J’ai 3 fichiers log. warnings.log et errors.log sont vides, et voici ce qui est affiché dans info.log quand je redémarre amavisd:
Jun 29 15:53:10 LINUX2 amavis[9751]: starting. /usr/sbin/amavisd at LINUX2.delta-technologies.fr amavisd-new-2.4.2 (20060627), Unicode aware, LC_CTYPE=fr_FR.UTF-8, LANG=fr_FR.UTF-8
Jun 29 15:53:10 LINUX2 amavis[9751]: Perl version 5.008008
Ta configuration de fonctionne pas, ca n’a rien changé pour moi. Je te copie le fichier amavisd.conf, je le met en spoil pour éviter qu’il fasse gros paté dans le sujet:
[spoiler]use strict;
a minimalistic configuration file for amavisd-new with all necessary settings
see amavisd.conf-default for a list of all variables with their defaults;
see amavisd.conf-sample for a traditional-style commented file;
for more details see documentation in INSTALL, README_FILES/*
COMMONLY ADJUSTED SETTINGS:
@bypass_virus_checks_maps = (1); # uncomment to DISABLE anti-virus code
@bypass_spam_checks_maps = (1); # uncomment to DISABLE anti-spam code
$max_servers = 2; # num of pre-forked children (2…15 is common), -m
$daemon_user = ‘amavis’; # (no default; customary: vscan or amavis), -u
$daemon_group = ‘amavis’; # (no default; customary: vscan or amavis), -g
$mydomain = ‘xxxxxxxx’; # a convenient default for other settings
$MYHOME = ‘/var/lib/amavis’; # a convenient default for other settings, -H
$TEMPBASE = “$MYHOME/tmp”; # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR
$QUARANTINEDIR = ‘/var/spool/amavis/virusmails’; # -Q
$quarantine_subdir_levels = 1; # add level of subdirs to disperse quarantine
$daemon_chroot_dir = $MYHOME; # chroot directory or undef, -R
$db_home = “$MYHOME/db”; # dir for bdb nanny/cache/snmp databases, -D
$helpers_home = “$MYHOME/var”; # working directory for SpamAssassin, -S
#$pid_file = “$MYHOME/amavisd.pid”; # -L
#$lock_file = “$MYHOME/amavisd.lock”; # -P
#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually
@local_domains_maps = ( [".$mydomain"] );
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
$log_level = 0; # verbosity 0…5, -d
$log_recip_templ = undef; # disable by-recipient level-0 log entries
$DO_SYSLOG = 1; # log via syslogd (preferred)
$syslog_facility = ‘mail’; # Syslog facility as a string
# e.g.: mail, daemon, user, local0, … local7
$syslog_priority = ‘debug’; # Syslog base (minimal) priority as a string,
# choose from: emerg, alert, crit, err, warning, notice, info, debug
$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1
$inet_socket_port = 10025; # listen on this local TCP port(s) (see $protocol)
$unix_socketname = “$MYHOME/amavisd.sock”; # amavisd-release or amavis-milter
# option(s) -p overrides $inet_socket_port and $unix_socketname
$interface_policy{‘SOCK’}=‘AM.PDP-SOCK’; # only relevant with $unix_socketname
Use with amavis-release over a socket or with Petr Rehor’s amavis-milter.c
(with amavis-milter.c from this package or old amavis.c client use ‘AM.CL’):
$policy_bank{‘AM.PDP-SOCK’} = { protocol=>‘AM.PDP’ };
$sa_tag_level_deflt = 1.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 4.9; # add ‘spam detected’ headers at that level
$sa_kill_level_deflt = 4.9; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
$sa_quarantine_cutoff_level = 20; # spam level beyond which quarantine is off
$penpals_bonus_score = 4; # (no effect without a @storage_sql_dsn database)
$penpals_threshold_high = $sa_kill_level_deflt; # don’t waste time on hi spam
$sa_mail_body_size_limit = 512*1024; # don’t waste time on SA if mail is larger
$sa_local_tests_only = 0; # only tests which do not require internet access?
@lookup_sql_dsn =
( [‘DBI:mysql:database=mail;host=127.0.0.1;port=3306’, ‘user1’, ‘passwd1’],
[‘DBI:mysql:database=mail;host=host2’, ‘username2’, ‘password2’],
[“DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite”, ‘’, ‘’] );
@storage_sql_dsn = @lookup_sql_dsn; # none, same, or separate database
$timestamp_fmt_mysql = 1; # if using MySQL and msgs.time_iso is TIMESTAMP;
defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)
$virus_admin = “virusalert@$mydomain”; # notifications recip.
