Sorry for my format, I am on webmail.  The post is from Jun 2:
http://mailtools.anomy.net/archives/anomy-list/2004-06/0000.shtml
 
Note they aren't my scripts, it's just what I have set up.  The AV script header says it is from " Xavier Roche/Serianet ", so thank you very much!  The setup is with help from very nice people on this list.  I don't know Perl at all, it looks Greek to me ;-).  Give me a nice shell script instead any day..
 
Regards,
 
P


From: Paolo [mailto:oopla@users.sourceforge.net]
Sent: Wed 6/16/2004 12:18 AM
To: anomy-list@mailtools.anomy.net
Subject: Re: clamav (was: Re: [anomy-list]: more sanitizer questions)

On Tue, Jun 15, 2004 at 05:55:35PM +0200, Luis Miguel wrote:
...
> Is anyone using the patch to show the virus name with sanitizer? (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=235352) I have patched Sanitizer.pm and created a wrapper for my antivirus (clamav), but don't know how to pass the virus name from the wrapper to sanitizer.

don't know where Peter's scripts are - have checked archive list but could
not find any - perhaps his stuff may be more complete.
Anyway, here's mine - very rough, I'm not interested in doing anything fancy
with suspect email.
One note reg. clamav, it may be tricky to run clam[d]scan from anomy script
as in some distros (e.g. Debian) clam*scan runs as user clamav, hence is unable
to read anomy's tempfiles that should be mode 600 - that's why I'm feeding
clamdscan from stdin.

8<---[.sanitizer.cfg]-----
...
msg_file_drop += X-Anomy|Eventuale codice maligno rilevato: %VIRUSNAME.\n
...
file_list_3 = (?i)\.(doc|dot|xls|xlw|sxi|sdc|sdw|sxw
file_list_3 += |zip
file_list_3 += |[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)$
file_list_3_policy = unknown:drop:drop:drop
file_list_3_scanner = 0:1:2:/usr/share/sanitizer/filters/filtro_av.sh %FILENAME
...
8<---[/.sanitizer.cfg]----

8<---[/usr/share/sanitizer/filters/filtro_av.sh]-----
#!/bin/sh
# need anomy with VIRUSNAME patch
#exit 0
VN=
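[ -x /usr/bin/clamdscan ] && {
  # feed the file on stdin: the scanner may run as a user that cannot read $1
  AVR=`cat "$1" | /usr/bin/clamdscan - 2>&1`
  R=$?
  # pull the signature name out of the "<target>: <name> FOUND" line
  VN=`printf '%s\n' "$AVR" | grep ": .* FOUND" | sed "s/.*: \([^ ]*\) FOUND.*/\1/"`
  # something went bad
  [ "$VN" ] || [ "$R" = 0 ] || \
    printf '%s:\nR=%s\nAVR=%s\n' "$0" "$R" "$AVR" | mail -s"clamdscan, errore: $R" root
}
[ "$VN" ] && {
  # report the name to the patched sanitizer and signal "infected"
  echo "Anomy-FileScan-VirusName: $VN"
  exit 1
}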
exit 0
8<---[//usr/share/sanitizer/filters/filtro_av.sh]----

e.g.:

echo "blah blah" | mutt -a eicarsignature.sxw -stest-clamav paolo
...
[-- Allegato #1 --]
[-- Tipo: text/plain, Codifica: 7bit, Dimensioni: 0,1K --]

blah blah
[-- Allegato #2 --]
[-- Tipo: text/plain, Codifica: 8bit, Dimensioni: 0,4K --]


X-Anomy|*****
...
X-Anomy|Eventuale codice maligno rilevato: Eicar-Test-Signature.
                                           ^^^^^^^^^^^^^^^^^^^^
...
X-Anomy|*****


--
 paolo

 GPG/PGP id:0x21426690 kfp:EDFB 0103 A8D8 4180 8AB5  D59E 9771 0F28 2142 6690
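
An added example, not part of the original post or of Anomy: a variant of the wrapper's parsing step that restricts the signature name to a conservative character set before it is echoed into `Anomy-FileScan-VirusName:`, and gives a scanner error its own return value instead of treating it as clean. The function names and sample reports are constructed for illustration; the exit statuses 0/1/2 are the ones the clamdscan man page documents, and what the wrapper does with status 2 is left to the caller.

```shell
#!/bin/sh
# Added example: hypothetical helper functions, constructed sample reports.

# Read a scanner report on stdin and print the signature name from the first
# "<target>: <name> FOUND" line. Returns 1 if there is no such line.
extract_virus_name() {
  # The greedy ".*: " splits at the LAST ": ", so a target name that itself
  # contains ": " cannot shift what is taken as the signature name.
  name=$(sed -n 's/^.*: \(.*\) FOUND$/\1/p' | head -n 1)
  [ -n "$name" ] || return 1
  # Anything outside letters, digits, ".", "_" and "-" becomes "_", so the
  # name cannot carry header or markup characters into the notice text.
  printf '%s\n' "$name" | tr -c 'A-Za-z0-9._\n-' '_'
}

# $1 = clamdscan exit status, $2 = its report text.
# Returns 0 = clean, 1 = infected (VirusName line printed), 2 = scan failed
# or the status and the report disagree.
scan_verdict() {
  rc=$1
  report=$2
  case $rc in
    0) return 0 ;;
    1) if vn=$(printf '%s\n' "$report" | extract_virus_name); then
         echo "Anomy-FileScan-VirusName: $vn"
         return 1
       fi
       return 2 ;;
    *) return 2 ;;
  esac
}

# Constructed sample reports (not captured scanner output).
SAMPLE_INFECTED='stream: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1'
SAMPLE_ERROR='ERROR: scanner unavailable (constructed message)'

# Demo: prints "Anomy-FileScan-VirusName: Eicar-Test-Signature"
scan_verdict 1 "$SAMPLE_INFECTED" || :
```
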

