1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003 - 2015
7 * Copyright (c) The Exim Maintainers 2017
10 /* Code for calling virus (malware) scanners. Called from acl.c. */
13 #ifdef WITH_CONTENT_SCAN
15 typedef enum {M_FPROTD, M_DRWEB, M_AVES, M_FSEC, M_KAVD, M_CMDL,
16 M_SOPHIE, M_CLAMD, M_SOCK, M_MKSD, M_AVAST, M_FPROT6D} scanner_t;
17 typedef enum {MC_NONE, MC_TCP, MC_UNIX, MC_STRM} contype_t;
22 const uschar * options_default;
26 { M_FPROTD, US"f-protd", US"localhost 10200-10204", MC_TCP },
27 { M_DRWEB, US"drweb", US"/usr/local/drweb/run/drwebd.sock", MC_STRM },
28 { M_AVES, US"aveserver", US"/var/run/aveserver", MC_UNIX },
29 { M_FSEC, US"fsecure", US"/var/run/.fsav", MC_UNIX },
30 { M_KAVD, US"kavdaemon", US"/var/run/AvpCtl", MC_UNIX },
31 { M_CMDL, US"cmdline", NULL, MC_NONE },
32 { M_SOPHIE, US"sophie", US"/var/run/sophie", MC_UNIX },
33 { M_CLAMD, US"clamd", US"/tmp/clamd", MC_NONE },
34 { M_SOCK, US"sock", US"/tmp/malware.sock", MC_STRM },
35 { M_MKSD, US"mksd", NULL, MC_NONE },
36 { M_AVAST, US"avast", US"/var/run/avast/scan.sock", MC_STRM },
37 { M_FPROT6D, US"f-prot6d", US"localhost 10200", MC_TCP },
38 { -1, NULL, NULL, MC_NONE } /* end-marker */
41 /* The maximum number of clamd servers that are supported in the configuration */
42 #define MAX_CLAMD_SERVERS 32
43 #define MAX_CLAMD_SERVERS_S "32"
45 typedef struct clamd_address {
52 # define nelements(arr) (sizeof(arr) / sizeof(arr[0]))
56 #define MALWARE_TIMEOUT 120 /* default timeout, seconds */
59 #define DRWEBD_SCAN_CMD (1) /* scan file, buffer or diskfile */
60 #define DRWEBD_RETURN_VIRUSES (1<<0) /* ask daemon return to us viruses names from report */
61 #define DRWEBD_IS_MAIL (1<<19) /* say to daemon that format is "archive MAIL" */
63 #define DERR_READ_ERR (1<<0) /* read error */
64 #define DERR_NOMEMORY (1<<2) /* no memory */
65 #define DERR_TIMEOUT (1<<9) /* scan timeout has run out */
66 #define DERR_BAD_CALL (1<<15) /* wrong command */
69 static const uschar * malware_regex_default = US ".+";
70 static const pcre * malware_default_re = NULL;
72 static const uschar * drweb_re_str = US "infected\\swith\\s*(.+?)$";
73 static const pcre * drweb_re = NULL;
75 static const uschar * fsec_re_str = US "\\S{0,5}INFECTED\\t[^\\t]*\\t([^\\t]+)\\t\\S*$";
76 static const pcre * fsec_re = NULL;
78 static const uschar * kav_re_sus_str = US "suspicion:\\s*(.+?)\\s*$";
79 static const uschar * kav_re_inf_str = US "infected:\\s*(.+?)\\s*$";
80 static const pcre * kav_re_sus = NULL;
81 static const pcre * kav_re_inf = NULL;
83 static const uschar * ava_re_clean_str = US "(?!\\\\)\\t\\[\\+\\]";
84 static const uschar * ava_re_virus_str = US "(?!\\\\)\\t\\[L\\]\\d\\.\\d\\t\\d\\s(.*)";
85 static const pcre * ava_re_clean = NULL;
86 static const pcre * ava_re_virus = NULL;
88 static const uschar * fprot6d_re_error_str = US "^\\d+\\s<(.+?)>$";
89 static const uschar * fprot6d_re_virus_str = US "^\\d+\\s<infected:\\s+(.+?)>\\s+.+$";
90 static const pcre * fprot6d_re_error = NULL;
91 static const pcre * fprot6d_re_virus = NULL;
95 /******************************************************************************/
97 /* Routine to check whether a system is big- or little-endian.
98 Ripped from http://www.faqs.org/faqs/graphics/fileformats-faq/part4/section-7.html
99 Needed for proper kavdaemon implementation. Sigh. */
100 #define BIG_MY_ENDIAN 0
101 #define LITTLE_MY_ENDIAN 1
102 static int test_byte_order(void);
106 short int word = 0x0001;
107 char *byte = CS &word;
108 return(byte[0] ? LITTLE_MY_ENDIAN : BIG_MY_ENDIAN);
111 BOOL malware_ok = FALSE;
113 /* Gross hacks for the -bmalware option; perhaps we should just create
114 the scan directory normally for that case, but look into rigging up the
115 needed header variables if not already set on the command-line? */
116 extern int spool_mbox_ok;
117 extern uschar spooled_message_id[MESSAGE_ID_LENGTH+1];
122 malware_errlog_defer(const uschar * str)
124 log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: %s", str);
129 m_errlog_defer(struct scan * scanent, const uschar * hostport,
132 return malware_errlog_defer(string_sprintf("%s %s : %s",
133 scanent->name, hostport ? hostport : CUS"", str));
136 m_errlog_defer_3(struct scan * scanent, const uschar * hostport,
137 const uschar * str, int fd_to_close)
139 (void) close(fd_to_close);
140 return m_errlog_defer(scanent, hostport, str);
143 /*************************************************/
145 /* Only used by the Clamav code, which is working from a list of servers and
146 uses the returned in_addr to get a second connection to the same system.
149 m_tcpsocket(const uschar * hostname, unsigned int port,
150 host_item * host, uschar ** errstr, const blob * fastopen_blob)
152 return ip_connectedsocket(SOCK_STREAM, hostname, port, port, 5,
153 host, errstr, fastopen_blob);
157 m_sock_send(int sock, uschar * buf, int cnt, uschar ** errstr)
159 if (send(sock, buf, cnt, 0) < 0)
163 *errstr = string_sprintf("unable to send to socket (%s): %s",
171 m_pcre_compile(const uschar * re, uschar ** errstr)
173 const uschar * rerror;
177 cre = pcre_compile(CS re, PCRE_COPT, (const char **)&rerror, &roffset, NULL);
179 *errstr= string_sprintf("regular expression error in '%s': %s at offset %d",
180 re, rerror, roffset);
185 m_pcre_exec(const pcre * cre, uschar * text)
188 int i = pcre_exec(cre, NULL, CS text, Ustrlen(text), 0, 0,
189 ovector, nelements(ovector));
190 uschar * substr = NULL;
191 if (i >= 2) /* Got it */
192 pcre_get_substring(CS text, ovector, i, 1, (const char **) &substr);
197 m_pcre_nextinlist(const uschar ** list, int * sep,
198 char * listerr, uschar ** errstr)
200 const uschar * list_ele;
201 const pcre * cre = NULL;
203 if (!(list_ele = string_nextinlist(list, sep, NULL, 0)))
204 *errstr = US listerr;
207 DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "RE: ",
208 string_printing(list_ele));
209 cre = m_pcre_compile(CUS list_ele, errstr);
215 Simple though inefficient wrapper for reading a line. Drop CRs and the
216 trailing newline. Can return early on buffer full. Null-terminate.
