Mark Martinec wrote:
> Mike,
> 
>> I noticed a peculiarity this morning in my amavis log reports, which
>> claimed that both ClamAV-clamd and McAfee AntiVirus detected the

> 
> Admittedly this log report can be misleading. There is currently
> only one list of virus names found (@virusname), and it receives
> its value from the FIRST scanner that reports an infection.
> And the 'detected by' lists ALL scanners that reported infection,
> regardless of what virus names they find and report.
> 
> It is often the case that different scanners use different names for the
> same type of infection, so it was considered redundant to report
> all names reported by all scanners.
> 
> The 'virus_scan: (...), detected by ... scanners: ...' is a
> summary report at log level 2. As you noticed, more detailed
> reports are available at higher log levels when needed.

Got it.


> 
>> The amavis-logwatch reporter uses the virus_scan line to trigger its
>> Malware by scanner report, thus the report indicated that both scanners
>> detected the Email.Malware.Sanesecurity.07082700, which is incorrect.
>> As we can see above, uvscan detected W32/Zhelatin.gen!eml.
> 
>> Should the log entry really be something like: 
>>    virus_scan: (Email.Malware.Sanesecurity.07082700,
>> W32/Zhelatin.gen!eml), detected by
>>      2 scanners: ClamAV-clamd, NAI McAfee AntiVirus (uvscan)
>>
>> or some variant that is easy to parse and correlate the malware to
>> scanner mapping ?
> 
> Actually the:
>   do_log(2,"run_av (%s): INFECTED: %s", $av_name, ...
> is also logged at log level 2. So why not use this log entry
> for more detailed log analysis?
> 
>   Mark

Already done and posted on Sept 1:

2007-09-01 (version: 1.48.21)
  - Fix: use ask_av and run_av as virus indicators for Malware
    by Scanner, as the previously used virus_scan line does not
    report accurate information when multiple scanners report
    different malware names

Thanks Mark,
Mike
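To illustrate the difference Mike describes, here is an added Python example (not amavis-logwatch's own code) that builds the malware-by-scanner mapping both ways from constructed amavisd-style log lines: once from the virus_scan summary, which wrongly credits every listed scanner with the first scanner's virus name, and once from the per-scanner run_av INFECTED lines. The syslog prefix and the ", " separator for multiple names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log in amavisd-new syslog style (not taken from the post).
# The second message reproduces the case from the thread: ClamAV and uvscan
# report different names for the same infected mail.
SAMPLE_LOG = """\
Sep  1 08:12:03 mx1 amavis[4711]: (04711-01) run_av (ClamAV-clamd): INFECTED: Email.Malware.Sanesecurity.07082700
Sep  1 08:12:04 mx1 amavis[4711]: (04711-01) run_av (NAI McAfee AntiVirus (uvscan)): INFECTED: W32/Zhelatin.gen!eml
Sep  1 08:12:04 mx1 amavis[4711]: (04711-01) virus_scan: (Email.Malware.Sanesecurity.07082700), detected by 2 scanners: ClamAV-clamd, NAI McAfee AntiVirus (uvscan)
Sep  1 08:15:40 mx1 amavis[4712]: (04712-01) run_av (ClamAV-clamd): INFECTED: Eicar-Test-Signature
Sep  1 08:15:40 mx1 amavis[4712]: (04712-01) virus_scan: (Eicar-Test-Signature), detected by 1 scanners: ClamAV-clamd
"""

# run_av (%s): INFECTED: %s  -- the scanner name may itself contain parentheses,
# so the non-greedy group must be terminated by the literal "): INFECTED: ".
RUN_AV_RE = re.compile(r"run_av \((?P<scanner>.+?)\): INFECTED: (?P<names>.+)$")
# virus_scan: (<names from FIRST scanner>), detected by N scanners: <all scanners>
VIRUS_SCAN_RE = re.compile(
    r"virus_scan: \((?P<names>.*?)\), detected by \d+ scanners?: (?P<scanners>.+)$"
)


def _split_list(field):
    # Assumption: amavis joins multiple items with ", ".
    return [item.strip() for item in field.split(",") if item.strip()]


def malware_by_scanner_from_virus_scan(log_text):
    """The misleading method: attribute the summary's names to every scanner listed."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = VIRUS_SCAN_RE.search(line)
        if m:
            for scanner in _split_list(m.group("scanners")):
                found[scanner].update(_split_list(m.group("names")))
    return {scanner: sorted(names) for scanner, names in found.items()}


def malware_by_scanner_from_run_av(log_text):
    """The accurate method: each run_av line names exactly one scanner and its verdict."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = RUN_AV_RE.search(line)
        if m:
            found[m.group("scanner")].update(_split_list(m.group("names")))
    return {scanner: sorted(names) for scanner, names in found.items()}


if __name__ == "__main__":
    print("from virus_scan:", malware_by_scanner_from_virus_scan(SAMPLE_LOG))
    print("from run_av:    ", malware_by_scanner_from_run_av(SAMPLE_LOG))
```

Run against the sample, the virus_scan-based table credits uvscan with the Sanesecurity signature it never reported, while the run_av-based table keeps each scanner's own name.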

_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
