1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003-2014 */
8 /* Code for calling virus (malware) scanners. Called from acl.c. */
11 #ifdef WITH_CONTENT_SCAN
13 typedef enum {M_FPROTD, M_DRWEB, M_AVES, M_FSEC, M_KAVD, M_CMDL,
14 M_SOPHIE, M_CLAMD, M_SOCK, M_MKSD, M_AVAST} scanner_t;
15 typedef enum {MC_NONE, MC_TCP, MC_UNIX, MC_STRM} contype_t;
20 const uschar * options_default;
24 { M_FPROTD, US"f-protd", US"localhost 10200-10204", MC_TCP },
25 { M_DRWEB, US"drweb", US"/usr/local/drweb/run/drwebd.sock", MC_STRM },
26 { M_AVES, US"aveserver", US"/var/run/aveserver", MC_UNIX },
27 { M_FSEC, US"fsecure", US"/var/run/.fsav", MC_UNIX },
28 { M_KAVD, US"kavdaemon", US"/var/run/AvpCtl", MC_UNIX },
29 { M_CMDL, US"cmdline", NULL, MC_NONE },
30 { M_SOPHIE, US"sophie", US"/var/run/sophie", MC_UNIX },
31 { M_CLAMD, US"clamd", US"/tmp/clamd", MC_NONE },
32 { M_SOCK, US"sock", US"/tmp/malware.sock", MC_STRM },
33 { M_MKSD, US"mksd", NULL, MC_NONE },
34 { M_AVAST, US"avast", US"/var/run/avast/scan.sock", MC_STRM },
35 { -1, NULL, NULL, MC_NONE } /* end-marker */
38 /* The maximum number of clamd servers that are supported in the configuration */
39 #define MAX_CLAMD_SERVERS 32
40 #define MAX_CLAMD_SERVERS_S "32"
41 /* Maximum length of the hostname that can be specified in the clamd address list */
42 #define MAX_CLAMD_ADDRESS_LENGTH 64
43 #define MAX_CLAMD_ADDRESS_LENGTH_S "64"
45 typedef struct clamd_address_container {
46 uschar tcp_addr[MAX_CLAMD_ADDRESS_LENGTH+1];
47 unsigned int tcp_port;
48 } clamd_address_container;
51 # define nelements(arr) (sizeof(arr) / sizeof(arr[0]))
55 #define MALWARE_TIMEOUT 120 /* default timeout, seconds */
58 #define DRWEBD_SCAN_CMD (1) /* scan file, buffer or diskfile */
59 #define DRWEBD_RETURN_VIRUSES (1<<0) /* ask daemon return to us viruses names from report */
60 #define DRWEBD_IS_MAIL (1<<19) /* say to daemon that format is "archive MAIL" */
62 #define DERR_READ_ERR (1<<0) /* read error */
63 #define DERR_NOMEMORY (1<<2) /* no memory */
64 #define DERR_TIMEOUT (1<<9) /* scan timeout has run out */
65 #define DERR_BAD_CALL (1<<15) /* wrong command */
68 static const uschar * malware_regex_default = US ".+";
69 static const pcre * malware_default_re = NULL;
71 static const uschar * drweb_re_str = US "infected\\swith\\s*(.+?)$";
72 static const pcre * drweb_re = NULL;
74 static const uschar * fsec_re_str = US "\\S{0,5}INFECTED\\t[^\\t]*\\t([^\\t]+)\\t\\S*$";
75 static const pcre * fsec_re = NULL;
77 static const uschar * kav_re_sus_str = US "suspicion:\\s*(.+?)\\s*$";
78 static const uschar * kav_re_inf_str = US "infected:\\s*(.+?)\\s*$";
79 static const pcre * kav_re_sus = NULL;
80 static const pcre * kav_re_inf = NULL;
82 static const uschar * ava_re_clean_str = US "(?!\\\\)\\t\\[\\+\\]";
83 static const uschar * ava_re_virus_str = US "(?!\\\\)\\t\\[L\\]\\d\\.\\d\\t\\d\\s(.*)";
84 static const pcre * ava_re_clean = NULL;
85 static const pcre * ava_re_virus = NULL;
89 /******************************************************************************/
91 /* Routine to check whether a system is big- or little-endian.
92 Ripped from http://www.faqs.org/faqs/graphics/fileformats-faq/part4/section-7.html
93 Needed for proper kavdaemon implementation. Sigh. */
94 #define BIG_MY_ENDIAN 0
95 #define LITTLE_MY_ENDIAN 1
96 static int test_byte_order(void);
100 short int word = 0x0001;
101 char *byte = (char *) &word;
102 return(byte[0] ? LITTLE_MY_ENDIAN : BIG_MY_ENDIAN);
105 BOOL malware_ok = FALSE;
107 /* Gross hacks for the -bmalware option; perhaps we should just create
108 the scan directory normally for that case, but look into rigging up the
109 needed header variables if not already set on the command-line? */
110 extern int spool_mbox_ok;
111 extern uschar spooled_message_id[17];
116 malware_errlog_defer(const uschar * str)
118 log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: %s", str);
123 m_errlog_defer(struct scan * scanent, const uschar * str)
125 return malware_errlog_defer(string_sprintf("%s: %s", scanent->name, str));
128 m_errlog_defer_3(struct scan * scanent, const uschar * str,
131 (void) close(fd_to_close);
132 return m_errlog_defer(scanent, str);
135 /*************************************************/
137 /* Only used by the Clamav code, which is working from a list of servers and
138 uses the returned in_addr to get a second connection to the same system.
141 m_tcpsocket(const uschar * hostname, unsigned int port,
142 host_item * host, uschar ** errstr)
144 return ip_connectedsocket(SOCK_STREAM, hostname, port, port, 5, host, errstr);
148 m_sock_send(int sock, uschar * buf, int cnt, uschar ** errstr)
150 if (send(sock, buf, cnt, 0) < 0) {
153 *errstr = string_sprintf("unable to send to socket (%s): %s",
161 m_pcre_compile(const uschar * re, uschar ** errstr)
163 const uschar * rerror;
167 cre = pcre_compile(CS re, PCRE_COPT, (const char **)&rerror, &roffset, NULL);
169 *errstr= string_sprintf("regular expression error in '%s': %s at offset %d",
170 re, rerror, roffset);
175 m_pcre_exec(const pcre * cre, uschar * text)
178 int i = pcre_exec(cre, NULL, CS text, Ustrlen(text), 0, 0,
179 ovector, nelements(ovector));
180 uschar * substr = NULL;
181 if (i >= 2) /* Got it */
182 pcre_get_substring(CS text, ovector, i, 1, (const char **) &substr);
187 m_pcre_nextinlist(const uschar ** list, int * sep,
188 char * listerr, uschar ** errstr)
190 const uschar * list_ele;
191 const pcre * cre = NULL;
193 if (!(list_ele = string_nextinlist(list, sep, NULL, 0)))
194 *errstr = US listerr;
196 cre = m_pcre_compile(CUS list_ele, errstr);
201 Simple though inefficient wrapper for reading a line. Drop CRs and the
202 trailing newline. Can return early on buffer full. Null-terminate.