217 Apply initial timeout if no data ready.
219 Return: number of chars - zero for an empty line
221 -2 on timeout or error
224 recv_line(int fd, uschar * buffer, int bsize, int tmo)
230 if (!fd_ready(fd, tmo-time(NULL)))
233 /*XXX tmo handling assumes we always get a whole line */
236 while ((rcv = read(fd, p, 1)) > 0)
239 if (p-buffer > bsize-2) break;
240 if (*p == '\n') break;
245 DEBUG(D_acl) debug_printf_indent("Malware scan: read %s (%s)\n",
246 rcv==0 ? "EOF" : "error", strerror(errno));
247 return rcv==0 ? -1 : -2;
251 DEBUG(D_acl) debug_printf_indent("Malware scan: read '%s'\n", buffer);
255 /* return TRUE iff size as requested */
257 recv_len(int sock, void * buf, int size, int tmo)
259 return fd_ready(sock, tmo-time(NULL))
260 ? recv(sock, buf, size, 0) == size
266 /* ============= private routines for the "mksd" scanner type ============== */
271 mksd_writev (int sock, struct iovec * iov, int iovcnt)
278 i = writev (sock, iov, iovcnt);
279 while (i < 0 && errno == EINTR);
282 (void) malware_errlog_defer(
283 US"unable to write to mksd UNIX socket (/var/run/mksd/socket)");
286 for (;;) /* check for short write */
287 if (i >= iov->iov_len)
297 iov->iov_base = CS iov->iov_base + i;
304 mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size, int tmo)
311 i = ip_recv(sock, av_buffer+offset, av_buffer_size-offset, tmo-time(NULL));
314 (void) malware_errlog_defer(US"unable to read from mksd UNIX socket (/var/run/mksd/socket)");
319 /* offset == av_buffer_size -> buffer full */
320 if (offset == av_buffer_size)
322 (void) malware_errlog_defer(US"malformed reply received from mksd");
325 } while (av_buffer[offset-1] != '\n');
327 av_buffer[offset] = '\0';
332 mksd_parse_line(struct scan * scanent, char * line)
343 if ((p = strchr (line, '\n')) != NULL)
345 return m_errlog_defer(scanent, NULL,
346 string_sprintf("scanner failed: %s", line));
349 if ((p = strchr (line, '\n')) != NULL)
354 && (p = strchr(line+4, ' ')) != NULL
359 malware_name = string_copy(US line+4);
363 return m_errlog_defer(scanent, NULL,
364 string_sprintf("malformed reply received: %s", line));
369 mksd_scan_packed(struct scan * scanent, int sock, const uschar * scan_filename,
373 const char *cmd = "MSQ\n";
374 uschar av_buffer[1024];
376 iov[0].iov_base = (void *) cmd;
378 iov[1].iov_base = (void *) scan_filename;
379 iov[1].iov_len = Ustrlen(scan_filename);
380 iov[2].iov_base = (void *) (cmd + 3);
383 if (mksd_writev (sock, iov, 3) < 0)
386 if (mksd_read_lines (sock, av_buffer, sizeof (av_buffer), tmo) < 0)
389 return mksd_parse_line (scanent, CS av_buffer);
394 clamd_option(clamd_address * cd, const uschar * optstr, int * subsep)
399 while ((s = string_nextinlist(&optstr, subsep, NULL, 0)))
400 if (Ustrncmp(s, "retry=", 6) == 0)
402 int sec = readconf_readtime((s += 6), '\0', FALSE);
412 /*************************************************
413 * Scan content for malware *
414 *************************************************/
416 /* This is an internal interface for scanning an email; the normal interface
417 is via malware(), or there's malware_in_file() used for testing/debugging.
420 malware_re match condition for "malware="
421 scan_filename the file holding the email to be scanned, if we're faking
422 this up for the -bmalware test, else NULL
423 timeout if nonzero, non-default timeoutl
425 Returns: Exim message processing code (OK, FAIL, DEFER, ...)
426 where true means malware was found (condition applies)
429 malware_internal(const uschar * malware_re, const uschar * scan_filename,
433 const uschar *av_scanner_work = av_scanner;
434 uschar *scanner_name;
435 unsigned long mbox_size;
439 struct scan * scanent;
440 const uschar * scanner_options;
443 uschar * eml_filename, * eml_dir;
446 return FAIL; /* empty means "don't match anything" */
448 /* Ensure the eml mbox file is spooled up */
450 if (!(mbox_file = spool_mbox(&mbox_size, scan_filename, &eml_filename)))
451 return malware_errlog_defer(US"error while creating mbox spool file");
453 /* None of our current scanners need the mbox file as a stream (they use
454 the name), so we can close it right away. Get the directory too. */
456 (void) fclose(mbox_file);
457 eml_dir = string_copyn(eml_filename, Ustrrchr(eml_filename, '/') - eml_filename);
459 /* parse 1st option */
460 if (strcmpic(malware_re, US"false") == 0 || Ustrcmp(malware_re,"0") == 0)
461 return FAIL; /* explicitly no matching */
463 /* special cases (match anything except empty) */
464 if ( strcmpic(malware_re,US"true") == 0
465 || Ustrcmp(malware_re,"*") == 0
466 || Ustrcmp(malware_re,"1") == 0
469 if ( !malware_default_re
470 && !(malware_default_re = m_pcre_compile(malware_regex_default, &errstr)))
471 return malware_errlog_defer(errstr);
472 malware_re = malware_regex_default;
473 re = malware_default_re;
476 /* compile the regex, see if it works */
477 else if (!(re = m_pcre_compile(malware_re, &errstr)))
478 return malware_errlog_defer(errstr);
480 /* if av_scanner starts with a dollar, expand it first */
481 if (*av_scanner == '$')
483 if (!(av_scanner_work = expand_string(av_scanner)))
484 return malware_errlog_defer(
485 string_sprintf("av_scanner starts with $, but expansion failed: %s",
486 expand_string_message));
489 debug_printf_indent("Expanded av_scanner global: %s\n", av_scanner_work);
490 /* disable result caching in this case */
495 /* Do not scan twice (unless av_scanner is dynamic). */
498 /* find the scanner type from the av_scanner option */
499 if (!(scanner_name = string_nextinlist(&av_scanner_work, &sep, NULL, 0)))
500 return malware_errlog_defer(US"av_scanner configuration variable is empty");
501 if (!timeout) timeout = MALWARE_TIMEOUT;
502 tmo = time(NULL) + timeout;
504 for (scanent = m_scans; ; scanent++)
507 return malware_errlog_defer(string_sprintf("unknown scanner type '%s'",
509 if (strcmpic(scanner_name, US scanent->name) != 0)
511 DEBUG(D_acl) debug_printf_indent("Malware scan: %s tmo=%s\n",
512 scanner_name, readconf_printtime(timeout));
514 if (!(scanner_options = string_nextinlist(&av_scanner_work, &sep, NULL, 0)))
515 scanner_options = scanent->options_default;
516 if (scanent->conn == MC_NONE)
519 DEBUG(D_acl) debug_printf_indent("%15s%10s%s\n", "", "socket: ", scanner_options);
520 switch(scanent->conn)
522 case MC_TCP: sock = ip_tcpsocket(scanner_options, &errstr, 5); break;
523 case MC_UNIX: sock = ip_unixsocket(scanner_options, &errstr); break;
524 case MC_STRM: sock = ip_streamsocket(scanner_options, &errstr, 5); break;
525 default: /* compiler quietening */ break;
528 return m_errlog_defer(scanent, CUS callout_address, errstr);
532 switch (scanent->scancode)
534 case M_FPROTD: /* "f-protd" scanner type -------------------------------- */
536 uschar *fp_scan_option;
537 unsigned int detected=0, par_count=0;
538 uschar * scanrequest;
539 uschar buf[32768], *strhelper, *strhelper2;
540 uschar * malware_name_internal = NULL;
543 scanrequest = string_sprintf("GET %s", eml_filename);
545 while ((fp_scan_option = string_nextinlist(&av_scanner_work, &sep,
548 scanrequest = string_sprintf("%s%s%s", scanrequest,
549 par_count ? "%20" : "?", fp_scan_option);
552 scanrequest = string_sprintf("%s HTTP/1.0\r\n\r\n", scanrequest);
553 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s: %s\n",
554 scanner_name, scanrequest);
556 /* send scan request */
557 if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0)
558 return m_errlog_defer(scanent, CUS callout_address, errstr);
560 while ((len = recv_line(sock, buf, sizeof(buf), tmo)) >= 0)
563 if (Ustrstr(buf, US"<detected type=\"") != NULL)
565 else if (detected && (strhelper = Ustrstr(buf, US"<name>")))
567 if ((strhelper2 = Ustrstr(buf, US"</name>")) != NULL)
570 malware_name_internal = string_copy(strhelper+6);
573 else if (Ustrstr(buf, US"<summary code=\""))
575 malware_name = Ustrstr(buf, US"<summary code=\"11\">")
576 ? malware_name_internal : NULL;
588 case M_DRWEB: /* "drweb" scanner type ----------------------------------- */
589 /* v0.1 - added support for tcp sockets */
590 /* v0.0 - initial release -- support for unix sockets */
594 unsigned int fsize_uint;
595 uschar * tmpbuf, *drweb_fbuf;
596 int drweb_rc, drweb_cmd, drweb_flags = 0x0000, drweb_fd,
597 drweb_vnum, drweb_slen, drweb_fin = 0x0000;
599 /* prepare variables */
600 drweb_cmd = htonl(DRWEBD_SCAN_CMD);
601 drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL);
603 if (*scanner_options != '/')