$mailfrom_notify_admin = “virusalert@$mydomain”; # notifications sender
$mailfrom_notify_recip = “virusalert@$mydomain”; # notifications sender
$mailfrom_notify_spamadmin = “spam.police@$mydomain”; # notifications sender
$mailfrom_to_quarantine = ‘’; # null return path; uses original sender if undef
@addr_extension_virus_maps = (‘virus’);
@addr_extension_spam_maps = (‘spam’);
@addr_extension_banned_maps = (‘banned’);
@addr_extension_bad_header_maps = (‘badh’);
$recipient_delimiter = ‘+’; # undef disables address extensions altogether
when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+
$path = ‘/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin’;
$dspam = ‘dspam’;
$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA = 1001024; # bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 3001024*1024; # bytes (default undef, not enforced)
$sa_spam_subject_tag = 'SPAM ';
$defang_virus = 1; # MIME-wrap passed infected mail
$defang_banned = 1; # MIME-wrap passed mail containing banned name
OTHER MORE COMMON SETTINGS (defaults may suffice):
$myhostname = ‘xxxxxxxxxxxxxx’; # must be a fully-qualified domain name!
$notify_method = ‘smtp:[127.0.0.1]:10026’;
$forward_method = ‘smtp:[127.0.0.1]:10026’; # set to undef with milter!
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_BOUNCE;
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS;
$os_fingerprint_method = ‘p0f:127.0.0.1:2345’; # to query p0f-analyzer.pl
hierarchy by which a final setting is chosen:
policy bank (based on port or IP address) -> *_by_ccat
*_by_ccat (based on mail contents) -> *_maps
*_maps (based on recipient address) -> final configuration value
SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all)
$warnbadhsender,
$warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps)
@bypass_virus_checks_maps, @bypass_spam_checks_maps,
@bypass_banned_checks_maps, @bypass_header_checks_maps,
@virus_lovers_maps, @spam_lovers_maps,
@banned_files_lovers_maps, @bad_header_lovers_maps,
@blacklist_sender_maps, @score_sender_maps,
$clean_quarantine_method, $virus_quarantine_to, $banned_quarantine_to,
$bad_header_quarantine_to, $spam_quarantine_to,
$defang_bad_header, $defang_undecipherable, $defang_spam
REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS
@keep_decoded_original_maps = (new_RE(
qr’^MAIL$’, # retain full original message for virus checking (can be slow)
qr’^MAIL-UNDECIPHERABLE$’, # recheck full mail if it contains undecipherables
qr’^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
qr’^Zip archive data’, # don’t trust Archive::Zip
));
for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample
$banned_filename_re = new_RE(
qr’^UNDECIPHERABLE$’, # is or contains any undecipherable components
block certain double extensions anywhere in the base name
qr’.[^./][A-Za-z][^./].(exe|vbs|pif|scr|bat|cmd|com|cpl|dll).?$'i,
qr’{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}}?'i, # Class ID CLSID, strict
qr’{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}}?'i, # Class ID extension CLSID, loose
qr’^application/x-msdownload$‘i, # block these MIME types
qr’^application/x-msdos-program$‘i,
qr’^application/hta$'i,
qr’^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME
qr’^.wmf$’, # Windows Metafile file(1) type
qr’^message/partial$'i, # rfc2046 MIME type
qr’^message/external-body$'i, # rfc2046 MIME type
