Avast!: Name of virus is parsed incorrectly
Ralf Hildebrandt
Ralf.Hildebrandt at charite.de
Wed Aug 15 20:34:20 CEST 2012
Today I had to find out why amavis wouldn't properly log the virus
name when using the avast! Antivirus daemon.
Here's what the output looks like "on the wire" (when talking to the
daemon):
/var/lib/amavis/tmp/testvirus.zip/Bestellung 10.07.2012 .pif [L] 1759314145 Win32:Injector-ARW [Trj]
/var/lib/amavis/tmp/testvirus.zip/azel.exe [L] 1046957622 Win32:Downloader-PXR [Trj]
/var/lib/amavis/tmp/testvirus.zip[+]
The config:
# ### http://www.avast.com/
# ['avast! Antivirus daemon',
# \&ask_daemon, # greets with 220, terminate with QUIT
# ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'],
# qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t([^[ \t\015\012]+)/m ],
needs to become:
# ### http://www.avast.com/
# ['avast! Antivirus daemon',
# \&ask_daemon, # greets with 220, terminate with QUIT
# ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'],
# qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t[0-9]+ ([^[ \t\015\012]+)/m ],
All I did was to add "[0-9]+ ", since avast! seems to add an
arbitrary(?) number, followed by a space (not \t!), to its output.
After my changes, the log would look like this:
Aug 15 19:54:40 mail amavis[5936]: (05936-01) Blocked INFECTED ("avast! Antivirus daemon":[Win32:Injector-ARW]), VIRUS [192.168.50.150] [192.168.50.150], filename: (), mail_id: vvKhd_VnzE2j, quarantine: vvKhd_VnzE2j, Hits: -, size: 241007, scan_time: 497 ms, <hildeb at charite.de> -> <recipient at kunde>
--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt at charite.de | http://www.charite.de
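To make the difference between the two name-extraction patterns concrete, here is an added example (not part of the post, and not amavis code): the three patterns from the @av_scanners entry translated from Perl qr// into Python re, run over a constructed copy of the daemon reply quoted above. The sample assumes the fields are tab-separated as the patterns expect (the post's on-wire dump does not show the tabs) and that the number after [L] is followed by a plain space, as the post states. The infected check runs before the clean check because the sample reply carries both per-member [L] lines and a trailing [+] line and amavis logged it as INFECTED; the helper names are mine.

```python
import re

# The three patterns from the amavisd.conf entry for the avast! daemon, translated
# from Perl qr// to Python re (\015\012 -> \r\n).  In an @av_scanners entry they
# are, in order: the "clean" indicator, the "infected" indicator and the
# virus-name extractor.
RE_CLEAN    = re.compile(r'\t\[\+\]', re.M)
RE_INFECTED = re.compile(r'\t\[L\]\t', re.M)
RE_NAME_OLD = re.compile(r'\t\[L\]\t([^\[ \t\r\n]+)', re.M)           # original
RE_NAME_NEW = re.compile(r'\t\[L\]\t[0-9]+ ([^\[ \t\r\n]+)', re.M)    # with "[0-9]+ "

# Constructed sample of the daemon's reply, modelled on the three lines in the
# post.  Assumption: fields are tab-separated as the patterns expect, and the
# number after [L] is followed by a plain space (not a tab).
SAMPLE = (
    "/var/lib/amavis/tmp/testvirus.zip/Bestellung 10.07.2012 .pif\t[L]\t"
    "1759314145 Win32:Injector-ARW [Trj]\r\n"
    "/var/lib/amavis/tmp/testvirus.zip/azel.exe\t[L]\t"
    "1046957622 Win32:Downloader-PXR [Trj]\r\n"
    "/var/lib/amavis/tmp/testvirus.zip\t[+]\r\n"
)


def extract_names(output, name_re):
    """Collect every capture of the name pattern; these are the strings that end
    up in the ("avast! Antivirus daemon":[...]) part of the amavis log line."""
    return name_re.findall(output)


def verdict(output, name_re):
    """Classify one daemon reply as ('INFECTED', names), ('CLEAN', []) or
    ('UNKNOWN', []).  Infected is checked first: a scan of an archive yields
    per-member [L] lines plus a trailing [+] line, and amavis reported the
    sample as INFECTED, so a [+] must not override an earlier [L]."""
    if RE_INFECTED.search(output):
        return 'INFECTED', extract_names(output, name_re)
    if RE_CLEAN.search(output):
        return 'CLEAN', []
    return 'UNKNOWN', []


if __name__ == '__main__':
    for label, name_re in (('old pattern', RE_NAME_OLD), ('new pattern', RE_NAME_NEW)):
        print(label, verdict(SAMPLE, name_re))
```

With the original pattern the first non-space, non-bracket run after "[L]\t" is the number, so that is what gets logged as the "virus name"; the added "[0-9]+ " skips it and the capture lands on the real name. If avast! ever emits the number with a tab instead of a space, or omits it, the new pattern stops matching and no name is logged, so the old and new outputs are worth comparing after any daemon upgrade.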