-----Original Message-----
From: Christoph Martin [mailto:[EMAIL PROTECTED] 

> Hi,
> 
> is there a method to log which of the virus-scanners I have configured
> for mimedefang has actually found the virus?
> 
> Christoph

Here's what I do.  In sub filter_begin, look for the following lines from
the standard mimedefang-filter, and note my comments in the code...

    if ($FoundVirus) {
        md_graphdefang_log('virus', $VirusName, $RelayAddr);
        #############################
        # Added this next line, to log which scanner found the virus.
        # This required patching mimedefang.pl to provide $VirusScanner
        md_graphdefang_log('scanner_name', $VirusScanner, $VirusName);
        #############################

        return action_discard();
    }

Then, in mimedefang.pl, I do the following...

At the top of mimedefang.pl, in the "use vars" section, I insert a new
variable called $VirusScanner into the list, like so...

        # My deepest apologies for this mess of globals...
        use vars qw($AddWarningsInline @StatusTags $VirusScanner

Then, further down, in each "sub entity_contains_virus_*" and "sub
message_contains_virus_*", appropriate to the scanners that I use, I define
$VirusScanner as follows...

        sub entity_contains_virus_filescan ($) {
            $VirusScanner = "FileScan";

...and

        sub message_contains_virus_filescan ($) {
            $VirusScanner = "FileScan"; 

The resulting log entries look like this...

Jun 23 11:56:03 mail01 mimedefang.pl[31038]: MDLOG,j5NFtvEe002275,scanner_name,FileScan,W32/[EMAIL PROTECTED],<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Re:

Might even be something David would consider making a permanent part of MD?

When I run my log parsing reports at midnight, I get a nice breakdown that
looks like this...

THE FOLLOWING SCANNERS FOUND THESE VIRUSES
        CLAMD: Broken.Executable
        CLAMD: Exploit.HTML.IFrame
        CLAMD: HTML.Phishing.Bank-1
        CLAMD: HTML.Phishing.Bank-104
        CLAMD: HTML.Phishing.Bank-137
        CLAMD: HTML.Phishing.Bank-211
        CLAMD: HTML.Phishing.Bank-225
        CLAMD: HTML.Phishing.Bank-246
        CLAMD: HTML.Phishing.Pay-14
        CLAMD: HTML.Phishing.Pay-27
        CLAMD: HTML.Phishing.Pay-43
        CLAMD: Worm.Bagle.AG.2
        CLAMD: Worm.Bagle.Gen-zippwd
        CLAMD: Worm.Dumaru.K
        CLAMD: Worm.Mytob.AF
        CLAMD: Worm.Mytob.AL
        CLAMD: Worm.Mytob.BM-2
        CLAMD: Worm.Mytob.BT
        CLAMD: Worm.Mytob.CL
        CLAMD: Worm.Mytob.CS
        CLAMD: Worm.Mytob.CW
        CLAMD: Worm.Mytob.DI
        CLAMD: Worm.Mytob.DJ
        CLAMD: Worm.Mytob.DK
        CLAMD: Worm.Mytob.F
        CLAMD: Worm.Mytob.Gen-1
        CLAMD: Worm.Mytob.Gen-2
        CLAMD: Worm.Mytob.T-2
        CLAMD: Worm.Mytob.V
        CLAMD: Worm.SomeFool.Gen-1
        CLAMD: Worm.SomeFool.P
     FileScan: W32/Bagle.af
     FileScan: W32/Bagle.ai
     FileScan: W32/Bugbear.b
     FileScan: W32/Netsky
     FileScan: W32/Netsky.c
     FileScan: W32/Netsky.p
     FileScan: W32/Zafi.b
       VEXIRA: Worm/Mytob.EN
       VEXIRA: Worm/Mytob.U

Hope this helps.


Ken
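As an added example (not Ken's own reporting script and not part of the MIMEDefang project), here is a small parser for the scanner_name MDLOG entries that the patch above produces, rendering the same per-scanner breakdown as the report quoted in the message. The log lines embedded below are constructed for the example; the field layout MDLOG,queue-id,event,value1,value2,sender,recipient,subject is taken from the log entry quoted above, and only the leading fields are matched because a subject may itself contain commas.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the shape of the MDLOG entries shown in
# the message (addresses and queue ids are made up for this example).
SAMPLE_LOG = """\
Jun 23 11:56:03 mail01 mimedefang.pl[31038]: MDLOG,j5NFtvEe002275,scanner_name,FileScan,W32/Netsky.p@MM,<a@example.test>,<b@example.test>,Re: hi, there
Jun 23 11:57:10 mail01 mimedefang.pl[31038]: MDLOG,j5NFuAbC002280,virus,W32/Netsky.p@MM,10.0.0.5,<a@example.test>,<b@example.test>,Re: hi
Jun 23 12:01:44 mail01 mimedefang.pl[31040]: MDLOG,j5NG1iXY002301,scanner_name,CLAMD,Worm.Mytob.AF,<c@example.test>,<d@example.test>,hello
Jun 23 12:02:01 mail01 mimedefang.pl[31040]: MDLOG,j5NG2bQR002305,scanner_name,CLAMD,Worm.Mytob.AF,<e@example.test>,<f@example.test>,again
Jun 23 12:05:30 mail01 mimedefang.pl[31041]: MDLOG,j5NG5eZZ002310,scanner_name,VEXIRA,Worm/Mytob.EN,<g@example.test>,<h@example.test>,
Jun 23 12:06:00 mail01 mimedefang.pl[31041]: MDLOG,j5NG6aAA002312,mail_in,,,<i@example.test>,<j@example.test>,unrelated
"""

# Match only the leading MDLOG fields: queue id, event, value1, value2.
# The trailing sender/recipient/subject fields are left alone since a
# subject line may contain commas of its own.
MDLOG_RE = re.compile(
    r"MDLOG,(?P<qid>[^,]*),(?P<event>[^,]*),(?P<v1>[^,]*),(?P<v2>[^,]*),"
)


def parse_scanner_hits(log_text):
    """Return {scanner: {virus_name: count}} built from scanner_name events.

    For a scanner_name event, value1 is the scanner label set in $VirusScanner
    and value2 is the $VirusName that scanner reported.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = MDLOG_RE.search(line)
        if not m or m.group("event") != "scanner_name":
            continue
        scanner, virus = m.group("v1"), m.group("v2")
        if not scanner or not virus:
            continue  # malformed entry; skip rather than mis-attribute
        hits[scanner][virus] += 1
    return {scanner: dict(names) for scanner, names in hits.items()}


def format_report(hits):
    """Render the breakdown in the layout of the quoted report: one line per
    distinct virus name, scanner labels right-aligned in a common column."""
    lines = ["THE FOLLOWING SCANNERS FOUND THESE VIRUSES"]
    width = max((len(s) for s in hits), default=0) + 5
    for scanner in sorted(hits):
        for virus in sorted(hits[scanner]):
            lines.append(f"{scanner:>{width}}: {virus}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(parse_scanner_hits(SAMPLE_LOG)))
```

The per-name counts that parse_scanner_hits keeps (the quoted report lists names only) are worth watching over time: a scanner that stops appearing in the breakdown while the others keep firing is an early sign that its signature updates have stalled.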
_______________________________________________
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang