Hi,
We use SAVDI to scan all files being uploaded, and when the EICAR test signature is present in a file but not at the beginning of the file, the file passes the scan.
Attached is the conf file for the SAVDI settings.
# No of worker threads to start up
threadcount: 5
# Where to find the virus data if it is held somewhere other than the default location
# These options can be specified under the SAVI configuration but that
# is not advised.
#virusdatadir: C:\Program Files\Sophos\Sophos Anti-Virus
#virusdataname: vdl
#idedir: C:\Program Files\Sophos\Sophos Anti-Virus
# What to do when the daemon must exit
# Options are:-
# DONTWAIT (just exit now!)
# REQUEST (wait for current requests to complete)
# SESSION (wait for current sessions to complete)
# Case 1) An exception has occurred and operation could be compromised
onexception: REQUEST
# Case 2) A request has been made for it to exit
# If there are long running sessions then REQUEST should be considered
onrequest: SESSION
log {
# Specify the logging mechanism {CONSOLE|FILE|SYSLOG}
type: FILE
# Where to write the log files (if FILE is selected)
logdir: C:\ProgramData\Sophos\SAV Dynamic Interface\Logs\
# Specify the level of logging required
# 0 = errors+threats
# 1 = (0) + process events
# 2 = (1) + session events
loglevel: 0
}
# A number of channels are included here as samples, new channels may
# be added, others removed. There needs to be at least one of course.
# Unwanted channels should be removed.
#
# Define a channel for ICAP over IP
channel {
# Send to the log requests received from clients
# For debugging. Default: NO
# logrequests: YES
commprotocol {
type: IP
# IP Address to listen on, default is 0.0.0.0 (any)
# address: 127.0.0.1
port: 1344
# Subnet of acceptable client IP addresses.
# Default is to accept from any client.
# subnet: 127.0.0.1/24
# idle timeout in secs when waiting for a request
# 0 is forever. Default: 0
# requesttimeout: 120
# timeout in secs between characters when sending data
sendtimeout: 2
# idle timeout in secs between characters when receiving data
recvtimeout: 10
}
service {
# The name of the service, arbitrary as long as the client
# uses the same name.
name: avscan
# The type of service, for now can only be avscan
type: avscan
scanprotocol {
# The type of protocol in use. Can only be ICAP.
type: ICAP
# Version of the configuration for this service.
# Update when changes are made that may alter the
# result returned to the client. Default: XXX
version: 1.01
# Objects sent for scanning can be retained if they are
# infected or cause the service a problem. Allowed values
# are NONE, MALWARE, PROBLEM, ALL. ALL meaning both
# MALWARE and PROBLEM. Default: NONE
# retain: NONE
# A list of file extensions for files which the client
# should not send to this server. The list is sent as-is
# to the client. See ICAP Transfer-Ignore header. A
# Transfer-Complete: * header is automatically added.
# Default is none.
# dontsend: .jpg, .gif, .bmp, .tiff
# 204 is the ICAP code indicating that the object
# sent for processing is unmodified and OK and will
# not be returned to the client. Default: NO
# allow204: NO
# Don't automatically close the connection after a
# transaction. Default: NO
keepalive: YES
# Maximum permitted size, in bytes, of the body in a request.
# Zero is no limit. Default: 0
# maxbodysize: 0
# Maximum amount of memory, in bytes, to use for an object, before
# putting it into a temporary file. Default: 1000000
#maxmemorysize: 1024
# Maximum size of the chunks, in bytes, for returned data, 0 is
# no maximum. Default: 0
# maxchunksize: 0
# Where to place and name temporary files
# Default: <standard temp directory>/SAVDI_
# On *nix systems: /var/tmp/SAVDI_
tmpfilestub: C:\ProgramData\Sophos\SAV Dynamic Interface\Temp\icap_
# The block-* options determine what to do with files
# that result in some sort of error.
# Any of these files may be infected.
# NB Files identified as malware are always blocked.
# Treat zip-bombs as malignant. Zip-bombs are compressed
# files that contain many files which are very highly
# compressed. They are intended either to deny use of
# a scanner by keeping it occupied for excessive periods
# or to use excessive resources, such as disc space on the
# end-point. Default: YES
# block-bombs: YES
# Block encrypted files. Encrypted files cannot be scanned
# and may harbour malware. Default: NO
# block-encrypted: NO
# Block corrupt files. Some files are simply corrupt, others
# may not conform to the standard, or one of its known
# variants, but may still be usable. Default: NO
# block-corrupt: NO
# Block timeouts. It took too long to scan the file and
# the scan was terminated early. (See the maxscantime
# option in the scanner section.) Default: YES
# block-timeouts: YES
# The AV engine returned some other error. Scanning of the
# file possibly did not complete. Default: YES
# block-errors: YES
# The AV engine caused an exception. Exceptions can be
# considered as errors that were not caught in time.
# Scanning of the file did not complete. Default: YES
# block-exceptions: YES
# At least one client (c-icap) seems to always expect a
# body, even an empty one. Default: NO
# forceemptybody: YES
}
