1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003-2014 */
8 /* Code for calling virus (malware) scanners. Called from acl.c. */
11 #ifdef WITH_CONTENT_SCAN
13 typedef enum {M_FPROTD, M_DRWEB, M_AVES, M_FSEC, M_KAVD, M_CMDL,
14 M_SOPHIE, M_CLAMD, M_SOCK, M_MKSD, M_AVAST} scanner_t;
15 typedef enum {MC_NONE, MC_TCP, MC_UNIX, MC_STRM} contype_t;
20 const uschar * options_default;
24 { M_FPROTD, US"f-protd", US"localhost 10200-10204", MC_TCP },
25 { M_DRWEB, US"drweb", US"/usr/local/drweb/run/drwebd.sock", MC_STRM },
26 { M_AVES, US"aveserver", US"/var/run/aveserver", MC_UNIX },
27 { M_FSEC, US"fsecure", US"/var/run/.fsav", MC_UNIX },
28 { M_KAVD, US"kavdaemon", US"/var/run/AvpCtl", MC_UNIX },
29 { M_CMDL, US"cmdline", NULL, MC_NONE },
30 { M_SOPHIE, US"sophie", US"/var/run/sophie", MC_UNIX },
31 { M_CLAMD, US"clamd", US"/tmp/clamd", MC_NONE },
32 { M_SOCK, US"sock", US"/tmp/malware.sock", MC_STRM },
33 { M_MKSD, US"mksd", NULL, MC_NONE },
34 { M_AVAST, US"avast", US"/var/run/avast/scan.sock", MC_STRM },
35 { -1, NULL, NULL, MC_NONE } /* end-marker */
38 /* The maximum number of clamd servers that are supported in the configuration */
39 #define MAX_CLAMD_SERVERS 32
40 #define MAX_CLAMD_SERVERS_S "32"
42 typedef struct clamd_address {
49 # define nelements(arr) (sizeof(arr) / sizeof(arr[0]))
53 #define MALWARE_TIMEOUT 120 /* default timeout, seconds */
56 #define DRWEBD_SCAN_CMD (1) /* scan file, buffer or diskfile */
57 #define DRWEBD_RETURN_VIRUSES (1<<0) /* ask daemon return to us viruses names from report */
58 #define DRWEBD_IS_MAIL (1<<19) /* say to daemon that format is "archive MAIL" */
60 #define DERR_READ_ERR (1<<0) /* read error */
61 #define DERR_NOMEMORY (1<<2) /* no memory */
62 #define DERR_TIMEOUT (1<<9) /* scan timeout has run out */
63 #define DERR_BAD_CALL (1<<15) /* wrong command */
66 static const uschar * malware_regex_default = US ".+";
67 static const pcre * malware_default_re = NULL;
69 static const uschar * drweb_re_str = US "infected\\swith\\s*(.+?)$";
70 static const pcre * drweb_re = NULL;
72 static const uschar * fsec_re_str = US "\\S{0,5}INFECTED\\t[^\\t]*\\t([^\\t]+)\\t\\S*$";
73 static const pcre * fsec_re = NULL;
75 static const uschar * kav_re_sus_str = US "suspicion:\\s*(.+?)\\s*$";
76 static const uschar * kav_re_inf_str = US "infected:\\s*(.+?)\\s*$";
77 static const pcre * kav_re_sus = NULL;
78 static const pcre * kav_re_inf = NULL;
80 static const uschar * ava_re_clean_str = US "(?!\\\\)\\t\\[\\+\\]";
81 static const uschar * ava_re_virus_str = US "(?!\\\\)\\t\\[L\\]\\d\\.\\d\\t\\d\\s(.*)";
82 static const pcre * ava_re_clean = NULL;
83 static const pcre * ava_re_virus = NULL;
87 /******************************************************************************/
89 /* Routine to check whether a system is big- or little-endian.
90 Ripped from http://www.faqs.org/faqs/graphics/fileformats-faq/part4/section-7.html
91 Needed for proper kavdaemon implementation. Sigh. */
92 #define BIG_MY_ENDIAN 0
93 #define LITTLE_MY_ENDIAN 1
94 static int test_byte_order(void);
98 short int word = 0x0001;
99 char *byte = (char *) &word;
100 return(byte[0] ? LITTLE_MY_ENDIAN : BIG_MY_ENDIAN);
103 BOOL malware_ok = FALSE;
105 /* Gross hacks for the -bmalware option; perhaps we should just create
106 the scan directory normally for that case, but look into rigging up the
107 needed header variables if not already set on the command-line? */
108 extern int spool_mbox_ok;
109 extern uschar spooled_message_id[17];
114 malware_errlog_defer(const uschar * str)
116 log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: %s", str);
121 m_errlog_defer(struct scan * scanent, const uschar * str)
123 return malware_errlog_defer(string_sprintf("%s: %s", scanent->name, str));
126 m_errlog_defer_3(struct scan * scanent, const uschar * str,
129 (void) close(fd_to_close);
130 return m_errlog_defer(scanent, str);
133 /*************************************************/
135 /* Only used by the Clamav code, which is working from a list of servers and
136 uses the returned in_addr to get a second connection to the same system.
139 m_tcpsocket(const uschar * hostname, unsigned int port,
140 host_item * host, uschar ** errstr)
142 return ip_connectedsocket(SOCK_STREAM, hostname, port, port, 5, host, errstr);
146 m_sock_send(int sock, uschar * buf, int cnt, uschar ** errstr)
148 if (send(sock, buf, cnt, 0) < 0)
152 *errstr = string_sprintf("unable to send to socket (%s): %s",
160 m_pcre_compile(const uschar * re, uschar ** errstr)
162 const uschar * rerror;
166 cre = pcre_compile(CS re, PCRE_COPT, (const char **)&rerror, &roffset, NULL);
168 *errstr= string_sprintf("regular expression error in '%s': %s at offset %d",
169 re, rerror, roffset);
174 m_pcre_exec(const pcre * cre, uschar * text)
177 int i = pcre_exec(cre, NULL, CS text, Ustrlen(text), 0, 0,
178 ovector, nelements(ovector));
179 uschar * substr = NULL;
180 if (i >= 2) /* Got it */
181 pcre_get_substring(CS text, ovector, i, 1, (const char **) &substr);
186 m_pcre_nextinlist(const uschar ** list, int * sep,
187 char * listerr, uschar ** errstr)
189 const uschar * list_ele;
190 const pcre * cre = NULL;
192 if (!(list_ele = string_nextinlist(list, sep, NULL, 0)))
193 *errstr = US listerr;
195 cre = m_pcre_compile(CUS list_ele, errstr);
200 Simple though inefficient wrapper for reading a line. Drop CRs and the
201 trailing newline. Can return early on buffer full. Null-terminate.
202 Apply initial timeout if no data ready.
204 Return: number of chars - zero for an empty line
206 -2 on timeout or error
209 recv_line(int fd, uschar * buffer, int bsize, int tmo)
215 if (!fd_ready(fd, tmo-time(NULL)))
218 /*XXX tmo handling assumes we always get a whole line */
221 while ((rcv = read(fd, p, 1)) > 0)
224 if (p-buffer > bsize-2) break;
225 if (*p == '\n') break;
230 DEBUG(D_acl) debug_printf("Malware scan: read %s (%s)\n",
231 rcv==0 ? "EOF" : "error", strerror(errno));
232 return rcv==0 ? -1 : -2;
236 DEBUG(D_acl) debug_printf("Malware scan: read '%s'\n", buffer);
240 /* return TRUE iff size as requested */
242 recv_len(int sock, void * buf, int size, int tmo)
244 return fd_ready(sock, tmo-time(NULL))
245 ? recv(sock, buf, size, 0) == size
251 /* ============= private routines for the "mksd" scanner type ============== */
256 mksd_writev (int sock, struct iovec * iov, int iovcnt)
263 i = writev (sock, iov, iovcnt);
264 while (i < 0 && errno == EINTR);
267 (void) malware_errlog_defer(
268 US"unable to write to mksd UNIX socket (/var/run/mksd/socket)");
271 for (;;) /* check for short write */
272 if (i >= iov->iov_len)
282 iov->iov_base = CS iov->iov_base + i;
289 mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size, int tmo)
296 i = ip_recv(sock, av_buffer+offset, av_buffer_size-offset, tmo-time(NULL));
299 (void) malware_errlog_defer(US"unable to read from mksd UNIX socket (/var/run/mksd/socket)");
304 /* offset == av_buffer_size -> buffer full */
305 if (offset == av_buffer_size)
307 (void) malware_errlog_defer(US"malformed reply received from mksd");
310 } while (av_buffer[offset-1] != '\n');
312 av_buffer[offset] = '\0';
317 mksd_parse_line(struct scan * scanent, char * line)
328 if ((p = strchr (line, '\n')) != NULL)
330 return m_errlog_defer(scanent,
331 string_sprintf("scanner failed: %s", line));
334 if ((p = strchr (line, '\n')) != NULL)
339 && (p = strchr(line+4, ' ')) != NULL
344 malware_name = string_copy(US line+4);
348 return m_errlog_defer(scanent,
349 string_sprintf("malformed reply received: %s", line));
354 mksd_scan_packed(struct scan * scanent, int sock, const uschar * scan_filename,
358 const char *cmd = "MSQ\n";
359 uschar av_buffer[1024];
361 iov[0].iov_base = (void *) cmd;
363 iov[1].iov_base = (void *) scan_filename;
364 iov[1].iov_len = Ustrlen(scan_filename);
365 iov[2].iov_base = (void *) (cmd + 3);
368 if (mksd_writev (sock, iov, 3) < 0)
371 if (mksd_read_lines (sock, av_buffer, sizeof (av_buffer), tmo) < 0)
374 return mksd_parse_line (scanent, CS av_buffer);
379 clamd_option(clamd_address * cd, const uschar * optstr, int * subsep)
384 while ((s = string_nextinlist(&optstr, subsep, NULL, 0)))
385 if (Ustrncmp(s, "retry=", 6) == 0)
387 int sec = readconf_readtime((s += 6), '\0', FALSE);
397 /*************************************************
398 * Scan content for malware *
399 *************************************************/
401 /* This is an internal interface for scanning an email; the normal interface
402 is via malware(), or there's malware_in_file() used for testing/debugging.
405 malware_re match condition for "malware="
406 eml_filename the file holding the email to be scanned
407 timeout if nonzero, non-default timeoutl
408 faking whether or not we're faking this up for the -bmalware test
410 Returns: Exim message processing code (OK, FAIL, DEFER, ...)
411 where true means malware was found (condition applies)
414 malware_internal(const uschar * malware_re, const uschar * eml_filename,
415 int timeout, BOOL faking)
418 const uschar *av_scanner_work = av_scanner;
419 uschar *scanner_name;
420 unsigned long mbox_size;
424 struct scan * scanent;
425 const uschar * scanner_options;
429 /* make sure the eml mbox file is spooled up */
430 if (!(mbox_file = spool_mbox(&mbox_size, faking ? eml_filename : NULL)))
431 return malware_errlog_defer(US"error while creating mbox spool file");
433 /* none of our current scanners need the mbox
434 file as a stream, so we can close it right away */
435 (void)fclose(mbox_file);
438 return FAIL; /* empty means "don't match anything" */
440 /* parse 1st option */
441 if ( (strcmpic(malware_re, US"false") == 0) ||
442 (Ustrcmp(malware_re,"0") == 0) )
443 return FAIL; /* explicitly no matching */
445 /* special cases (match anything except empty) */
446 if ( strcmpic(malware_re,US"true") == 0
447 || Ustrcmp(malware_re,"*") == 0
448 || Ustrcmp(malware_re,"1") == 0
451 if ( !malware_default_re
452 && !(malware_default_re = m_pcre_compile(malware_regex_default, &errstr)))
453 return malware_errlog_defer(errstr);
454 malware_re = malware_regex_default;
455 re = malware_default_re;
458 /* compile the regex, see if it works */
459 else if (!(re = m_pcre_compile(malware_re, &errstr)))
460 return malware_errlog_defer(errstr);
462 /* Reset sep that is set by previous string_nextinlist() call */
465 /* if av_scanner starts with a dollar, expand it first */
466 if (*av_scanner == '$')
468 if (!(av_scanner_work = expand_string(av_scanner)))
469 return malware_errlog_defer(
470 string_sprintf("av_scanner starts with $, but expansion failed: %s",
471 expand_string_message));
474 debug_printf("Expanded av_scanner global: %s\n", av_scanner_work);
475 /* disable result caching in this case */
480 /* Do not scan twice (unless av_scanner is dynamic). */
483 /* find the scanner type from the av_scanner option */
484 if (!(scanner_name = string_nextinlist(&av_scanner_work, &sep, NULL, 0)))
485 return malware_errlog_defer(US"av_scanner configuration variable is empty");
486 if (!timeout) timeout = MALWARE_TIMEOUT;
487 tmo = time(NULL) + timeout;
489 for (scanent = m_scans; ; scanent++)
492 return malware_errlog_defer(string_sprintf("unknown scanner type '%s'",
494 if (strcmpic(scanner_name, US scanent->name) != 0)
496 if (!(scanner_options = string_nextinlist(&av_scanner_work, &sep, NULL, 0)))
497 scanner_options = scanent->options_default;
498 if (scanent->conn == MC_NONE)
500 switch(scanent->conn)
502 case MC_TCP: sock = ip_tcpsocket(scanner_options, &errstr, 5); break;
503 case MC_UNIX: sock = ip_unixsocket(scanner_options, &errstr); break;
504 case MC_STRM: sock = ip_streamsocket(scanner_options, &errstr, 5); break;
505 default: /* compiler quietening */ break;
508 return m_errlog_defer(scanent, errstr);
511 DEBUG(D_acl) debug_printf("Malware scan: %s tmo %s\n", scanner_name, readconf_printtime(timeout));
