Dodgy RAV output using RAV8.4.0 for OpenBSD/Exim

Julian Field mailscanner at ecs.soton.ac.uk
Tue Oct 15 22:26:01 IST 2002


Try using this code instead for the ProcessRavOutput function in sweep.pl.
This is the new code that will be in the release of version 4, but it
should work perfectly well in MailScanner version 3 as well.

sub ProcessRavOutput {
   my($line, $infections, $types, $BaseDir) = @_;

   my($report, $infected, $dot, $id, $part, @rest);
   my($logout);

   chomp $line;

   $report = $line;
   if ($line =~ /\t+(Infected|Suspicious): /i) {
     $logout = $line;
     $logout =~ s/%/%%/g;    # InfoLog takes a printf-style format string
     MailScanner::Log::InfoLog($logout);
     # Get to relevant filename in a reasonably but not
     # totally robust manner (*impossible* to be totally robust
     # if we have slashes, spaces and "->" in filenames)
     # Strip the infection report off the end, leaves us with the path
     # and the archive element name
     $line =~ s/\t(Infected|Suspicious): \S+$//;
     # Strip any archive elements so we should just have the path and filename
     $line =~ s/^(.*?)\-\>.*$/$1/;
     $line =~ /\-\>/
       and MailScanner::Log::DieLog("Dodgy things going on in Rav " .
                                    "output:\n%s\n", $report);
     #print STDERR "**$line\n";
     ($dot,$id,$part,@rest) = split(/\//, $line);
     $infections->{"$id"}{"$part"} .= $report . "\n";
     $types->{"$id"}{"$part"} .= "v"; # so we know what to tell sender
     return 1;
   }
   return 0;
}


At 22:02 15/10/2002, you wrote:
>I have been running RAV for OpenBSD3.x/Exim-8.4.0 for a little while
>now and decided to use MailScanner-3.23-5 to also use SpamAssassin.
>
>Noticed this when I hit it with a subseven attachment to test:
>---------------------------------------------------------------------
>Oct 15 11:09:35 home mailscanner[28119]: Scanning 1 messages, 1401338
>bytes
>Oct 15 11:09:37 home mailscanner[28119]: Dodgy things going on in Rav
>output:
>Oct 15 11:09:37 home mailscanner[28119]:
>./181W8K-0002s6-00/subseven20.zip->SubSeven.exe Infected:
>Backdoor:Win32/SubSeven.2_0
>---------------------------------------------------------------------
>
>Checked out sweep.pl and found on line 1014:
>
>$line =~ s/^.*(\/.*\/.*)\s+Infected:[^:]*$/$1/
>
>Seeing that my RAV output had an extra colon after "Backdoor",
>I removed the "[^:]" and cavalierly replaced it with "."
>
>$line =~ s/^.*(\/.*\/.*)\s+Infected:.*$/$1/
>
>It worked, but I do not know what I have broken by doing so! Can
>anyone advise why the second colon was excluded so I/we can write a
>regex that will fix the issue?
>
>Thanks in advance for any help.
>
>
>Mike
>--
>Mike Sullenszino
>mike at sullenszino.org

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
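The following is an added stand-alone example, not code from the thread or from MailScanner itself. It runs the old sweep.pl regex and the new ProcessRavOutput logic side by side over constructed RAV-style report lines (modelled on the log line quoted above, not captured scanner output), so you can see why a verdict containing a second colon, such as "Backdoor:Win32/SubSeven.2_0", slips past the old pattern and is handled by the new one. MailScanner::Log calls are replaced by plain die/print, and the hash layout mirrors the $infections and $types structures in the posted function.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample RAV report lines (not captured scanner output), modelled
# on the log line quoted in the thread. RAV separates the path from the
# verdict with a tab; the third line is a clean file and must be ignored.
my @samples = (
    "./181W8K-0002s6-00/subseven20.zip->SubSeven.exe\tInfected: Backdoor:Win32/SubSeven.2_0\n",
    "./181W8K-0002s6-00/eicar.com\tInfected: EICAR-Test-File\n",
    "./181W8K-0002s6-00/notes.txt\tClean\n",
);

# The pattern from the old sweep.pl line 1014: "[^:]*$" refuses any further
# colon after "Infected:", so a two-colon verdict never matches at all.
# Returns the captured path, or undef when the pattern does not match.
sub old_extract {
    my ($line) = @_;
    chomp $line;
    return $line =~ /^.*(\/.*\/.*)\s+Infected:[^:]*$/ ? $1 : undef;
}

# Stand-alone version of the new ProcessRavOutput logic: strip the verdict,
# strip any "->" archive element, then split what is left on "/".
# Assumption for this example: no MailScanner modules, so logging is a die.
# Returns a hashref on a hit, undef otherwise.
sub new_extract {
    my ($line) = @_;
    chomp $line;
    my $report = $line;
    return undef unless $line =~ /\t+(Infected|Suspicious): /i;
    $line =~ s/\t(Infected|Suspicious): \S+$//;   # drop the verdict
    $line =~ s/^(.*?)\-\>.*$/$1/;                  # drop archive element(s)
    die "Dodgy things going on in Rav output:\n$report\n" if $line =~ /\-\>/;
    my ($dot, $id, $part, @rest) = split(/\//, $line);
    return { id => $id, part => $part, report => $report };
}

# Same two-level hashes the posted function fills in.
my (%infections, %types);
for my $sample (@samples) {
    my $old = old_extract($sample);
    my $new = new_extract($sample);
    printf "old regex: %s\n", defined $old ? $old : "(no match)";
    if ($new) {
        $infections{ $new->{id} }{ $new->{part} } .= "$new->{report}\n";
        $types{ $new->{id} }{ $new->{part} }      .= "v";
        printf "new logic: id=%s part=%s\n", $new->{id}, $new->{part};
    } else {
        print "new logic: (not infected)\n";
    }
}
```

Run it with `perl rav_parse.pl`. The first sample prints "(no match)" for the old regex while the new logic records message id 181W8K-0002s6-00, part subseven20.zip; the second is handled by both; the clean line is skipped by both. One caveat carried over from the posted function: the verdict is stripped with `\S+$`, so it is assumed to be a single token without whitespace, as in the quoted log line. A scanner build that prints verdicts containing spaces would leave part of the verdict attached to the path, and the split would then yield a wrong part name.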

