Thomas,

> I've installed the new version from avira for unix, version 3.
> @av_scanner snippet:
>
> ### Avira for UNIX 3.x
> ['Avira AntiVir', ['avscan'],
>   '-s --batch --alert-action=none {}', [0], qr/ALERT:/,
>   qr/ALERT: (.+)/m ],
>
> playing around I found a (maybe) misbehaviour of amavisd:
>
> if "qr/ALERT: (.+)/m" (I used a wrong one, this one works for me) doesn't
> match the virus description, amavisd will ignore the virus. debug shows
> "<path>/parts INFECTED:" and then continues and forwards the email instead
> of saving to the quarantine.
>
> I'm using amavisd 2.6.3-rc1
>
> sample output of avscan if it found an infected file:
>
> file: /tmp/EICAR
> last modified on date: 2009-04-16 time: 16:36:17, size: 70 bytes
> ALERT: Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus
> ALERT-URL: http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature
> no action taken
I don't know - I tried to reproduce your case (cut/pasted your av entry and used a shell script to always write your sample text), and I get the following on the log (level 5):

(36486-01) run_command: [36515] /usr/local/src/0.sh -s --batch --alert-action=none /var/amavis/tmp-am/amavis-20090417T190043-36486/parts </dev/null 2>&1
(36486-01) collect_results from [36515] (Avira AntiVir), 263 bytes, (limit 204800)
(36486-01) prolong_timer run_av: timer set to 473 s
(36486-01) run_av: /usr/local/src/0.sh exit 0, file: /tmp/EICAR\n last modified on date: 2009-04-16 time: 16:36:17, size: 70 bytes\n ALERT: Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus\n ALERT-URL: http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature\n no action taken
(36486-01) run_av (Avira AntiVir): /var/amavis/tmp-am/amavis-20090417T190043-36486/parts INFECTED: Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus

which is about right. The virus name is unsightly long, but it gets the job done, and a message is treated as infected.

Could you please retry your experiment and show the log.

What counts as an infection is when the regexp qr/ALERT:/ on the given string matches. The actual virus name (matched by the qr/ALERT: (.+)/m) is used in the log and notifications, but even if empty (no name found), the message should still count as infected.

Mark
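To make the decision rule Mark describes concrete, here is an added Python model of how an @av_scanners entry is evaluated; it is an illustration written for this thread, not amavisd's own code. The entry layout follows amavisd.conf (scanner name, program, args, clean exit codes, infected exit codes or output regexp, virus-name regexp). The evaluation order (output regexp first, then clean exit codes, else scanner error) is what the thread implies: exit code 0 is listed as clean for avscan, yet Mark's log shows INFECTED on exit 0 because the output matched qr/ALERT:/. The clean-scan output, the deliberately non-matching name regexp and the shorter name regexp are constructed assumptions, added to show that a name regexp that never matches only empties the name list and does not downgrade the verdict.

```python
"""Model of the INFECTED / CLEAN / ERROR decision for one @av_scanners entry.

Added illustration for the thread above, not amavisd code. Entry layout per
amavisd.conf: name, program, args, clean exit codes, infected exit codes or
output regexp, virus-name regexp.
"""
import re

# Constructed sample input: the avscan output Thomas posted, as one captured string.
SAMPLE_OUTPUT = (
    "file: /tmp/EICAR\n"
    "last modified on date: 2009-04-16 time: 16:36:17, size: 70 bytes\n"
    "ALERT: Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus\n"
    "ALERT-URL: http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature\n"
    "no action taken\n"
)

# Constructed assumption: what a scan with no hit might print (no ALERT line).
CLEAN_OUTPUT = (
    "file: /tmp/hello.txt\n"
    "last modified on date: 2009-04-16 time: 16:40:00, size: 12 bytes\n"
    "no action taken\n"
)

# The Avira entry from the thread, with Perl qr// rendered as re.compile.
AVIRA_ENTRY = (
    "Avira AntiVir",
    ["avscan"],
    "-s --batch --alert-action=none {}",
    [0],                               # exit codes meaning "clean"
    re.compile(r"ALERT:"),             # output regexp meaning "infected"
    re.compile(r"ALERT: (.+)", re.M),  # virus-name regexp (whole rest of line)
)


def with_name_re(entry, name_re):
    """Return a copy of an entry with a different virus-name regexp (multi-line)."""
    return entry[:5] + (re.compile(name_re, re.M),)


# Assumed "wrong" name regexp: never matches avscan output, as in Thomas's report.
WRONG_NAME_ENTRY = with_name_re(AVIRA_ENTRY, r"^Virus found: (.+)")
# Assumed tighter name regexp: stops at the first ' ;' so only the name is kept.
SHORT_NAME_ENTRY = with_name_re(AVIRA_ENTRY, r"^ALERT: (.+?) ;")


def classify(entry, exit_code, output):
    """Return ('INFECTED', [names]) / ('CLEAN', []) / ('ERROR', []).

    A match of the infected regexp (or an infected exit code) wins, then the
    clean exit codes; anything else is treated as a scanner error. The name
    regexp only fills the name list and never changes the verdict.
    """
    _name, _prog, _args, clean_codes, infected, name_re = entry
    if isinstance(infected, re.Pattern):
        found = infected.search(output) is not None
    else:
        found = exit_code in infected
    if found:
        names = [m.strip() for m in name_re.findall(output)]
        return "INFECTED", names
    if exit_code in clean_codes:
        return "CLEAN", []
    return "ERROR", []


def main():
    cases = [
        ("thread entry, EICAR hit", AVIRA_ENTRY, 0, SAMPLE_OUTPUT),
        ("thread entry, clean file", AVIRA_ENTRY, 0, CLEAN_OUTPUT),
        ("thread entry, unexpected exit", AVIRA_ENTRY, 1, CLEAN_OUTPUT),
        ("non-matching name regexp", WRONG_NAME_ENTRY, 0, SAMPLE_OUTPUT),
        ("shorter name regexp", SHORT_NAME_ENTRY, 0, SAMPLE_OUTPUT),
    ]
    for label, entry, code, out in cases:
        print(f"{label:32} -> {classify(entry, code, out)}")


if __name__ == "__main__":
    main()
```

Run as a script it prints the verdict for each constructed case; the useful check when debugging an entry is the "non-matching name regexp" line, which still reads INFECTED with an empty name list, matching Mark's description of the intended behaviour.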