513 switch (scanent->scancode)
515 case M_FPROTD: /* "f-protd" scanner type -------------------------------- */
517 uschar *fp_scan_option;
518 unsigned int detected=0, par_count=0;
519 uschar * scanrequest;
520 uschar buf[32768], *strhelper, *strhelper2;
521 uschar * malware_name_internal = NULL;
524 scanrequest = string_sprintf("GET %s", eml_filename);
526 while ((fp_scan_option = string_nextinlist(&av_scanner_work, &sep,
529 scanrequest = string_sprintf("%s%s%s", scanrequest,
530 par_count ? "%20" : "?", fp_scan_option);
533 scanrequest = string_sprintf("%s HTTP/1.0\r\n\r\n", scanrequest);
534 DEBUG(D_acl) debug_printf("Malware scan: issuing %s: %s\n",
535 scanner_name, scanrequest);
537 /* send scan request */
538 if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0)
539 return m_errlog_defer(scanent, errstr);
541 while ((len = recv_line(sock, buf, sizeof(buf), tmo)) >= 0)
544 if (Ustrstr(buf, US"<detected type=\"") != NULL)
546 else if (detected && (strhelper = Ustrstr(buf, US"<name>")))
548 if ((strhelper2 = Ustrstr(buf, US"</name>")) != NULL)
551 malware_name_internal = string_copy(strhelper+6);
554 else if (Ustrstr(buf, US"<summary code=\""))
556 malware_name = Ustrstr(buf, US"<summary code=\"11\">")
557 ? malware_name_internal : NULL;
569 case M_DRWEB: /* "drweb" scanner type ----------------------------------- */
570 /* v0.1 - added support for tcp sockets */
571 /* v0.0 - initial release -- support for unix sockets */
575 unsigned int fsize_uint;
576 uschar * tmpbuf, *drweb_fbuf;
577 int drweb_rc, drweb_cmd, drweb_flags = 0x0000, drweb_fd,
578 drweb_vnum, drweb_slen, drweb_fin = 0x0000;
580 /* prepare variables */
581 drweb_cmd = htonl(DRWEBD_SCAN_CMD);
582 drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL);
584 if (*scanner_options != '/')
587 if ((drweb_fd = open(CCS eml_filename, O_RDONLY)) == -1)
588 return m_errlog_defer_3(scanent,
589 string_sprintf("can't open spool file %s: %s",
590 eml_filename, strerror(errno)),
593 if ((fsize = lseek(drweb_fd, 0, SEEK_END)) == -1)
596 (void)close(drweb_fd);
597 return m_errlog_defer_3(scanent,
598 string_sprintf("can't seek spool file %s: %s",
599 eml_filename, strerror(err)),
602 fsize_uint = (unsigned int) fsize;
603 if ((off_t)fsize_uint != fsize)
605 (void)close(drweb_fd);
606 return m_errlog_defer_3(scanent,
607 string_sprintf("seeking spool file %s, size overflow",
611 drweb_slen = htonl(fsize);
612 lseek(drweb_fd, 0, SEEK_SET);
614 DEBUG(D_acl) debug_printf("Malware scan: issuing %s remote scan [%s]\n",
615 scanner_name, scanner_options);
617 /* send scan request */
618 if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
619 (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
620 (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0) ||
621 (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0))
623 (void)close(drweb_fd);
624 return m_errlog_defer_3(scanent, string_sprintf(
625 "unable to send commands to socket (%s)", scanner_options),
629 if (!(drweb_fbuf = (uschar *) malloc (fsize_uint)))
631 (void)close(drweb_fd);
632 return m_errlog_defer_3(scanent,
633 string_sprintf("unable to allocate memory %u for file (%s)",
634 fsize_uint, eml_filename),
638 if ((result = read (drweb_fd, drweb_fbuf, fsize)) == -1)
641 (void)close(drweb_fd);
643 return m_errlog_defer_3(scanent,
644 string_sprintf("can't read spool file %s: %s",
645 eml_filename, strerror(err)),
648 (void)close(drweb_fd);
650 /* send file body to socket */
651 if (send(sock, drweb_fbuf, fsize, 0) < 0)
654 return m_errlog_defer_3(scanent, string_sprintf(
655 "unable to send file body to socket (%s)", scanner_options),
658 (void)close(drweb_fd);
662 drweb_slen = htonl(Ustrlen(eml_filename));
664 DEBUG(D_acl) debug_printf("Malware scan: issuing %s local scan [%s]\n",
665 scanner_name, scanner_options);
667 /* send scan request */
668 if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
669 (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
670 (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0) ||
671 (send(sock, eml_filename, Ustrlen(eml_filename), 0) < 0) ||
672 (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0))
673 return m_errlog_defer_3(scanent, string_sprintf(
674 "unable to send commands to socket (%s)", scanner_options),
678 /* wait for result */
679 if (!recv_len(sock, &drweb_rc, sizeof(drweb_rc), tmo))
680 return m_errlog_defer_3(scanent,
681 US"unable to read return code", sock);
682 drweb_rc = ntohl(drweb_rc);
684 if (!recv_len(sock, &drweb_vnum, sizeof(drweb_vnum), tmo))
685 return m_errlog_defer_3(scanent,
686 US"unable to read the number of viruses", sock);
687 drweb_vnum = ntohl(drweb_vnum);
689 /* "virus(es) found" if virus number is > 0 */
694 /* setup default virus name */
695 malware_name = US"unknown";
697 /* set up match regex */
699 drweb_re = m_pcre_compile(drweb_re_str, &errstr);
701 /* read and concatenate virus names into one string */
702 for (i = 0; i < drweb_vnum; i++)
704 int size = 0, off = 0, ovector[10*3];
705 /* read the size of report */
706 if (!recv_len(sock, &drweb_slen, sizeof(drweb_slen), tmo))
707 return m_errlog_defer_3(scanent,
708 US"cannot read report size", sock);
709 drweb_slen = ntohl(drweb_slen);
710 tmpbuf = store_get(drweb_slen);
712 /* read report body */
713 if (!recv_len(sock, tmpbuf, drweb_slen, tmo))
714 return m_errlog_defer_3(scanent,
715 US"cannot read report string", sock);
716 tmpbuf[drweb_slen] = '\0';
718 /* try matcher on the line, grab substring */
719 result = pcre_exec(drweb_re, NULL, CS tmpbuf, Ustrlen(tmpbuf), 0, 0,
720 ovector, nelements(ovector));
723 const char * pre_malware_nb;
725 pcre_get_substring(CS tmpbuf, ovector, result, 1, &pre_malware_nb);
727 if (i==0) /* the first name we just copy to malware_name */
728 malware_name = string_append(NULL, &size, &off,
731 else /* concatenate each new virus name to previous */
732 malware_name = string_append(malware_name, &size, &off,
733 2, "/", pre_malware_nb);
735 pcre_free_substring(pre_malware_nb);
741 const char *drweb_s = NULL;
743 if (drweb_rc & DERR_READ_ERR) drweb_s = "read error";
744 if (drweb_rc & DERR_NOMEMORY) drweb_s = "no memory";
745 if (drweb_rc & DERR_TIMEOUT) drweb_s = "timeout";
746 if (drweb_rc & DERR_BAD_CALL) drweb_s = "wrong command";
747 /* retcodes DERR_SYMLINK, DERR_NO_REGFILE, DERR_SKIPPED.
