[exim] Virus scanning email with Sophos (or other AV engines…

Author: Mike Tubby
Date:  
To: Exim User List
Subject: [exim] Virus scanning email with Sophos (or other AV engines) on mail servers

I run an email system with three public mail relay servers which act as
the MX and front ends for a couple of hundred domains.

These relay servers run Exim and perform a wide range of 'email firewall
functions': policing the SMTP protocol, checking RBLs, SPF, DKIM, URBL,
sender verify, recipient verify, and performing a first-pass SPAM check
using SpamAssassin and a first-pass AV check using Clam-AV. If the mail is
accepted it is handed off to the domain owner's mail server - a
different machine that handles one or more end-user domains - typically
also based on Exim and Dovecot.

The mail servers only allow SMTP in from the mail relay machines but do
not fully 'trust' them; instead they run further user- or domain-specific
checks, typically using Rspamd and Sophos AV this time round.  We like
the idea of scanning a second time with a different AV engine, and this
appears to be appropriate, as while Clam-AV catches the majority of
malware, Sophos does find the odd one or two a week that get through Clam-AV.

The problem that I have is that in the old days we used Sophos+Sophie
and it was reliable.  Sophie was discontinued, so I switched to command
line based scanning using various incantations:

#
# See: https://www.baruwa.com/docs/advanced/additional-antivirus.html
#
#av_scanner = cmdline:\
#               /opt/sophos-av/bin/savscan -nb -sc -f -all -rec -ss -archive -loopback --no-follow-symlinks --no-reset-atime -tnef -mime -oe -pua -suspicious %s:\
#               found in file:'(.+)'

#av_scanner = cmdline:\
#               /opt/sophos-av/bin/savscan -ss -all -rec -archive -mime %s:\
#               found in file:'(.+)'

#av_scanner = cmdline:\
#               /usr/local/bin/savscan -ss -all -rec -archive -mime -tnef %s:\
#               found in file:'(.+)'


but they stopped working at some point (I can't remember when) due to the
return code, so I hacked together a wrapper script:

#!/bin/bash

# Scan the file Exim hands us (the %s in av_scanner) and always exit 0,
# so that savscan's own return code does not upset Exim.
/usr/local/bin/savscan -ss -all -rec -archive -mime -tnef "$1"
exit 0


and use this in Exim:

#
# Wrapper for Sophos AV with correct return code
#
av_scanner = cmdline:\
                /usr/local/bin/sophos_wrapper %s:\
                found in file:'(.+)'


which works 99.99% of the time, but occasionally Sophos AV ("sweep")
seems to get spawned multiple times and runs away with system resources
(loadavg > 40) and the mail server grinds to a halt - like it's got stuck
with multiple recursions.

Once the system is wedged, "killall -KILL exim" will recover it, but I
have to clean out /var/lib/exim/scan and there's a chance that the
problem email will be delivered again.

I'm using the last sav-linux-free-9.tgz community edition from Sophos
before they retired it - it still updates its definitions daily and
works fine otherwise.

Has anyone else experienced this issue with Sophos?

Is there a different/better way to use Sophos?

Should I switch to a different AV as second line of defence?

What are other people doing?


Regards


Mike


PS. System is 64-bit Devuan 4 Linux (like Debian Bullseye but without
systemd) on Intel Xeon. Exim 4.94.2 built from source.
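
An added example, not Mike's script and not part of the original thread: a replacement for the wrapper that addresses the two failure modes described above, a scan that never finishes and an unbounded number of savscan processes running at once. It puts each scan under a wall-clock limit (SIGTERM, then SIGKILL) and caps the number of concurrent scans with mkdir-based slot locks, and it exits 0 only when savscan actually ran to completion, so a killed or failed scan is not reported to Exim as "nothing found". Assumptions: savscan lives at /usr/local/bin/savscan and returns 0 for clean and 3 for "threat found" (the exit codes documented for Sophos Anti-Virus for Linux; check your version); the slot directory /run/lock/sophos_wrapper is writable by the Exim user; and 75 (EX_TEMPFAIL from sysexits.h) is an arbitrary choice of failure code. How your Exim version treats a non-zero exit from a cmdline scanner is something to confirm against the Exim specification before relying on it; the post itself notes that the return code is what broke the plain savscan configuration, so it is not treated as "clean".

```shell
#!/bin/sh
# sophos_wrapper: added example, not the original poster's script.
# Runs savscan with a wall-clock limit and a cap on concurrent scans, so a
# scan that hangs or recurses cannot take the whole mail server with it.
# Assumed savscan exit codes: 0 = clean, 3 = threat found (check your version).
# Every setting can be overridden from the environment.

SAVSCAN="${SAVSCAN:-/usr/local/bin/savscan}"                 # scanner binary
SAVSCAN_ARGS="${SAVSCAN_ARGS:--ss -all -rec -archive -mime -tnef}"
SCAN_TIMEOUT="${SCAN_TIMEOUT:-120}"     # seconds before the scan gets SIGTERM
KILL_GRACE="${KILL_GRACE:-5}"           # seconds from SIGTERM to SIGKILL
MAX_SCANS="${MAX_SCANS:-2}"             # scans allowed to run at the same time
SLOT_WAIT="${SLOT_WAIT:-30}"            # seconds to wait for a free slot
LOCKDIR="${LOCKDIR:-/run/lock/sophos_wrapper}"   # must be writable by the exim user
EX_TEMPFAIL=75                          # sysexits.h "temporary failure, try later"

# acquire_slot: claim one of MAX_SCANS slot directories. mkdir is atomic, so
# two wrappers cannot both win the same slot. Prints the slot path on success;
# returns 1 if no slot frees up within SLOT_WAIT seconds.
acquire_slot() {
    mkdir -p "$LOCKDIR" || return 1
    deadline=$(( $(date +%s) + SLOT_WAIT ))
    while :; do
        i=0
        while [ "$i" -lt "$MAX_SCANS" ]; do
            if mkdir "$LOCKDIR/slot.$i" 2>/dev/null; then
                echo "$LOCKDIR/slot.$i"
                return 0
            fi
            i=$((i + 1))
        done
        [ "$(date +%s)" -lt "$deadline" ] || return 1
        sleep 1
    done
}

release_slot() {
    rmdir "$1" 2>/dev/null || true
}

# run_with_limit SECONDS GRACE CMD...: run CMD, send SIGTERM after SECONDS and
# SIGKILL GRACE seconds later. Returns CMD's exit status; a killed command
# yields 128+signal (143 for TERM, 137 for KILL), as wait reports it.
run_with_limit() {
    limit="$1"; grace="$2"; shift 2
    "$@" &
    child=$!
    ( sleep "$limit"; kill -TERM "$child" 2>/dev/null
      sleep "$grace"; kill -KILL "$child" 2>/dev/null ) </dev/null >/dev/null 2>&1 &
    watchdog=$!
    rc=0
    wait "$child" || rc=$?
    kill "$watchdog" 2>/dev/null || true
    return "$rc"
}

# run_scan FILE: the entry point Exim calls through
#   av_scanner = cmdline:/usr/local/bin/sophos_wrapper %s:found in file:'(.+)'
# Exits 0 only when savscan ran to completion; Exim then decides infected or
# not from the trigger regex on the output, as with the original wrapper.
# No free slot, a timeout or a scanner error exit EX_TEMPFAIL instead, so a
# message whose scan never finished is not silently treated as clean.
run_scan() {
    file="$1"
    if ! slot=$(acquire_slot); then
        echo "sophos_wrapper: no free scan slot after ${SLOT_WAIT}s" >&2
        return "$EX_TEMPFAIL"
    fi
    rc=0
    # shellcheck disable=SC2086  # SAVSCAN_ARGS is meant to be word-split
    run_with_limit "$SCAN_TIMEOUT" "$KILL_GRACE" "$SAVSCAN" $SAVSCAN_ARGS "$file" || rc=$?
    release_slot "$slot"
    case "$rc" in
        0|3) return 0 ;;   # clean, or threat reported on stdout for Exim to match
        *)   echo "sophos_wrapper: savscan failed or was killed (rc=$rc)" >&2
             return "$EX_TEMPFAIL" ;;
    esac
}

# Exim invokes the script with the spool file as $1.
if [ "$#" -gt 0 ]; then
    run_scan "$1"
    exit $?
fi
```

Drop it in as /usr/local/bin/sophos_wrapper and keep the av_scanner line from the post unchanged; the trigger and name regexes still do the detection. Tune SCAN_TIMEOUT to the largest legitimate archive you expect and MAX_SCANS to what the box can sustain, since the time a message spends waiting for a slot counts against the SMTP DATA timeout of the sending relay. The point of exiting EX_TEMPFAIL rather than 0 on failure is fail-closed behaviour: a scan that was killed for running away is exactly the one you do not want treated as clean.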