Norman Sandbox and MailScanner

Sjakie sjakie07 at
Wed Jul 12 14:40:09 IST 2006

James wrote:
> Yep the problem is the sandbox output is multiple lines, AND the last
> line BEGINS with a single quote (see below).  So using Julian's original
> REGEX, it will definitely NOT work.  REGEX, unless you seriously get
> funky, deals with single lines in the pattern space, so multi-line
> output is a royal pain.
> Also, Julian's REGEX has this:
> /^[^']+'([^']+)' -> '([^']+)'\s*$/
> Specifically, it is DESIGNED to ignore[1] lines the begin with one, or
> more, single quotes.  See the problem?  The sandbox output spans
> multiple lines until it reaches the terminator (a single quote), BUT the
> single quote is the first character on the line.  No cigar :(
> It's too late and I'm too tired to think about how a single REGEX
> pattern could be written to match BOTH Norman's outputs.  So I'll leave
> that as an exercise for someone who doesn't a have deadline tomorrow
> morning, a dead database tonight and 11 hours until the world ends :P

Thanks for your help!

If it's really difficult to write a single REGEX pattern to match BOTH
Norman's outputs,
then maybe as a workaround it would be possible to add a new virusscanner
i.e. "normansandbox" in MailScanner?

It might not be the best solution and it maybe slower (Virus Scanners = 
norman normansandbox clamav) but i can live with that.
I could even disable sandbox scanning in the default "norman" virusscanner 
of MailScanner (options -sb:0) so that this one will be a little bit faster.

Is this possible and what would the REGEX for "normansandbox" look like?


More information about the MailScanner mailing list