748 * DERR_TOO_BIG, DERR_TOO_COMPRESSED, DERR_SPAM,
749 * DERR_CRC_ERROR, DERR_READSOCKET, DERR_WRITE_ERR
750 * and others are ignored */
752 return m_errlog_defer_3(scanent,
753 string_sprintf("drweb daemon retcode 0x%x (%s)", drweb_rc, drweb_s),
762 case M_AVES: /* "aveserver" scanner type -------------------------------- */
767 /* read aveserver's greeting and see if it is ready (2xx greeting) */
769 recv_line(sock, buf, sizeof(buf), tmo);
771 if (buf[0] != '2') /* aveserver is having problems */
772 return m_errlog_defer_3(scanent,
773 string_sprintf("unavailable (Responded: %s).",
774 ((buf[0] != 0) ? buf : (uschar *)"nothing") ),
777 /* prepare our command */
778 (void)string_format(buf, sizeof(buf), "SCAN bPQRSTUW %s\r\n",
782 DEBUG(D_acl) debug_printf("Malware scan: issuing %s %s\n",
784 if (m_sock_send(sock, buf, Ustrlen(buf), &errstr) < 0)
785 return m_errlog_defer(scanent, errstr);
789 /* read response lines, find malware name and final response */
790 while (recv_line(sock, buf, sizeof(buf), tmo) > 0)
794 if (buf[0] == '5') /* aveserver is having problems */
796 result = m_errlog_defer(scanent,
797 string_sprintf("unable to scan file %s (Responded: %s).",
801 if (Ustrncmp(buf,"322",3) == 0)
803 uschar *p = Ustrchr(&buf[4], ' ');
805 malware_name = string_copy(&buf[4]);
809 if (m_sock_send(sock, US"quit\r\n", 6, &errstr) < 0)
810 return m_errlog_defer(scanent, errstr);
812 /* read aveserver's greeting and see if it is ready (2xx greeting) */
814 recv_line(sock, buf, sizeof(buf), tmo);
816 if (buf[0] != '2') /* aveserver is having problems */
817 return m_errlog_defer_3(scanent,
818 string_sprintf("unable to quit dialogue (Responded: %s).",
819 ((buf[0] != 0) ? buf : (uschar *)"nothing") ),
830 case M_FSEC: /* "fsecure" scanner type ---------------------------------- */
834 uschar av_buffer[1024];
835 static uschar *cmdopt[] = { US"CONFIGURE\tARCHIVE\t1\n",
836 US"CONFIGURE\tTIMEOUT\t0\n",
837 US"CONFIGURE\tMAXARCH\t5\n",
838 US"CONFIGURE\tMIME\t1\n" };
842 DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
843 scanner_name, scanner_options);
845 memset(av_buffer, 0, sizeof(av_buffer));
846 for (i = 0; i != nelements(cmdopt); i++)
849 if (m_sock_send(sock, cmdopt[i], Ustrlen(cmdopt[i]), &errstr) < 0)
850 return m_errlog_defer(scanent, errstr);
852 bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
853 if (bread > 0) av_buffer[bread]='\0';
855 return m_errlog_defer_3(scanent,
856 string_sprintf("unable to read answer %d (%s)", i, strerror(errno)),
858 for (j = 0; j < bread; j++)
859 if (av_buffer[j] == '\r' || av_buffer[j] == '\n')
863 /* pass the mailfile to fsecure */
864 file_name = string_sprintf("SCAN\t%s\n", eml_filename);
866 if (m_sock_send(sock, file_name, Ustrlen(file_name), &errstr) < 0)
867 return m_errlog_defer(scanent, errstr);
870 /* todo also SUSPICION\t */
872 fsec_re = m_pcre_compile(fsec_re_str, &errstr);
874 /* read report, linewise. Apply a timeout as the Fsecure daemon
875 sometimes wants an answer to "PING" but they won't tell us what */
877 uschar * p = av_buffer;
883 i = av_buffer+sizeof(av_buffer)-p;
884 if ((bread= ip_recv(sock, p, i-1, tmo-time(NULL))) < 0)
885 return m_errlog_defer_3(scanent,
886 string_sprintf("unable to read result (%s)", strerror(errno)),
889 for (p[bread] = '\0'; q = Ustrchr(p, '\n'); p = q+1)
893 /* Really search for virus again? */
895 /* try matcher on the line, grab substring */
896 malware_name = m_pcre_exec(fsec_re, p);
898 if (Ustrstr(p, "OK\tScan ok."))
902 /* copy down the trailing partial line then read another chunk */
903 i = av_buffer+sizeof(av_buffer)-p;
904 memmove(av_buffer, p, i);
913 case M_KAVD: /* "kavdaemon" scanner type -------------------------------- */
917 uschar * scanrequest;
919 unsigned long kav_reportlen, bread;
923 /* get current date and time, build scan request */
925 /* pdp note: before the eml_filename parameter, this scanned the
926 directory; not finding documentation, so we'll strip off the directory.
927 The side-effect is that the test framework scanning may end up in
928 scanning more than was requested, but for the normal interface, this is
931 strftime(CS tmpbuf, sizeof(tmpbuf), "%d %b %H:%M:%S", localtime(&t));
932 scanrequest = string_sprintf("<0>%s:%s", CS tmpbuf, eml_filename);
933 p = Ustrrchr(scanrequest, '/');
937 DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
938 scanner_name, scanner_options);
940 /* send scan request */
941 if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0)
942 return m_errlog_defer(scanent, errstr);
944 /* wait for result */
945 if (!recv_len(sock, tmpbuf, 2, tmo))
946 return m_errlog_defer_3(scanent,
947 US"unable to read 2 bytes from socket.", sock);
949 /* get errorcode from one nibble */
950 kav_rc = tmpbuf[ test_byte_order()==LITTLE_MY_ENDIAN ? 0 : 1 ] & 0x0F;
953 case 5: case 6: /* improper kavdaemon configuration */
954 return m_errlog_defer_3(scanent,
955 US"please reconfigure kavdaemon to NOT disinfect or remove infected files.",
958 return m_errlog_defer_3(scanent,
959 US"reported 'scanning not completed' (code 1).", sock);
961 return m_errlog_defer_3(scanent,
962 US"reported 'kavdaemon damaged' (code 7).", sock);
965 /* code 8 is not handled, since it is ambigous. It appears mostly on
966 bounces where part of a file has been cut off */
968 /* "virus found" return codes (2-4) */
969 if (kav_rc > 1 && kav_rc < 5)
973 /* setup default virus name */
974 malware_name = US"unknown";
976 report_flag = tmpbuf[ test_byte_order() == LITTLE_MY_ENDIAN ? 1 : 0 ];
978 /* read the report, if available */
979 if (report_flag == 1)
981 /* read report size */
982 if (!recv_len(sock, &kav_reportlen, 4, tmo))
983 return m_errlog_defer_3(scanent,
984 US"cannot read report size", sock);
986 /* it's possible that avp returns av_buffer[1] == 1 but the
987 reportsize is 0 (!?) */
988 if (kav_reportlen > 0)
990 /* set up match regex, depends on retcode */
993 if (!kav_re_sus) kav_re_sus = m_pcre_compile(kav_re_sus_str, &errstr);
998 if (!kav_re_inf) kav_re_inf = m_pcre_compile(kav_re_inf_str, &errstr);
1002 /* read report, linewise */
1003 while (kav_reportlen > 0)
1005 if ((bread = recv_line(sock, tmpbuf, sizeof(tmpbuf), tmo)) < 0)
1007 kav_reportlen -= bread+1;
1009 /* try matcher on the line, grab substring */
1010 if ((malware_name = m_pcre_exec(kav_re, tmpbuf)))
1016 else /* no virus found */
1017 malware_name = NULL;
1022 case M_CMDL: /* "cmdline" scanner type ---------------------------------- */
1024 const uschar *cmdline_scanner = scanner_options;
1025 const pcre *cmdline_trigger_re;
1026 const pcre *cmdline_regex_re;
1028 uschar * commandline;
1029 void (*eximsigchld)(int);
1030 void (*eximsigpipe)(int);
1031 FILE *scanner_out = NULL;
1033 FILE *scanner_record = NULL;
1034 uschar linebuffer[32767];
1039 if (!cmdline_scanner)
1040 return m_errlog_defer(scanent, errstr);
1042 /* find scanner output trigger */
1043 cmdline_trigger_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1044 "missing trigger specification", &errstr);
1045 if (!cmdline_trigger_re)
1046 return m_errlog_defer(scanent, errstr);
