Two scanners, two different virus names, which one is chosen?

Mark Martinec Mark.Martinec+amavis at ijs.si
Fri May 25 17:17:57 CEST 2012


Ralf,

> May 25 14:56:47 mail2 amavis[25873]: (25873-14) virus_scan:
> (W32.Trojan.Inject-8), detected by 2 scanners: ClamAV-clamd, AVG
> Anti-Virus
> 
> I then scanned the file with both clam & avg on the box:
> 
> # clamscan Lieferschein.exe
> Lieferschein.exe: W32.Trojan.Inject-8 FOUND
> 
> # avgscan Lieferschein.exe
> ...
> Lieferschein.exe  Trojan horse Delf.AEJO
> 
> So the two scanners are recognizing the same virus under different
> names. That's to be expected.
> 
> But: If I were to create an exception (maybe due to a false positive in
> clamav -- which has happened quite a bit recently! -- I'd be hard pressed
> to find out WHICH virus(name) was recognized by WHICH scanner!

The virus name reported is the one provided by the *first*
of the scanners that detected infection, which also follows the
declaration order in @av_scanners (or in case of a fallback,
in the @av_scanners_backup list).

> Wouldn't something like:
> 
> virus_scan: [W32.Trojan.Inject-8, Trojan horse Delf.AEJO], detected by 2
> scanners: [ClamAV-clamd, AVG Anti-Virus]
> 
> be better (the 1st name in the first list corresponds to the
> first scanner in the second list)?

I think we've been there in some very early versions of amavisd-new,
but it seemed like an unnecessary clutter, as common viruses were
detected by most scanners, so one would always see two or three
names reported.

The change would be relatively simple to make: in 'sub virus_scan'
the section:

  if (!@virusname) { # store results of the first scanner detecting
  # @virusname = map(sprintf('[%s] %s',$scanner_name,$_), @$this_vn);
    @virusname = @$this_vn;
    $scan_status = $this_status; $output = $this_output;
  }

would need to be changed to avoid an 'if' and use a push()
instead of assignment. Something like (untested):

  if (!@virusname) { # store results of the first scanner detecting
    $scan_status = $this_status; $output = $this_output;
  }
  push(@virusname, @$this_vn);


Mark
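The selection logic described in the reply above, as an added stand-alone Perl sketch that is not amavisd-new's own code: a constructed @av_scanners with two fake scanners, and a loop that applies either the current first-detecting-scanner rule, the proposed push() variant, or the commented-out '[scanner] name' prefix form.

```perl
#!/usr/bin/perl
# Added illustration, not amavisd-new code. Simulates how virus_scan
# gathers names from several scanners in @av_scanners declaration order.
use strict;
use warnings;

# Constructed stand-in for @av_scanners: [name, sub(file) -> list of names].
# The two fake scanners report the same sample under different names.
my @av_scanners = (
  ['ClamAV-clamd',   sub { $_[0] eq 'Lieferschein.exe' ? ('W32.Trojan.Inject-8')    : () }],
  ['AVG Anti-Virus', sub { $_[0] eq 'Lieferschein.exe' ? ('Trojan horse Delf.AEJO') : () }],
);

# $mode: 'first'  = current behaviour, first detecting scanner's names win
#        'all'    = proposed push() variant, every scanner's names kept
#        'tagged' = like 'all', but each name prefixed with its scanner
sub virus_scan {
  my ($file, $mode) = @_;
  my (@virusname, @detecting);
  for my $av (@av_scanners) {
    my ($scanner_name, $scan) = @$av;
    my @this_vn = $scan->($file);
    next if !@this_vn;                      # this scanner saw nothing
    push(@detecting, $scanner_name);
    if ($mode eq 'first') {
      @virusname = @this_vn if !@virusname; # keep only the first result
    } elsif ($mode eq 'tagged') {
      push(@virusname, map { sprintf('[%s] %s', $scanner_name, $_) } @this_vn);
    } else {
      push(@virusname, @this_vn);
    }
  }
  return (\@virusname, \@detecting);
}

for my $mode (qw(first all tagged)) {
  my ($vn, $det) = virus_scan('Lieferschein.exe', $mode);
  printf "%-6s virus_scan: (%s), detected by %d scanners: %s\n",
    $mode, join(', ', @$vn), scalar(@$det), join(', ', @$det);
}
```

Reordering the entries of @av_scanners changes which name the 'first' mode reports, which is the behaviour the reply describes; the 'tagged' mode is what the commented-out map() line in the quoted source would produce.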