[Avcheck] avcheck new version ?

Piotr Klaban makler+avcheck at man.torun.pl
Thu Mar 25 18:01:48 MSK 2004


Hi,

It seems that in the near future there should be
a new version of avcheck released.

1. At least it should contain a patch for a new version of drweb.
   Lately I have updated two versions of drweb to 4.31
   and avcheck does not work without a patch. For many
   users it could be hard to look for a patch in the avcheck list...

2. The second patch would be Clamav support patch.

3. The third patch - update for KAV 5.x (I do not know anything
   about KAV 5.x).

4. The fourth update - uchroot fix - I send it in a separate e-mail.


I have also thought of a new functionality. Because
Sophos here was far behind Clamav at virus catching,
I think the avcheck interface could/should be changed
to support multiple antivirus programs. I think it would help
to spread the free open-source ClamAV.

Possible advantages:

  1. [CASCADING]

     avcheck -s Clamav:/var/spool/clamav/./var/run/clamd.sock \
             -s Sophie:/var/spool/sophie/./var/run/sophie

     You can install ClamAV, update avcheck and have two antivirus
     programs running on the same host: one commercial and one free.
     You do not need to create two separate filters in postfix.

  2. [REDUNDANCY]

     avcheck -s Clamav:/topdir/./var/run/clamd.sock,Sophie:/stopdir/./var/run/sophie
     avcheck -s Clamav:/topdir/./var/run/sophie,Sophie:/2topdir/./var/run/sophie

     You can run two instances of the same (or not the same) antivirus
     programs for redundancy. If the first does not work
     (because of a misconfiguration, wrong virus database update,
     short on RAM etc.) then avcheck would try to connect
     to the second instance.

  3. [BOTH]

     avcheck -s type:1topdir/1socket,type:2topdir/2socket -s type:3topdir/3socket

I have changed the following in the avcheck interface:

a) '-d /var/spool/clamav/./tst' would not contain the chrooted directory anymore.
   It is optional and defaults to '-d /tst'. The subdirectory where the checked
   emails are stored is the same for all the antivirus configurations.
   E.g.: there should be /var/spool/sophie/tst and /var/spool/clamav/tst
   NOTE: both tst directories MUST be located on the same device, since
   for moving files between /tst subdirectories I use the link() syscall.

b) the '-s' option can be specified multiple times (for cascading virus checking)
   and can contain multiple engines separated with a comma (for redundancy).
   The engine definition is different now (not backward compatible):

   -s Type:/ChrootedDir/./SocketPath
   -s Type:IP.NUM.BER:PORT/ChrootedDir

c) the new '-a' option to continue scanning after the first virus is found.
   I.e. if Clamav would find a virus, avcheck would stop scanning.
   With the '-a' option avcheck would continue scanning the e-mail with the next antivirus program.
   It could be used just for statistics or for comparison etc.

What do you think of that?
Is the cascading and redundancy needed?
Should the engine definition format be changed?

BTW: maybe scan_PROG functions should be moved to separate files,
as a type of modules?

-- 
Piotr Klaban
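
The option grammar proposed in the message above, modelled as an added example (not code from avcheck or from any of the patches mentioned): repeated -s options become a cascade, each comma-separated list becomes a redundancy group, and a definition that fits neither form is rejected instead of guessed at. The Engine class, the function names, the word-character limit on Type and the dotted-quad IP form are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Engine:                 # hypothetical model, not an avcheck structure
    type: str
    chroot: str               # directory the checker would chroot into
    sock: str = ""            # UNIX socket path as seen inside the chroot
    host: str = ""            # set for the TCP form only
    port: int = 0

# The two definitions given in the message:
#   Type:/ChrootedDir/./SocketPath   and   Type:IP.NUM.BER:PORT/ChrootedDir
UNIX_RE = re.compile(r"(?P<type>\w+):(?P<chroot>/.+?)/\.(?P<sock>/.+)")
TCP_RE = re.compile(r"(?P<type>\w+):(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
                    r":(?P<port>\d{1,5})(?P<chroot>/.+)")

def parse_engine(spec):
    """Parse one engine definition; raise ValueError if it fits neither form."""
    if m := UNIX_RE.fullmatch(spec):
        return Engine(m["type"], m["chroot"], sock=m["sock"])
    if m := TCP_RE.fullmatch(spec):
        port = int(m["port"])
        if 1 <= port <= 65535:
            return Engine(m["type"], m["chroot"], host=m["host"], port=port)
    raise ValueError(f"malformed engine definition: {spec!r}")

def parse_args(argv):
    """Return (cascade, tst_dir, scan_all); only -s, -d and -a are modelled.
    cascade is a list of redundancy groups, each an ordered list of Engine."""
    cascade, tst_dir, scan_all = [], "/tst", False   # '-d' defaults to /tst
    it = iter(argv)
    for opt in it:
        if opt == "-a":                              # keep scanning after a hit
            scan_all = True
        elif opt in ("-s", "-d"):
            val = next(it, None)
            if val is None:
                raise ValueError(f"{opt} needs an argument")
            if opt == "-d":
                tst_dir = val
            else:                                    # comma = fallback order
                cascade.append([parse_engine(s) for s in val.split(",")])
        else:
            raise ValueError(f"unknown option {opt!r}")
    if not cascade:
        raise ValueError("at least one -s engine is required")
    return cascade, tst_dir, scan_all
```

A trailing comma or an untyped path raises ValueError, so a mistyped engine list cannot silently leave mail unscanned by the engine that was meant to check it.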