[ qr’^.(Z|gz|bz2)$’ => 0 ], # allow any in Unix-compressed
[ qr’^.(rpm|cpio|tar)$’ => 0 ], # allow any in Unix-type archives
[ qr’^.(zip|rar|arc|arj|zoo)$’=> 0 ], # allow any within such archives
qr’..(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
qr’..(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
wmf|wsc|wsf|wsh)$'ix, # banned ext - long
qr’..(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
qr’^.(exe-ms)$’, # banned file(1) types
qr’^.(exe|lha|tnef|cab|dll)$’, # banned file(1) types
);
ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
@score_sender_maps = ({ # a by-recipient hash lookup table,
# results from all matching recipient tables are summed
## per-recipient personal tables (NOTE: positive: black, negative: white)
‘user1@example.com’ => [{‘bla-mobile.press@example.com’ => 10.0}],
‘user3@example.com’ => [{’.ebay.com’ => -3.0}],
‘user4@example.com’ => [{‘cleargreen@cleargreen.com’ => -7.0,
‘.cleargreen.com’ => -5.0}],
site-wide opinions about senders (the ‘.’ matches any recipient)
‘.’ => [ # the first matching sender determines the score boost
new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
[qr’^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@‘i => 5.0],
[qr’^(greatcasino|investments|lose_weight_today|market.alert)@‘i=> 5.0],
[qr’^(money2you|MyGreenCard|new.tld.registry|opt-out|opt-in)@‘i=> 5.0],
[qr’^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@‘i => 5.0],
[qr’^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@‘i => 5.0],
[qr’^(your_friend|greatoffers)@‘i => 5.0],
[qr’^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
),
read_hash("/var/lib/amavis/sender_scores_sitewide"),
{ # a hash-type lookup table (associative array)
‘nobody@cert.org’ => -3.0,
‘cert-advisory@us-cert.gov’ => -3.0,
‘owner-alert@iss.net’ => -3.0,
‘slashdot@slashdot.org’ => -3.0,
‘securityfocus.com’ => -3.0,
‘ntbugtraq@listserv.ntbugtraq.com’ => -3.0,
‘security-alerts@linuxsecurity.com’ => -3.0,
‘mailman-announce-admin@python.org’ => -3.0,
‘amavis-user-admin@lists.sourceforge.net’=> -3.0,
‘amavis-user-bounces@lists.sourceforge.net’ => -3.0,
‘spamassassin.apache.org’ => -3.0,
‘notification-return@lists.sophos.com’ => -3.0,
‘owner-postfix-users@postfix.org’ => -3.0,
‘owner-postfix-announce@postfix.org’ => -3.0,
‘owner-sendmail-announce@lists.sendmail.org’ => -3.0,
‘sendmail-announce-request@lists.sendmail.org’ => -3.0,
‘donotreply@sendmail.org’ => -3.0,
‘ca+envelope@sendmail.org’ => -3.0,
‘noreply@freshmeat.net’ => -3.0,
‘owner-technews@postel.acm.org’ => -3.0,
‘ietf-123-owner@loki.ietf.org’ => -3.0,
‘cvs-commits-list-admin@gnome.org’ => -3.0,
‘rt-users-admin@lists.fsck.com’ => -3.0,
‘clp-request@comp.nus.edu.sg’ => -3.0,
‘surveys-errors@lists.nua.ie’ => -3.0,
‘emailnews@genomeweb.com’ => -5.0,
‘yahoo-dev-null@yahoo-inc.com’ => -3.0,
‘returns.groups.yahoo.com’ => -3.0,
‘clusternews@linuxnetworx.com’ => -3.0,
lc(‘lvs-users-admin@LinuxVirtualServer.org’) => -3.0,
lc(‘owner-textbreakingnews@CNNIMAIL12.CNN.COM’) => -5.0,
# soft-blacklisting (positive score)
'sender@example.net' => 3.0,
'.example.net' => 1.0,
},
], # end of site-wide tables
});
@decoders = (
[‘mail’, &do_mime_decode],
[‘asc’, &do_ascii],
[‘uue’, &do_ascii],
[‘hqx’, &do_ascii],
[‘ync’, &do_ascii],
[‘F’, &do_uncompress, [‘unfreeze’,‘freeze -d’,‘melt’,‘fcat’] ],
[‘Z’, &do_uncompress, [‘uncompress’,‘gzip -d’,‘zcat’] ],
[‘gz’, &do_uncompress, ‘gzip -d’],
[‘gz’, &do_gunzip],
