virus name does not appear in maillog

Tomas Macek macek at fortech.cz
Mon Aug 29 14:01:37 CEST 2011



On Fri, 26 Aug 2011, Mark Martinec wrote:

> Tomas,
>
>> I'm using Scientific Linux 6.1, Postfix 2.8.4 and Amavisd-new 2.6.4 with
>> ClamAV 0.97.
>> Everything works with one exception: I can't see the name of the virus in
>> the maillog. This is an example when I'm sending empty mail with eicar
>> virus as an attachment:
>>
>> Aug 22 14:46:46 zet amavis[26543]: (26543-01) ask_av (Clam
>> Antivirus-clamd) result:
>> /var/spool/amavisd/tmp/amavis-20110822T144646-26543/parts/p004:
>> Eicar-Test-Signature
>> FOUND\n/var/spool/amavisd/tmp/amavis-20110822T144646-26543/parts/p002:
>> Eicar-Test-Signature FOUND\n
>
>> Aug 22 14:46:46 zet postfix/smtp[26567]: 0315953: to=<mailbox at domain.cz>,
>> relay=127.0.0.1[127.0.0.1]:10024, delay=0.14, delays=0.03/0.01/0.01/0.09,
>> dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=26543-01 - INFECTED: )
>>
>> I was trying to look into the code of /usr/sbin/amavisd, but with no
>> result, because I don't understand the code well (I'm not a Perl guru)
>> and I was also unable to find anyone with the same issue.
>
> What does your clamd entry in the @av_scanners list look like?
> Apparently the regexp in the last field is not capturing
> the virus name.
>
> Should be something like:
>
> ['ClamAV-clamd',
>   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
>   qr/\bOK$/m, qr/\bFOUND$/m,
>   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
>
> Perhaps the /m regexp flag is missing in your case?
>
>
> Mark

Thank you very much Mark! This did the job! I copied the text from 
somewhere and it was buggy.

Now I see this:
... (26153-01) Blocked INFECTED (Eicar-Test-Signature), MYNETS LOCAL ...
... dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=26153-01 - 
INFECTED: Eicar-Test-Signature)

Works perfectly!

I said that there should be some virus name ;-)

Best regards, Tomas
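
Added example, not part of the thread and not amavisd-new code: a Python model of how a missing /m flag, the cause Mark suspects, gives exactly this symptom (mail still flagged INFECTED, name empty) when clamd reports more than one infected part. Python's `re.MULTILINE` stands in for Perl's /m; `classify`, its simplified evaluation order and the sample replies are assumptions made for illustration.

```python
import re

# Constructed clamd CONTSCAN replies modelled on the log above: one line per
# infected part, each ending in a real newline (amavisd logs it as "\n").
TWO_PARTS = (
    "/var/spool/amavisd/tmp/amavis-X/parts/p004: Eicar-Test-Signature FOUND\n"
    "/var/spool/amavisd/tmp/amavis-X/parts/p002: Eicar-Test-Signature FOUND\n"
)
ONE_PART = "/var/spool/amavisd/tmp/amavis-X/parts/p002: Eicar-Test-Signature FOUND\n"

# The three patterns from the suggested @av_scanners entry, without flags.
CLEAN = r"\bOK$"
INFECTED = r"\bFOUND$"
NAME = r"^.*?: (?!Infected Archive)(.*) FOUND$"


def classify(reply, flags=0):
    """Simplified model (assumption): the status patterns decide the verdict,
    the last pattern extracts the virus names."""
    if re.search(INFECTED, reply, flags):
        verdict = "INFECTED"
    elif re.search(CLEAN, reply, flags):
        verdict = "CLEAN"
    else:
        verdict = "UNKNOWN"
    names = []
    if verdict == "INFECTED":
        names = sorted(set(re.findall(NAME, reply, flags)))
    return verdict, names


if __name__ == "__main__":
    # Without /m: '$' still matches before the final newline, so the verdict
    # is INFECTED, but '^' ... '$' cannot span one line of a two-line reply.
    print("no /m, two parts:", classify(TWO_PARTS))
    # A single-line reply hides the bug, which makes it easy to miss in tests.
    print("no /m, one part: ", classify(ONE_PART))
    # With /m each line is anchored separately and the name is captured.
    print("/m, two parts:   ", classify(TWO_PARTS, re.MULTILINE))
```
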


