Thread: virus_scan log entry inaccurate w/multiple malware names?

virus_scan log entry inaccurate w/multiple malware names?
United States
2007-08-31 11:55:25
Hi Mark,

I noticed a peculiarity this morning in my amavis log reports, which
claimed that both ClamAV-clamd and McAfee AntiVirus detected the
SaneSecurity malware:

   Email.Malware.Sanesecurity.07082700

It was clear that uvscan did not detect a SaneSecurity signature, so I
tracked down the associated log messages:

... ask_av (ClamAV-clamd): /var/amavis/tmp/amavis-123/parts
    INFECTED: Email.Malware.Sanesecurity.07082700

... run_av (NAI McAfee AntiVirus (uvscan)):
     INFECTED: W32/Zhelatin.gen!eml, W32/Zhelatin.gen!eml

... virus_scan: (Email.Malware.Sanesecurity.07082700), detected by
     2 scanners: ClamAV-clamd, NAI McAfee AntiVirus (uvscan)

The amavis-logwatch reporter uses the virus_scan line to trigger its
Malware by scanner report, thus the report indicated that both scanners
detected the Email.Malware.Sanesecurity.07082700, which is incorrect.
As we can see above, uvscan detected W32/Zhelatin.gen!eml.

I see that @virusname is used in virus_scan() as the list of virus names:

   if (@virusname && @detecting_scanners) {
     # copy the scanner list and replace commas inside scanner names,
     # so the comma-separated summary can be split reliably
     my(@ds) = @detecting_scanners;  for (@ds) { s/,/;/ }  # facilitates parsing
     ll(2) && do_log(2, "virus_scan: (%s), detected by %d scanners: %s",
                       join(', ',@virusname), scalar(@ds), join(', ',@ds));
   }

but it seems @virusname isn't correct when multiple scanners produce
different malware names.  Should the log entry really be something like:

   virus_scan: (Email.Malware.Sanesecurity.07082700, W32/Zhelatin.gen!eml),
     detected by 2 scanners: ClamAV-clamd, NAI McAfee AntiVirus (uvscan)

or some variant that is easy to parse and correlate the malware to
scanner mapping?

Mike

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/

Re: virus_scan log entry inaccurate w/multiple malware names?
Slovenia
2007-09-03 10:37:25
Mike,

> I noticed a peculiarity this morning in my amavis log reports, which
> claimed that both ClamAV-clamd and McAfee AntiVirus detected the
> SaneSecurity malware: Email.Malware.Sanesecurity.07082700
> It was clear that uvscan did not detect a SaneSecurity signature,
> so I tracked down the associated log messages:
>
> ... ask_av (ClamAV-clamd): /var/amavis/tmp/amavis-123/parts
>     INFECTED: Email.Malware.Sanesecurity.07082700
>
> ... run_av (NAI McAfee AntiVirus (uvscan)):
>      INFECTED: W32/Zhelatin.gen!eml, W32/Zhelatin.gen!eml
>
> ... virus_scan: (Email.Malware.Sanesecurity.07082700), detected by
>      2 scanners: ClamAV-clamd, NAI McAfee AntiVirus (uvscan)

> I see that @virusname is used in virus_scan() as the list of virus names:
> [...] but it seems @virusname isn't correct when multiple scanners produce
> different malware names.

Admittedly this log report can be misleading. There is currently
only one list of virus names found (@virusname), and it receives
its value from the FIRST scanner that reports an infection.
And the 'detected by' lists ALL scanners that reported infection,
regardless of what virus names they find and report.

It is often the case that different scanners use different names for the
same type of infection, so it was considered redundant to report
all names reported by all scanners.

The 'virus_scan: (...), detected by ... scanners: ...' is a
summary report at log level 2. As you noticed, more detailed
reports are available at higher log levels when needed.

> The amavis-logwatch reporter uses the virus_scan line to trigger its
> Malware by scanner report, thus the report indicated that both scanners
> detected the Email.Malware.Sanesecurity.07082700, which is incorrect.
> As we can see above, uvscan detected W32/Zhelatin.gen!eml.

> Should the log entry really be something like:
>    virus_scan: (Email.Malware.Sanesecurity.07082700,
> W32/Zhelatin.gen!eml), detected by
>      2 scanners: ClamAV-clamd, NAI McAfee AntiVirus (uvscan)
>
> or some variant that is easy to parse and correlate the malware to
> scanner mapping ?

Actually the:
  do_log(2,"run_av (%s): INFECTED: %s", $av_name, ...
is also logged at log level 2. So why not use this log entry
for more detailed log analysis?

  Mark


Re: virus_scan log entry inaccurate w/multiple malware names?
United States
2007-09-03 10:49:00
Mark Martinec wrote:
> Mike,
>
>> I noticed a peculiarity this morning in my amavis log reports, which
>> claimed that both ClamAV-clamd and McAfee AntiVirus detected the

>
> Admittedly this log report can be misleading. There is currently
> only one list of virus names found (@virusname), and it receives
> its value from the FIRST scanner that reports an infection.
> And the 'detected by' lists ALL scanners that reported infection,
> regardless of what virus names they find and report.
>
> It is often the case that different scanners use different names for the
> same type of infection, so it was considered redundant to report
> all names reported by all scanners.
>
> The 'virus_scan: (...), detected by ... scanners: ...' is a
> summary report at log level 2. As you noticed, more detailed
> reports are available at higher log levels when needed.

Got it.


>
>> The amavis-logwatch reporter uses the virus_scan line to trigger its
>> Malware by scanner report, thus the report indicated that both scanners
>> detected the Email.Malware.Sanesecurity.07082700, which is incorrect.
>> As we can see above, uvscan detected W32/Zhelatin.gen!eml.
>
>> Should the log entry really be something like:
>>    virus_scan: (Email.Malware.Sanesecurity.07082700,
>> W32/Zhelatin.gen!eml), detected by
>>      2 scanners: ClamAV-clamd, NAI McAfee AntiVirus (uvscan)
>>
>> or some variant that is easy to parse and correlate the malware to
>> scanner mapping ?
>
> Actually the:
>   do_log(2,"run_av (%s): INFECTED: %s", $av_name, ...
> is also logged at log level 2. So why not use this log entry
> for more detailed log analysis?
>
>   Mark

Already done and posted on Sept 1:

2007-09-01 (version: 1.48.21)
  - Fix: use ask_av and run_av as virus indicators for Malware
    by Scanner, as previously used virus_scan line does not
    report accurate information when multiple scanners report
    different malware names

Thanks Mark,
Mike
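As an added example (not code from this thread, from amavisd-new or from amavis-logwatch), the following Python script does what Mark suggests and what the amavis-logwatch 1.48.21 changelog above describes: it builds the malware-to-scanner mapping from the per-scanner ask_av/run_av lines, and then flags every scanner whose own report differs from what the virus_scan summary would have attributed to it. The sample log lines are constructed to mirror the ones Mike quoted; the syslog prefix, host name, pid and message ids are assumed, as is the second message with its EICAR test-file names. It also handles the two details visible in the quoted lines: uvscan repeating the same name once per infected part, and scanner names that themselves contain parentheses.

```python
"""Correlate malware names to the scanner that reported them from amavisd-new
log lines, using the per-scanner ask_av/run_av entries rather than the
virus_scan summary (which carries only the first scanner's names)."""
import re
from collections import defaultdict

# Constructed sample log lines (not taken from a real log). Scanner names,
# paths and malware names follow the thread; the syslog prefix, host, pid
# and message ids are assumed, as is the second (EICAR) message.
SAMPLE_LOG = """\
Aug 31 11:20:01 mx1 amavis[4321]: (04321-01) ask_av (ClamAV-clamd): /var/amavis/tmp/amavis-123/parts INFECTED: Email.Malware.Sanesecurity.07082700
Aug 31 11:20:02 mx1 amavis[4321]: (04321-01) run_av (NAI McAfee AntiVirus (uvscan)): INFECTED: W32/Zhelatin.gen!eml, W32/Zhelatin.gen!eml
Aug 31 11:20:02 mx1 amavis[4321]: (04321-01) virus_scan: (Email.Malware.Sanesecurity.07082700), detected by 2 scanners: ClamAV-clamd, NAI McAfee AntiVirus (uvscan)
Aug 31 11:25:10 mx1 amavis[4321]: (04321-02) ask_av (ClamAV-clamd): /var/amavis/tmp/amavis-124/parts INFECTED: Eicar-Test-Signature
Aug 31 11:25:11 mx1 amavis[4321]: (04321-02) run_av (NAI McAfee AntiVirus (uvscan)): INFECTED: EICAR test file
Aug 31 11:25:11 mx1 amavis[4321]: (04321-02) virus_scan: (Eicar-Test-Signature), detected by 2 scanners: ClamAV-clamd, NAI McAfee AntiVirus (uvscan)
"""

# Per-scanner result lines, logged at level 2: ask_av for daemonised scanners
# (ClamAV-clamd), run_av for command-line ones (uvscan). The greedy scanner
# group backtracks to the LAST "):" before INFECTED, so a scanner name that
# contains parentheses, like "NAI McAfee AntiVirus (uvscan)", is kept whole.
AV_LINE = re.compile(
    r'\((?P<msgid>[0-9A-Za-z-]+)\) (?:ask_av|run_av) \((?P<scanner>.+)\):'
    r'(?: \S+)? INFECTED: (?P<names>.+?)\s*$'
)

# The virus_scan summary line. amavisd rewrites commas inside scanner names
# as ';' in this line, so splitting the scanner list on ', ' is safe.
SUMMARY_LINE = re.compile(
    r'\((?P<msgid>[0-9A-Za-z-]+)\) virus_scan: \((?P<names>.+?)\), detected by '
    r'\d+ scanners?: (?P<scanners>.+?)\s*$'
)


def _split_names(field):
    """Split a comma-separated name list, dropping duplicates but keeping
    order (uvscan reports the same name once per infected part)."""
    seen = []
    for name in field.split(', '):
        name = name.strip()
        if name and name not in seen:
            seen.append(name)
    return seen


def malware_by_scanner(log_text):
    """Return {msgid: {scanner: [malware names]}} from ask_av/run_av lines."""
    result = defaultdict(dict)
    for line in log_text.splitlines():
        m = AV_LINE.search(line)
        if m:
            result[m['msgid']][m['scanner']] = _split_names(m['names'])
    return dict(result)


def summary_by_message(log_text):
    """Return {msgid: (names, scanners)} from virus_scan summary lines."""
    result = {}
    for line in log_text.splitlines():
        m = SUMMARY_LINE.search(line)
        if m:
            result[m['msgid']] = (_split_names(m['names']),
                                  m['scanners'].split(', '))
    return result


def summary_discrepancies(log_text):
    """List (msgid, scanner, names_from_scanner, names_in_summary) for each
    scanner whose own report differs from what the summary implies."""
    per_scanner = malware_by_scanner(log_text)
    findings = []
    for msgid, (summary_names, scanners) in summary_by_message(log_text).items():
        for scanner in scanners:
            actual = per_scanner.get(msgid, {}).get(scanner)
            if actual is not None and actual != summary_names:
                findings.append((msgid, scanner, actual, summary_names))
    return findings


if __name__ == '__main__':
    for msgid, scanners in malware_by_scanner(SAMPLE_LOG).items():
        for scanner, names in scanners.items():
            print(f'{msgid}  {scanner:32} {", ".join(names)}')
    for msgid, scanner, actual, summary in summary_discrepancies(SAMPLE_LOG):
        print(f'{msgid}: summary attributes {summary} to {scanner}, '
              f'which actually reported {actual}')
```

Run against a real amavisd-new log, this reads only the level-2 lines Mark points at, so it needs no higher log level than the summary itself; the `summary_discrepancies` output is what a Malware by Scanner report built on the virus_scan line would have got wrong.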
