Re: [exim-dev] New malware scanner type "sock"

Author: Phil Pennock
Date:  
To: Dr Andrew C Aitchison
CC: exim-dev, Jeremy Harris
Subject: Re: [exim-dev] New malware scanner type "sock"
On 2014-03-20 at 08:37 +0000, Dr Andrew C Aitchison wrote:
> On Sat, 8 Mar 2014, Jeremy Harris wrote:
> >>Version 4 attached. This has been running in production for a couple
> >>of days, demonstrating operation of:
> >>
> >>clamav/SCAN
> >>
> >>I'd still like confirmation from other people that I've not broken:
> >>
> >>clamd/STREAM
> >>clamd/zINSTREAM
>
>   warn message = ClamAV found $malware_name
>         set acl_m0 = clamd:/var/run/clamav/clamd.sock
>          malware = *
>     ...
>
> but I'm not sure whether that means I'm using clamav/SCAN, sock,
> clamd/STREAM or clamd/zINSTREAM.


You're using SCAN.

First, the relevant bit of The Exim Specification:

----------------------------8< cut here >8------------------------------
    av_scanner = clamd:/opt/clamd/socket
    av_scanner = clamd:192.0.2.3 1234
    av_scanner = clamd:192.0.2.3 1234:local
    av_scanner = clamd:192.0.2.3 1234 : 192.0.2.4 1234


    If the value of av_scanner points to a UNIX socket file or contains the
    local keyword, then the ClamAV interface will pass a filename containing
    the data to be scanned, which should normally result in less I/O
    happening and be more efficient. Normally in the TCP case, the data is
    streamed to ClamAV as Exim does not assume that there is a common
    filesystem with the remote host. There is an option WITH_OLD_CLAMAV_STREAM
    in src/EDITME available, should you be running a version of ClamAV prior to
    0.95.
----------------------------8< cut here >8------------------------------


SCAN: used when a filename is passed to ClamAV
STREAM: used before ClamAV 0.95 to send data to remote ClamAV daemons;
        they keep threatening to drop support, not sure if they have
        gotten around to it.
zINSTREAM: available as of ClamAV 0.95, sends the data inline in the
           main TCP connection instead of juggling extra connections


In Exim 4.73, we switched from STREAM to zINSTREAM unless Exim is built
with WITH_OLD_CLAMAV_STREAM.

So any sane modern Exim install with ClamAV support will handle SCAN and
zINSTREAM and the decision is entirely an "is it local?" one, per the
spec.

-Phil
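As an added illustration (not Exim's own code, and not part of the original thread), the following Python mirrors the rules Phil quotes from the specification: parse the `clamd:` form of `av_scanner`, decide whether the filename will be passed (SCAN) or the data streamed (zINSTREAM, or STREAM only in a build with WITH_OLD_CLAMAV_STREAM), and show what "sends the data inline in the main TCP connection" looks like on the wire. The entry parsing (a leading `/` means a UNIX socket path, `host port` means TCP, `local` is treated as one flag for the whole value) and the zINSTREAM framing (a NUL-terminated `zINSTREAM` command, then chunks of a 4-byte big-endian length plus that many bytes, ended by a zero length) are my own reading of the clamd protocol and of the quoted spec, not something the message states verbatim; Exim's real parser has more options than are shown here.

```python
"""Illustrative parser for the clamd form of Exim's av_scanner option.

Added example, not Exim's own code. It follows the rules quoted from the
Exim specification: a UNIX socket path or the 'local' keyword means the
filename is passed to ClamAV (SCAN); otherwise the data is streamed
(zINSTREAM from Exim 4.73 on, STREAM only if built with
WITH_OLD_CLAMAV_STREAM).
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ClamdServer:
    kind: str        # "unix" (socket path) or "tcp" (host/port)
    address: str     # socket path, or host
    port: int = 0    # only meaningful for tcp


def parse_av_scanner(value: str) -> Tuple[List[ClamdServer], bool]:
    """Parse 'clamd:<entry>[ : <entry> ...]'.

    Entries are separated by ':' with optional surrounding whitespace, as in
    the spec's 'clamd:192.0.2.3 1234 : 192.0.2.4 1234' example. Returns the
    server list and whether the 'local' keyword was present.
    """
    scheme, sep, rest = value.partition(":")
    if not sep or scheme.strip() != "clamd":
        raise ValueError("only the clamd scanner form is handled here")
    servers: List[ClamdServer] = []
    local = False
    for raw in rest.split(":"):
        entry = raw.strip()
        if not entry:
            continue
        if entry == "local":            # assumption: treated as a global flag
            local = True
        elif entry.startswith("/"):     # filesystem path -> UNIX socket
            servers.append(ClamdServer("unix", entry))
        else:                           # 'host port' -> TCP
            parts = entry.split()
            if len(parts) != 2 or not parts[1].isdigit():
                raise ValueError("expected 'host port', got %r" % entry)
            servers.append(ClamdServer("tcp", parts[0], int(parts[1])))
    if not servers:
        raise ValueError("no clamd server given")
    return servers, local


def scan_mode(value: str, old_stream_build: bool = False) -> str:
    """Which ClamAV command Exim ends up using for this av_scanner value."""
    servers, local = parse_av_scanner(value)
    if local or any(s.kind == "unix" for s in servers):
        return "SCAN"            # filename passed, daemon reads the file itself
    return "STREAM" if old_stream_build else "zINSTREAM"


def instream_frames(data: bytes, chunk_size: int = 8192) -> bytes:
    """Bytes sent on the single TCP connection for one zINSTREAM scan.

    Framing is the clamd protocol as I understand it (assumption, not from
    the page): 'zINSTREAM\\0', then <len:4 bytes BE><data> chunks, then a
    zero length to end the stream.
    """
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)
    return bytes(out)


if __name__ == "__main__":
    # The four spec examples plus Andrew's own setting, all constructed here.
    for v in ("clamd:/opt/clamd/socket",
              "clamd:192.0.2.3 1234",
              "clamd:192.0.2.3 1234:local",
              "clamd:192.0.2.3 1234 : 192.0.2.4 1234",
              "clamd:/var/run/clamav/clamd.sock"):
        print("%-45s -> %s" % (v, scan_mode(v)))
    print(instream_frames(b"constructed message body", chunk_size=8))
```

Running it prints SCAN for the socket-path and `local` cases and zINSTREAM for the plain TCP ones, which is exactly the "is it local?" decision described above; passing `old_stream_build=True` reproduces the pre-4.73 (or WITH_OLD_CLAMAV_STREAM) choice of STREAM.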