[exim] Exim and Sophos command line AV wrong exit codes?

All,

Environment: Devuan 3.0 Beowulf 64-bit on Xeon - like Debian Buster but
without systemd ;-) Exim 4.93.04 built from source. Sophos Linux free
command line scanner.

Low volume mail server with mail relays in front doing SpamAssassin and
Clam-AV but want to run second line of defense with Rspamd and Sophos
Linux free edition on the internal machine.

In Exim config AV Scanner is:

av_scanner = cmdline:\
                /usr/local/bin/savscan -ss -all -rec -archive -mime
-tnef -archive %s:\
                found in file:'(.+)'

at the bottom of acl_check_data:


        #
        # Reject messages if they have a virus
        #
        warn    log_message = MALWARE: About to scan

        deny    malware = *
                message = Message rejected: Contains malware
($malware_name)
                log_message = MALWARE: Rejected message with: $malware_name

        #
        # accept the rest
        #
        accept


Send myself the Eicar test virus as an attachment and I get:

2020-11-07 15:43:38 1kbQNO-00015b-QC H=relay1.thorcom.net
[195.171.43.32] Warning: RSPAMD: Marked message as spam [Score: 11.1]
2020-11-07 15:43:38 1kbQNO-00015b-QC H=relay1.thorcom.net
[195.171.43.32] Warning: MALWARE: About to scan
2020-11-07 15:43:43 1kbQNO-00015b-QC malware acl condition: cmdline  :
scanner returned error code: 512
2020-11-07 15:43:43 1kbQNO-00015b-QC H=relay1.thorcom.net
[195.171.43.32] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no
F=<eicar@???> temporarily rejected after DATA

Error number 512 is not defined by Sophos as a return value.

Sophos manual for savscan says it returns:

       0      If no errors are encountered and no threats are detected.
       1      If you interrupt savscan (usually by pressing CRTL+C) or
kill the process.
       2      If some error preventing further execution is encountered.
       3      If threats or virus fragments are detected.


*Shell test*

root@mail:~# cat test.sh
#!/bin/bash

/usr/local/bin/savscan -nb -sc -f -all -rec -ss -archive -loopback
--no-follow-symlinks --no-reset-atime -tnef -mime -oe -pua -suspicious
/etc/passwd
echo $? "  " >&2

/usr/local/bin/savscan -nb -sc -f -all -rec -ss -archive -loopback
--no-follow-symlinks --no-reset-atime -tnef -mime -oe -pua -suspicious
/tmp/eicar.com
echo $? "  " >&2


Returns 0 and 3 as per savscan documentation.


*C test*

#include <stdlib.h>
#include <stdio.h>

int main (void)
{
    int rc;

    rc = system("/usr/local/bin/savscan -ss -all -rec -archive -mime
-tnef -archive /etc/passwd");
    printf("rc: %d\n", rc);

    rc = system("/usr/local/bin/savscan -ss -all -rec -archive -mime
-tnef -archive /tmp/eicar.com");
    printf("rc: %d\n", rc);

    exit(0);
}

Returns 0 and 768.



If 768 is being returned for 'virus found' then we have a <<8 or * 256
problem somewhere in Sophos to C language return code handling compared
with the documation and what happens in bash.

If this is the case then the 512 I am seeing means "some error
preventing further execution is encountered".

Can anyone shine any light on this?


Mike