RE: [Declude.Virus] RE: Differences in reporting of ClamAV And ClamWin.
Hi All,

I decided to try an older build of ClamAV since my virus.cfg matches everyone else's. The difference in outputs lies in the sosdg.org ClamAV versions.

The older version 0.84rc2-2 produces the proper output for DLAnalyzer.

10/25/2006 19:07:52.875 q4148041a01064bf4.smd Virus scanner 2 reports exit code of 1
10/25/2006 19:07:52.875 q4148041a01064bf4.smd Scanner 2: Virus= Html.Phishing.Rock.Sanesecurity.06050500 Attachment= [14] O

The latest version 0.88.4-1 will produce an incorrect output that DLAnalyzer is not able to compile:

10/26/2006 12:38:28.828 q38cc128a00b2b1ba.smd Virus scanner 3 reports exit code of 1
10/26/2006 12:38:28.843 q38cc128a00b2b1ba.smd Scanner 3: Virus= Attachment= [14] O
10/26/2006 12:38:28.843 q38cc128a00b2b1ba.smd File(s) are INFECTED [ Html.Phishing.Pay.Gen358.Sanesecurity.06091502: 1]

Thanks to all who provided suggestions.

Eddie :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eddie Pang
Sent: Wednesday, October 25, 2006 8:44 PM
To: declude.virus@declude.com
Subject: [Declude.Virus] RE: Differences in reporting of ClamAV And ClamWin.

Hi All,

I am stumped. I am trying to run ClamAV to take advantage of clamdscan.exe for speed and performance, but I am unable to gather statistics for use with DLAnalyzer.

Looking closer at the logs, I find a slight variation between the 2 products. ClamWin reports the phish/virus on the same line as virus=. However with ClamAV, the Virus= is blank, and the phish/virus is on the next line.

ClamAV is from www.sosdg.org version 0.88.4-1, and ClamWin is from www.clamwin.net version 0.88.5.

Any suggestions to ClamAV (Scanner3) would be greatly appreciated.

Sincerely,
Eddie.

=
SCANFILE2 C:\imail\declude\runclamscan.exe log=2 c:\Progra~1\clamwin\bin\clamscan.exe --verbose --database="C:\Docume~1\Alluse~1\.clamwin\db" --tempdir="c:\temp" --no-summary --max-ratio 0 -l report.txt
VIRUSCODE2 1
REPORT2 FOUND
#
SCANFILE3 C:\imail\declude\runclamscan.exe log=2 C:\clamav-devel\bin\clamdscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
VIRUSCODE3 1
REPORT3 FOUND
==
10/25/2006 19:07:52.875 q4148041a01064bf4.smd Virus scanner 2 reports exit code of 1
10/25/2006 19:07:52.875 q4148041a01064bf4.smd Scanner 2: Virus= Html.Phishing.Rock.Sanesecurity.06050500 Attachment= [14] O
10/25/2006 19:07:59.578 q4148041a01064bf4.smd Virus scanner 3 reports exit code of 1
10/25/2006 19:07:59.578 q4148041a01064bf4.smd Scanner 3: Virus= Attachment= [14] O
10/25/2006 19:07:59.578 q4148041a01064bf4.smd File(s) are INFECTED [ Html.Phishing.Rock.Sanesecurity.06050500: 1]
==

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
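The two log layouts quoted in this thread can be read by one parser that carries a blank Virus= field forward to the "File(s) are INFECTED" line for the same queue file. The Python below is an added example, not part of any message in the thread and not DLAnalyzer or Declude code; the function names are hypothetical, and it assumes one "name: count" entry per INFECTED line and that this line follows its Scanner line.

```python
import re
from collections import Counter

# Log lines quoted in the thread: scanner 2 puts the name on the Virus= line,
# scanner 3 leaves Virus= blank and names it on the following INFECTED line.
SAMPLE_LOG = """\
10/25/2006 19:07:52.875 q4148041a01064bf4.smd Virus scanner 2 reports exit code of 1
10/25/2006 19:07:52.875 q4148041a01064bf4.smd Scanner 2: Virus= Html.Phishing.Rock.Sanesecurity.06050500 Attachment= [14] O
10/26/2006 12:38:28.828 q38cc128a00b2b1ba.smd Virus scanner 3 reports exit code of 1
10/26/2006 12:38:28.843 q38cc128a00b2b1ba.smd Scanner 3: Virus= Attachment= [14] O
10/26/2006 12:38:28.843 q38cc128a00b2b1ba.smd File(s) are INFECTED [ Html.Phishing.Pay.Gen358.Sanesecurity.06091502: 1]
"""

LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) (\S+) (.*)$")
SCANNER = re.compile(r"^Scanner (\d+): Virus=\s*(.*?)\s*Attachment=")
INFECTED = re.compile(r"^File\(s\) are INFECTED \[\s*(.+?):\s*\d+\s*\]")


def parse_detections(log_text):
    """Return one dict per 'Scanner N:' line, with the signature name resolved."""
    detections = []
    pending = {}  # queue id -> detection whose Virus= field was blank
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or unrelated line
        stamp, queue_id, message = m.groups()
        s = SCANNER.match(message)
        if s:
            det = {"time": stamp, "queue_id": queue_id,
                   "scanner": int(s.group(1)), "virus": s.group(2) or None}
            detections.append(det)
            if det["virus"] is None:
                pending[queue_id] = det  # wait for the INFECTED line
            continue
        i = INFECTED.match(message)
        if i and queue_id in pending:  # ignored when the name was already inline
            pending.pop(queue_id)["virus"] = i.group(1)
    return detections


def count_by_signature(detections):
    """Tally detections; names that were never resolved count as 'UNKNOWN'."""
    return Counter(d["virus"] or "UNKNOWN" for d in detections)
```

A detection that stays "UNKNOWN" means the scanner returned the virus exit code but no name reached the log, which is the case the thread describes for statistics gathering.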
Re: [Declude.Virus] RE: Differences in reporting of ClamAV And ClamWin.
Darrell ([EMAIL PROTECTED]) wrote:
Also, for me to get the virus name I had to use the wrapper.

fyi - The names are otherwise recorded in the clamd.log

-Nick
Re: [Declude.Virus] RE: Differences in reporting of ClamAV And ClamWin.
Eddie,

You do not need to run clamav twice to detect both phish and viruses. If you put the phish.ndb into the same directory as the clam db it will also use that.

Also, for me to get the virus name I had to use the wrapper. This snippet below is from Scott Fisher who helped me get mine going.

I use this version of the cygwin clam
http://www.sosdg.org/clamav-win32/index.php

I use Terri Fitts's runclamscan wrapper and runclamd service:
http://www.smartbusiness.com/imail/declude/

Here is my virus.cfg entry

#
# Clam A/V
#
# Runclamscan log levels
# log=0 (no logging)
# log=1 (minimal logging only date, time, elapsed times, viruses)
# log=2 (log all messages same as 1)
# log=3 (debug log - whole bunch of stuff - multiple lines)
#
SCANFILE2 d:\imail\declude\runclamscan.exe log=1 C:\clamav-devel\bin\clamdscan.exe --quiet --mbox --max-ratio 0 --max-space 1M -l report.txt
VIRUSCODE2 1
REPORT2 FOUND

Hope this helps,
Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: "Eddie Pang" <[EMAIL PROTECTED]>
To:
Sent: Thursday, October 26, 2006 2:43 AM
Subject: [Declude.Virus] RE: Differences in reporting of ClamAV And ClamWin.

Hi All,

I am stumped. I am trying to run ClamAV to take advantage of clamdscan.exe for speed and performance, but I am unable to gather statistics for use with DLAnalyzer.

Looking closer at the logs, I find a slight variation between the 2 products. ClamWin reports the phish/virus on the same line as virus=. However with ClamAV, the Virus= is blank, and the phish/virus is on the next line.

ClamAV is from www.sosdg.org version 0.88.4-1, and ClamWin is from www.clamwin.net version 0.88.5.

Any suggestions to ClamAV (Scanner3) would be greatly appreciated.

Sincerely,
Eddie.

=
SCANFILE2 C:\imail\declude\runclamscan.exe log=2 c:\Progra~1\clamwin\bin\clamscan.exe --verbose --database="C:\Docume~1\Alluse~1\.clamwin\db" --tempdir="c:\temp" --no-summary --max-ratio 0 -l report.txt
VIRUSCODE2 1
REPORT2 FOUND
#
SCANFILE3 C:\imail\declude\runclamscan.exe log=2 C:\clamav-devel\bin\clamdscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
VIRUSCODE3 1
REPORT3 FOUND
==
10/25/2006 19:07:52.875 q4148041a01064bf4.smd Virus scanner 2 reports exit code of 1
10/25/2006 19:07:52.875 q4148041a01064bf4.smd Scanner 2: Virus= Html.Phishing.Rock.Sanesecurity.06050500 Attachment= [14] O
10/25/2006 19:07:59.578 q4148041a01064bf4.smd Virus scanner 3 reports exit code of 1
10/25/2006 19:07:59.578 q4148041a01064bf4.smd Scanner 3: Virus= Attachment= [14] O
10/25/2006 19:07:59.578 q4148041a01064bf4.smd File(s) are INFECTED [ Html.Phishing.Rock.Sanesecurity.06050500: 1]
==
[Declude.Virus] RE: Differences in reporting of ClamAV And ClamWin.
Hi All,

I am stumped. I am trying to run ClamAV to take advantage of clamdscan.exe for speed and performance, but I am unable to gather statistics for use with DLAnalyzer.

Looking closer at the logs, I find a slight variation between the 2 products. ClamWin reports the phish/virus on the same line as virus=. However with ClamAV, the Virus= is blank, and the phish/virus is on the next line.

ClamAV is from www.sosdg.org version 0.88.4-1, and ClamWin is from www.clamwin.net version 0.88.5.

Any suggestions to ClamAV (Scanner3) would be greatly appreciated.

Sincerely,
Eddie.

=
SCANFILE2 C:\imail\declude\runclamscan.exe log=2 c:\Progra~1\clamwin\bin\clamscan.exe --verbose --database="C:\Docume~1\Alluse~1\.clamwin\db" --tempdir="c:\temp" --no-summary --max-ratio 0 -l report.txt
VIRUSCODE2 1
REPORT2 FOUND
#
SCANFILE3 C:\imail\declude\runclamscan.exe log=2 C:\clamav-devel\bin\clamdscan.exe --quiet --log-verbose --no-summary --max-ratio 0 -l report.txt
VIRUSCODE3 1
REPORT3 FOUND
==
10/25/2006 19:07:52.875 q4148041a01064bf4.smd Virus scanner 2 reports exit code of 1
10/25/2006 19:07:52.875 q4148041a01064bf4.smd Scanner 2: Virus= Html.Phishing.Rock.Sanesecurity.06050500 Attachment= [14] O
10/25/2006 19:07:59.578 q4148041a01064bf4.smd Virus scanner 3 reports exit code of 1
10/25/2006 19:07:59.578 q4148041a01064bf4.smd Scanner 3: Virus= Attachment= [14] O
10/25/2006 19:07:59.578 q4148041a01064bf4.smd File(s) are INFECTED [ Html.Phishing.Rock.Sanesecurity.06050500: 1]
==