Re: [exim] Need help with exiscan and generic command line s…

Author: Ralf G. R. Bergs
Date:  
To: exim-users
Subject: Re: [exim] Need help with exiscan and generic command line scanner interface
On 2013-10-13 15:11 , Jeremy Harris wrote:
> On 12/10/13 21:21, Ralf G. R. Bergs wrote:
>> On 2013-10-12 22:03 , Ralf G. R. Bergs wrote:
>>> I'm now at a point where it triggers, but the malware name is still
>>> wrong. I'm confident that I will fix this soon.
>> This is what I had, and I cannot make this extract the malware name:
>>> warn  message                = This message contains malware ($malware_name)
>>>          set acl_m0      = cmdline:\
>>>                                /usr/lib/AntiVir/guard/avscan -s --batch --scan-mode=all %s;\
>>>                                /bin/echo -e \N"\navira_retval $?"\N:\
>>>                                \N^avira_retval 1$\N:\
>>>                                \N^.*ALERT: ([^;]*) ;.*$\N
>>>          malware                = *
> [...]
>> Any idea why my original expression doesn't extract the name properly?
>> I'm sure the characters after "ALERT:" and before the ";" are spaces,
>> since I redirected the output into a file and looked at it with a
>> hexdump.
>>
>> I somehow have the suspicion that the ":" (colon) character is confusing
>> ExiScan/Exim (even though the whole thing is included in between
>> \N...\N)?!
>
> The av_scanner string is parsed by Exim's list-handling code, splitting
> on (by default) the colon character. To get a colon into the
> name-expression for the cmdline processor you need to double it,

Yes!!! That did it, it's working now completely as I wanted it to be.

Thanks for refreshing my mind, as I said it's a long time since I knew
the Exim manual by heart... ;-)
> I'll see about adding a warning to the documentation on this point.

That would certainly be helpful, thank you.

KR,

Ralf
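
The list-splitting behaviour described in the reply above, as an added example that is not part of the original thread and is not Exim's own code: a simplified Python model of colon-separated list parsing applied to the av_scanner value from the post. It assumes the `\N` markers are already gone by the time the list is split and that the value is written on one line; the scanner output line is constructed.

```python
import re

def split_exim_list(value, sep=":"):
    """Simplified model of Exim list splitting: a single separator ends an
    item, a doubled separator yields one literal separator, and whitespace
    around each item is dropped."""
    items, cur, i = [], [], 0
    while i < len(value):
        if value[i] == sep:
            if value[i + 1:i + 2] == sep:   # doubled -> literal separator
                cur.append(sep)
                i += 2
                continue
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(value[i])
        i += 1
    items.append("".join(cur).strip())
    return items

def malware_name(av_scanner, scanner_output):
    """Return what the 4th list item (the name regex) captures, or None."""
    fields = split_exim_list(av_scanner)
    name_re = re.compile(fields[3], re.M)
    m = name_re.search(scanner_output)
    return m.group(1) if m and name_re.groups else None

# av_scanner value from the post, joined onto one line, \N markers removed
# (assumption: they are consumed before the list is split).
PREFIX = ('cmdline:/usr/lib/AntiVir/guard/avscan -s --batch --scan-mode=all %s;'
          r'/bin/echo -e "\navira_retval $?":^avira_retval 1$:')
BROKEN = PREFIX + r'^.*ALERT: ([^;]*) ;.*$'    # single colon splits the regex
FIXED = PREFIX + r'^.*ALERT:: ([^;]*) ;.*$'    # doubled colon stays literal

# Constructed scanner output, shaped only to match the regex in the post.
SAMPLE_OUTPUT = "  ALERT: Constructed-Test-Name ; sample line\navira_retval 1\n"

if __name__ == "__main__":
    for label, value in (("broken", BROKEN), ("fixed", FIXED)):
        fields = split_exim_list(value)
        print(label, len(fields), "items; name regex:", repr(fields[3]))
        print("  extracted name:", malware_name(value, SAMPLE_OUTPUT))
```

With the single colon the name regex is cut off at `^.*ALERT`, which has no capture group, so the trigger still fires but no name can be extracted.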