606 if ((drweb_fd = open(CCS eml_filename, O_RDONLY)) == -1)
607 return m_errlog_defer_3(scanent, NULL,
608 string_sprintf("can't open spool file %s: %s",
609 eml_filename, strerror(errno)),
612 if ((fsize = lseek(drweb_fd, 0, SEEK_END)) == -1)
615 badseek: err = errno;
616 (void)close(drweb_fd);
617 return m_errlog_defer_3(scanent, NULL,
618 string_sprintf("can't seek spool file %s: %s",
619 eml_filename, strerror(err)),
622 fsize_uint = (unsigned int) fsize;
623 if ((off_t)fsize_uint != fsize)
625 (void)close(drweb_fd);
626 return m_errlog_defer_3(scanent, NULL,
627 string_sprintf("seeking spool file %s, size overflow",
631 drweb_slen = htonl(fsize);
632 if (lseek(drweb_fd, 0, SEEK_SET) < 0)
635 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s remote scan [%s]\n",
636 scanner_name, scanner_options);
638 /* send scan request */
639 if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
640 (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
641 (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0) ||
642 (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0))
644 (void)close(drweb_fd);
645 return m_errlog_defer_3(scanent, CUS callout_address, string_sprintf(
646 "unable to send commands to socket (%s)", scanner_options),
650 if (!(drweb_fbuf = US malloc(fsize_uint)))
652 (void)close(drweb_fd);
653 return m_errlog_defer_3(scanent, NULL,
654 string_sprintf("unable to allocate memory %u for file (%s)",
655 fsize_uint, eml_filename),
659 if ((result = read (drweb_fd, drweb_fbuf, fsize)) == -1)
662 (void)close(drweb_fd);
664 return m_errlog_defer_3(scanent, NULL,
665 string_sprintf("can't read spool file %s: %s",
666 eml_filename, strerror(err)),
669 (void)close(drweb_fd);
671 /* send file body to socket */
672 if (send(sock, drweb_fbuf, fsize, 0) < 0)
675 return m_errlog_defer_3(scanent, CUS callout_address, string_sprintf(
676 "unable to send file body to socket (%s)", scanner_options),
682 drweb_slen = htonl(Ustrlen(eml_filename));
684 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s local scan [%s]\n",
685 scanner_name, scanner_options);
687 /* send scan request */
688 if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
689 (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
690 (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0) ||
691 (send(sock, eml_filename, Ustrlen(eml_filename), 0) < 0) ||
692 (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0))
693 return m_errlog_defer_3(scanent, CUS callout_address, string_sprintf(
694 "unable to send commands to socket (%s)", scanner_options),
698 /* wait for result */
699 if (!recv_len(sock, &drweb_rc, sizeof(drweb_rc), tmo))
700 return m_errlog_defer_3(scanent, CUS callout_address,
701 US"unable to read return code", sock);
702 drweb_rc = ntohl(drweb_rc);
704 if (!recv_len(sock, &drweb_vnum, sizeof(drweb_vnum), tmo))
705 return m_errlog_defer_3(scanent, CUS callout_address,
706 US"unable to read the number of viruses", sock);
707 drweb_vnum = ntohl(drweb_vnum);
709 /* "virus(es) found" if virus number is > 0 */
715 /* setup default virus name */
716 malware_name = US"unknown";
718 /* set up match regex */
720 drweb_re = m_pcre_compile(drweb_re_str, &errstr);
722 /* read and concatenate virus names into one string */
723 for (i = 0; i < drweb_vnum; i++)
727 /* read the size of report */
728 if (!recv_len(sock, &drweb_slen, sizeof(drweb_slen), tmo))
729 return m_errlog_defer_3(scanent, CUS callout_address,
730 US"cannot read report size", sock);
731 drweb_slen = ntohl(drweb_slen);
732 tmpbuf = store_get(drweb_slen);
734 /* read report body */
735 if (!recv_len(sock, tmpbuf, drweb_slen, tmo))
736 return m_errlog_defer_3(scanent, CUS callout_address,
737 US"cannot read report string", sock);
738 tmpbuf[drweb_slen] = '\0';
740 /* try matcher on the line, grab substring */
741 result = pcre_exec(drweb_re, NULL, CS tmpbuf, Ustrlen(tmpbuf), 0, 0,
742 ovector, nelements(ovector));
745 const char * pre_malware_nb;
747 pcre_get_substring(CS tmpbuf, ovector, result, 1, &pre_malware_nb);
749 if (i==0) /* the first name we just copy to malware_name */
750 g = string_cat(NULL, US pre_malware_nb);
752 /*XXX could be string_append_listele? */
753 else /* concatenate each new virus name to previous */
754 g = string_append(g, 2, "/", pre_malware_nb);
756 pcre_free_substring(pre_malware_nb);
759 malware_name = string_from_gstring(g);
763 const char *drweb_s = NULL;
765 if (drweb_rc & DERR_READ_ERR) drweb_s = "read error";
766 if (drweb_rc & DERR_NOMEMORY) drweb_s = "no memory";
767 if (drweb_rc & DERR_TIMEOUT) drweb_s = "timeout";
768 if (drweb_rc & DERR_BAD_CALL) drweb_s = "wrong command";
769 /* retcodes DERR_SYMLINK, DERR_NO_REGFILE, DERR_SKIPPED.
770 * DERR_TOO_BIG, DERR_TOO_COMPRESSED, DERR_SPAM,
771 * DERR_CRC_ERROR, DERR_READSOCKET, DERR_WRITE_ERR
772 * and others are ignored */
774 return m_errlog_defer_3(scanent, CUS callout_address,
775 string_sprintf("drweb daemon retcode 0x%x (%s)", drweb_rc, drweb_s),
784 case M_AVES: /* "aveserver" scanner type -------------------------------- */
789 /* read aveserver's greeting and see if it is ready (2xx greeting) */
791 recv_line(sock, buf, sizeof(buf), tmo);
793 if (buf[0] != '2') /* aveserver is having problems */
794 return m_errlog_defer_3(scanent, CUS callout_address,
795 string_sprintf("unavailable (Responded: %s).",
796 ((buf[0] != 0) ? buf : US "nothing") ),
799 /* prepare our command */
800 (void)string_format(buf, sizeof(buf), "SCAN bPQRSTUW %s\r\n",
804 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s %s\n",
806 if (m_sock_send(sock, buf, Ustrlen(buf), &errstr) < 0)
807 return m_errlog_defer(scanent, CUS callout_address, errstr);
811 /* read response lines, find malware name and final response */
812 while (recv_line(sock, buf, sizeof(buf), tmo) > 0)
816 if (buf[0] == '5') /* aveserver is having problems */
818 result = m_errlog_defer(scanent, CUS callout_address,
819 string_sprintf("unable to scan file %s (Responded: %s).",
823 if (Ustrncmp(buf,"322",3) == 0)
825 uschar *p = Ustrchr(&buf[4], ' ');
827 malware_name = string_copy(&buf[4]);
831 if (m_sock_send(sock, US"quit\r\n", 6, &errstr) < 0)
832 return m_errlog_defer(scanent, CUS callout_address, errstr);
834 /* read aveserver's greeting and see if it is ready (2xx greeting) */
836 recv_line(sock, buf, sizeof(buf), tmo);
838 if (buf[0] != '2') /* aveserver is having problems */
839 return m_errlog_defer_3(scanent, CUS callout_address,
840 string_sprintf("unable to quit dialogue (Responded: %s).",
841 ((buf[0] != 0) ? buf : US "nothing") ),
852 case M_FSEC: /* "fsecure" scanner type ---------------------------------- */
856 uschar av_buffer[1024];
857 static uschar *cmdopt[] = { US"CONFIGURE\tARCHIVE\t1\n",
858 US"CONFIGURE\tTIMEOUT\t0\n",
859 US"CONFIGURE\tMAXARCH\t5\n",
860 US"CONFIGURE\tMIME\t1\n" };
864 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
865 scanner_name, scanner_options);
867 memset(av_buffer, 0, sizeof(av_buffer));
868 for (i = 0; i != nelements(cmdopt); i++)
871 if (m_sock_send(sock, cmdopt[i], Ustrlen(cmdopt[i]), &errstr) < 0)
872 return m_errlog_defer(scanent, CUS callout_address, errstr);
874 bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
875 if (bread > 0) av_buffer[bread]='\0';
877 return m_errlog_defer_3(scanent, CUS callout_address,
878 string_sprintf("unable to read answer %d (%s)", i, strerror(errno)),
880 for (j = 0; j < bread; j++)
881 if (av_buffer[j] == '\r' || av_buffer[j] == '\n')
885 /* pass the mailfile to fsecure */
886 file_name = string_sprintf("SCAN\t%s\n", eml_filename);
888 if (m_sock_send(sock, file_name, Ustrlen(file_name), &errstr) < 0)
889 return m_errlog_defer(scanent, CUS callout_address, errstr);
892 /* todo also SUSPICION\t */
894 fsec_re = m_pcre_compile(fsec_re_str, &errstr);
896 /* read report, linewise. Apply a timeout as the Fsecure daemon
897 sometimes wants an answer to "PING" but they won't tell us what */
899 uschar * p = av_buffer;
905 i = av_buffer+sizeof(av_buffer)-p;
906 if ((bread= ip_recv(sock, p, i-1, tmo-time(NULL))) < 0)
907 return m_errlog_defer_3(scanent, CUS callout_address,
908 string_sprintf("unable to read result (%s)", strerror(errno)),
911 for (p[bread] = '\0'; (q = Ustrchr(p, '\n')); p = q+1)
915 /* Really search for virus again? */
917 /* try matcher on the line, grab substring */
918 malware_name = m_pcre_exec(fsec_re, p);
920 if (Ustrstr(p, "OK\tScan ok."))
