On Mar 24, 2008, at 2:03 PM, Erik P. Olsen wrote:
> Hi,
>
> I am new to clamav and I have a few questions on some of the items in the
> clamd.conf file:
>
> 1. LocalSocket must be specified, it says, but what is it used for and what
> would it normally be?
>
> 2. TCPAddr. Again, I don't know what it is used for and what INADDR_ANY is.
>
> 3. DetectPUA. What sort of applications are detected with this setting?
>
> Would someone be kind enough to clarify these questions for me?
> Thanks in advance,
> --
Here's an acceptable explanation of Unix local sockets: http://www.frostbytes.com/~jimf/papers/sockets/sockets.html

They're used as a communications channel between processes running locally on your system. Other systems can't see them or use them. There are other socket types (tcp/ip) that we use all the time on the internet. A listener, in this case the ClamAV daemon, clamd, opens a socket and other products such as clamdscan can use it to request that clamd scan something. That something can be a stream of data, a file or directory, or an archive such as a zip or tar file. Clamd is configured to use a tcp/ip socket with an assigned port number to listen on when it is to do this over the network versus locally. A local socket is a special file and will show up using the 'ls' command. A tcp/ip socket shows up when using the netstat tool.

The TCPAddr is the IP address assigned to your network interface. For systems that have multiple network cards this will cause clamd to bind to one but not the other, based on the address. A tcp/ip socket becomes the combination of the TCPAddr and the port number given to the process - technically it's a listening socket until a connection is made by another system. Clamd typically listens on port 3310 but can listen on any port you give it.

INADDR_ANY is shorthand for "listen on every IP you find". That would include all active network interfaces, virtual interfaces, wireless interfaces, and even the localhost pseudo interface, lo0, which by default always uses address 127.0.0.1. The expansion of the shorthand term is INternet ADDRess, Any.

You should choose either a tcp/ip socket using TCPAddr, or a Unix socket, but not both. If you don't intend to run clamd then you don't need either one. The current version of ClamAV allows using both but that was not always so and I'm not sure I can successfully rationalize why I'd want both.
I use a local socket for self-contained systems, and a tcp/ip socket for client-server configurations where one ClamAV installation services several client systems over the network, but only for email. It creates a lot of network traffic to scan an entire disk across the net.

DetectPUA is an abbreviation for "Detect Possibly Unwanted Applications". This is a method of detection that does not use patterns, but rather analyzes the scanned data and makes some decisions about its nature. This is not unlike trying to predict the weather based on previous weather samples and it may or may not work. I consider it a work in progress but not something that is ready to use on the corporate mail system.

If this is useful, send a card to Luca in Italy - he keeps the ClamAV Wiki going.

dp

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html