Re: [exim] malware_name not reporting correct name?

Author: John Horne
Date:
To: exim-users
Subject: Re: [exim] malware_name not reporting correct name?
On Sun, 2010-08-29 at 01:20 -0400, Phil Pennock wrote:
> On 2010-08-27 at 14:41 +0100, John Horne wrote:


> > >
> > > It seems that the InetMsg spamdomain third-party signatures are being
> > > reported by ClamAV as (e.g.):
> > > INetMsg.SpamDomain-2m.engduates_com.UNOFFICIAL(924747f3c8e4b999eb887c755839021b:457)
> > > Our clamd log file shows the same name as being detected.
> > >


>
> This is very plausible. The expected results from ClamAV are:
> infected: -> "<filename>: <virusname> FOUND"
> not-infected: -> "<filename>: OK"
> error: -> "<filename>: <errcode> ERROR"
>
> and the code does a strrchr() to find the colon. FWIW, this parsing has
> not (yet) changed with the 4.73 ClamAV re-working, so an upgrade won't
> help you.
>
> The documentation for ClamAV only documents the FOUND and OK cases and
> states that "When a virus is found its name is printed between the
> filename: and FOUND strings."
>
> Clearly the parse logic in Exim needs to be a little more careful. I'm
> apparently in the middle of developing a head-cold which is messing up
> my ability to think clearly, so don't feel that any code I wrote now
> would be worth the electrons used to encode it. So, patches welcome.
> :)
>

Okay, thanks for this, and I hope you get well soon.

I've had a quick look at the code, and I think it should be possible to
cater for this case. I'll bugzilla the problem, and submit a patch if I
can devise one.



John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001
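
The parsing problem discussed in this thread, as an added example (not part of the original messages and not Exim's code): a last-colon split next to a parser anchored on the filename and the trailing keyword. It assumes the caller knows the filename it passed to clamd; the function names and the spool path are hypothetical.

```c
#include <stdio.h>
#include <string.h>
enum verdict { V_OK, V_FOUND, V_ERROR, V_BADREPLY };

/* Constructed sample: spool path is made up; signature name is the one quoted in the thread. */
static const char SAMPLE_FILE[] = "/var/spool/exim/scan/msg.eml";
static const char SAMPLE_REPLY[] = "/var/spool/exim/scan/msg.eml: "
    "INetMsg.SpamDomain-2m.engduates_com.UNOFFICIAL"
    "(924747f3c8e4b999eb887c755839021b:457) FOUND\n";

/* Last-colon split as described in the thread (illustration only). */
const char *after_last_colon(const char *reply)
{
    const char *p = strrchr(reply, ':');
    return p ? p + 1 : reply;
}

/* Anchor on the known filename and the trailing keyword, so colons in the name or path are harmless. */
enum verdict parse_reply(const char *reply, const char *file,
                         char *out, size_t outsz)
{
    size_t flen = strlen(file), rlen = strlen(reply), n;
    enum verdict v;
    if (outsz == 0) return V_BADREPLY;
    out[0] = '\0';
    while (rlen && (reply[rlen - 1] == '\n' || reply[rlen - 1] == '\r'))
        rlen--;                               /* drop line terminator */
    if (rlen < flen + 2 || strncmp(reply, file, flen) != 0 ||
        reply[flen] != ':' || reply[flen + 1] != ' ')
        return V_BADREPLY;                    /* not "<file>: ..." */
    reply += flen + 2; rlen -= flen + 2;      /* skip "<file>: " */
    if (rlen == 2 && memcmp(reply, "OK", 2) == 0) return V_OK;
    if (rlen <= 6) return V_BADREPLY;
    if (memcmp(reply + rlen - 6, " FOUND", 6) == 0) v = V_FOUND;
    else if (memcmp(reply + rlen - 6, " ERROR", 6) == 0) v = V_ERROR;
    else return V_BADREPLY;
    n = rlen - 6 < outsz ? rlen - 6 : outsz - 1;  /* truncate, never overflow */
    memcpy(out, reply, n);
    out[n] = '\0';                            /* virus name or error code */
    return v;
}

int main(void)
{
    char name[128];
    parse_reply(SAMPLE_REPLY, SAMPLE_FILE, name, sizeof name);
    printf("last colon: %sanchored:   %s\n", after_last_colon(SAMPLE_REPLY), name);
    return 0;
}
```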