Re: [Clamav-users] Perl script for sorting logs entries

2004-08-31 Thread Brett Simpson
On Mon, 2004-08-30 at 18:33, Internet Helpdesk wrote:
  For example:
  ./source_virus_count.pl -l amavis -f amavis/amavis.log -r -c 10
 For this to work for milter, what logging do I need to have?  Do I enable 
 verbose logging in clamav.conf?  Right now in my log I have:
 
 Mon Aug  2 14:00:49 2004 - /home/clamquar/040802/msg.TwmNG2: Worm.Bagle.N FOUND
 Mon Aug  2 14:01:38 2004 - /home/clamquar/040802/msg.1dEnWr: Worm.SomeFool.P FOUND

You will need LogSyslog in your clamav.conf. I'm not sure if you need
anything special in your sendmail.mc but I have the following.

INPUT_MAIL_FILTER(`clmilter',`S=local:/var/spool/MIMEDefang/clmilter.sock, F=T, T=S:45s;R:45s')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter')


On Redhat this would create similar log entries to the following in
/var/log/maillog. Other platforms and variations of Linux should work
fine.

Aug 31 08:37:19 ns2b sendmail[5491]: i7VCbAus005491: from=[EMAIL PROTECTED], size=41727, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=rrcs-se-24-227-44-226.biz.rr.com [24.227.44.226]
Aug 31 08:37:19 ns2b clamav-milter[23178]: i7VCbAus005491: stream: Worm.SomeFool.P Intercepted virus from [EMAIL PROTECTED] to [EMAIL PROTECTED]
Aug 31 08:37:19 ns2b sendmail[5491]: i7VCbAus005491: Milter: data, discard
Aug 31 08:37:19 ns2b sendmail[5491]: i7VCbAus005491: discarded




---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047alloc_id=10808op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


[Clamav-users] Perl script for sorting logs entries - version 0.20

2004-08-31 Thread Brett Simpson
I have corrected a few bugs, added smtp support, and added a minimum virus count.
For smtp support you will need to define your smtp server and email address in the
perl script.

You will also need LogSyslog enabled in your clamav.conf for Milter logging.

Options:
-h Help
-f Log file
-l Log type - valid types are: amavis and milter - Defaults to milter
-r Show recipients
-s Show senders - Milter only
-c Minimum virus count for unique hosts
-v Minimum virus type count
-m Email report to predefined values set in this perl script
-V Version

For example:
./source_virus_count.pl -l amavis -f amavis/amavis.log -r -c 10
Shows a count of each virus type:
Count is 16 for Worm.SomeFool.P
Count is 13 for Worm.Zafi.B
Count is 7 for Worm.Klez.H
Count is 3 for Worm.SomeFool.Gen-1
Count is 1 for Worm.SomeFool.Q
Count is 1 for Worm.SomeFool.I
Count is 1 for Worm.Bagle.Gen-zippwd, Worm.Bagle.Gen-zippwd
Count is 1 for Worm.Bagle.AG.2
Count is 1 for Worm.SomeFool.X
 
Shows unique hosts with a virus count over 10:
 
mail.nsslawoffice.com sent the following virus's a total of 12 times:
Worm.Zafi.B was transmitted 12 times.
 
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.
Recipient address [EMAIL PROTECTED] was seen 1 times.

#!/usr/bin/perl

# Licensed under the GNU GPL

# Features
# Count the number of times a virus was sent in descending order
# Count the number of times an IP address sent a virus in descending order
# Show each unique virus that was sent for each IP address.
# Populate a complex data structure with message ids, IP addresses, and virus names. This is necessary since the IP address and virus name are on separate lines but have the same message id.
# Capable of sending email based reports

# Changelog
# 08/31/2004 - Released version 0.20
# 08/30/2004 - Released version 0.10
# 08/30/2004 - Added command line arguments
# 08/27/2004 - Corrected a bug where multiple Senders or viruses per IP address would produce errors
# 08/20/2004 - Commented out Recipient information

# TODO
# Review and cleanup of code
# Add command line argument for only showing specific hosts who sent viruses
# Fix bug where if no virus log lines are present then it will not close with an error

use warnings;
use diagnostics;
use strict;
use vars qw/ $opt_h $opt_f $opt_l $opt_r $opt_s $opt_c $opt_v $opt_m $opt_V /;
use Getopt::Std;
use Net::SMTP;

my $Version = 0.20;
my $host_count = 10;
my $virus_count = 1;
my $mail_server = '207.156.7.30';
my $mail_user = '[EMAIL PROTECTED]';   # address redacted in the list archive
my $log_file = '/var/log/maillog';


getopts('hf:l:sc:v:rmV');

if ($opt_h) {
	print "Options: \n";
	print "-h Help \n";
	print "-f Log file \n";
	print "-l Log type - valid types are: amavis and milter - Defaults to milter \n";
	print "-r Show recipients \n";
	print "-s Show senders - Milter only \n";
	print "-c Minimum virus count for unique hosts \n";
	print "-v Minimum virus type count \n";
	print "-m Email report to predefined values set in this perl script  \n";
	print "-V Version \n";
	exit 0;
}

if ($opt_f) {
	$log_file = $opt_f;
}


my $log_type;
if ($opt_l) {
	if ($opt_l eq 'amavis') {
		$log_type = $opt_l;
	} elsif ($opt_l eq 'milter') {
		$log_type = $opt_l;
	} else {
		print "-l Log type - valid types are: amavis and milter  \n";
		exit 1;
	}
} else {
	$log_type = 'milter';
}

my $show_senders;
if ($opt_s) {
	if ($log_type eq 'amavis') {
		print "Showing of Senders not yet supported for Amavis\n";
		exit 1;
	} else {
		$show_senders = 1;
	}
}

$host_count = $opt_c if ($opt_c);

$virus_count = $opt_v if ($opt_v);

# A 'my' declaration with a statement modifier has undefined behaviour in Perl,
# so these flags are declared unconditionally.
my $show_recipients = $opt_r ? 1 : 0;

my $send_email = $opt_m ? 1 : 0;

if ($opt_V) {
	print "Version $Version \n";
	exit 0;
}

our $ip_addr;
our $sender;
my $email;        # hash ref keyed by message id -> { ip_addr, virus, sender, recipient }
my %ip_addr;
my $virus;
my %virus;
my $Virus;
my $Sender;
my $recipient;
my $Recipient;
my $message_id;
my @text_body;

open(FILE, '<', $log_file) or die "Cannot open $log_file: $!\n";
while (<FILE>) {

	if ($log_type eq 'milter') {

		# sendmail envelope line: capture the queue id and the relay IP address
		if (/(?:\d|\D)+sendmail\[(?:\d)+\]:\s((?:\w)+):(?:\d|\D)+\[(\d+\.\d+\.\d+\.\d+)\]/) {
			$message_id = $1;
			$ip_addr = $2;
			$email->{$message_id}{ip_addr} = $ip_addr;
		}
		# clamav-milter verdict line: same queue id, then virus name, sender and recipient
		elsif (/(?:\d|\D)+clamav-milter\[(?:\d)+\]:\s((?:\w)+):\sstream:\s(\S+)\sIntercepted virus from \<((?:\d|\D)+)\> to \<((?:\d|\D)+)\>/) {
			$message_id = $1;
			$virus = $2;
			$sender = $3;
			$recipient = $4;

			$email->{$message_id}{virus} = $virus;
			$email->{$message_id}{sender} = $sender;
			$email->{$message_id}{recipient} = $recipient;
		}
	} elsif ($log_type eq 'amavis') {
		if 
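
A worked example of the correlation the script above relies on (added here; it is not Brett's script nor ClamAV code), written in Python rather than Perl: sendmail envelope lines and clamav-milter verdict lines are matched on the shared queue id, then the -c/-v style minimum counts are applied. It also covers two cases the script's TODO mentions: a log with no verdict lines yields an empty report instead of an error, and a verdict with no matching envelope line is attributed to "unknown". The log lines, addresses and hostnames are constructed for the example.

```python
"""Correlate sendmail and clamav-milter syslog lines by sendmail queue id."""
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the maillog excerpt in the post.  Message
# i7VCfBcd005510 is clean; i7VCgUef005520 has a verdict but no from= line.
SAMPLE_LOG = """\
Aug 31 08:37:19 ns2b sendmail[5491]: i7VCbAus005491: from=<alice@example.net>, size=41727, nrcpts=1, proto=ESMTP, daemon=MTA, relay=host1.example.net [192.0.2.10]
Aug 31 08:37:19 ns2b clamav-milter[23178]: i7VCbAus005491: stream: Worm.SomeFool.P Intercepted virus from <alice@example.net> to <bob@example.org>
Aug 31 08:37:19 ns2b sendmail[5491]: i7VCbAus005491: Milter: data, discard
Aug 31 08:40:02 ns2b sendmail[5502]: i7VCe2Ab005502: from=<carol@example.net>, size=30212, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Aug 31 08:40:02 ns2b clamav-milter[23178]: i7VCe2Ab005502: stream: Worm.Zafi.B Intercepted virus from <carol@example.net> to <dave@example.org>
Aug 31 08:41:11 ns2b sendmail[5510]: i7VCfBcd005510: from=<erin@example.com>, size=2048, nrcpts=1, proto=ESMTP, daemon=MTA, relay=host2.example.com [198.51.100.7]
Aug 31 08:41:11 ns2b sendmail[5510]: i7VCfBcd005510: to=<frank@example.org>, delay=00:00:00, stat=Sent
Aug 31 08:42:30 ns2b clamav-milter[23178]: i7VCgUef005520: stream: Worm.Bagle.AG.2 Intercepted virus from <mallory@example.net> to <bob@example.org>
"""

# The queue id sits between "program[pid]: " and the next colon; it ties the
# envelope line (which carries the relay IP) to the milter verdict line.
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*"
    r"relay=(?:\S+ )?\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]")
VIRUS_RE = re.compile(
    r"clamav-milter\[\d+\]: (?P<qid>\w+): stream: (?P<virus>\S+) "
    r"Intercepted virus from <(?P<sender>[^>]*)> to <(?P<rcpt>[^>]*)>")


def correlate(log_text):
    """Merge fields per queue id; keep only the ids the milter flagged."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            events[m["qid"]].update(ip=m["ip"], sender=m["sender"])
            continue
        m = VIRUS_RE.search(line)
        if m:
            events[m["qid"]].update(virus=m["virus"], recipient=m["rcpt"])
            events[m["qid"]].setdefault("sender", m["sender"])
    return {qid: e for qid, e in events.items() if "virus" in e}


def summarise(events, min_host_count=1, min_virus_count=1):
    """Count detections per virus and per relay IP with -c/-v style minimums;
    a verdict without an envelope line is attributed to 'unknown'."""
    by_virus = Counter(e["virus"] for e in events.values())
    per_ip = defaultdict(Counter)
    for e in events.values():
        per_ip[e.get("ip", "unknown")][e["virus"]] += 1
    return {
        "viruses": {v: n for v, n in by_virus.items() if n >= min_virus_count},
        "hosts": {ip: dict(c) for ip, c in per_ip.items()
                  if sum(c.values()) >= min_host_count},
    }


def report(summary):
    """Render the summary as lines in the style of the script's output."""
    lines = [f"Count is {n} for {v}" for v, n in
             sorted(summary["viruses"].items(), key=lambda kv: -kv[1])]
    for ip, viruses in summary["hosts"].items():
        lines.append(f"{ip} sent viruses a total of {sum(viruses.values())} times:")
        lines += [f"  {v} was transmitted {n} times." for v, n in viruses.items()]
    return lines
```

Run `print("\n".join(report(summarise(correlate(SAMPLE_LOG)))))` to see the rendered report; feed it a real maillog's text to use it on live data.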

[Clamav-users] Trojan.Baglet?

2004-08-31 Thread henry j. mason
greetings all;
i'm having a lot of grief with some very persistent worm
infections, many of which are not detected by our Symantec
NAV Corporate edition (with up to the minute definitions).
i keep submitting files to Symantec, and they keep sending
me back responses that, yes, my file is infected, and with
the latest definitions i'll catch this latest variant.
what a waste of time! what i really want to know is what
the infection mechanisms are here, and how i can prevent
further infection. systems are windows 2000 sp4, with all
the latest patches from MS.
the worms i've seen so far have been:
Backdoor.Sdbot
Backdoor.Ranky.G
W32.Spybot.Worm
Trojan.Baglet
this last one has no entry in the Symantec database, even
though this is the name they gave me for it. these are all
Symantec names, although they are close to useless as they
don't specify the infection mechanism for any of these.
i'm asking these questions here because Trojan.Baglet appears
to be a ClamAV designation. when i scan the file in question,
Clam detects it as Trojan.Baglet.A.
can anyone tell me more about this virus? about any of the
virii i've mentioned earlier? Symantec is useless, i'm
hoping this list may be more help :
thanks in advance.
henry



[Clamav-users] Can I submit a file if I'm not sure it's a virus?

2004-08-31 Thread D.J. Fan
I just received 3 emails with a subject of 'foto' or 'fotos'
and a zip attachment named 'foto.zip' with 'calc.exe' and 'foto.htm'
contained therein that passed through 3 different scanners undetected.
I don't want to infect my own machine by opening it.
Can I forward it to someone to check it out?




[Clamav-users] Messages that got through clam

2004-08-31 Thread Philip Ershler
I am running clam in series with RAV on CommuniGate Pro via cgpav. The 
messages go through clam first and if clam says OK then they go through 
RAV. Today RAV caught 4 messages that clam thought were OK. The 
following lines are from the RAV log. Should I provide the original 
messages to the clam team, via appropriate methods? And by the way, how 
does one send the clam team apparently virus laden e-mail?

Thanks, Phil
Aug 31 12:47:22 [06801] infected with Win32/[EMAIL PROTECTED]
Aug 31 12:53:22 [06858] infected with Win32/[EMAIL PROTECTED]
Aug 31 14:01:30 [07878] infected with JS/Dword.dr*
Aug 31 09:22:20 [04888] infected with VBS/Baggle.Z.dr*
Aug 31 10:46:56 [05625] infected with HTML/IFrame_Exploit*



[Clamav-users] [OT] Symantec update frequency

2004-08-31 Thread Niek
On 8/31/2004 11:02 PM +0200, John Jolet wrote:
I don't believe Symantec updates their definitions more than once a week.  
Certainly not for us poor home users.
you can update all you want, but the file won't change.
The following are my experiences with new defs from Symantec:
Liveupdate: 1-2 times per week, they save up the 'non important' viruses.
Intelligent updater: 1-2 per day.
Beta intelligent updater: multiple times per day.
The catch is that Joe Homeuser only uses liveupdate.
If he wants to stay up-to-date, he has to grab the (beta)
intelligent updates manually. Run them manually (this can be scripted,
Symantec has some batch files on their website if you search long enough.)
Symantec's corporate products can be configured to update more often
than standard liveupdate.
Kind regards,
Niek Baakman
--
___
Read about mime:http://www.geoapps.com/nomime.shtml
Read about quoting: http://www.netmeister.org/news/learn2quote.html
Read about disclaimers: http://www.goldmark.org/jeff/stupid-disclaimers


Re: [Clamav-users] List Down

2004-08-31 Thread [EMAIL PROTECTED]
Daniel J McDonald said:
 On Tue, 2004-08-31 at 13:17, Chris Jett wrote:
 Is the list down?  I haven't gotten any list messages since this
 morning...

 No, merely slow.  It only took 4 hours to be delivered to me.  What do
 you want?  Back in the bad old days we only got mail once a month, over
 a 1200 baud modem, in the snow, uphill both ways!  And you're
 complaining about a 4-hour delay?  Young whippersnapper! ;-)
 --
 Daniel J McDonald, CCIE 2495, CNX
 Austin Energy


1200 baud?  Slow down, sonny!  It wasn't that long ago that I was working
at 50 baud with 5 bit code.  Then some smart-aleck invented the lower case
alphabet and we moved to a blazing 56.8 baud and added a bit for the shift
character.




Re: [Clamav-users] OS X Installer and Permissions

2004-08-31 Thread The Count of CipherSpace
Chris Jett at 2004-08-31 13:39 from [EMAIL PROTECTED] wrote:

I am working on a double-click installer for Mac OS X.  Everything 
seems to be working OK and I am able to start clamd just fine and scan 
files just fine.  The only problem I am seeing is when trying to use 
freshclam.  Here is the error I get on the command line:

ClamAV update process started at Tue Aug 31 12:29:38 2004
SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES

You need to have Gnu MP --  http://www.swox.com/gmp/

Reading CVD header (main.cvd): OK
ERROR: Can't open new file ./clamav-1a227263d1e5cc92 to write
open: Permission denied
ERROR: Can't download main.cvd from 64.69.64.158

I think that I need to set a permission somewhere, but I can't figure 
out where.  Any ideas?




Re: [Clamav-users] Can I submit a file if I'm not sure it's a virus?

2004-08-31 Thread List
 I just received 3 emails with a subject of 'foto' or 'fotos'
 and a zip attachment named 'foto.zip' with 'calc.exe' and 'foto.htm'
 contained therein that passed through 3 different scanners undetected.
 
 I don't want to infect my own machine by opening it.
 
 Can I forward it to someone to check it out?

http://clamav.catt.com/cgi-bin/sendvirus.cgi




Re: [Clamav-users] Can I submit a file if I'm not sure it's a virus?

2004-08-31 Thread Niek
On 9/1/2004 1:49 AM +0200, D.J. Fan wrote:
I just received 3 emails with a subject of 'foto' or 'fotos'
and a zip attachment named 'foto.zip' with 'calc.exe' and 'foto.htm'
contained therein that passed through 3 different scanners undetected.
I don't want to infect my own machine by opening it.
Can I forward it to someone to check it out?
http://www.clamav.net
Click on 'submit sample'
Regards,
Niek Baakman


Re: [Clamav-users] Can I submit a file if I'm not sure it's a virus?

2004-08-31 Thread [EMAIL PROTECTED]
D.J. Fan said:
 I just received 3 emails with a subject of 'foto' or 'fotos'
 and a zip attachment named 'foto.zip' with 'calc.exe' and 'foto.htm'
 contained therein that passed through 3 different scanners undetected.

 I don't want to infect my own machine by opening it.

 Can I forward it to someone to check it out?


Check it at http://test-clamav.power-netz.de/




Re: [Clamav-users] Messages that got through clam

2004-08-31 Thread Niek
On 9/1/2004 1:52 AM +0200, Philip Ershler wrote:
I am running clam in series with RAV on CommuniGate Pro via cgpav. The 
messages go through clam first and if clam says OK then they go through 
RAV. Today RAV caught 4 messages that clam thought were OK. The 
following lines are from the RAV log. Should I provide the original 
messages to the clam team, via appropriate methods? And by the way, how 
does one send the clam team apparently virus laden e-mail?

Thanks, Phil
Aug 31 12:47:22 [06801] infected with Win32/[EMAIL PROTECTED]
Aug 31 12:53:22 [06858] infected with Win32/[EMAIL PROTECTED]
Aug 31 14:01:30 [07878] infected with JS/Dword.dr*
Aug 31 09:22:20 [04888] infected with VBS/Baggle.Z.dr*
Aug 31 10:46:56 [05625] infected with HTML/IFrame_Exploit*
What version of clamav are you using?
If < 0.75.1, update to 0.75.1 or CVS.
If the viruses are not detected after upgrading, submit them via:
http://www.clamav.net 'submit sample'
Regards,
Niek Baakman


Re: [Clamav-users] List Down

2004-08-31 Thread Mike Nolan
 1200 baud?  Slow down, sonny!  It wasn't that long ago that I was working
 at 50 baud with 5 bit code.  Then some smart-aleck invented the lower case
 alphabet and we move to a blazing 56.8 baud and added a bit for the shift
 character.

If you weren't able to whistle a connect tone for a 50 baud modem, you 
weren't really using one.  :-)
--





Re: [Clamav-users] Can I submit a file if I'm not sure it's a virus?

2004-08-31 Thread James Lick
D.J. Fan wrote:
I just received 3 emails with a subject of 'foto' or 'fotos'
and a zip attachment named 'foto.zip' with 'calc.exe' and 'foto.htm'
contained therein that passed through 3 different scanners undetected.
This is Trojan.Dropper.Small-11 added in ClamAV update 475 just in the 
last hour.  I got a couple that slipped through just before the update, 
but they are being caught now.  My other virus scanners still don't 
detect it.

--
James Lick --  -- [EMAIL PROTECTED] -- http://jameslick.com/


Re: [Clamav-users] Messages that got through clam

2004-08-31 Thread Philip Ershler
On Aug 31, 2004, at 8:02 PM, Niek wrote:
On 9/1/2004 1:52 AM +0200, Philip Ershler wrote:
I am running clam in series with RAV on CommuniGate Pro via cgpav. 
The messages go through clam first and if clam says OK then they go 
through RAV. Today RAV caught 4 messages that clam thought were OK. 
The following lines are from the RAV log. Should I provide the 
original messages to the clam team, via appropriate methods? And by 
the way, how does one send the clam team apparently virus laden 
e-mail?
Thanks, Phil
Aug 31 12:47:22 [06801] infected with Win32/[EMAIL PROTECTED]
Aug 31 12:53:22 [06858] infected with Win32/[EMAIL PROTECTED]
Aug 31 14:01:30 [07878] infected with JS/Dword.dr*
Aug 31 09:22:20 [04888] infected with VBS/Baggle.Z.dr*
Aug 31 10:46:56 [05625] infected with HTML/IFrame_Exploit*
What version of clamav are you using?
If < 0.75.1, update to 0.75.1 or CVS.
If the viruses are not detected after upgrading, submit them via:
http://www.clamav.net 'submit sample'

I'm running 0.75.1 so I guess I'll submit them.
Phil
