5 23:04:16 ms1 MailScanner[25357]: Clamd::INFECTED:: 
>>>> Eicar-Test-Signature :: ./411661008C85.5B8DE/eicar_com.zip
>>>> __
>>>>
>>>> maillog / clamd look GOOD
>>>> Mailwatch agrees with one line /entry
>>>>
>>>>
>>>> Now, can you do the magic on esets? :-)
>>>>
>>>> here's what it's doing.
>>>> I tried fiddling with the log formatting in esets.cfg but have the 
>>>> feeling it's being ignored.
>>>>
>>>> __
>>>> Sep  5 23:04:17 ms1 MailScanner[25357]: 
>>>> name="./411661008C85.5B8DE/eicar_com.zip", threat="Eicar test file", 
>>>> action="", info=""
>>>> Sep  5 23:04:17 ms1 MailScanner[25357]: 
>>>> name="./411661008C85.5B8DE/eicar_com.zip » ZIP » eicar.com", 
>>>> threat="Eicar test file", action="", info=""
>>>> __
>>>>
>>> Not if it's logging in that order, as I need to log the eicar.com 
>>> entry, but I can't predict it's going to be there from the 
>>> eicar_com.zip log entry. That requires crystal balls :-)
>>
>> lemme see if I get this right
>>
>> Eset logging has
>>
>> log_format_summ = "format"
>> log_format_part = "format"
>>
>> What happens if you only log the "summ" ?
>>
>> would that break anything?
> Surely it's better to always log the more detailed one, ie 
> log_format_part ?
> Personally I would much rather log both of them. Who cares about one 
> extra log line? No-one ever reads them anyway, do they?

doesn't that go both ways :-)
if nobody reads them, then verbosity is usually bloat & useless.

the way it is now it dupes all Mailwatch entries and borks stats, etc 
and in the end both entries are pretty much saying the same.

this is what Mailwatch spits out to the DB

esets: Found virus Win32/TrojanDownloader.FakeAlert.HK trojan in 
Late.Night.rar » RAR » 
Late.Night.CamRip.Sexual.Blondy.Fuck.And.Suck.avi.exe
Clamd: Late.Night.rar was infected: Trojan.Fakealert-532 esets: Found 
virus Win32/TrojanDownloader.FakeAlert.HK trojan in Late.Night.rar

if we had this it would be enough:

esets: Found virus Win32/TrojanDownloader.FakeAlert.HK trojan in 
Late.Night.rar » RAR »
Clamd: Late.Night.rar was infected: Trojan.Fakealert-532 Night.rar

at the end of the day the infected file is the RAR file, what's inside 
it becomes irrelevant so there's no real need to report it separately

Alex
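As an added example, not code from this thread, MailScanner or MailWatch: a small Python post-processor that folds the esets entries quoted above (one summary line per attachment plus one line per archive member, joined by " » ") into a single finding per top-level attachment, which is the one line Alex says would be enough. The regex, the sample lines and the ./411661008C85.5B8DE/Late.Night.rar path are assumptions modelled on the log fragments in the thread.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the esets lines quoted in the thread: a
# summary entry per attachment plus one entry per infected archive member.
SAMPLE_LOG = """\
Sep  5 23:04:17 ms1 MailScanner[25357]: name="./411661008C85.5B8DE/eicar_com.zip", threat="Eicar test file", action="", info=""
Sep  5 23:04:17 ms1 MailScanner[25357]: name="./411661008C85.5B8DE/eicar_com.zip » ZIP » eicar.com", threat="Eicar test file", action="", info=""
Sep  5 23:05:02 ms1 MailScanner[25357]: name="./411661008C85.5B8DE/Late.Night.rar", threat="Win32/TrojanDownloader.FakeAlert.HK trojan", action="", info=""
Sep  5 23:05:02 ms1 MailScanner[25357]: name="./411661008C85.5B8DE/Late.Night.rar » RAR » Late.Night.avi.exe", threat="Win32/TrojanDownloader.FakeAlert.HK trojan", action="", info=""
Sep  5 23:05:02 ms1 MailScanner[25357]: name="./411661008C85.5B8DE/Late.Night.rar » RAR » readme.exe", threat="Win32/Other.Example", action="", info=""
Sep  5 23:04:16 ms1 MailScanner[25357]: Clamd::INFECTED:: Eicar-Test-Signature :: ./411661008C85.5B8DE/eicar_com.zip
"""

# Assumed esets field layout (name="...", threat="...") as shown in the thread.
ESETS_RE = re.compile(r'MailScanner\[\d+\]: name="(?P<name>[^"]*)", threat="(?P<threat>[^"]*)"')
NEST_SEP = " » "  # esets separates archive levels like: outer.zip » ZIP » inner

def parse_esets_line(line):
    """Return (top-level attachment path, threat) for an esets line, else None."""
    m = ESETS_RE.search(line)
    if not m:
        return None  # e.g. a Clamd line, or a non-scanner log entry
    # Everything before the first " » " is the attachment MailScanner acts on;
    # what follows names members inside it, which is the part to fold away.
    return m.group("name").split(NEST_SEP, 1)[0], m.group("threat")

def collapse_esets_log(text):
    """Fold summary + per-member esets entries into one finding per attachment.

    Returns an OrderedDict: attachment path -> sorted distinct threat names,
    in first-seen order, so a member with a different threat name is not lost.
    """
    found = OrderedDict()
    for line in text.splitlines():
        parsed = parse_esets_line(line)
        if parsed:
            path, threat = parsed
            found.setdefault(path, set()).add(threat)
    return OrderedDict((p, sorted(t)) for p, t in found.items())

def render(found):
    """One MailWatch-style line per infected attachment."""
    return ["esets: Found virus %s in %s" % (", ".join(t), p) for p, t in found.items()]

if __name__ == "__main__":
    for line in render(collapse_esets_log(SAMPLE_LOG)):
        print(line)
```

Run against the sample it prints two lines, one for eicar_com.zip and one for Late.Night.rar, instead of the five esets lines that went in.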
