Dennis Davis wrote:
> On Thu, 1 Dec 2005, Nigel Wade wrote:
>
>
>>From: Nigel Wade <nmw@???>
>>To: Exim users list <exim-users@???>
>>Date: Thu, 01 Dec 2005 15:27:59 +0000
>>Subject: Re: [exim] How to debug malware
>
>
> ...
>
>
>>My mime ACL was incorrect, and it was not performing the decode
>>= default. Now that I've fixed it as above it does the required
>>action of decoding the mime parts. When the data acl is actioned,
>>and the av_scanner is run, the decoded mime parts are all there
>>in separate files in the directory which is passed to the
>>av_scanner. Sophos sweep will now happily detect viruses both in
>>the entire message, and in the decoded parts.
>>
>>Thanks for supplying the correct syntax of the mime ACL.
>
>
> In an earlier message you said:
>
>
>>Sorry, I forgot to add that the av_scanner is:
>>
>>av_scanner = cmdline:\
>> /usr/local/bin/sweep -ss -all -rec -archive %s:\
>> found:'(.+)
>
>
> Note that Sophos sweep *won't* do any mime decoding unless you tell
> it to. So change the above to:
>
> av_scanner = cmdline:\
> /usr/local/bin/sweep -ss -all -rec -archive -mime %s:\
> found:'(.+)
>
> and try again. You may well find you don't need your mime ACL.
>
> It's *very* easy to miss this. It isn't documented in the manual
> page for Sophos sweep and the example in the exim specification
> doesn't include it. You only find it out by typing something like
> "sweep --help" to get a list of the options.

Thanks, I've already done this; someone mailed me off-list to tell me about this
option.
--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@???
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555