924 /* copy down the trailing partial line then read another chunk */
925 i = av_buffer+sizeof(av_buffer)-p;
926 memmove(av_buffer, p, i);
935 case M_KAVD: /* "kavdaemon" scanner type -------------------------------- */
939 uschar * scanrequest;
941 unsigned long kav_reportlen;
946 /* get current date and time, build scan request */
948 /* pdp note: before the eml_filename parameter, this scanned the
949 directory; not finding documentation, so we'll strip off the directory.
950 The side-effect is that the test framework scanning may end up in
951 scanning more than was requested, but for the normal interface, this is
954 strftime(CS tmpbuf, sizeof(tmpbuf), "%d %b %H:%M:%S", localtime(&t));
955 scanrequest = string_sprintf("<0>%s:%s", CS tmpbuf, eml_filename);
956 p = Ustrrchr(scanrequest, '/');
960 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
961 scanner_name, scanner_options);
963 /* send scan request */
964 if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0)
965 return m_errlog_defer(scanent, CUS callout_address, errstr);
967 /* wait for result */
968 if (!recv_len(sock, tmpbuf, 2, tmo))
969 return m_errlog_defer_3(scanent, CUS callout_address,
970 US"unable to read 2 bytes from socket.", sock);
972 /* get errorcode from one nibble */
973 kav_rc = tmpbuf[ test_byte_order()==LITTLE_MY_ENDIAN ? 0 : 1 ] & 0x0F;
976 case 5: case 6: /* improper kavdaemon configuration */
977 return m_errlog_defer_3(scanent, CUS callout_address,
978 US"please reconfigure kavdaemon to NOT disinfect or remove infected files.",
981 return m_errlog_defer_3(scanent, CUS callout_address,
982 US"reported 'scanning not completed' (code 1).", sock);
984 return m_errlog_defer_3(scanent, CUS callout_address,
985 US"reported 'kavdaemon damaged' (code 7).", sock);
988 /* code 8 is not handled, since it is ambiguous. It appears mostly on
989 bounces where part of a file has been cut off */
991 /* "virus found" return codes (2-4) */
992 if (kav_rc > 1 && kav_rc < 5)
996 /* setup default virus name */
997 malware_name = US"unknown";
999 report_flag = tmpbuf[ test_byte_order() == LITTLE_MY_ENDIAN ? 1 : 0 ];
1001 /* read the report, if available */
1002 if (report_flag == 1)
1004 /* read report size */
1005 if (!recv_len(sock, &kav_reportlen, 4, tmo))
1006 return m_errlog_defer_3(scanent, CUS callout_address,
1007 US"cannot read report size", sock);
1009 /* it's possible that avp returns av_buffer[1] == 1 but the
1010 reportsize is 0 (!?) */
1011 if (kav_reportlen > 0)
1013 /* set up match regex, depends on retcode */
1016 if (!kav_re_sus) kav_re_sus = m_pcre_compile(kav_re_sus_str, &errstr);
1017 kav_re = kav_re_sus;
1021 if (!kav_re_inf) kav_re_inf = m_pcre_compile(kav_re_inf_str, &errstr);
1022 kav_re = kav_re_inf;
1025 /* read report, linewise. Using size from stream to read amount of data
1026 from same stream is safe enough. */
1027 /* coverity[tainted_data] */
1028 while (kav_reportlen > 0)
1030 if ((bread = recv_line(sock, tmpbuf, sizeof(tmpbuf), tmo)) < 0)
1032 kav_reportlen -= bread+1;
1034 /* try matcher on the line, grab substring */
1035 if ((malware_name = m_pcre_exec(kav_re, tmpbuf)))
1041 else /* no virus found */
1042 malware_name = NULL;
1047 case M_CMDL: /* "cmdline" scanner type ---------------------------------- */
1049 const uschar *cmdline_scanner = scanner_options;
1050 const pcre *cmdline_trigger_re;
1051 const pcre *cmdline_regex_re;
1053 uschar * commandline;
1054 void (*eximsigchld)(int);
1055 void (*eximsigpipe)(int);
1056 FILE *scanner_out = NULL;
1058 FILE *scanner_record = NULL;
1059 uschar linebuffer[32767];
1064 if (!cmdline_scanner)
1065 return m_errlog_defer(scanent, NULL, errstr);
1067 /* find scanner output trigger */
1068 cmdline_trigger_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1069 "missing trigger specification", &errstr);
1070 if (!cmdline_trigger_re)
1071 return m_errlog_defer(scanent, NULL, errstr);
1073 /* find scanner name regex */
1074 cmdline_regex_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1075 "missing virus name regex specification", &errstr);
1076 if (!cmdline_regex_re)
1077 return m_errlog_defer(scanent, NULL, errstr);
1079 /* prepare scanner call; despite the naming, file_name holds a directory
1080 name which is documented as the value given to %s. */
1082 file_name = string_copy(eml_filename);
1083 p = Ustrrchr(file_name, '/');
1086 commandline = string_sprintf(CS cmdline_scanner, file_name);
1088 /* redirect STDERR too */
1089 commandline = string_sprintf("%s 2>&1", commandline);
1091 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
1092 scanner_name, commandline);
1094 /* store exims signal handlers */
1095 eximsigchld = signal(SIGCHLD,SIG_DFL);
1096 eximsigpipe = signal(SIGPIPE,SIG_DFL);
1098 if (!(scanner_out = popen(CS commandline,"r")))
1101 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1102 return m_errlog_defer(scanent, NULL,
1103 string_sprintf("call (%s) failed: %s.", commandline, strerror(err)));
1105 scanner_fd = fileno(scanner_out);
1107 file_name = string_sprintf("%s/%s_scanner_output", eml_dir, message_id);
1109 if (!(scanner_record = modefopen(file_name, "wb", SPOOL_MODE)))
1112 (void) pclose(scanner_out);
1113 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1114 return m_errlog_defer(scanent, NULL, string_sprintf(
1115 "opening scanner output file (%s) failed: %s.",
1116 file_name, strerror(err)));
1119 /* look for trigger while recording output */
1120 while ((rcnt = recv_line(scanner_fd, linebuffer,
1121 sizeof(linebuffer), tmo)))
1128 (void) pclose(scanner_out);
1129 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1130 return m_errlog_defer(scanent, NULL, string_sprintf(
1131 "unable to read from scanner (%s): %s",
1132 commandline, strerror(err)));
1135 if (Ustrlen(linebuffer) > fwrite(linebuffer, 1, Ustrlen(linebuffer), scanner_record))
1138 (void) pclose(scanner_out);
1139 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1140 return m_errlog_defer(scanent, NULL, string_sprintf(
1141 "short write on scanner output file (%s).", file_name));
1143 putc('\n', scanner_record);
1144 /* try trigger match */
1146 && regex_match_and_setup(cmdline_trigger_re, linebuffer, 0, -1)
1151 (void)fclose(scanner_record);
1152 sep = pclose(scanner_out);
1153 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1155 return m_errlog_defer(scanent, NULL,
1157 ? string_sprintf("running scanner failed: %s", strerror(sep))
1158 : string_sprintf("scanner returned error code: %d", sep));
1163 /* setup default virus name */
1164 malware_name = US"unknown";
1166 /* re-open the scanner output file, look for name match */
1167 scanner_record = fopen(CS file_name, "rb");
1168 while (fgets(CS linebuffer, sizeof(linebuffer), scanner_record))
1171 if ((s = m_pcre_exec(cmdline_regex_re, linebuffer)))
1174 (void)fclose(scanner_record);
1176 else /* no virus found */
1177 malware_name = NULL;
1181 case M_SOPHIE: /* "sophie" scanner type --------------------------------- */
1186 uschar av_buffer[1024];
1188 /* pass the scan directory to sophie */
