Virus scanning - e.g. Sophos


Christoph Haas

Feb 14, 2018, 12:56:55 PM
to rspamd
Dear list,

I tried malware scanning with ClamAV for a few days but the detection rate has been so bad that I decided to try something else.

Sophos provides their Linux scanner for free (beer). So I installed it and have a savd and savscand process running. However I can't figure out how to use that with rspamd. The source code mentions TCP port 4010 but the daemons do not open any listeners. Is the free version not sufficient?

Unfortunately the documentation of the antivirus module is very sparse. May someone show me the right way?

Thanks… Christoph

Alex JOST

Feb 15, 2018, 3:04:33 AM
to rsp...@googlegroups.com
On 14.02.2018 at 18:56, Christoph Haas wrote:
> Dear list,
>
> I tried malware scanning with ClamAV for a few days but the detection rate
> has been so bad that I decided to try something else.

Did you try the signatures provided by Sanesecurity.com? We are catching
lots of malware and spam with them.

--
Alex JOST

Patrick Lesky

Mar 4, 2018, 2:23:39 PM
to rspamd
Hello Christoph,

You need to install savdi (SAV Dynamic Interface) as well, which works as an interface between rspamd and savscan. Savdi needs to be run as a daemon and offers an IP listener on port 4010 (default) for rspamd to connect to. You can create a systemd unit file for running savdi as a service.

Regards,
Patrick

googl...@posteule.de

Mar 30, 2018, 11:47:03 AM
to rspamd
Hi,

I've just installed Sophos + SAVDI using the following configuration (based on the clamav configuration):

# cat local.d/antivirus.conf

sophos {
  attachments_only = true;
  servers = "127.0.0.1:4010";
  symbol = "SOPHOS_VIRUS";
  type = "sophos";
  whitelist = "/etc/rspamd/antivirus.wl";

  # If `max_size` is set, messages > n bytes in size are not scanned
  max_size = 50000000;
}


And the corresponding savdid.conf

pidfile: /var/run/savdid.pid
user: savdid
threadcount: 3
maxqueuedsessions: 2
virusdatadir: /opt/sophos-av/lib/sav
idedir: /opt/sophos-av/lib/sav
onexception: REQUEST
onrequest: REQUEST

log {
    type: SYSLOG
    # omit 'logdir' when using SYSLOG
    loglevel: 2
}

channel {
    commprotocol {
        type: IP
        address: 127.0.0.1
        port: 4010
        requesttimeout: 120
        sendtimeout: 2
        recvtimeout: 5
    }
    scanprotocol {
        type: SSSP
        allowscanfile: SUBDIR
        allowscandata: YES
        # If SCANDATA is allowed:-
        # maximum amount of data, in bytes, the client can send
        maxscandata: 50000000
        # maximum amount, in bytes, to held in memory before using a temp file
        maxmemorysize: 250000
        # path name and stub for generating temp file names.
        tmpfilestub: /tmp/savid_tmp

        logrequests: YES
    }
    scanner {
        type: SAVI
        inprocess: YES
        maxscantime: 3
        maxrequesttime: 10
        deny: /dev
        deny: /home
        savigrp: GrpArchiveUnpack 0
        savigrp: GrpInternet 1
        savists: Xml 1
    }
}

Worth mentioning: the 'max_size' (rspamd) and 'maxscandata' (savdid) parameters should match. The default for SAVDI was 500.000 and SAVDI was complaining with "Invalid data parameters have been given (REJ 4)".

Maybe that helps or someone has additional information?

Ralf
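As an added example (not code from this thread or from the rspamd or Sophos projects), the following Python script checks the mismatch Ralf describes before it shows up as "REJ 4" in the logs: it reads rspamd's `sophos` block and savdid's `maxscandata`, and flags the case where rspamd is willing to send more data than savdid will accept. The two config fragments are constructed from the postings above; the two parsers are deliberately minimal and assume the flat `key = value;` and `key: value` line syntax seen in those files, not full UCL or savdid grammar.

```python
import re

# Constructed from the thread's postings, not read from a live system:
# rspamd's local.d/antivirus.conf with max_size = 50 MB.
RSPAMD_ANTIVIRUS_CONF = """\
sophos {
  attachments_only = true;
  servers = "127.0.0.1:4010";
  symbol = "SOPHOS_VIRUS";
  type = "sophos";
  whitelist = "/etc/rspamd/antivirus.wl";
  # If `max_size` is set, messages > n bytes in size are not scanned
  max_size = 50000000;
}
"""

# Constructed savdid.conf fragment still carrying SAVDI's default
# maxscandata of 500000 bytes, the situation that produced "REJ 4".
SAVDID_CONF = """\
channel {
    commprotocol {
        type: IP
        address: 127.0.0.1
        port: 4010
    }
    scanprotocol {
        type: SSSP
        allowscandata: YES
        # maximum amount of data, in bytes, the client can send
        maxscandata: 500000
        maxmemorysize: 250000
    }
}
"""


def parse_rspamd_block(text, block):
    """Extract `key = value;` pairs from one top-level block of rspamd's
    UCL-style config. Comments are dropped and surrounding quotes stripped.
    Assumption: only the flat form used in antivirus.conf, no nesting."""
    match = re.search(r"^\s*" + re.escape(block) + r"\s*\{(.*?)^\s*\}",
                      text, re.S | re.M)
    if not match:
        return {}
    values = {}
    for line in match.group(1).splitlines():
        line = line.split("#", 1)[0].strip()
        kv = re.match(r"(\w+)\s*=\s*(.*?)\s*;$", line)
        if kv:
            values[kv.group(1)] = kv.group(2).strip('"')
    return values


def parse_savdid(text):
    """Extract `key: value` pairs from savdid.conf, ignoring comments and
    block delimiters. Keys that repeat across blocks (e.g. `type:`) are
    kept as lists so nothing is silently overwritten."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        kv = re.match(r"(\w+):\s*(.+)$", line)
        if kv:
            values.setdefault(kv.group(1), []).append(kv.group(2).strip())
    return values


def check_scan_limits(rspamd_text, savdid_text):
    """rspamd hands anything up to max_size to the scanner; savdid refuses
    SCANDATA larger than maxscandata. The check passes only when
    max_size is set and does not exceed maxscandata."""
    rspamd = parse_rspamd_block(rspamd_text, "sophos")
    savdid = parse_savdid(savdid_text)
    max_size = int(rspamd["max_size"]) if "max_size" in rspamd else None
    maxscandata = int(savdid["maxscandata"][0]) if "maxscandata" in savdid else None
    result = {"max_size": max_size, "maxscandata": maxscandata}
    if maxscandata is None:
        result.update(ok=False, reason="savdid.conf sets no maxscandata; cannot verify")
    elif max_size is None:
        result.update(ok=False, reason="rspamd sets no max_size, so messages larger "
                      f"than maxscandata ({maxscandata} bytes) would be rejected")
    elif max_size > maxscandata:
        result.update(ok=False, reason=f"rspamd max_size ({max_size}) exceeds savdid "
                      f"maxscandata ({maxscandata}); large messages will get REJ")
    else:
        result.update(ok=True, reason="limits are consistent")
    return result


def set_savdid_value(text, key, value):
    """Return savdid.conf text with the first `key: ...` line set to value."""
    return re.sub(rf"^(\s*{re.escape(key)}:\s*)\S+", rf"\g<1>{value}",
                  text, count=1, flags=re.M)


if __name__ == "__main__":
    print("before:", check_scan_limits(RSPAMD_ANTIVIRUS_CONF, SAVDID_CONF)["reason"])
    fixed = set_savdid_value(SAVDID_CONF, "maxscandata", 50000000)
    print("after: ", check_scan_limits(RSPAMD_ANTIVIRUS_CONF, fixed)["reason"])
```

Run it against the real files by swapping the two constants for `open(...).read()`; the check is one-directional on purpose, since a savdid limit larger than rspamd's is harmless, while the reverse is exactly what savdid answers with REJ 4.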