Norman Sandbox and MailScanner

James Gray james at grayonline.id.au
Wed Jul 12 12:59:59 IST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sjakie wrote:
> 
> This is one line in the Norman output:
> 
> ----- Possible virus in '/root/SCANDIR/./eicar_com.zip : eicar.com' ->
> 'EICAR_Test_file_not_a_virus!'
> 
> 
> 
> 
> total 5 lines in the Norman output (sandbox):
> 
> ----- Possible virus in './dummy.exe' -> 'Sandbox: W32/Malware;  [
> General information ]
>    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS at NORMAN.NO -
> REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
>    * File length:         4096 bytes.
> 
> '

Yep, the problem is that the sandbox output is multiple lines, AND the last
line BEGINS with a single quote (see below).  So using Julian's original
REGEX, it will definitely NOT work.  A REGEX, unless you seriously get
funky, deals with single lines in the pattern space, so multi-line
output is a royal pain.

Also, Julian's REGEX has this:

/^[^']+'([^']+)' -> '([^']+)'\s*$/

Specifically, it is DESIGNED to ignore[1] lines that begin with one, or
more, single quotes.  See the problem?  The sandbox output spans
multiple lines until it reaches the terminator (a single quote), BUT the
single quote is the first character on the line.  No cigar :(

It's too late and I'm too tired to think about how a single REGEX
pattern could be written to match BOTH Norman's outputs.  So I'll leave
that as an exercise for someone who doesn't have a deadline tomorrow
morning, a dead database tonight and 11 hours until the world ends :P

Cheers,

James
[1] "Ignore" as in "NOT match". [^'] means "don't match a single quote".
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEtOQ/wBHpdJO7b9ERAjhWAKDZi+g5mXfkHhJYk7I9XJwf4lyNZQCg21mH
Roibcx4o2f61qsNhgrnqSxA=
=okiK
-----END PGP SIGNATURE-----
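The failure James describes, and one way to take up his "exercise", as an added example that is not part of the original thread and not MailScanner's or Julian's code. The two scanner outputs below are reconstructed from the reports quoted in the thread (constructed samples, not a real capture); the second pattern, which anchors on the literal report prefix and lets the result span lines until the closing quote, is my own assumption about a workable replacement, written in Python because its re module accepts Julian's pattern unchanged.

```python
import re

# Julian's original single-line pattern, exactly as quoted in the message.
# Perl syntax, but Python's re module accepts it unchanged.
ORIGINAL_RE = re.compile(r"^[^']+'([^']+)' -> '([^']+)'\s*$")

# Added alternative (an assumption, not MailScanner's or Julian's code).
# Anchored on the literal report prefix so the leading [^']+ cannot wander
# across lines once MULTILINE is on; the result group is non-greedy and
# DOTALL lets it cross newlines until the first quote that ends a line.
# Caveat: a result body or filename containing an apostrophe would still
# break both patterns; neither quoted sample contains one.
MULTILINE_RE = re.compile(
    r"^----- Possible virus in '([^']+)' -> '(.*?)\s*'\s*$",
    re.MULTILINE | re.DOTALL,
)

# Constructed sample 1: the ordinary one-line EICAR report (unwrapped).
EICAR_OUTPUT = (
    "----- Possible virus in '/root/SCANDIR/./eicar_com.zip : eicar.com'"
    " -> 'EICAR_Test_file_not_a_virus!'\n"
)

# Constructed sample 2: the five-line sandbox report, terminated by a line
# whose first (and only) character is the closing single quote.
SANDBOX_OUTPUT = (
    "----- Possible virus in './dummy.exe' -> 'Sandbox: W32/Malware;  ["
    " General information ]\n"
    "   * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS at NORMAN.NO -"
    " REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.\n"
    "   * File length:         4096 bytes.\n"
    "\n"
    "'\n"
)


def parse_line_by_line(output):
    """Apply the original pattern one line at a time, as a per-line parser would.

    Returns a list of (scanned_file, result) tuples. The sandbox report
    yields nothing: line 1 has no closing quote, the middle lines have no
    quotes at all, and the terminator line fails ^[^']+ because its first
    character is the quote itself.
    """
    hits = []
    for line in output.splitlines():
        m = ORIGINAL_RE.match(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def parse_reports(output):
    """Apply the multi-line pattern to the whole scanner output at once.

    Each report is consumed up to its own closing quote, so a mixed output
    containing both kinds of report still yields one tuple per report.
    Trailing whitespace and blank lines inside the sandbox body are dropped
    by the \\s* before the closing quote.
    """
    return [(m.group(1), m.group(2)) for m in MULTILINE_RE.finditer(output)]


if __name__ == "__main__":
    for label, out in (("eicar", EICAR_OUTPUT), ("sandbox", SANDBOX_OUTPUT)):
        print(label, "line-by-line:", parse_line_by_line(out))
        print(label, "multi-line:  ", parse_reports(out))
```

Running it shows the original pattern matching only the EICAR line, while the multi-line pattern returns one (file, result) pair for each report; for the sandbox report the result group carries the whole "Sandbox: W32/Malware; ... 4096 bytes." body, which a caller would still want to collapse to a single line before logging it.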
