Re: [exim] Need help with exiscan and generic command line s…

Author: Jeremy Harris
Date:  
To: exim-users
CC: jgh
Subject: Re: [exim] Need help with exiscan and generic command line scanner interface
On 12/10/13 21:21, Ralf G. R. Bergs wrote:
> On 2013-10-12 22:03 , Ralf G. R. Bergs wrote:
>> I'm now at a point where it triggers, but the malware name is still
>> wrong. I'm confident that I will fix this soon.
> This is what I had, and I cannot make this extract the malware name:
>> warn  message                = This message contains malware
>> ($malware_name)
>>          set acl_m0      = cmdline:\
>>                                /usr/lib/AntiVir/guard/avscan -s --batch
>> --scan-mode=all %s;\
>>                                /bin/echo -e \N"\navira_retval $?"\N:\
>>                                \N^avira_retval 1$\N:\
>>                                \N^.*ALERT: ([^;]*) ;.*$\N
>>          malware                = *

[...]
> Any idea why my original expression doesn't extract the name properly?
> I'm sure the characters after "ALERT:" and before the ";" are spaces,
> since I redirected the output into a file and looked at it with a hexdump.
>
> I somehow have the suspicion that the ":" (colon) character is confusing
> ExiScan/Exim (even though the whole thing is included in between \N...\N)?!


The av_scanner string is parsed by Exim's list-handling code, splitting
on (by default) the colon character. To get a colon into the
name-expression for the cmdline processor you need to double it, or
change to a non-default list separator. See

http://exim.org/exim-html-current/doc/html/spec_html/ch-the_exim_run_time_configuration_file.html#SECTlistconstruct

for details. The \N wrappers that protect the regex from Exim's
string-expansion do not protect it from list-element splitting.

I'll see about adding a warning to the documentation on this point.
-- 
Cheers,
    Jeremy
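
The list-splitting behaviour described in the reply above, as an added Python illustration; it is not Exim code and not part of the original message. `exim_list_split` is a simplified, hypothetical model of the rules in the linked spec section (colon separator, doubled separator as a literal, leading `<` to change the separator), the scanner output line is constructed, and Python's `re` stands in for Exim's PCRE.

```python
import re

def exim_list_split(s):
    """Simplified model of Exim list splitting (assumption: no expansion step)."""
    sep, s = ":", s.lstrip()
    # "<" plus a punctuation character at the start selects another separator.
    if len(s) > 1 and s[0] == "<" and not (s[1].isalnum() or s[1].isspace()):
        sep, s = s[1], s[2:]
    items, cur, i = [], "", 0
    while i < len(s):
        if s[i] == sep and s[i + 1:i + 2] == sep:
            cur += sep          # doubled separator is one literal character
            i += 2
            continue
        if s[i] == sep:
            items.append(cur.strip())
            cur = ""
        else:
            cur += s[i]
        i += 1
    if cur.strip():             # an empty trailing item is ignored
        items.append(cur.strip())
    return items

# The four cmdline fields from the quoted config, after \N has been expanded away.
CMD = r'/usr/lib/AntiVir/guard/avscan -s --batch --scan-mode=all %s; /bin/echo -e "\navira_retval $?"'
TRIGGER = r'^avira_retval 1$'
NAME_RE = r'^.*ALERT: ([^;]*) ;.*$'
SAMPLE = "  ALERT: Eicar-Test-Signature ; constructed sample scanner line"

def build(name_re, sep=":"):
    return sep.join(["cmdline", CMD, TRIGGER, name_re])

def extract(av_scanner):
    """Return (field count, malware name captured by the 4th field or None)."""
    fields = exim_list_split(av_scanner)
    m = re.search(fields[3], SAMPLE)
    return len(fields), (m.group(1) if m and m.re.groups else None)

AS_POSTED = build(NAME_RE)                       # colon inside the regex
DOUBLED = build(NAME_RE.replace(":", "::"))      # colon doubled
OTHER_SEP = "<| " + build(NAME_RE, "|")          # non-default separator

if __name__ == "__main__":
    for label, cfg in [("as posted", AS_POSTED), ("doubled colon", DOUBLED),
                       ("separator |", OTHER_SEP)]:
        print(label, extract(cfg))
```

With the regex as posted, the fourth list element is cut off at `^.*ALERT`, which still matches the scanner output but has no capture group, so no name is extracted.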