On 2013-10-12 22:03, Ralf G. R. Bergs wrote:
> I'm now at a point where it triggers, but the malware name is still
> wrong. I'm confident that I will fix this soon.
This is what I had, and I cannot make this extract the malware name:
> warn message = This message contains malware ($malware_name)
> set acl_m0 = cmdline:\
> /usr/lib/AntiVir/guard/avscan -s --batch --scan-mode=all %s;\
> /bin/echo -e \N"\navira_retval $?"\N:\
> \N^avira_retval 1$\N:\
> \N^.*ALERT: ([^;]*) ;.*$\N
> malware = *
> log_message = This message contains malware (avira:$malware_name)
The output of the scanner looks like this:
> ALERT: Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus
If I match the trailing part of the line I can make it work:
> \NContains code of the (.*) virus\N
But for me this is not the "perfect" implementation, since Avira AntiVir
knows several different categories of "malware", such as "virus" and
"jokes", etc. In that case it would probably output something like
> ALERT: foobar ; joke ; Contains code of the foobar joke
in which case the above expression would not extract "foobar". :-(
Any idea why my original expression doesn't extract the name properly?
I'm sure the characters after "ALERT:" and before the ";" are spaces,
since I redirected the output into a file and looked at it with a hexdump.
I somehow have the suspicion that the ":" (colon) character is confusing
ExiScan/Exim (even though the whole thing is included in between \N...\N)?!
KR,
Ralf
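Added example, not code from Ralf's message or from Exim: a small Python check that runs the posted name regex over constructed Avira-style output for both the "virus" and "joke" categories, and then splits the cmdline spec the way an Exim colon-separated list is split (assumed here to be the cause, with "::" as the literal-colon escape) to show where the name field gets cut.

```python
import re

# The name-extraction regex from the post; Exim's cmdline scanner puts the
# first capture group into $malware_name.
ALERT_RE = re.compile(r"^.*ALERT: ([^;]*) ;.*$")

# Constructed scanner output in the format shown in the post:
# "ALERT: <name> ; <category> ; <description>"
VIRUS_OUTPUT = "ALERT: Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus\n"
JOKE_OUTPUT = "ALERT: foobar ; joke ; Contains code of the foobar joke\n"


def extract_malware_name(scanner_output):
    """Apply ALERT_RE line by line; return the captured name or None."""
    for line in scanner_output.splitlines():
        m = ALERT_RE.match(line)
        if m:
            return m.group(1).strip()
    return None


def split_colon_fields(spec):
    """Split an Exim-style colon-separated list: ':' ends a field and '::'
    stands for a literal colon (assumed behaviour, see lead-in)."""
    fields, current, i = [], [], 0
    while i < len(spec):
        if spec[i] == ":" and spec[i + 1:i + 2] == ":":
            current.append(":")   # escaped colon stays in the field
            i += 2
        elif spec[i] == ":":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(spec[i])
            i += 1
    fields.append("".join(current))
    return fields


# The three cmdline fields from the post (command, trigger regex, name regex)
# as one colon-separated string; the \N markers are left out since they only
# matter for string expansion (assumption).
COMMAND = ("/usr/lib/AntiVir/guard/avscan -s --batch --scan-mode=all %s; "
           "/bin/echo -e \"\\navira_retval $?\"")
SPEC_AS_POSTED = COMMAND + ":^avira_retval 1$:^.*ALERT: ([^;]*) ;.*$"
SPEC_ESCAPED = COMMAND + ":^avira_retval 1$:^.*ALERT:: ([^;]*) ;.*$"
```

With the spec as posted the split yields four fields, the name regex being cut at "ALERT"; with the doubled colon it yields the expected three, and the regex itself extracts "foobar" from the joke line just as well as "Eicar-Test-Signature" from the virus line.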