Some anti-virus software has a feature to customize the alert message when a virus is detected. The administrator can use this feature to instruct the user to contact the help-desk.
But most of the time, you cannot customize the message to the extend that it changes according to the type of alert. For example, an alert in the Temporary Internet Files folder is generated when a user browses a malicious website with IE. You want the custom message to tell him to “get the hell out of there”, in a politically correct way.
I wrote a quick C# PoC program that monitors the event log for virus alerts and displays customized messages for the user. Monitoring the event log is really easy with .NET:
EventLog myLog = new EventLog("Application");
myLog.EntryWritten += new EntryWrittenEventHandler(OnEventAdded);
myLog.EnableRaisingEvents = true;
The OnEventAdded function will be called each time an event is added to the Application event log.
private void OnEventAdded(object source, EntryWrittenEventArgs e)
{
if (e.Entry.Source == "Alert Manager Event Interface")
{
Regex regexVirus = new Regex(@"VirusScan Enterprise\: The file (.+) is infected with the (.+)\. ");
Match matchVirus = regexVirus.Match(e.Entry.Message);
if (matchVirus.Success)
{
String fileName = matchVirus.Groups[1].Value;
String virusName = matchVirus.Groups[2].Value.Substring(0, matchVirus.Groups[2].Value.IndexOf(". "));
// the rest of the code comes here
}
}
}
I test if the source is “Alert Manager Event Interface” (this is the case when you use McAfee VirusScan Enterprise), and then I parse the event message with regular expression to extract relevant data.
Example of a customized alert:
Example of a customized alert for IE:
PoC source code available here.
Didier Stevens 
Leave a Reply (comments are moderated)