On Wed, 9 Mar 2005, Tomasz Kojm wrote:
> > In particular, I am thinking of supporting at least:
> > %f - infected filename
> It was already supported but has been removed due to security issues.
Why is this a security issue?
The sysadmin specifies in the configuration file that he _wants_ %f, therefore that means he knows the implications of it. If he thinks it's a security risk, he can just not include %f in his VirusEvent string.
Could %f support be resurrected? The reason I think %f is important is that if one wants to use clamuko for on-access scanning, it is useful to know immediately which file was blocked because it was infected. This involves using VirusEvent to run a program, telling that program which file was infected.
Another approach involves parsing the log file, which is not as clean or elegant, in my opinion. It would be nice to just rely on VirusEvent without too much polling of log files.
-Calin
_______________________________________________ http://lurker.clamav.net/list/clamav-devel.html
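
An added illustration, not part of the original message and not ClamAV code, of one way a substituted file name can become a security issue. It assumes the VirusEvent-style command string is handed to a shell after `%f` is replaced; the function names, the `EVENT_FILENAME` variable and the sample file name are constructed for the example.

```shell
#!/bin/sh
# Added illustration, not ClamAV code. Function names, EVENT_FILENAME and the
# sample file name are constructed for this example.

# Risky form: substitute %f into the command text, then let a shell parse it.
run_event_substituted() {
    template=$1 file=$2
    prefix=${template%%\%f*}      # text before the first %f
    suffix=${template#*\%f}       # text after the first %f
    sh -c "$prefix$file$suffix"   # the file name is now part of the command
}

# Safer form: the command text stays fixed and the file name travels as data
# in the environment, so the shell never parses it as syntax.
run_event_env() {
    template=$1 file=$2
    EVENT_FILENAME=$file sh -c "$template"
}

# Reports whether text inside the file name was executed under each form,
# and what the environment-based handler wrote to its log.
demo() {
    dir=$(mktemp -d) || return 1
    # Constructed name: ';' and spaces are legal in file names on most systems.
    name='report.txt; touch marker'

    ( cd "$dir" && run_event_substituted \
        'echo infected: %f >> events.log' "$name" ) >/dev/null
    if [ -e "$dir/marker" ]; then substituted=yes; else substituted=no; fi
    rm -f "$dir/marker"

    ( cd "$dir" && run_event_env \
        'echo "infected: $EVENT_FILENAME" >> events.log' "$name" ) >/dev/null
    if [ -e "$dir/marker" ]; then env=yes; else env=no; fi

    logged=$(tail -n 1 "$dir/events.log")
    rm -rf "$dir"
    echo "substituted=$substituted env=$env logged=$logged"
}

demo
```

With substitution the shell treats the `;` in the name as a command separator, so the handler never receives the full name; with the environment variable the complete name reaches the handler and is logged unchanged.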