Ralf,
> Jan 26 11:06:04 idvamavis03 amavis[9249]: (09249) virus_scan: (
> 310, PayPal_Limited_Form.html <<< PHISH/Paypal.27959, PHISH/Paypal.27959
> ), detected by 1 scanners: Avira SAVAPI
> I can confirm that! amavisd-agent also logs
> virus.byname.310 ... ... ... 100%
> since it's somehow logging the "310" returncode as virus name.
Since when is the status code followed by a comma instead of a space,
and since when is the: " ; type ; english-text-message" part of the
310 or 420 responses made optional?
Please try the following:
['Avira SAVAPI',
\&ask_daemon, ["*", 'savapi:/var/tmp/.savapi3', 'product-id'],
qr/^(200|210)/m, qr/^(310|420|319)/m,
qr/^(?:310|420)[,\s]*(?:.* <<< )?(.+?)(?: ; |$)/m
The comma after a status code may also require the following change:
--- amavisd.orig 2011-01-25 20:19:09.000000000 +0100
+++ amavisd 2011-01-27 17:21:48.470582488 +0100
@@ -22397,6 +22397,6 @@
$output .= $ln if length($output) < 10000; # sanity limit
}
- last if $ln =~ /^([0125-9]\d\d|300|319) .*\012/; # terminal status
- # last if $ln =~ !/^(310|420|421|422|430) .*\012/; # nonterminal status
+ last if $ln =~ /^([0125-9]\d\d|300|319).*\012/; # terminal status
+ # last if $ln =~ !/^(310|420|421|422|430).*\012/; # nonterminal status
}
}
Mark
------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires
February 28th, so secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
Please visit http://www.ijs.si/software/amavisd/ regularly
For administrativa requests please send email to rainer at openantivirus dot
org