1189 file_name = string_copy(eml_filename);
1190 if ((p = Ustrrchr(file_name, '/')))
1193 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
1194 scanner_name, scanner_options);
1196 if ( write(sock, file_name, Ustrlen(file_name)) < 0
1197 || write(sock, "\n", 1) != 1
1199 return m_errlog_defer_3(scanent, CUS callout_address,
1200 string_sprintf("unable to write to UNIX socket (%s)", scanner_options),
1203 /* wait for result */
1204 memset(av_buffer, 0, sizeof(av_buffer));
1205 if ((bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL))) <= 0)
1206 return m_errlog_defer_3(scanent, CUS callout_address,
1207 string_sprintf("unable to read from UNIX socket (%s)", scanner_options),
1211 if (av_buffer[0] == '1') {
1212 uschar * s = Ustrchr(av_buffer, '\n');
1215 malware_name = string_copy(&av_buffer[2]);
1217 else if (!strncmp(CS av_buffer, "-1", 2))
1218 return m_errlog_defer_3(scanent, CUS callout_address,
1219 US"scanner reported error", sock);
1220 else /* all ok, no virus */
1221 malware_name = NULL;
1226 case M_CLAMD: /* "clamd" scanner type ----------------------------------- */
1228 /* This code was originally contributed by David Saez */
1229 /* There are three scanning methods available to us:
1230 * (1) Use the SCAN command, pointing to a file in the filesystem
1231 * (2) Use the STREAM command, send the data on a separate port
1232 * (3) Use the zINSTREAM command, send the data inline
1233 * The zINSTREAM command was introduced with ClamAV 0.95, which marked
1234 * STREAM deprecated; see: http://wiki.clamav.net/bin/view/Main/UpgradeNotes095
1235 * In Exim, we use SCAN if using a Unix-domain socket or explicitly told that
1236 * the TCP-connected daemon is actually local; otherwise we use zINSTREAM unless
1237 * WITH_OLD_CLAMAV_STREAM is defined.
1238 * See Exim bug 926 for details. */
1240 uschar *p, *vname, *result_tag;
1242 uschar av_buffer[1024];
1243 uschar *hostname = US"";
1245 uschar *clamav_fbuf;
1246 int clam_fd, result;
1248 unsigned int fsize_uint;
1249 BOOL use_scan_command = FALSE;
1250 clamd_address * cv[MAX_CLAMD_SERVERS];
1251 int num_servers = 0;
1252 #ifdef WITH_OLD_CLAMAV_STREAM
1254 uschar av_buffer2[1024];
1257 uint32_t send_size, send_final_zeroblock;
1261 /*XXX if unixdomain socket, only one server supported. Needs fixing;
1262 there's no reason we should not mix local and remote servers */
1264 if (*scanner_options == '/')
1267 const uschar * sublist;
1270 /* Local file; so we def want to use_scan_command and don't want to try
1271 * passing IP/port combinations */
1272 use_scan_command = TRUE;
1273 cd = (clamd_address *) store_get(sizeof(clamd_address));
1275 /* extract socket-path part */
1276 sublist = scanner_options;
1277 cd->hostspec = string_nextinlist(&sublist, &subsep, NULL, 0);
1280 if (clamd_option(cd, sublist, &subsep) != OK)
1281 return m_errlog_defer(scanent, NULL,
1282 string_sprintf("bad option '%s'", scanner_options));
1287 /* Go through the rest of the list of host/port and construct an array
1288 * of servers to try. The first one is the bit we just passed from
1289 * scanner_options so process that first and then scan the remainder of
1290 * the address buffer */
1294 const uschar * sublist;
1298 /* The 'local' option means use the SCAN command over the network
1299 * socket (ie common file storage in use) */
1300 /*XXX we could accept this also as a local option? */
1301 if (strcmpic(scanner_options, US"local") == 0)
1303 use_scan_command = TRUE;
1307 cd = (clamd_address *) store_get(sizeof(clamd_address));
1309 /* extract host and port part */
1310 sublist = scanner_options;
1311 if (!(cd->hostspec = string_nextinlist(&sublist, &subsep, NULL, 0)))
1313 (void) m_errlog_defer(scanent, NULL,
1314 string_sprintf("missing address: '%s'", scanner_options));
1317 if (!(s = string_nextinlist(&sublist, &subsep, NULL, 0)))
1319 (void) m_errlog_defer(scanent, NULL,
1320 string_sprintf("missing port: '%s'", scanner_options));
1323 cd->tcp_port = atoi(CS s);
1326 /*XXX should these options be common over scanner types? */
1327 if (clamd_option(cd, sublist, &subsep) != OK)
1328 return m_errlog_defer(scanent, NULL,
1329 string_sprintf("bad option '%s'", scanner_options));
1331 cv[num_servers++] = cd;
1332 if (num_servers >= MAX_CLAMD_SERVERS)
1334 (void) m_errlog_defer(scanent, NULL,
1335 US"More than " MAX_CLAMD_SERVERS_S " clamd servers "
1336 "specified; only using the first " MAX_CLAMD_SERVERS_S );
1339 } while ((scanner_options = string_nextinlist(&av_scanner_work, &sep,
1342 /* check if we have at least one server */
1344 return m_errlog_defer(scanent, NULL,
1345 US"no useable server addresses in malware configuration option.");
1348 /* See the discussion of response formats below to see why we really
1349 don't like colons in filenames when passing filenames to ClamAV. */
1350 if (use_scan_command && Ustrchr(eml_filename, ':'))
1351 return m_errlog_defer(scanent, NULL,
1352 string_sprintf("local/SCAN mode incompatible with" \
1353 " : in path to email filename [%s]", eml_filename));
1355 /* Set up the very first data we will be sending */
1356 if (!use_scan_command)
1357 #ifdef WITH_OLD_CLAMAV_STREAM
1358 { cmd_str.data = US"STREAM\n"; cmd_str.len = 7; }
1360 { cmd_str.data = US"zINSTREAM"; cmd_str.len = 10; }
1364 cmd_str.data = string_sprintf("SCAN %s\n", eml_filename);
1365 cmd_str.len = Ustrlen(cmd_str.data);
1368 /* We have some network servers specified */
1371 /* Confirmed in ClamAV source (0.95.3) that the TCPAddr option of clamd
1372 * only supports AF_INET, but we should probably be looking to the
1373 * future and rewriting this to be protocol-independent anyway. */
1375 while (num_servers > 0)
1377 int i = random_number(num_servers);
1378 clamd_address * cd = cv[i];
1380 DEBUG(D_acl) debug_printf_indent("trying server name %s, port %u\n",
1381 cd->hostspec, cd->tcp_port);
1383 /* Lookup the host. This is to ensure that we connect to the same IP
1384 * on both connections (as one host could resolve to multiple ips) */
1387 if ((sock = m_tcpsocket(cd->hostspec, cd->tcp_port,
1388 &connhost, &errstr, &cmd_str)) >= 0)
1390 /* Connection successfully established with a server */
1391 hostname = cd->hostspec;
1395 if (cd->retry <= 0) break;
1396 while (cd->retry > 0) cd->retry = sleep(cd->retry);
1401 (void) m_errlog_defer(scanent, CUS callout_address, errstr);
1403 /* Remove the server from the list. XXX We should free the memory */
1405 for (; i < num_servers; i++)
1409 if (num_servers == 0)
1410 return m_errlog_defer(scanent, NULL, US"all servers failed");
1415 if ((sock = ip_unixsocket(cv[0]->hostspec, &errstr)) >= 0)
1417 hostname = cv[0]->hostspec;
1420 if (cv[0]->retry <= 0)
1421 return m_errlog_defer(scanent, CUS callout_address, errstr);
1422 while (cv[0]->retry > 0) cv[0]->retry = sleep(cv[0]->retry);
1425 /* have socket in variable "sock"; command to use is semi-independent of
1426 * the socket protocol. We use SCAN if is local (either Unix/local
1427 * domain socket, or explicitly told local) else we stream the data.
