Thomas,
> i've installed the new version from avira for unix, version 3.
> @av_scanner snippet:
>
> ### Avira for UNIX 3.x
> ['Avira AntiVir', ['avscan'],
> '-s --batch --alert-action=none {}', [0], qr/ALERT:/,
> qr/ALERT: (.+)/m ],
>
> playing around i found a (maybe) misbehaviour of amavisd:
>
> if "qr/ALERT: (.+)/m " (i used a wrong one, this one works for me) doesn't
> match the virus description, amavisd will ignore the virus. debug shows
> "<path>/ parts INFECTED:" and then continues and forwards the email instead
> of saving to the quarantine.
>
> i'm using amavisd 2.6.3-rc1
>
> sample output of avscan if it found an infected file:
>
> file: /tmp/EICAR
> last modified on date: 2009-04-16 time: 16:36:17, size: 70 bytes
> ALERT: Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus
> ALERT-URL: http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature
> no action taken
I don't know - I tried to reproduce your case (cut/pasted your av entry
and used a shell script to always write your sample text), and I get the
following on the log (level 5):
(36486-01) run_command:
[36515] /usr/local/src/0.sh -s --batch --alert-action=none
/var/amavis/tmp-am/amavis-20090417T190043-36486/parts </dev/null 2>&1
(36486-01) collect_results from [36515] (Avira AntiVir), 263 bytes,
(limit 204800)
(36486-01) prolong_timer run_av: timer set to 473 s
(36486-01) run_av: /usr/local/src/0.sh exit 0, file: /tmp/EICAR\n last
modified on date: 2009-04-16 time: 16:36:17, size: 70 bytes\n
ALERT: Eicar-Test-Signature ; virus ; Contains code of the
Eicar-Test-Signature virus\n ALERT-URL:
http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature\n
no action taken
(36486-01) run_av (Avira AntiVir):
/var/amavis/tmp-am/amavis-20090417T190043-36486/parts INFECTED:
Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature
virus
which is about right. The virus name is unsightly long, but it
gets the job done, and a message is treated as infected.
Could you please retry your experiment and show the log.
What counts as an infection is when the regexp qr/ALERT:/
on the given string matches. The actual virus name (matched
by the qr/ALERT: (.+)/m) is used in the log and notifications,
but even if empty (no name found), the message should still
count as infected.
Mark
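The decision rule Mark describes, as an added example (not amavisd's own code): a simplified stand-in for run_av where the "infected" regexp alone decides the verdict and the "virus name" regexp only supplies the name. The avscan output is the one quoted in the thread; the non-matching name regexp in the second call is constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not amavisd's own code: a simplified stand-in for the
# run_av decision. The "infected" regexp (qr/ALERT:/) decides the verdict;
# the "virus name" regexp (qr/ALERT: (.+)/m) only feeds logs/notifications.
use strict;
use warnings;

# Constructed input: the avscan output quoted in the thread, as one string.
my $avscan_output = <<'END';
file: /tmp/EICAR
last modified on date: 2009-04-16 time: 16:36:17, size: 70 bytes
ALERT: Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus
ALERT-URL: http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature
no action taken
END

# $ok_exits mirrors the [0] field of the @av_scanners entry (exit codes that
# mean "scanned, nothing found"); $exit_status is what the scanner returned.
sub classify {
    my ($output, $exit_status, $ok_exits, $infected_re, $name_re) = @_;
    if ($output =~ $infected_re) {
        my ($name) = $output =~ $name_re;     # undef when $name_re does not match
        return ('INFECTED', defined $name ? $name : '');
    }
    return ('CLEAN', '') if grep { $_ == $exit_status } @$ok_exits;
    return ('FAILED', "unexpected exit status $exit_status");
}

# Entry from the thread: qr/ALERT:/ decides, qr/ALERT: (.+)/m names the virus.
my ($verdict, $name) =
    classify($avscan_output, 0, [0], qr/ALERT:/, qr/ALERT: (.+)/m);
printf "%s: '%s'\n", $verdict, $name;

# Same output, but with a name regexp (constructed) that matches nothing:
# the infected verdict must not change, only the name is empty.
($verdict, $name) =
    classify($avscan_output, 0, [0], qr/ALERT:/, qr/^VIRUS: (.+)/m);
printf "%s: '%s'\n", $verdict, $name;

# Output without an ALERT: line and exit status 0 is clean.
($verdict, $name) =
    classify("file: /tmp/plain.txt\n", 0, [0], qr/ALERT:/, qr/ALERT: (.+)/m);
printf "%s\n", $verdict;
```

The first two calls both report INFECTED, the second one with an empty name, which is the behaviour Mark describes; a run whose log shows the second case forwarding the mail would point at something other than the name regexp.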
_______________________________________________
AMaViS-user mailing list
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/