Hmmm, it seems to know about ClamAV picking it up
(27737-16) run_av (ClamAV-clamd):
/opt/zimbra/data/amavisd/tmp/amavis-20151208T103243-27737-gUGQqYmC/parts
INFECTED: Sanesecurity.Malware.24819.MacroHeurGen.Hp.UNOFFICIAL,
Sanesecurity.Malware.24819.MacroHeurGen.Hp.UNOFFICIAL
(27737-16) Turning AV infection into a spam report: score=0,
AV:Sanesecurity.Malware.24819.MacroHeurGen.Hp.UNOFFICIAL=0
Yes, score=10.749 tagged_above=-10 required=6.6
tests=[AV:Sanesecurity.Malware.24819.MacroHeurGen.Hp.UNOFFICIAL=0,
BAYES_00=-1.9, DCC_CHECK=1.1, DEAR_SOMETHING=1.973, DOS_OUTLOOK_TO_MX=2.845,
FORGED_OUTLOOK_TAGS=0.052, HTML_MESSAGE=0.001, KAM_COUK=1.1,
RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_PBL=3.335, RDNS_NONE=0.793, SPF_FAIL=0.001]
autolearn=no autolearn_force=no
Very odd/
----- On 8 Dec, 2015, at 11:58, RW rwmailli...@googlemail.com wrote:
> On Tue, 8 Dec 2015 08:31:45 +0000 (GMT)
> Phil Daws wrote:
>
>> Hello all,
>>
>> am trying to use this regex match:
>>
>> header CLAM_SS_JURLBL X-Amavis-AV-Status =~ m{Sanesecurity\.Jurlbl}
>>
>> but its not hitting against:
>>
>> AV:Sanesecurity.Jurlbl.4796.UNOFFICIAL
>>
>> What am I doing wrong please as its eluding me at present.
>
> Perhaps SA runs before that header is added.
