[Avcheck] Re: avcheck support for Sophie?
Orlando Andico
orly@mozcom.com
Fri, 26 Apr 2002 18:43:46 +0800 (PHT)
On Fri, 26 Apr 2002, Michael Tokarev wrote:
..
> Umm. Don't do that. At least directly in /tmp. Avcheck isn't
> prepared, and in fact shouldn't, to work with world-writable directories.
> It will create files with fixed names, something like "tmp-$PID", and
..
I'm using a /tmp/avcheck which is writable by "sweep" only.
..
> Also, for the same reason, it's a high risk to run any av software as
> root, and sophie, as long as I remember, runs as root by default. It
> tries to create /var/run/sophie.pid file - if memory serves me right.
..
My Sophie also runs just as "sweep" user.

I have done some changes to avcheck. I notice that it often gets a -1
error from Sophie (e.g. "file is corrupted, cannot scan" or "cannot scan
multi-volume archive"). I did something weird. If Sophie returns a -1 to
Avcheck, Avcheck returns 0!! This is so that the queue doesn't get too
large. With my 55k mail users, a growing queue is a big pain.
So basically in my installation, only a "1" return from Sophie will
trigger the infected script. All other returns will pass the mail through.

But I don't have enough CPU power. Had to disable avcheck for a while.
Maybe when I have another 2 UltraSPARC CPUs or maybe buy a dual-Athlon
machine.
---
Orlando Andico <orly@mozcom.com>
Mosaic Communications, Inc.
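
Added example, not part of the original message and not avcheck's own code: a startup check that a scanner working directory such as the /tmp/avcheck mentioned above is a real directory, owned by the scanner account, and not writable by group or world, which is the condition that makes fixed names like "tmp-$PID" safe to create. The names `check_spool_dir`, `spool_status` and `demo_mode` are hypothetical, and the scratch directories are constructed for the demonstration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* lstat(), mkdtemp() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum spool_status { SPOOL_OK, SPOOL_MISSING, SPOOL_NOT_DIR,
                    SPOOL_WRONG_OWNER, SPOOL_WRITABLE_BY_OTHERS };

/* Refuse a working directory unless it is a real directory (not a symlink),
 * owned by the scanner account, and not writable by group or world. */
enum spool_status check_spool_dir(const char *path, uid_t owner)
{
    struct stat st;

    if (lstat(path, &st) != 0)              /* lstat: do not follow symlinks */
        return SPOOL_MISSING;
    if (!S_ISDIR(st.st_mode))
        return SPOOL_NOT_DIR;
    if (st.st_uid != owner)
        return SPOOL_WRONG_OWNER;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return SPOOL_WRITABLE_BY_OTHERS;
    return SPOOL_OK;
}

/* Constructed demo: make a scratch directory with the given mode, check it,
 * and clean up. Stands in for the /tmp/avcheck directory from the message. */
enum spool_status demo_mode(mode_t mode, uid_t owner)
{
    char tmpl[] = "/tmp/spoolcheck-XXXXXX";
    enum spool_status s;

    if (mkdtemp(tmpl) == NULL)
        return SPOOL_MISSING;
    if (chmod(tmpl, mode) != 0) { rmdir(tmpl); return SPOOL_MISSING; }
    s = check_spool_dir(tmpl, owner);
    rmdir(tmpl);
    return s;
}

int main(void)
{
    printf("mode 0700: %d\n", demo_mode(0700, getuid()));
    printf("mode 0777: %d\n", demo_mode(0777, getuid()));
    printf("/tmp itself: %d\n", check_spool_dir("/tmp", getuid()));
    return 0;
}
```

The check is meant to run once before any scratch file is created; it relies on the parent directory (here /tmp with its sticky bit) preventing other users from replacing the checked directory afterwards.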