1428 * How we stream the data depends upon how we were built. */
1430 if (!use_scan_command)
1432 #ifdef WITH_OLD_CLAMAV_STREAM
1433 /* "STREAM\n" command, get back a "PORT <N>\n" response, send data to
1434 * that port on a second connection; then in the scan-method-neutral
1435 * part, read the response back on the original connection. */
1437 DEBUG(D_acl) debug_printf_indent(
1438 "Malware scan: issuing %s old-style remote scan (PORT)\n",
1441 /* Pass the string to ClamAV (7 = "STREAM\n"), if not already sent */
1443 if (m_sock_send(sock, cmd_str.data, cmd_str.len, &errstr) < 0)
1444 return m_errlog_defer(scanent, CUS callout_address, errstr);
1446 memset(av_buffer2, 0, sizeof(av_buffer2));
1447 bread = ip_recv(sock, av_buffer2, sizeof(av_buffer2), tmo-time(NULL));
1450 return m_errlog_defer_3(scanent, CUS callout_address,
1451 string_sprintf("unable to read PORT from socket (%s)",
1455 if (bread == sizeof(av_buffer2))
1456 return m_errlog_defer_3(scanent, CUS callout_address,
1457 "buffer too small", sock);
1460 return m_errlog_defer_3(scanent, CUS callout_address,
1461 "ClamAV returned null", sock);
1463 av_buffer2[bread] = '\0';
1464 if(sscanf(CS av_buffer2, "PORT %u\n", &port) != 1)
1465 return m_errlog_defer_3(scanent, CUS callout_address,
1466 string_sprintf("Expected port information from clamd, got '%s'",
1470 sockData = m_tcpsocket(connhost.address, port, NULL, &errstr, NULL);
1472 return m_errlog_defer_3(scanent, CUS callout_address, errstr, sock);
1474 # define CLOSE_SOCKDATA (void)close(sockData)
1475 #else /* WITH_OLD_CLAMAV_STREAM not defined */
1476 /* New protocol: "zINSTREAM\n" followed by a sequence of <length><data>
1477 chunks, <n> a 4-byte number (network order), terminated by a zero-length
1480 DEBUG(D_acl) debug_printf_indent(
1481 "Malware scan: issuing %s new-style remote scan (zINSTREAM)\n",
1484 /* Pass the string to ClamAV (10 = "zINSTREAM\0"), if not already sent */
1486 if (send(sock, cmd_str.data, cmd_str.len, 0) < 0)
1487 return m_errlog_defer_3(scanent, CUS hostname,
1488 string_sprintf("unable to send zINSTREAM to socket (%s)",
1492 # define CLOSE_SOCKDATA /**/
1495 /* calc file size */
1496 if ((clam_fd = open(CS eml_filename, O_RDONLY)) < 0)
1500 return m_errlog_defer_3(scanent, NULL,
1501 string_sprintf("can't open spool file %s: %s",
1502 eml_filename, strerror(err)),
1505 if ((fsize = lseek(clam_fd, 0, SEEK_END)) < 0)
1508 b_seek: err = errno;
1509 CLOSE_SOCKDATA; (void)close(clam_fd);
1510 return m_errlog_defer_3(scanent, NULL,
1511 string_sprintf("can't seek spool file %s: %s",
1512 eml_filename, strerror(err)),
1515 fsize_uint = (unsigned int) fsize;
1516 if ((off_t)fsize_uint != fsize)
1518 CLOSE_SOCKDATA; (void)close(clam_fd);
1519 return m_errlog_defer_3(scanent, NULL,
1520 string_sprintf("seeking spool file %s, size overflow",
1524 if (lseek(clam_fd, 0, SEEK_SET) < 0)
1527 if (!(clamav_fbuf = US malloc(fsize_uint)))
1529 CLOSE_SOCKDATA; (void)close(clam_fd);
1530 return m_errlog_defer_3(scanent, NULL,
1531 string_sprintf("unable to allocate memory %u for file (%s)",
1532 fsize_uint, eml_filename),
1536 if ((result = read(clam_fd, clamav_fbuf, fsize_uint)) < 0)
1539 free(clamav_fbuf); CLOSE_SOCKDATA; (void)close(clam_fd);
1540 return m_errlog_defer_3(scanent, NULL,
1541 string_sprintf("can't read spool file %s: %s",
1542 eml_filename, strerror(err)),
1545 (void)close(clam_fd);
1547 /* send file body to socket */
1548 #ifdef WITH_OLD_CLAMAV_STREAM
1549 if (send(sockData, clamav_fbuf, fsize_uint, 0) < 0)
1551 free(clamav_fbuf); CLOSE_SOCKDATA;
1552 return m_errlog_defer_3(scanent, NULL,
1553 string_sprintf("unable to send file body to socket (%s:%u)",
1558 send_size = htonl(fsize_uint);
1559 send_final_zeroblock = 0;
1560 if ((send(sock, &send_size, sizeof(send_size), 0) < 0) ||
1561 (send(sock, clamav_fbuf, fsize_uint, 0) < 0) ||
1562 (send(sock, &send_final_zeroblock, sizeof(send_final_zeroblock), 0) < 0))
1565 return m_errlog_defer_3(scanent, NULL,
1566 string_sprintf("unable to send file body to socket (%s)", hostname),
1574 #undef CLOSE_SOCKDATA
1577 { /* use scan command */
1578 /* Send a SCAN command pointing to a filename; then in the then in the
1579 * scan-method-neutral part, read the response back */
1581 /* ================================================================= */
1583 /* Prior to the reworking post-Exim-4.72, this scanned a directory,
1584 which dates to when ClamAV needed us to break apart the email into the
1585 MIME parts (eg, with the now deprecated demime condition coming first).
1586 Some time back, ClamAV gained the ability to deconstruct the emails, so
1587 doing this would actually have resulted in the mail attachments being
1588 scanned twice, in the broken out files and from the original .eml.
1589 Since ClamAV now handles emails (and has for quite some time) we can
1590 just use the email file itself. */
1591 /* Pass the string to ClamAV (7 = "SCAN \n" + \0), if not already sent */
1593 DEBUG(D_acl) debug_printf_indent(
1594 "Malware scan: issuing %s local-path scan [%s]\n",
1595 scanner_name, scanner_options);
1598 if (send(sock, cmd_str.data, cmd_str.len, 0) < 0)
1599 return m_errlog_defer_3(scanent, CUS callout_address,
1600 string_sprintf("unable to write to socket (%s)", strerror(errno)),
1603 /* Do not shut down the socket for writing; a user report noted that
1604 * clamd 0.70 does not react well to this. */
1606 /* Commands have been sent, no matter which scan method or connection
1607 * type we're using; now just read the result, independent of method. */
1609 /* Read the result */
1610 memset(av_buffer, 0, sizeof(av_buffer));
1611 bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
1616 return m_errlog_defer(scanent, CUS callout_address,
1617 string_sprintf("unable to read from socket (%s)",
1618 errno == 0 ? "EOF" : strerror(errno)));
1620 if (bread == sizeof(av_buffer))
1621 return m_errlog_defer(scanent, CUS callout_address,
1622 US"buffer too small");
1623 /* We're now assured of a NULL at the end of av_buffer */
1625 /* Check the result. ClamAV returns one of two result formats.