1048 /* find scanner name regex */
1049 cmdline_regex_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1050 "missing virus name regex specification", &errstr);
1051 if (!cmdline_regex_re)
1052 return m_errlog_defer(scanent, errstr);
1054 /* prepare scanner call; despite the naming, file_name holds a directory
1055 name which is documented as the value given to %s. */
1057 file_name = string_copy(eml_filename);
1058 p = Ustrrchr(file_name, '/');
1061 commandline = string_sprintf(CS cmdline_scanner, file_name);
1063 /* redirect STDERR too */
1064 commandline = string_sprintf("%s 2>&1", commandline);
1066 DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
1067 scanner_name, commandline);
1069 /* store exims signal handlers */
1070 eximsigchld = signal(SIGCHLD,SIG_DFL);
1071 eximsigpipe = signal(SIGPIPE,SIG_DFL);
1073 if (!(scanner_out = popen(CS commandline,"r")))
1076 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1077 return m_errlog_defer(scanent,
1078 string_sprintf("call (%s) failed: %s.", commandline, strerror(err)));
1080 scanner_fd = fileno(scanner_out);
1082 file_name = string_sprintf("%s/scan/%s/%s_scanner_output",
1083 spool_directory, message_id, message_id);
1085 if (!(scanner_record = modefopen(file_name, "wb", SPOOL_MODE)))
1088 (void) pclose(scanner_out);
1089 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1090 return m_errlog_defer(scanent, string_sprintf(
1091 "opening scanner output file (%s) failed: %s.",
1092 file_name, strerror(err)));
1095 /* look for trigger while recording output */
1096 while ((rcnt = recv_line(scanner_fd, linebuffer,
1097 sizeof(linebuffer), tmo)))
1104 (void) pclose(scanner_out);
1105 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1106 return m_errlog_defer(scanent, string_sprintf(
1107 "unable to read from scanner (%s): %s",
1108 commandline, strerror(err)));
1111 if (Ustrlen(linebuffer) > fwrite(linebuffer, 1, Ustrlen(linebuffer), scanner_record))
1114 (void) pclose(scanner_out);
1115 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1116 return m_errlog_defer(scanent, string_sprintf(
1117 "short write on scanner output file (%s).", file_name));
1119 putc('\n', scanner_record);
1120 /* try trigger match */
1122 && regex_match_and_setup(cmdline_trigger_re, linebuffer, 0, -1)
1127 (void)fclose(scanner_record);
1128 sep = pclose(scanner_out);
1129 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1131 return m_errlog_defer(scanent,
1133 ? string_sprintf("running scanner failed: %s", strerror(sep))
1134 : string_sprintf("scanner returned error code: %d", sep));
1139 /* setup default virus name */
1140 malware_name = US"unknown";
1142 /* re-open the scanner output file, look for name match */
1143 scanner_record = fopen(CS file_name, "rb");
1144 while (fgets(CS linebuffer, sizeof(linebuffer), scanner_record))
1147 if ((s = m_pcre_exec(cmdline_regex_re, linebuffer)))
1150 (void)fclose(scanner_record);
1152 else /* no virus found */
1153 malware_name = NULL;
1157 case M_SOPHIE: /* "sophie" scanner type --------------------------------- */
1162 uschar av_buffer[1024];
1164 /* pass the scan directory to sophie */
1165 file_name = string_copy(eml_filename);
1166 if ((p = Ustrrchr(file_name, '/')))
1169 DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
1170 scanner_name, scanner_options);
1172 if ( write(sock, file_name, Ustrlen(file_name)) < 0
1173 || write(sock, "\n", 1) != 1
1175 return m_errlog_defer_3(scanent,
1176 string_sprintf("unable to write to UNIX socket (%s)", scanner_options),
1179 /* wait for result */
1180 memset(av_buffer, 0, sizeof(av_buffer));
1181 if ((bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL))) <= 0)
1182 return m_errlog_defer_3(scanent,
1183 string_sprintf("unable to read from UNIX socket (%s)", scanner_options),
1187 if (av_buffer[0] == '1') {
1188 uschar * s = Ustrchr(av_buffer, '\n');
1191 malware_name = string_copy(&av_buffer[2]);
1193 else if (!strncmp(CS av_buffer, "-1", 2))
1194 return m_errlog_defer_3(scanent, US"scanner reported error", sock);
1195 else /* all ok, no virus */
1196 malware_name = NULL;
1201 case M_CLAMD: /* "clamd" scanner type ----------------------------------- */
1203 /* This code was originally contributed by David Saez */
1204 /* There are three scanning methods available to us:
1205 * (1) Use the SCAN command, pointing to a file in the filesystem
1206 * (2) Use the STREAM command, send the data on a separate port
1207 * (3) Use the zINSTREAM command, send the data inline
1208 * The zINSTREAM command was introduced with ClamAV 0.95, which marked
1209 * STREAM deprecated; see: http://wiki.clamav.net/bin/view/Main/UpgradeNotes095
1210 * In Exim, we use SCAN if using a Unix-domain socket or explicitly told that
1211 * the TCP-connected daemon is actually local; otherwise we use zINSTREAM unless
1212 * WITH_OLD_CLAMAV_STREAM is defined.
1213 * See Exim bug 926 for details. */
1215 uschar *p, *vname, *result_tag, *response_end;
1218 uschar av_buffer[1024];
1219 uschar *hostname = US"";
1221 uschar *clamav_fbuf;
1222 int clam_fd, result;
1224 unsigned int fsize_uint;
1225 BOOL use_scan_command = FALSE;
1226 clamd_address * cv[MAX_CLAMD_SERVERS];
1227 int num_servers = 0;
1228 #ifdef WITH_OLD_CLAMAV_STREAM
1230 uschar av_buffer2[1024];
1233 uint32_t send_size, send_final_zeroblock;
1236 /*XXX if unixdomain socket, only one server supported. Needs fixing;
1237 there's no reason we should not mix local and remote servers */
1239 if (*scanner_options == '/')
1242 const uschar * sublist;
1245 /* Local file; so we def want to use_scan_command and don't want to try
1246 * passing IP/port combinations */
1247 use_scan_command = TRUE;
1248 cd = (clamd_address *) store_get(sizeof(clamd_address));
1250 /* extract socket-path part */
1251 sublist = scanner_options;
1252 cd->hostspec = string_nextinlist(&sublist, &subsep, NULL, 0);
1255 if (clamd_option(cd, sublist, &subsep) != OK)
1256 return m_errlog_defer(scanent,
1257 string_sprintf("bad option '%s'", scanner_options));
1262 /* Go through the rest of the list of host/port and construct an array
1263 * of servers to try. The first one is the bit we just passed from
1264 * scanner_options so process that first and then scan the remainder of
1265 * the address buffer */
1269 const uschar * sublist;
1273 /* The 'local' option means use the SCAN command over the network
1274 * socket (ie common file storage in use) */
1275 /*XXX we could accept this also as a local option? */
1276 if (strcmpic(scanner_options, US"local") == 0)
1278 use_scan_command = TRUE;
1282 cd = (clamd_address *) store_get(sizeof(clamd_address));
1284 /* extract host and port part */
1285 sublist = scanner_options;
1286 if (!(cd->hostspec = string_nextinlist(&sublist, &subsep, NULL, 0)))
1288 (void) m_errlog_defer(scanent,
1289 string_sprintf("missing address: '%s'", scanner_options));
1292 if (!(s = string_nextinlist(&sublist, &subsep, NULL, 0)))
1294 (void) m_errlog_defer(scanent,
1295 string_sprintf("missing port: '%s'", scanner_options));
1298 cd->tcp_port = atoi(CS s);
1301 /*XXX should these options be common over scanner types? */
