----- Original Message -----
From: "Ron 'The InSaNe OnE' Rosson" <firstname.lastname@example.org>
Sent: Wednesday, July 17, 2002 11:36 AM
Subject: [anomy-list]: uvscan with anmomy
> file_list_4_scanner = 0:5:3,4:/usr/local/bin/uvscan -c %FILENAME
> file_list_4_policy = unknown:save:save:save
> file_list_4 = (?i)\.(xls|d(at|oc)|p(pt|l)|rtf|[sp]?html?
> file_list_4 += |class|upd|wp\d?|m?db
> file_list_4 += |z(ip|oo)|ar[cj]|lha|[tr]ar|rpm|deb|slp|tgz
> file_list_4 += )(\.g?z|\.bz\d?)*$
> Everything so in the first three rules apears to work. It is
> the 4th one that is supposed to kick off the virus scanner.
> I have the klez worm that I have tested uvscan with and it
> detects it fine. so when I attach the file to an email and
> send it locally thru the unix server anomy never detects the
> file is a virus. ( I do not think it is starting the virus
> Anyone have any ideas what I am doing wrong.
I think it is your exit codes. When I set up my configuration file, I found the
exit codes listed in the man page for uvscan and based my configuration on this.
Here are the relevant parts:
# McAfee VirusScan exit codes mapped to policies
# "accept" if the file is clean (exit status 0)
# "mangle" if the file was dirty, but is now clean (19)
# "drop!" if the file is still dirty (12 or 13)
# "save" if the virscan utility returns some other exit code
# or an error occurs.
# Scan Word,Excel,WordPerfect,Project,Corel Quattropro
# SQL, Visio, PDF, Powerpoint
file_list_3 = (?i)\.(do[tc]|xl[sw]|p[po]t|rtf|wpd|mpp|wb3|sql|vsd|p(df|cx)|pps)$
file_list_3_policy = accept:mangle:drop!:save
file_list_3_scanner = 0:19:12,13:/opt/uvscan/uvscan --clean %FILENAME