Patrick,

> I need to log the filename that contains a virus. Playing with $log_templ
> and $log_recip_templ I found out I can use %F to get almost (see: "filename:
> /.asc,eicar.com/" in example) what I want.
> 
> Nov 17 11:25:07 amavisdev amavis[25532]: (25532-01) deflt, Blocked INFECTED
> (310, Eicar-Test-Signature), filename: /.asc,eicar.com/, LOCAL
> [172.16.1.31] [172.16.1.31] <sen...@example.com> ->
> <recipi...@example.com>, quarantine: eWPPLsh4e-dk, Message-ID:
> <20101117102506.gl25...@rayamavis>, mail_id: eWPPLsh4e-dk, Hits: -, size:
> 1166, 283 ms
> 
> The %F macro however consists of two pieces of information - MIME type and filename.
> 
> Is there a way to retrieve the filename only? If not could it be added?

The %F macro gets you banned parts, which may not correspond to what
a virus scanner considers infected.

README.customize:

  banning_rule_key  a lookup key (a regexp) of a banning rule which matched,
                e.g.:  (?-xism:^\\.(exe-ms|dll)$(?# rule #9))

  banning_rule_comment  a comment from a regexp in banning_rule_key, or
                the whole banning_rule_key if it does not contain a comment,
                e.g.:  rule #9

  banning_rule_rhs  right-hand side of a banning rule which matched, often
                just a '1', but can be any string which evaluates to true

  banned_parts  a list of banned parts, with their full path in a MIME/archive
     e.g.:  multipart/mixed | application/octet-stream,.exe,.exe-ms,videos.exe

  F  just the first leaf node from banned_parts, with a prepended rule comment
     (if any), e.g.:  rule #9:application/octet-stream,.exe,.exe-ms,videos.exe


The name of a file which a virus scanner considered infected may or may not be
reported by a virus scanner - it depends on which one you use, and if several,
on which one reported the infection.

With virus scanners which take the whole directory name as argument and
do their own traversal, amavisd is not in a position to know which file
was infected, unless a virus scanner reports this in its output (which
would need to be parsed to obtain a name, individually for each scanner).

For virus scanners which cannot do a directory tree traversal on their
own, amavisd calls them with each file. In this case it would be possible
to remember the filename or archive member name on which a virus scanner
reported infection.

As this information is currently not readily available, there is currently
no macro to report it. The closest is a macro %v, which expands to whatever
output text a virus scanner produced:

README.customize:

  v  output of the (last) virus checking program

Depending on the virus scanner in use, this text may or may not include
a file name of the infected component.

  Mark
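
An added example (not part of the original message or of amavisd itself): post-processing the log line from the question to pull only the name components out of the %F field. It assumes the template wraps %F as "filename: /.../" as in the sample line, and the component classification (a leading MIME type, dot-prefixed short types, the rest names, an optional "comment:" prefix) is inferred from the README examples quoted above; per the reply, this identifies the banned part, which may not be the file a scanner flagged.

```python
import re

# Constructed sample: the log line from the question, abridged after "LOCAL".
SAMPLE_LOG = (
    "Nov 17 11:25:07 amavisdev amavis[25532]: (25532-01) deflt, Blocked INFECTED "
    "(310, Eicar-Test-Signature), filename: /.asc,eicar.com/, LOCAL"
)

# Assumption: the log template emits %F wrapped as "filename: /<%F>/, ".
FIELD_RE = re.compile(r"filename: /(.*?)/(?:, |$)")
MIME_RE = re.compile(r"[\w.+-]+/[\w.+-]+")


def parse_leaf(field):
    """Split a %F (or banned_parts) value into its components."""
    leaf = field.split(" | ")[-1]          # banned_parts: keep the leaf node only
    head, sep, rest = leaf.partition(",")
    comment = None
    if ":" in head:                        # %F may carry a "rule comment:" prefix
        comment, _, head = head.partition(":")
    items = [head] + (rest.split(",") if sep else [])
    parsed = {"rule_comment": comment, "mime_type": None,
              "short_types": [], "names": []}
    for i, item in enumerate(items):
        if i == 0 and MIME_RE.fullmatch(item):
            parsed["mime_type"] = item
        elif item.startswith("."):
            parsed["short_types"].append(item)
        elif item:
            parsed["names"].append(item)
    return parsed


def names_from_log_line(line):
    """Return the name components of the %F field, or [] if the field is absent."""
    m = FIELD_RE.search(line)
    if not m:
        return []
    # Names come from the message itself: treat them as untrusted sender input.
    return parse_leaf(m.group(1))["names"]


if __name__ == "__main__":
    print(names_from_log_line(SAMPLE_LOG))
```

Names that themselves contain a comma or colon cannot be separated unambiguously from this field, so treat the result as a best-effort hint.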
