Configuration Parameters

The component uses configuration parameters which can be found in the [ClamD] section of the integrated configuration file of Dr.Web for UNIX Mail Servers.

Component Parameters

The section contains the following parameters:

Parameter

Description

LogLevel

{logging level}

Logging level of the component.

If the parameter value is not specified, the DefaultLogLevel parameter value from the [Root] section is used.

Default value: Notice

Log

{log type}

Logging method of the component.

Default value: Auto

ExePath

{path to file}

Executable path to the component.

Default value: <opt_dir>/bin/drweb-clamd.

For GNU/Linux: /opt/drweb.com/bin/drweb-clamd.

For FreeBSD: /usr/local/libexec/drweb.com/bin/drweb-clamd

Start

{Boolean}

Whether the component must be launched by the Dr.Web ConfigD configuration daemon.

Setting this parameter to Yes instructs the configuration daemon to start the component immediately; setting it to No instructs the configuration daemon to terminate the component immediately.

Default value: No

Endpoint.<tag>.ClamdSocket

{IP address | UNIX socket}

Creates a new connection point named <tag> and allocates a socket (an IPv4 address or the address of a UNIX socket) for clients that need to scan files for threats.

Only one socket can be specified for one <tag> point.

Default value: not set

[Endpoint.<tag>.]DetectSuspicious

{Boolean}

Inform about suspicious files detected by the heuristic analyzer.

If the Endpoint.<tag> prefix is specified, it means that the parameter value is set only for the <tag> connection point; otherwise, it is set for all points which do not have another value of this parameter specified for them.

Default value: Yes

[Endpoint.<tag>.]DetectAdware

{Boolean}

Inform about files containing adware.

If the Endpoint.<tag> prefix is specified, it means that the parameter value is set only for the <tag> connection point; otherwise, it is set for all points which do not have another value of this parameter specified for them.

Default value: Yes

[Endpoint.<tag>.]DetectDialers

{Boolean}

Inform about files containing dialers.

If the Endpoint.<tag> prefix is specified, it means that the parameter value is set only for the <tag> connection point; otherwise, it is set for all points which do not have another value of this parameter specified for them.

Default value: Yes

[Endpoint.<tag>.]DetectJokes

{Boolean}

Inform about files containing jokes.

If the Endpoint.<tag> prefix is specified, it means that the parameter value is set only for the <tag> connection point; otherwise, it is set for all points which do not have another value of this parameter specified for them.

Default value: No

[Endpoint.<tag>.]DetectRiskware

{Boolean}

Inform about files containing riskware.

If the Endpoint.<tag> prefix is specified, it means that the parameter value is set only for the <tag> connection point; otherwise, it is set for all points which do not have another value of this parameter specified for them.

Default value: No

[Endpoint.<tag>.]DetectHacktools

{Boolean}

Inform about files containing hacktools.

If the Endpoint.<tag> prefix is specified, it means that the parameter value is set only for the <tag> connection point; otherwise, it is set for all points which do not have another value of this parameter specified for them.

Default value: No

[Endpoint.<tag>.]ReadTimeout

{time interval}

Maximum time-out to wait for data from a client.

If the Endpoint.<tag> prefix is specified, it means that the parameter value is set only for the <tag> connection point; otherwise, it is set for all points which do not have another value of this parameter specified for them.

Default value: 5s

[Endpoint.<tag>.]StreamMaxLength

{size}

Maximum size of data that can be received from a client (for transmitting data to scan as a stream of bytes).

If the Endpoint.<tag> prefix is specified, it means that the parameter value is set only for the <tag> connection point; otherwise, it is set for all points which do not have another value of this parameter specified for them.

Default value: 25mb

[Endpoint.<tag>.]ScanTimeout

{time interval}

Maximum time to scan one file (or one portion of data) received from a client.

If the Endpoint.<tag> prefix is specified, it means that the parameter value is set only for the <tag> connection point; otherwise, it is set for all points which do not have another value of this parameter specified for them.

Acceptable values: from 1 second (1s) to 1 hour (1h).

Default value: 3m

[Endpoint.<tag>.]HeuristicAnalysis

{On | Off}

Enable heuristic analysis for scanning.

If the Endpoint.<tag> prefix is specified, it means that the parameter value is set only for the <tag> connection point; otherwise, it is set for all points which do not have another value of this parameter specified for them.

Default value: On

[Endpoint.<tag>.]PackerMaxLevel

{integer}

Maximum nesting level for packed objects. A packed object is executable code compressed with special software (UPX, PELock, PECompact, Petite, ASPack, Morphine, etc.). Such objects may include other packed objects which may also include packed objects, etc. The maximum nesting level is the limit beyond which packed objects inside other packed objects are not scanned.

If the Endpoint.<tag> prefix is specified, it means that the parameter value is set only for the <tag> connection point; otherwise, it is set for all points which do not have another value of this parameter specified for them.

The value of this parameter can be any integer number greater than 0. If the value is set to 0, nested objects are not scanned.

Default value: 8

[Endpoint.<tag>.]ArchiveMaxLevel

{integer}

Maximum nesting level for archives (zip, rar, etc.) that can be scanned. Archives may include archives in which other archives may also be enclosed and so on. The maximum nesting level is the limit beyond which archives inside archives are not scanned.

If the Endpoint.<tag> prefix is specified, it means that the parameter value is set only for the <tag> connection point; otherwise, it is set for all points which do not have another value of this parameter specified for them.

The value of this parameter can be any integer number greater than 0. If the value is set to 0, nested objects are not scanned.

Default value: 8

[Endpoint.<tag>.]MailMaxLevel

{integer}

Maximum nesting level for mail client files (pst, tbb and so on) in which other files may be enclosed (and these files may also include other files and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects will not be scanned.

If the Endpoint.<tag> prefix is specified, it means that the parameter value is set only for the <tag> connection point; otherwise, it is set for all points which do not have another value of this parameter specified for them.

The value of this parameter can be any integer number greater than 0. If the value is set to 0, nested objects are not scanned.

Default value: 8

[Endpoint.<tag>.]ContainerMaxLevel

{integer}

Maximum nesting level for other types of objects containing other objects (for instance, for HTML pages or jar files). The maximum nesting level is the limit beyond which objects inside objects are not scanned.

If the Endpoint.<tag> prefix is specified, it means that the parameter value is set only for the <tag> connection point; otherwise, it is set for all points which do not have another value of this parameter specified for them.

The value of this parameter can be any integer number greater than 0. If the value is set to 0, nested objects are not scanned.

Default value: 8

[Endpoint.<tag>.]MaxCompressionRatio

{integer}

Maximum allowed compression ratio of compressed/packed objects (ratio between the uncompressed size and the compressed size). If the ratio of an object exceeds the limit, this object will be skipped during the scanning.

The compression ratio must not be smaller than 2.

Default value: 500

Special Aspects of Component Configuration

Parameters marked with an optional Endpoint.<tag> prefix can be grouped. Each group defines a unique connection point (endpoint) that clients can use to connect to the component, and each has a unique <tag> identifier assigned to it. All the scanning parameters belonging to the same group define the settings that apply only when data is scanned for the clients connected to the corresponding connection point. If a parameter is specified without an Endpoint.<tag> prefix, this sets the value for all connection points. If you delete a parameter from a connection point, the program does not revert to the hard-coded default value for this parameter; instead, it uses the current value of the corresponding “parent” parameter of the same name (set without the Endpoint.<tag> prefix).

The ClamdSocket parameter must always be specified with an Endpoint.<tag> prefix, as it defines both a listening socket and a group (connection point) to which this socket corresponds.

Example

Let us assume that we need to set up two connection points for two groups of external applications (servers); let the groups be called servers1 and servers2. The servers from the servers1 group connect through a UNIX socket, whereas the servers from the servers2 group connect via a network connection. Moreover, let us assume that heuristic analysis must be disabled by default, but must be used for servers from the servers2 group. The following example shows how to configure this:

1) In the configuration file:

[ClamD]
HeuristicAnalysis = Off
 
[ClamD.Endpoint.servers1]
ClamdSocket = /tmp/srv1.socket
 
[ClamD.Endpoint.servers2]
ClamdSocket = 127.0.0.1:1234
HeuristicAnalysis = On

2) For the command-line management tool Dr.Web Ctl:

# drweb-ctl cfset ClamD.HeuristicAnalysis Off
# drweb-ctl cfset ClamD.Endpoint -a servers1
# drweb-ctl cfset ClamD.Endpoint -a servers2
# drweb-ctl cfset ClamD.Endpoint.servers1.ClamdSocket /tmp/srv1.socket
# drweb-ctl cfset ClamD.Endpoint.servers2.ClamdSocket 127.0.0.1:1234
# drweb-ctl cfset ClamD.Endpoint.servers2.HeuristicAnalysis On

Both methods have the same effect, but if you edit the configuration file, you must also apply the changed settings by sending a SIGHUP signal to the drweb-configd component (to do that, you can issue the drweb-ctl reload command).
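The fallback order described under Special Aspects of Component Configuration (endpoint value, then the [ClamD] value, then the default from the table) can be checked offline with a short script. This is an added example, not part of the product or its documentation; the function names and the review policy in audit() (treating only UNIX sockets and 127.x addresses as local, and what counts as a finding) are assumptions.

```python
import configparser

# Hard-coded defaults copied from the parameter table on this page.
DEFAULTS = {
    "HeuristicAnalysis": "On", "DetectSuspicious": "Yes", "DetectAdware": "Yes",
    "DetectDialers": "Yes", "DetectJokes": "No", "DetectRiskware": "No",
    "DetectHacktools": "No", "ReadTimeout": "5s", "StreamMaxLength": "25mb",
    "ScanTimeout": "3m", "PackerMaxLevel": "8", "ArchiveMaxLevel": "8",
    "MailMaxLevel": "8", "ContainerMaxLevel": "8", "MaxCompressionRatio": "500",
}
PREFIX = "ClamD.Endpoint."
LEVELS = ("PackerMaxLevel", "ArchiveMaxLevel", "MailMaxLevel", "ContainerMaxLevel")

# The page's own example configuration, embedded so the block runs offline.
SAMPLE = """\
[ClamD]
HeuristicAnalysis = Off
[ClamD.Endpoint.servers1]
ClamdSocket = /tmp/srv1.socket
[ClamD.Endpoint.servers2]
ClamdSocket = 127.0.0.1:1234
HeuristicAnalysis = On
"""

def effective_endpoints(text):
    """Resolve each endpoint's settings: own value, else [ClamD], else default."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep parameter names exactly as written
    cp.read_string(text)
    parent = dict(cp["ClamD"]) if cp.has_section("ClamD") else {}
    return {s[len(PREFIX):]: {**DEFAULTS, **parent, **dict(cp[s])}
            for s in cp.sections() if s.startswith(PREFIX)}

def audit(endpoints):
    """Hypothetical review policy: flag settings that narrow what gets scanned."""
    out = []
    for tag, cfg in sorted(endpoints.items()):
        sock = cfg.get("ClamdSocket", "")
        if not sock.startswith(("/", "127.")):
            out.append((tag, f"socket '{sock}' is unset or not loopback/UNIX"))
        if cfg["HeuristicAnalysis"].lower() == "off":
            out.append((tag, "heuristic analysis disabled"))
        out += [(tag, f"{p} = 0, nested objects are not scanned")
                for p in LEVELS if int(cfg[p]) == 0]
    return out

if __name__ == "__main__":
    for tag, msg in audit(effective_endpoints(SAMPLE)):
        print(f"{tag}: {msg}")
```

On the page's example, servers1 is reported with heuristic analysis disabled even though its own section never mentions the parameter, because it takes the [ClamD] value rather than the default of On.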