Mike,

> I noticed a peculiarity this morning in my amavis log reports, which
> claimed that both ClamAV-clamd and McAfee AntiVirus detected the
> SaneSecurity malware: Email.Malware.Sanesecurity.07082700
> It was clear that uvscan did not detect a SaneSecurity signature,
> so I tracked down the associated log messages:
>
> ... ask_av (ClamAV-clamd): /var/amavis/tmp/amavis-123/parts
>     INFECTED: Email.Malware.Sanesecurity.07082700
>
> ... run_av (NAI McAfee AntiVirus (uvscan)):
>      INFECTED: W32/Zhelatin.gen!eml, W32/Zhelatin.gen!eml
>
> ... virus_scan: (Email.Malware.Sanesecurity.07082700), detected by
>      2 scanners: ClamAV-clamd, NAI McAfee AntiVirus (uvscan)

> I see that @virusname is used in virus_scan() as the list of virus names:
> [...] but it seems virusname isn't correct when multiple scanners produce
> different malware names.

Admittedly this log report can be misleading. There is currently
only one list of virus names found (@virusname), and it receives
its value from the FIRST scanner that reports an infection.
And the 'detected by' lists ALL scanners that reported infection,
regardless of what virus names they find and report.

It is often the case that different scanners use different names for the
same type of infection, so it was considered redundant to report
all names reported by all scanners.

The 'virus_scan: (...), detected by ... scanners: ...' is a
summary report at log level 2. As you noticed, more detailed
reports are available at higher log levels when needed.

> The amavis-logwatch reporter uses the virus_scan line to trigger its
> Malware by scanner report, thus the report indicated that both scanners
> detected the Email.Malware.Sanesecurity.07082700, which is incorrect.
> As we can see above, uvscan detected W32/Zhelatin.gen!eml.

> Should the log entry really be something like: 
>    virus_scan: (Email.Malware.Sanesecurity.07082700,
> W32/Zhelatin.gen!eml), detected by
>      2 scanners: ClamAV-clamd, NAI McAfee AntiVirus (uvscan)
>
> or some variant that is easy to parse and correlate the malware to
> scanner mapping ?

Actually the:
  do_log(2,"run_av (%s): INFECTED: %s", $av_name, ...
is also logged at log level 2. So why not use this log entry
for more detailed log analysis?

  Mark
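An added example (not code from amavisd-new or amavis-logwatch) that follows Mark's suggestion: build the scanner-to-malware mapping from the level-2 run_av/ask_av INFECTED lines instead of the virus_scan summary, and flag tasks where a summary-based reporter would credit a scanner with a name it never reported. The syslog prefix, the (taskid-nn) tag and the sample lines are constructed assumptions modelled on the lines quoted in the thread.

```python
import re

# Constructed sample lines in the shape quoted in the thread; the syslog
# prefix and the "(taskid-nn)" tag are assumptions about the log format.
SAMPLE_LOG = """\
Aug 27 09:01:02 mx amavis[123]: (123-01) ask_av (ClamAV-clamd): /var/amavis/tmp/amavis-123/parts INFECTED: Email.Malware.Sanesecurity.07082700
Aug 27 09:01:03 mx amavis[123]: (123-01) run_av (NAI McAfee AntiVirus (uvscan)): INFECTED: W32/Zhelatin.gen!eml, W32/Zhelatin.gen!eml
Aug 27 09:01:03 mx amavis[123]: (123-01) virus_scan: (Email.Malware.Sanesecurity.07082700), detected by 2 scanners: ClamAV-clamd, NAI McAfee AntiVirus (uvscan)
Aug 27 09:02:10 mx amavis[124]: (124-02) run_av (ClamAV-clamd): CLEAN
"""

# Per-scanner result line.  A scanner name can itself contain parentheses
# ("NAI McAfee AntiVirus (uvscan)"), so match lazily up to the first "):".
AV_RE = re.compile(r"\((?P<task>\d+-\d+)\) (?:ask_av|run_av) \((?P<scanner>.+?)\):"
                   r"\s+(?:.*?\s+)?INFECTED:\s+(?P<names>.+?)\s*$")
# Level-2 summary line: a single name list followed by every scanner that fired.
SUMMARY_RE = re.compile(r"\((?P<task>\d+-\d+)\) virus_scan: \((?P<names>.*?)\), "
                        r"detected by \d+ scanners?: (?P<scanners>.+?)\s*$")

def _split(field):
    return [x.strip() for x in field.split(",") if x.strip()]

def per_scanner_detections(log_text):
    """{task: {scanner: [unique names]}} taken from the run_av/ask_av lines."""
    result = {}
    for line in log_text.splitlines():
        m = AV_RE.search(line)
        if m:  # dedupe repeated names (the quoted uvscan line lists one twice)
            names = list(dict.fromkeys(_split(m["names"])))
            result.setdefault(m["task"], {})[m["scanner"]] = names
    return result

def summary_attribution(log_text):
    """What a parser keyed on virus_scan concludes: every scanner gets every name."""
    result = {}
    for line in log_text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            result[m["task"]] = {s: _split(m["names"]) for s in _split(m["scanners"])}
    return result

def misattributed(log_text):
    """Tasks where the summary credits a scanner with a name it never reported."""
    detail, summary = per_scanner_detections(log_text), summary_attribution(log_text)
    return sorted(task for task, by_scanner in summary.items()
                  if any(set(names) - set(detail.get(task, {}).get(scanner, []))
                         for scanner, names in by_scanner.items()))
```

Running `misattributed(SAMPLE_LOG)` on the constructed input reports task 123-01, the case from the thread where uvscan found W32/Zhelatin.gen!eml but the summary lists only the SaneSecurity name.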

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
