[clamav-users] making clamdscan noisier when it has found something
Gene Heskett
gheskett at wdtv.com
Sun Feb 14 06:18:36 UTC 2016
On Friday 12 February 2016 15:59:13 Dennis Peterson wrote:
> The most useful information I get is from the milter (J-Chkmail) that
> manages scanning via clamd.
>
> Sun Feb 7 05:57:59 2016 -> /var/spool/jchkmail/56B74D61.000.0000:
> Sanesecurity.Foxhole.Zip_doc_js.UNOFFICIAL FOUND
>
> The serial number maps directly to the message id in sendmail's log
> which has the transaction information.
>
> dp
>
That would simplify it somewhat. But I'm not using sendmail, I am using
fetchmail, and fetchmail's log entries don't show that by default, and I
see no option to turn that on in the manpages. Wrapping that procmail
recipe in a verbosity control might also yield some info into the log
file. I'll start by doing that.
But, and I haven't started on it yet, I could have it save that message
using a round-robin naming scheme, from the bash script that responds
to the virii file being written to. I can steal the code from another
utility I wrote that manages a printer queue for a legacy computer, and
maintain a 25 file subdir. Some of that same code can then send me an
email that a viri has been isolated, giving me the .XX enumeration of
that saved file. That particular function I wrote as two files, so the
work is handed off to a second one, in that case to feed it to the
printer, and since bash can do text searches without a lot of help, it
could easily include the subject line, all the From: lines, and any
Reply-to: lines in the email it sends me.
All I have to do is find my missing round tuit. And I am in the early
stages of something else I need to get done while I still can get it
done, the years (81) are catching up to my body and beginning to limit
what I can do physically.
> On 2/12/16 8:22 AM, Gene Heskett wrote:
> > Greetings;
> >
> > Currently it spits out a one line message to the logfile when it has
> > found something, and when procmail sees the NZ return, the incoming
> > mail is placed in a holding file. But it contains zero information
> > that would give a clue as to where the infected mail came from.
>
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
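A sketch of the helper Gene describes above (save each flagged message under a round-robin name so the directory never holds more than 25 copies, then mail the admin the slot number together with the Subject:, From: and Reply-To: lines), written here as an added example; it is not code from the thread or from ClamAV. It assumes procmail has already written the flagged message to a file and passes that path as the first argument. The quarantine directory, slot count, recipient address and mailer command are placeholders; MAILER defaults to cat so the script runs offline and the notice lands on stdout instead of in a mailbox.

```shell
#!/bin/sh
# Added example, not from the clamav-users thread: quarantine a message that
# clamdscan flagged, keeping at most QSLOTS copies, and notify the admin.
# All four settings below are assumptions; override them in the environment.
set -eu

QDIR="${QDIR:-/var/spool/clam-quarantine}"    # assumed quarantine directory
QSLOTS="${QSLOTS:-25}"                        # 25-file subdir, as in the post
ADMIN="${ADMIN:-postmaster@example.invalid}"  # placeholder recipient
MAILER="${MAILER:-cat}"                       # e.g. mail -s 'virus held' "$ADMIN"

# Print the Subject:, From: and Reply-To: header lines of the message in $1,
# including folded continuation lines. Scanning stops at the first blank line
# so that nothing from the (possibly hostile) body is copied into the notice.
mail_headers() {
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        /^$/ { exit }                            # blank line ends the headers
        /^[ \t]/ { if (keep) print; next }       # folded line of a kept header
        { keep = tolower($0) ~ /^(subject|from|reply-to):/; if (keep) print }
    ' "$1"
}

# Copy the message in $1 into the next slot (00 .. QSLOTS-1), wrapping around
# so old samples are overwritten instead of the directory growing without
# bound. The counter lives in $QDIR/.next; the slot used is printed on stdout.
quarantine_rotate() {
    mkdir -p "$QDIR"
    next=0
    if [ -r "$QDIR/.next" ]; then
        next=$(cat "$QDIR/.next")
    fi
    slot=$(printf '%02d' "$next")
    cp "$1" "$QDIR/virus.$slot"
    chmod 0600 "$QDIR/virus.$slot"               # keep the sample private
    echo $(( (next + 1) % QSLOTS )) > "$QDIR/.next"
    echo "$slot"
}

# Build the notice for the admin: which slot holds the sample, plus the
# headers that say where the message claimed to come from.
notify_admin() {
    {
        echo "To: $ADMIN"
        echo "Subject: clamd quarantined a message into slot $1"
        echo
        echo "Saved as: $QDIR/virus.$1"
        echo "Headers of the quarantined message:"
        mail_headers "$2"
    } | $MAILER
}

# Entry point for the procmail recipe: quarantine the file in $1 and notify.
quarantine_message() {
    slot=$(quarantine_rotate "$1")
    notify_admin "$slot" "$1"
}

# Stand-alone demo on a constructed message: sh quarantine.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    printf 'From: someone@example.invalid\nSubject: constructed sample\n\nbody\n' > "$demo"
    QDIR=$(mktemp -d) quarantine_message "$demo"
    rm -f "$demo"
fi
```

The recipe that currently drops the mail into the holding file would call quarantine_message with that file's path; with MAILER set to a real mail command the notice reaches the admin, and the slot number in its subject line tells which of the 25 files to look at. Cutting the header scan at the blank line matters: a message that smuggles a fake From: line into its body does not get that line echoed into the notice.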