Educause Security Discussion mailing list archives

VirusLogger - Script to sort and e-mail Symantec Corporate Anti-Virus Logs available


From: "Faigle, Chris" <cfaigle () RICHMOND EDU>
Date: Thu, 3 Jun 2004 16:18:07 -0400

Hi,

        We use Symantec Corporate Anti-Virus here at the University of
Richmond for all faculty, staff and student Windows machines.

        Several institutions have expressed interest in a script that I
wrote to have the logs from the virus server sorted and e-mailed daily.

        It is now available (under GPL) at
http://is.richmond.edu/techsupport/security/Downloads.htm 

        In brief:

                It uses Symantec's VHistExp tool (on the CD, in the
Tools\Nosuprt\VHistExp\ folder) to pull the logs.

                It then buckets each entry into "Left Alone", "Deleted",
"Cleaned", "Quarantined" and "Unknown".

                It also makes a bucket for "Special" entries, which are
keywords set to "Blaster", "Welchia", "Gaobot", "Sasser", etc. [I use
these as an additional resource to determine if a machine is patched.]

                It then saves these reports and e-mails them to the
addresses specified.

        I have it set up as a Scheduled Task on our SAV server to run at
3 am, using "VirusLogger.py -yesterday", so every morning I receive a
fresh report of the previous day's activity. (As does our help-desk.)

        Each morning, I go through the "Left Alone" report and use the
server to verify if each virus still exists and make decisions as to how
each machine should be handled.

        I go through the "Special" report if it is not empty as these
machines have a patch issue.

        Further, I also quickly check the "Deleted" report to keep
an eye on what is coming through, but getting deleted.

        It requires Python, keeps an extensive log and has reasonably
good exception handling.  It has been running stably for months now.

        Hope this is useful.

        Please reply off-list.

Best,
Chris Faigle
IS Security
University of Richmond
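The bucketing described above, worked through as an added example; this is not Chris's VirusLogger.py and does not read the real VHistExp output. The pipe-separated export layout and the sample entries are constructed for the example (the actual VHistExp format is not shown in the post, so parse_line would have to be adapted to it); the action names and the "Special" keyword list are the ones given in the message. The day filter stands in for the -yesterday switch, and the mail is built with the standard library but not sent.

```python
"""Bucket anti-virus log entries into action and "Special" reports.

Added example, not the VirusLogger.py script from the post. The export
format below is an assumption made for this example; VHistExp's real
layout is not shown on the page.
"""
import re
from collections import defaultdict
from email.message import EmailMessage

# Constructed sample export: one entry per line, '|'-separated fields.
# Assumed field order: date, computer, user, threat name, action taken.
SAMPLE_EXPORT = """\
2004-06-02 08:12:31|LAB-PC-17|jdoe|W32.Welchia.Worm|Left Alone
2004-06-02 09:03:10|DORM-221|asmith|W32.Netsky.P@mm|Deleted
2004-06-02 09:45:52|LIB-KIOSK-3|guest|W32.Sasser.B|Cleaned
2004-06-02 11:20:05|STAFF-44|rjones|Trojan.Dropper|Quarantined
2004-06-02 13:07:44|LAB-PC-02|jdoe|W32.Blaster.Worm|Access denied
2004-06-01 23:58:00|OLD-BOX|nobody|W32.Gaobot.AA|Left Alone
"""

# Action buckets named in the post; anything else falls into "Unknown".
ACTIONS = ("Left Alone", "Deleted", "Cleaned", "Quarantined")
# "Special" keywords from the post: a hit lands in "Special" in addition
# to its action bucket, because it points at an unpatched machine.
SPECIAL_KEYWORDS = ("Blaster", "Welchia", "Gaobot", "Sasser")
SPECIAL_RE = re.compile("|".join(map(re.escape, SPECIAL_KEYWORDS)), re.IGNORECASE)

FIELDS = ("date", "computer", "user", "threat", "action")


def parse_line(line):
    """Split one export line into a dict; None if the line is malformed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, (p.strip() for p in parts)))


def bucket_entries(text, day=None):
    """Return {bucket: [entries]} for an export; `day` (YYYY-MM-DD) filters
    like the post's -yesterday switch. Malformed lines go to "Unknown"."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            buckets["Unknown"].append({"raw": line})
            continue
        if day is not None and not entry["date"].startswith(day):
            continue
        bucket = entry["action"] if entry["action"] in ACTIONS else "Unknown"
        buckets[bucket].append(entry)
        if SPECIAL_RE.search(entry["threat"]):
            buckets["Special"].append(entry)
    return dict(buckets)


def format_report(buckets):
    """Render the buckets as plain text, one section per bucket."""
    order = list(ACTIONS) + ["Unknown", "Special"]
    lines = []
    for name in order:
        entries = buckets.get(name, [])
        lines.append(f"{name} ({len(entries)})")
        for e in entries:
            if "raw" in e:
                lines.append(f"  unparsed: {e['raw']}")
            else:
                lines.append(f"  {e['date']}  {e['computer']:<12} {e['user']:<8} {e['threat']}")
        lines.append("")
    return "\n".join(lines)


def build_mail(buckets, sender, recipients, day_label):
    """Build (but do not send) the daily report message."""
    msg = EmailMessage()
    msg["Subject"] = f"Virus report for {day_label}"
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg.set_content(format_report(buckets))
    return msg


if __name__ == "__main__":
    b = bucket_entries(SAMPLE_EXPORT, day="2004-06-02")
    # Sender/recipient addresses are placeholders, not from the post.
    print(build_mail(b, "sav@example.invalid", ["sec@example.invalid"], "2004-06-02"))
```

The day filter is applied before bucketing so a stale "Left Alone" entry from the previous run does not reappear in the next morning's report; the "Special" match runs on the threat name only, independent of the action, which is why a Blaster hit with an unrecognised action still shows up in "Special".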

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.