Re: [Clamav-users] Perl script for sorting logs entries
On Mon, 2004-08-30 at 18:33, Internet Helpdesk wrote:

> For example: ./source_virus_count.pl -l amavis -f amavis/amavis.log -r -c 10
>
> For this to work for milter, what logging do I need to have? Do I enable verbose logging in clamav.conf? Right now in my log I have:
>
> Mon Aug 2 14:00:49 2004 - /home/clamquar/040802/msg.TwmNG2: Worm.Bagle.N FOUND
> Mon Aug 2 14:01:38 2004 - /home/clamquar/040802/msg.1dEnWr: Worm.SomeFool.P FOUND

You will need LogSyslog in your clamav.conf. I'm not sure if you need anything special in your sendmail.mc but I have the following.

INPUT_MAIL_FILTER(`clmilter',`S=local:/var/spool/MIMEDefang/clmilter.sock, F=T, T=S:45s;R:45s')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter')

On Redhat this would create similar log entries to the following in /var/log/maillog. Other platforms and variations of Linux should work fine.

Aug 31 08:37:19 ns2b sendmail[5491]: i7VCbAus005491: from=[EMAIL PROTECTED], size=41727, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=rrcs-se-24-227-44-226.biz.rr.com [24.227.44.226]
Aug 31 08:37:19 ns2b clamav-milter[23178]: i7VCbAus005491: stream: Worm.SomeFool.P Intercepted virus from [EMAIL PROTECTED] to [EMAIL PROTECTED]
Aug 31 08:37:19 ns2b sendmail[5491]: i7VCbAus005491: Milter: data, discard
Aug 31 08:37:19 ns2b sendmail[5491]: i7VCbAus005491: discarded

--- This SF.Net email is sponsored by BEA Weblogic Workshop FREE Java Enterprise J2EE developer tools! Get your free copy of BEA WebLogic Workshop 8.1 today. http://ads.osdn.com/?ad_id=5047alloc_id=10808op=click
___ Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
[Clamav-users] Perl script for sorting logs entries - version 0.20
I have corrected a few bugs, added smtp support, and added a minimum virus count. For smtp support you will need to define your smtp server and email address in the perl script. You will also need LogSyslog enabled in your clamav.conf for Milter logging.

Options:
-h Help
-f Log file
-l Log type - valid types are: amavis and milter - Defaults to milter
-r Show recipients
-s Show senders - Milter only
-c Minimum virus count for unique hosts
-v Minimum virus type count
-m Email report to predefined values set in this perl script
-V Version

For example: ./source_virus_count.pl -l amavis -f amavis/amavis.log -r -c 10

Shows a count of each virus type:
Count is 16 for Worm.SomeFool.P
Count is 13 for Worm.Zafi.B
Count is 7 for Worm.Klez.H
Count is 3 for Worm.SomeFool.Gen-1
Count is 1 for Worm.SomeFool.Q
Count is 1 for Worm.SomeFool.I
Count is 1 for Worm.Bagle.Gen-zippwd, Worm.Bagle.Gen-zippwd
Count is 1 for Worm.Bagle.AG.2
Count is 1 for Worm.SomeFool.X

Shows unique hosts with a virus count over 10:
mail.nsslawoffice.com sent the following viruses a total of 12 times:
Worm.Zafi.B was transmitted 12 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
#!/usr/bin/perl
# Licensed under the GNU GPL
#
# Features
#   Count the number of times a virus was sent in descending order
#   Count the number of times an IP address sent a virus in descending order
#   Show each unique virus that was sent for each IP address.
#   Populate a complex data structure with message ids, ip addresses, and
#   virus names. This is necessary since the ip address and virus name are
#   on separate lines but have the same message id.
#   Capable of sending email based reports
#
# Changelog
#   08/31/2004 - Released version 0.20
#   08/30/2004 - Released version 0.10
#   08/30/2004 - Added command line arguments
#   08/27/2004 - Corrected a bug where multiple Senders or viruses per IP
#                address would produce errors
#   08/20/2004 - Commented out Recipient information
#
# TODO
#   Review and cleanup of code
#   Add command line argument for only showing specific hosts who sent viruses
#   Fix bug where if no virus log lines are present then it will not close
#   with an error

use warnings;
use diagnostics;
use strict;
use vars qw/ $opt_h $opt_f $opt_l $opt_r $opt_s $opt_c $opt_v $opt_m $opt_V /;
use Getopt::Std;
use Net::SMTP;

my $Version     = 0.20;
my $host_count  = 10;   # -c: minimum infected mails before a host is listed
my $virus_count = 1;    # -v: minimum count before a virus type is listed
my $mail_server = '207.156.7.30';
my $mail_user   = '[EMAIL PROTECTED]';
my $log_file    = '/var/log/maillog';

getopts('hf:l:sc:v:rmV');

if ($opt_h) {
    print "Options:\n";
    print "-h Help\n";
    print "-f Log file\n";
    print "-l Log type - valid types are: amavis and milter - Defaults to milter\n";
    print "-r Show recipients\n";
    print "-s Show senders - Milter only\n";
    print "-c Minimum virus count for unique hosts\n";
    print "-v Minimum virus type count\n";
    print "-m Email report to predefined values set in this perl script\n";
    print "-V Version\n";
    exit 0;
}

$log_file = $opt_f if ($opt_f);

my $log_type;
if ($opt_l) {
    if ($opt_l eq 'amavis' or $opt_l eq 'milter') {
        $log_type = $opt_l;
    } else {
        print "-l Log type - valid types are: amavis and milter\n";
        exit 1;
    }
} else {
    $log_type = 'milter';
}

my $show_senders;
if ($opt_s) {
    if ($log_type eq 'amavis') {
        print "Showing of Senders not yet supported for Amavis\n";
        exit 1;
    }
    $show_senders = 1;
}
$host_count  = $opt_c if ($opt_c);
$virus_count = $opt_v if ($opt_v);
# 'my $x = 1 if COND;' is undefined behaviour in Perl; use a plain ternary.
my $show_recipients = $opt_r ? 1 : 0;
my $send_email      = $opt_m ? 1 : 0;
if ($opt_V) {
    print "Version $Version\n";
    exit 0;
}

our $ip_addr;
our $sender;
my $email;        # hashref: $email->{message_id}{ip_addr|virus|sender|recipient}
my %ip_addr;
my $virus;
my %virus;
my $Virus;
my $Sender;
my $recipient;
my $Recipient;
my $message_id;
my @text_body;

open(my $fh, '<', $log_file) or die "Can't open $log_file: $!\n";
while (<$fh>) {
    if ($log_type eq 'milter') {
        # sendmail "from=" line: queue id plus the relay's IP address
        if (/sendmail\[\d+\]:\s(\w+):.+\[(\d+\.\d+\.\d+\.\d+)\]/) {
            $message_id = $1;
            $ip_addr    = $2;
            $email->{$message_id}{ip_addr} = $ip_addr;
        }
        # clamav-milter verdict line carrying the same queue id
        elsif (/clamav-milter\[\d+\]:\s(\w+):\sstream:\s(\S+)\sIntercepted virus from <(.+?)> to <(.+?)>/) {
            $message_id = $1;
            $virus      = $2;
            $sender     = $3;
            $recipient  = $4;
            $email->{$message_id}{virus}     = $virus;
            $email->{$message_id}{sender}    = $sender;
            $email->{$message_id}{recipient} = $recipient;
        }
    } elsif ($log_type eq 'amavis') {
        # The amavis branch and the remainder of the script (reporting and
        # the Net::SMTP mailer) are cut off in the archived message.
    }
}
close($fh);
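The correlation the script above relies on (the sendmail "from=" line carries the relay IP, the clamav-milter line carries the verdict, and only the shared queue ID ties them together) is shown here as an added example in Python; it is not the list poster's script nor part of ClamAV. The maillog lines are constructed to match the shapes quoted earlier in the thread, with placeholder hosts, addresses and IPs. Two points the Perl version does not make explicit: the records are joined after the whole file is read, so line order does not matter, and the relay IP from the sendmail line is the key worth counting, because the envelope sender on the milter line is whatever the infected host chose to put there and mass-mailing worms forge it.

```python
import re
from collections import Counter, defaultdict

# Constructed sample maillog (not a real capture). One record is deliberately
# logged milter-line-first and one verdict has no matching sendmail line.
SAMPLE_MAILLOG = """\
Aug 31 08:37:19 ns2b sendmail[5491]: i7VCbAus005491: from=<a@example.org>, size=41727, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=host1.example.net [192.0.2.10]
Aug 31 08:37:19 ns2b clamav-milter[23178]: i7VCbAus005491: stream: Worm.SomeFool.P Intercepted virus from <a@example.org> to <b@example.com>
Aug 31 08:37:19 ns2b sendmail[5491]: i7VCbAus005491: Milter: data, discard
Aug 31 08:37:19 ns2b sendmail[5491]: i7VCbAus005491: discarded
Aug 31 08:40:02 ns2b clamav-milter[23178]: i7VCe2Xq005502: stream: Worm.Zafi.B Intercepted virus from <c@example.org> to <d@example.com>
Aug 31 08:40:02 ns2b sendmail[5502]: i7VCe2Xq005502: from=<c@example.org>, size=20480, class=0, nrcpts=1, msgid=<2@example.org>, proto=ESMTP, daemon=MTA, relay=host1.example.net [192.0.2.10]
Aug 31 08:41:00 ns2b sendmail[5510]: i7VCf0Ab005510: from=<e@example.org>, size=41000, class=0, nrcpts=1, msgid=<3@example.org>, proto=ESMTP, daemon=MTA, relay=host1.example.net [192.0.2.10]
Aug 31 08:41:00 ns2b clamav-milter[23178]: i7VCf0Ab005510: stream: Worm.SomeFool.P Intercepted virus from <e@example.org> to <b@example.com>
Aug 31 08:45:10 ns2b sendmail[5520]: i7VCjAcd005520: from=<g@example.org>, size=9000, class=0, nrcpts=1, msgid=<4@example.org>, proto=ESMTP, daemon=MTA, relay=host3.example.net [198.51.100.7]
Aug 31 08:45:10 ns2b clamav-milter[23178]: i7VCjAcd005520: stream: Worm.Bagle.AG.2 Intercepted virus from <g@example.org> to <h@example.com>
Aug 31 08:50:00 ns2b clamav-milter[23178]: i7VCo0Zz005530: stream: Worm.Klez.H Intercepted virus from <i@example.org> to <j@example.com>
"""

# sendmail "from=" line: queue ID and the TCP peer that relayed the message
SENDMAIL_FROM = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<?(?P<sender>[^>,]*)>?,"
    r".*relay=\S+ \[(?P<ip>\d+\.\d+\.\d+\.\d+)\]"
)
# clamav-milter verdict line: queue ID, signature name, envelope addresses
MILTER_VERDICT = re.compile(
    r"clamav-milter\[\d+\]: (?P<qid>\w+): stream: (?P<virus>\S+) "
    r"Intercepted virus from <(?P<sender>[^>]*)> to <(?P<rcpt>[^>]*)>"
)


def parse_maillog(text):
    """Join both halves of each event by queue ID.

    Returns {qid: {"ip", "sender", "virus", "rcpt"}} for queue IDs that have
    both a relay IP and a verdict. Verdicts without a sendmail line are
    dropped rather than attributed to the wrong host.
    """
    by_qid = defaultdict(dict)
    for line in text.splitlines():
        m = SENDMAIL_FROM.search(line)
        if m:
            by_qid[m["qid"]]["ip"] = m["ip"]
            continue
        m = MILTER_VERDICT.search(line)
        if m:
            by_qid[m["qid"]].update(virus=m["virus"], sender=m["sender"], rcpt=m["rcpt"])
    return {qid: ev for qid, ev in by_qid.items() if "ip" in ev and "virus" in ev}


def virus_counts(events, minimum=1):
    """Per-signature counts, most frequent first, omitting those below minimum."""
    counts = Counter(ev["virus"] for ev in events.values())
    return [(name, n) for name, n in counts.most_common() if n >= minimum]


def host_report(events, minimum=1):
    """Per-relay-IP summary for hosts that sent at least `minimum` infected mails."""
    per_ip = defaultdict(list)
    for ev in events.values():
        per_ip[ev["ip"]].append(ev)
    report = {}
    for ip, rows in sorted(per_ip.items(), key=lambda kv: -len(kv[1])):
        if len(rows) < minimum:
            continue
        report[ip] = {
            "total": len(rows),
            "viruses": dict(Counter(ev["virus"] for ev in rows)),
            "recipients": dict(Counter(ev["rcpt"] for ev in rows)),
        }
    return report


if __name__ == "__main__":
    evs = parse_maillog(SAMPLE_MAILLOG)
    for name, n in virus_counts(evs):
        print(f"Count is {n} for {name}")
    for ip, r in host_report(evs, minimum=2).items():
        print(f"{ip} sent infected mail {r['total']} times: {r['viruses']}")
```

Point it at a real /var/log/maillog by reading the file into `parse_maillog`; the `minimum` arguments play the role of the script's -c and -v options.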
[Clamav-users] Trojan.Baglet?
greetings all;

i'm having a lot of grief with some very persistent worm infections, many of which are not detected by our Symantec NAV Corporate edition (with up to the minute definitions). i keep submitting files to Symantec, and they keep sending me back responses that, yes, my file is infected, and with the latest definitions i'll catch this latest variant. what a waste of time! what i really want to know is what the infection mechanisms are here, and how i can prevent further infection. systems are windows 2000 sp4, with all the latest patches from MS. the worms i've seen so far have been:

Backdoor.Sdbot
Backdoor.Ranky.G
W32.Spybot.Worm
Trojan.Baglet

this last one has no entry in the Symantec database, even though this is the name they gave me for it. these are all Symantec names, although they are close to useless as they don't specify the infection mechanism for any of these. i'm asking these questions here because Trojan.Baglet appears to be a ClamAV designation. when i scan the file in question, Clam detects it as Trojan.Baglet.A. can anyone tell me more about this virus? about any of the virii i've mentioned earlier? Symantec is useless, i'm hoping this list may be more help :

thanks in advance.
henry
[Clamav-users] Can I submit a file if I'm not sure it's a virus?
I just received 3 emails with a subject of 'foto' or 'fotos' and a zip attachment named 'foto.zip' with 'calc.exe' and 'foto.htm' contained therein that passed through 3 different scanners undetected. I don't want to infect my own machine by opening it. Can I forward it to someone to check it out?
[Clamav-users] Messages that got through clam
I am running clam in series with RAV on CommuniGate Pro via cgpav. The messages go through clam first and if clam says OK then they go through RAV. Today RAV caught 4 messages that clam thought were OK. The following lines are from the RAV log. Should I provide the original messages to the clam team, via appropriate methods? And by the way, how does one send the clam team apparently virus laden e-mail?

Thanks,
Phil

Aug 31 12:47:22 [06801] infected with Win32/[EMAIL PROTECTED]
Aug 31 12:53:22 [06858] infected with Win32/[EMAIL PROTECTED]
Aug 31 14:01:30 [07878] infected with JS/Dword.dr*
Aug 31 09:22:20 [04888] infected with VBS/Baggle.Z.dr*
Aug 31 10:46:56 [05625] infected with HTML/IFrame_Exploit*
[Clamav-users] [OT] Symantec update frequency
On 8/31/2004 11:02 PM +0200, John Jolet wrote:

> I don't believe Symantec updates their definitions more than once a week. Certainly not for us poor home users. you can update all you want, but the file won't change.

The following are my experiences with new defs from Symantec:

Liveupdate: 1-2 times per week, they save up the 'non important' viruses.
Intelligent updater: 1-2 per day.
Beta intelligent updater: multiple times per day.

The catch is, that Joe Homeuser only uses liveupdate. If he wants to stay up-to-date, he has to grab the (beta) intelligent updates manually. Run them manually (this can be scripted, Symantec has some batch files on their website if you search long enough.) Symantec's corporate products can be configured to update more often than standard liveupdate.

Kind regards,
Niek Baakman
--
Read about mime: http://www.geoapps.com/nomime.shtml
Read about quoting: http://www.netmeister.org/news/learn2quote.html
Read about disclaimers: http://www.goldmark.org/jeff/stupid-disclaimers
Re: [Clamav-users] List Down
Daniel J McDonald said:

> On Tue, 2004-08-31 at 13:17, Chris Jett wrote:
>> Is the list down? I haven't gotten any list messages since this morning...
>
> No, merely slow. It only took 4 hours to be delivered to me. What do you want? Back in the bad old days we only got mail once a month, over a 1200 baud modem, in the snow, uphill both ways! And you're complaining about a 4-hour delay? Young whippersnapper! ;-)
> --
> Daniel J McDonald, CCIE 2495, CNX Austin Energy

1200 baud? Slow down, sonny! It wasn't that long ago that I was working at 50 baud with 5 bit code. Then some smart-aleck invented the lower case alphabet and we moved to a blazing 56.8 baud and added a bit for the shift character.
Re: [Clamav-users] OS X Installer and Permissions
Chris Jett at 2004-08-31 13:39 from [EMAIL PROTECTED] wrote:

> I am working on a double-click installer for Mac OS X. Everything seems to be working OK and I am able to start clamd just fine and scan files just fine. The only problem I am seeing is when trying to use freshclam. Here is the error I get on the command line:
>
> ClamAV update process started at Tue Aug 31 12:29:38 2004
> SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
> You need to have Gnu MP -- http://www.swox.com/gmp/
> Reading CVD header (main.cvd): OK
> ERROR: Can't open new file ./clamav-1a227263d1e5cc92 to write
> open: Permission denied
> ERROR: Can't download main.cvd from 64.69.64.158
>
> I think that I need to set a permission somewhere, but I can't figure out where. Any ideas?
Re: [Clamav-users] Can I submit a file if I'm not sure it's a virus?
> I just received 3 emails with a subject of 'foto' or 'fotos' and a zip attachment named 'foto.zip' with 'calc.exe' and 'foto.htm' contained therein that passed through 3 different scanners undetected. I don't want to infect my own machine by opening it. Can I forward it to someone to check it out?

http://clamav.catt.com/cgi-bin/sendvirus.cgi
Re: [Clamav-users] Can I submit a file if I'm not sure it's a virus?
On 9/1/2004 1:49 AM +0200, D.J. Fan wrote:

> I just received 3 emails with a subject of 'foto' or 'fotos' and a zip attachment named 'foto.zip' with 'calc.exe' and 'foto.htm' contained therein that passed through 3 different scanners undetected. I don't want to infect my own machine by opening it. Can I forward it to someone to check it out?

http://www.clamav.net
Click on 'submit sample'

Regards,
Niek Baakman
Re: [Clamav-users] Can I submit a file if I'm not sure it's a virus?
D.J. Fan said:

> I just received 3 emails with a subject of 'foto' or 'fotos' and a zip attachment named 'foto.zip' with 'calc.exe' and 'foto.htm' contained therein that passed through 3 different scanners undetected. I don't want to infect my own machine by opening it. Can I forward it to someone to check it out?

Check it at http://test-clamav.power-netz.de/
Re: [Clamav-users] Messages that got through clam
On 9/1/2004 1:52 AM +0200, Philip Ershler wrote:

> I am running clam in series with RAV on CommuniGate Pro via cgpav. The messages go through clam first and if clam says OK then they go through RAV. Today RAV caught 4 messages that clam thought were OK. The following lines are from the RAV log. Should I provide the original messages to the clam team, via appropriate methods? And by the way, how does one send the clam team apparently virus laden e-mail?
>
> Thanks,
> Phil
>
> Aug 31 12:47:22 [06801] infected with Win32/[EMAIL PROTECTED]
> Aug 31 12:53:22 [06858] infected with Win32/[EMAIL PROTECTED]
> Aug 31 14:01:30 [07878] infected with JS/Dword.dr*
> Aug 31 09:22:20 [04888] infected with VBS/Baggle.Z.dr*
> Aug 31 10:46:56 [05625] infected with HTML/IFrame_Exploit*

What version of clamav are you using? If 0.75.1, update to 0.75.1 or CVS. If the viruses are not detected after upgrading, submit them via: http://www.clamav.net 'submit sample'

Regards,
Niek Baakman
Re: [Clamav-users] List Down
> 1200 baud? Slow down, sonny! It wasn't that long ago that I was working at 50 baud with 5 bit code. Then some smart-aleck invented the lower case alphabet and we moved to a blazing 56.8 baud and added a bit for the shift character.

If you weren't able to whistle a connect tone for a 50 baud modem, you weren't really using one. :-)
Re: [Clamav-users] Can I submit a file if I'm not sure it's a virus?
D.J. Fan wrote:

> I just received 3 emails with a subject of 'foto' or 'fotos' and a zip attachment named 'foto.zip' with 'calc.exe' and 'foto.htm' contained therein that passed through 3 different scanners undetected.

This is Trojan.Dropper.Small-11 added in ClamAV update 475 just in the last hour. I got a couple that slipped through just before the update, but they are being caught now. My other virus scanners still don't detect it.

--
James Lick -- [EMAIL PROTECTED] -- http://jameslick.com/
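The question that runs through this thread is how to look at an attachment like foto.zip without opening it on the machine you are trying to protect. The following is an added example, not code from any of the posters or from ClamAV: it lists the members of a zip, hashes them (a SHA-256 is what you want in hand when submitting a sample), and flags the things that make an archive dangerous to unpack on a Windows desktop. The archive it inspects is constructed in memory to mirror the described attachment (calc.exe plus foto.htm); the "calc.exe" member is filler behind a PE/MZ header, not the real sample.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs directly on double-click.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Do not inflate members larger than this; a tiny archive that expands to
# gigabytes is a denial-of-service trick, not a photo. (Assumed limit.)
MAX_MEMBER_BYTES = 8 * 1024 * 1024

# Constructed stand-in for the reported attachment (not the real sample).
FAKE_EXE = b"MZ" + b"\x00" * 62 + b"placeholder, not a real program"
FAKE_HTM = b"<html><body>foto</body></html>"


def build_sample_zip():
    """Build the constructed foto.zip in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("calc.exe", FAKE_EXE)
        z.writestr("foto.htm", FAKE_HTM)
    return buf.getvalue()


def triage_zip(data):
    """Fingerprint and flag each member without extracting anything to disk.

    Nothing is executed; a member's bytes are read into memory only when its
    declared size is within MAX_MEMBER_BYTES.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            path = PurePosixPath(name)
            flags = []
            if name.startswith(("/", "\\")) or ".." in path.parts:
                flags.append("unsafe-path")         # would escape the extraction dir
            if path.suffix.lower() in EXECUTABLE_EXT:
                flags.append("executable-extension")
            if len(path.suffixes) > 1:
                flags.append("double-extension")    # e.g. photo.jpg.exe
            sha256 = None
            if info.file_size > MAX_MEMBER_BYTES:
                flags.append("oversized")
            else:
                body = z.read(info)
                sha256 = hashlib.sha256(body).hexdigest()
                if body[:2] == b"MZ":
                    flags.append("pe-header")       # DOS/PE executable magic
            findings.append({
                "name": name,
                "size": info.file_size,
                "compressed": info.compress_size,
                "sha256": sha256,
                "flags": flags,
            })
    return findings


def is_suspicious(findings):
    """True if any member looks executable or unsafe to unpack."""
    risky = {"executable-extension", "pe-header", "unsafe-path", "oversized"}
    return any(risky & set(f["flags"]) for f in findings)


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f["name"], f["size"], f["sha256"], ",".join(f["flags"]) or "-")
```

To inspect a real attachment, read the saved file's bytes into `triage_zip` on a non-Windows host; the flags and hashes tell you whether it is worth a sample submission before anyone double-clicks it.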
Re: [Clamav-users] Messages that got through clam
On Aug 31, 2004, at 8:02 PM, Niek wrote:

> On 9/1/2004 1:52 AM +0200, Philip Ershler wrote:
>
>> I am running clam in series with RAV on CommuniGate Pro via cgpav. The messages go through clam first and if clam says OK then they go through RAV. Today RAV caught 4 messages that clam thought were OK. The following lines are from the RAV log. Should I provide the original messages to the clam team, via appropriate methods? And by the way, how does one send the clam team apparently virus laden e-mail?
>>
>> Thanks,
>> Phil
>>
>> Aug 31 12:47:22 [06801] infected with Win32/[EMAIL PROTECTED]
>> Aug 31 12:53:22 [06858] infected with Win32/[EMAIL PROTECTED]
>> Aug 31 14:01:30 [07878] infected with JS/Dword.dr*
>> Aug 31 09:22:20 [04888] infected with VBS/Baggle.Z.dr*
>> Aug 31 10:46:56 [05625] infected with HTML/IFrame_Exploit*
>
> What version of clamav are you using? If 0.75.1, update to 0.75.1 or CVS. If the viruses are not detected after upgrading, submit them via: http://www.clamav.net 'submit sample'

I'm running 0.75.1 so I guess I'll submit them.

Phil