scanner {
# See the SAVDI documentation for details for configuring
# SAVI
type: SAVI
inprocess: YES
# Turn on auto-stop, ie zip-bomb detection
savists: enableautostop 1
# Turn on most of the other options
savigrp: grpsuper 1
# Limit the time taken to scan a file to this number of seconds
# Zero is forever. Default: 0
# maxscantime: 0
}
}
}
#
# Define a channel using a named pipe for SSSP
#
channel {
commprotocol {
type: Pipe
# Both forms are acceptable
# name: \\.\pipe\avscan # A server must specify \\.\
name: avscan
# timeout in secs when sending data
sendtimeout: 2
# idle timeout in secs when receiving data
recvtimeout: 60
}
scanprotocol {
type: SSSP
# Do we allow the client to use SCANFILE?
allowscanfile: SUBDIR
# Do we allow the client to use SCANDATA?
allowscandata: YES
# If SCANDATA is allowed:-
# maximum amount of data, in bytes, the client can send
maxscandata: 2000000
# maximum amount, in bytes, to be held in memory before using a temp file
maxmemorysize: 250000
# path name and stub for generating temp file names.
tmpfilestub: C:\ProgramData\Sophos\SAV Dynamic Interface\Temp\savid_tmp
# Log each request made by a client?
# logrequests: YES
}
scanner {
# type and inprocess can only be SAVI and YES for now
type: SAVI
inprocess: YES
# Max time in seconds to be allowed for scanning a single file
maxscantime: 3
# Max time in seconds to be allowed to complete a request
maxrequesttime: 10
#Some SAVI/Engine options
savigrp: GrpArchiveUnpack 0
savigrp: GrpInternet 1
savists: Xml 1
}
}
#
# Define an IP channel for SSSP
#
channel {
commprotocol {
type: IP
# IP Address to listen on, default is 0.0.0.0 (any)
# Note that listening on the wildcard address with a
# non-special port number is not secure
address: 0.0.0.0
port: 4010
# Subnet of acceptable client IP addresses
# subnet: 172.18.32.26/30
# timeout in secs when sending data
sendtimeout: 2
# idle timeout in secs when receiving data
recvtimeout: 60
}
scanprotocol {
type: SSSP
# Do we allow the client to use SCANFILE?
allowscanfile: NO
# Do we allow the client to use SCANDATA?
allowscandata: YES
# If SCANDATA is allowed:-
# maximum amount of data, in bytes, the client can send
maxscandata: 500000000
# maximum amount, in bytes, to be held in memory before using a temp file
maxmemorysize: 250000
# path name and stub for generating temp file names.
tmpfilestub: C:\ProgramData\Sophos\SAV Dynamic Interface\Temp\savid_tmp
# Log each request made by a client?
# logrequests: YES
}
scanner {
# type and inprocess can only be SAVI and YES for now
type: SAVI
inprocess: YES
# Max time in seconds to be allowed for scanning a single file
maxscantime: 3
# Max time in seconds to be allowed to complete a request
maxrequesttime: 10
#Some SAVI/Engine options
savigrp: GrpArchiveUnpack 0
savigrp: GrpInternet 1
savists: Xml 1
}
}
# Define an IP channel for localhost
channel {
commprotocol {
type: IP
# Note that listening on the wildcard address with a
# non-special port number is not secure
address: 127.0.0.1
port: 4010
# subnet: 127.0.0.1/24
sendtimeout: 2
recvtimeout: 2
}
scanprotocol {
type: SSSP
# Normally should be NO for an IP connection
allowscanfile: SUBDIR
allowscandata: YES
# If SCANDATA is allowed:-
# maximum amount of data, in bytes, the client can send
maxscandata: 500000000
# maximum amount, in bytes, to be held in memory before using a temp file
maxmemorysize: 250000
# path name and stub for generating temp file names.
tmpfilestub: C:\ProgramData\Sophos\SAV Dynamic Interface\Temp\savid_tmp
# logrequests: YES
}
scanner {
type: SAVI
inprocess: YES
# Max time to be allowed for scanning a single file
maxscantime: 3
# Max time in seconds to be allowed to complete a request
maxrequesttime: 10
savigrp: GrpArchiveUnpack 0
savigrp: GrpInternet 1
}
}
# Define an IP channel for localhost for Sophie
channel {
commprotocol {
type: IP
# Note that listening on the wildcard address with a
# non-special port number is not secure
address: 127.0.0.1
port: 4009
# subnet: 127.0.0.1/24
sendtimeout: 2
recvtimeout: 2
}
scanprotocol {
type: SOPHIE
allowscandir: DIR
# logrequests: YES
}
scanner {
type: SAVI
inprocess: YES
# Max time to be allowed for scanning a single file
maxscantime: 3
# Max time in seconds to be allowed to complete a request
maxrequesttime: 10
savigrp: GrpArchiveUnpack 0
savigrp: GrpInternet 1
}
}
Thanks