Name

antivirus — format of antivirus component configuration

DESCRIPTION

General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the antivirus component configuration.

Repeatable sections/items are marked by a '*' before the section/item name.

TYPES

Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).

An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, the enumeration description lists the value for every name (in parentheses next to the name). For the other enumerations, the use of names is obligatory.

The following enumerations are used in antivirus configuration directives:

enabling (see common(5))

antivirus-protocol (name-usage obligatory)

Which antivirus software is used (selects the communication protocol).

clamav-file

Clam AntiVirus communicating via file

icap

generic antivirus communicating via ICAP

kav-debug-level (name-usage optional)

Debug level of the Kaspersky antivirus

L0 (0)

Logging off.

L1 (1)

Scanning status only, no tracing data is output.

L2 (2)

Error messages and critical faults.

L3 (3)

Warning messages.

L4 (4)

Informational messages.

L5 (5)

Detailed informational messages.

L6 (6)

Informational messages with extra details.

L7 (7)

Application traces.

L8 (8)

Enhanced tracing.

L9 (9)

Debug output. This is a recommended level for bug reports.

L10 (10)

Full tracing detail. This is a maximum supported level of logging detail.

virus-status (name-usage obligatory)

Antivirus detection status. This enumeration is used when checking results of an antivirus run.

found

Mail or document scanned, at least one virus found.

free

Mail or document scanned, no virus was found.

skipped

Mail or document not scanned or antivirus disabled.

unknown

Antivirus returned an unknown response.

error

Antivirus failed.

database-source (name-usage obligatory)

Antivirus database source.

none

No database is used.

file

Path to a file in the filesystem.

ITEMS AND SECTIONS

Configuration of the antivirus library component consists of the following prototypes:


* antivirus name { ... }
  antivirus-keepalive ... ;
  use-antivirus ... ;
  antivirus-mode ... ;
  accept-antivirus-status ... ;

Description:

antivirus name {
  connection ... ;
  sock-opt { ... }
  timeout ... ;
  comm-dir ... ;
  altq ... ;
  max-checked-size ... ;
  icap-pass-200-with-pure-body ... ;
  persistent-stream ... ;
  clamav-agent { ... }
}

Settings of antivirus checking.

Constraints:

The ICAP antivirus engine is not available as a local agent.

The CLAMAV-AGENT section is allowed only for CLAMAV-* antiviruses.

Items & subsections:

connection clamav-file inet-socket;

connection icap inet-socket [uri];

Connection to antivirus (socket and protocol).

<branching element> (type: antivirus-protocol)

inet-socket (type: sock)

Server IP address/hostname

uri (type: str, optional, default: "/av")

URI of the ICAP service, used as the request URI in requests sent to the ICAP server. The scheme, host and port may be omitted, so the URI can be written as an absolute path (for example "/av").

sock-opt {
  conn-timeout ... ;
  recv-bufsize ... ;
  close-timeout ... ;
  send-bufsize ... ;
  log-limit ... ;
}

Options of the connection to the antivirus server.

The sock-opt section is derived from the sock-opt section prototype. For a detailed description of it, see netio(5).

Changes to the sock-opt section:

Item recv-timeout is not valid.

Item send-timeout is not valid.

timeout [sec];

Total timeout for checking one document.

sec (type: uint16, optional, default: 300)

comm-dir [path];

Directory used for communication with antivirus.

path (type: str, optional, default: "/data/tmp/antivirus")

altq altq [paltq paltq];

ALTQ queues for data sent to antivirus.

altq (type: name of pf-queue, see pf-queue(5))

queue name

paltq paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL)

priority queue name (if set, used for TCP ACK packets carrying no data)

max-checked-size bytes [skip];

Maximum size of a document sent to the antivirus engine.

If the document is larger, only the first part of the given size is checked. If a virus is found in that part, the appropriate status is returned. If the checked part is clean, the rest of the document is forwarded without checking, so malicious content located beyond the limit is never inspected.

An alternative behavior can be configured with the SKIP flag: oversized documents are not checked at all and status SKIPPED is returned. Whether such a document is then passed depends on whether SKIPPED is listed in ACCEPT-ANTIVIRUS-STATUS (see below); if it is not, the transfer is terminated.

bytes (type: uint64)

Size limit in bytes.

skip (type: key, optional)

This flag causes the check to be skipped for oversized documents.

icap-pass-200-with-pure-body [status];

ICAP server option: treat a 200 OK response carrying a pure document body (without an HTTP error response header) as a virus-free response. Without this option, every 200 OK response is considered a virus-found response.

status (type: enabling, optional, default: enable)

persistent-stream;

Keep the antivirus connection open between successive attempts to check the same file.

clamav-agent {
  phase ... ;
* tag ... ;
  exclude-pua ... ;
* clamd-raw ... ;
  custom-db-source ... ;
* custom-db-url ... ;
* freshclam-raw ... ;
}

ClamAV antivirus engine component.

If present, this section defines the parameters of a local agent (clamd) that listens on the address given in CONNECTION and performs the antivirus scanning.

Items & subsections:

phase [number];

Application Startup Phase.

number (type: uint8, optional, default: 40)

Phase number; the lower the number, the earlier the start.

tag value;

Configuration factorization tag.

This feature allows the administrator to create groups of Kernun applications (especially proxies and servers) according to various aspects (belonging to one customer, applications handling particular network traffic, etc.).

Each application can have several tag attributes, and the KAT tool can run some commands (like 'ps', 'start', etc.) for applications with or without a given tag.

value (type: str)

Constraints:

A tag may contain only letters, digits, hyphens and dots.

exclude-pua [list];

Values for the ExcludePUA clamd configuration option (comma-separated list of PUA categories excluded from detection).

list (type: str, optional, default: "Packed,PUA.Win.Packer,EncryptedDoc")

clamd-raw line;

Raw configuration line for the clamd.cfg file.

line (type: str)

custom-db-source none;

custom-db-source [file] [file];

Source of the set of virus database URLs.

<branching element> (type: database-source, optional, default: file)

file (type: str, optional, default: "/usr/local/kernun/license.clamav.dat")

custom-db-url url;

Additional custom URL of virus database.

url (type: str)

freshclam-raw line;

Raw configuration line for the freshclam.cfg file.

line (type: str)

[End of section antivirus.clamav-agent description.]

[End of section antivirus description.]
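As an added example (not taken from the Kernun documentation or product), the following shows two ANTIVIRUS global sections using the items described above, one for a locally managed ClamAV agent and one for a generic ICAP scanner. The '#' comment syntax, the [address]:port socket notation and all addresses, ports, limits, file paths and URLs are assumed for illustration; the exact socket notation is the one defined for the sock type in configuration(7).

```text
# Added example, not part of the Kernun documentation. '#' comments, the
# [address]:port notation and every concrete value below are assumed.

# ClamAV scanning files placed in COMM-DIR, with the clamd agent managed by
# Kernun (CLAMAV-AGENT is allowed only for CLAMAV-* protocols).
antivirus av-clamd {
    connection clamav-file [127.0.0.1]:3310;   # assumed clamd listen address
    timeout 120;                               # per document; default is 300
    comm-dir "/data/tmp/antivirus";            # the documented default, made explicit
    # Without SKIP only the first 20 MB of a larger document is inspected and
    # the remainder is forwarded unchecked if that prefix is clean.
    max-checked-size 20000000;
    clamav-agent {
        phase 40;
        tag "av";
        exclude-pua "Packed,PUA.Win.Packer";    # narrower than the default list
        clamd-raw "MaxFileSize 25M";            # assumed clamd option value
        custom-db-source file "/usr/local/kernun/license.clamav.dat";
        custom-db-url "https://db.example.com/custom.cvd";   # assumed URL
    }
}

# Generic ICAP scanner; no CLAMAV-AGENT section is allowed here.
antivirus av-icap {
    connection icap [10.0.0.5]:1344 "/avscan";   # assumed server and service URI
    timeout 60;
    # With SKIP an oversized document is not scanned at all and yields status
    # SKIPPED; it is passed only if the proxy lists SKIPPED in
    # ACCEPT-ANTIVIRUS-STATUS, otherwise the transfer is terminated.
    max-checked-size 20000000 skip;
    icap-pass-200-with-pure-body disable;        # treat every 200 OK as virus-found
}
```

The two MAX-CHECKED-SIZE variants illustrate the trade-off: the prefix-only check (av-clamd) never blocks a large download but leaves its tail uninspected, while SKIP (av-icap) makes the outcome an explicit policy decision taken in the proxy's ACCEPT-ANTIVIRUS-STATUS item.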

antivirus-keepalive channel [interval interval] [chunk chunk] [limit limit];

Antivirus keep-alive settings.

The document is checked by the antivirus named in CHANNEL; the remaining parameters control the passing of an initial part of the still-unchecked data through the antivirus module while the check is in progress (the same parameters as in ANTIVIRUS-MODE below).

channel (type: name-list of antivirus, see above)

Name of ANTIVIRUS global section used.

interval interval (type: uint16, optional, default: 0)

Seconds between passing blocks of unchecked data (0 = do not send unchecked data).

chunk chunk (type: uint32, optional, default: 0)

Size of each block of unchecked data.

limit limit (type: uint32, optional, default: 0)

Maximum size of unchecked data passed before antivirus check is completed. Remaining data will be passed only after successful checking.

use-antivirus disable;

use-antivirus enable channel;

Antivirus usage mode.

If omitted or disabled, no antivirus is enabled. In this case, no ANTIVIRUS global section may be present and no MAIL-ACL or DOC-ACL may contain a VIRUS item.

<branching element> (type: enabling)

channel (type: name-list of antivirus, see above)

antivirus-mode disable [interval interval] [chunk chunk] [limit limit];

antivirus-mode enable channel [interval interval] [chunk chunk] [limit limit];

Antivirus usage mode.

If omitted or disabled, no antivirus is enabled. In this case, no ANTIVIRUS global section may be present and no ACL may contain a VIRUS item.

If enabled, it can be configured to pass an initial part of the still-unchecked data to the client before the antivirus check is completed (INTERVAL, CHUNK and LIMIT). If a virus is found later, the connection to the client is closed; note, however, that the unchecked data already passed (up to LIMIT bytes) has reached the client by then, so LIMIT bounds the exposure.

<branching element> (type: enabling)

channel (type: name-list of antivirus, see above)

interval interval (type: uint16, optional, default: 0)

Seconds between passing blocks of unchecked data (0 = do not send unchecked data).

chunk chunk (type: uint32, optional, default: 0)

Size of each block of unchecked data.

limit limit (type: uint32, optional, default: 0)

Maximum size of unchecked data passed before antivirus check is completed. Remaining data will be passed only after successful checking.

accept-antivirus-status status;

Defines the set of antivirus status codes (in addition to FREE) that allow further passing of data. Any other status code causes termination of the data transfer. If not set, data are passed only if the antivirus returns status FREE, i.e. SKIPPED, UNKNOWN and ERROR results all fail closed; add a status here only where passing unscanned data is an intended policy.

status (type: virus-status-set)
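As an added example (not Kernun's own documentation), here is how ANTIVIRUS-MODE, USE-ANTIVIRUS and ACCEPT-ANTIVIRUS-STATUS combine inside proxy sections, with a permissive variant beside a tightened one. The enclosing section types (http-proxy, smtp-proxy), the section names, the numeric values, the '#' comment syntax and the { a, b } set notation are assumed; av-clamd is assumed to be an ANTIVIRUS global section defined elsewhere in the configuration.

```text
# Added example, not part of the Kernun documentation. Section types, names,
# values, '#' comments and the { a, b } set notation are assumed; av-clamd
# must be an existing ANTIVIRUS global section.

# Permissive (avoid): up to 8 MB of every document reaches the client before
# the verdict, and SKIPPED, UNKNOWN and ERROR results are passed as if clean,
# so an engine outage or an oversized document fails open.
http-proxy web-open {
    antivirus-mode enable av-clamd interval 2 chunk 65536 limit 8000000;
    accept-antivirus-status { skipped, unknown, error };
}

# Tightened: keep the client connection alive with a small trickle of
# unchecked data (at most 64 KB in total), and pass data only on status FREE,
# which is the behavior when ACCEPT-ANTIVIRUS-STATUS is omitted.
http-proxy web {
    antivirus-mode enable av-clamd interval 10 chunk 4096 limit 65536;
}

# Mail proxy: USE-ANTIVIRUS only selects the channel; which mail and
# documents are scanned is decided by the VIRUS item of the proxy's ACLs.
# Passing SKIPPED (unscanned) mail is listed explicitly as a policy decision.
smtp-proxy mail {
    use-antivirus enable av-clamd;
    accept-antivirus-status { skipped };
}
```

When reviewing an existing configuration, the two values to look at first are LIMIT (how many bytes a client can receive before the scanner's verdict) and the contents of ACCEPT-ANTIVIRUS-STATUS (which non-FREE results are allowed through); ERROR in that set turns any antivirus outage into an unfiltered path.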

SEE ALSO

configuration(7), common(5), netio(5), pf-queue(5)