Discussion:
zINSTREAM clamd example
carlosho17
2016-12-11 19:05:00 UTC
Hi everyone,

Has anybody managed to configure zINSTREAM for a remote clamav-daemon instance?

I'm unable to figure out the proper configuration for the streaming protocol. I have amavisd-new 2.7.1-2 on Debian wheezy, and clamav-daemon 0.99.2+dfsg-0+deb8u2 on Debian 8 (both are backports).

E.g. I want to replace the local clamav-daemon configuration in Debian 8 at /etc/amavis/conf.d/15-av_scanners

\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],

by something like

\&ask_daemon, ["zINSTREAM {}\n", "xx.xx.xx.xx:3310"],

in the hope that amavisd-new will write the file contents to the TCP socket using the INSTREAM protocol, but it fails with this message:

Dec 11 15:56:49 mx3 amavis[32229]: (32229-01) (!)run_av (ClamAV-clamd) FAILED - unexpected , output="COMMAND READ TIMED OUT\n"
Dec 11 15:56:49 mx3 amavis[32229]: (32229-01) (!)ClamAV-clamd av-scanner FAILED: CODE(0x24015b0) unexpected , output="COMMAND READ TIMED OUT\n" at (eval 114) line 899.


Any help on a working zINSTREAM example will be greatly appreciated.

Regards,

Carlos Horowicz
AvasCloud SL
Steve King
2022-02-14 15:59:48 UTC
This is old, but digging around I found this:
https://gist.github.com/brianroth/397334
and this:
https://github.com/steveking13/clamdstream

I have successfully used the latter.

The problem seems to be that the clamd daemon with CONTSCAN attempts to read a file from a path on a local file system, so you cannot simply replace the CONTSCAN with an INSTREAM.
Another option would be to share the filesystem between the two systems. This wouldn't be something I would want to do over a WAN link.

Both the linked code examples take a hostname and a filename, then open a connection to clamd and provide it with the appropriate data; it will then return a response.

The python code seems better suited to amavis integration. Python is installed by default on most distros, too.

Anonymous example from my mail server (using clamdstream):
Feb 14 08:36:57 hostname amavis[14549]: (14549-05) Blocked INFECTED (stream: winnow.malware.test.eicar.com.UNOFFICIAL) {DiscardedInbound,Quarantined}, [::1]:33166 <emailaddress> -> <emailaddress>, quarantine: X/virus-virusid, Queue-ID: queueid, Message-ID: <***@domainname>, mail_id: virusid, Hits: -, size: 1111, 846 ms
Feb 14 08:36:57 hostname postfix/smtp[19829]: queueid: to=<emailaddress>, relay=127.0.0.1[127.0.0.1]:10024, delay=39, delays=39/0.01/0/0.85, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=14549-05 - INFECTED: stream: winnow.malware.test.eicar.com.UNOFFICIAL)

The "stream" in the "INFECTED" report identifies that amavis streamed the attachment.

Regards,

--
Steve
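Steve's description of what clamdstream does (open a connection, hand clamd the data, read back the verdict) is clamd's INSTREAM protocol: after the `zINSTREAM` command clamd expects length-prefixed chunks ending in a zero-length chunk, and answers with a NUL-terminated `stream: ...` line. The following is an added Python example, not code from the linked gist or from clamdstream, that builds those frames, sends them over TCP and parses the reply; the host, port, chunk size and the sample reply strings are assumptions/constructed values.

```python
import socket
import struct

CHUNK_SIZE = 8192  # assumed chunk size; any size below clamd's StreamMaxLength is fine


def instream_frames(data: bytes, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Build the byte sequence clamd expects for a zINSTREAM scan.

    Layout: b"zINSTREAM\\0", then one or more <len><data> chunks where <len>
    is a 4-byte big-endian unsigned length, then a zero-length chunk that
    terminates the stream. Sending only "zINSTREAM" without these chunks
    leaves clamd waiting for data, which is what a command timeout looks like.
    """
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        out += struct.pack(">L", len(chunk)) + chunk
    out += struct.pack(">L", 0)  # zero-length chunk ends the stream
    return bytes(out)


def parse_reply(reply: bytes) -> tuple:
    """Turn a NUL-terminated z-style reply into (verdict, detail).

    b"stream: OK\\0"                      -> ("OK", "")
    b"stream: Some.Signature FOUND\\0"    -> ("FOUND", "Some.Signature")
    b"stream: <message> ERROR\\0"         -> ("ERROR", "<message>")
    """
    text = reply.rstrip(b"\0").decode("utf-8", "replace")
    _, _, body = text.partition(": ")  # reply is "<id>: <body>"; id is "stream" here
    if body == "OK":
        return ("OK", "")
    if body.endswith(" FOUND"):
        return ("FOUND", body[:-len(" FOUND")])
    if body.endswith(" ERROR"):
        return ("ERROR", body[:-len(" ERROR")])
    return ("UNKNOWN", body)


def scan_bytes(data: bytes, host: str, port: int = 3310, timeout: float = 30.0) -> tuple:
    """Stream `data` to a remote clamd over TCP and return the parsed verdict."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(instream_frames(data))
        reply = bytearray()
        while not reply.endswith(b"\0"):  # z-prefixed commands get a NUL-terminated answer
            buf = s.recv(4096)
            if not buf:
                break
            reply += buf
    return parse_reply(bytes(reply))
```

`scan_bytes(open(path, "rb").read(), "xx.xx.xx.xx")` is the whole client; the ERROR branch catches clamd refusing a stream larger than its configured StreamMaxLength, which otherwise gets logged as a scanner failure rather than a verdict.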
Keshav Bhatt
2023-03-21 18:31:26 UTC
AMAVISD-NEW + REMOTE CLAMAV SERVER

If you are using amavisd-new and you want amavisd to send emails and parts to a remotely running ClamAV instance, this is how you need to configure your amavisd config:

```perl
['ClamAV-remote-stream',
  \&ask_daemon, [
    "{}/*",                     # stream all parts via zINSTREAM
    [
      'clamd:<IP>:<PORT>'       # "clamd:" prefix selects the remote clamd protocol
    ],
  ],
  qr/\bOK$/m, qr/\bFOUND$/m,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m
],
```
Please replace the IP with the IP address of the remote ClamAV instance and the PORT with the TCP port number where clamd is listening (usually 3310).

Using the "{}/*" "query command" sends all parts as a unified zINSTREAM, with amavis adding zIDSESSION and zEND markers around each part. By prefixing the addresses with "clamd:", the "remote clamd" protocol is selected based on the first address.