[‘bz2’, &do_uncompress, ‘bzip2 -d’],
[‘lzo’, &do_uncompress, ‘lzop -d’],
[‘rpm’, &do_uncompress, [‘rpm2cpio.pl’,‘rpm2cpio’] ],
[‘cpio’, &do_pax_cpio, [‘pax’,‘gcpio’,‘cpio’] ],
[‘tar’, &do_pax_cpio, [‘pax’,‘gcpio’,‘cpio’] ],
[‘tar’, &do_tar],
[‘deb’, &do_ar, ‘ar’],
[‘a’, &do_ar, ‘ar’], # unpacking .a seems an overkill
[‘zip’, &do_unzip],
[‘rar’, &do_unrar, [‘rar’,‘unrar’] ],
[‘arj’, &do_unarj, [‘arj’,‘unarj’] ],
[‘arc’, &do_arc, [‘nomarch’,‘arc’] ],
[‘zoo’, &do_zoo, [‘zoo’,‘unzoo’] ],
[‘lha’, &do_lha, ‘lha’],
[‘doc’, &do_ole, ‘ripole’],
[‘cab’, &do_cabextract, ‘cabextract’],
[‘tnef’, &do_tnef_ext, ‘tnef’],
[‘tnef’, &do_tnef],
[‘sit’, &do_unstuff, ‘unstuff’], # broken/unsafe decoder
[‘exe’, &do_executable, [‘rar’,‘unrar’], ‘lha’, [‘arj’,‘unarj’] ],
);
@av_scanners = (
[‘Sophie’,
&ask_daemon, ["{}/\n", ‘/var/run/sophie’],
qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
qr/(?x)^ [-+]? \d+ : (.?) [\000\r\n] $/ ],
[‘Sophos SAVI’, &sophos_savi ],
[‘ClamAV-clamd’,
&ask_daemon, [“CONTSCAN {}\n”, “/var/lib/clamav/clamd.socket”],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.?: (?!Infected Archive)(.) FOUND$/ ],
NOTE: the easiest is to run clamd under the same user as amavisd; match the
socket name (LocalSocket) in clamav.conf to the socket name in this entry
When running chrooted one may prefer: [“CONTSCAN {}\n”,"$MYHOME/clamd"],
### www.clamav.net… and CPAN (memory-hungry! clamd is preferred)
[‘Mail::ClamAV’, &ask_clamav, “*”, [0], [1], qr/^INFECTED: (.+)/],
[‘OpenAntiVirus ScannerDaemon (OAV)’,
&ask_daemon, [“SCAN {}\n”, ‘127.0.0.1:8127’],
qr/^OK/, qr/^FOUND: /, qr/^FOUND: (.+)/ ],
[‘Trophie’,
&ask_daemon, ["{}/\n", ‘/var/run/trophie’],
qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
qr/(?x)^ [-+]? \d+ : (.?) [\000\r\n] $/ ],
[‘AVG Anti-Virus’,
&ask_daemon, [“SCAN {}\n”, ‘127.0.0.1:55555’],
qr/^200/, qr/^403/, qr/^403 .*?: ([^\r\n]+)/ ],
[‘FRISK F-Prot Daemon’,
&ask_daemon,
[“GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n”,
[‘127.0.0.1:10200’,‘127.0.0.1:10201’,‘127.0.0.1:10202’,
‘127.0.0.1:10203’,‘127.0.0.1:10204’] ],
qr/(?i)<summary[^>]*>clean</summary>/,
qr/(?i)<summary[^>]*>infected</summary>/,
qr/(?i)(.+)</name>/ ],
[‘DrWebD’, &ask_daemon, # DrWebD 4.31 or later
[pack(‘N’,1). # DRWEBD_SCAN_CMD
pack(‘N’,0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES
pack(‘N’, # path length
length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")).
‘{}/*’. # path
pack(‘N’,0). # content size
pack(‘N’,0),
‘/var/drweb/run/drwebd.sock’,
# ‘/var/lib/amavis/var/run/drwebd.sock’, # suitable for chroot
# ‘/usr/local/drweb/run/drwebd.sock’, # FreeBSD drweb ports default
# ‘127.0.0.1:3000’, # or over an inet socket
],
qr/\A\x00[\x10\x11][\x00\x10]\x00/s, # IS_CLEAN,EVAL_KEY; SKIPPED
qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/s, # KNOWN_V,UNKNOWN_V,V._MODIF
qr/\A.{12}(?:infected with )?([^\x00]+)\x00/s,
],
# NOTE: If using amavis-milter, change length to:
# length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx").
[‘KasperskyLab AVP - aveclient’,
[’/usr/local/kav/bin/aveclient’,’/usr/local/share/kav/bin/aveclient’,
‘/opt/kav/bin/aveclient’,‘aveclient’],
‘-p /var/run/aveserver -s {}/*’, [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/,
qr/(?:INFECTED|SUSPICION) (.+)/,
],
[‘KasperskyLab AntiViral Toolkit Pro (AVP)’, [‘avp’],
‘-* -P -B -Y -O- {}’, [0,3,6,8], [2,4], # any use for -A -K ?
