antivirus — Kernun virus checking support


As a part of the data content inspection, the Kernun proxies can send processed documents for virus checking to various antivirus engines. The engine interfaces are configured as antivirus global sections within a system section (see the antivirus(5) manual page). The method of using of the interfaces in particular proxy is defined within the proxy configuration by different approaches:

  • In some proxies (e.g. SMTP), the general principles are defined globally on the proxy-level by the use-antivirus item, all data is handled by the same manner, and the antivirus check results are used as an entry value for the doc-acl search.

  • In some proxies (e.g. ICAP, IMAP, POP), the general principles depend on particular service, or protocol command used, thus the use-antivirus item is moved into proper ACL (service-acl, or command-acl).

  • In some proxies (e.g. FTP, HTTP), the antivirus check execution depends on the particular document. Thus, a proper doc-acl is chosen first, and within it both the antivirus engines selection (by the antivirus item) and the virus check result application (by the accept-antivirus-status) is defined.

The data can be sent to antivirus checking to more engines in parallel. After finishing all the checks, the final results is set by using the folloving rules:

  1. If some virus has been found by any engine, the result FOUND is used.

  2. Otherwise, if some engine has told that the data is clean, the result FREE is used.

  3. Otherwise, if some engine configuration has skipped the check due to data size, the result SKIPPED is used.

  4. Otherwise, if some engine return UNKNOWN status, the result UNKNOWN is used.

  5. Otherwise, the result ERROR is used.

Standard operation mode

Standard behavior of the checking module is to store the whole file to the temporary file first and then to send it to the engine(s). With large files, this may cause some problems in on-line proxies (FTP, HTTP), both on the sender and recipient side.

Some of these problems can be solved by configuring the max-checked-size parameter and ways what to do with larger files.

  • One possibility is to skip the files, i.e. pass them without check.

  • The alternative way is to check only the initial part of the file and to decide according to it. During the check, the rest of the file is still being received and stored.

Keepalive mode option

In some proxies, the check should be configured with so called keepalive option. It means that data is transferred in small chunks to the destination prior the check is finished. The document behaves like it would be virus FREE. If the final decision by the engine does not match with the ACL selected in advance, the session is reset.

This option is configured in proper item (antivirus-keepalive or antivirus-mode) by using nonzero interval and chunk elements.

Stream mode option

In some proxies, the check should be configured with so called stream option. It means that data is sent to antivirus engines periodically as soon as a multiple of defined chunk size is reached and after a successfull check, the data is forwarded to the destination. However, only three chunks can be processed by the proxy in parallel (one being read, one being checked and one being sent out). When the output channel or the antivirus check is slow, the receipt of data is suspended until a chunk is released.

This option is configured in proper item (antivirus-keepalive or antivirus-mode) by using zero (or omitted) interval element and nonzero chunk one.


The current version of antivirus support following engines:


ClamAV 0.9X.


ESET File Security v3.0.


Generic engine listening on a TCP/IP socket via the ICAP protocol. In the configuration, the socket address and target URI must be defined. In the URI, the scheme (ICAP), server name/address and optional port need not be included, if they can be derived from the connection.

The following ICAP engines was successfully tested:


Symantec Scan Engine 5.2.


Sophos Anti Virus Dynamic Interface (SAVDI) v2.0.


In the proper service of the savdid.conf, the 204 answers must be permitted:

allow204: YES


Email and Web Security 5.6


Gateway Security 4


Configuration/ICAP/Performance Agent must be enabled

See Also

Kernun: antivirus(5)


This man page is a part of Kernun Firewall.
Copyright © 2000–2023 Trusted Network Solutions, a. s.
All rights reserved.