1302 if (clamd_option(cd, sublist, &subsep) != OK)
1304 return m_errlog_defer(scanent,
1305 string_sprintf("bad option '%s'", scanner_options));
1309 cv[num_servers++] = cd;
1310 if (num_servers >= MAX_CLAMD_SERVERS)
1312 (void) m_errlog_defer(scanent,
1313 US"More than " MAX_CLAMD_SERVERS_S " clamd servers "
1314 "specified; only using the first " MAX_CLAMD_SERVERS_S );
1317 } while ((scanner_options = string_nextinlist(&av_scanner_work, &sep,
1320 /* check if we have at least one server */
1322 return m_errlog_defer(scanent,
1323 US"no useable server addresses in malware configuration option.");
1326 /* See the discussion of response formats below to see why we really
1327 don't like colons in filenames when passing filenames to ClamAV. */
1328 if (use_scan_command && Ustrchr(eml_filename, ':'))
1329 return m_errlog_defer(scanent,
1330 string_sprintf("local/SCAN mode incompatible with" \
1331 " : in path to email filename [%s]", eml_filename));
1333 /* We have some network servers specified */
1336 /* Confirmed in ClamAV source (0.95.3) that the TCPAddr option of clamd
1337 * only supports AF_INET, but we should probably be looking to the
1338 * future and rewriting this to be protocol-independent anyway. */
1340 while (num_servers > 0)
1342 int i = random_number( num_servers );
1343 clamd_address * cd = cv[i];
1345 DEBUG(D_acl) debug_printf("trying server name %s, port %u\n",
1346 cd->hostspec, cd->tcp_port);
1348 /* Lookup the host. This is to ensure that we connect to the same IP
1349 * on both connections (as one host could resolve to multiple ips) */
1352 sock= m_tcpsocket(cd->hostspec, cd->tcp_port, &connhost, &errstr);
1355 /* Connection successfully established with a server */
1356 hostname = cd->hostspec;
1359 if (cd->retry <= 0) break;
1360 while (cd->retry > 0) cd->retry = sleep(cd->retry);
1365 log_write(0, LOG_MAIN, "malware acl condition: %s: %s",
1366 scanent->name, errstr);
1368 /* Remove the server from the list. XXX We should free the memory */
1370 for (; i < num_servers; i++)
1374 if (num_servers == 0)
1375 return m_errlog_defer(scanent, US"all servers failed");
1380 if ((sock = ip_unixsocket(cv[0]->hostspec, &errstr)) >= 0)
1382 hostname = cv[0]->hostspec;
1385 if (cv[0]->retry <= 0)
1386 return m_errlog_defer(scanent, errstr);
1387 while (cv[0]->retry > 0) cv[0]->retry = sleep(cv[0]->retry);
1390 /* have socket in variable "sock"; command to use is semi-independent of
1391 * the socket protocol. We use SCAN if is local (either Unix/local
1392 * domain socket, or explicitly told local) else we stream the data.
1393 * How we stream the data depends upon how we were built. */
1395 if (!use_scan_command)
1397 #ifdef WITH_OLD_CLAMAV_STREAM
1398 /* "STREAM\n" command, get back a "PORT <N>\n" response, send data to
1399 * that port on a second connection; then in the scan-method-neutral
1400 * part, read the response back on the original connection. */
1402 DEBUG(D_acl) debug_printf(
1403 "Malware scan: issuing %s old-style remote scan (PORT)\n",
1406 /* Pass the string to ClamAV (7 = "STREAM\n") */
1407 if (m_sock_send(sock, US"STREAM\n", 7, &errstr) < 0)
1408 return m_errlog_defer(scanent, errstr);
1410 memset(av_buffer2, 0, sizeof(av_buffer2));
1411 bread = ip_recv(sock, av_buffer2, sizeof(av_buffer2), tmo-time(NULL));
1414 return m_errlog_defer_3(scanent,
1415 string_sprintf("unable to read PORT from socket (%s)",
1419 if (bread == sizeof(av_buffer2))
1420 return m_errlog_defer_3(scanent, "buffer too small", sock);
1423 return m_errlog_defer_3(scanent, "ClamAV returned null", sock);
1425 av_buffer2[bread] = '\0';
1426 if( sscanf(CS av_buffer2, "PORT %u\n", &port) != 1 )
1427 return m_errlog_defer_3(scanent,
1428 string_sprintf("Expected port information from clamd, got '%s'",
1432 sockData = m_tcpsocket(connhost.address, port, NULL, &errstr);
1434 return m_errlog_defer_3(scanent, errstr, sock);
1436 # define CLOSE_SOCKDATA (void)close(sockData)
1437 #else /* WITH_OLD_CLAMAV_STREAM not defined */
1438 /* New protocol: "zINSTREAM\n" followed by a sequence of <length><data>
1439 chunks, <n> a 4-byte number (network order), terminated by a zero-length
1442 DEBUG(D_acl) debug_printf(
1443 "Malware scan: issuing %s new-style remote scan (zINSTREAM)\n",
1446 /* Pass the string to ClamAV (10 = "zINSTREAM\0") */
1447 if (send(sock, "zINSTREAM", 10, 0) < 0)
1448 return m_errlog_defer_3(scanent,
1449 string_sprintf("unable to send zINSTREAM to socket (%s)",
1453 # define CLOSE_SOCKDATA /**/
1456 /* calc file size */
1457 if ((clam_fd = open(CS eml_filename, O_RDONLY)) < 0)
1461 return m_errlog_defer_3(scanent,
1462 string_sprintf("can't open spool file %s: %s",
1463 eml_filename, strerror(err)),
1466 if ((fsize = lseek(clam_fd, 0, SEEK_END)) < 0)
1469 CLOSE_SOCKDATA; (void)close(clam_fd);
1470 return m_errlog_defer_3(scanent,
1471 string_sprintf("can't seek spool file %s: %s",
1472 eml_filename, strerror(err)),
1475 fsize_uint = (unsigned int) fsize;
1476 if ((off_t)fsize_uint != fsize)
1478 CLOSE_SOCKDATA; (void)close(clam_fd);
1479 return m_errlog_defer_3(scanent,
1480 string_sprintf("seeking spool file %s, size overflow",
1484 lseek(clam_fd, 0, SEEK_SET);
1486 if (!(clamav_fbuf = (uschar *) malloc (fsize_uint)))
1488 CLOSE_SOCKDATA; (void)close(clam_fd);
1489 return m_errlog_defer_3(scanent,
1490 string_sprintf("unable to allocate memory %u for file (%s)",
1491 fsize_uint, eml_filename),
1495 if ((result = read(clam_fd, clamav_fbuf, fsize_uint)) < 0)
1498 free(clamav_fbuf); CLOSE_SOCKDATA; (void)close(clam_fd);
1499 return m_errlog_defer_3(scanent,
1500 string_sprintf("can't read spool file %s: %s",
1501 eml_filename, strerror(err)),
1504 (void)close(clam_fd);
1506 /* send file body to socket */
1507 #ifdef WITH_OLD_CLAMAV_STREAM
1508 if (send(sockData, clamav_fbuf, fsize_uint, 0) < 0)
1510 free(clamav_fbuf); CLOSE_SOCKDATA;
1511 return m_errlog_defer_3(scanent,
1512 string_sprintf("unable to send file body to socket (%s:%u)",
1517 send_size = htonl(fsize_uint);
1518 send_final_zeroblock = 0;
1519 if ((send(sock, &send_size, sizeof(send_size), 0) < 0) ||
1520 (send(sock, clamav_fbuf, fsize_uint, 0) < 0) ||
1521 (send(sock, &send_final_zeroblock, sizeof(send_final_zeroblock), 0) < 0))
1524 return m_errlog_defer_3(scanent,
1525 string_sprintf("unable to send file body to socket (%s)", hostname),
1533 #undef CLOSE_SOCKDATA
1536 { /* use scan command */
1537 /* Send a SCAN command pointing to a filename; then in the then in the
1538 * scan-method-neutral part, read the response back */
1540 /* ================================================================= */
1542 /* Prior to the reworking post-Exim-4.72, this scanned a directory,
1543 which dates to when ClamAV needed us to break apart the email into the
1544 MIME parts (eg, with the now deprecated demime condition coming first).
1545 Some time back, ClamAV gained the ability to deconstruct the emails, so
1546 doing this would actually have resulted in the mail attachments being
1547 scanned twice, in the broken out files and from the original .eml.
