Configuration Parameters

The component uses configuration parameters specified in the [ClamD] section of the unified configuration file of Dr.Web for UNIX Mail Servers.

Component Parameters

The section contains the following parameters:

Parameter

Description

LogLevel

{logging level}

Logging level of the component.

If the parameter value is not specified, the DefaultLogLevel parameter value from the [Root] section is used.

Default value: Notice

Log

{log type}

Logging method of the component.

Default value: Auto

ExePath

{path to file}

Component executable path.

Default value: <opt_dir>/bin/drweb-clamd.

For GNU/Linux: /opt/drweb.com/bin/drweb-clamd.

For FreeBSD: /usr/local/libexec/drweb.com/bin/drweb-clamd

Start

{logical}

The component must be started by the Dr.Web ConfigD configuration daemon.

Setting this parameter to Yes instructs the configuration daemon to start the component immediately; setting it to No instructs the daemon to terminate the component immediately.

Default value: No

Endpoint.<tag>.ClamdSocket

{IP address | UNIX socket}

Defines a mount point named <tag> and a socket (IPv4 address or a UNIX socket address) for clients who need to scan files for threats.

Only one socket can be specified for one <tag> point.

Default value: not set

[Endpoint.<tag>.]DetectSuspicious

{logical}

Inform about suspicious files detected by the heuristic analyzer.

If the Endpoint.<tag> prefix is specified, the parameter value is specified only for the <tag> point; otherwise, it is specified for all points that do not have a defined value of this parameter.

Default value: Yes

[Endpoint.<tag>.]DetectAdware

{logical}

Inform about files containing adware.

If the Endpoint.<tag> prefix is specified, the parameter value is specified only for the <tag> point; otherwise, it is specified for all points that do not have a defined value of this parameter.

Default value: Yes

[Endpoint.<tag>.]DetectDialers

{logical}

Inform about files containing dialers.

If the Endpoint.<tag> prefix is specified, the parameter value is specified only for the <tag> point; otherwise, it is specified for all points that do not have a defined value of this parameter.

Default value: Yes

[Endpoint.<tag>.]DetectJokes

{logical}

Inform about files containing jokes.

If the Endpoint.<tag> prefix is specified, the parameter value is specified only for the <tag> point; otherwise, it is specified for all points that do not have a defined value of this parameter.

Default value: No

[Endpoint.<tag>.]DetectRiskware

{logical}

Inform about files containing riskware.

If the Endpoint.<tag> prefix is specified, the parameter value is specified only for the <tag> point; otherwise, it is specified for all points that do not have a defined value of this parameter.

Default value: No

[Endpoint.<tag>.]DetectHacktools

{logical}

Inform about files containing hacktools.

If the Endpoint.<tag> prefix is specified, the parameter value is specified only for the <tag> point; otherwise, it is specified for all points that do not have a defined value of this parameter.

Default value: No

[Endpoint.<tag>.]ReadTimeout

{time interval}

Time-out for waiting for data from a client.

If the Endpoint.<tag> prefix is specified, the parameter value is specified only for the <tag> point; otherwise, it is specified for all points that do not have a defined value of this parameter.

Default value: 5s

[Endpoint.<tag>.]StreamMaxLength

{size}

Maximum size of data that can be received from a client (while passing data for scanning as a stream of bytes).

If the Endpoint.<tag> prefix is specified, the parameter value is specified only for the <tag> point; otherwise, it is specified for all points that do not have a defined value of this parameter.

Default value: 25mb

[Endpoint.<tag>.]ScanTimeout

{time interval}

Time-out for scanning one file (or one chunk of data) received from a client.

If the Endpoint.<tag> prefix is specified, the parameter value is specified only for the <tag> point; otherwise, it is specified for all points that do not have a defined value of this parameter.

Allowed values: from 1 second (1s) to 1 hour (1h).

Default value: 3m

[Endpoint.<tag>.]HeuristicAnalysis

{On | Off}

Enable heuristic analysis during scanning.

If the Endpoint.<tag> prefix is specified, the parameter value is specified only for the <tag> point; otherwise, it is specified for all points that do not have a defined value of this parameter.

Default value: On

[Endpoint.<tag>.]PackerMaxLevel

{integer}

Maximum nesting level for packed objects. A packed object is executable code compressed with special software (UPX, PELock, PECompact, Petite, ASPack, Morphine, etc.). Such objects may include other packed objects which may also include packed objects, etc. The maximum nesting level is the limit beyond which packed objects inside other packed objects are not scanned.

If the Endpoint.<tag> prefix is specified, the parameter value is specified only for the <tag> point; otherwise, it is specified for all points that do not have a defined value of this parameter.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 8

[Endpoint.<tag>.]ArchiveMaxLevel

{integer}

Maximum nesting level for archives (.zip, .rar, etc.) that can be scanned. Archives may include archives in which other archives may also be enclosed and so on. The maximum nesting level is the limit beyond which archives inside archives are not scanned.

If the Endpoint.<tag> prefix is specified, the parameter value is specified only for the <tag> point; otherwise, it is specified for all points that do not have a defined value of this parameter.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 8

[Endpoint.<tag>.]MailMaxLevel

{integer}

Maximum nesting level for mail client files (.pst, .tbb and so on), which may contain other files (and these files may also contain other files, and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

If the Endpoint.<tag> prefix is specified, the parameter value is specified only for the <tag> point; otherwise, it is specified for all points that do not have a defined value of this parameter.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 8

[Endpoint.<tag>.]ContainerMaxLevel

{integer}

Maximum nesting level for other types of objects containing other objects (for instance, HTML pages or .jar files). These objects may include other objects, which in turn may also include others and so on. The maximum nesting level is the limit beyond which objects inside objects are not scanned.

If the Endpoint.<tag> prefix is specified, the parameter value is specified only for the <tag> point; otherwise, it is specified for all points that do not have a defined value of this parameter.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 8

[Endpoint.<tag>.]MaxCompressionRatio

{integer}

Maximum allowed compression ratio of compressed/packed objects (ratio between the uncompressed size and the compressed size). If the ratio of an object exceeds the limit, this object is skipped during the scanning.

If the Endpoint.<tag> prefix is specified, the parameter value is specified only for the <tag> point; otherwise, it is specified for all points that do not have a defined value of this parameter.

The compression ratio must be no less than 2.

Default value: 500

[Endpoint.<tag>.]ReportPasswordProtected

{integer}

Report an error if the scanned files are protected with a password.

If the Endpoint.<tag> prefix is specified, the parameter value is specified only for the <tag> point; otherwise, it is specified for all points that do not have a defined value of this parameter.

Default value: No

Special Aspects of Component Configuration

Parameters marked with an optional Endpoint.<tag> prefix can be grouped. Each group defines a unique connection point (endpoint) that clients can use to connect to the component, and each group has a unique <tag> identifier assigned to it. All the scanning parameters belonging to the same group define settings that apply only when data is scanned for the clients connected to the corresponding connection point. If a parameter is specified without an Endpoint.<tag> prefix, this sets the value for all connection points. If you delete a parameter from a connection point, the program uses the value of the corresponding “parent” parameter of the same name (set without the Endpoint.<tag> prefix) instead of the default value.

The ClamdSocket parameter must always be specified with an Endpoint.<tag> prefix, as it defines both a listening socket and a group (connection point) to which this socket corresponds.

Example

Let us assume that we need to set up two connection points for two groups of external applications (servers), called servers1 and servers2. The servers from the servers1 group can connect through a UNIX socket, whereas the servers from the servers2 group can use a network connection. Moreover, let us assume that the heuristic analysis must be disabled by default, but must be used for the servers from the servers2 group. The following example shows how to configure this:

1) In the configuration file:

[ClamD]
HeuristicAnalysis = Off
 
[ClamD.Endpoint.servers1]
ClamdSocket = /tmp/srv1.socket
 
[ClamD.Endpoint.servers2]
ClamdSocket = 127.0.0.1:1234
HeuristicAnalysis = On

2) Using the Dr.Web Ctl command-line management tool:

# drweb-ctl cfset ClamD.HeuristicAnalysis Off
# drweb-ctl cfset ClamD.Endpoint -a servers1
# drweb-ctl cfset ClamD.Endpoint -a servers2
# drweb-ctl cfset ClamD.Endpoint.servers1.ClamdSocket /tmp/srv1.socket
# drweb-ctl cfset ClamD.Endpoint.servers2.ClamdSocket 127.0.0.1:1234
# drweb-ctl cfset ClamD.Endpoint.servers2.HeuristicAnalysis On

Both ways have the same effect; however, if you edit the configuration file directly, you will also need to apply the changed settings (by running the drweb-ctl reload command).
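The resolution order described under Special Aspects of Component Configuration (endpoint value, then the unprefixed parent value, then the built-in default) can be checked offline before a reload. The following is an added example, not part of the Dr.Web documentation or product: it parses a configuration fragment in the format shown above, reports where each effective value comes from, and flags values outside the limits stated on this page. The dmz endpoint, the loopback-binding check and the finding strings are assumptions made for illustration.

```python
import configparser
import ipaddress

# Built-in defaults copied from the parameter table on this page (subset).
DEFAULTS = {"HeuristicAnalysis": "On", "MaxCompressionRatio": "500"}
PREFIX = "ClamD.Endpoint."

# Constructed sample: the page's example plus a hypothetical "dmz" endpoint.
SAMPLE = """
[ClamD]
HeuristicAnalysis = Off
[ClamD.Endpoint.servers1]
ClamdSocket = /tmp/srv1.socket
[ClamD.Endpoint.servers2]
ClamdSocket = 127.0.0.1:1234
HeuristicAnalysis = On
[ClamD.Endpoint.dmz]
ClamdSocket = 0.0.0.0:3310
MaxCompressionRatio = 1
"""

def effective_settings(text):
    """Return {tag: {param: (value, source)}}; endpoint > parent > default."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep parameter names as written
    cp.read_string(text)
    parent = dict(cp["ClamD"]) if cp.has_section("ClamD") else {}
    result = {}
    for section in (s for s in cp.sections() if s.startswith(PREFIX)):
        own = dict(cp[section])
        layers = (("endpoint", own), ("parent", parent), ("default", DEFAULTS))
        result[section[len(PREFIX):]] = {
            name: next((layer[name], src) for src, layer in layers if name in layer)
            for name in {**DEFAULTS, **parent, **own}}
    return result

def audit(text):
    """Flag values outside the limits stated on this page, plus an exposure check."""
    findings = []
    for tag, params in sorted(effective_settings(text).items()):
        sock = params.get("ClamdSocket", ("", ""))[0]
        if sock and not sock.startswith("/"):  # IPv4 address:port form
            if not ipaddress.ip_address(sock.rsplit(":", 1)[0]).is_loopback:
                findings.append((tag, "TCP socket not bound to loopback"))
        if int(params["MaxCompressionRatio"][0]) < 2:
            findings.append((tag, "MaxCompressionRatio below 2"))
        if params["HeuristicAnalysis"][0].lower() == "off":
            findings.append((tag, "heuristic analysis disabled"))
    return findings
```

Calling audit(SAMPLE) shows that servers1 runs without heuristic analysis because it inherits the parent value, while servers2 overrides it at the endpoint level.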