On 12/10/13 21:21, Ralf G. R. Bergs wrote:
On 2013-10-12 22:03 , Ralf G. R. Bergs wrote:
I'm now at a point where it triggers, but the malware name is still
wrong. I'm confident that I will fix this soon.
This is what I had, and I cannot make this extract the malware name:
warn message = This message contains malware
($malware_name)
set acl_m0 = cmdline:\
/usr/lib/AntiVir/guard/avscan -s --batch
--scan-mode=all %s;\
/bin/echo -e \N"\navira_retval $?"\N:\
\N^avira_retval 1$\N:\
\N^.*ALERT: ([^;]*) ;.*$\N
malware = *
[...]
Any idea why my original expression doesn't extract the name properly?
I'm sure the characters after "ALERT:" and before the ";" are spaces,
since I redirected the output into a file and looked at it with a hexdump.
I somehow have the suspicion that the ":" (colon) character is confusing
ExiScan/Exim (even though the whole thing is included in between \N...\N)?!
The av_scanner string is parsed by Exim's list-handling code, splitting
on (by default) the colon character. To get a colon into the
name-expression for the cmdline processor you need to double it, or
change to a non-default list separator. See
http://exim.org/exim-html-current/doc/html/spec_html/ch-the_exim_run_time_configuration_file.html#SECTlistconstruct
for details. The \N wrappers that protect the regex from Exim's
string-expansion do not protect it from list-element splitting.
I'll see about adding a warning to the documentation on this point.
--
Cheers,
Jeremy
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