203 Apply initial timeout if no data ready.
205 Return: number of chars - zero for an empty line
207 -2 on timeout or error
210 recv_line(int fd, uschar * buffer, int bsize, int tmo)
216 if (!fd_ready(fd, tmo-time(NULL)))
219 /*XXX tmo handling assumes we always get a whole line */
222 while ((rcv = read(fd, p, 1)) > 0)
225 if (p-buffer > bsize-2) break;
226 if (*p == '\n') break;
231 DEBUG(D_acl) debug_printf("Malware scan: read %s (%s)\n",
232 rcv==0 ? "EOF" : "error", strerror(errno));
233 return rcv==0 ? -1 : -2;
237 DEBUG(D_acl) debug_printf("Malware scan: read '%s'\n", buffer);
241 /* return TRUE iff size as requested */
243 recv_len(int sock, void * buf, int size, int tmo)
245 return fd_ready(sock, tmo-time(NULL))
246 ? recv(sock, buf, size, 0) == size
252 /* ============= private routines for the "mksd" scanner type ============== */
257 mksd_writev (int sock, struct iovec * iov, int iovcnt)
264 i = writev (sock, iov, iovcnt);
265 while (i < 0 && errno == EINTR);
268 (void) malware_errlog_defer(
269 US"unable to write to mksd UNIX socket (/var/run/mksd/socket)");
272 for (;;) /* check for short write */
273 if (i >= iov->iov_len)
283 iov->iov_base = CS iov->iov_base + i;
290 mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size, int tmo)
297 i = ip_recv(sock, av_buffer+offset, av_buffer_size-offset, tmo-time(NULL));
300 (void) malware_errlog_defer(US"unable to read from mksd UNIX socket (/var/run/mksd/socket)");
305 /* offset == av_buffer_size -> buffer full */
306 if (offset == av_buffer_size)
308 (void) malware_errlog_defer(US"malformed reply received from mksd");
311 } while (av_buffer[offset-1] != '\n');
313 av_buffer[offset] = '\0';
318 mksd_parse_line(struct scan * scanent, char * line)
329 if ((p = strchr (line, '\n')) != NULL)
331 return m_errlog_defer(scanent,
332 string_sprintf("scanner failed: %s", line));
335 if ((p = strchr (line, '\n')) != NULL)
340 && (p = strchr(line+4, ' ')) != NULL
345 malware_name = string_copy(US line+4);
349 return m_errlog_defer(scanent,
350 string_sprintf("malformed reply received: %s", line));
355 mksd_scan_packed(struct scan * scanent, int sock, const uschar * scan_filename,
359 const char *cmd = "MSQ\n";
360 uschar av_buffer[1024];
362 iov[0].iov_base = (void *) cmd;
364 iov[1].iov_base = (void *) scan_filename;
365 iov[1].iov_len = Ustrlen(scan_filename);
366 iov[2].iov_base = (void *) (cmd + 3);
369 if (mksd_writev (sock, iov, 3) < 0)
372 if (mksd_read_lines (sock, av_buffer, sizeof (av_buffer), tmo) < 0)
375 return mksd_parse_line (scanent, CS av_buffer);
378 /*************************************************
379 * Scan content for malware *
380 *************************************************/
382 /* This is an internal interface for scanning an email; the normal interface
383 is via malware(), or there's malware_in_file() used for testing/debugging.
386 malware_re match condition for "malware="
387 eml_filename the file holding the email to be scanned
388 timeout if nonzero, non-default timeoutl
389 faking whether or not we're faking this up for the -bmalware test
391 Returns: Exim message processing code (OK, FAIL, DEFER, ...)
392 where true means malware was found (condition applies)
395 malware_internal(const uschar * malware_re, const uschar * eml_filename,
396 int timeout, BOOL faking)
399 const uschar *av_scanner_work = av_scanner;
400 uschar *scanner_name;
401 unsigned long mbox_size;
405 struct scan * scanent;
406 const uschar * scanner_options;
410 /* make sure the eml mbox file is spooled up */
411 if (!(mbox_file = spool_mbox(&mbox_size, faking ? eml_filename : NULL)))
412 return malware_errlog_defer(US"error while creating mbox spool file");
414 /* none of our current scanners need the mbox
415 file as a stream, so we can close it right away */
416 (void)fclose(mbox_file);
419 return FAIL; /* empty means "don't match anything" */
421 /* parse 1st option */
422 if ( (strcmpic(malware_re, US"false") == 0) ||
423 (Ustrcmp(malware_re,"0") == 0) )
424 return FAIL; /* explicitly no matching */
426 /* special cases (match anything except empty) */
427 if ( strcmpic(malware_re,US"true") == 0
428 || Ustrcmp(malware_re,"*") == 0
429 || Ustrcmp(malware_re,"1") == 0
432 if ( !malware_default_re
433 && !(malware_default_re = m_pcre_compile(malware_regex_default, &errstr)))
434 return malware_errlog_defer(errstr);
435 malware_re = malware_regex_default;
436 re = malware_default_re;
439 /* compile the regex, see if it works */
440 else if (!(re = m_pcre_compile(malware_re, &errstr)))
441 return malware_errlog_defer(errstr);
443 /* Reset sep that is set by previous string_nextinlist() call */
446 /* if av_scanner starts with a dollar, expand it first */
447 if (*av_scanner == '$')
449 if (!(av_scanner_work = expand_string(av_scanner)))
450 return malware_errlog_defer(
451 string_sprintf("av_scanner starts with $, but expansion failed: %s",
452 expand_string_message));
455 debug_printf("Expanded av_scanner global: %s\n", av_scanner_work);
456 /* disable result caching in this case */
461 /* Do not scan twice (unless av_scanner is dynamic). */
464 /* find the scanner type from the av_scanner option */
465 if (!(scanner_name = string_nextinlist(&av_scanner_work, &sep, NULL, 0)))
466 return malware_errlog_defer(US"av_scanner configuration variable is empty");
467 if (!timeout) timeout = MALWARE_TIMEOUT;
468 tmo = time(NULL) + timeout;
470 for (scanent = m_scans; ; scanent++)
473 return malware_errlog_defer(string_sprintf("unknown scanner type '%s'",
475 if (strcmpic(scanner_name, US scanent->name) != 0)
477 if (!(scanner_options = string_nextinlist(&av_scanner_work, &sep, NULL, 0)))
478 scanner_options = scanent->options_default;
479 if (scanent->conn == MC_NONE)
481 switch(scanent->conn)
483 case MC_TCP: sock = ip_tcpsocket(scanner_options, &errstr, 5); break;
484 case MC_UNIX: sock = ip_unixsocket(scanner_options, &errstr); break;
485 case MC_STRM: sock = ip_streamsocket(scanner_options, &errstr, 5); break;
486 default: /* compiler quietening */ break;
489 return m_errlog_defer(scanent, errstr);
492 DEBUG(D_acl) debug_printf("Malware scan: %s tmo %s\n", scanner_name, readconf_printtime(timeout));
494 switch (scanent->scancode)
496 case M_FPROTD: /* "f-protd" scanner type -------------------------------- */
