mod-antivirus — format of mod-antivirus component configuration
General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes types, sections and items specific to the mod-antivirus component configuration.
Repeatable sections/items are marked by the '*' before section/item name.
Configuration directives have attributes of several value-types. For a description of the basic types, see configuration(7).
Enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, the enumeration description contains values for every name (in parentheses next to the name). For other enumerations, using names is obligatory.
The following enumerations are used in mod-antivirus configuration directives:
enabling (see common(5))
antivirus-protocol (name-usage obligatory)
Which antivirus software is used (selects communication protocol).
    drweb-file     DrWeb antivirus communicating via file
    drweb-net      DrWeb antivirus communicating via network
    clamav-file    Clam AntiVirus communicating via file
    clamav-net     Clam AntiVirus communicating via network
    icap           generic antivirus communicating via ICAP
virus-status (name-usage obligatory)
Antivirus detection status. This enumeration is used when checking results of an antivirus run.
    found          Mail or document scanned, at least one virus found.
    free           Mail or document scanned, no virus was found.
    skipped        Mail or document not scanned or antivirus disabled.
    unknown        Antivirus returned an unknown response.
    error          Antivirus failed.
Configuration of the mod-antivirus library component consists of the following prototypes:
* antivirus name { ... }
antivirus-keepalive ... ;
use-antivirus ... ;
antivirus-mode ... ;
accept-antivirus-status ... ;
antivirus name {
connection ... ;
sock-opt { ... }
timeout ... ;
comm-dir ... ;
altq ... ;
max-checked-size ... ;
icap-pass-200-with-pure-body ... ;
persistent-stream ... ;
}
Settings of antivirus checking.
connection drweb-file inet-socket;
connection drweb-net inet-socket;
connection clamav-file inet-socket;
connection clamav-net inet-socket;
connection icap inet-socket [uri];
Connection to antivirus (socket and protocol).
    antivirus-protocol)
    inet-socket (type: sock)
        Server IP address/hostname
    uri (type: str, optional, default: "/av")
        URI for ICAP GET request (scheme, host and port may be omitted).
sock-opt {
conn-timeout ... ;
recv-bufsize ... ;
close-timeout ... ;
send-bufsize ... ;
log-limit ... ;
}
Options of the connection to antivirus.
The sock-opt section is derived from the sock-opt section prototype. For a detailed description, see netio(5).
sock-opt section:
    Item recv-timeout is not valid.
    Item send-timeout is not valid.
timeout sec;
Total timeout for checking of one document.
    sec (type: uint16)
comm-dir [path];
Directory used for communication with antivirus.
    path (type: str, optional, default: "/data/tmp/antivirus")
altq altq [paltq paltq];
ALTQ queues for data sent to antivirus.
    altq (type: str)
        queue name
    paltq paltq (type: str, optional, default: "")
        priority queue name (if set, used for TCP ACK without data)
max-checked-size bytes [skip];
Maximum size of document sent to antivirus engine.
If the document is larger, only the first part of given size is checked. If a virus is found, the appropriate status is returned. If the document is clean, the rest of document is forwarded without checking.
An alternative behavior can be configured when oversized documents are not checked and status SKIPPED is returned.
    bytes (type: uint64)
        Size limit in bytes.
    skip (type: key, optional)
        This flag causes the check to be skipped for oversized documents.
icap-pass-200-with-pure-body [status];
ICAP server option - handle 200 OK response with pure document body (without HTTP error response header) as virus-free response. Without this option, all 200 OK responses are considered to be virus-found ones.
    status (type: enabling, optional, default: enable)
persistent-stream;
Keeping the antivirus connection alive between several attempts of checking the same file.
[End of section antivirus description.]
antivirus-keepalive channel [interval interval] [chunk chunk] [limit limit];
Antivirus usage mode.
Check document by antivirus, with settings for passing initial part of unchecked data through the antivirus module during antivirus checking.
    channel (type: name-list of antivirus, see above)
        Name of ANTIVIRUS global section used.
    interval interval (type: uint16, optional, default: 0)
        Seconds between passing blocks of unchecked data (0 = do not send unchecked data).
    chunk chunk (type: uint32, optional, default: 0)
        Size of each block of unchecked data.
    limit limit (type: uint32, optional, default: 0)
        Maximum size of unchecked data passed before antivirus check is completed. Remaining data will be passed only after successful checking.
use-antivirus disable;
use-antivirus enable channel;
Antivirus usage mode.
If omitted, or disabled, no antivirus is enabled. In this case, neither any ANTIVIRUS global section can be present nor any MAIL-ACL and DOC-ACL can have VIRUS item specified.
    enabling)
    channel (type: name-list of antivirus, see above)
antivirus-mode disable [interval interval] [chunk chunk] [limit limit];
antivirus-mode enable channel [interval interval] [chunk chunk] [limit limit];
Antivirus usage mode.
If omitted, or disabled, no antivirus is enabled. In this case, neither any ANTIVIRUS global section can be present nor any ACL can have VIRUS item specified.
If enabled, it can be configured for passing initial part of unchecked data to the client before the antivirus check is completed. In this case, if a virus is found later, the connection to the client is broken.
    enabling)
    channel (type: name-list of antivirus, see above)
    interval interval (type: uint16, optional, default: 0)
        Seconds between passing blocks of unchecked data (0 = do not send unchecked data).
    chunk chunk (type: uint32, optional, default: 0)
        Size of each block of unchecked data.
    limit limit (type: uint32, optional, default: 0)
        Maximum size of unchecked data passed before antivirus check is completed. Remaining data will be passed only after successful checking.
accept-antivirus-status status;
Defines set of antivirus status codes (in addition to FREE) that allow further passing of data. Other status codes cause termination of data transfer. If not set, data are passed only if the antivirus returns status FREE.
    status (type: virus-status-set)
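The interaction of max-checked-size (with and without skip) and accept-antivirus-status described above, modelled in Python as an added example; it is not Kernun code and not part of the original man page. AvPolicy, Verdict, evaluate and audit are hypothetical names, and the model assumes the scanner's answer is supplied as a virus-status name.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, NamedTuple, Optional

STATUSES = {"found", "free", "skipped", "unknown", "error"}  # virus-status names

@dataclass(frozen=True)
class AvPolicy:
    """Hypothetical model of the two items; not a Kernun data structure."""
    max_checked_size: Optional[int] = None   # max-checked-size bytes (None = unset)
    skip_oversized: bool = False             # the optional "skip" flag
    accepted: FrozenSet[str] = frozenset()   # accept-antivirus-status (FREE implicit)

class Verdict(NamedTuple):
    status: str            # status the forwarding decision is based on
    forwarded: bool        # is the document passed on?
    unverified_bytes: int  # forwarded bytes not covered by a FREE result

def evaluate(policy: AvPolicy, doc_size: int, scan_status: str) -> Verdict:
    """scan_status is the scanner's answer for the part it was actually given."""
    if scan_status not in STATUSES:
        raise ValueError(f"not a virus-status name: {scan_status}")
    limit = policy.max_checked_size
    oversized = limit is not None and doc_size > limit
    if oversized and policy.skip_oversized:
        status, checked = "skipped", 0         # nothing is sent to the scanner
    elif oversized:
        status, checked = scan_status, limit   # only the first part is checked
    else:
        status, checked = scan_status, doc_size
    forwarded = status == "free" or status in policy.accepted
    if not forwarded:
        return Verdict(status, False, 0)
    covered = checked if status == "free" else 0
    return Verdict(status, True, doc_size - covered)

def audit(policy: AvPolicy) -> List[str]:
    """List the ways this policy forwards data without a FREE result."""
    notes = []
    if policy.max_checked_size is not None and not policy.skip_oversized:
        notes.append("tail beyond max-checked-size is forwarded unchecked")
    if policy.skip_oversized and "skipped" in policy.accepted:
        notes.append("oversized documents are forwarded with no scan at all")
    for s in sorted(policy.accepted & {"found", "skipped", "unknown", "error"}):
        notes.append(f"status {s} is accepted in addition to free")
    return notes
```

An empty audit() result corresponds to the strictest combination: no size limit and no additional accepted status.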