qr/infected: (.+)/,
sub {chdir(’/opt/AVP’) or die “Can’t chdir to AVP: $!”},
sub {chdir($TEMPBASE) or die “Can’t chdir back to $TEMPBASE $!”},
],
The kavdaemon and AVPDaemonClient have been removed from Kasperky
products and replaced by aveserver and aveclient
[‘KasperskyLab AVPDaemonClient’,
[ ‘/opt/AVP/kavdaemon’, ‘kavdaemon’,
‘/opt/AVP/AvpDaemonClient’, ‘AvpDaemonClient’,
‘/opt/AVP/AvpTeamDream’, ‘AvpTeamDream’,
‘/opt/AVP/avpdc’, ‘avpdc’ ],
“-f=$TEMPBASE {}”, [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ],
# change the startup-script in /etc/init.d/kavd to:
# DPARMS="-* -Y -dl -f=/var/lib/amavis /var/lib/amavis"
# (or perhaps: DPARMS="-I0 -Y -* /var/lib/amavis" )
# adjusting /var/lib/amavis above to match your $TEMPBASE.
# The ‘-f=/var/lib/amavis’ is needed if not running it as root, so it
# can find, read, and write its pid file, etc., see ‘man kavdaemon’.
# defUnix.prf: there must be an entry “*/var/lib/amavis” (or whatever
# directory $TEMPBASE specifies) in the ‘Names=’ section.
# cd /opt/AVP/DaemonClients; configure; cd Sample; make
# cp AvpDaemonClient /opt/AVP/
# su - vscan -c “${PREFIX}/kavdaemon ${DPARMS}”
[‘CentralCommand Vexira (new) vascan’,
[‘vascan’,’/usr/lib/Vexira/vascan’],
"-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
“–vdb=/usr/lib/Vexira/vexira8.vdb --log=/var/log/vascan.log {}”,
[0,3], [1,2,5],
qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^]\s’]+ )\ …\ / ],
# Adjust the path of the binary and the virus database as needed.
# ‘vascan’ does not allow to have the temp directory to be the same as
# the quarantine directory, and the quarantine option can not be disabled.
# If $QUARANTINEDIR is not used, then another directory must be specified
# to appease ‘vascan’. Move status 3 to the second list if password
# protected files are to be considered infected.
[‘H+BEDV AntiVir or the (old) CentralCommand Vexira Antivirus’,
[‘antivir’,‘vexira’],
‘–allfiles -noboot -nombr -rs -s -z {}’, [0], qr/ALERT:|VIRUS:/,
qr/(?x)^\s* (?: ALERT: \s* (?: [ | [^’]* ’ ) |
(?i) VIRUS:\ .*?\ virus\ ‘?) ( [^]\s’]+ )/ ],
# NOTE: if you only have a demo version, remove -z and add 214, as in:
# ‘–allfiles -noboot -nombr -rs -s {}’, [0,214], qr/ALERT:|VIRUS:/,
[‘Command AntiVirus for Linux’, ‘csav’,
‘-all -archive -packed {}’, [50], [51,52,53],
qr/Infection: (.+)/ ],
[‘Symantec CarrierScan via Symantec CommandLineScanner’,
‘cscmdline’, ‘-a scan -i 1 -v -s 127.0.0.1:7777 {}’,
qr/^Files Infected:\s+0$/, qr/^Infected\b/,
qr/^(?:Info|Virus Name):\s+(.+)/ ],
[‘Symantec AntiVirus Scan Engine’,
‘savsecls’, ‘-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}’,
[0], qr/^Infected\b/,
qr/^(?:Info|Virus Name):\s+(.+)/ ],
# NOTE: check options and patterns to see which entry better applies
[‘F-Secure Antivirus’, ‘fsav’,
‘–dumb --mime --archive {}’, [0], [3,8],
qr/(?:infection|Infected|Suspected): (.+)/ ],
[‘avast! Antivirus daemon’,
&ask_daemon, # greets with 220, terminate with QUIT
[“SCAN {}\015\012QUIT\015\012”, ‘/var/run/avast4/mailscanner.sock’],
qr/\t[+]/, qr/\t[L]\t/, qr/\t[L]\t([^[ \t\015\012]+)/ ],
