----- Original Message ----- From: "Mark Martinec" <[EMAIL PROTECTED]>

Ok, a little refinement to not include a space after a virus name,
and to match a '+' literally. Here are the latest avast entries:

 ### http://www.avast.com/
 ['avast! Antivirus daemon',
   \&ask_daemon, # greets with 220, terminate with QUIT
   ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'],
   qr/\t\[\+\]/, qr/\t\[L\]\t/, qr/\t\[L\]\t([^[ \t\015\012]+)/ ],

 ### http://www.avast.com/
 ['avast! Antivirus - Client/Server Version', 'avastlite',
   '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1],
   qr/\t\[L\]\t([^[ \t\015\012]+)/ ],

 ### http://www.avast.com/
 ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
   '-a -i -n -t=A {}', [0], [1], qr/\[infected by: ([^ \t\n\[\]]+)/ ],

Mark, the avastcmd script above does not capture the virus name in the log file; rather, it's only showing:

Feb 21 09:42:13 mgw1.pointshare.com /usr/local/sbin/amavisd[18217]: (18217-01) run_av (Avast! Antivirus): INFECTED:

However, with the previous script:

### http://www.avast.com/
['Avast Anti-Virus', ['/usr/bin/avastcmd','avastcmd'],
 '-a -i -n -t=A {}', [0], [1], qr/infected by: (.+)/ ],

I was getting the virus name:

Feb 16 19:05:28 mgw1.pointshare.com /usr/local/sbin/amavisd[26635]: (26635-01) run_av (Avast Anti-Virus): INFECTED: Win32:Beagle-IB [Wrm]

But I could not quite seem to figure out how to strip the "[Wrm]" from the end of the line.

Bill
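Added example, not code from this thread or from amavisd itself: a small Perl script that applies the virus-name patterns quoted above (the daemon entry's `\t\[L\]\t...` capture and the avastcmd `infected by:` patterns, old and refined) to constructed scanner output and prints what each one captures. The sample lines are made up from the shape the regexes expect; the thread does not show raw avastcmd output, so confirm the real format by running avastcmd on an EICAR test file before trusting any pattern. The script assumes amavisd takes every capture of a global, multi-line match over the scanner's output as one virus name.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from amavisd: exercise the
# virus-name regexes quoted in the thread against constructed scanner output.
use strict;
use warnings;

# amavisd takes every capture of a global, multi-line match over the
# scanner output as one virus name (assumption about amavisd internals).
sub virus_names {
  my ($re, $output) = @_;
  return ($output =~ /$re/gm);
}

# Print one scanner output line and what each labelled pattern captures.
sub show {
  my ($title, $output, @patterns) = @_;
  (my $shown = $output) =~ s/\r?\n$//;
  $shown =~ s/\t/\\t/g;                 # make tabs visible
  print "$title\n  output: $shown\n";
  for my $p (@patterns) {
    my ($label, $re) = @$p;
    my @names = virus_names($re, $output);
    printf "  %-46s -> %s\n", $label,
      @names ? join(', ', map { qq{"$_"} } @names) : '(no virus name captured)';
  }
  print "\n";
}

# 1. Constructed daemon reply: path, tab, [L] (infected), tab, virus name,
#    CR LF -- the layout the ask_daemon entry's regexes expect.
my $daemon_reply = "/var/amavis/tmp/parts/p001\t[L]\tWin32:Beagle-IB [Wrm]\015\012";
show('avast daemon (ask_daemon entry)', $daemon_reply,
  [ 'qr/\t\[L\]\t([^[ \t\015\012]+)/', qr/\t\[L\]\t([^[ \t\015\012]+)/ ],
);

# 2./3. Constructed avastcmd output, once with a "[" directly before
#       "infected by:" and once without (the shape of Bill's log line).
my @avastcmd_patterns = (
  [ 'previous  qr/infected by: (.+)/',              qr/infected by: (.+)/ ],
  [ 'refined   qr/\[infected by: ([^ \t\n\[\]]+)/', qr/\[infected by: ([^ \t\n\[\]]+)/ ],
  [ 'no "\["   qr/infected by: ([^ \t\n\[\]]+)/',   qr/infected by: ([^ \t\n\[\]]+)/ ],
);
show('avastcmd, bracketed form',
  "/var/amavis/tmp/parts/p002  [infected by: Win32:Beagle-IB [Wrm]]\n",
  @avastcmd_patterns);
show('avastcmd, unbracketed form',
  "/var/amavis/tmp/parts/p003  infected by: Win32:Beagle-IB [Wrm]\n",
  @avastcmd_patterns);
```

The character class `[^ \t\n\[\]]+` is what drops the trailing ` [Wrm]`: the capture stops at the first space or bracket, so only `Win32:Beagle-IB` is reported. The refined pattern additionally requires a literal `[` immediately before `infected by:`, so on a line that lacks that bracket it captures nothing at all, which is one thing to check when the log shows `INFECTED:` with no name after it.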


_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