498 uschar *fp_scan_option;
499 unsigned int detected=0, par_count=0;
500 uschar * scanrequest;
501 uschar buf[32768], *strhelper, *strhelper2;
502 uschar * malware_name_internal = NULL;
505 scanrequest = string_sprintf("GET %s", eml_filename);
507 while ((fp_scan_option = string_nextinlist(&av_scanner_work, &sep,
510 scanrequest = string_sprintf("%s%s%s", scanrequest,
511 par_count ? "%20" : "?", fp_scan_option);
514 scanrequest = string_sprintf("%s HTTP/1.0\r\n\r\n", scanrequest);
515 DEBUG(D_acl) debug_printf("Malware scan: issuing %s: %s\n",
516 scanner_name, scanrequest);
518 /* send scan request */
519 if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0)
520 return m_errlog_defer(scanent, errstr);
522 while ((len = recv_line(sock, buf, sizeof(buf), tmo)) >= 0)
525 if (Ustrstr(buf, US"<detected type=\"") != NULL)
527 else if (detected && (strhelper = Ustrstr(buf, US"<name>")))
529 if ((strhelper2 = Ustrstr(buf, US"</name>")) != NULL)
532 malware_name_internal = string_copy(strhelper+6);
535 else if (Ustrstr(buf, US"<summary code=\""))
537 malware_name = Ustrstr(buf, US"<summary code=\"11\">")
538 ? malware_name_internal : NULL;
550 case M_DRWEB: /* "drweb" scanner type ----------------------------------- */
551 /* v0.1 - added support for tcp sockets */
552 /* v0.0 - initial release -- support for unix sockets */
556 unsigned int fsize_uint;
557 uschar * tmpbuf, *drweb_fbuf;
558 int drweb_rc, drweb_cmd, drweb_flags = 0x0000, drweb_fd,
559 drweb_vnum, drweb_slen, drweb_fin = 0x0000;
561 /* prepare variables */
562 drweb_cmd = htonl(DRWEBD_SCAN_CMD);
563 drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL);
565 if (*scanner_options != '/')
568 if ((drweb_fd = open(CCS eml_filename, O_RDONLY)) == -1)
569 return m_errlog_defer_3(scanent,
570 string_sprintf("can't open spool file %s: %s",
571 eml_filename, strerror(errno)),
574 if ((fsize = lseek(drweb_fd, 0, SEEK_END)) == -1)
577 (void)close(drweb_fd);
578 return m_errlog_defer_3(scanent,
579 string_sprintf("can't seek spool file %s: %s",
580 eml_filename, strerror(err)),
583 fsize_uint = (unsigned int) fsize;
584 if ((off_t)fsize_uint != fsize)
586 (void)close(drweb_fd);
587 return m_errlog_defer_3(scanent,
588 string_sprintf("seeking spool file %s, size overflow",
592 drweb_slen = htonl(fsize);
593 lseek(drweb_fd, 0, SEEK_SET);
595 DEBUG(D_acl) debug_printf("Malware scan: issuing %s remote scan [%s]\n",
596 scanner_name, scanner_options);
598 /* send scan request */
599 if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
600 (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
601 (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0) ||
602 (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0))
604 (void)close(drweb_fd);
605 return m_errlog_defer_3(scanent, string_sprintf(
606 "unable to send commands to socket (%s)", scanner_options),
610 if (!(drweb_fbuf = (uschar *) malloc (fsize_uint)))
612 (void)close(drweb_fd);
613 return m_errlog_defer_3(scanent,
614 string_sprintf("unable to allocate memory %u for file (%s)",
615 fsize_uint, eml_filename),
619 if ((result = read (drweb_fd, drweb_fbuf, fsize)) == -1)
622 (void)close(drweb_fd);
624 return m_errlog_defer_3(scanent,
625 string_sprintf("can't read spool file %s: %s",
626 eml_filename, strerror(err)),
629 (void)close(drweb_fd);
631 /* send file body to socket */
632 if (send(sock, drweb_fbuf, fsize, 0) < 0)
635 return m_errlog_defer_3(scanent, string_sprintf(
636 "unable to send file body to socket (%s)", scanner_options),
639 (void)close(drweb_fd);
643 drweb_slen = htonl(Ustrlen(eml_filename));
645 DEBUG(D_acl) debug_printf("Malware scan: issuing %s local scan [%s]\n",
646 scanner_name, scanner_options);
648 /* send scan request */
649 if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
650 (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
651 (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0) ||
652 (send(sock, eml_filename, Ustrlen(eml_filename), 0) < 0) ||
653 (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0))
654 return m_errlog_defer_3(scanent, string_sprintf(
655 "unable to send commands to socket (%s)", scanner_options),
659 /* wait for result */
660 if (!recv_len(sock, &drweb_rc, sizeof(drweb_rc), tmo))
661 return m_errlog_defer_3(scanent,
662 US"unable to read return code", sock);
663 drweb_rc = ntohl(drweb_rc);
665 if (!recv_len(sock, &drweb_vnum, sizeof(drweb_vnum), tmo))
666 return m_errlog_defer_3(scanent,
667 US"unable to read the number of viruses", sock);
668 drweb_vnum = ntohl(drweb_vnum);
670 /* "virus(es) found" if virus number is > 0 */
675 /* setup default virus name */
676 malware_name = US"unknown";
678 /* set up match regex */
680 drweb_re = m_pcre_compile(drweb_re_str, &errstr);
682 /* read and concatenate virus names into one string */
683 for (i = 0; i < drweb_vnum; i++)
685 int size = 0, off = 0, ovector[10*3];
686 /* read the size of report */
687 if (!recv_len(sock, &drweb_slen, sizeof(drweb_slen), tmo))
688 return m_errlog_defer_3(scanent,
689 US"cannot read report size", sock);
690 drweb_slen = ntohl(drweb_slen);
691 tmpbuf = store_get(drweb_slen);
693 /* read report body */
694 if (!recv_len(sock, tmpbuf, drweb_slen, tmo))
695 return m_errlog_defer_3(scanent,
696 US"cannot read report string", sock);
697 tmpbuf[drweb_slen] = '\0';
699 /* try matcher on the line, grab substring */
700 result = pcre_exec(drweb_re, NULL, CS tmpbuf, Ustrlen(tmpbuf), 0, 0,
701 ovector, nelements(ovector));
704 const char * pre_malware_nb;
706 pcre_get_substring(CS tmpbuf, ovector, result, 1, &pre_malware_nb);
708 if (i==0) /* the first name we just copy to malware_name */
709 malware_name = string_append(NULL, &size, &off,
712 else /* concatenate each new virus name to previous */
713 malware_name = string_append(malware_name, &size, &off,
714 2, "/", pre_malware_nb);
716 pcre_free_substring(pre_malware_nb);
722 const char *drweb_s = NULL;
724 if (drweb_rc & DERR_READ_ERR) drweb_s = "read error";
725 if (drweb_rc & DERR_NOMEMORY) drweb_s = "no memory";
726 if (drweb_rc & DERR_TIMEOUT) drweb_s = "timeout";
727 if (drweb_rc & DERR_BAD_CALL) drweb_s = "wrong command";
728 /* retcodes DERR_SYMLINK, DERR_NO_REGFILE, DERR_SKIPPED.
