Author: Mike Tubby
Date:
To: exim-users@exim.org
Subject: [exim] Exim and Sophos command line AV wrong exit codes?
All,
Environment: Devuan 3.0 Beowulf 64-bit on Xeon - like Debian Buster but
without systemd ;-) Exim 4.93.04 built from source. Sophos Linux free
command line scanner.
Low volume mail server with mail relays in front doing SpamAssassin and
Clam-AV but want to run second line of defense with Rspamd and Sophos
Linux free edition on the internal machine.
In Exim config AV Scanner is:
av_scanner = cmdline:\
    /usr/local/bin/savscan -ss -all -rec -archive -mime -tnef -archive %s:\
    found in file:'(.+)'
at the bottom of acl_check_data:
#
# Reject messages if they have a virus
#
warn log_message = MALWARE: About to scan
Send myself the Eicar test virus as an attachment and I get:
2020-11-07 15:43:38 1kbQNO-00015b-QC H=relay1.thorcom.net [195.171.43.32] Warning: RSPAMD: Marked message as spam [Score: 11.1]
2020-11-07 15:43:38 1kbQNO-00015b-QC H=relay1.thorcom.net [195.171.43.32] Warning: MALWARE: About to scan
2020-11-07 15:43:43 1kbQNO-00015b-QC malware acl condition: cmdline : scanner returned error code: 512
2020-11-07 15:43:43 1kbQNO-00015b-QC H=relay1.thorcom.net [195.171.43.32] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no F=<eicar@???> temporarily rejected after DATA
Error number 512 is not defined by Sophos as a return value.
Sophos manual for savscan says it returns:
0  If no errors are encountered and no threats are detected.
1  If you interrupt savscan (usually by pressing CTRL+C) or kill the process.
2  If some error preventing further execution is encountered.
3  If threats or virus fragments are detected.
If 768 is being returned for 'virus found' then we have a <<8 or * 256
problem somewhere in Sophos to C language return code handling compared
with the documentation and what happens in bash.
If this is the case then the 512 I am seeing means "some error
preventing further execution is encountered".
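
Added example, not part of the original post and not Exim or Sophos code: a small C program showing how a POSIX wait status relates to a child's exit code, which is the <<8 relationship the post asks about. It assumes the number Exim logs is the raw status returned by pclose(); `exit N` run through the shell is a constructed stand-in for savscan, and the function names are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for popen()/pclose() */
#endif
#include <stdio.h>
#include <sys/wait.h>

/* Run a command through popen() and return the raw status from pclose(). */
int raw_status_of(const char *cmd)
{
    char buf[256];
    FILE *p = popen(cmd, "r");
    if (p == NULL)
        return -1;
    while (fgets(buf, sizeof buf, p) != NULL)
        ;                         /* drain output, as a scanner wrapper would */
    return pclose(p);
}

/* Exit code (0..255) if the child exited normally, -1 otherwise
 * (popen/pclose failure, or child terminated by a signal). */
int exit_code_of(int raw)
{
    if (raw == -1 || !WIFEXITED(raw))
        return -1;
    return WEXITSTATUS(raw);
}

/* Meanings as quoted from the savscan manual in the post above. */
const char *savscan_meaning(int code)
{
    switch (code) {
    case 0:  return "no errors, no threats";
    case 1:  return "interrupted or killed";
    case 2:  return "error preventing further execution";
    case 3:  return "threats or virus fragments detected";
    default: return "not documented";
    }
}

int main(void)
{
    const char *cmds[] = { "exit 0", "exit 2", "exit 3" };  /* constructed */
    for (int i = 0; i < 3; i++) {
        int raw = raw_status_of(cmds[i]);
        int code = exit_code_of(raw);
        printf("%-7s raw=%d exit=%d (%s)\n", cmds[i], raw, code, savscan_meaning(code));
    }
    return 0;
}
```

On Linux a normal exit is stored in the high byte of the wait status, so the raw values printed are 0, 512 and 768, while the decoded exit codes match what a shell shows in `$?`.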