Warning: MS log record format changes in 4.65.1 BETA

Julian Field MailScanner at ecs.soton.ac.uk
Wed Oct 31 15:51:35 GMT 2007


Ah, okay, it's all about the space. I didn't spot that.
Would it be better if all the virus scanner names in the log lines
were 1 word?
How much will that upset MailWatch for starters?

It will affect
    ClamAVModule
    F-Prot 6


Quentin Campbell wrote:
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
>> Sent: 31 October 2007 14:09
>> To: MailScanner discussion
>> Subject: Re: Warning: MS log record format changes in 4.65.1 BETA
> [snip]
>
>
>>>> Jun 11 12:12:59 cheviot4 MailScanner[28551]: ClamAVModule::INFECTED:: Worm.Mydoom.M:: ./l5BBChGt030131/ATTACHMENT.SCR
>>>>
>>>> With 4.65.1-1 BETA, I now see the last few fields moved right one place
>>>> because the phrase "ClamAVModule::INFECTED::" is now split as in
>> But these following examples look like the ones from 4.62.9-2
>> that you posted above. Surely it's better that it logs which
>> scanner found the infection?
>>
>>>> Oct 31 11:37:06 cheviot2 MailScanner[9758]: ClamAV Module::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain:: ./l9VBaefJ002190/
>>>>
>
> Julian
>
> Of course it is better to log which scanner found them. My point
> was about consistency in the way you do this.  :-)
>
> If in one version of MailScanner you label as
>
> ... ClamAVModule::INFECTED::...
>
> and in a later version change the label to
>
> ... ClamAV Module::INFECTED::...  [Note the space]
>
> then scripts that process these records will be confused. The
> second record format has, in Perl 'split' command terms, an extra
> field. As it happens it is the last two fields that my scripts are
> primarily interested in. :-(
>
> Quentin
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
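
The field shift discussed in this thread, as an added example that is not part of the original message and is not MailScanner or MailWatch code: it parses the two records quoted above by splitting the message body on the `::` delimiter rather than on whitespace, so a space in the scanner label does not move the later fields. Python's `str.split()` stands in for the Perl `split` mentioned in the thread; the function names, the four-part record layout and the label normalisation are assumptions of this example.

```python
import re

# Sample records copied from the thread (old and new label for the same scanner).
OLD = ("Jun 11 12:12:59 cheviot4 MailScanner[28551]: ClamAVModule::INFECTED:: "
       "Worm.Mydoom.M:: ./l5BBChGt030131/ATTACHMENT.SCR")
NEW = ("Oct 31 11:37:06 cheviot2 MailScanner[9758]: ClamAV Module::INFECTED:: "
       "Phishing.Heuristics.Email.SpoofedDomain:: ./l9VBaefJ002190/")

# Syslog prefix: timestamp, host, program[pid]; the rest is the message body.
PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"MailScanner\[(?P<pid>\d+)\]:\s(?P<body>.*)$")


def whitespace_fields(line):
    """The fragile approach: positional fields from a whitespace split."""
    return line.split()


def parse_infection(line):
    """Split the body on '::' so spaces inside the scanner name cannot
    shift later fields. Returns None for records of any other shape."""
    m = PREFIX.match(line)
    if not m:
        return None
    # maxsplit=3 keeps any '::' inside the trailing path intact
    # (assumption: scanner, status and virus name never contain '::').
    parts = [p.strip() for p in m.group("body").split("::", 3)]
    if len(parts) != 4 or parts[1] != "INFECTED":
        return None
    scanner, _, virus, path = parts
    return {"host": m.group("host"), "pid": int(m.group("pid")),
            "scanner": scanner, "virus": virus, "path": path}


def scanner_key(name):
    """Normalise a scanner label so 'ClamAVModule' and 'ClamAV Module'
    aggregate together (assumption: labels differ only by whitespace/case)."""
    return "".join(name.split()).lower()


if __name__ == "__main__":
    for rec in (OLD, NEW):
        print(len(whitespace_fields(rec)), parse_infection(rec))
```
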

