ClamAV and Sophos
Nuno Fernandes
npf-mlists at eurotux.com
Tue Mar 22 15:06:46 CET 2016
On Tuesday 22 March 2016 10:00:23 Dino Edwards wrote:
> I'm trying to figure out how to integrate Sophos with amavis in addition to
> clamav in Ubuntu.
I'm also using this scenario but with CentOS. So it should be somewhat the
same.
> I'm a little confused on how to go about integrating it.
> As I understand, I need to download and install the following:
>
> Sophos Antivirus for Linux 9.1
>
> Then I need to enter an entry like below in my amavis config?
>
> ### http://www.sophos.com/
> ['Sophos Anti Virus (savscan)', # formerly known as 'sweep'
> ['/opt/sophos-av/bin/savscan', 'savscan'], # 'sweep'
> '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.
> '--no-reset-atime {}',
> [0,2], qr/Virus .*? found/m,
> qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m,
> ],
With this configuration you will be calling the antivirus for each mail. It will
load all the virus definitions, scan the file and then exit. It will be slow.
I use the daemon version, where a daemon starts, loads the virus database and
then listens for incoming scan requests. You can do that with either:
- Sophos-SSSP daemon - it's a daemon that comes with the Sophos install files
- Sophie - an open-source daemon
I tested the first one and had a few problems and then reverted back to Sophie.
Here is my conf:
['Sophie',
  \&ask_daemon, ["{}/\n", '/tmp/sophie.sock'], # was: sophie:/var/run/sophie
  #\&ask_daemon, ["{}/\n", '/var/spool/qmailscan/run/sophie'], # was: sophie:/var/run/sophie
  qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
  qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ], #no /m on old cfg
> Do I also need to install SAV Dynamic interface 2.2 from Sophos?
Don't know for sure.
> Does anyone have a definitive guide on how to get this going?
I've created our own internal RPMs for CentOS for Sophos and savi. So for us it is
just a matter of installing the RPMs, registering Sophos and changing
amavisd.conf.
From Sophos the only file that we require is sav-linux-9-i386.tgz (don't know
why it is named i386).
Hope it helps.
Best regards,
Nuno Fernandes
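
Added example, not part of the original message and not amavisd or Sophie code: a Python port of the three regexes in the 'Sophie' entry above, showing how a daemon reply is read as clean, infected or failed. The function names, the sample replies in the test and the "-1:..." error form are assumptions made for illustration; the socket path and the "{}/\n" request form are taken from the config above.

```python
import re
import socket

# The three patterns from the 'Sophie' entry, as Python bytes regexes.
# re.X replaces the inline (?x); re.M mirrors the /m on the third pattern.
CLEAN = re.compile(rb"^ 0+ ( : | [\000\r\n]* $)", re.X)
INFECTED = re.compile(rb"^ 1 ( : | [\000\r\n]* $)", re.X)
NAME = re.compile(rb"^ [-+]? \d+ : (.*?) [\000\r\n]* $", re.X | re.M)


def classify(reply: bytes):
    """Return (status, virus_name) for one raw daemon reply."""
    if CLEAN.search(reply):
        return ("clean", None)
    if INFECTED.search(reply):
        m = NAME.search(reply)
        return ("infected", m.group(1).decode("latin-1") if m else None)
    # An empty reply or any other code (assumed here: "-1:...") matches
    # neither status pattern. Report it as a scanner failure, never as a pass.
    return ("failed", None)


def ask_sophie(path: str, sock_path: str = "/tmp/sophie.sock",
               timeout: float = 10.0):
    """Send one request in the "{}/\\n" form used above and classify the answer."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(path.rstrip("/").encode() + b"/\n")
        return classify(s.recv(4096))
```

Calling ask_sophie() on a directory that holds a harmless antivirus test file is a quick way to confirm the daemon is answering on the socket before pointing amavisd at it.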