1626 In the basic mode, the response is of the form:
1627 infected: -> "<filename>: <virusname> FOUND"
1628 not-infected: -> "<filename>: OK"
1629 error: -> "<filename>: <errcode> ERROR
1630 If the ExtendedDetectionInfo option has been turned on, then we get:
1631 "<filename>: <virusname>(<virushash>:<virussize>) FOUND"
1632 for the infected case. Compare:
1633 /tmp/eicar.com: Eicar-Test-Signature FOUND
1634 /tmp/eicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
1636 In the streaming case, clamd uses the filename "stream" which you should
1637 be able to verify with { ktrace clamdscan --stream /tmp/eicar.com }. (The
1638 client app will replace "stream" with the original filename before returning
1639 results to stdout, but the trace shows the data).
1641 We will assume that the pathname passed to clamd from Exim does not contain
1642 a colon. We will have whined loudly above if the eml_filename does (and we're
1643 passing a filename to clamd). */
1646 return m_errlog_defer(scanent, CUS callout_address,
1647 US"ClamAV returned null");
1649 /* strip newline at the end (won't be present for zINSTREAM)
1650 (also any trailing whitespace, which shouldn't exist, but we depend upon
1651 this below, so double-check) */
1652 p = av_buffer + Ustrlen(av_buffer) - 1;
1653 if (*p == '\n') *p = '\0';
1655 DEBUG(D_acl) debug_printf_indent("Malware response: %s\n", av_buffer);
1657 while (isspace(*--p) && (p > av_buffer))
1661 /* colon in returned output? */
1662 if(!(p = Ustrchr(av_buffer,':')))
1663 return m_errlog_defer(scanent, CUS callout_address, string_sprintf(
1664 "ClamAV returned malformed result (missing colon): %s",
1667 /* strip filename */
1668 while (*p && isspace(*++p)) /**/;
1671 /* It would be bad to encounter a virus with "FOUND" in part of the name,
1672 but we should at least be resistant to it. */
1673 p = Ustrrchr(vname, ' ');
1674 result_tag = p ? p+1 : vname;
1676 if (Ustrcmp(result_tag, "FOUND") == 0)
1678 /* p should still be the whitespace before the result_tag */
1679 while (isspace(*p)) --p;
1681 /* Strip off the extended information too, which will be in parens
1682 after the virus name, with no intervening whitespace. */
1685 /* "(hash:size)", so previous '(' will do; if not found, we have
1686 a curious virus name, but not an error. */
1687 p = Ustrrchr(vname, '(');
1691 malware_name = string_copy(vname);
1692 DEBUG(D_acl) debug_printf_indent("Malware found, name \"%s\"\n", malware_name);
1695 else if (Ustrcmp(result_tag, "ERROR") == 0)
1696 return m_errlog_defer(scanent, CUS callout_address,
1697 string_sprintf("ClamAV returned: %s", av_buffer));
1699 else if (Ustrcmp(result_tag, "OK") == 0)
1701 /* Everything should be OK */
1702 malware_name = NULL;
1703 DEBUG(D_acl) debug_printf_indent("Malware not found\n");
1707 return m_errlog_defer(scanent, CUS callout_address,
1708 string_sprintf("unparseable response from ClamAV: {%s}", av_buffer));
1713 case M_SOCK: /* "sock" scanner type ------------------------------------- */
1714 /* This code was derived by Martin Poole from the clamd code contributed
1715 by David Saez and the cmdline code
1719 uschar * commandline;
1720 uschar av_buffer[1024];
1721 uschar * linebuffer;
1722 uschar * sockline_scanner;
1723 uschar sockline_scanner_default[] = "%s\n";
1724 const pcre *sockline_trig_re;
1725 const pcre *sockline_name_re;
1727 /* find scanner command line */
1728 if ( (sockline_scanner = string_nextinlist(&av_scanner_work, &sep,
1730 && *sockline_scanner
1732 { /* check for no expansions apart from one %s */
1733 uschar * s = Ustrchr(sockline_scanner, '%');
1735 if ((*s != 's' && *s != '%') || Ustrchr(s+1, '%'))
1736 return m_errlog_defer_3(scanent, NULL,
1737 US"unsafe sock scanner call spec", sock);
1740 sockline_scanner = sockline_scanner_default;
1741 DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "cmdline: ",
1742 string_printing(sockline_scanner));
1744 /* find scanner output trigger */
1745 sockline_trig_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1746 "missing trigger specification", &errstr);
1747 if (!sockline_trig_re)
1748 return m_errlog_defer_3(scanent, NULL, errstr, sock);
1750 /* find virus name regex */
1751 sockline_name_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1752 "missing virus name regex specification", &errstr);
1753 if (!sockline_name_re)
1754 return m_errlog_defer_3(scanent, NULL, errstr, sock);
1756 /* prepare scanner call - security depends on expansions check above */
1757 commandline = string_sprintf( CS sockline_scanner, CS eml_filename);
1758 DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "expanded: ",
1759 string_printing(commandline));
1761 /* Pass the command string to the socket */
1762 if (m_sock_send(sock, commandline, Ustrlen(commandline), &errstr) < 0)
1763 return m_errlog_defer(scanent, CUS callout_address, errstr);
1765 /* Read the result */
1766 bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
1769 return m_errlog_defer_3(scanent, CUS callout_address,
1770 string_sprintf("unable to read from socket (%s)", strerror(errno)),
1773 if (bread == sizeof(av_buffer))
1774 return m_errlog_defer_3(scanent, CUS callout_address,
1775 US"buffer too small", sock);
1776 av_buffer[bread] = '\0';
1777 linebuffer = string_copy(av_buffer);
1778 DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "answer: ",
1779 string_printing(linebuffer));
1781 /* try trigger match */
1782 if (regex_match_and_setup(sockline_trig_re, linebuffer, 0, -1))
1784 if (!(malware_name = m_pcre_exec(sockline_name_re, av_buffer)))
1785 malware_name = US "unknown";
1786 DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "name: ",
1787 string_printing(malware_name));
1789 else /* no virus found */
1790 malware_name = NULL;
1794 case M_MKSD: /* "mksd" scanner type ------------------------------------- */
1796 char *mksd_options_end;
1797 int mksd_maxproc = 1; /* default, if no option supplied */
1800 if (scanner_options)
1802 mksd_maxproc = (int)strtol(CS scanner_options, &mksd_options_end, 10);
1803 if ( *scanner_options == '\0'
1804 || *mksd_options_end != '\0'
1806 || mksd_maxproc > 32
1808 return m_errlog_defer(scanent, CUS callout_address,
1809 string_sprintf("invalid option '%s'", scanner_options));
1812 if((sock = ip_unixsocket(US "/var/run/mksd/socket", &errstr)) < 0)
1813 return m_errlog_defer(scanent, CUS callout_address, errstr);
1815 malware_name = NULL;
1817 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan\n", scanner_name);
1819 if ((retval = mksd_scan_packed(scanent, sock, eml_filename, tmo)) != OK)
1827 case M_AVAST: /* "avast" scanner type ----------------------------------- */
1831 uschar * scanrequest;
1832 enum {AVA_HELO, AVA_OPT, AVA_RSP, AVA_DONE} avast_stage;
1835 /* According to Martin Tuma @avast the protocol uses "escaped
1836 whitespace", that is, every embedded whitespace is backslash
1837 escaped, as well as backslash is protected by backslash.
