All,
Environment: Devuan 3.0 Beowulf 64-bit on Xeon - like Debian Buster but
without systemd ;-) Exim 4.93.04 built from source. Sophos Linux free
command line scanner.
Low volume mail server with mail relays in front doing SpamAssassin and
Clam-AV, but I want to run a second line of defense with Rspamd and Sophos
Linux free edition on the internal machine.
In Exim config AV Scanner is:

av_scanner = cmdline:\
             /usr/local/bin/savscan -ss -all -rec -archive -mime -tnef -archive %s:\
             found in file:'(.+)'
At the bottom of acl_check_data:

  #
  # Reject messages if they have a virus
  #
  warn  log_message = MALWARE: About to scan

  deny  malware     = *
        message     = Message rejected: Contains malware ($malware_name)
        log_message = MALWARE: Rejected message with: $malware_name

  #
  # accept the rest
  #
  accept
I send myself the Eicar test virus as an attachment and I get:

2020-11-07 15:43:38 1kbQNO-00015b-QC H=relay1.thorcom.net [195.171.43.32] Warning: RSPAMD: Marked message as spam [Score: 11.1]
2020-11-07 15:43:38 1kbQNO-00015b-QC H=relay1.thorcom.net [195.171.43.32] Warning: MALWARE: About to scan
2020-11-07 15:43:43 1kbQNO-00015b-QC malware acl condition: cmdline : scanner returned error code: 512
2020-11-07 15:43:43 1kbQNO-00015b-QC H=relay1.thorcom.net [195.171.43.32] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no F=<[email protected]> temporarily rejected after DATA
Error number 512 is not defined by Sophos as a return value.
The Sophos manual for savscan says it returns:

  0  If no errors are encountered and no threats are detected.
  1  If you interrupt savscan (usually by pressing Ctrl+C) or kill the process.
  2  If some error preventing further execution is encountered.
  3  If threats or virus fragments are detected.
*Shell test*

root@mail:~# cat test.sh
#!/bin/bash
# clean file: expect exit code 0
/usr/local/bin/savscan -nb -sc -f -all -rec -ss -archive -loopback \
    --no-follow-symlinks --no-reset-atime -tnef -mime -oe -pua -suspicious \
    /etc/passwd
echo $? " " >&2
# Eicar test file: expect exit code 3
/usr/local/bin/savscan -nb -sc -f -all -rec -ss -archive -loopback \
    --no-follow-symlinks --no-reset-atime -tnef -mime -oe -pua -suspicious \
    /tmp/eicar.com
echo $? " " >&2

Returns 0 and 3 as per savscan documentation.
*C test*

#include <stdlib.h>
#include <stdio.h>

int main(void)
{
    int rc;

    /* clean file: savscan documents exit code 0 */
    rc = system("/usr/local/bin/savscan -ss -all -rec -archive -mime -tnef -archive /etc/passwd");
    printf("rc: %d\n", rc);

    /* Eicar test file: savscan documents exit code 3 */
    rc = system("/usr/local/bin/savscan -ss -all -rec -archive -mime -tnef -archive /tmp/eicar.com");
    printf("rc: %d\n", rc);

    exit(0);
}

Returns 0 and 768.
If 768 is being returned for 'virus found' then we have a <<8 or * 256
problem somewhere in Sophos to C language return code handling compared
with the documentation and what happens in bash.
If this is the case then the 512 I am seeing means "some error
preventing further execution is encountered".
Can anyone shine any light on this?
Mike
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
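Reading the two raw numbers from the mail above as a wait status rather than an exit code, as an added example that is not from the original post, from Exim or from Sophos: system() (like waitpid()) returns a status word with the exit code in bits 8..15, so WEXITSTATUS() turns 768 into 3 and 512 into 2 against the savscan table quoted above. The shell command "exit N" is a constructed stand-in for savscan so the block runs without a scanner; that Exim's "scanner returned error code" prints the same raw status is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>

/* savscan's documented exit codes, as quoted in the mail above. */
static const char *savscan_meaning(int code)
{
    switch (code) {
    case 0:  return "no errors and no threats detected";
    case 1:  return "interrupted (Ctrl+C) or killed";
    case 2:  return "error preventing further execution";
    case 3:  return "threats or virus fragments detected";
    default: return "not a documented savscan exit code";
    }
}

/* system() and waitpid() return a wait status, not the exit code: a normal
 * exit stores the code in bits 8..15, hence the 768 = 3<<8 seen in the mail.
 * Returns the child's exit code, or -1 if it did not exit normally (killed
 * by a signal) or system() itself failed. */
static int exit_code_from_status(int status)
{
    if (status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Reproduce the encoding without a scanner: run a constructed shell command
 * that exits with n and hand back the raw status system() reports. */
static int raw_status_of_exit(int n)
{
    char cmd[32];
    snprintf(cmd, sizeof cmd, "exit %d", n);
    return system(cmd);
}

int main(void)
{
    /* The two raw values from the mail: 768 from the C test, 512 from Exim. */
    int raw[] = { 768, 512 };
    for (size_t i = 0; i < sizeof raw / sizeof raw[0]; i++) {
        int code = exit_code_from_status(raw[i]);
        printf("raw %d -> exit code %d: %s\n", raw[i], code, savscan_meaning(code));
    }
    int s = raw_status_of_exit(3);
    printf("system(\"exit 3\") returned %d, WEXITSTATUS gives %d\n",
           s, exit_code_from_status(s));
    return 0;
}
```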