729 * DERR_TOO_BIG, DERR_TOO_COMPRESSED, DERR_SPAM,
730 * DERR_CRC_ERROR, DERR_READSOCKET, DERR_WRITE_ERR
731 * and others are ignored */
733 return m_errlog_defer_3(scanent,
734 string_sprintf("drweb daemon retcode 0x%x (%s)", drweb_rc, drweb_s),
743 case M_AVES: /* "aveserver" scanner type -------------------------------- */
748 /* read aveserver's greeting and see if it is ready (2xx greeting) */
750 recv_line(sock, buf, sizeof(buf), tmo);
752 if (buf[0] != '2') /* aveserver is having problems */
753 return m_errlog_defer_3(scanent,
754 string_sprintf("unavailable (Responded: %s).",
755 ((buf[0] != 0) ? buf : (uschar *)"nothing") ),
758 /* prepare our command */
759 (void)string_format(buf, sizeof(buf), "SCAN bPQRSTUW %s\r\n",
763 DEBUG(D_acl) debug_printf("Malware scan: issuing %s %s\n",
765 if (m_sock_send(sock, buf, Ustrlen(buf), &errstr) < 0)
766 return m_errlog_defer(scanent, errstr);
770 /* read response lines, find malware name and final response */
771 while (recv_line(sock, buf, sizeof(buf), tmo) > 0)
775 if (buf[0] == '5') /* aveserver is having problems */
777 result = m_errlog_defer(scanent,
778 string_sprintf("unable to scan file %s (Responded: %s).",
782 if (Ustrncmp(buf,"322",3) == 0)
784 uschar *p = Ustrchr(&buf[4], ' ');
786 malware_name = string_copy(&buf[4]);
790 if (m_sock_send(sock, US"quit\r\n", 6, &errstr) < 0)
791 return m_errlog_defer(scanent, errstr);
793 /* read aveserver's greeting and see if it is ready (2xx greeting) */
795 recv_line(sock, buf, sizeof(buf), tmo);
797 if (buf[0] != '2') /* aveserver is having problems */
798 return m_errlog_defer_3(scanent,
799 string_sprintf("unable to quit dialogue (Responded: %s).",
800 ((buf[0] != 0) ? buf : (uschar *)"nothing") ),
811 case M_FSEC: /* "fsecure" scanner type ---------------------------------- */
815 uschar av_buffer[1024];
816 static uschar *cmdopt[] = { US"CONFIGURE\tARCHIVE\t1\n",
817 US"CONFIGURE\tTIMEOUT\t0\n",
818 US"CONFIGURE\tMAXARCH\t5\n",
819 US"CONFIGURE\tMIME\t1\n" };
823 DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
824 scanner_name, scanner_options);
826 memset(av_buffer, 0, sizeof(av_buffer));
827 for (i = 0; i != nelements(cmdopt); i++)
830 if (m_sock_send(sock, cmdopt[i], Ustrlen(cmdopt[i]), &errstr) < 0)
831 return m_errlog_defer(scanent, errstr);
833 bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
834 if (bread > 0) av_buffer[bread]='\0';
836 return m_errlog_defer_3(scanent,
837 string_sprintf("unable to read answer %d (%s)", i, strerror(errno)),
839 for (j = 0; j < bread; j++)
840 if (av_buffer[j] == '\r' || av_buffer[j] == '\n')
844 /* pass the mailfile to fsecure */
845 file_name = string_sprintf("SCAN\t%s\n", eml_filename);
847 if (m_sock_send(sock, file_name, Ustrlen(file_name), &errstr) < 0)
848 return m_errlog_defer(scanent, errstr);
851 /* todo also SUSPICION\t */
853 fsec_re = m_pcre_compile(fsec_re_str, &errstr);
855 /* read report, linewise. Apply a timeout as the Fsecure daemon
856 sometimes wants an answer to "PING" but they won't tell us what */
858 uschar * p = av_buffer;
864 i = av_buffer+sizeof(av_buffer)-p;
865 if ((bread= ip_recv(sock, p, i-1, tmo-time(NULL))) < 0)
866 return m_errlog_defer_3(scanent,
867 string_sprintf("unable to read result (%s)", strerror(errno)),
870 for (p[bread] = '\0'; q = strchr(p, '\n'); p = q+1)
874 /* Really search for virus again? */
876 /* try matcher on the line, grab substring */
877 malware_name = m_pcre_exec(fsec_re, p);
879 if (Ustrstr(p, "OK\tScan ok."))
883 /* copy down the trailing partial line then read another chunk */
884 i = av_buffer+sizeof(av_buffer)-p;
885 memmove(av_buffer, p, i);
894 case M_KAVD: /* "kavdaemon" scanner type -------------------------------- */
898 uschar * scanrequest;
900 unsigned long kav_reportlen, bread;
904 /* get current date and time, build scan request */
906 /* pdp note: before the eml_filename parameter, this scanned the
907 directory; not finding documentation, so we'll strip off the directory.
908 The side-effect is that the test framework scanning may end up in
909 scanning more than was requested, but for the normal interface, this is
912 strftime(CS tmpbuf, sizeof(tmpbuf), "%d %b %H:%M:%S", localtime(&t));
913 scanrequest = string_sprintf("<0>%s:%s", CS tmpbuf, eml_filename);
914 p = Ustrrchr(scanrequest, '/');
918 DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
919 scanner_name, scanner_options);
921 /* send scan request */
922 if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0)
923 return m_errlog_defer(scanent, errstr);
925 /* wait for result */
926 if (!recv_len(sock, tmpbuf, 2, tmo))
927 return m_errlog_defer_3(scanent,
928 US"unable to read 2 bytes from socket.", sock);
930 /* get errorcode from one nibble */
931 kav_rc = tmpbuf[ test_byte_order()==LITTLE_MY_ENDIAN ? 0 : 1 ] & 0x0F;
934 case 5: case 6: /* improper kavdaemon configuration */
935 return m_errlog_defer_3(scanent,
936 US"please reconfigure kavdaemon to NOT disinfect or remove infected files.",
939 return m_errlog_defer_3(scanent,
940 US"reported 'scanning not completed' (code 1).", sock);
942 return m_errlog_defer_3(scanent,
943 US"reported 'kavdaemon damaged' (code 7).", sock);
946 /* code 8 is not handled, since it is ambigous. It appears mostly on
947 bounces where part of a file has been cut off */
949 /* "virus found" return codes (2-4) */
950 if (kav_rc > 1 && kav_rc < 5)
954 /* setup default virus name */
955 malware_name = US"unknown";
957 report_flag = tmpbuf[ test_byte_order() == LITTLE_MY_ENDIAN ? 1 : 0 ];
959 /* read the report, if available */
960 if (report_flag == 1)
962 /* read report size */
963 if (!recv_len(sock, &kav_reportlen, 4, tmo))
964 return m_errlog_defer_3(scanent,
965 US"cannot read report size", sock);
967 /* it's possible that avp returns av_buffer[1] == 1 but the
968 reportsize is 0 (!?) */
969 if (kav_reportlen > 0)
971 /* set up match regex, depends on retcode */
974 if (!kav_re_sus) kav_re_sus = m_pcre_compile(kav_re_sus_str, &errstr);
979 if (!kav_re_inf) kav_re_inf = m_pcre_compile(kav_re_inf_str, &errstr);
983 /* read report, linewise */
984 while (kav_reportlen > 0)
986 if ((bread = recv_line(sock, tmpbuf, sizeof(tmpbuf), tmo)) < 0)
988 kav_reportlen -= bread+1;
990 /* try matcher on the line, grab substring */
991 if ((malware_name = m_pcre_exec(kav_re, tmpbuf)))
997 else /* no virus found */
1003 case M_CMDL: /* "cmdline" scanner type ---------------------------------- */
1005 const uschar *cmdline_scanner = scanner_options;
1006 const pcre *cmdline_trigger_re;
1007 const pcre *cmdline_regex_re;
1009 uschar * commandline;
1010 void (*eximsigchld)(int);
1011 void (*eximsigpipe)(int);
1012 FILE *scanner_out = NULL;
1014 FILE *scanner_record = NULL;
1015 uschar linebuffer[32767];
1020 if (!cmdline_scanner)
1021 return m_errlog_defer(scanent, errstr);
1023 /* find scanner output trigger */
1024 cmdline_trigger_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1025 "missing trigger specification", &errstr);
1026 if (!cmdline_trigger_re)
1027 return m_errlog_defer(scanent, errstr);
1029 /* find scanner name regex */
1030 cmdline_regex_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1031 "missing virus name regex specification", &errstr);
1032 if (!cmdline_regex_re)
1033 return m_errlog_defer(scanent, errstr);
1035 /* prepare scanner call; despite the naming, file_name holds a directory
1036 name which is documented as the value given to %s. */
1038 file_name = string_copy(eml_filename);
1039 p = Ustrrchr(file_name, '/');
1042 commandline = string_sprintf(CS cmdline_scanner, file_name);
1044 /* redirect STDERR too */
1045 commandline = string_sprintf("%s 2>&1", commandline);
1047 DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
1048 scanner_name, commandline);
1050 /* store exims signal handlers */
1051 eximsigchld = signal(SIGCHLD,SIG_DFL);
1052 eximsigpipe = signal(SIGPIPE,SIG_DFL);
1054 if (!(scanner_out = popen(CS commandline,"r")))
1057 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1058 return m_errlog_defer(scanent,
