Hi Mark,

I noticed a peculiarity this morning in my amavis log reports, which 
claimed that both ClamAV-clamd and McAfee AntiVirus detected the 
SaneSecurity malware:

   Email.Malware.Sanesecurity.07082700

It was clear that uvscan did not detect a SaneSecurity signature, so I 
tracked down the associated log messages:

... ask_av (ClamAV-clamd): /var/amavis/tmp/amavis-123/parts
    INFECTED: Email.Malware.Sanesecurity.07082700

... run_av (NAI McAfee AntiVirus (uvscan)):
     INFECTED: W32/Zhelatin.gen!eml, W32/Zhelatin.gen!eml

... virus_scan: (Email.Malware.Sanesecurity.07082700), detected by
     2 scanners: ClamAV-clamd, NAI McAfee AntiVirus (uvscan)

The amavis-logwatch reporter uses the virus_scan line to trigger its 
"Malware by scanner" report, so the report indicated that both scanners 
detected Email.Malware.Sanesecurity.07082700, which is incorrect.  As we 
can see above, uvscan detected W32/Zhelatin.gen!eml.

I see that @virusname is used in virus_scan() as the list of virus names:

   if (@virusname && @detecting_scanners) {
     my(@ds) = @detecting_scanners;  for (@ds) { s/,/;/ }  # facilitates parsing
     ll(2) && do_log(2, "virus_scan: (%s), detected by %d scanners: %s",
                        join(', ',@virusname), scalar(@ds), join(', ',@ds));
   }

but it seems @virusname isn't correct when multiple scanners produce 
different malware names.  Should the log entry really be something like:

   virus_scan: (Email.Malware.Sanesecurity.07082700, W32/Zhelatin.gen!eml),
     detected by 2 scanners: ClamAV-clamd, NAI McAfee AntiVirus (uvscan)

or some variant that is easy to parse and that makes the malware-to-scanner 
mapping clear?

Mike
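
As an added example (not amavisd-new or amavis-logwatch code), the following
script shows the mismatch described in the message: it reads the per-scanner
ask_av/run_av lines alongside the virus_scan summary line, builds the
scanner-to-malware mapping from the per-scanner lines, and flags every
scanner that the summary credits with a name it never reported. The sample
log is constructed from the lines quoted above; the timestamps, hostname,
pid and task id are invented.

```python
"""Correlate per-scanner amavis detections with the virus_scan summary line.

Added example, not amavisd-new or amavis-logwatch code.  SAMPLE_LOG is
constructed from the lines quoted in the message; timestamps, host, pid
and task id are invented.
"""
import re

SAMPLE_LOG = """\
Aug 27 09:12:01 mx amavis[1234]: (01234-05) ask_av (ClamAV-clamd): /var/amavis/tmp/amavis-123/parts INFECTED: Email.Malware.Sanesecurity.07082700
Aug 27 09:12:02 mx amavis[1234]: (01234-05) run_av (NAI McAfee AntiVirus (uvscan)): INFECTED: W32/Zhelatin.gen!eml, W32/Zhelatin.gen!eml
Aug 27 09:12:02 mx amavis[1234]: (01234-05) virus_scan: (Email.Malware.Sanesecurity.07082700), detected by 2 scanners: ClamAV-clamd, NAI McAfee AntiVirus (uvscan)
"""

# One line per scanner invocation.  The scanner name may itself contain
# parentheses ("NAI McAfee AntiVirus (uvscan)"), so match lazily up to the
# first "):" rather than stopping at the first ")".
SCANNER_RE = re.compile(
    r'\((?P<task>[0-9A-Za-z-]+)\) (?:ask_av|run_av) \((?P<scanner>.+?)\):'
    r'.*?INFECTED: (?P<names>.+)$')

# The summary line written by virus_scan() in amavisd.  Commas inside
# scanner names were already turned into ";" there, so "," is a safe
# separator for the scanner list.
SUMMARY_RE = re.compile(
    r'\((?P<task>[0-9A-Za-z-]+)\) virus_scan: \((?P<names>.*)\), '
    r'detected by (?P<count>\d+) scanners?: (?P<scanners>.+)$')


def split_list(field):
    """Split a comma-joined field, dropping repeats but keeping order
    (uvscan reports the same name once per infected part)."""
    items = [s.strip() for s in field.split(',')]
    return list(dict.fromkeys(s for s in items if s))


def parse_scanner_detections(log_text):
    """Return {task_id: {scanner: [virus names]}} from ask_av/run_av lines.

    This is the mapping a "Malware by scanner" report actually needs; it
    does not depend on how the summary line joins the names.
    """
    found = {}
    for line in log_text.splitlines():
        m = SCANNER_RE.search(line)
        if m:
            found.setdefault(m['task'], {})[m['scanner']] = split_list(m['names'])
    return found


def parse_summaries(log_text):
    """Return {task_id: ([virus names], [scanners])} from virus_scan lines."""
    found = {}
    for line in log_text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            found[m['task']] = (split_list(m['names']), split_list(m['scanners']))
    return found


def summary_mismatches(log_text):
    """List (task, scanner, names the summary implies, names the scanner reported).

    A reporter that reads only the virus_scan line credits every listed
    scanner with every listed name.  Compare that with what each scanner
    said on its own ask_av/run_av line and report the disagreements.
    """
    per_scanner = parse_scanner_detections(log_text)
    mismatches = []
    for task, (names, scanners) in parse_summaries(log_text).items():
        for scanner in scanners:
            actual = per_scanner.get(task, {}).get(scanner)
            if actual is not None and actual != names:
                mismatches.append((task, scanner, names, actual))
    return mismatches


if __name__ == '__main__':
    for task, scanner, implied, actual in summary_mismatches(SAMPLE_LOG):
        print(f"{task} {scanner}: summary implies {implied}, "
              f"scanner reported {actual}")
```

Run against the constructed sample, the script reports that the summary
credits uvscan with Email.Malware.Sanesecurity.07082700 while uvscan's own
line says W32/Zhelatin.gen!eml; ClamAV-clamd agrees with the summary and is
not listed. The per-scanner dictionary is the mapping a reporter can rely on
regardless of how the virus_scan line is eventually formatted.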

_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
