hello,

at http://andreasschulze.de/tmp/samplemail I put a sample mail body. It contains a PayPal phishing mail Avira assigned an unusual log name to. Savapi mode handles it correctly. But I have some older systems using the avscan interface. There the virus name is empty, which breaks my backend scripting: I assume a virus name is at least one character and contains no spaces.

I don't see why "ALERT: ([^;.]+) ;/m" should not match "ALERT: PayPal_Limited_Form.html <<< PHISH/Paypal.27959 ; phishing : foobar", but maybe it's related to an older amavisd-new version. Any help is welcome ...

Andreas

amavisd-new 2.7.0-pre* with Avira via savapi-daemon logs:

Jan 26 11:06:04 idvamavis03 amavis[9249]: (09249) run_av (Avira SAVAPI): p004 p001 p002 INFECTED: 310, PayPal_Limited_Form.html <<< PHISH/Paypal.27959, 310, PHISH/Paypal.27959
Jan 26 11:06:04 idvamavis03 amavis[9249]: (09249) virus_scan: (310, PayPal_Limited_Form.html <<< PHISH/Paypal.27959, PHISH/Paypal.27959), detected by 1 scanners: Avira SAVAPI

amavisd-new 2.6.4 with Avira via avscan logs:

Jan 26 11:48:52 mailin02 amavis[10545]: (10545) run_av (Avira-avscan): /var/spool/amavis/tmp/afXXXXDSyWyM/parts INFECTED:
Jan 26 11:48:52 mailin02 amavis[10545]: (10545) virus_scan: (), detected by 1 scanners: Avira-avscan

the virus scanner definitions used are:
---
['Avira SAVAPI', \&ask_daemon,
  ["*", 'savapi:/var/run/savapi/socket', '10077'],
  qr/^(200|210) /m, qr/^(310|420|319) /m,
  qr/^(310|420) (.+?) ; \S* ; (?:.*)$/m ]
---
['Avira-avscan', '/usr/bin/avscan',
  '-s --batch --alert-action=none {}', [0],
  qr/ALERT:/, qr/ALERT: ([^;.]+) ;/m ],
---

calling avscan directly:

# /usr/bin/avscan -s --batch --alert-action=none /var/spool/amavis/virusmails/J/virus-JaK3PgGzRGzn
Avira AntiVir Server (ondemand scanner)
Copyright (C) 2010 by Avira GmbH. All rights reserved.

SAVAPI-Version: 3.1.1.8, AVE-Version: 8.2.4.150
VDF-Version: 7.11.1.247 created 20110126
AntiVir license: 42
Info: automatically excluding /sys/ from scan (special fs)
Info: automatically excluding /proc/ from scan (special fs)
Info: automatically excluding /home/quarantine/ from scan (quarantine)
file: /var/spool/amavis/virusmails/J/virus-JaK3PgGzRGzn
last modified on date: 2011-01-26 time: 08:29:42, size: 33276 bytes
ALERT: PayPal_Limited_Form.html <<< PHISH/Paypal.27959 ; phishing ; Contains detection pattern of the Phish-File/Email PHISH/Paypal.27959
ALERT-URL: http://www.avira.com/en/threats?q=PHISH%2FPaypal%2E27959
no action taken

------ scan results ------
directories: 0
scanned files: 1
alerts: 1
suspicious: 0
repaired: 0
deleted: 0
renamed: 0
moved: 0
scan time: 00:00:01
--------------------------

-- 
Andreas Schulze
Internetdienste | P252
DATEV eG
90329 Nürnberg | Telefon +49 911 319-0 | Telefax +49 911 319-3196
E-Mail info @datev.de | Internet www.datev.de
Sitz: 90429 Nürnberg, Paumgartnerstr. 6-14 | Registergericht Nürnberg, GenReg Nr.70
Vorstand Prof. Dieter Kempf (Vorsitzender), Dipl.-Kfm. Wolfgang Stegmann (stellvertretender Vorsitzender), Dipl.-Kfm. Michael Leistenschneider, Jörg Rabe v. Pappenheim, Dipl.-Vw. Eckhard Schwarzer
Vorsitzender des Aufsichtsrates: Reinhard Verholen

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
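The empty virus name can be reproduced outside amavisd-new. The following is an added example, not part of the post and not amavisd-new code: it re-creates the post's Avira-avscan pattern, qr/ALERT: ([^;.]+) ;/m, in Python's re module (which treats this particular pattern exactly as Perl does) and runs it over the ALERT line quoted in the post, plus a constructed ALERT line without a file prefix. The character class [^;.] excludes the dot, so the match halts at the "." of "PayPal_Limited_Form.html", where no " ;" follows, and nothing is captured. The REVISED pattern and the is_usable_name check are my suggestions, not something amavisd-new ships: the pattern allows dots and skips the "<file> <<< " prefix when present, so it works on both line shapes, and the check encodes the post's own assumption that a usable name is non-empty and contains no whitespace.

```python
import re

# Constructed sample of avscan output, modelled on the ALERT line quoted in
# the post (file name and signature name are the ones from the post).
SAMPLE_WITH_FILE = """\
file: /var/spool/amavis/virusmails/J/virus-JaK3PgGzRGzn
ALERT: PayPal_Limited_Form.html <<< PHISH/Paypal.27959 ; phishing ; Contains detection pattern of the Phish-File/Email PHISH/Paypal.27959
ALERT-URL: http://www.avira.com/en/threats?q=PHISH%2FPaypal%2E27959
no action taken
"""

# Constructed sample without the "<file> <<< " prefix and without a dot in
# the name; the post's original pattern copes with this shape.
SAMPLE_PLAIN = "ALERT: Eicar-Test-Signature ; test ; constructed sample line\n"

# The post's pattern, qr/ALERT: ([^;.]+) ;/m in the amavisd-new (Perl) config.
ORIGINAL = re.compile(r"ALERT: ([^;.]+) ;", re.M)

# Assumed replacement (not from amavisd-new): allow dots in the name, and when
# avscan prints "<file> <<< <name>", skip past "<<< " so only the signature
# name is captured. Either way the capture stops at the first " ;".
REVISED = re.compile(r"ALERT: (?:.*?<<< )?([^;]+?) ;", re.M)


def extract_names(output, pattern):
    """Return every virus name the pattern captures from scanner output."""
    return pattern.findall(output)


def stop_point(line):
    """Return (offset, char) where [^;.]+ stops after 'ALERT: ', or None.

    Shows why the original pattern yields nothing: the class excludes '.',
    so it halts at the dot of 'PayPal_Limited_Form.html', and the required
    ' ;' is not there.
    """
    m = re.search(r"ALERT: ([^;.]*)", line)
    if m is None or m.end(1) >= len(line):
        return None
    return m.end(1), line[m.end(1)]


def is_usable_name(name):
    """The backend's assumption from the post: non-empty, no whitespace."""
    return len(name) > 0 and re.search(r"\s", name) is None


if __name__ == "__main__":
    for label, text in (("with file prefix", SAMPLE_WITH_FILE),
                        ("plain", SAMPLE_PLAIN)):
        print(label, "original:", extract_names(text, ORIGINAL),
              "revised:", extract_names(text, REVISED))
    print("original class stops at",
          stop_point(SAMPLE_WITH_FILE.splitlines()[1]))
```

On the post's ALERT line the original pattern returns no name at all, which is what amavisd-new then logs as "virus_scan: ()"; the revised pattern returns PHISH/Paypal.27959, and the same name is what the SAVAPI path already reports. Checking is_usable_name on whatever a scanner regex returns, before handing the value to backend scripts, turns a silently empty name into an explicit failure.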