1838 The returned lines contain the name of the scanned file, a tab
1842 [E] - some error occured
1843 Such marker follows the first non-escaped TAB. */
1844 if ( ( !ava_re_clean
1845 && !(ava_re_clean = m_pcre_compile(ava_re_clean_str, &errstr)))
1847 && !(ava_re_virus = m_pcre_compile(ava_re_virus_str, &errstr)))
1849 return malware_errlog_defer(errstr);
1851 /* wait for result */
1852 for (avast_stage = AVA_HELO;
1853 (nread = recv_line(sock, buf, sizeof(buf), tmo)) > 0;
1856 int slen = Ustrlen(buf);
1859 DEBUG(D_acl) debug_printf_indent("got from avast: %s\n", buf);
1860 switch (avast_stage)
1863 if (Ustrncmp(buf, "220", 3) != 0)
1864 goto endloop; /* require a 220 */
1868 if (Ustrncmp(buf, "210", 3) == 0)
1869 break; /* ignore 210 responses */
1870 if (Ustrncmp(buf, "200", 3) != 0)
1871 goto endloop; /* require a 200 */
1876 /* Check for another option to send. Newline-terminate it. */
1877 if ((scanrequest = string_nextinlist(&av_scanner_work, &sep,
1880 scanrequest = string_sprintf("%s\n", scanrequest);
1881 avast_stage = AVA_OPT; /* just sent option */
1885 scanrequest = string_sprintf("SCAN %s\n", eml_dir);
1886 avast_stage = AVA_RSP; /* just sent command */
1889 /* send config-cmd or scan-request to socket */
1890 len = Ustrlen(scanrequest);
1891 if (send(sock, scanrequest, len, 0) < 0)
1893 scanrequest[len-1] = '\0';
1894 return m_errlog_defer_3(scanent, CUS callout_address, string_sprintf(
1895 "unable to send request '%s' to socket (%s): %s",
1896 scanrequest, scanner_options, strerror(errno)), sock);
1902 if (Ustrncmp(buf, "210", 3) == 0)
1903 break; /* ignore the "210 SCAN DATA" message */
1905 if (pcre_exec(ava_re_clean, NULL, CS buf, slen,
1906 0, 0, ovector, nelements(ovector)) > 0)
1909 if ((malware_name = m_pcre_exec(ava_re_virus, buf)))
1910 { /* remove backslash in front of [whitespace|backslash] */
1912 for (p = malware_name; *p; ++p)
1913 if (*p == '\\' && (isspace(p[1]) || p[1] == '\\'))
1914 for (p0 = p; *p0; ++p0) *p0 = p0[1];
1916 avast_stage = AVA_DONE;
1920 if (Ustrncmp(buf, "200 SCAN OK", 11) == 0)
1921 { /* we're done finally */
1922 if (send(sock, "QUIT\n", 5, 0) < 0) /* courtesy */
1923 return m_errlog_defer_3(scanent, CUS callout_address,
1925 "unable to send quit request to socket (%s): %s",
1926 scanner_options, strerror(errno)),
1928 malware_name = NULL;
1929 avast_stage = AVA_DONE;
1933 /* here for any unexpected response from the scanner */
1936 case AVA_DONE: log_write(0, LOG_PANIC, "%s:%d:%s: should not happen",
1937 __FILE__, __LINE__, __FUNCTION__);
1947 case AVA_RSP: return m_errlog_defer_3(scanent, CUS callout_address,
1950 "invalid response from scanner: '%s'", buf)
1952 ? US"EOF from scanner"
1953 : US"timeout from scanner",
1960 case M_FPROT6D: /* "f-prot6d" scanner type ----------------------------------- */
1964 uschar * linebuffer;
1965 uschar * scanrequest;
1966 uschar av_buffer[1024];
1968 if ((!fprot6d_re_virus && !(fprot6d_re_virus = m_pcre_compile(fprot6d_re_virus_str, &errstr)))
1969 || (!fprot6d_re_error && !(fprot6d_re_error = m_pcre_compile(fprot6d_re_error_str, &errstr))))
1970 return malware_errlog_defer(errstr);
1972 scanrequest = string_sprintf("SCAN FILE %s\n", eml_filename);
1973 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s: %s\n",
1974 scanner_name, scanrequest);
1976 if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest), &errstr) < 0)
1977 return m_errlog_defer(scanent, CUS callout_address, errstr);
1979 bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
1982 return m_errlog_defer_3(scanent, CUS callout_address,
1983 string_sprintf("unable to read from socket (%s)", strerror(errno)),
1986 if (bread == sizeof(av_buffer))
1987 return m_errlog_defer_3(scanent, CUS callout_address,
1988 US"buffer too small", sock);
1990 av_buffer[bread] = '\0';
1991 linebuffer = string_copy(av_buffer);
1993 m_sock_send(sock, US"QUIT\n", 5, 0);
1995 if ((e = m_pcre_exec(fprot6d_re_error, linebuffer)))
1996 return m_errlog_defer_3(scanent, CUS callout_address,
1997 string_sprintf("scanner reported error (%s)", e), sock);
1999 if (!(malware_name = m_pcre_exec(fprot6d_re_virus, linebuffer)))
2000 malware_name = NULL;
2004 } /* scanner type switch */
2007 (void) close (sock);
2008 malware_ok = TRUE; /* set "been here, done that" marker */
2011 /* match virus name against pattern (caseless ------->----------v) */
2012 if (malware_name && regex_match_and_setup(re, malware_name, 0, -1))
2014 DEBUG(D_acl) debug_printf_indent(
2015 "Matched regex to malware [%s] [%s]\n", malware_re, malware_name);
2023 /*************************************************
2024 * Scan an email for malware *
2025 *************************************************/
2027 /* This is the normal interface for scanning an email, which doesn't need a
2028 filename; it's a wrapper around the malware_file function.
2031 malware_re match condition for "malware="
2032 timeout if nonzero, timeout in seconds
2034 Returns: Exim message processing code (OK, FAIL, DEFER, ...)
2035 where true means malware was found (condition applies)
2038 malware(const uschar * malware_re, int timeout)
2040 int ret = malware_internal(malware_re, NULL, timeout);
2042 if (ret == DEFER) av_failed = TRUE;
2047 /*************************************************
2048 * Scan a file for malware *
2049 *************************************************/
2051 /* This is a test wrapper for scanning an email, which is not used in
2052 normal processing. Scan any file, using the Exim scanning interface.
2053 This function tampers with various global variables so is unsafe to use
2054 in any other context.
2057 eml_filename a file holding the message to be scanned
2059 Returns: Exim message processing code (OK, FAIL, DEFER, ...)
2060 where true means malware was found (condition applies)
2063 malware_in_file(uschar *eml_filename)
2065 uschar message_id_buf[64];
2068 /* spool_mbox() assumes various parameters exist, when creating
2069 the relevant directory and the email within */
2071 (void) string_format(message_id_buf, sizeof(message_id_buf),
2072 "dummy-%d", vaguely_random_number(INT_MAX));
2073 message_id = message_id_buf;
2074 sender_address = US"malware-sender@example.net";
2076 recipients_list = NULL;
2077 receive_add_recipient(US"malware-victim@example.net", -1);
2078 enable_dollar_recipients = TRUE;
2080 ret = malware_internal(US"*", eml_filename, 0);
2082 Ustrncpy(spooled_message_id, message_id, sizeof(spooled_message_id));
2085 /* don't set no_mbox_unspool; at present, there's no way for it to become
2086 set, but if that changes, then it should apply to these tests too */
2090 /* silence static analysis tools */
2100 if (!malware_default_re)
2101 malware_default_re = regex_must_compile(malware_regex_default, FALSE, TRUE);
2103 drweb_re = regex_must_compile(drweb_re_str, FALSE, TRUE);
2105 fsec_re = regex_must_compile(fsec_re_str, FALSE, TRUE);
2107 kav_re_sus = regex_must_compile(kav_re_sus_str, FALSE, TRUE);
2109 kav_re_inf = regex_must_compile(kav_re_inf_str, FALSE, TRUE);
2111 ava_re_clean = regex_must_compile(ava_re_clean_str, FALSE, TRUE);
2113 ava_re_virus = regex_must_compile(ava_re_virus_str, FALSE, TRUE);
2114 if (!fprot6d_re_error)
2115 fprot6d_re_error = regex_must_compile(fprot6d_re_error_str, FALSE, TRUE);
2116 if (!fprot6d_re_virus)
2117 fprot6d_re_virus = regex_must_compile(fprot6d_re_virus_str, FALSE, TRUE);
2120 #endif /*WITH_CONTENT_SCAN*/
git://git.exim.org / exim.git / blob