Re: [exim] exiscan: clamd at a remote host

Author: Tom Kistner
Date:  
To: gul
CC: exim-users
Subject: Re: [exim] exiscan: clamd at a remote host
Pavel Gulchouck wrote:

> I've tried to set up clamd malware on a remote host, and I see that it does
> not work. As I can see in the sources, the STREAM command for clamd is not
> implemented, so exim+exiscan can use only a local clamd which has read
> access to files in the exim spool directory.

Remote AV scanning does not scale. The additional IO overhead eats up
the gain in CPU cycles. And since scanning at the DATA phase must be
synchronous, you don't even save resources on your SMTP machine.

AV scanning should be done on the box where mail is delivered into. If
you need to scale, you need multiple SMTP input machines, each with its
own AV.

Note: the same is NOT true for spam scanning (which is much more CPU
intensive).

> It would be good if this feature were implemented (as it is for drwebd),
> or at least if this limitation were documented in exiscan-acl-spec.txt
> (there is currently an example "av_scanner = clamd:192.168.2.100 1234"
> which works only if 192.168.2.100 is a local IP).

I admit this is a bit unfortunate :)

> And another feature request: I want to check mail with two different
> antiviruses (drwebd and clamd), but I cannot do this now with malware. :(

You can. From the docs:

-----------------------------------------------------------------
ADVANCED TIP: When the av_scanner option starts with a dollar
($) sign, it is expanded before being used. This is useful if
you want to use multiple scanners. You can then set

/* ----------------------
av_scanner = $acl_m0
---------------------- */

and use these ACL blocks to scan with both sophie and
aveserver scanners:

/* ----------------------
deny message = This message contains malware ($malware_name)
      set acl_m0 = sophie
      malware = *

deny message = This message contains malware ($malware_name)
      set acl_m0 = aveserver
      malware = *
---------------------- */

However, when av_scanner is expanded, the result caching of
the malware condition is not used, so each malware condition
call results in a new scan of the message.
-------------------------------------------------------------------

regards,

/tom
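The same expansion trick applied to the two scanners asked about in this thread, as an added configuration example that is not part of the original post or of the exiscan docs. It assumes clamd is reached through a local Unix socket (so it can read the spool file on the same host, the limitation discussed above), that drwebd is addressed with the "drweb" keyword and a socket path, and that the ACL is wired up with acl_smtp_data = acl_check_data; the socket paths are placeholders.

```exim
# Added example (not from the thread). Assumptions: clamd listens on a
# local Unix socket on this host; drwebd is configured with the "drweb"
# keyword; both socket paths below are placeholders to adjust.
av_scanner = $acl_m0

acl_smtp_data = acl_check_data

acl_check_data:
  # First pass: clamd. It must run on this host because it opens the
  # message file in the exim spool directly.
  deny message     = This message contains malware ($malware_name)
       log_message = clamd rejected message: $malware_name
       set acl_m0   = clamd:/var/run/clamd.sock
       malware      = *

  # Second pass: drwebd. Because av_scanner is expanded, the malware
  # result is not cached, so this is a separate, independent scan
  # (and a second read of the whole message).
  deny message     = This message contains malware ($malware_name)
       log_message = drwebd rejected message: $malware_name
       set acl_m0   = drweb:/var/run/drwebd.sock
       malware      = *

  accept
```

Each "set acl_m0" takes effect before the "malware" condition that follows it in the same statement, which is what selects the scanner for that pass.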