Patrick,

> I need to log the filename that contains a virus. Playing with $log_templ
> and $log_recip_templ I found out I can use %F to get almost (see: "filename:
> /.asc,eicar.com/" in example) what I want.
>
> Nov 17 11:25:07 amavisdev amavis[25532]: (25532-01) deflt, Blocked INFECTED
> (310, Eicar-Test-Signature), filename: /.asc,eicar.com/, LOCAL
> [172.16.1.31] [172.16.1.31] <sen...@example.com> ->
> <recipi...@example.com>, quarantine: eWPPLsh4e-dk, Message-ID:
> <20101117102506.gl25...@rayamavis>, mail_id: eWPPLsh4e-dk, Hits: -, size:
> 1166, 283 ms
>
> The %F macro however consists of two pieces of information - MIME type and
> filename.
>
> Is there a way to retrieve the filename only? If not could it be added?

The %F macro gets you banned parts, which may not correspond
to what a virus scanner considers infected.

README.customize:

  banning_rule_key  a lookup key (a regexp) of a banning rule which matched,
     e.g.:  (?-xism:^\\.(exe-ms|dll)$(?# rule #9))
  banning_rule_comment  a comment from a regexp in banning_rule_key, or the
     whole banning_rule_key if it does not contain a comment, e.g.: rule #9
  banning_rule_rhs  right-hand side of a banning rule which matched, often
     just a '1', but can be any string which evaluates to true
  banned_parts  a list of banned parts, with their full path in a MIME/archive
     e.g.: multipart/mixed | application/octet-stream,.exe,.exe-ms,videos.exe
  F  just the first leaf node from banned_parts, with a prepended rule comment
     (if any), e.g.: rule #9:application/octet-stream,.exe,.exe-ms,videos.exe

The name of a file which a virus scanner considered infected may or may
not be reported by a virus scanner - it depends on which one you use, and
if several, depends on which one reported the infection.

With virus scanners which take the whole directory name as an argument
and do their own traversal, amavisd is not in a position to know which
file was infected, unless a virus scanner reports this in its output
(which would need to be parsed to obtain a name, individually for
each scanner).

For virus scanners which cannot do a directory tree traversal on
their own, amavisd calls them with each file. In this case it would
be possible to remember the filename or archive member name on which
a virus scanner reported infection. As this information is currently
not readily available, there is currently no macro to report it.

The closest is the macro %v, which expands to whatever output text
a virus scanner produced:

README.customize:

  v  output of the (last) virus checking program

Depending on the virus scanner in use, this text may or may not
include a file name of the infected component.

Mark

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
Please visit http://www.ijs.si/software/amavisd/ regularly
For administrativa requests please send email to rainer at openantivirus dot org
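
Added example (not part of the original message and not amavisd code): a log post-processor that splits the %F expansion into rule comment, type fields and name. It assumes the "filename: /%F/, " wrapping seen in the quoted log line and that the last comma-separated field is the name; the function names are hypothetical. The result is the banned part's name, which, as the reply explains, need not be the file a scanner flagged.

```python
import re

# Log line from the post (addresses are redacted there), joined onto one
# line and abridged by dropping the Message-ID field.
SAMPLE_LOG = (
    "Nov 17 11:25:07 amavisdev amavis[25532]: (25532-01) deflt, Blocked "
    "INFECTED (310, Eicar-Test-Signature), filename: /.asc,eicar.com/, LOCAL "
    "[172.16.1.31] [172.16.1.31] <sen...@example.com> -> "
    "<recipi...@example.com>, quarantine: eWPPLsh4e-dk, "
    "mail_id: eWPPLsh4e-dk, Hits: -, size: 1166, 283 ms"
)

# Assumption: the log template wraps %F as "filename: /<%F>/, ", as in the
# poster's line. The non-greedy match stops at the first "/, ", so the "/"
# inside a MIME type such as application/octet-stream does not end it early.
F_FIELD = re.compile(r"filename: /(?P<f>.*?)/, ")


def split_banned_part(f_value):
    """Split a %F expansion into (rule_comment, type_fields, name).

    Layout per README.customize: [comment:]type,short-type,...,name
    Assumptions: the rule comment contains no comma, and the last field is
    the name (a file name that itself contains a comma is mis-split).
    """
    first, _, rest = f_value.partition(",")
    # An optional "comment:" prefix sits in front of the first type field.
    comment, sep, first_type = first.rpartition(":")
    fields = [first_type] + (rest.split(",") if rest else [])
    rule_comment = comment if sep else None
    if len(fields) < 2:
        # Only a type was logged; no name is available.
        return (rule_comment, fields, None)
    return (rule_comment, fields[:-1], fields[-1])


def banned_name_from_log(line):
    """Return the banned part's name from a log line, or None if absent."""
    m = F_FIELD.search(line)
    if m is None:
        return None
    return split_banned_part(m.group("f"))[2]


if __name__ == "__main__":
    print(banned_name_from_log(SAMPLE_LOG))
```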