[Avcheck] Re: avcheck support for Sophie?

Orlando Andico orly@mozcom.com
Fri, 26 Apr 2002 18:43:46 +0800 (PHT)


On Fri, 26 Apr 2002, Michael Tokarev wrote:
..
> Umm.  Don't do that.  At least directly in /tmp.  Avcheck isn't
> prepared, and in fact shouldn't, to work with world-writable directories.
> It will create files with fixed names, something like "tmp-$PID", and
..

I'm using a /tmp/avcheck which is writable by "sweep" only.

..
> Also, for the same reason, it's a high risk to run any av software as
> root, and sophie, as long as I remember, runs as root by default.  It
> tries to create /var/run/sophie.pid file - if memory serves me right.
..

My Sophie also runs just as "sweep" user.

I have made some changes to avcheck. I notice that it often gets a -1 
error from Sophie (e.g. "file is corrupted, cannot scan" or "cannot scan 
multi-volume archive"). I did something weird. If Sophie returns a -1 to 
Avcheck, Avcheck returns 0!! This is so that the queue doesn't get too 
large. With my 55k mail users, a growing queue is a big pain.

So basically in my installation, only a "1" return from Sophie will 
trigger the infected script. All other returns will pass the mail through.

But I don't have enough CPU power. I had to disable avcheck for a while. 
Maybe when I have another 2 UltraSPARC CPUs or maybe buy a dual-Athlon 
machine.


---
Orlando Andico <orly@mozcom.com>
Mosaic Communications, Inc.
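
The thread's point about fixed file names and a spool directory writable by one user only, as an added example that is not part of the original message and not avcheck's code. The helper names and the `avspool-` directory are hypothetical; the `tmp-<pid>` name follows the pattern quoted above.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: 0 only if dir is a real directory (not a symlink),
 * owned by uid, and not writable by group or other. */
int spool_dir_is_private(const char *dir, uid_t uid)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    if (st.st_uid != uid || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;
    return 0;
}

/* Hypothetical helper: create dir/tmp-<pid>, a predictable name.
 * O_EXCL refuses any existing entry, including a planted symlink. */
int create_spool_file(const char *dir, pid_t pid, char *path, size_t len)
{
    int n = snprintf(path, len, "%s/tmp-%ld", dir, (long)pid);
    if (n < 0 || (size_t)n >= len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

int main(void)
{
    char tmpl[] = "/tmp/avspool-XXXXXX";  /* constructed sample directory */
    char path[512];
    char *dir = mkdtemp(tmpl);            /* created with mode 0700 */
    int fd;

    if (dir == NULL || spool_dir_is_private(dir, geteuid()) != 0)
        return 1;
    fd = create_spool_file(dir, getpid(), path, sizeof path);
    printf("first create: %s\n", fd >= 0 ? "ok" : "refused");
    if (fd >= 0) close(fd);
    fd = create_spool_file(dir, getpid(), path, sizeof path);
    printf("second create: %s\n", fd >= 0 ? "ok" : "refused");
    unlink(path); rmdir(dir);
    return 0;
}
```

Running the directory check at startup and refusing to continue on failure keeps the fixed file names from being pre-created by another local user.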