Re: [exim] Need help with exiscan and generic command line s…

Author: Ralf G. R. Bergs
To: Jeremy Harris, exim-users
Subject: Re: [exim] Need help with exiscan and generic command line scanner interface
On 2013-10-12 22:03 , Ralf G. R. Bergs wrote:
> I'm now at a point where it triggers, but the malware name is still
> wrong. I'm confident that I will fix this soon.

This is what I had, and I cannot make this extract the malware name:
> warn  message     = This message contains malware ($malware_name)
>       set acl_m0  = cmdline:\
>                       /usr/lib/AntiVir/guard/avscan -s --batch --scan-mode=all %s;\
>                       /bin/echo -e \N"\navira_retval $?"\N:\
>                       \N^avira_retval 1$\N:\
>                       \N^.*ALERT: ([^;]*) ;.*$\N
>       malware     = *
>       log_message = This message contains malware (avira:$malware_name)

The output of the scanner looks like this:
>     ALERT: Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus

If I match the trailing part of the line I can make it work:
> \NContains code of the (.*) virus\N

But for me this is not the "perfect" implementation, since Avira AntiVir
knows several different categories of "malware", such as "virus" and
"jokes", etc. In that case it would probably output something like
>     ALERT: foobar ; joke ; Contains code of the foobar joke

in which case the above expression would not extract "foobar". :-(

Any idea why my original expression doesn't extract the name properly?
I'm sure the characters after "ALERT:" and before the ";" are spaces,
since I redirected the output into a file and looked at it with a hexdump.

I somehow have the suspicion that the ":" (colon) character is confusing
ExiScan/Exim (even though the whole thing is included in between \N...\N)?!

KR,

Ralf
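The following is an added example, not part of the post above nor Exim's own code. It takes the three regexes from the posted config and runs them against constructed scanner output modelled on the quoted ALERT line (a "virus" line, a "joke" line, and a clean run), using a simplified model of what a cmdline-style scanner does with a trigger regex and a name regex. It also models the suspicion raised in the post: if the option string is split at every colon, the way Exim splits its string lists (where a literal colon must be written as "::"), the colon in "ALERT:" cuts the name regex in two and the remaining field has no capture group. The scan model and the split are assumptions for illustration; the authoritative behaviour is in Exim's malware code and the spec.

```python
import re

# Constructed sample scanner output, modelled on the line quoted in the
# post: one line from avscan, then the "avira_retval N" line appended by
# the trailing /bin/echo.  Not captured from a real Avira run.
SAMPLE_VIRUS = (
    "ALERT: Eicar-Test-Signature ; virus ; Contains code of the "
    "Eicar-Test-Signature virus\n"
    "avira_retval 1\n"
)
SAMPLE_JOKE = (
    "ALERT: foobar ; joke ; Contains code of the foobar joke\n"
    "avira_retval 1\n"
)
SAMPLE_CLEAN = "avira_retval 0\n"

# The regexes from the posted config (Exim's \N...\N quoting stripped).
TRIGGER_RE = r"^avira_retval 1$"
NAME_RE_POSTED = r"^.*ALERT: ([^;]*) ;.*$"            # original attempt
NAME_RE_TRAILING = r"Contains code of the (.*) virus"  # working fallback


def cmdline_scan(output, trigger_re, name_re):
    """Simplified model (an assumption, not Exim's implementation) of a
    cmdline scanner: the message counts as infected if any output line
    matches trigger_re; the malware name is capture group 1 of name_re on
    the first line where it matches.  Returns (triggered, name), with name
    None when no line yields a capture."""
    trigger = re.compile(trigger_re)
    name = re.compile(name_re)
    lines = output.splitlines()
    if not any(trigger.search(line) for line in lines):
        return False, None
    for line in lines:
        m = name.search(line)
        if m and m.lastindex:
            return True, m.group(1)
    return True, None


# The av_scanner string as it would look after Exim's \N quoting and
# line continuations are resolved (assumption: reconstructed from the post).
AV_SCANNER = (
    "cmdline:"
    "/usr/lib/AntiVir/guard/avscan -s --batch --scan-mode=all %s;"
    '/bin/echo -e "\\navira_retval $?":'
    "^avira_retval 1$:"
    "^.*ALERT: ([^;]*) ;.*$"
)


def naive_colon_split(av_scanner):
    """Model of the suspicion in the post: splitting the option string at
    every ':' (Exim string lists use ':' as separator and '::' for a
    literal colon) breaks the name regex at the colon in 'ALERT:'."""
    return av_scanner.split(":")


if __name__ == "__main__":
    for label, out in (("virus", SAMPLE_VIRUS), ("joke", SAMPLE_JOKE),
                       ("clean", SAMPLE_CLEAN)):
        print(label, "posted  :", cmdline_scan(out, TRIGGER_RE, NAME_RE_POSTED))
        print(label, "trailing:", cmdline_scan(out, TRIGGER_RE, NAME_RE_TRAILING))
    fields = naive_colon_split(AV_SCANNER)
    print("name-regex field after naive split:", repr(fields[3]))
    print("joke line with that field:",
          cmdline_scan(SAMPLE_JOKE, TRIGGER_RE, fields[3]))
```

Run as a plain regex test, the posted expression extracts "Eicar-Test-Signature" and "foobar" from both sample lines, while the trailing-part expression fails on the joke line exactly as the post predicts. The naive colon split leaves "^.*ALERT" as the name field, which matches the line but captures nothing, which is the symptom described (trigger fires, name wrong). Whether Exim really splits av_scanner this way, and whether doubling the colon ("ALERT::") is the intended escape, is for the Exim spec and the thread's replies to confirm; this script only shows that the regex itself is not the problem.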