1059 string_sprintf("call (%s) failed: %s.", commandline, strerror(err)));
1061 scanner_fd = fileno(scanner_out);
1063 file_name = string_sprintf("%s/scan/%s/%s_scanner_output",
1064 spool_directory, message_id, message_id);
1066 if (!(scanner_record = modefopen(file_name, "wb", SPOOL_MODE)))
1069 (void) pclose(scanner_out);
1070 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1071 return m_errlog_defer(scanent, string_sprintf(
1072 "opening scanner output file (%s) failed: %s.",
1073 file_name, strerror(err)));
1076 /* look for trigger while recording output */
1077 while ((rcnt = recv_line(scanner_fd, linebuffer,
1078 sizeof(linebuffer), tmo)))
1086 (void) pclose(scanner_out);
1087 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1088 return m_errlog_defer(scanent, string_sprintf(
1089 "unable to read from scanner (%s): %s",
1090 commandline, strerror(err)));
1093 if (Ustrlen(linebuffer) > fwrite(linebuffer, 1, Ustrlen(linebuffer), scanner_record))
1096 (void) pclose(scanner_out);
1097 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1098 return m_errlog_defer(scanent, string_sprintf(
1099 "short write on scanner output file (%s).", file_name));
1101 putc('\n', scanner_record);
1102 /* try trigger match */
1104 && regex_match_and_setup(cmdline_trigger_re, linebuffer, 0, -1)
1109 (void)fclose(scanner_record);
1110 sep = pclose(scanner_out);
1111 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1113 return m_errlog_defer(scanent,
1115 ? string_sprintf("running scanner failed: %s", strerror(sep))
1116 : string_sprintf("scanner returned error code: %d", sep));
1121 /* setup default virus name */
1122 malware_name = US"unknown";
1124 /* re-open the scanner output file, look for name match */
1125 scanner_record = fopen(CS file_name, "rb");
1126 while (fgets(CS linebuffer, sizeof(linebuffer), scanner_record))
1129 if ((s = m_pcre_exec(cmdline_regex_re, linebuffer)))
1132 (void)fclose(scanner_record);
1134 else /* no virus found */
1135 malware_name = NULL;
1139 case M_SOPHIE: /* "sophie" scanner type --------------------------------- */
1144 uschar av_buffer[1024];
1146 /* pass the scan directory to sophie */
1147 file_name = string_copy(eml_filename);
1148 if ((p = Ustrrchr(file_name, '/')))
1151 DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
1152 scanner_name, scanner_options);
1154 if ( write(sock, file_name, Ustrlen(file_name)) < 0
1155 || write(sock, "\n", 1) != 1
1157 return m_errlog_defer_3(scanent,
1158 string_sprintf("unable to write to UNIX socket (%s)", scanner_options),
1161 /* wait for result */
1162 memset(av_buffer, 0, sizeof(av_buffer));
1163 if ((bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL))) <= 0)
1164 return m_errlog_defer_3(scanent,
1165 string_sprintf("unable to read from UNIX socket (%s)", scanner_options),
1169 if (av_buffer[0] == '1') {
1170 uschar * s = Ustrchr(av_buffer, '\n');
1173 malware_name = string_copy(&av_buffer[2]);
1175 else if (!strncmp(CS av_buffer, "-1", 2))
1176 return m_errlog_defer_3(scanent, US"scanner reported error", sock);
1177 else /* all ok, no virus */
1178 malware_name = NULL;
1183 case M_CLAMD: /* "clamd" scanner type ----------------------------------- */
1185 /* This code was originally contributed by David Saez */
1186 /* There are three scanning methods available to us:
1187 * (1) Use the SCAN command, pointing to a file in the filesystem
1188 * (2) Use the STREAM command, send the data on a separate port
1189 * (3) Use the zINSTREAM command, send the data inline
1190 * The zINSTREAM command was introduced with ClamAV 0.95, which marked
1191 * STREAM deprecated; see: http://wiki.clamav.net/bin/view/Main/UpgradeNotes095
1192 * In Exim, we use SCAN if using a Unix-domain socket or explicitly told that
1193 * the TCP-connected daemon is actually local; otherwise we use zINSTREAM unless
1194 * WITH_OLD_CLAMAV_STREAM is defined.
1195 * See Exim bug 926 for details. */
1197 uschar *p, *vname, *result_tag, *response_end;
1200 uschar av_buffer[1024];
1201 uschar *hostname = US"";
1203 uschar *clamav_fbuf;
1204 int clam_fd, result;
1206 unsigned int fsize_uint;
1207 BOOL use_scan_command = FALSE;
1208 clamd_address_container * clamd_address_vector[MAX_CLAMD_SERVERS];
1209 int num_servers = 0;
1210 #ifdef WITH_OLD_CLAMAV_STREAM
1212 uschar av_buffer2[1024];
1215 uint32_t send_size, send_final_zeroblock;
1218 if (*scanner_options == '/')
1219 /* Local file; so we def want to use_scan_command and don't want to try
1220 * passing IP/port combinations */
1221 use_scan_command = TRUE;
1224 const uschar *address = scanner_options;
1225 uschar address_buffer[MAX_CLAMD_ADDRESS_LENGTH + 20];
1227 /* Go through the rest of the list of host/port and construct an array
1228 * of servers to try. The first one is the bit we just passed from
1229 * scanner_options so process that first and then scan the remainder of
1230 * the address buffer */
1233 clamd_address_container *this_clamd;
1235 /* The 'local' option means use the SCAN command over the network
1236 * socket (ie common file storage in use) */
1237 if (strcmpic(address,US"local") == 0)
1239 use_scan_command = TRUE;
1243 /* XXX: If unsuccessful we should free this memory */
1245 (clamd_address_container *)store_get(sizeof(clamd_address_container));
1247 /* extract host and port part */
1248 if( sscanf(CS address, "%" MAX_CLAMD_ADDRESS_LENGTH_S "s %u",
1249 this_clamd->tcp_addr, &(this_clamd->tcp_port)) != 2 )
1251 (void) m_errlog_defer(scanent,
1252 string_sprintf("invalid address '%s'", address));
1256 clamd_address_vector[num_servers] = this_clamd;
1258 if (num_servers >= MAX_CLAMD_SERVERS)
1260 (void) m_errlog_defer(scanent,
1261 US"More than " MAX_CLAMD_SERVERS_S " clamd servers "
1262 "specified; only using the first " MAX_CLAMD_SERVERS_S );
1265 } while ((address = string_nextinlist(&av_scanner_work, &sep,
1267 sizeof(address_buffer))) != NULL);
1269 /* check if we have at least one server */
1271 return m_errlog_defer(scanent,
1272 US"no useable server addresses in malware configuration option.");
1275 /* See the discussion of response formats below to see why we really
1276 don't like colons in filenames when passing filenames to ClamAV. */
1277 if (use_scan_command && Ustrchr(eml_filename, ':'))
1278 return m_errlog_defer(scanent,
1279 string_sprintf("local/SCAN mode incompatible with" \
1280 " : in path to email filename [%s]", eml_filename));
1282 /* We have some network servers specified */
1285 /* Confirmed in ClamAV source (0.95.3) that the TCPAddr option of clamd
1286 * only supports AF_INET, but we should probably be looking to the
1287 * future and rewriting this to be protocol-independent anyway. */
1289 while (num_servers > 0)
1292 int current_server = random_number( num_servers );
1295 debug_printf("trying server name %s, port %u\n",
1296 clamd_address_vector[current_server]->tcp_addr,
1297 clamd_address_vector[current_server]->tcp_port);
1299 /* Lookup the host. This is to ensure that we connect to the same IP
1300 * on both connections (as one host could resolve to multiple ips) */
1301 sock= m_tcpsocket(clamd_address_vector[current_server]->tcp_addr,
1302 clamd_address_vector[current_server]->tcp_port,
1303 &connhost, &errstr);
1306 /* Connection successfully established with a server */
1307 hostname = clamd_address_vector[current_server]->tcp_addr;
1311 log_write(0, LOG_MAIN, "malware acl condition: %s: %s",
1312 scanent->name, errstr);
1314 /* Remove the server from the list. XXX We should free the memory */
1316 for (i = current_server; i < num_servers; i++)
1317 clamd_address_vector[i] = clamd_address_vector[i+1];
1320 if (num_servers == 0)
1321 return m_errlog_defer(scanent, US"all servers failed");
1325 if ((sock = ip_unixsocket(scanner_options, &errstr)) < 0)
1326 return m_errlog_defer(scanent, errstr);
1329 /* have socket in variable "sock"; command to use is semi-independent of
1330 * the socket protocol. We use SCAN if is local (either Unix/local
1331 * domain socket, or explicitly told local) else we stream the data.