1548 Since ClamAV now handles emails (and has for quite some time) we can
1549 just use the email file itself. */
1550 /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */
1551 file_name = string_sprintf("SCAN %s\n", eml_filename);
1553 DEBUG(D_acl) debug_printf(
1554 "Malware scan: issuing %s local-path scan [%s]\n",
1555 scanner_name, scanner_options);
1557 if (send(sock, file_name, Ustrlen(file_name), 0) < 0)
1558 return m_errlog_defer_3(scanent,
1559 string_sprintf("unable to write to socket (%s)", strerror(errno)),
1562 /* Do not shut down the socket for writing; a user report noted that
1563 * clamd 0.70 does not react well to this. */
1565 /* Commands have been sent, no matter which scan method or connection
1566 * type we're using; now just read the result, independent of method. */
1568 /* Read the result */
1569 memset(av_buffer, 0, sizeof(av_buffer));
1570 bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
1575 return m_errlog_defer(scanent,
1576 string_sprintf("unable to read from socket (%s)",
1577 errno == 0 ? "EOF" : strerror(errno)));
1579 if (bread == sizeof(av_buffer))
1580 return m_errlog_defer(scanent, US"buffer too small");
1581 /* We're now assured of a NULL at the end of av_buffer */
1583 /* Check the result. ClamAV returns one of two result formats.
1584 In the basic mode, the response is of the form:
1585 infected: -> "<filename>: <virusname> FOUND"
1586 not-infected: -> "<filename>: OK"
1587 error: -> "<filename>: <errcode> ERROR
1588 If the ExtendedDetectionInfo option has been turned on, then we get:
1589 "<filename>: <virusname>(<virushash>:<virussize>) FOUND"
1590 for the infected case. Compare:
1591 /tmp/eicar.com: Eicar-Test-Signature FOUND
1592 /tmp/eicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
1594 In the streaming case, clamd uses the filename "stream" which you should
1595 be able to verify with { ktrace clamdscan --stream /tmp/eicar.com }. (The
1596 client app will replace "stream" with the original filename before returning
1597 results to stdout, but the trace shows the data).
1599 We will assume that the pathname passed to clamd from Exim does not contain
1600 a colon. We will have whined loudly above if the eml_filename does (and we're
1601 passing a filename to clamd). */
1604 return m_errlog_defer(scanent, US"ClamAV returned null");
1606 /* strip newline at the end (won't be present for zINSTREAM)
1607 (also any trailing whitespace, which shouldn't exist, but we depend upon
1608 this below, so double-check) */
1609 p = av_buffer + Ustrlen(av_buffer) - 1;
1610 if (*p == '\n') *p = '\0';
1612 DEBUG(D_acl) debug_printf("Malware response: %s\n", av_buffer);
1614 while (isspace(*--p) && (p > av_buffer))
1619 /* colon in returned output? */
1620 if((p = Ustrchr(av_buffer,':')) == NULL)
1621 return m_errlog_defer(scanent, string_sprintf(
1622 "ClamAV returned malformed result (missing colon): %s",
1625 /* strip filename */
1626 while (*p && isspace(*++p)) /**/;
1629 /* It would be bad to encounter a virus with "FOUND" in part of the name,
1630 but we should at least be resistant to it. */
1631 p = Ustrrchr(vname, ' ');
1632 result_tag = p ? p+1 : vname;
1634 if (Ustrcmp(result_tag, "FOUND") == 0)
1636 /* p should still be the whitespace before the result_tag */
1637 while (isspace(*p)) --p;
1639 /* Strip off the extended information too, which will be in parens
1640 after the virus name, with no intervening whitespace. */
1643 /* "(hash:size)", so previous '(' will do; if not found, we have
1644 a curious virus name, but not an error. */
1645 p = Ustrrchr(vname, '(');
1649 malware_name = string_copy(vname);
1650 DEBUG(D_acl) debug_printf("Malware found, name \"%s\"\n", malware_name);
1653 else if (Ustrcmp(result_tag, "ERROR") == 0)
1654 return m_errlog_defer(scanent,
1655 string_sprintf("ClamAV returned: %s", av_buffer));
1657 else if (Ustrcmp(result_tag, "OK") == 0)
1659 /* Everything should be OK */
1660 malware_name = NULL;
1661 DEBUG(D_acl) debug_printf("Malware not found\n");
1665 return m_errlog_defer(scanent,
1666 string_sprintf("unparseable response from ClamAV: {%s}", av_buffer));
1671 case M_SOCK: /* "sock" scanner type ------------------------------------- */
1672 /* This code was derived by Martin Poole from the clamd code contributed
1673 by David Saez and the cmdline code
1677 uschar * commandline;
1678 uschar av_buffer[1024];
1679 uschar * linebuffer;
1680 uschar * sockline_scanner;
1681 uschar sockline_scanner_default[] = "%s\n";
1682 const pcre *sockline_trig_re;
1683 const pcre *sockline_name_re;
1685 /* find scanner command line */
1686 if ((sockline_scanner = string_nextinlist(&av_scanner_work, &sep,
1688 { /* check for no expansions apart from one %s */
1689 uschar * s = Ustrchr(sockline_scanner, '%');
1691 if ((*s != 's' && *s != '%') || Ustrchr(s+1, '%'))
1692 return m_errlog_defer_3(scanent,
1693 US"unsafe sock scanner call spec", sock);
1696 sockline_scanner = sockline_scanner_default;
1698 /* find scanner output trigger */
1699 sockline_trig_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1700 "missing trigger specification", &errstr);
1701 if (!sockline_trig_re)
1702 return m_errlog_defer_3(scanent, errstr, sock);
1704 /* find virus name regex */
1705 sockline_name_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1706 "missing virus name regex specification", &errstr);
1707 if (!sockline_name_re)
1708 return m_errlog_defer_3(scanent, errstr, sock);
1710 /* prepare scanner call - security depends on expansions check above */
1711 commandline = string_sprintf("%s/scan/%s/%s.eml", spool_directory, message_id, message_id);
1712 commandline = string_sprintf( CS sockline_scanner, CS commandline);
1715 /* Pass the command string to the socket */
1716 if (m_sock_send(sock, commandline, Ustrlen(commandline), &errstr) < 0)
1717 return m_errlog_defer(scanent, errstr);
1719 /* Read the result */
1720 bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
1723 return m_errlog_defer_3(scanent,
1724 string_sprintf("unable to read from socket (%s)", strerror(errno)),
1727 if (bread == sizeof(av_buffer))
1728 return m_errlog_defer_3(scanent, US"buffer too small", sock);
1729 av_buffer[bread] = '\0';
1730 linebuffer = string_copy(av_buffer);
1732 /* try trigger match */
1733 if (regex_match_and_setup(sockline_trig_re, linebuffer, 0, -1))
1735 if (!(malware_name = m_pcre_exec(sockline_name_re, av_buffer)))
1736 malware_name = US "unknown";
1738 else /* no virus found */
1739 malware_name = NULL;
1743 case M_MKSD: /* "mksd" scanner type ------------------------------------- */
1745 char *mksd_options_end;
1746 int mksd_maxproc = 1; /* default, if no option supplied */
1749 if (scanner_options)
1751 mksd_maxproc = (int)strtol(CS scanner_options, &mksd_options_end, 10);
1752 if ( *scanner_options == '\0'
1753 || *mksd_options_end != '\0'
1755 || mksd_maxproc > 32
1757 return m_errlog_defer(scanent,
1758 string_sprintf("invalid option '%s'", scanner_options));
1761 if((sock = ip_unixsocket(US "/var/run/mksd/socket", &errstr)) < 0)
1762 return m_errlog_defer(scanent, errstr);
1764 malware_name = NULL;
1766 DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan\n", scanner_name);
1768 if ((retval = mksd_scan_packed(scanent, sock, eml_filename, tmo)) != OK)
1776 case M_AVAST: /* "avast" scanner type ----------------------------------- */
1780 uschar * scanrequest;
1781 enum {AVA_HELO, AVA_OPT, AVA_RSP, AVA_DONE} avast_stage;
1784 /* According to Martin Tuma @avast the protocol uses "escaped
1785 whitespace", that is, every embedded whitespace is backslash
1786 escaped, as well as backslash is protected by backslash.
