[Mimedefang] log which virusscanner found a virus
Cormack, Ken
Ken.Cormack at Roadway.com
Thu Jun 23 13:06:13 EDT 2005
-----Original Message-----
From: Christoph Martin [mailto:martin at uni-mainz.de]
> Hi,
>
> is there a method to log which of the virus-scanners I have configured
> for mimedefang has actually found the virus?
>
> Christoph
Here's what I do. In sub filter_begin, look for the following lines from
the standard mimedefang-filter, and note my comments in the code...
    if ($FoundVirus) {
        md_graphdefang_log('virus', $VirusName, $RelayAddr);
        #############################
        # Added this next line, to log which scanner found the virus.
        # This required patching mimedefang.pl to provide $VirusScanner
        md_graphdefang_log('scanner_name', $VirusScanner, $VirusName);
        #############################
        return action_discard();
    }
Then, in mimedefang.pl, I do the following...
At the top of mimedefang.pl, in the "use vars" section, I insert a new
variable called $VirusScanner into the list, like so...
# My deepest apologies for this mess of globals...
use vars qw($AddWarningsInline @StatusTags $VirusScanner
Then, further down, in each "sub entity_contains_virus_*" and "sub
message_contains_virus_*", appropriate to the scanners that I use, I define
$VirusScanner as follows...
    sub entity_contains_virus_filescan ($) {
        $VirusScanner = "FileScan";
...and
    sub message_contains_virus_filescan ($) {
        $VirusScanner = "FileScan";
The resulting log entries look like this...
Jun 23 11:56:03 mail01 mimedefang.pl[31038]: MDLOG,j5NFtvEe002275,scanner_name,FileScan,W32/Bagle.ai at MM,<munged at sender>,<munged at recipient>,Re:
Might even be something David would consider making a permanent part of MD?
When I run my log parsing reports at midnight, I get a nice breakdown that
looks like this...
THE FOLLOWING SCANNERS FOUND THESE VIRUSES
CLAMD: Broken.Executable
CLAMD: Exploit.HTML.IFrame
CLAMD: HTML.Phishing.Bank-1
CLAMD: HTML.Phishing.Bank-104
CLAMD: HTML.Phishing.Bank-137
CLAMD: HTML.Phishing.Bank-211
CLAMD: HTML.Phishing.Bank-225
CLAMD: HTML.Phishing.Bank-246
CLAMD: HTML.Phishing.Pay-14
CLAMD: HTML.Phishing.Pay-27
CLAMD: HTML.Phishing.Pay-43
CLAMD: Worm.Bagle.AG.2
CLAMD: Worm.Bagle.Gen-zippwd
CLAMD: Worm.Dumaru.K
CLAMD: Worm.Mytob.AF
CLAMD: Worm.Mytob.AL
CLAMD: Worm.Mytob.BM-2
CLAMD: Worm.Mytob.BT
CLAMD: Worm.Mytob.CL
CLAMD: Worm.Mytob.CS
CLAMD: Worm.Mytob.CW
CLAMD: Worm.Mytob.DI
CLAMD: Worm.Mytob.DJ
CLAMD: Worm.Mytob.DK
CLAMD: Worm.Mytob.F
CLAMD: Worm.Mytob.Gen-1
CLAMD: Worm.Mytob.Gen-2
CLAMD: Worm.Mytob.T-2
CLAMD: Worm.Mytob.V
CLAMD: Worm.SomeFool.Gen-1
CLAMD: Worm.SomeFool.P
FileScan: W32/Bagle.af
FileScan: W32/Bagle.ai
FileScan: W32/Bugbear.b
FileScan: W32/Netsky
FileScan: W32/Netsky.c
FileScan: W32/Netsky.p
FileScan: W32/Zafi.b
VEXIRA: Worm/Mytob.EN
VEXIRA: Worm/Mytob.U
Hope this helps.
Ken
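As an added example (not Ken's own reporting script, which the post does not include), here is a Python parser for MDLOG lines of the shape shown above that builds the per-scanner breakdown and also flags 'virus' events that have no matching 'scanner_name' event for the same message id, which is what a *_contains_virus_* sub that never received the $VirusScanner assignment looks like in the log. It assumes the field order MDLOG,msgid,event,value1,value2,sender,recipient,subject as in the posted line; the sample log lines, addresses and message ids are constructed.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines shaped like the MDLOG entry in the post:
# MDLOG,msgid,event,value1,value2,sender,recipient,subject (addresses and ids invented).
SAMPLE_LOG = """\
Jun 23 11:56:03 mail01 mimedefang.pl[31038]: MDLOG,j5NFtvEe002275,scanner_name,FileScan,W32/Bagle.ai@MM,<a@example.com>,<b@example.net>,Re: hi
Jun 23 11:56:03 mail01 mimedefang.pl[31038]: MDLOG,j5NFtvEe002275,virus,W32/Bagle.ai@MM,192.0.2.10,<a@example.com>,<b@example.net>,Re: hi
Jun 23 12:01:44 mail01 mimedefang.pl[31040]: MDLOG,j5NG1iEe002301,scanner_name,CLAMD,Worm.Mytob.AF,<c@example.org>,<b@example.net>,hello, again
Jun 23 12:05:09 mail01 mimedefang.pl[31042]: MDLOG,j5NG59Ee002330,scanner_name,CLAMD,Worm.Mytob.AF,<d@example.org>,<b@example.net>,hi
Jun 23 12:07:11 mail01 mimedefang.pl[31044]: MDLOG,j5NG7BEe002345,virus,Worm/Mytob.U,192.0.2.12,<e@example.org>,<b@example.net>,re
"""
MDLOG_RE = re.compile(r"mimedefang\.pl\[\d+\]: MDLOG,(.*)$")
FIELDS = ("msgid", "event", "v1", "v2", "sender", "rcpt", "subject")

def parse_mdlog(line):
    """MDLOG fields of one syslog line as a dict, or None for non-MDLOG lines."""
    m = MDLOG_RE.search(line)
    if not m:
        return None
    # The subject is the last field: split at most 6 times so commas in it survive.
    fields = m.group(1).split(",", 6)
    return dict(zip(FIELDS, fields)) if len(fields) == 7 else None

def scanner_breakdown(lines):
    """Map scanner name -> sorted unique virus names it reported (the post's report)."""
    found = defaultdict(set)
    for rec in filter(None, map(parse_mdlog, lines)):
        if rec["event"] == "scanner_name":
            found[rec["v1"]].add(rec["v2"])
    return {s: sorted(v) for s, v in sorted(found.items())}

def unattributed_viruses(lines):
    """Message ids with a 'virus' event but no 'scanner_name' event: each one points
    at a *_contains_virus_* sub that did not get the $VirusScanner assignment."""
    virus, named = {}, set()
    for rec in filter(None, map(parse_mdlog, lines)):
        if rec["event"] == "virus":
            virus[rec["msgid"]] = rec["v1"]
        elif rec["event"] == "scanner_name":
            named.add(rec["msgid"])
    return {m: v for m, v in virus.items() if m not in named}

def format_report(lines):
    """Render the breakdown in the layout shown in the post, plus any unattributed hits."""
    out = ["THE FOLLOWING SCANNERS FOUND THESE VIRUSES"]
    for scanner, viruses in scanner_breakdown(lines).items():
        out.extend(f"{scanner}: {v}" for v in viruses)
    for msgid, name in unattributed_viruses(lines).items():
        out.append(f"UNATTRIBUTED ({msgid}): {name}")
    return "\n".join(out)
```

Feed it the day's syslog (`format_report(open("/var/log/maillog").read().splitlines())`, path assumed) to get the midnight-style breakdown; any UNATTRIBUTED line means one of the scanner subs still lacks the $VirusScanner line.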