Virus Detected Alerts

scott · **Posted:** Tue Oct 18, 2011 8:16 am

Thats correct, the AV events were not tracked in 2.x. They still happened, it just didnt tell you about it.

mikeshinn · **Posted:** Tue Oct 18, 2011 8:59 pm

Quote:

It is a shame osssec can't differentiate between a virus found in an email (common, harmless, dealt with, don't want to know about it) and a virus uploaded via FTP (might be an indication of compromised ftp credentials - need to know about it - level 14 at least!)

Actually it does that now. You will only get (and see) virus alerts for non-email related viruses, which means it does differentiate between a virus found in an email (common, harmless, dealt with, don't want to know about it) and a virus uploaded via FTP.

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1846

"Now" as in "as of latest rules", I take it? There's no way my previous alerts were uploads.

Faris.

mikeshinn · **Posted:** Wed Oct 19, 2011 4:43 pm

As of the 17th, when I posted this: :-)

Quote:

I just added in two new rules, 590000 and 590001 that makes qmail-scanner and clapf virus alerts level 0. So out of the box if qmail generates a message like this:

Oct 17 13:36:54 asl-modsec-test clamd[3841]: /var/spool/qscan/tmp/eicar.com: Eicar-Test-Signature FOUND

Or clapf generates a message like this:

Oct 17 13:36:54 asl-modsec-test clamd[3841]: /var/spool/clapf/tmp/eicar.com: Eicar-Test-Signature FOUND

You will never see that in the GUI, or in an email alert. But if clamd catches a virus somewhere else, you will see that alert.

If you want to get the alerts for email, just change the alert level on rule 590000 or 590001 depending on which one you use.

laughingbuddha · **Posted:** Wed Oct 19, 2011 7:30 pm

I ran an update last night, and now it seems to have solved the issue. I now no-longer get the Level 8 virus emails triggered by email attachments. I've gone from an email every hour of the day, down to just 5 emails in the inbox now. A vast improvement.

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1846

yay! Thanks Mike! ASL just gets better and better!

mikeshinn · **Posted:** Thu Oct 20, 2011 6:38 pm

My pleasure. And for future cases like this, we just need log examples of things you dont want to see (or want to see). You can either report the former as a False Positive (things you dont want to see), or the later as a False Negative (things you should see), or you can just create a forum thread with what you need.

If you use the FP/FN buttons, please check your cases as we generally attach notes asking for a little more information to understand your use case, such as if you dont want to see it all, maybe just make it a lower level, etc.

Virus Detected Alerts

Who is online