1787 The returned lines contain the name of the scanned file, a tab
1791 [E] - some error occured
1792 Such marker follows the first non-escaped TAB. */
1793 if ( ( !ava_re_clean
1794 && !(ava_re_clean = m_pcre_compile(ava_re_clean_str, &errstr)))
1796 && !(ava_re_virus = m_pcre_compile(ava_re_virus_str, &errstr)))
1798 return malware_errlog_defer(errstr);
1800 /* wait for result */
1801 for (avast_stage = AVA_HELO;
1802 (nread = recv_line(sock, buf, sizeof(buf), tmo)) > 0;
1805 int slen = Ustrlen(buf);
1808 DEBUG(D_acl) debug_printf("got from avast: %s\n", buf);
1809 switch (avast_stage)
1812 if (Ustrncmp(buf, "220", 3) != 0)
1813 goto endloop; /* require a 220 */
1817 if (Ustrncmp(buf, "210", 3) == 0)
1818 break; /* ignore 210 responses */
1819 if (Ustrncmp(buf, "200", 3) != 0)
1820 goto endloop; /* require a 200 */
1825 /* Check for another option to send. Newline-terminate it. */
1826 if ((scanrequest = string_nextinlist(&av_scanner_work, &sep,
1829 scanrequest = string_sprintf("%s\n", scanrequest);
1830 avast_stage = AVA_OPT; /* just sent option */
1834 scanrequest = string_sprintf("SCAN %s/scan/%s\n",
1835 spool_directory, message_id);
1836 avast_stage = AVA_RSP; /* just sent command */
1839 /* send config-cmd or scan-request to socket */
1840 len = Ustrlen(scanrequest);
1841 if (send(sock, scanrequest, len, 0) < 0)
1843 scanrequest[len-1] = '\0';
1844 return m_errlog_defer_3(scanent, string_sprintf(
1845 "unable to send request '%s' to socket (%s): %s",
1846 scanrequest, scanner_options, strerror(errno)), sock);
1852 if (Ustrncmp(buf, "210", 3) == 0)
1853 break; /* ignore the "210 SCAN DATA" message */
1855 if (pcre_exec(ava_re_clean, NULL, CS buf, slen,
1856 0, 0, ovector, nelements(ovector)) > 0)
1859 if ((malware_name = m_pcre_exec(ava_re_virus, buf)))
1860 { /* remove backslash in front of [whitespace|backslash] */
1862 for (p = malware_name; *p; ++p)
1863 if (*p == '\\' && (isspace(p[1]) || p[1] == '\\'))
1864 for (p0 = p; *p0; ++p0) *p0 = p0[1];
1866 avast_stage = AVA_DONE;
1870 if (Ustrncmp(buf, "200 SCAN OK", 11) == 0)
1871 { /* we're done finally */
1872 if (send(sock, "QUIT\n", 5, 0) < 0) /* courtesy */
1873 return m_errlog_defer_3(scanent, string_sprintf(
1874 "unable to send quit request to socket (%s): %s",
1875 scanner_options, strerror(errno)),
1877 malware_name = NULL;
1878 avast_stage = AVA_DONE;
1882 /* here for any unexpected response from the scanner */
1893 case AVA_RSP: return m_errlog_defer_3(scanent,
1896 "invalid response from scanner: '%s'", buf)
1898 ? US"EOF from scanner"
1899 : US"timeout from scanner",
1905 } /* scanner type switch */
1908 (void) close (sock);
1909 malware_ok = TRUE; /* set "been here, done that" marker */
1912 /* match virus name against pattern (caseless ------->----------v) */
1913 if (malware_name && regex_match_and_setup(re, malware_name, 0, -1))
1915 DEBUG(D_acl) debug_printf(
1916 "Matched regex to malware [%s] [%s]\n", malware_re, malware_name);
1924 /*************************************************
1925 * Scan an email for malware *
1926 *************************************************/
1928 /* This is the normal interface for scanning an email, which doesn't need a
1929 filename; it's a wrapper around the malware_file function.
1932 malware_re match condition for "malware="
1933 timeout if nonzero, timeout in seconds
1935 Returns: Exim message processing code (OK, FAIL, DEFER, ...)
1936 where true means malware was found (condition applies)
1939 malware(const uschar * malware_re, int timeout)
1941 uschar * scan_filename;
1944 scan_filename = string_sprintf("%s/scan/%s/%s.eml",
1945 spool_directory, message_id, message_id);
1946 ret = malware_internal(malware_re, scan_filename, timeout, FALSE);
1947 if (ret == DEFER) av_failed = TRUE;
1953 /*************************************************
1954 * Scan a file for malware *
1955 *************************************************/
1957 /* This is a test wrapper for scanning an email, which is not used in
1958 normal processing. Scan any file, using the Exim scanning interface.
1959 This function tampers with various global variables so is unsafe to use
1960 in any other context.
1963 eml_filename a file holding the message to be scanned
1965 Returns: Exim message processing code (OK, FAIL, DEFER, ...)
1966 where true means malware was found (condition applies)
1969 malware_in_file(uschar *eml_filename)
1971 uschar message_id_buf[64];
1974 /* spool_mbox() assumes various parameters exist, when creating
1975 the relevant directory and the email within */
1976 (void) string_format(message_id_buf, sizeof(message_id_buf),
1977 "dummy-%d", vaguely_random_number(INT_MAX));
1978 message_id = message_id_buf;
1979 sender_address = US"malware-sender@example.net";
1981 recipients_list = NULL;
1982 receive_add_recipient(US"malware-victim@example.net", -1);
1983 enable_dollar_recipients = TRUE;
1985 ret = malware_internal(US"*", eml_filename, 0, TRUE);
1987 Ustrncpy(spooled_message_id, message_id, sizeof(spooled_message_id));
1989 /* don't set no_mbox_unspool; at present, there's no way for it to become
1990 set, but if that changes, then it should apply to these tests too */
1993 /* silence static analysis tools */
2003 if (!malware_default_re)
2004 malware_default_re = regex_must_compile(malware_regex_default, FALSE, TRUE);
2006 drweb_re = regex_must_compile(drweb_re_str, FALSE, TRUE);
2008 fsec_re = regex_must_compile(fsec_re_str, FALSE, TRUE);
2010 kav_re_sus = regex_must_compile(kav_re_sus_str, FALSE, TRUE);
2012 kav_re_inf = regex_must_compile(kav_re_inf_str, FALSE, TRUE);
2014 ava_re_clean = regex_must_compile(ava_re_clean_str, FALSE, TRUE);
2016 ava_re_virus = regex_must_compile(ava_re_virus_str, FALSE, TRUE);
2019 #endif /*WITH_CONTENT_SCAN*/
git://git.exim.org / exim.git / blob