From e5140faeba18139e5f534919eead9aa2a0900fb3 Mon Sep 17 00:00:00 2001
From: Arne Fahrenwalde
Date: Mon, 29 Jan 2018 09:41:00 +0100
Subject: [PATCH] [Fix] F-PROT Antivirus: only check return code to determine infection F-PROT Antivirus uses return codes 1-3 (infected, suspicious, both) to signal an infection, while 4-255 are various error codes (including infected files were found before the error occured, but it's too complicated to handle all that edge case scenarios).
---
 src/plugins/lua/antivirus.lua | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/plugins/lua/antivirus.lua b/src/plugins/lua/antivirus.lua
index c35b8cfd6..4b69b8850 100644
--- a/src/plugins/lua/antivirus.lua
+++ b/src/plugins/lua/antivirus.lua
@@ -410,7 +410,9 @@ local function fprot_check(task, rule)
 rspamd_logger.infox(task, '%s [%s]: message is clean', rule['symbol'], rule['type'])
 end
 else
- local vname = string.match(data, '^1 <.*infected.*: (.-)>')
+ -- returncodes: 1: infected, 2: suspicious, 3: both, 4-255: some error occured
+ -- see http://www.f-prot.com/support/helpfiles/unix/appendix_c.html for more detail
+ local vname = string.match(data, '^[1-3] <[%w%s]-: (.-)>')
 if not vname then
 rspamd_logger.errx(task, 'Unhandled response: %s', data)
 else
-- 
2.39.5
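Review bot: The new `string.match` still ties detection to the description text, so a reply with return code 1-3 whose bracketed description has anything other than alphanumerics or whitespace before the first `: ` leaves `vname` nil and lands in the `Unhandled response` branch instead of being treated as an infection. That fails open and does not match the stated goal of deciding on the return code alone; I have not checked what F-PROT actually emits for codes 2 and 3, so whether this occurs in practice needs confirming against real scanner output. Consider keying the decision on the code and treating the name as best-effort, e.g. `local vname = string.match(data, '^[1-3] <[^>]-: (.-)>') or (string.match(data, '^[1-3] ') and 'unknown')`, which keeps the existing `if not vname` check working for codes 4-255. `fprot_check` begins and ends outside this hunk, so how `vname` is consumed afterwards is not visible here.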