[Mimedefang] Graphdefang 0.9 fails to report certain viruses

Mark admin at asarian-host.net
Thu Nov 20 18:18:16 EST 2003


----- Original Message ----- 
From: "Bill Maidment" <bill.maidment at elgas.com.au>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Thursday, November 20, 2003 11:03 PM
Subject: [Mimedefang] Graphdefang 0.9 fails to report certain viruses


> Hi all
>
> I've noticed that graphdefang 0.9 ignores this type of virus MDLOG
> message.
>
> Nov 18 09:34:39 b090_lx0 mimedefang.pl[6263]:
> MDLOG,hAHMYafK007795,virus,Oversized
> Zip,1.90.1.121,<bill.maidment at elgas.com.au>,
> <data at xxx.com.au>,Subject stuff
>
> Is it because the virus name has a space in it between "Oversized"
> and "Zip"? This potential virus was detected by clamav-0.65.


Not to be too nit-picky, but graphdefang itself does not report, and
conversely does not fail to report, anything. Graphdefang allows you to
define events, in which you can look for a pattern of your choice.

I suppose, though, you are referring to the "general" event?

if ($text =~ m/^MDLOG,\S+?,(\S+?),(\S*?),(\S*?),(.*?),(.*?),(.*)$/ ) {

Indeed, that will not match. Perhaps you can just rewrite the lot as
follows,

if ($FoundNewRow = ($text =~ m/^MDLOG,\S+?,(.+)$/)) {
   # a limit of 6 keeps any commas in the subject inside $subject
   ($event,$value1,$value2,$sender,$recipient,$subject) = split (/,/, $1, 6);
}

(assuming MimeDefang always logs enough commas). Otherwise, you could simply
replace the \S*? sequences with .*? as well, or [^,]*? even.

- Mark
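
The parsing problem from this thread, as an added example that is not part of either post or of graphdefang itself: it runs the quoted \S pattern, a [^,] variant and a split with a field limit over two log messages and counts the lines each parser drops. The sub names are hypothetical, the first message is the one from the post with the syslog prefix removed and the mail line-wrap rejoined, and the second message is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Sample input: line 1 is the MDLOG message quoted in the post (rejoined);
# line 2 is constructed to show a subject that itself contains commas.
my @lines = (
    'MDLOG,hAHMYafK007795,virus,Oversized Zip,1.90.1.121,<bill.maidment at elgas.com.au>,<data at xxx.com.au>,Subject stuff',
    'MDLOG,hEXAMPLE0000001,virus,Example.Test.Virus,192.0.2.10,<a at example.com>,<b at example.com>,Invoice, final, urgent',
);

# Pattern quoted in the post: \S cannot cross the space in "Oversized Zip".
sub parse_strict {
    my ($text) = @_;
    my @f = $text =~ m/^MDLOG,\S+?,(\S+?),(\S*?),(\S*?),(.*?),(.*?),(.*)$/;
    return @f ? \@f : undef;
}

# Fields are delimited by commas only, so spaces inside a field are accepted.
sub parse_fields {
    my ($text) = @_;
    my @f = $text =~ m/^MDLOG,[^,]+,([^,]+),([^,]*),([^,]*),([^,]*),([^,]*),(.*)$/;
    return @f ? \@f : undef;
}

# split variant: the limit keeps commas in the last field (the subject).
sub parse_split {
    my ($text) = @_;
    return undef unless $text =~ m/^MDLOG,[^,]+,(.+)$/;
    my @f = split /,/, $1, 6;
    return @f == 6 ? \@f : undef;   # reject lines with too few fields
}

my @parsers = (
    [ 'original \S pattern' => \&parse_strict ],
    [ '[^,] pattern'        => \&parse_fields ],
    [ 'split with limit 6'  => \&parse_split  ],
);
my %dropped;
for my $line (@lines) {
    for my $p (@parsers) {
        my ($name, $fn) = @$p;
        my $f = $fn->($line);
        if ($f) { printf "%-20s event=%s value1=%s subject=%s\n", $name, @{$f}[0, 1, 5] }
        else    { $dropped{$name}++; printf "%-20s NO MATCH: %.40s...\n", $name, $line }
    }
}
# A parser that silently skips lines under-reports detections, so count misses.
printf "%-20s dropped %d of %d lines\n", $_->[0], $dropped{ $_->[0] } // 0, scalar @lines for @parsers;
```

Logging or counting the MDLOG lines that match no event pattern makes this kind of gap visible instead of leaving detections missing from the graphs.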


