diff -u src/malware.c.orig src/malware.c
--- src/malware.c.orig Mon Nov 28 17:57:32 2005
+++ src/malware.c Sat Dec 17 21:43:46 2005
@@ -22,12 +22,34 @@ #define DRWEBD_SCAN_CMD (1) /* scan file, buffer or diskfile */ #define DRWEBD_RETURN_VIRUSES (1<<0) /* ask daemon return to us viruses names from report */ +#define DRWEBD_HEURISTIC_ON (1<<3) /* say to use heuristic algorithm */ #define DRWEBD_IS_MAIL (1<<19) /* say to daemon that format is "archive MAIL" */ +#define DRWEBD_HAVE_EXTENDED (1<<31) /* client knows about extended options */ #define DERR_READ_ERR (1<<0) /* read error */ #define DERR_NOMEMORY (1<<2) /* no memory */ +#define DERR_KNOWN_VIRUS (1<<5) /*= 0x00000020 */ +#define DERR_UNKNOWN_VIRUS (1<<6) /*= 0x00000040 */ +#define DERR_VIRUS_MODIFICATION (1<<7) /*= 0x00000080 */ #define DERR_TIMEOUT (1<<9) /* scan timeout has run out */ #define DERR_BAD_CALL (1<<15) /* wrong command */ +#define DERR_ADWARE (1<<22) /*= 0x00400000 */ +#define DERR_DIALER (1<<23) /*= 0x00800000 */ +#define DERR_JOKE (1<<24) /*= 0x01000000 */ +#define DERR_RISKWARE (1<<25) /*= 0x02000000 */ +#define DERR_HACKTOOL (1<<26) /*= 0x04000000 */ +#define DERR_INFECTED (DERR_KNOWN_VIRUS | DERR_VIRUS_MODIFICATION) +#define DERR_MALWARE (DERR_ADWARE | DERR_DIALER | DERR_JOKE | DERR_RISKWARE | DERR_HACKTOOL) +#define DERR_COMMON_MASK (DERR_INFECTED | DERR_UNKNOWN_VIRUS | DERR_MALWARE) + +#define DRWEBD_EXT_ADWARE_IGNORE (1<<1) /* ignore adware */ +#define DRWEBD_EXT_DIALER_IGNORE (1<<5) /* ignore adware */ +#define DRWEBD_EXT_JOKE_IGNORE (1<<9) /* ignore adware */ +#define DRWEBD_EXT_RISKWARE_IGNORE (1<<13) /* ignore adware */ +#define DRWEBD_EXT_HACKTOOL_IGNORE (1<<17) /* ignore adware */ +#define DRWEBD_EXT_ANY_IGNORE (DRWEBD_EXT_ADWARE_IGNORE | DRWEBD_EXT_DIALER_IGNORE | \ + DRWEBD_EXT_JOKE_IGNORE | DRWEBD_EXT_RISKWARE_IGNORE | \ + DRWEBD_EXT_HACKTOOL_IGNORE) /* Routine to check whether a system is big- or litte-endian. Ripped from http://www.faqs.org/faqs/graphics/fileformats-faq/part4/section-7.html 
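Review bot: `DRWEBD_HAVE_EXTENDED` is defined as `(1<<31)`, which shifts a signed `int` constant into its sign bit; where `int` is 32 bits this is undefined behaviour in C and yields a negative value on most compilers. Write it as `(1U<<31)`, and consider the same unsigned form for the other bit constants so the `DERR_*` masks are not mixed with signed values. The five `DRWEBD_EXT_*_IGNORE` defines all carry the comment `/* ignore adware */`. Since each bit appears to suppress reporting of a whole detection class, each comment should name its own class, for example `/* ignore dialers */` and `/* ignore hacktools */`.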
@@ -155,6 +178,13 @@ struct hostent *he; struct in_addr in; pcre *drweb_re; + + uschar *drweb_objlist; + uschar drweb_objlist_buffer[7]; + uschar drweb_objlist_default[] = ""; + int drweb_i,drweb_objlen; + int drweb_ext_flags, drweb_mask; + if ((drweb_options = string_nextinlist(&av_scanner_work, &sep, drweb_options_buffer, sizeof(drweb_options_buffer))) == NULL) { 
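Review bot: `uschar drweb_objlist_buffer[7];` uses an unexplained size. The following hunk passes `sizeof(drweb_objlist_buffer)` to `string_nextinlist`, so the option string is limited to six characters, and what happens to a longer value depends on `string_nextinlist`, which is not shown here. This option appears to select which detection classes are scanned for or ignored, so a silently shortened list would change scanning policy without the administrator noticing. A named constant with a comment such as `/* object-list letters plus terminating NUL */` would document the limit, and an over-long list is better rejected than accepted as a prefix. The enclosing function starts and ends outside the hunk.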
@@ -162,6 +192,71 @@ drweb_options = drweb_options_default; }; + // - read additional options + + if ((drweb_objlist = string_nextinlist(&av_scanner_work, &sep, + drweb_objlist_buffer, sizeof(drweb_objlist_buffer))) == NULL) { + /* no objlist supplied, use default objlist */ + drweb_objlist = drweb_objlist_default; + }; + + drweb_objlen = strlen(drweb_objlist); + drweb_flags = DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL; + drweb_mask = DERR_COMMON_MASK; + drweb_ext_flags = 0x0000; + + // - set up scanning options + + for (drweb_i = 0; drweb_i 0 */ + /* something found if virus number is > 0 */ if (drweb_vnum) { int i; uschar pre_malware_nb[256]; - malware_name = malware_name_buffer; - - /* setup default virus name */ - Ustrcpy(malware_name_buffer,"unknown"); - + // check if we need to report something + if (drweb_rc & drweb_mask) { + malware_name = malware_name_buffer; + /* setup default virus name */ + Ustrcpy(malware_name_buffer,"unknown"); + drweb_objlen = 1; + } else { + drweb_objlen = 0; + malware_name = NULL; + } + /* read and concatenate virus names into one string */ for (i=0;i= 2) { - pcre_copy_substring(CS tmpbuf, ovector, result, 1, CS pre_malware_nb, 255); - } - /* the first name we just copy to malware_name */ - if (i==0) - Ustrcpy(CS malware_name_buffer, CS pre_malware_nb); - else { - /* concatenate each new virus name to previous */ - int slen = Ustrlen(malware_name_buffer); - if (slen < (slen+Ustrlen(pre_malware_nb))) { - Ustrcat(malware_name_buffer, "/"); - Ustrcat(malware_name_buffer, pre_malware_nb); - } - } + + if (result >= 3) { + pcre_copy_substring(CS tmpbuf, ovector, result, 2, CS pre_malware_nb, 255); + /* the second name we just copy to malware_name */ + if (i==0) + Ustrcpy(CS malware_name_buffer, CS pre_malware_nb); + else { + /* concatenate each new virus name to previous */ + int slen = Ustrlen(malware_name_buffer); + if (slen < (slen+Ustrlen(pre_malware_nb))) { + Ustrcat(malware_name_buffer, "/"); + Ustrcat(malware_name_buffer, 
pre_malware_nb); + } + } + } } } else {
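Review bot: The re-indented concatenation keeps the guard `if (slen < (slen+Ustrlen(pre_malware_nb)))`, which is true for every non-empty name and never compares against the size of `malware_name_buffer`. Each name can be up to 255 bytes (the limit given to `pcre_copy_substring`) and appears to come from the daemon's report, once per reported virus, so a few long names can make `Ustrcat` write past the end of the buffer. The guard should bound the total, for example `if (slen + 1 + Ustrlen(pre_malware_nb) < sizeof(malware_name_buffer))`, assuming `malware_name_buffer` is an array; its declaration is outside the hunk. The return value of `pcre_copy_substring` is also ignored, so `pre_malware_nb` may be copied without having been filled when the call fails. Part of this hunk's text, including the loop header, is missing from the page.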