[‘avast! Antivirus - Client/Server Version’, ‘avastlite’,
‘-a /var/run/avast4/mailscanner.sock -n {}’, [0], [1],
qr/\t[L]\t([^[ \t\015\012]+)/ ],
[‘CAI InoculateIT’, ‘inocucmd’, # retired product
‘-sec -nex {}’, [0], [100],
qr/was infected by virus (.+)/ ],
[‘CAI eTrust Antivirus’, ‘etrust-wrapper’,
‘-arc -nex -spm h {}’, [0], [101],
qr/is infected by virus: (.+)/ ],
# NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
# see marc.theaimsgroup.com…
[‘MkS_Vir for Linux (beta)’, [‘mks32’,‘mks’],
'-s {}/’, [0], [1,2],
qr/–[ \t](.+)/ ],
[‘MkS_Vir daemon’, ‘mksscan’,
‘-s -q {}’, [0], [1…7],
qr/^… (\S+)/ ],
[‘ESET Software NOD32 Command Line Interface v 2.51’, ‘nod32cli’,
‘–subdir {}’, [0,3], [1,2], qr/virus="([^"]+)"/ ],
[‘ESET Software NOD32 - Client/Server Version’, ‘nod32cli’,
‘-a -r -d recurse --heur standard {}’, [0], [10,11],
qr/^\S+\s+infected:\s+(.+)/ ],
[‘ESET Software NOD32’, ‘nod32’,
‘–arch --mail {}’, [0], [1,10], qr/^object=., virus="(.?)",/ ],
Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31
[‘ESET Software NOD32 Client/Server (NOD32SS)’,
&ask_daemon2, # greets with 200, persistent, terminate with QUIT
[“SCAN {}/*\r\n”, ‘127.0.0.1:8448’ ],
qr/^200 File OK/, qr/^201 /, qr/^201 (.+)/ ],
[‘Norman Virus Control v5 / Linux’, ‘nvcc’,
‘-c -l:0 -s -u -temp:$TEMPBASE {}’, [0,10,11], [1,2,14],
qr/(?i).* virus in .* -> ‘(.+)’/ ],
[‘Panda Antivirus for Linux’, [‘pavcl’],
‘-aut -aex -heu -cmp -nbr -nor -nso -eng {}’,
qr/Number of files infected[ .]: 0+(?!\d)/,
qr/Number of files infected[ .]: 0*[1-9]/,
qr/Found virus :\s*(\S+)/ ],
[‘Panda Antivirus for Linux’, [‘pavcl’],
‘-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}’,
[0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0],
qr/Found virus :\s*(\S+)/ ],
GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
Check your RAV license terms before fiddling with the following two lines!
[‘GeCAD RAV AntiVirus 8’, ‘ravav’,
‘–all --archive --mail {}’, [1], [2,3,4,5], qr/Infected: (.+)/ ],
# NOTE: the command line switches changed with scan engine 8.5 !
# (btw, assigning stdin to /dev/null causes RAV to fail)
[‘NAI McAfee AntiVirus (uvscan)’, ‘uvscan’,
‘–secure -rv --mime --summary --noboot - {}’, [0], [13],
qr/(?x) Found (?:
\ the\ (.+)\ (?:virus|trojan) |
\ (?:virus|trojan)\ or\ variant\ (.+?)\s*! |
:\ (.+)\ NOT\ a\ virus)/,
sub {$ENV{LD_PRELOAD}=’/lib/libc.so.6’},
sub {delete $ENV{LD_PRELOAD}},
],
NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
and then clear it when finished to avoid confusing anything else.
NOTE2: to treat encrypted files as viruses replace the [13] with:
qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/
[‘VirusBuster’, [‘vbuster’, ‘vbengcl’],
"{} -ss -i ‘’ -log=$MYHOME/vbuster.log", [0], [1],
qr/: '(.)’ - Virus/ ],
VirusBuster Ltd. does not support the daemon version for the workstation
engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
binaries, some parameters AND return codes have changed (from 3 to 1).
See also the new Vexira entry ‘vascan’ which is possibly related.
