[Mimedefang] log which virusscanner found a virus

Cormack, Ken Ken.Cormack at Roadway.com
Thu Jun 23 13:06:13 EDT 2005


-----Original Message-----
From: Christoph Martin [mailto:martin at uni-mainz.de] 

> Hi,
> 
> is there a method to log which of the virus-scanners I have configured
> for mimedefang has actually found the virus?
> 
> Christoph

Here's what I do.  In sub filter_begin, look for the following lines from
the standard mimedefang-filter, and note my comments in the code...

    if ($FoundVirus) {
        md_graphdefang_log('virus', $VirusName, $RelayAddr);
        #############################
        # Added this next line, to log which scanner found the virus.
        # This required patching mimedefang.pl to provide $VirusScanner
        md_graphdefang_log('scanner_name', $VirusScanner, $VirusName);
        #############################

        return action_discard();
    }

Then, in mimedefang.pl, I do the following...

At the top of mimedefang.pl, in the "use vars" section, I insert a new
variable called $VirusScanner into the list, like so...

	# My deepest apologies for this mess of globals...
	use vars qw($AddWarningsInline @StatusTags $VirusScanner

Then, further down, in each "sub entity_contains_virus_*" and "sub
message_contains_virus_*", appropriate to the scanners that I use, I define
$VirusScanner as follows...

	sub entity_contains_virus_filescan ($) {
	    $VirusScanner = "FileScan";

...and

	sub message_contains_virus_filescan ($) {
	    $VirusScanner = "FileScan"; 

The resulting log entries look like this...

Jun 23 11:56:03 mail01 mimedefang.pl[31038]: MDLOG,j5NFtvEe002275,scanner_name,FileScan,W32/Bagle.ai at MM,<munged at sender>,<munged at recipient>,Re:

Might even be something David would consider making a permanent part of MD?

When I run my log parsing reports at midnight, I get a nice breakdown that
looks like this...

THE FOLLOWING SCANNERS FOUND THESE VIRUSES
        CLAMD: Broken.Executable
        CLAMD: Exploit.HTML.IFrame
        CLAMD: HTML.Phishing.Bank-1
        CLAMD: HTML.Phishing.Bank-104
        CLAMD: HTML.Phishing.Bank-137
        CLAMD: HTML.Phishing.Bank-211
        CLAMD: HTML.Phishing.Bank-225
        CLAMD: HTML.Phishing.Bank-246
        CLAMD: HTML.Phishing.Pay-14
        CLAMD: HTML.Phishing.Pay-27
        CLAMD: HTML.Phishing.Pay-43
        CLAMD: Worm.Bagle.AG.2
        CLAMD: Worm.Bagle.Gen-zippwd
        CLAMD: Worm.Dumaru.K
        CLAMD: Worm.Mytob.AF
        CLAMD: Worm.Mytob.AL
        CLAMD: Worm.Mytob.BM-2
        CLAMD: Worm.Mytob.BT
        CLAMD: Worm.Mytob.CL
        CLAMD: Worm.Mytob.CS
        CLAMD: Worm.Mytob.CW
        CLAMD: Worm.Mytob.DI
        CLAMD: Worm.Mytob.DJ
        CLAMD: Worm.Mytob.DK
        CLAMD: Worm.Mytob.F
        CLAMD: Worm.Mytob.Gen-1
        CLAMD: Worm.Mytob.Gen-2
        CLAMD: Worm.Mytob.T-2
        CLAMD: Worm.Mytob.V
        CLAMD: Worm.SomeFool.Gen-1
        CLAMD: Worm.SomeFool.P
     FileScan: W32/Bagle.af
     FileScan: W32/Bagle.ai
     FileScan: W32/Bugbear.b
     FileScan: W32/Netsky
     FileScan: W32/Netsky.c
     FileScan: W32/Netsky.p
     FileScan: W32/Zafi.b
       VEXIRA: Worm/Mytob.EN
       VEXIRA: Worm/Mytob.U

Hope this helps.


Ken
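The midnight report described above, as an added Python example that is not from the post or from MIMEDefang itself: it parses the MDLOG `scanner_name` lines the patched filter emits and prints the per-scanner breakdown. The syslog lines embedded below are constructed, with made-up queue IDs and addresses.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the MDLOG layout quoted in the post
# (queue IDs and addresses are made up; one line per scanner_name event).
SAMPLE_LOG = """\
Jun 23 11:56:03 mail01 mimedefang.pl[31038]: MDLOG,j5NFtvEe002275,virus,W32/Bagle.ai@MM,10.0.0.5
Jun 23 11:56:03 mail01 mimedefang.pl[31038]: MDLOG,j5NFtvEe002275,scanner_name,FileScan,W32/Bagle.ai@MM,<a@example.org>,<b@example.net>,Re: hi, there
Jun 23 12:01:44 mail01 mimedefang.pl[31042]: MDLOG,j5NG1iAb002301,scanner_name,CLAMD,Worm.Mytob.AF,<c@example.org>,<d@example.net>,photos
Jun 23 12:07:10 mail01 mimedefang.pl[31050]: MDLOG,j5NG7ABc002310,scanner_name,CLAMD,Worm.Mytob.AF,<e@example.org>,<f@example.net>,photos again
Jun 23 12:09:31 mail01 mimedefang.pl[31051]: MDLOG,j5NG9VCd002315,mail_in,<g@example.org>,<h@example.net>,newsletter
"""

MDLOG_RE = re.compile(r"mimedefang\.pl\[\d+\]: MDLOG,(?P<fields>.*)$")


def parse_scanner_hits(lines):
    """Return {scanner: {virus_name: count}} built from scanner_name MDLOG events.

    Fields are positional (queue id, event, then the event-specific values), so
    the split is capped and a subject containing commas cannot shift the columns.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = MDLOG_RE.search(line)
        if not m:
            continue
        fields = m.group("fields").split(",", 4)  # queue, event, scanner, virus, rest
        if len(fields) < 4 or fields[1] != "scanner_name":
            continue
        scanner, virus = fields[2], fields[3]
        # If the $VirusScanner global was never set, the field is empty; keep that visible.
        hits[scanner or "<unknown>"][virus] += 1
    return hits


def format_report(hits):
    """Render the right-aligned 'SCANNER: virus' breakdown shown in the post, with counts."""
    width = max((len(s) for s in hits), default=0)
    out = ["THE FOLLOWING SCANNERS FOUND THESE VIRUSES"]
    for scanner in sorted(hits):
        for virus in sorted(hits[scanner]):
            out.append(f"{scanner:>{width + 5}}: {virus} ({hits[scanner][virus]})")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(parse_scanner_hits(SAMPLE_LOG.splitlines())))
```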
