Warning: MS log record format changes in 4.65.1 BETA

Quentin Campbell Q.G.Campbell at newcastle.ac.uk
Wed Oct 31 15:20:57 GMT 2007


>-----Original Message-----
>From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>bounces at lists.mailscanner.info] On Behalf Of Julian Field
>Sent: 31 October 2007 14:09
>To: MailScanner discussion
>Subject: Re: Warning: MS log record format changes in 4.65.1 BETA
[snip]


>>> Jun 11 12:12:59 cheviot4 MailScanner[28551]: ClamAVModule::INFECTED::
>>> Worm.Mydoom.M:: ./l5BBChGt030131/ATTACHMENT.SCR
>>>
>>> With 4.65.1-1 BETA, I now see the last few fields moved right one place
>>> because the phrase "ClamAVModule::INFECTED::" is now split as in
>
>But these following examples look like the ones from 4.62.9-2 that you
>posted above.
>Surely it's better that it logs which scanner found the infection?
>
>>>
>>> Oct 31 11:37:06 cheviot2 MailScanner[9758]: ClamAV Module::INFECTED::
>>> Phishing.Heuristics.Email.SpoofedDomain:: ./l9VBaefJ002190/
>>>

Julian

Of course it is better to log which scanner found them. My point was
about consistency in the way you do this.  :-)

If in one version of MailScanner you label as

... ClamAVModule::INFECTED::...

and in a later version change the label to

... ClamAV Module::INFECTED::...  [Note the space]

then scripts that process these records will be confused. The second
record format has, in Perl 'split' command terms, an extra field. As it
happens it is the last two fields that my scripts are primarily
interested in. :-(

Quentin 
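
An added example, not part of the original message and not MailScanner's own code: a Perl parser that keys on the "::" delimiters rather than on whitespace, so both label forms quoted in this thread yield the same fields. The sample records are the two log lines quoted above with their wrapped lines rejoined; the sub name parse_infected and the hash keys are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Sample records copied from the quoted messages above (wrapped lines rejoined).
my @records = (
    'Jun 11 12:12:59 cheviot4 MailScanner[28551]: ClamAVModule::INFECTED:: Worm.Mydoom.M:: ./l5BBChGt030131/ATTACHMENT.SCR',
    'Oct 31 11:37:06 cheviot2 MailScanner[9758]: ClamAV Module::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain:: ./l9VBaefJ002190/',
);

# Hypothetical helper: parse on the "::" delimiters instead of whitespace, so a
# space inside the scanner label cannot shift the fields that follow it.
sub parse_infected {
    my ($line) = @_;
    return unless $line =~ m{
        ^(\w{3}\s+\d+\s+[\d:]+)\s+      # syslog timestamp
        (\S+)\s+                        # host
        MailScanner\[(\d+)\]:\s+        # program name and pid
        (.+?)::INFECTED::\s*            # scanner label, which may contain spaces
        (.+?)::\s*                      # detection name
        (\S.*?)\s*$                     # path reported by the scanner
    }x;
    my %rec = (time => $1, host => $2, pid => $3,
               scanner => $4, virus => $5, path => $6);
    # Normalise the label so both releases map to the same scanner key.
    ($rec{scanner_key} = lc $rec{scanner}) =~ s/\s+//g;
    return \%rec;
}

for my $line (@records) {
    my @ws  = split ' ', $line;         # the whitespace split the message refers to
    my $rec = parse_infected($line) or next;
    printf "%d whitespace fields | %s | %s | %s\n",
        scalar(@ws), $rec->{scanner_key}, $rec->{virus}, $rec->{path};
}
```

The whitespace field count differs between the two records, while the delimiter-anchored parse returns the same scanner key for both and leaves the detection name and path in fixed positions.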