[‘VirusBuster (Client + Daemon)’, ‘vbengd’,
‘-f -log scandir {}’, [0], [3],
qr/Virus found = (.*);/ ],
# HINT: for an infected file it always returns 3,
# although the man-page tells a different story
[‘CyberSoft VFind’, ‘vfind’,
‘–vexit {}/*’, [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,
sub {$ENV{VSTK_HOME}=’/usr/lib/vstk’},
],
[‘avast! Antivirus’, [’/usr/bin/avastcmd’,‘avastcmd’],
‘-a -i -n -t=A {}’, [0], [1], qr/\binfected by:\s+([^ \t\n[]]+)/ ],
[‘Ikarus AntiVirus for Linux’, ‘ikarus’,
‘{}’, [0], [40], qr/Signature (.+) found/ ],
[‘BitDefender’, ‘bdc’,
‘–arc --mail {}’, qr/^Infected files :0+(?!\d)/,
qr/^(?:Infected files|Identified viruses|Suspect files) :0[1-9]/,
qr/(?:suspected|infected): (.)(?:\033|$)/ ],
consider also: --all --nowarn --alev=15 --flev=15. The --all argument may
not apply to your version of bdc, check documentation and see ‘bdc --help’
[‘File::Scan’, sub {Amavis::AV::ask_av(sub{
use File::Scan; my($fn)=@_;
my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0);
my($vname) = $f->scan($fn);
$f->error ? (2,"Error: ".$f->error)
: ($vname ne ‘’) ? (1,"$vname FOUND") : (0,“Clean”)}, @_) },
["{}/"], [0], [1], qr/^(.) FOUND$/ ],
### example: fully-fledged checker for JPEG marker segments of invalid length
[‘check-jpeg’,
sub { use JpegTester (); Amavis::AV::ask_av(&JpegTester::test_jpeg, @_) },
["{}/"], undef, [1], qr/^(bad jpeg: .)$/ ],
# NOTE: place file JpegTester.pm somewhere where Perl can find it,
# for example in /usr/local/lib/perl5/site_perl
);
@av_scanners_backup = (
www.clamav.net… - backs up clamd or Mail::ClamAV
[‘ClamAV-clamscan’, ‘clamscan’,
“–stdout --disable-summary -r --tempdir=$TEMPBASE {}”,
[0], qr/:.\sFOUND$/, qr/^.?: (?!Infected Archive)(.*) FOUND$/ ],
[‘FRISK F-Prot Antivirus’, [‘f-prot’,‘f-prot.sh’],
‘-dumb -archive -packed {}’, [0,8], [3,6],
qr/Infection: (.+)|\s+contains\s+(.+)$/ ],
[‘Trend Micro FileScanner’, [’/etc/iscan/vscan’,‘vscan’],
‘-za -a {}’, [0], qr/Found virus/, qr/Found virus (.+) in/ ],
[‘drweb - DrWeb Antivirus’,
[’/usr/local/drweb/drweb’, ‘/opt/drweb/drweb’, ‘drweb’],
‘-path={} -al -go -ot -cn -upn -ok-’,
[0,32], [1,9,33], qr’ infected (?:with|by)(?: virus)? (.*)$’],
[‘KasperskyLab kavscanner’, [’/opt/kav/bin/kavscanner’,‘kavscanner’],
‘-i1 -xp {}’, [0,10,15], [5,20,21,25],
qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ ,
sub {chdir(’/opt/kav/bin’) or die “Can’t chdir to kav: $!”},
sub {chdir($TEMPBASE) or die “Can’t chdir back to $TEMPBASE $!”},
],
Commented out because the name ‘sweep’ clashes with Debian and FreeBSD
package/port of an audio editor. Make sure the correct ‘sweep’ is found
in the path when enabling.
### www.sophos.com… - backs up Sophie or SAVI-Perl
[‘Sophos Anti Virus (sweep)’, ‘sweep’,
‘-nb -f -all -rec -ss -sc -archive -cab -tnef --no-reset-atime {}’,
[0,2], qr/Virus .*? found/,
qr/^>>> Virus(?: fragment)? ‘?(.*?)’? found/,
],
# other options to consider: -mime -oe -idedir=/usr/local/sav
always succeeds (uncomment to consider mail clean if all other scanners fail)
[‘always-clean’, sub {0}],
);
1; # insure a defined return[/spoiler]
Merci pour ton aide 
Edité le 29/06/2007 à 16:01