On 2014-03-20 at 08:37 +0000, Dr Andrew C Aitchison wrote:
> On Sat, 8 Mar 2014, Jeremy Harris wrote:
> >>Version 4 attached. This has been running in production for a couple
> >>of days, demonstrating operation of:
> >>clamav/SCAN
> >>I'd still like confirmation from other people that I've not broken:
> >>clamd/STREAM
> >>clamd/zINSTREAM
> warn message = ClamAV found $malware_name
> set acl_m0 = clamd:/var/run/clamav/clamd.sock
> malware = *
> ...
>
> but I'm not sure whether that means I'm using clamav/SCAN, sock,
> clamd/STREAM or clamd/zINSTREAM.
You're using SCAN.
First, the relevant bit of The Exim Specification:
----------------------------8< cut here >8------------------------------
av_scanner = clamd:/opt/clamd/socket
av_scanner = clamd:192.0.2.3 1234
av_scanner = clamd:192.0.2.3 1234:local
av_scanner = clamd:192.0.2.3 1234 : 192.0.2.4 1234
If the value of av_scanner points to a UNIX socket file or contains the
local keyword, then the ClamAV interface will pass a filename containing
the data to be scanned, which should normally result in less I/O
happening and be more efficient. Normally in the TCP case, the data is
streamed to ClamAV as Exim does not assume that there is a common
filesystem with the remote host. There is an option WITH_OLD_CLAMAV_STREAM
in src/EDITME available, should you be running a version of ClamAV prior to
0.95.
----------------------------8< cut here >8------------------------------
SCAN:      used when a filename is passed to ClamAV
STREAM:    used before ClamAV 0.95 to send data to remote ClamAV daemons;
           they keep threatening to drop support, not sure if they have
           gotten around to it.
zINSTREAM: available as of ClamAV 0.95, sends the data inline in the
           main TCP connection instead of juggling extra connections
In Exim 4.73, we switched from STREAM to zINSTREAM unless Exim is built
with WITH_OLD_CLAMAV_STREAM.
So any sane modern Exim install with ClamAV support will handle SCAN and
zINSTREAM and the decision is entirely an "is it local?" one, per the
spec.
-Phil
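
The "is it local?" rule from the message above, as an added example that is not part of the original message and is not Exim's code. The function names and the old_stream flag (standing in for a WITH_OLD_CLAMAV_STREAM build) are assumptions, and the option parsing is a simplified model of the quoted spec text; the request framing follows clamd's documented SCAN and zINSTREAM formats.

```python
import struct


def clamd_command(av_scanner, old_stream=False):
    """Return the clamd command implied by an av_scanner value.

    Simplified model of the quoted spec text: a UNIX socket path or the
    'local' keyword means a filename is passed (SCAN); otherwise the
    data is streamed over the TCP connection.
    """
    kind, _, rest = av_scanner.partition(":")
    if kind.strip() != "clamd":
        raise ValueError("not a clamd scanner definition")
    options = [o.strip() for o in rest.split(":") if o.strip()]
    if not options:
        raise ValueError("no socket or server given")
    if options[0].startswith("/") or "local" in options:
        return "SCAN"
    # old_stream models a build with WITH_OLD_CLAMAV_STREAM (assumption).
    return "STREAM" if old_stream else "zINSTREAM"


def scan_request(path):
    """SCAN: clamd opens the file itself, so it needs read access to it."""
    return b"SCAN " + path.encode() + b"\n"


def zinstream_request(data, chunk_size=4096):
    """zINSTREAM: NUL-terminated command, then length-prefixed chunks
    (4-byte big-endian length), ended by a zero-length chunk."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out.append(struct.pack("!I", len(chunk)) + chunk)
    out.append(struct.pack("!I", 0))
    return b"".join(out)


if __name__ == "__main__":
    # Values taken from the thread and the spec excerpt.
    for value in ("clamd:/var/run/clamav/clamd.sock",
                  "clamd:192.0.2.3 1234",
                  "clamd:192.0.2.3 1234:local",
                  "clamd:192.0.2.3 1234 : 192.0.2.4 1234"):
        print(f"{value!r:45} -> {clamd_command(value)}")
    print(zinstream_request(b"abcdef", chunk_size=4))
```

With SCAN only a path crosses the socket, so the clamd user must be able to read Exim's spooled file; with zINSTREAM the message body itself travels over the TCP connection.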