lists at truthisfreedom
Sep 15, 2009, 8:49 AM
Post #1 of 3
(692 views)
Permalink
|
|
VirusEvent based on signature file
|
|
Hi all,
I'm new to the list so be gentle! :)
I've had a good search around this topic and I'm struggling to find an
answer to an issue I've got.
I'm using clamav with proftpd as a virus scanner and rudimentary content
checker for html/php files (c99 shells and the like).
In most cases, I just need to know if a file (or it's content) matches a
regex and if it does let it continue to be uploaded but alert via email
and if it doesn't, check it against the default signatures and deal with
it accordingly.
Here's an example:
Alice uploads a normal html file via ftp. ClamAV scans the file, finds
that it is clean and allows it to be uploaded into the correct place.
The second file Alice uploads is a PDF. This is infected with a virus.
ClamAV detects the virus and prevents the upload.
Bob tries to upload a C99 php shell script. As these are generally
base64 encoded, ClamAV scans for the "base64_decode" string and if it is
found it allows the upload but sends an alert to the systems
administrator letting them know that there is a suspect file on the
system _without alerting the user_.[0]
I guess my question is two-fold:
a) Is this possible with ClamAV or do I need to look elsewhere?
b) What's the best way to achieve this.
If ClamAV is not the answer and someone else can suggest a good
alternative, please let me know.
Thanks in advance,
M.
[0] All our users have signed T's & C's stating that we can virus scan
this without their permission and we do not have to notify them that we
do this. I am not concerned about the justifications for this exercise,
just whether it is possible. Thanks, M :)
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
|
