Announce: MailWatch for MailScanner 0.2 (was MailScanner-Console)

Steve Freegard steve.freegard at LBSLTD.CO.UK
Tue Jun 17 09:45:34 IST 2003


Thanks for this - glad it's working now.  I'll add your regex to the source
for the next version.


-----Original Message-----
From: Mike Zanker [mailto:mike at ZANKER.ORG]
Sent: 17 June 2003 09:31

On 17 June 2003 09:18 +0100 Steve Freegard
<steve.freegard at LBSLTD.CO.UK> wrote:

> The regex works against the report field on the database which
> contains all the reports from MailScanner joined together, so it will
> be slightly different to what you see in the maillog.  If you look at
> the message detail for an infected message and look at the 'Report:'
> field, you'll see what I mean.

This is the Report: field for an infected message:

Report: >>> Virus 'EICAR-AV-Test' found in file

> Try this for the regex:  '/Sophos: (\S+) found in file (.+)/' - and
> see if that does the trick.

I'm actually using this at the moment:

define(VIRUS_REGEX, '/(>>>) Virus \'(.+)\' found/');

and it seems to be extracting the virus name correctly - at least it
appears as just EICAR-AV-Test in the various reports and the box at the
top right of the main page. The (>>>) is to make sure that the virus
name ends up as the second element of your array.



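The following is an added example, not part of either message and not MailWatch code. It runs the VIRUS_REGEX quoted above against the Report: text from the thread and against a constructed field holding two reports, to show which capture group carries the virus name and how the greedy `(.+)` behaves once reports are joined. The single-line, space-separated join, the second virus name, the file names and the bounded variant `([^']+)` are assumptions made for the illustration.

```php
<?php
// Added illustration; not MailWatch source. Report strings are constructed,
// apart from $single, which is the Report: text quoted in the thread.

// Pattern from the message above.
const VIRUS_REGEX = '/(>>>) Virus \'(.+)\' found/';
// Assumed variant: the name may not contain a single quote.
const VIRUS_REGEX_BOUNDED = '/(>>>) Virus \'([^\']+)\' found/';

/** Return capture group 2 (the virus name) of every match in $report. */
function virus_names(string $regex, string $report): array
{
    // PREG_SET_ORDER: each match is [0 => whole text, 1 => '>>>', 2 => name].
    preg_match_all($regex, $report, $matches, PREG_SET_ORDER);
    return array_column($matches, 2);
}

$single = ">>> Virus 'EICAR-AV-Test' found in file";
// Constructed: two reports joined on one line (the join format is assumed).
$joined = ">>> Virus 'EICAR-AV-Test' found in file one.txt "
        . ">>> Virus 'Second-Test' found in file two.txt";

foreach (['single' => $single, 'joined' => $joined] as $label => $report) {
    echo $label, "\n";
    echo '  (.+)     : ', json_encode(virus_names(VIRUS_REGEX, $report)), "\n";
    echo '  ([^\']+) : ', json_encode(virus_names(VIRUS_REGEX_BOUNDED, $report)), "\n";
}
```

On the joined field the greedy pattern yields one over-long name that swallows the text between the two reports, while the bounded pattern yields each name separately; if the reports are joined with newlines instead, `.` stops at the line break and both patterns behave the same.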