What I used to create that little summary of my viruses was
some grepping of the post-facto logs I create, as described on Thursday,
archived here:
The short version is that I run f-prot on every suspicious
spam during the dark of night, because in my configuration I have chosen
not to bother scanning held spam for viruses (this is through the AVAFTERJM
ON switch in the virus.cfg file).
I redirect the output from fpcmd.exe to a text file,
appending as it goes. I then use grep to count the number of unique lines
that indicate an infection or suspicious file to count the
viruses.
The post I made at the top of this thread was made with
gawk doing the math while totaling the viruses. It may not be pretty,
but I'll include that snippet as a text attachment here called
VirusFamilyTotals.cmd, as a .txt file. With a few "if" statements, that
gawk script could print out the full explanation of the text I replaced for the
first three lines in the output.
If you have a vanilla Declude antivirus configuration, then
you can just filter the virMMDD.log files with another scriptlet I made, which
I'll also attach. It's called VirusList.cmd and you simply pass it the
name of the virMMDD.log file or files that you want to look at, e.g.
viruslist.cmd vir01??.log ... it will show you the Declude line, and then
provide a table at the end with the totals.
I used to run the VirusList.cmd as a task, and then
the task would email me the results.
Both scripts depend on the *nix utilities which are
freely available here:
Andrew
8)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Imail
Sent: Friday, January 27, 2006 11:37 AM
To: [email protected]
Subject: Re: [Declude.Virus] My quick and dirty virus stats
Andrew,
What are you using to compile these numbers?
Mark
At 12:48 PM 1/27/2006, you wrote:
Just because it's easy to produce...
This is from the viruses that get caught as spam from Dec 01 2005 through yesterday:
13 Suspicious program in Archive
1 Suspicious program
5 Unknown Virus
57 W32/Bagle
1 W32/Banker
13 W32/Brepibot
28 W32/Kapser
33 W32/Klez
108 W32/Mitglieder
13 W32/Mydoom
665 W32/Mytob
1,124 W32/Netsky
5,607 W32/Sober
1 W32/Torvil
5 W32/Zafi
Andrew 8)
VirusFamilyTotals.cmd:
@echo off
rem This pulls out the last word of each detection line, keeps only the part of the name
rem before the first dot (the family name, e.g. W32/Netsky.P@mm becomes W32/Netsky), and
rem stores it in an array, incrementing the counter for that element of the array each time.
rem Lines such as "(compressiontool) may contain an unknown virus" get truncated to just "virus"
rem How to find all the exceptions:
rem gawk "($0 ~ /SMD->/) && ($NF !~ /W32/)" F-ProtResultDEC????.txt
rem e.g. here are some exceptions:
rem (encrypted program in archive)
rem is a security risk or a "backdoor" program
rem (FSG) could be infected with an unknown virus
rem (PCK) could be infected with an unknown virus
fgrep -h "SMD->" F-ProtResultDEC????.txt | gawk "{split($NF,temp,\".\"); virusnames[temp[1]]++} END {for (i in virusnames) print i,virusnames[i]}" | usort
VirusList.cmd:
@echo off
if "%1" == "" goto explain
if not exist %1 (echo No such file [%1] & goto quit)
rem Show the Declude line that names the scanner, then count the infections it logged
gawk "$4 ~ /Scanner/" %1
echo.
grep INFECTED %1 | cut -d " " -f 7- | usort | uniq -c | usort
goto quit
:explain
echo This batch file shows which infections are detected and their count
echo Run it with the name of the file(s) to check, e.g. VirusList.cmd vir0415.log
echo.
:quit
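The counting that Andrew describes in his reply and that VirusFamilyTotals.cmd performs, written here as an added POSIX sh/awk example that is not part of the original post or its attachments. It goes one step further than the gawk one-liner: instead of truncating the non-W32 verdicts to the word "virus", it keeps them under the three headings from the summary table ("Suspicious program in Archive", "Suspicious program", "Unknown Virus"). The exact fpcmd line layout, the mapping of the wording to those headings, and the sample lines themselves are assumptions; the only property relied on, as in the original script, is that a detection line contains "SMD->" and ends with the detection name.

```shell
#!/bin/sh
# Added example (not from the original post): family totals from F-Prot output,
# the way VirusFamilyTotals.cmd counts them, plus named buckets for the
# non-W32 verdicts instead of the truncated word "virus".

# Constructed sample of fpcmd output (NOT a real scanner log); the line layout
# is an assumption, only "SMD->" and the trailing detection name matter.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
C:\spool\D1.SMD->setup.exe  Infection: W32/Netsky.P@mm
C:\spool\D2.SMD->doc.zip->doc.exe  Infection: W32/Sober.Y@mm
C:\spool\D3.SMD->photo.pif  Infection: W32/Netsky.Q@mm
C:\spool\D4.SMD->tool.zip->tool.exe  (PCK) could be infected with an unknown virus
C:\spool\D5.SMD->game.exe  is a security risk or a "backdoor" program
C:\spool\D6.SMD->arc.rar->x.exe  (encrypted program in archive)
C:\spool\D7.SMD->news.exe  Infection: W32/Sober.Y@mm
Scanning completed: 7 files
EOF

# family_totals FILE...  -> "count family" lines, highest count first
family_totals() {
    grep -h 'SMD->' "$@" | awk '
        # W32 names carry the family before the first dot: W32/Netsky.P@mm -> W32/Netsky
        $NF ~ /^W32\// { split($NF, parts, "."); fam[parts[1]]++; next }
        # Anything else is one of the non-W32 verdicts; assumed mapping to the
        # three headings used in the summary table
        /unknown virus/      { fam["Unknown Virus"]++; next }
        /program in archive/ { fam["Suspicious program in Archive"]++; next }
                             { fam["Suspicious program"]++ }
        END { for (f in fam) printf "%d %s\n", fam[f], f }
    ' | sort -rn
}

# count_for FAMILY FILE...  -> the count for one family (0 if it never appears)
count_for() {
    fam="$1"; shift
    n=$(family_totals "$@" | awk -v f="$fam" '{ c=$1; $1=""; sub(/^ /,""); if ($0==f) print c }')
    echo "${n:-0}"
}

family_totals "$SAMPLE_LOG"
```

Run against real output by replacing "$SAMPLE_LOG" with the F-ProtResult files (shell globs such as F-ProtResultDEC????.txt work because family_totals passes all its arguments to grep).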
