Thomas,

> i've installed the new version from avira for unix, version 3.
> @av_scanner snippet:
>
>   ### Avira for UNIX 3.x
>   ['Avira AntiVir', ['avscan'],
>     '-s --batch --alert-action=none {}', [0], qr/ALERT:/,
>     qr/ALERT: (.+)/m ],
>
> playing around i found a (maybe) misbehaviour of amavisd:
>
> if "qr/ALERT: (.+)/m " (i used a wrong one, this one works for me) doesn't
> match the virus description, amavisd will ignore the virus. debug shows
> "<path>/ parts INFECTED:" and then continues and forwards the email instead
> of saving to the quarantine.
>
> i'm using amavisd 2.6.3-rc1
>
> sample output of avscan if it found an infected file:
>
>   file: /tmp/EICAR
>     last modified on  date: 2009-04-16  time: 16:36:17,  size: 70 bytes
>     ALERT: Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus
>     ALERT-URL: http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature no action taken

I don't know - I tried to reproduce your case (cut/pasted your av entry
and used a shell script to always write your sample text), and I get the
following on the log (level 5):

(36486-01) run_command:
  [36515] /usr/local/src/0.sh -s --batch --alert-action=none
  /var/amavis/tmp-am/amavis-20090417T190043-36486/parts </dev/null 2>&1

(36486-01) collect_results from [36515] (Avira AntiVir), 263 bytes,
  (limit 204800)

(36486-01) prolong_timer run_av: timer set to 473 s

(36486-01) run_av: /usr/local/src/0.sh exit 0, file: /tmp/EICAR\n  last
  modified on  date: 2009-04-16  time: 16:36:17,  size: 70 bytes\n
  ALERT: Eicar-Test-Signature ; virus ; Contains code of the
  Eicar-Test-Signature virus\n  ALERT-URL:
  http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature\n
  no action taken

(36486-01) run_av (Avira AntiVir):
  /var/amavis/tmp-am/amavis-20090417T190043-36486/parts INFECTED:
  Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature
  virus

which is about right. The virus name is unsightly long, but it
gets the job done, and a message is treated as infected.

Could you please retry your experiment and show the log.

What counts as an infection is when the regexp qr/ALERT:/
on the given string matches. The actual virus name (matched
by the qr/ALERT: (.+)/m) is used in the log and notifications,
but even if empty (no name found), the message should still
count as infected.

  Mark
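As an added illustration (not code from this thread or from amavisd itself), here is a small Python model of the two-regexp decision described above, run over the sample avscan output quoted earlier. The function name, the accepted exit-status list and the deliberately non-matching NO_MATCH_RE pattern are constructed for the example.

```python
import re

# Sample avscan output, constructed from the quoted message (not a live scan).
AVSCAN_OUTPUT = (
    "file: /tmp/EICAR\n"
    "  last modified on  date: 2009-04-16  time: 16:36:17,  size: 70 bytes\n"
    "  ALERT: Eicar-Test-Signature ; virus ; Contains code of the "
    "Eicar-Test-Signature virus\n"
    "  ALERT-URL: http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature\n"
    "no action taken\n"
)

# Python equivalents of the two Perl regexps in the @av_scanner entry.
INFECTED_RE = re.compile(r"ALERT:")            # qr/ALERT:/  -> decides "infected"
NAME_RE = re.compile(r"ALERT: (.+)", re.M)     # qr/ALERT: (.+)/m -> virus name(s)
# Constructed pattern that never matches this output, to show the empty-name case.
NO_MATCH_RE = re.compile(r"Found: (.+)", re.M)


def classify_scan(output, exit_status, ok_statuses, infected_re, name_re):
    """Model the verdict amavisd derives from one scanner run.

    Returns (verdict, names) with verdict 'INFECTED', 'CLEAN' or 'FAILED'.
    The infection decision rests on infected_re alone; name_re only supplies
    the names used in logs and notifications and may legitimately yield none.
    """
    if exit_status not in ok_statuses:
        return "FAILED", []            # scanner problem, not a clean result
    if not infected_re.search(output):
        return "CLEAN", []
    names = [m.group(1).strip() for m in name_re.finditer(output)]
    return "INFECTED", names           # still INFECTED even if names == []


if __name__ == "__main__":
    for label, name_re in (("good name regexp", NAME_RE), ("bad name regexp", NO_MATCH_RE)):
        verdict, names = classify_scan(AVSCAN_OUTPUT, 0, [0], INFECTED_RE, name_re)
        print(f"{label}: {verdict} {names}")
```

Running the block prints INFECTED for both name patterns; only the name list differs, which is the behaviour the reply above describes.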

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/amavis-user 
 AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 
 AMaViS-HowTos:http://www.amavis.org/howto/ 