1332 * How we stream the data depends upon how we were built. */
1334 if (!use_scan_command)
1336 #ifdef WITH_OLD_CLAMAV_STREAM
1337 /* "STREAM\n" command, get back a "PORT <N>\n" response, send data to
1338 * that port on a second connection; then in the scan-method-neutral
1339 * part, read the response back on the original connection. */
1341 DEBUG(D_acl) debug_printf(
1342 "Malware scan: issuing %s old-style remote scan (PORT)\n",
1345 /* Pass the string to ClamAV (7 = "STREAM\n") */
1346 if (m_sock_send(sock, US"STREAM\n", 7, &errstr) < 0)
1347 return m_errlog_defer(scanent, errstr);
1349 memset(av_buffer2, 0, sizeof(av_buffer2));
1350 bread = ip_recv(sock, av_buffer2, sizeof(av_buffer2), tmo-time(NULL));
1353 return m_errlog_defer_3(scanent,
1354 string_sprintf("unable to read PORT from socket (%s)",
1358 if (bread == sizeof(av_buffer2))
1359 return m_errlog_defer_3(scanent, "buffer too small", sock);
1362 return m_errlog_defer_3(scanent, "ClamAV returned null", sock);
1364 av_buffer2[bread] = '\0';
1365 if( sscanf(CS av_buffer2, "PORT %u\n", &port) != 1 )
1366 return m_errlog_defer_3(scanent,
1367 string_sprintf("Expected port information from clamd, got '%s'",
1371 sockData = m_tcpsocket(connhost.address, port, NULL, &errstr);
1373 return m_errlog_defer_3(scanent, errstr, sock);
1375 # define CLOSE_SOCKDATA (void)close(sockData)
1376 #else /* WITH_OLD_CLAMAV_STREAM not defined */
1377 /* New protocol: "zINSTREAM\n" followed by a sequence of <length><data>
1378 chunks, <n> a 4-byte number (network order), terminated by a zero-length
1381 DEBUG(D_acl) debug_printf(
1382 "Malware scan: issuing %s new-style remote scan (zINSTREAM)\n",
1385 /* Pass the string to ClamAV (10 = "zINSTREAM\0") */
1386 if (send(sock, "zINSTREAM", 10, 0) < 0)
1387 return m_errlog_defer_3(scanent,
1388 string_sprintf("unable to send zINSTREAM to socket (%s)",
1392 # define CLOSE_SOCKDATA /**/
1395 /* calc file size */
1396 if ((clam_fd = open(CS eml_filename, O_RDONLY)) < 0)
1400 return m_errlog_defer_3(scanent,
1401 string_sprintf("can't open spool file %s: %s",
1402 eml_filename, strerror(err)),
1405 if ((fsize = lseek(clam_fd, 0, SEEK_END)) < 0)
1408 CLOSE_SOCKDATA; (void)close(clam_fd);
1409 return m_errlog_defer_3(scanent,
1410 string_sprintf("can't seek spool file %s: %s",
1411 eml_filename, strerror(err)),
1414 fsize_uint = (unsigned int) fsize;
1415 if ((off_t)fsize_uint != fsize)
1417 CLOSE_SOCKDATA; (void)close(clam_fd);
1418 return m_errlog_defer_3(scanent,
1419 string_sprintf("seeking spool file %s, size overflow",
1423 lseek(clam_fd, 0, SEEK_SET);
1425 if (!(clamav_fbuf = (uschar *) malloc (fsize_uint)))
1427 CLOSE_SOCKDATA; (void)close(clam_fd);
1428 return m_errlog_defer_3(scanent,
1429 string_sprintf("unable to allocate memory %u for file (%s)",
1430 fsize_uint, eml_filename),
1434 if ((result = read(clam_fd, clamav_fbuf, fsize_uint)) < 0)
1437 free(clamav_fbuf); CLOSE_SOCKDATA; (void)close(clam_fd);
1438 return m_errlog_defer_3(scanent,
1439 string_sprintf("can't read spool file %s: %s",
1440 eml_filename, strerror(err)),
1443 (void)close(clam_fd);
1445 /* send file body to socket */
1446 #ifdef WITH_OLD_CLAMAV_STREAM
1447 if (send(sockData, clamav_fbuf, fsize_uint, 0) < 0)
1449 free(clamav_fbuf); CLOSE_SOCKDATA;
1450 return m_errlog_defer_3(scanent,
1451 string_sprintf("unable to send file body to socket (%s:%u)",
1456 send_size = htonl(fsize_uint);
1457 send_final_zeroblock = 0;
1458 if ((send(sock, &send_size, sizeof(send_size), 0) < 0) ||
1459 (send(sock, clamav_fbuf, fsize_uint, 0) < 0) ||
1460 (send(sock, &send_final_zeroblock, sizeof(send_final_zeroblock), 0) < 0))
1463 return m_errlog_defer_3(scanent,
1464 string_sprintf("unable to send file body to socket (%s)", hostname),
1472 #undef CLOSE_SOCKDATA
1475 { /* use scan command */
1476 /* Send a SCAN command pointing to a filename; then in the then in the
1477 * scan-method-neutral part, read the response back */
1479 /* ================================================================= */
1481 /* Prior to the reworking post-Exim-4.72, this scanned a directory,
1482 which dates to when ClamAV needed us to break apart the email into the
1483 MIME parts (eg, with the now deprecated demime condition coming first).
1484 Some time back, ClamAV gained the ability to deconstruct the emails, so
1485 doing this would actually have resulted in the mail attachments being
1486 scanned twice, in the broken out files and from the original .eml.
