On Fri, 17 Apr 2009 19:13:21 +0200, Mark Martinec wrote:
> Thomas,
>
>> I've installed the new version from avira for unix, version 3.
>> @av_scanner snippet:
>>
>> ### Avira for UNIX 3.x
>> ['Avira AntiVir', ['avscan'],
>>   '-s --batch --alert-action=none {}', [0], qr/ALERT:/, qr/ALERT: (.+)/m ],
>>
>> playing around I found a (maybe) misbehaviour of amavisd:
>>
>> if "qr/ALERT: (.+)/m" (I used a wrong one, this one works for me)
>> doesn't match the virus description, amavisd will ignore the virus.
>> debug shows "<path>/parts INFECTED:" and then continues and forwards
>> the email instead of saving to the quarantine.
>>
>> I'm using amavisd 2.6.3-rc1
>>
>> sample output of avscan if it found an infected file:
>>
>> file: /tmp/EICAR
>> last modified on date: 2009-04-16 time: 16:36:17, size: 70 bytes
>> ALERT: Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus
>> ALERT-URL: http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature
>> no action taken
>
> I don't know - I tried to reproduce your case (cut/pasted your av entry
> and used a shell script to always write your sample text), and I get the
> following on the log (level 5):
>
> (36486-01) run_command: [36515] /usr/local/src/0.sh -s --batch --alert-action=none /var/amavis/tmp-am/amavis-20090417T190043-36486/parts </dev/null 2>&1
> (36486-01) collect_results from [36515] (Avira AntiVir), 263 bytes, (limit 204800)
> (36486-01) prolong_timer run_av: timer set to 473 s
> (36486-01) run_av: /usr/local/src/0.sh exit 0, file: /tmp/EICAR\n last modified on date: 2009-04-16 time: 16:36:17, size: 70 bytes\n ALERT: Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus\n ALERT-URL: http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature\n no action taken
> (36486-01) run_av (Avira AntiVir): /var/amavis/tmp-am/amavis-20090417T190043-36486/parts INFECTED: Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus
>
> which is about right. The virus name is unsightly long, but it gets the
> job done, and a message is treated as infected.
>
> Could you please retry your experiment and show the log.
>
> What counts as an infection is when the regexp qr/ALERT:/ on the given
> string matches. The actual virus name (matched by the qr/ALERT: (.+)/m)
> is used in the log and notifications, but even if empty (no name found),
> the message should still count as infected.
>
> AMaViS-HowTos:http://www.amavis.org/howto/
OK, here are "steps to reproduce" and the debug log:

1. for example change

### Avira for UNIX 3.x
['Avira AntiVir', ['avscan'],
  '-s --batch --alert-action=none {}', [0], qr/ALERT:/, qr/ALERT: (.+)/m ],

to this faulty one:

### Avira for UNIX 3.x
['Avira AntiVir', ['avscan'],
  '-s --batch --alert-action=none {}', [0], qr/ALERT:/, qr/ALERT: asdfasdf/ ],

2. disable all other primary av scanners.
3. send an EICAR message to a gmail.com account
4. receive a message about an infected and blocked message from the gmail.com servers

debug log: http://pastebin.com/m7e1b8fab
see "INFECTED" on line 330, and then it goes on delivering the mail instead of blocking it.

- Thomas

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
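The rule Mark spells out above (the infection regexp decides whether a message is infected; the name regexp only supplies a label for the log and notifications, and an empty label must not turn an infected verdict into a clean one) can be checked in isolation against the posted avscan output. The Python below is an added illustration written for this thread, not amavisd's own code (amavisd is Perl and its real `run_av` also handles exit-code lists in more detail); the scanner output strings are constructed copies of the sample Thomas posted, `CLEAN_OUTPUT` and the exit-status handling are assumptions of mine, and both the working `ALERT: (.+)` and the faulty `ALERT: asdfasdf` entries from the thread are run through it.

```python
import re

# Constructed copy of the avscan output posted in the thread.
SAMPLE_OUTPUT = (
    "file: /tmp/EICAR\n"
    "last modified on date: 2009-04-16 time: 16:36:17, size: 70 bytes\n"
    "ALERT: Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus\n"
    "ALERT-URL: http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature\n"
    "no action taken\n"
)

# Constructed (assumed) output for a file the scanner finds clean.
CLEAN_OUTPUT = (
    "file: /tmp/clean.txt\n"
    "last modified on date: 2009-04-16 time: 16:36:17, size: 12 bytes\n"
    "no action taken\n"
)

# The two @av_scanner entries from the thread, reduced to the parts that matter here:
# (clean exit codes, infection indicator regexp, virus-name regexp).
WORKING_ENTRY = ([0], r"ALERT:", r"ALERT: (.+)")
FAULTY_ENTRY = ([0], r"ALERT:", r"ALERT: asdfasdf")


def evaluate_av_result(output, exit_status, entry):
    """Model of the decision rule described in the thread (not amavisd's code).

    The infection regexp is authoritative: if it matches anywhere in the
    scanner output, the result is INFECTED. The name regexp is then applied
    only to collect names; a miss yields an empty list, never a CLEAN verdict.
    Without an infection match, a clean exit code means CLEAN and anything
    else is treated as a scanner ERROR (assumed simplification).
    """
    clean_codes, infected_re, name_re = entry
    if re.search(infected_re, output, re.M):
        names = []
        for m in re.finditer(name_re, output, re.M):
            # Use the capture group when the pattern has one, else the whole match.
            text = m.group(1) if m.lastindex else m.group(0)
            if text.strip():
                names.append(text.strip())
        return {"status": "INFECTED", "virus_names": names}
    if exit_status in clean_codes:
        return {"status": "CLEAN", "virus_names": []}
    return {"status": "ERROR", "virus_names": []}


def mail_disposition(result):
    """What should happen to the message for a given scanner verdict."""
    if result["status"] == "INFECTED":
        return "quarantine"
    if result["status"] == "CLEAN":
        return "deliver"
    return "defer"  # scanner error: do not deliver as if clean


def compare_entries(output, exit_status):
    """Run both the working and the faulty entry over the same output."""
    return {
        "working": evaluate_av_result(output, exit_status, WORKING_ENTRY),
        "faulty": evaluate_av_result(output, exit_status, FAULTY_ENTRY),
    }


if __name__ == "__main__":
    for label, result in compare_entries(SAMPLE_OUTPUT, 0).items():
        print(f"{label:8s} {result['status']:8s} {mail_disposition(result):10s} "
              f"names={result['virus_names']}")
    print("clean   ", evaluate_av_result(CLEAN_OUTPUT, 0, WORKING_ENTRY))
```

Two details are worth noting when checking a scanner entry this way: `ALERT:` does not match the `ALERT-URL:` line (the hyphen, not a colon, follows `ALERT`), so the indicator pattern does not double-count that line; and with the faulty name pattern the verdict stays INFECTED with an empty name list, which is the behaviour Mark describes as correct and the one to compare against the pastebin log.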