hammackj

Tool: aviriaparser.rb

So a while back I downloaded and set up the Avira Professional Beta for Linux; it is a really good product for finding malware. This product has two downsides: 1) it does not work on PowerPC and 2) the logs are in a lame text format. So what I needed was a way to parse all the endless logs from the binaries I have collected, to see if anything was interesting enough to go ahead and RE the malicious code. So here is a simple script that will parse the raw Avira logs and write the results to the screen for easy viewing. The version I use in production is built into a Rails app and too complex to post here. Sorry.

#!/usr/bin/env ruby
#Jacob Hammack
#http://www.hammackj.com
#Ruby parser for the output of the Avira Professional for linux results

#This script assumes filenames are the sha1 hash of the file
#to change this

abort "usage: #{$0} <avira-log-file>" if ARGV.empty?

f = File.new(ARGV[0])

f.each { |line|
    # Limit the split to 6 fields so a ':' inside the result text
    # stays in the result instead of being cut off
    lines = line.chomp.split(':', 6)

    date   = lines[0]
    time   = lines[1]
    time1  = lines[2]
    av     = lines[3]
    type   = lines[4]
    result = lines[5]

    printf "Date: %s:%s:%s\n", date, time, time1
    printf "AntiVirus: %s\n", av

    if type =~ /WARNING .*\/([0-9a-fA-F]{40})(.*)/
        # $1 is the sha1 filename, $2 whatever follows it
        type = $1
        # drop the leading delimiter character, then trim (safe when $2 is empty)
        result = $2.to_s.sub(/\A./, '').strip
        printf "Filename: %s\n", type
        printf "Result: %s\n", result
    elsif type =~ /ALERT .*\/([0-9a-fA-F]{40})/
        type = $1
        printf "filename: %s\n", type
        # the result field is "shortname;category;description"
        result.to_s.scan(/(.*);(.*);(.*)/) { |s, c, d|
            printf "Shortname: %s\n", s
            printf "Category: %s\n", c
            printf "Description: %s\n", d
        }
    end

    puts "\n"
}

f.close

Example Usage

[hammackj@fajitas:~/Desktop]$ ./avguparser.rb filescan-20090615.log

Date: 2009-06-15 13:41:25 hoss avscan[21821]
AntiVirus:  AVGU

Date: 2009-06-15 13:41:40 hoss avscan[21821]
AntiVirus:  AVGU
filename: 00A66A90C0B2ECC0DEB975BE1F47526FD598D4A0
Shortname:  TR/Agent.225280.I
Category:  trojan
Description:  Is the Trojan horse TR/Agent.225280.I

Date: 2009-06-15 13:41:41 hoss avscan[21821]
AntiVirus:  AVGU
filename: 00B224187CE4C7E378E954DB76D1AF86DDF1403B
Shortname:  ADSPY/Mywebsearch.AN.2
Category:  adware
Description:  Contains detection pattern of the Ad- or Spyware ADSPY/Mywebsearch.AN.2

[hammackj@fajitas:~/Desktop]$
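As an added example (not the post's script, and not Avira's own code), here is a version of the same parsing that returns structured records instead of printing them, so the results can be filtered or grouped, for instance to count detections per category before deciding which samples are worth reversing. The lines in SAMPLE_LOG are constructed from the example output above; the post does not show the exact text between ALERT/WARNING and the file path, so the `[scan]` token, the sample directory and the WARNING message are assumptions. Like the original, it takes the file name to be the sha1 of the sample.

```ruby
#!/usr/bin/env ruby
# Added example: structured parser for Avira avscan log lines of the shape the
# post's script expects ("<date> <time> <host> avscan[pid]: AVGU: <message>").
# Constructed sample log: the ALERT lines rebuild the post's example output;
# the "[scan]" token, the path and the WARNING line are assumptions.
SAMPLE_LOG = <<~LOG
  2009-06-15 13:41:25 hoss avscan[21821]: AVGU: starting scan
  2009-06-15 13:41:40 hoss avscan[21821]: AVGU: ALERT [scan] /home/hammackj/samples/00A66A90C0B2ECC0DEB975BE1F47526FD598D4A0: TR/Agent.225280.I;trojan;Is the Trojan horse TR/Agent.225280.I
  2009-06-15 13:41:41 hoss avscan[21821]: AVGU: ALERT [scan] /home/hammackj/samples/00B224187CE4C7E378E954DB76D1AF86DDF1403B: ADSPY/Mywebsearch.AN.2;adware;Contains detection pattern of the Ad- or Spyware ADSPY/Mywebsearch.AN.2
  2009-06-15 13:41:42 hoss avscan[21821]: AVGU: WARNING [scan] /home/hammackj/samples/0123456789ABCDEF0123456789ABCDEF01234567: archive nesting too deep
  this line is not in syslog format and is skipped
LOG

# Syslog-style prefix: timestamp, host, process, engine name, then the message.
LINE_RE = /\A(?<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?<host>\S+) (?<process>\S+): (?<av>[^:]+): (?<message>.*)\z/

# ALERT/WARNING messages name the scanned file; as in the post, the file name
# is taken to be the sha1 of the sample, and whatever follows it is the detail.
DETECT_RE = /\A(?<level>ALERT|WARNING)\b.*?\/(?<sha1>[0-9a-fA-F]{40})\b:?\s*(?<detail>.*)\z/

# Parse one line into a hash, or nil if it is not a syslog-style avscan line.
def parse_avira_line(line)
  m = LINE_RE.match(line.chomp)
  return nil unless m

  rec = { timestamp: m[:timestamp], host: m[:host], process: m[:process],
          av: m[:av], level: 'INFO', message: m[:message] }

  d = DETECT_RE.match(m[:message])
  return rec unless d

  rec[:level] = d[:level]
  rec[:sha1]  = d[:sha1].upcase
  if d[:level] == 'ALERT'
    # Detection detail is "shortname;category;description"; limit the split so
    # a ';' inside the description stays in the description.
    short, cat, desc = d[:detail].split(';', 3)
    rec.merge!(shortname: short, category: cat, description: desc)
  else
    rec[:message] = d[:detail]
  end
  rec
end

# Parse a whole log (a String), dropping lines that do not match the format.
def parse_avira_log(text)
  text.each_line.map { |l| parse_avira_line(l) }.compact
end

# Group detected samples by Avira category, e.g. {"trojan" => [sha1, ...]}.
def detections_by_category(records)
  records.select { |r| r[:level] == 'ALERT' }
         .group_by { |r| r[:category] }
         .transform_values { |rs| rs.map { |r| r[:sha1] } }
end

if __FILE__ == $0
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOG
  records = parse_avira_log(text)
  detections_by_category(records).each do |category, hashes|
    puts "#{category}: #{hashes.size}"
    hashes.each { |h| puts "  #{h}" }
  end
  records.select { |r| r[:level] == 'WARNING' }.each do |r|
    puts "warning on #{r[:sha1]}: #{r[:message]}"
  end
end
```

Run it with a log path as the first argument, or with no argument to parse the constructed sample. Returning hashes rather than printing is what lets the same parser sit behind a Rails app or a quick one-off query; the limited splits on `:` and `;` are there because an AV description can contain either character.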