----- Original Message ----- From: "Mark Martinec" <[EMAIL PROTECTED]>
> Bill,
>
> > (08400-01-2) ask_av (Avast! Antivirus daemon):
> > /var/amavis/tmp/amavis-20060213T104403-08400/parts INFECTED: Win32:Beagle-HZ
> > [Wrm
> >
> > What modification can I make to:
> >
> >   qr/[\t]\[+\]/, qr/[\t]\[L\][\t]/, qr/[\t]\[L\][\t](.+)[^\r\n]/ ],
> >
> > in order to cut " [Wrm" from the end of the log output line?
>
> This regexp does indeed look fishy.
>
> Could you please provide a couple of samples from the log (level 4 or above):
>
>   egrep 'ask_av .* result: ' /var/log/amavisd.log

Here are two samples at log level 5:

Feb 13 17:59:46 mgw1.pointshare.com /usr/local/sbin/amavisd[10253]: (10253-01-4) ask_av (Avast! Antivirus daemon) result: 220 Welcome to avast! Virus scanning daemon 2.0.0 (VPS 0607-0 13.02.2006)\r\n200 OK\r\n/var/amavis/tmp/amavis-20060213T175527-10253/parts/p005\t[+]\r\n/var/amavis/tmp/amavis-20060213T175527-10253/parts/p004\t[L]\tWin32:Beagle-HZ [Wrm]\r\n/var/amavis/tmp/amavis-20060213T175527-10253/parts/p001\t[+]\r\n\r\n221 Service closing transmission channel\r\n
Feb 13 17:59:46 mgw1.pointshare.com /usr/local/sbin/amavisd[10253]: (10253-01-4) ask_av (Avast! Antivirus daemon): /var/amavis/tmp/amavis-20060213T175527-10253/parts INFECTED: Win32:Beagle-HZ [Wrm]\r
=====
Feb 13 18:01:29 mgw1.pointshare.com /usr/local/sbin/amavisd[10253]: (10253-01-5) ask_av (Avast! Antivirus daemon) result: 220 Welcome to avast! Virus scanning daemon 2.0.0 (VPS 0607-0 13.02.2006)\r\n200 OK\r\n/var/amavis/tmp/amavis-20060213T175527-10253/parts/p002\t[L]\tWin32:Beagle-AH [Wrm]\r\n/var/amavis/tmp/amavis-20060213T175527-10253/parts/p001\t[+]\r\n\r\n221 Service closing transmission channel\r\n
Feb 13 18:01:29 mgw1.pointshare.com /usr/local/sbin/amavisd[10253]: (10253-01-5) ask_av (Avast! Antivirus daemon): /var/amavis/tmp/amavis-20060213T175527-10253/parts INFECTED: Win32:Beagle-AH [Wrm]\r

> The [\t] occurrences could just as well be a plain \t
> and the [^\r\n] eats the last ], and possibly misbehaves
> on Mac OS X.
> The \[+ looks suspicious too: matching
> one or more left brackets.
>
> Here is my blind guess at improvement:
>
>   qr/\t\[.\]/, qr/\t\[L\]\t/, qr/\t\[L\]\t([^[\015\012]+)/ ],

Here is the output of the same two viruses from your parse string above:

Feb 13 18:06:54 mgw1.pointshare.com /usr/local/sbin/amavisd[10480]: (10480-01) ask_av (Avast! Antivirus daemon) result: 220 Welcome to avast! Virus scanning daemon 2.0.0 (VPS 0607-0 13.02.2006)\r\n200 OK\r\n/var/amavis/tmp/amavis-20060213T180640-10480/parts/p005\t[+]\r\n/var/amavis/tmp/amavis-20060213T180640-10480/parts/p004\t[L]\tWin32:Beagle-HZ [Wrm]\r\n/var/amavis/tmp/amavis-20060213T180640-10480/parts/p001\t[+]\r\n\r\n221 Service closing transmission channel\r\n
Feb 13 18:06:54 mgw1.pointshare.com /usr/local/sbin/amavisd[10480]: (10480-01) ask_av (Avast! Antivirus daemon): /var/amavis/tmp/amavis-20060213T180640-10480/parts INFECTED: Win32:Beagle-HZ
=====
Feb 13 18:07:52 mgw1.pointshare.com /usr/local/sbin/amavisd[10480]: (10480-01-2) ask_av (Avast! Antivirus daemon) result: 220 Welcome to avast! Virus scanning daemon 2.0.0 (VPS 0607-0 13.02.2006)\r\n200 OK\r\n/var/amavis/tmp/amavis-20060213T180640-10480/parts/p002\t[L]\tWin32:Beagle-AH [Wrm]\r\n/var/amavis/tmp/amavis-20060213T180640-10480/parts/p001\t[+]\r\n\r\n221 Service closing transmission channel\r\n
Feb 13 18:07:52 mgw1.pointshare.com /usr/local/sbin/amavisd[10480]: (10480-01-2) ask_av (Avast! Antivirus daemon): /var/amavis/tmp/amavis-20060213T180640-10480/parts INFECTED: Win32:Beagle-AH

The output looks great. Let me know if you want to revise the parse string and would like me to do any further testing for you.

Thanks for your assistance with this, Mark!
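To see exactly why the original third pattern loses the closing bracket and why Mark's does not, here is an added Python example; it is not code from this thread or from amavisd. It runs both pattern triples over a daemon reply constructed from the first level-5 log sample above (the logged `\r\n` escapes turned back into real CRLF bytes). It assumes the three patterns serve, in order, as clean marker, infected marker and virus-name capture, which is my reading of the entry rather than something the thread states; the `\015\012` in the Perl original are octal CR and LF and are written `\r\n` here.

```python
import re

# Constructed sample: the daemon reply from the first level-5 log line in the
# thread, with the logged "\r\n" escapes turned back into real CRLF bytes.
SAMPLE_REPLY = (
    "220 Welcome to avast! Virus scanning daemon 2.0.0 (VPS 0607-0 13.02.2006)\r\n"
    "200 OK\r\n"
    "/var/amavis/tmp/amavis-20060213T175527-10253/parts/p005\t[+]\r\n"
    "/var/amavis/tmp/amavis-20060213T175527-10253/parts/p004\t[L]\tWin32:Beagle-HZ [Wrm]\r\n"
    "/var/amavis/tmp/amavis-20060213T175527-10253/parts/p001\t[+]\r\n"
    "\r\n"
    "221 Service closing transmission channel\r\n"
)

# The triple Bill started with. Assumed roles (not stated in the thread):
# clean marker, infected marker, virus-name capture.
OLD_PATTERNS = (
    re.compile(r"[\t]\[+\]"),                 # \[+ is "one or more [", so "[+]" never matches
    re.compile(r"[\t]\[L\][\t]"),
    re.compile(r"[\t]\[L\][\t](.+)[^\r\n]"),  # [^\r\n] must consume one char: the final ]
)

# Mark's proposed triple; \015\012 in the Perl original are octal CR and LF.
NEW_PATTERNS = (
    re.compile(r"\t\[.\]"),
    re.compile(r"\t\[L\]\t"),
    re.compile(r"\t\[L\]\t([^\[\r\n]+)"),      # stop at the first [ or at end of line
)


def part_status(reply, patterns):
    """Classify each per-file line of the reply as clean, infected or unmatched.

    Only lines naming a scanned file (they start with '/') carry a status; the
    greeting, '200 OK', the blank separator and the '221' line are skipped.
    """
    clean_re, infected_re, _ = patterns
    statuses = []
    for line in reply.split("\r\n"):
        if not line.startswith("/"):
            continue
        path = line.split("\t", 1)[0]
        if infected_re.search(line):
            statuses.append((path, "infected"))
        elif clean_re.search(line):
            statuses.append((path, "clean"))
        else:
            statuses.append((path, "unmatched"))
    return statuses


def virus_name(reply, patterns):
    """Return the first virus name the triple's third pattern captures, or None."""
    m = patterns[2].search(reply)
    return m.group(1) if m else None


if __name__ == "__main__":
    for label, patterns in (("original", OLD_PATTERNS), ("proposed", NEW_PATTERNS)):
        print(label, part_status(SAMPLE_REPLY, patterns))
        print(label, "virus name:", repr(virus_name(SAMPLE_REPLY, patterns)))
```

With the original triple the clean lines come out unmatched (because `\[+\]` cannot match `[+]`) and the name is captured as `Win32:Beagle-HZ [Wrm`; with the proposed triple the clean lines match and the capture stops before `[Wrm]`, leaving `Win32:Beagle-HZ ` with a trailing space that callers comparing names exactly may want to strip.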
Bill

PS, here is what I found to be the most optimal settings for the Avast command line (avastcmd) scanner entry for amavisd.conf:

### http://www.avast.com/
['Avast Anti-Virus', ['/usr/bin/avastcmd','avastcmd'],
  '-a -i -n -t=A {}', [0], [1], qr/infected by: (.+)/ ],

This is based on the following scanner options:

===== avastcmd --help
Usage: avastcmd [OPTION...]
avastcmd v2.0.0 -- command-line virus scanner

Options:
  -_, --console              Application will be working in STDIN/STDOUT mode
  -a, --testall              Test all of the files (default)
  -b, --blockdevices         Scan block devices
  -c, --testfull             Scan entire files
  -d, --directory            Scan only directory content
  -i, --ignoretype           Ignore virus sets
  -n, --nostats              No virus check statistics
  -p, --continue=1234        Automatic action with infected file: 1:delete, 2:(not supported), 3:repair, 4:stop
  -r, --report=[*]file       Create report file, '*' for OK results
  -t, --archivetype[=ZGBTIJRXOQLAN]
                             Scan archives: Z:ZIP(default), G:GZ(default), B:BZIP2(default), T:TAR(default), I:MIME
                             J:ARJ, R:RAR, X:Exec(default), O:ZOO, Q:ARC, H:LHA, F:TNEF, V:CPIO, P:RPM, Y:ISO, D:DBX, 6:SIS, W:WINEXEC(default), A:All, N:None
  -v, --viruslist=mask       Show list of all specific viruses
  -h, --help                 Give this help list
      --usage                Give a short usage message
  -V, --version              Print program version

Mandatory or optional arguments to long options are also mandatory or optional for any corresponding short options.
=====

Here is a sample of what an avastcmd scan reports using the above scan options:

avastcmd -a -i -n -t=A /var/quarantine/virus/virus-20060213-111317-08751-01
/var/quarantine/virus/virus-20060213-111317-08751-01  [OK]
Archived /var/quarantine/virus/virus-20060213-111317-08751-01/PartNo_0#3387630057  [OK]
Archived /var/quarantine/virus/virus-20060213-111317-08751-01/pointshare.com.zip#3624106387  [infected by: Win32:Mydoom-M [Wrm]]
Archived /var/quarantine/virus/virus-20060213-111317-08751-01/pointshare.com.zip#3624106387/pointshare.com  [infected by: Win32:Mydoom-M [Wrm]]

_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
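The command-line entry's name pattern has the same greedy-capture character as the daemon one: on an avastcmd report line the `[infected by: ...]` status is itself bracketed, so `(.+)` runs to the end of the line and keeps both closing brackets. The following added Python example (mine, not code from the thread or from amavisd) parses a report constructed from the avastcmd output above with Bill's pattern and with a variant anchored on the line's closing bracket, which is my suggestion rather than anything proposed in the thread.

```python
import re

# Constructed sample, built from the avastcmd run quoted in the thread: one
# clean top-level file, one clean archive member, two infected archive members.
SAMPLE_REPORT = """\
/var/quarantine/virus/virus-20060213-111317-08751-01  [OK]
Archived /var/quarantine/virus/virus-20060213-111317-08751-01/PartNo_0#3387630057  [OK]
Archived /var/quarantine/virus/virus-20060213-111317-08751-01/pointshare.com.zip#3624106387  [infected by: Win32:Mydoom-M [Wrm]]
Archived /var/quarantine/virus/virus-20060213-111317-08751-01/pointshare.com.zip#3624106387/pointshare.com  [infected by: Win32:Mydoom-M [Wrm]]
"""

# The virus-name pattern from the amavisd.conf entry in the thread.
PAGE_NAME_RE = re.compile(r"infected by: (.+)")
# Variant (my suggestion, not from the thread): anchor on the report line's
# closing bracket so the capture stops one ']' earlier.
ANCHORED_NAME_RE = re.compile(r"infected by: (.+)\]$")

# Each per-file report line is "[Archived ]<path>  [<status>]"; paths carry no spaces.
LINE_RE = re.compile(r"^(?:Archived )?(\S+)\s+\[(.*)\]$")


def parse_report(report, name_re):
    """Return [(path, virus_name_or_None)] for every per-file report line.

    An [OK] line yields None; an infected line yields whatever name_re captures,
    so running the same report through two patterns shows how they differ.
    """
    parsed = []
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or statistics lines carry no per-file result
        path = m.group(1)
        name_match = name_re.search(line)
        parsed.append((path, name_match.group(1) if name_match else None))
    return parsed


def infected_names(report, name_re):
    """Deduplicated list of captured virus names, in report order."""
    names = []
    for _, name in parse_report(report, name_re):
        if name is not None and name not in names:
            names.append(name)
    return names


if __name__ == "__main__":
    for label, name_re in (("page pattern", PAGE_NAME_RE), ("anchored", ANCHORED_NAME_RE)):
        print(label, infected_names(SAMPLE_REPORT, name_re))
```

Bill's pattern yields `Win32:Mydoom-M [Wrm]]`; the anchored variant yields `Win32:Mydoom-M [Wrm]`. Whether the doubled bracket matters depends on how the captured name is used downstream (log lines and notification text tolerate it; anything that compares names exactly does not).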
