Hi guys.
I can't figure out what's going wrong with my below config snippet to
make my Debian version of Exim 4.80 use Avira AntiVirus 3.1 as a generic
command line virus scanner:
> warn message = This message contains malware ($malware_name)
> set acl_m0 = cmdline:/usr/lib/AntiVir/guard/avscan -s --batch --scan-mode=all %s; /bin/echo -e \N"\navira_retval $?"\N:\N^avira_retval 1$\N:\N.*ALERT: ([^;]*) ;.*\N
> malware = *
> log_message = This message contains malware (avira:$malware_name)
When I manually invoke the command line scanner I get the following output:
> # /usr/lib/AntiVir/guard/avscan -s --batch --scan-mode=all eicar.com.txt
> Avira AntiVir Personal (ondemand scanner)
> Copyright (C) 2010 by Avira GmbH.
> All rights reserved.
>
> SAVAPI-Version: 3.1.1.8, AVE-Version: 8.2.12.120
> VDF-Version: 7.11.102.248 created 20130918
>
> AntiVir license: 0000XXXXXX
>
> Info: automatically excluding /sys/ from scan (special fs)
> Info: automatically excluding /proc/ from scan (special fs)
> Info: automatically excluding /var/lib/antivir/quarantine/ from scan (quarantine)
>
> file: /root/work/eicar.com.txt
> last modified on date: 2013-09-18 time: 10:50:02, size: 68 bytes
> ALERT: Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus
> ALERT-URL: http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature
> no action taken
>
> ------ scan results ------
> directories: 0
> scanned files: 1
> alerts: 1
> suspicious: 0
> repaired: 0
> deleted: 0
> renamed: 0
> moved: 0
> scan time: 00:00:01
> --------------------------
Below is the list of codes Avira can return; when I launched the above
test with the EICAR dummy virus I indeed got a result code of 1:
> list of return codes:
> 0: Normal program termination, nothing found, no error
> 1: Found concerning file
> 3: Suspicious file found
> 4: Warnings were issued
> 255: Internal error
> 254: Configuration error (invalid parameter in command-line or configuration file)
> 253: Error while preparing on-demand scan
> 252: The avguard daemon is not running
> 251: The avguard daemon is not accessible
> 250: Cannot initialize scan process
> 249: Scan process not completed
> 248: No valid license found
> 211: Program aborted, because the self check failed
This is the virus scanner version:
> # /usr/lib/AntiVir/guard/avscan --version
> product kind: Avira AntiVir Personal (ondemand scanner)
> product version: 3.1.3.5
> VDF version: 7.11.102.248
> VDF date: 2013-09-18
> AVE version: 8.2.12.120
> operating system: Linux 3.2.0-4-amd64 x86_64
> binary target: linux_glibc22
> The program is running in fully functional mode.
Debian version:
> # cat /etc/debian_version
> 7.1
I've been fiddling with this for almost 2 hours now and can't figure out
what's going wrong... :-(
I'm already using a couple of command-line scanners, as follows, which are
all working fine (I can tell from Exim's mainlog that they all trigger
on the EICAR dummy virus):
> warn message = This message contains malware ($malware_name)
> set acl_m0 = cmdline:\
> /usr/bin/avgscan --arc %s; echo -e \N"\navg_retval $?"\N:\
> avg_retval 5:\
> \NVirus identified *(.*)$\N
> malware = *
> log_message = This message contains malware (avg:$malware_name)
>
> warn message = This message contains malware ($malware_name)
> set acl_m0 = cmdline:\
> /usr/local/bin/fpscan --report %s; echo -e \N"\nfprot_retval $?"\N:\
> fprot_retval 1:\
> <([^>]*)>
> malware = *
> log_message = This message contains malware (f-prot:$malware_name)
>
> warn message = This message contains malware ($malware_name)
> set acl_m0 = cmdline:\
> /usr/bin/antivir --allfiles -z -rs %s:\
> ALERT:\
> [[](.+)\[]]
> malware = *
> log_message = This message contains malware (antivir:$malware_name)
I'm sure I'm missing s/t obvious, but it's been ages since I was really
"fluent speaking Exim", so your help would be much appreciated.
Thank you!
KR,
Ralf
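An added example, not part of Ralf's post and not Exim's own code: a small Python model of the three-part `cmdline:<command>:<trigger regex>:<name regex>` spec, run offline over the avscan output quoted above, to check whether the two regexes in the Avira snippet match what the scanner prints once the `avira_retval $?` line has been appended by the trailing echo. The way the model applies the regexes (trigger searched line by line over the combined output, first capture group of the name regex becomes `$malware_name`) is an assumption about Exim's behaviour, not something verified against Exim's source.

```python
"""Offline check of an Exim 'cmdline:' malware-scanner spec.

The spec has three colon-separated parts:
    cmdline:<command with %s>:<trigger regex>:<name regex>
This model (an assumption, not Exim's code) searches the scanner output,
with the echoed "<tag>_retval N" line appended, line by line for the
trigger regex; if it matches, the first capture group of the name regex,
again applied line by line, is taken as $malware_name.
"""
import re
from typing import Optional

# Constructed sample: the avscan output quoted in the post (trimmed to the
# lines that matter), i.e. what the scanner prints for the EICAR file.
AVIRA_OUTPUT = """\
Avira AntiVir Personal (ondemand scanner)
Copyright (C) 2010 by Avira GmbH.
All rights reserved.

file: /root/work/eicar.com.txt
last modified on date: 2013-09-18 time: 10:50:02, size: 68 bytes
ALERT: Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus
ALERT-URL: http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature
no action taken

------ scan results ------
scanned files: 1
alerts: 1
"""

# Return codes from the avscan list quoted in the post.
AVIRA_ALERT_RC = 1   # "Found concerning file"
AVIRA_CLEAN_RC = 0   # "nothing found, no error"

# The two regexes from the post's Avira spec (the text between \N ... \N).
AVIRA_TRIGGER_RE = r"^avira_retval 1$"
AVIRA_NAME_RE = r".*ALERT: ([^;]*) ;.*"


def with_retval_line(output: str, rc: int, tag: str) -> str:
    """Mimic `; /bin/echo -e "\\n<tag>_retval $?"` run after the scanner."""
    return output + "\n" + f"{tag}_retval {rc}\n"


def cmdline_scan(output: str, trigger_re: str, name_re: str) -> Optional[str]:
    """Return the extracted malware name if the trigger fires, else None."""
    trigger = re.compile(trigger_re)
    name = re.compile(name_re)
    lines = output.splitlines()
    if not any(trigger.search(line) for line in lines):
        return None                      # scanner considered the file clean
    for line in lines:
        m = name.search(line)
        if m:
            return m.group(1).strip()
    # Trigger fired but no line matched the name regex; the placeholder is
    # this model's choice, not what Exim reports in that case.
    return "<unknown>"


def check_avira(rc: int) -> Optional[str]:
    """Run the post's Avira spec against the sample output with exit code rc."""
    combined = with_retval_line(AVIRA_OUTPUT, rc, "avira")
    return cmdline_scan(combined, AVIRA_TRIGGER_RE, AVIRA_NAME_RE)


if __name__ == "__main__":
    print("rc=1 ->", check_avira(AVIRA_ALERT_RC))   # Eicar-Test-Signature
    print("rc=0 ->", check_avira(AVIRA_CLEAN_RC))   # None
```

Against this sample the trigger regex fires on `avira_retval 1` and the name regex yields `Eicar-Test-Signature`, so the two regexes as written do match the quoted output; if Exim still does not trigger, the remaining suspects are the command part itself (how the shell Exim spawns runs it, and which exit status the echo actually sees), which this offline model cannot exercise.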