1487 Since ClamAV now handles emails (and has for quite some time) we can
1488 just use the email file itself. */
1489 /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */
1490 file_name = string_sprintf("SCAN %s\n", eml_filename);
1492 DEBUG(D_acl) debug_printf(
1493 "Malware scan: issuing %s local-path scan [%s]\n",
1494 scanner_name, scanner_options);
1496 if (send(sock, file_name, Ustrlen(file_name), 0) < 0)
1497 return m_errlog_defer_3(scanent,
1498 string_sprintf("unable to write to socket (%s)", strerror(errno)),
1501 /* Do not shut down the socket for writing; a user report noted that
1502 * clamd 0.70 does not react well to this. */
1504 /* Commands have been sent, no matter which scan method or connection
1505 * type we're using; now just read the result, independent of method. */
1507 /* Read the result */
1508 memset(av_buffer, 0, sizeof(av_buffer));
1509 bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
1514 return m_errlog_defer(scanent,
1515 string_sprintf("unable to read from socket (%s)",
1516 errno == 0 ? "EOF" : strerror(errno)));
1518 if (bread == sizeof(av_buffer))
1519 return m_errlog_defer(scanent, US"buffer too small");
1520 /* We're now assured of a NULL at the end of av_buffer */
1522 /* Check the result. ClamAV returns one of two result formats.
1523 In the basic mode, the response is of the form:
1524 infected: -> "<filename>: <virusname> FOUND"
1525 not-infected: -> "<filename>: OK"
1526 error: -> "<filename>: <errcode> ERROR
1527 If the ExtendedDetectionInfo option has been turned on, then we get:
1528 "<filename>: <virusname>(<virushash>:<virussize>) FOUND"
1529 for the infected case. Compare:
1530 /tmp/eicar.com: Eicar-Test-Signature FOUND
1531 /tmp/eicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
1533 In the streaming case, clamd uses the filename "stream" which you should
1534 be able to verify with { ktrace clamdscan --stream /tmp/eicar.com }. (The
1535 client app will replace "stream" with the original filename before returning
1536 results to stdout, but the trace shows the data).
1538 We will assume that the pathname passed to clamd from Exim does not contain
1539 a colon. We will have whined loudly above if the eml_filename does (and we're
1540 passing a filename to clamd). */
1543 return m_errlog_defer(scanent, US"ClamAV returned null");
1545 /* strip newline at the end (won't be present for zINSTREAM)
1546 (also any trailing whitespace, which shouldn't exist, but we depend upon
1547 this below, so double-check) */
1548 p = av_buffer + Ustrlen(av_buffer) - 1;
1549 if (*p == '\n') *p = '\0';
1551 DEBUG(D_acl) debug_printf("Malware response: %s\n", av_buffer);
1553 while (isspace(*--p) && (p > av_buffer))
1558 /* colon in returned output? */
1559 if((p = Ustrchr(av_buffer,':')) == NULL)
1560 return m_errlog_defer(scanent, string_sprintf(
1561 "ClamAV returned malformed result (missing colon): %s",
1564 /* strip filename */
1565 while (*p && isspace(*++p)) /**/;
1568 /* It would be bad to encounter a virus with "FOUND" in part of the name,
1569 but we should at least be resistant to it. */
1570 p = Ustrrchr(vname, ' ');
1571 result_tag = p ? p+1 : vname;
1573 if (Ustrcmp(result_tag, "FOUND") == 0)
1575 /* p should still be the whitespace before the result_tag */
1576 while (isspace(*p)) --p;
1578 /* Strip off the extended information too, which will be in parens
1579 after the virus name, with no intervening whitespace. */
1582 /* "(hash:size)", so previous '(' will do; if not found, we have
1583 a curious virus name, but not an error. */
1584 p = Ustrrchr(vname, '(');
1588 malware_name = string_copy(vname);
1589 DEBUG(D_acl) debug_printf("Malware found, name \"%s\"\n", malware_name);
1592 else if (Ustrcmp(result_tag, "ERROR") == 0)
1593 return m_errlog_defer(scanent,
1594 string_sprintf("ClamAV returned: %s", av_buffer));
1596 else if (Ustrcmp(result_tag, "OK") == 0)
1598 /* Everything should be OK */
1599 malware_name = NULL;
1600 DEBUG(D_acl) debug_printf("Malware not found\n");
1604 return m_errlog_defer(scanent,
1605 string_sprintf("unparseable response from ClamAV: {%s}", av_buffer));
1610 case M_SOCK: /* "sock" scanner type ------------------------------------- */
1611 /* This code was derived by Martin Poole from the clamd code contributed
1612 by David Saez and the cmdline code
1616 uschar * commandline;
1617 uschar av_buffer[1024];
1618 uschar * linebuffer;
1619 uschar * sockline_scanner;
1620 uschar sockline_scanner_default[] = "%s\n";
1621 const pcre *sockline_trig_re;
1622 const pcre *sockline_name_re;
1624 /* find scanner command line */
1625 if ((sockline_scanner = string_nextinlist(&av_scanner_work, &sep,
1627 { /* check for no expansions apart from one %s */
1628 uschar * s = Ustrchr(sockline_scanner, '%');
1630 if ((*s != 's' && *s != '%') || Ustrchr(s+1, '%'))
1631 return m_errlog_defer_3(scanent,
1632 US"unsafe sock scanner call spec", sock);
1635 sockline_scanner = sockline_scanner_default;
1637 /* find scanner output trigger */
1638 sockline_trig_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1639 "missing trigger specification", &errstr);
1640 if (!sockline_trig_re)
1641 return m_errlog_defer_3(scanent, errstr, sock);
1643 /* find virus name regex */
1644 sockline_name_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1645 "missing virus name regex specification", &errstr);
1646 if (!sockline_name_re)
1647 return m_errlog_defer_3(scanent, errstr, sock);
1649 /* prepare scanner call - security depends on expansions check above */
1650 commandline = string_sprintf("%s/scan/%s/%s.eml", spool_directory, message_id, message_id);
1651 commandline = string_sprintf( CS sockline_scanner, CS commandline);
1654 /* Pass the command string to the socket */
1655 if (m_sock_send(sock, commandline, Ustrlen(commandline), &errstr) < 0)
1656 return m_errlog_defer(scanent, errstr);
1658 /* Read the result */
1659 bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
1662 return m_errlog_defer_3(scanent,
1663 string_sprintf("unable to read from socket (%s)", strerror(errno)),
1666 if (bread == sizeof(av_buffer))
1667 return m_errlog_defer_3(scanent, US"buffer too small", sock);
1668 av_buffer[bread] = '\0';
1669 linebuffer = string_copy(av_buffer);
1671 /* try trigger match */
1672 if (regex_match_and_setup(sockline_trig_re, linebuffer, 0, -1))
1674 if (!(malware_name = m_pcre_exec(sockline_name_re, av_buffer)))
1675 malware_name = US "unknown";
1677 else /* no virus found */
1678 malware_name = NULL;
1682 case M_MKSD: /* "mksd" scanner type ------------------------------------- */
1684 char *mksd_options_end;
1685 int mksd_maxproc = 1; /* default, if no option supplied */
1688 if (scanner_options)
1690 mksd_maxproc = (int)strtol(CS scanner_options, &mksd_options_end, 10);
1691 if ( *scanner_options == '\0'
1692 || *mksd_options_end != '\0'
1694 || mksd_maxproc > 32
1696 return m_errlog_defer(scanent,
1697 string_sprintf("invalid option '%s'", scanner_options));
1700 if((sock = ip_unixsocket(US "/var/run/mksd/socket", &errstr)) < 0)
1701 return m_errlog_defer(scanent, errstr);
1703 malware_name = NULL;
1705 DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan\n", scanner_name);
1707 if ((retval = mksd_scan_packed(scanent, sock, eml_filename, tmo)) != OK)
1715 case M_AVAST: /* "avast" scanner type ----------------------------------- */
1719 uschar * scanrequest;
1720 enum {AVA_HELO, AVA_OPT, AVA_RSP, AVA_DONE} avast_stage;
1723 /* According to Martin Tuma @avast the protocol uses "escaped
1724 whitespace", that is, every embedded whitespace is backslash
1725 escaped, as well as backslash is protected by backslash.
