Two scanners, two different virus names, which one is chosen?

Patrick Ben Koetter p at state-of-mind.de
Sun Jul 1 22:49:40 CEST 2012


Mark,

* Mark Martinec <Mark.Martinec+amavis at ijs.si>:
> > May 25 14:56:47 mail2 amavis[25873]: (25873-14) virus_scan:
> > (W32.Trojan.Inject-8), detected by 2 scanners: ClamAV-clamd, AVG
> > Anti-Virus
> > 
> > I then scanned the file with both clam & avg on the box:
> > 
> > # clamscan Lieferschein.exe
> > Lieferschein.exe: W32.Trojan.Inject-8 FOUND
> > 
> > # avgscan Lieferschein.exe
> > ...
> > Lieferschein.exe  Trojan horse Delf.AEJO
> > 
> > So the two scanners are recognizing the same virus under different
> > names. That's to be expected.
> > 
> > But: If I were to create an exception (maybe due to a false positive in
> > clamav -- which has happened quite a bit recently! -- I'd be hard pressed
> > to find out WHICH virus(name) was recognized by WHICH scanner!
> 
> The virus name reported is the one provided by the *first*
> of the scanners that detected infection, which also follows the
> declaration order in @av_scanners (or in case of a fallback,
> in the @av_scanners_backup list).
> 
> > Wouldn't something like:
> > 
> > virus_scan: [W32.Trojan.Inject-8, Trojan horse Delf.AEJO], detected by 2
> > scanners: [ClamAV-clamd, AVG Anti-Virus]
> > 
> > be better (the 1st name in the first list corresponds to the
> > first scanner in the second list)?
> 
> I think we've been there in some very early versions of amavisd-new,
> but it seemed like an unnecessary clutter, as common viruses were
> detected by most scanners, so one would always see two or three
> names reported.

I agree it seems like unnecessary clutter at first. Mostly because virus
scanner vendors have been unable to use the same virus name in unison
throughout their products and that makes reports hard to read.

But there's more than only the pattern names one can read from a list of
pattern names. If two report a virus and one doesn't then I'd like to know
why. Was it late on pattern updates and therefore unable to recognize the
virus in transit? Does this happen often for that particular scanner? Should
we switch for a better product or will it suffice to get pattern updates in
shorter intervals?

We, Ralf and I, find it very useful. Do you think listing all scan results or
only one could become a configurable feature? We could contribute a patch if
you want to.

p at rick

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
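An added example, not code from this thread or from amavisd-new, that parses both the current virus_scan log line (one name, first detecting scanner in @av_scanners order) and the bracketed per-scanner format proposed above, then lists which configured scanners did not detect, the "who missed it" question raised about pattern lag. The log lines and the AV_SCANNERS order are constructed here, and the code assumes every scanner in that list was actually run on the message.

```python
import re

# Constructed sample log lines modelled on the virus_scan line quoted in the
# thread (joined back onto one line) and on the bracketed per-scanner format
# proposed there. They are not real log data.
CURRENT_FMT = ("May 25 14:56:47 mail2 amavis[25873]: (25873-14) virus_scan: "
               "(W32.Trojan.Inject-8), detected by 2 scanners: ClamAV-clamd, AVG Anti-Virus")
PROPOSED_FMT = ("May 25 14:56:47 mail2 amavis[25873]: (25873-14) virus_scan: "
                "[W32.Trojan.Inject-8, Trojan horse Delf.AEJO], detected by 2 scanners: "
                "[ClamAV-clamd, AVG Anti-Virus]")

# Assumed @av_scanners declaration order; amavis names the virus after the
# first scanner in this order that detected it.
AV_SCANNERS = ["ClamAV-clamd", "AVG Anti-Virus", "Sophos"]

RE_PROPOSED = re.compile(r"virus_scan: \[(?P<names>[^\]]*)\], detected by \d+ scanners?: "
                         r"\[(?P<scanners>[^\]]*)\]")
RE_CURRENT = re.compile(r"virus_scan: \((?P<name>[^)]*)\), detected by \d+ scanners?: "
                        r"(?P<scanners>.+)$")


def _split(field):
    return [item.strip() for item in field.split(",") if item.strip()]


def parse_virus_scan(line, av_scanners=AV_SCANNERS):
    """Map each detecting scanner to the name it reported, or None when the
    log format does not record that scanner's name. Returns None for lines
    that are not virus_scan detections."""
    m = RE_PROPOSED.search(line)
    if m:
        names, scanners = _split(m.group("names")), _split(m.group("scanners"))
        if len(names) != len(scanners):
            raise ValueError("name/scanner count mismatch: %r" % line)
        return dict(zip(scanners, names))
    m = RE_CURRENT.search(line)
    if not m:
        return None
    order = {s: i for i, s in enumerate(av_scanners)}
    scanners = sorted(_split(m.group("scanners")), key=lambda s: order.get(s, len(order)))
    # Only the first detecting scanner's name is logged; the others are unknown.
    return {s: (m.group("name") if i == 0 else None) for i, s in enumerate(scanners)}


def missed_by(detections, av_scanners=AV_SCANNERS):
    """Configured scanners that did not detect, assuming every one was run."""
    return [s for s in av_scanners if s not in detections]


if __name__ == "__main__":
    for line in (CURRENT_FMT, PROPOSED_FMT):
        found = parse_virus_scan(line)
        print(found, "missed by:", missed_by(found))
```

Counting missed_by() results per scanner over a day of logs gives the per-scanner miss rate the thread asks about, without needing the vendors to agree on names.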
