On 10/29/08 6:42 PM, Voytek Eymont wrote:
>
> what's a better way to get some 'effectiveness/usefulness stats' from my mail
> server?
>
> # grep 'Detected by 1' /var/log/maillog | grep Clam
> Oct 27 03:18:35 bilby amavis[2755]: (02755-10) virus_scan:
> (Sanesecurity.Phishing.Bank.3191.UNOFFICIAL), detected by 1 scanners:
> ClamAV-clamd

[snip]

At one point, amavis-logwatch used to use the "virus_scan" log lines, 
but now ignores them, and instead uses the "run_av" log lines generated 
at $log_level=2 :

$ amavis-logwatch --nodetail --nosummary --limit malwareby="2 ::6" \
     /var/log/amavisd-info.log

****** Detail *****************************************************

      332   Malware by scanner 
-------------------------------------------------------------------
      316      ClamAV-clamd
       35         Email.Spam.Gen4055.Sanesecurity.08100104.UNOFFICIAL
       23         Email.Spam.Gen4035.Sanesecurity.08092800.UNOFFICIAL
       13         Email.Hdr.Sanesecurity.08092400.UNOFFICIAL
       12         Email.Spam.Gen4073.Sanesecurity.08100401.UNOFFICIAL
       12         Sanesecurity.Phishing.Bank.2986.UNOFFICIAL
        9         Phishing.Heuristics.Email.SpoofedDomain
                  ...
       16      NAI McAfee AntiVirus (uvscan)
       13         Generic Malware.a!zip
        1         Exploit-MIME.gen.exe
        1         New
        1         Phish-BankFraud.eml.b

The "virus_scan" code is still in amavis-logwatch, but commented out.
It was disabled because it caused miscounts when a virus was detected by
multiple scanners.  You can reinstate the code if you want by
uncommenting the appropriate lines (search virus_scan), and commenting
out the one line that tells amavis-logwatch to ignore "virus_scan" log lines,
or I can send you a no-warranty, modified version.  But there's more
info at $log_level=2.

Mike
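
Added example, not part of the original message and not amavis-logwatch code: a small Python tally of "virus_scan" lines in the format quoted above, showing why per-scanner counts add up to more than the number of infected messages when several scanners flag the same mail. The sample log lines are constructed, and the comma-separated name and scanner lists are an assumption about the log format.

```python
import re
from collections import Counter

# Pattern follows the "virus_scan" line quoted in the thread. Comma-separated
# lists for several names/scanners are an assumption, not confirmed by the page.
VIRUS_SCAN = re.compile(
    r"amavis\[\d+\]: \([^)]+\) virus_scan: \((?P<names>[^)]*)\), "
    r"detected by \d+ scanners?: (?P<scanners>.+)$"
)

# Constructed sample input (one log record per line, as in a real maillog).
SAMPLE_LOG = """\
Oct 27 03:18:35 bilby amavis[2755]: (02755-10) virus_scan: (Sanesecurity.Phishing.Bank.3191.UNOFFICIAL), detected by 1 scanners: ClamAV-clamd
Oct 27 03:20:02 bilby amavis[2755]: (02755-11) virus_scan: (Sanesecurity.Phishing.Bank.2986.UNOFFICIAL, Phish-BankFraud.eml.b), detected by 2 scanners: ClamAV-clamd, NAI McAfee AntiVirus (uvscan)
Oct 27 03:21:40 bilby amavis[2760]: (02760-03) virus_scan: (Generic Malware.a!zip), detected by 1 scanners: NAI McAfee AntiVirus (uvscan)
Oct 27 03:22:10 bilby amavis[2760]: (02760-04) Passed CLEAN, <a@example.com> -> <b@example.com>
"""


def tally(lines):
    """Return (infected_messages, per_scanner, per_name) from virus_scan lines."""
    infected = 0
    per_scanner = Counter()
    per_name = Counter()
    for line in lines:
        m = VIRUS_SCAN.search(line.rstrip())
        if not m:
            continue  # not a virus_scan record
        infected += 1  # assumes one virus_scan line per infected message
        # A message flagged by two scanners is credited to both of them,
        # so the per-scanner counts must not be summed into a total.
        for scanner in set(m.group("scanners").split(", ")):
            per_scanner[scanner] += 1
        for name in set(m.group("names").split(", ")):
            per_name[name] += 1
    return infected, per_scanner, per_name


if __name__ == "__main__":
    infected, per_scanner, per_name = tally(SAMPLE_LOG.splitlines())
    print(f"{infected:6d}   Infected messages")
    for scanner, count in per_scanner.most_common():
        print(f"{count:6d}      {scanner}")
    print(f"{sum(per_scanner.values()):6d}   Sum of scanner hits (not a message count)")
```

The "virus_scan" line does not say which scanner reported which name, so names are counted per message only.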
