Hi Jeremy.
Thanks for your reply.
On 2013-09-22 20:09, Jeremy Harris wrote:
> On 18/09/13 14:08, Ralf G. R. Bergs wrote:
>>> warn message = This message contains malware ($malware_name)
>>> set acl_m0 = cmdline:/usr/lib/AntiVir/guard/avscan -s --batch --scan-mode=all %s; /bin/echo -e \N"\navira_retval $?"\N:\N^avira_retval 1$\N:\N.*ALERT: ([^;]*) ;.*\N
>
> I suspect that just setting acl_m0 to that string doesn't do what you
> think. Have a look at
>
> http://exim.org/exim-html-current/doc/html/spec_html/ch-content_scanning_at_acl_time.html
>
>
> - maybe it should be involved with the av_scanner global option,
Actually I do use this already -- I left it out for briefness.
> but I doubt the bit with "echo" will work there.
As I said, the other three scanners are working just fine, and I'm
already using a similar construct (i.e. the fragment below does work
well!):
> warn message = This message contains malware ($malware_name)
> set acl_m0 = cmdline:\
> /usr/bin/avgscan --arc %s; echo -e \N"\navg_retval $?"\N:\
> avg_retval 5:\
> \NVirus identified *(.*)$\N
> malware = *
> log_message = This message contains malware (avg:$malware_name)
Any idea why the below is not working?
> warn message = This message contains malware ($malware_name)
> set acl_m0 = cmdline:/usr/lib/AntiVir/guard/avscan -s --batch --scan-mode=all %s; /bin/echo -e \N"\navira_retval $?"\N:\N^avira_retval 1$\N:\N.*ALERT: ([^;]*) ;.*\N
> malware = *
> log_message = This message contains malware (avira:$malware_name)
Thanks for kindly looking into this again (please also refer to my
original message, reattached for your convenience).
KR,
Ralf
[Resending this msg since mod seems not to have released my original msg
yet]
Hi guys.
I can't figure out what's going wrong with my below config snippet to
make my Debian version of Exim 4.80 use Avira AntiVirus 3.1 as a generic
command line virus scanner:
> warn message = This message contains malware ($malware_name)
> set acl_m0 = cmdline:/usr/lib/AntiVir/guard/avscan -s --batch --scan-mode=all %s; /bin/echo -e \N"\navira_retval $?"\N:\N^avira_retval 1$\N:\N.*ALERT: ([^;]*) ;.*\N
> malware = *
> log_message = This message contains malware (avira:$malware_name)
When I manually invoke the command line scanner I get the following output:
> # /usr/lib/AntiVir/guard/avscan -s --batch --scan-mode=all eicar.com.txt
> Avira AntiVir Personal (ondemand scanner)
> Copyright (C) 2010 by Avira GmbH.
> All rights reserved.
>
> SAVAPI-Version: 3.1.1.8, AVE-Version: 8.2.12.120
> VDF-Version: 7.11.102.248 created 20130918
>
> AntiVir license: 0000XXXXXX
>
> Info: automatically excluding /sys/ from scan (special fs)
> Info: automatically excluding /proc/ from scan (special fs)
> Info: automatically excluding /var/lib/antivir/quarantine/ from scan (quarantine)
>
> file: /root/work/eicar.com.txt
> last modified on date: 2013-09-18 time: 10:50:02, size: 68 bytes
> ALERT: Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus
> ALERT-URL: http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature
> no action taken
>
> ------ scan results ------
> directories: 0
> scanned files: 1
> alerts: 1
> suspicious: 0
> repaired: 0
> deleted: 0
> renamed: 0
> moved: 0
> scan time: 00:00:01
> --------------------------
Below is the list of codes Avira possibly returns; when I launched
the above test with the EICAR dummy virus I indeed got a result code of 1:
> list of return codes:
> 0: Normal program termination, nothing found, no error
> 1: Found concerning file
> 3: Suspicious file found
> 4: Warnings were issued
> 255: Internal error
> 254: Configuration error (invalid parameter in command-line or configuration file)
> 253: Error while preparing on-demand scan
> 252: The avguard daemon is not running
> 251: The avguard daemon is not accessible
> 250: Cannot initialize scan process
> 249: Scan process not completed
> 248: No valid license found
> 211: Program aborted, because the self check failed
This is the virus scanner version:
> # /usr/lib/AntiVir/guard/avscan --version
> product kind: Avira AntiVir Personal (ondemand scanner)
> product version: 3.1.3.5
> VDF version: 7.11.102.248
> VDF date: 2013-09-18
> AVE version: 8.2.12.120
> operating system: Linux 3.2.0-4-amd64 x86_64
> binary target: linux_glibc22
> The program is running in fully functional mode.
Debian version:
> # cat /etc/debian_version
> 7.1
I've been fiddling with this for almost 2 hours now and can't figure out
what's going wrong... :-(
I'm already using a couple of command line scanners, as follows, which are
all working fine (which I can tell from Exim's mainlog: they all trigger
on the EICAR dummy virus):
> warn message = This message contains malware ($malware_name)
> set acl_m0 = cmdline:\
> /usr/bin/avgscan --arc %s; echo -e \N"\navg_retval $?"\N:\
> avg_retval 5:\
> \NVirus identified *(.*)$\N
> malware = *
> log_message = This message contains malware (avg:$malware_name)
> warn message = This message contains malware ($malware_name)
> set acl_m0 = cmdline:\
> /usr/local/bin/fpscan --report %s; echo -e \N"\nfprot_retval $?"\N:\
> fprot_retval 1:\
> <([^>]*)>
> malware = *
> log_message = This message contains malware (f-prot:$malware_name)
> warn message = This message contains malware ($malware_name)
> set acl_m0 = cmdline:\
> /usr/bin/antivir --allfiles -z -rs %s:\
> ALERT:\
> [[](.+)\[]]
> malware = *
> log_message = This message contains malware (antivir:$malware_name)
I'm sure I'm missing s/t obvious, but it's been ages since I was really
"fluent speaking Exim", so your help would be much appreciated.
Thank you!
KR,
Ralf
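The harness below is an added example, not code from this thread or from Exim: it emulates, offline, the matching that a `cmdline:` scanner entry performs on a scanner's captured output, so the trigger and name regexes from the avira entry above (and the same pattern in Ralf's reply) can be checked against a saved transcript before they go into the ACL. It assumes that Exim tries the trigger regex against each output line separately and takes group 1 of the first line matching the name regex as `$malware_name`; the transcripts are constructed from the avscan output quoted above, and `with_retval`, `scan_verdict` and `verdicts_by_retval` are names invented for this example. It goes slightly beyond the thread by sweeping the trigger over Avira's documented return codes rather than only the EICAR case.

```python
import re

# Trigger and name regexes as they appear inside the \N...\N quoting of the
# avira ACL entry in the thread (Exim uses PCRE; these patterns behave the
# same under Python's re).
AVIRA_TRIGGER = r"^avira_retval 1$"
AVIRA_NAME = r".*ALERT: ([^;]*) ;.*"

# Constructed transcript of the avscan run quoted in the thread, trimmed to
# the lines that matter and with the mail-wrapped ALERT line rejoined.
AVIRA_ALERT_OUTPUT = """\
Avira AntiVir Personal (ondemand scanner)
Copyright (C) 2010 by Avira GmbH.
All rights reserved.

file: /root/work/eicar.com.txt
last modified on date: 2013-09-18 time: 10:50:02, size: 68 bytes
ALERT: Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus
ALERT-URL: http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature
no action taken

------ scan results ------
scanned files: 1
alerts: 1
--------------------------
"""

# Constructed transcript of a clean run: same banner, no ALERT line.
AVIRA_CLEAN_OUTPUT = """\
Avira AntiVir Personal (ondemand scanner)
file: /root/work/clean.txt
no action taken

------ scan results ------
scanned files: 1
alerts: 0
--------------------------
"""


def with_retval(output, status, tag="avira_retval"):
    """Append what `/bin/echo -e "\\n<tag> $?"` adds after the scanner exits.

    GNU echo -e turns the leading \\n into a blank line, so the marker ends
    up on a line of its own, which is what the anchored trigger regex needs.
    """
    return output + "\n" + f"{tag} {status}" + "\n"


def scan_verdict(output, trigger_re, name_re):
    """Emulate the cmdline scanner's decision on a captured transcript.

    Assumption (this example's, not taken from Exim's source): the trigger
    regex is tried against each output line separately, and when it matches,
    group 1 of the first line matching the name regex becomes $malware_name.
    Returns None when the trigger never fires (message treated as clean) and
    the placeholder "unknown" when it fires but no name can be extracted.
    """
    lines = output.splitlines()
    if not any(re.search(trigger_re, line) for line in lines):
        return None
    for line in lines:
        m = re.search(name_re, line)
        if m and m.lastindex:
            return m.group(1).strip()
    return "unknown"


def verdicts_by_retval(output, trigger_re, name_re, statuses):
    """Map each scanner exit status to the verdict the ACL entry would reach.

    Lets a trigger regex be checked against the scanner's documented
    return-code table instead of only against the EICAR case.
    """
    return {s: scan_verdict(with_retval(output, s), trigger_re, name_re)
            for s in statuses}


if __name__ == "__main__":
    # Exit codes from Avira's table in the thread: 0 clean, 1 found,
    # 3 suspicious, 4 warnings.
    table = verdicts_by_retval(AVIRA_ALERT_OUTPUT, AVIRA_TRIGGER, AVIRA_NAME,
                               (0, 1, 3, 4))
    for status, verdict in table.items():
        print(f"avira_retval {status}: {verdict!r}")
    print("clean run:", scan_verdict(with_retval(AVIRA_CLEAN_OUTPUT, 0),
                                     AVIRA_TRIGGER, AVIRA_NAME))
```

Two things the sweep makes visible: the anchored trigger `^avira_retval 1$` fires only on exit status 1, so a "suspicious file" result (status 3 in Avira's table) would let the message through unflagged unless the trigger is widened to something like `^avira_retval [13]$`; and the name regex is evaluated independently of the trigger, so a transcript with an ALERT line but a different exit status is still treated as clean. Whether the real Exim build matches line by line is the assumption to confirm against the version in use.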