1726 The returned lines contain the name of the scanned file, a tab
1730 [E] - some error occured
1731 Such marker follows the first non-escaped TAB. */
1732 if ( ( !ava_re_clean
1733 && !(ava_re_clean = m_pcre_compile(ava_re_clean_str, &errstr)))
1735 && !(ava_re_virus = m_pcre_compile(ava_re_virus_str, &errstr)))
1737 return malware_errlog_defer(errstr);
1739 /* wait for result */
1740 for (avast_stage = AVA_HELO;
1741 (nread = recv_line(sock, buf, sizeof(buf), tmo)) > 0;
1744 int slen = Ustrlen(buf);
1747 DEBUG(D_acl) debug_printf("got from avast: %s\n", buf);
1748 switch (avast_stage)
1751 if (Ustrncmp(buf, "220", 3) != 0)
1752 goto endloop; /* require a 220 */
1756 if (Ustrncmp(buf, "210", 3) == 0)
1757 break; /* ignore 210 responses */
1758 if (Ustrncmp(buf, "200", 3) != 0)
1759 goto endloop; /* require a 200 */
1764 /* Check for another option to send. Newline-terminate it. */
1765 if ((scanrequest = string_nextinlist(&av_scanner_work, &sep,
1768 scanrequest = string_sprintf("%s\n", scanrequest);
1769 avast_stage = AVA_OPT; /* just sent option */
1773 scanrequest = string_sprintf("SCAN %s/scan/%s\n",
1774 spool_directory, message_id);
1775 avast_stage = AVA_RSP; /* just sent command */
1778 /* send config-cmd or scan-request to socket */
1779 len = Ustrlen(scanrequest);
1780 if (send(sock, scanrequest, len, 0) < 0)
1782 scanrequest[len-1] = '\0';
1783 return m_errlog_defer_3(scanent, string_sprintf(
1784 "unable to send request '%s' to socket (%s): %s",
1785 scanrequest, scanner_options, strerror(errno)), sock);
1791 if (Ustrncmp(buf, "210", 3) == 0)
1792 break; /* ignore the "210 SCAN DATA" message */
1794 if (pcre_exec(ava_re_clean, NULL, CS buf, slen,
1795 0, 0, ovector, nelements(ovector)) > 0)
1798 if ((malware_name = m_pcre_exec(ava_re_virus, buf)))
1799 { /* remove backslash in front of [whitespace|backslash] */
1801 for (p = malware_name; *p; ++p)
1802 if (*p == '\\' && (isspace(p[1]) || p[1] == '\\'))
1803 for (p0 = p; *p0; ++p0) *p0 = p0[1];
1805 avast_stage = AVA_DONE;
1809 if (Ustrncmp(buf, "200 SCAN OK", 11) == 0)
1810 { /* we're done finally */
1811 if (send(sock, "QUIT\n", 5, 0) < 0) /* courtesy */
1812 return m_errlog_defer_3(scanent, string_sprintf(
1813 "unable to send quit request to socket (%s): %s",
1814 scanner_options, strerror(errno)),
1816 malware_name = NULL;
1817 avast_stage = AVA_DONE;
1821 /* here for any unexpected response from the scanner */
1832 case AVA_RSP: return m_errlog_defer_3(scanent,
1835 "invalid response from scanner: '%s'", buf)
1837 ? US"EOF from scanner"
1838 : US"timeout from scanner",
1844 } /* scanner type switch */
1847 (void) close (sock);
1848 malware_ok = TRUE; /* set "been here, done that" marker */
1851 /* match virus name against pattern (caseless ------->----------v) */
1852 if (malware_name && regex_match_and_setup(re, malware_name, 0, -1))
1854 DEBUG(D_acl) debug_printf(
1855 "Matched regex to malware [%s] [%s]\n", malware_re, malware_name);
1863 /*************************************************
1864 * Scan an email for malware *
1865 *************************************************/
1867 /* This is the normal interface for scanning an email, which doesn't need a
1868 filename; it's a wrapper around the malware_file function.
1871 malware_re match condition for "malware="
1872 timeout if nonzero, timeout in seconds
1874 Returns: Exim message processing code (OK, FAIL, DEFER, ...)
1875 where true means malware was found (condition applies)
1878 malware(const uschar * malware_re, int timeout)
1880 uschar * scan_filename;
1883 scan_filename = string_sprintf("%s/scan/%s/%s.eml",
1884 spool_directory, message_id, message_id);
1885 ret = malware_internal(malware_re, scan_filename, timeout, FALSE);
1886 if (ret == DEFER) av_failed = TRUE;
1892 /*************************************************
1893 * Scan a file for malware *
1894 *************************************************/
1896 /* This is a test wrapper for scanning an email, which is not used in
1897 normal processing. Scan any file, using the Exim scanning interface.
1898 This function tampers with various global variables so is unsafe to use
1899 in any other context.
1902 eml_filename a file holding the message to be scanned
1904 Returns: Exim message processing code (OK, FAIL, DEFER, ...)
1905 where true means malware was found (condition applies)
1908 malware_in_file(uschar *eml_filename)
1910 uschar message_id_buf[64];
1913 /* spool_mbox() assumes various parameters exist, when creating
1914 the relevant directory and the email within */
1915 (void) string_format(message_id_buf, sizeof(message_id_buf),
1916 "dummy-%d", vaguely_random_number(INT_MAX));
1917 message_id = message_id_buf;
1918 sender_address = US"malware-sender@example.net";
1920 recipients_list = NULL;
1921 receive_add_recipient(US"malware-victim@example.net", -1);
1922 enable_dollar_recipients = TRUE;
1924 ret = malware_internal(US"*", eml_filename, 0, TRUE);
1926 Ustrncpy(spooled_message_id, message_id, sizeof(spooled_message_id));
1928 /* don't set no_mbox_unspool; at present, there's no way for it to become
1929 set, but if that changes, then it should apply to these tests too */
1932 /* silence static analysis tools */
1942 if (!malware_default_re)
1943 malware_default_re = regex_must_compile(malware_regex_default, FALSE, TRUE);
1945 drweb_re = regex_must_compile(drweb_re_str, FALSE, TRUE);
1947 fsec_re = regex_must_compile(fsec_re_str, FALSE, TRUE);
1949 kav_re_sus = regex_must_compile(kav_re_sus_str, FALSE, TRUE);
1951 kav_re_inf = regex_must_compile(kav_re_inf_str, FALSE, TRUE);
1953 ava_re_clean = regex_must_compile(ava_re_clean_str, FALSE, TRUE);
1955 ava_re_virus = regex_must_compile(ava_re_virus_str, FALSE, TRUE);
1958 #endif /*WITH_CONTENT_SCAN*/