Warning: MS log record format changes in 4.65.1 BETA

Gareth list-mailscanner at linguaphone.com
Wed Oct 31 15:59:44 GMT 2007


It won't affect mailwatch at all as it continued to work fine during the
recent changes for me. The only thing it really affects is logwatch but
that is very easily fixed.

On Wed, 2007-10-31 at 15:51, Julian Field wrote:
> Ah, okay, it's all about the space. I didn't spot that.
> Would it be better if all the virus scanner names in the log lines
> were 1 word?
> How much will that upset MailWatch for starters?
> 
> It will affect
>     ClamAVModule
>     F-Prot 6
> 
> 
> Quentin Campbell wrote:
> >> -----Original Message-----
> >> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
> >> Sent: 31 October 2007 14:09
> >> To: MailScanner discussion
> >> Subject: Re: Warning: MS log record format changes in 4.65.1 BETA
> > [snip]
> >
> >
> >>>> Jun 11 12:12:59 cheviot4 MailScanner[28551]: ClamAVModule::INFECTED:: Worm.Mydoom.M:: ./l5BBChGt030131/ATTACHMENT.SCR
> >>>>
> >>>> With 4.65.1-1 BETA, I now see the last few fields moved right one
> >>>> place because the phrase "ClamAVModule::INFECTED::" is now split as in
> >> But these following examples look like the ones from 4.62.9-2
> >> that you posted above. Surely it's better that it logs which
> >> scanner found the infection?
> >>
> >>>> Oct 31 11:37:06 cheviot2 MailScanner[9758]: ClamAV Module::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain:: ./l9VBaefJ002190/
> >>>>
> >
> > Julian
> >
> > Of course it is better to log which scanner found them. My point
> > was about consistency in the way you do this.  :-)
> >
> > If in one version of MailScanner you label as
> >
> > ... ClamAVModule::INFECTED::...
> >
> > and in a later version change the label to
> >
> > ... ClamAV Module::INFECTED::...  [Note the space]
> >
> > then scripts that process these records will be confused. The
> > second record format has, in Perl 'split' command terms, an extra
> > field. As it happens it is the last two fields that my scripts are
> > primarily interested in. :-(
> >
> > Quentin
> >
> 
> Jules
> 
> --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> 
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
> 
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> For all your IT requirements visit www.transtec.co.uk
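
Added example, not part of the original thread and not MailScanner, MailWatch or logwatch code: the two records quoted above, parsed first by whitespace position (which behaves like the Perl `split` Quentin describes) and then by the `::` delimiters, which tolerates a space in the scanner name. The function names and the `scanner_key` normalisation are assumptions made for illustration.

```python
import re

# The two records quoted in the thread, each rejoined onto a single line.
OLD = ("Jun 11 12:12:59 cheviot4 MailScanner[28551]: ClamAVModule::INFECTED:: "
       "Worm.Mydoom.M:: ./l5BBChGt030131/ATTACHMENT.SCR")
NEW = ("Oct 31 11:37:06 cheviot2 MailScanner[9758]: ClamAV Module::INFECTED:: "
       "Phishing.Heuristics.Email.SpoofedDomain:: ./l9VBaefJ002190/")

# syslog prefix: "Mon DD HH:MM:SS host MailScanner[pid]: message"
PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s"
    r"MailScanner\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")


def positional_fields(line):
    """Fragile approach: split on whitespace and index by position."""
    return line.split()


def parse_verdict(line):
    """Parse a scanner verdict record by its '::' delimiters.

    Returns None for lines that do not have the four-part
    'scanner::status:: name:: path' shape seen in the thread.
    """
    m = PREFIX.match(line)
    if not m:
        return None
    # maxsplit=3 keeps any '::' inside the path in the last field.
    parts = [p.strip() for p in m.group("msg").split("::", 3)]
    if len(parts) != 4 or not all(parts):
        return None
    scanner, status, threat, path = parts
    return {
        "host": m.group("host"),
        "scanner": scanner,
        # Assumed normalisation so reports group old and new labels together.
        "scanner_key": re.sub(r"\s+", "", scanner).lower(),
        "status": status,
        "threat": threat,
        "path": path,
    }


if __name__ == "__main__":
    for rec in (OLD, NEW):
        print(len(positional_fields(rec)), parse_verdict(rec))
```
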


