amavisd-new fails to block viruses with backup scanner (clamscan)

Binary package hint: amavisd-new

When all primary scanners fail (specifically I was testing clamav), amavis tries to run some predefined backup scanners (in my case it is clamscan). There is a config file in /etc/amavis/conf.d named 15-av_scanners, which has all the primary and backup scanner definitions.

After trying out clamd with a test virus email (which got detected ok), I disabled clamd, so amavis would switch to clamscan, then I sent the same test mail (2 attachments, one with EICAR test signature and one clean file). Amavis failed to block the email with the following error:

May 16 10:41:01 utest-kk amavis[32558]: (32558-02) (!!)run_av (ClamAV-clamscan) FAILED - unexpected exit 1, output="/var/lib/amavis/tmp/amavis-20090516T103501-32558/parts/p001: OK\n/var/lib/amavis/tmp/amavis-20090516T103501-32558/parts/p005: Eicar-Test-Signature FOUND\n/var/lib/amavis/tmp/amavis-20090516T103501-32558/parts/p002: OK"

Notice the 'unexpected exit 1' message, which is the return code for clamscan when it FINDS a virus. The only problem is, amavisd doesn't get that because (IMHO) the faulty regexp in the config which does not match on the above clamscan output.

   ['ClamAV-clamscan', 'clamscan',
    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
    [0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

[0] - is the expected return code when NO viruses are found
qr/:.*\sFOUND$/ - this should match when viruses ARE found, but it doesn't, so amavis gets confused by the exit code

Amavis only finds the virus if the _last_ part/attachment of the email is infected, like this:

May 16 10:39:20 utest-kk amavis[32559]: (32559-01) run_av: /usr/bin/clamscan exit 1, /var/lib/amavis/tmp/amavis-20090516T103918-32559/parts/p003: OK\n/var/lib/amavis/tmp/amavis-20090516T103918-32559/parts/p001: OK\n/var/lib/amavis/tmp/amavis-20090516T103918-32559/parts/p005: Eicar-Test-Signature FOUND

Notice the order in which the email 'parts' are scanned (p005 is the last one and the above regexp matches).

This got fixed upstream in amavis 2.6.3 (amavisd.conf in the tarball) but I only found something in the changelog (no reference to a bug):

"- added missing /m flags to regular expressions in AV entries
  (a bug is revealed with Perl 5.10.0; previous versions of Perl happened
  to work, unintentionally accepting a /m flag if added late during a regexp
  evaluation); reported by Rafael;"

But the Debian package in testing (2.6.2-2) still has the older 15-av_scanners config file which isn't fixed. There is a closed Debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518524 however, which resembles this problem, but I think it's not the same.
Debian changelog of 2.6.3-1 doesn't mention changes to av_scanner config either.

Note: on default postfix+amavis content scanner, the infected mail remains in the mail queue with a 450 temporary error code.

This also affects Jaunty (2.6.2-2ubuntu2) and Intrepid (2.6.1.dfsg-2ubuntu1.1).
It doesn't seem to affect Hardy (2.5.3-1ubuntu3) or Dapper (2.3.3-3).

TEST CASE:
- install postfix + clamav + amavisd-new (content scanner to postfix)
- install spamassassin on Karmic (see Debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526529)
- configure amavisd as follows (in /etc/amavis/conf.d)
  - 15-av_scanners: disable clamd scanner, and make sure clamscan is enabled (in av_scanners_backup)
  - 15-content_filter_mode: enabled virus scanning (and spam scanning on Karmic)
  - 50-user: set $myhostname
- send a test email with multiple attachments, one of them the EICAR test virus (from http://www.eicar.org/anti_virus_test_file.htm)
- see it fail in the mail.log with above error message