List: amavis-user
Subject: Re: [AMaViS-user] Logging filename along with virus name
From: Patrick Ben Koetter <p () state-of-mind ! de>
Date: 2010-11-17 20:54:07
Message-ID: 20101117205407.GA3400 () state-of-mind ! de
* Mark Martinec <Mark.Martinec+amavis@ijs.si>:
> Patrick,
>
> > I need to log the filename that contains a virus. Playing with $log_templ
> > and $log_recip_templ I found out I can use %F get almost (see: "filename:
> > /.asc,eicar.com/" in example) what I want.
> >
> > Nov 17 11:25:07 amavisdev amavis[25532]: (25532-01) deflt, Blocked INFECTED
> > (310, Eicar-Test-Signature), filename: /.asc,eicar.com/, LOCAL
> > [172.16.1.31] [172.16.1.31] <sender@example.com> ->
> > <recipient@example.com>, quarantine: eWPPLsh4e-dk, Message-ID:
> > <20101117102506.GL25249@rayamavis>, mail_id: eWPPLsh4e-dk, Hits: -, size:
> > 1166, 283 ms
> >
> > The %F macro however consists of two informations - MIME type and filename.
> >
> > It there a way to retrieve the filename only? If not could it be added?
>
...
> A name of a file which a virus scanner considered infected may or may not be
> reported by a virus scanner - depends on which one you use, and if several,
> depends on which one reported the infection.
>
> With virus scanners which take the whole directory name as argument and
> do their own traversal, amavisd is not in position to know which file
> was infected, unless a virus scanner reports this in its output (which
> would need to be parsed to obtain a name, individually for each scanner).
How about scanners that take full paths to files, as opposed to a whole
directory, as their argument? Would amavis (!) be able to report the filename that
was given to the scanner?
The particular scanner I am talking about is AVIRA's SAVAPI. The documentation
indicates the SCAN command "is used to invoke the engine for a specified
file".
Here's a test for a full path to a file:
# telnet localhost 3333
100 SAVAPI:3.0
SET PRODUCT <id>
100 PRODUCT:<id>
SCAN /tmp/letter.zip
310 WORM/Agent ; worm ; Contains detection pattern of the worm WORM/Agent
310 letter.doc .scr <<< WORM/Agent ; worm ; Contains detection pattern of the worm WORM/Agent
319 OK
QUIT
Here's a test for a full path to a file:
# telnet localhost 3333
100 SAVAPI:3.0
SET PRODUCT 10225
100 PRODUCT:10225
319 OK
SCAN /tmp/viren/*
350 file open error
SCAN /tmp/viren/letter.zip
310 WORM/Agent ; worm ; Contains detection pattern of the worm WORM/Agent
310 letter.doc .scr <<< WORM/Agent ; worm ; Contains detection pattern of the worm WORM/Agent
QUIT
p@rick
--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
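As an added example (not code from the thread, from amavisd or from AVIRA), a small parser for SAVAPI replies of the shape quoted above that pulls out the file name on its own, without the MIME type that %F carries; the transcript it runs on is constructed to match the sessions shown in the message, and the reply-code meanings (310 detection, 319 OK, 350 error) are taken only from what those sessions display.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed transcript modelled on the SAVAPI session quoted above:
# client commands and server replies interleaved as seen on the wire.
SESSION = """\
100 SAVAPI:3.0
SET PRODUCT 10225
100 PRODUCT:10225
319 OK
SCAN /tmp/viren/*
350 file open error
SCAN /tmp/viren/letter.zip
310 WORM/Agent ; worm ; Contains detection pattern of the worm WORM/Agent
310 letter.doc .scr <<< WORM/Agent ; worm ; Contains detection pattern of the worm WORM/Agent
319 OK
QUIT"""

@dataclass
class Detection:
    path: str              # path handed to the SCAN command
    member: Optional[str]  # archive member named before "<<<", if any
    virus: str
    category: str
    description: str

    def filename(self) -> str:
        # The thread's ask: the name of the infected file, nothing else.
        # For an archive hit this is the member; otherwise the scanned path.
        return self.member or self.path

def parse_savapi(transcript: str) -> Tuple[List[Detection], List[Tuple[str, str]]]:
    """Walk a SAVAPI session; return (detections, errors) keyed to the SCAN path."""
    detections: List[Detection] = []
    errors: List[Tuple[str, str]] = []
    current = ""  # path of the most recent SCAN command
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.upper().startswith("SCAN "):
            current = line[5:].strip()
            continue
        code, _, rest = line.partition(" ")
        if code == "310":
            # "<member> <<< <virus> ; <category> ; <description>" for archive members,
            # "<virus> ; <category> ; <description>" for the scanned file itself.
            member, sep, report = rest.partition("<<<")
            fields = [f.strip() for f in (report if sep else rest).split(";", 2)]
            virus, category, description = (fields + ["", "", ""])[:3]
            detections.append(Detection(current, member.strip() if sep else None,
                                        virus, category, description))
        elif code == "350":
            errors.append((current, rest.strip()))
    return detections, errors
```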
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
Please visit http://www.ijs.si/software/amavisd/ regularly
For administrativa requests please send email to rainer at openantivirus dot org