antivirus module uses wrong ClamAV defaults on Debian #1832

Closed
Signum opened this Issue Sep 10, 2017 · 11 comments

Signum commented Sep 10, 2017

Classification (Please choose one option):

  • Crash/Hang/Data loss
  • WebUI/Usability
  • Serious bug
  • Other bug
  • Feature
  • Enhancement

Reproducibility (Please choose one option):

  • Always
  • Sometimes
  • Rarely
  • Unable
  • I didn’t try
  • Not applicable

Rspamd version:

1.6.4

Operating system, CPU, memory and environment:

Debian Stretch

Description (Please provide a descriptive summary of the issue):

The documentation on how to use ClamAV as a malware scanner should be improved.
The defaults as defined in https://github.com/vstakhov/rspamd/blob/85d606bdbc00000f672e9a2c6613bbc34dadfc74/src/plugins/lua/antivirus.lua#L119 do not work on Debian. The "clamd" process by default listens on the socket file /var/run/clamav/clamd.ctl and not on TCP port 127.0.0.1:3310.

A working configuration would be (/etc/rspam.d/local.d/antivirus.conf):

clamav {
  action = "reject";
  symbol = "CLAM_VIRUS";
  type = "clamav";
  log_clean = true;
  servers = "/var/run/clamav/clamd.ctl";
}

That also requires that the _rspamd user is part of the clamav group to be able to access the control socket. I suggest that this is made clearer.

I would also like to suggest that an error is logged if the antivirus backend could not be reached. Such an error should not go unnoticed. Thanks.

Steps to reproduce:

Install rspamd on Debian Stretch. Send a test virus (e.g. eicar.com). See in the logs that the antivirus module does nothing.
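As an added illustration (not rspamd's code and not from anyone in this thread), a small Python check that resolves a `servers` value the way the issue describes, a Unix socket path such as /var/run/clamav/clamd.ctl versus host[:port] with clamd's default 3310 filled in, and sends clamd's PING command so an unreachable backend is reported rather than silently ignored. The `check_servers` helper and the comma-separated input form are assumptions for this example; a permission error on the socket is what you see when _rspamd is not in the clamav group.

```python
import socket

CLAMD_DEFAULT_PORT = 3310  # TCP port rspamd's antivirus module assumes for clamav


def parse_server(spec):
    """Resolve one rspamd 'servers' entry for the clamav backend.

    A value starting with '/' is a Unix socket path (Debian's clamd default
    is /var/run/clamav/clamd.ctl); anything else is host[:port], IPv4 or
    hostname only, with clamd's default port 3310 filled in when omitted.
    """
    if spec.startswith("/"):
        return ("unix", spec)
    host, sep, port = spec.rpartition(":")
    if sep and port.isdigit():
        return ("tcp", (host, int(port)))
    return ("tcp", (spec, CLAMD_DEFAULT_PORT))


def ping_clamd(spec, timeout=3.0):
    """Send clamd's PING command and return 'PONG' or an 'error: ...' string.

    Uses the NUL-terminated command form ('zPING\\0'), which clamd answers
    with 'PONG\\0'. Connection failures are returned, not swallowed, so a
    misconfigured backend is visible instead of silently scanning nothing.
    """
    family, addr = parse_server(spec)
    sock = socket.socket(
        socket.AF_UNIX if family == "unix" else socket.AF_INET, socket.SOCK_STREAM
    )
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
        sock.sendall(b"zPING\0")
        return sock.recv(64).rstrip(b"\0\n").decode("ascii", "replace")
    except OSError as exc:  # ENOENT, EACCES (not in clamav group), ECONNREFUSED, timeout
        return f"error: cannot reach clamd at {spec}: {exc}"
    finally:
        sock.close()


def check_servers(servers):
    """Check every entry of a comma-separated 'servers' value (assumed input form)."""
    return {s.strip(): ping_clamd(s.strip()) for s in servers.split(",") if s.strip()}


if __name__ == "__main__":
    # Both values discussed in the issue: Debian's socket path and the module default.
    for spec, result in check_servers("/var/run/clamav/clamd.ctl, 127.0.0.1").items():
        print(f"{spec}: {result}")
```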

vstakhov commented Sep 11, 2017

That's not an Rspamd issue. We cannot fit all 100500 Linux distros in the world. Using Unix sockets is extremely inconvenient because of the mess with permissions/groups and the inability to dump traffic. I personally think that using the unix socket is a very poor default. However, the default documentation clearly says that unix socket usage is also possible. The errors are also logged properly; you are likely using the default attachments_only=true and clamav thus does not see eicar in the message itself. This logging part might be improved indeed.

Signum commented Sep 11, 2017

Let's just say that the documentation of the antivirus module is very unspecific about what the defaults are. Quote:

# servers to query (if port is unspecified, scanner-specific default is used)

Without looking at the source code it's unclear what the default may be. It would be nice to put that into the configuration file as a comment, for example.

IMHO using sockets has pros and cons. The pro is that you don't open up a service for everyone on a host but just for those who you grant access. The con is that it may be harder to use if you get the permissions wrong and that tcpdump doesn't work. I don't want to judge the respective distros' approaches. I'm just a stupid ignorant sysadmin who tried hard to get AV scanning working. :) And good documentation and clear error messages help with that.

Signum commented Sep 12, 2017

Forget about the sockets. I heard you.

My point is: the defaults are not documented (except in the source code (where the user is not looking)).

mxoneil commented Sep 12, 2017

On Debian 9....
You need to specify the:
TCPAddr localhost
TCPSocket 3310
in the clamav.conf so that rspamd can connect to it.
And:
servers = "127.0.0.1:3310";
in the rspamd antivirus.conf

Should work without issue.

It is documented in both rspamd and clamav how to set the port/socket.

@vstakhov vstakhov closed this Sep 23, 2017

supersophie commented Jan 1, 2018

That's not Rspamd issue.

No, but your example config misleads the user. Was this your intention?

FlorianHeigl commented Jun 16, 2018

Look, if there are multiple, unrelated people coming here explicitly telling you there are documentation issues:
how big do you think the chance is that you're right in thinking there's no problem?

vstakhov commented Jun 16, 2018

100%

vstakhov commented Jun 16, 2018

Or even 146% as I'm inclined to ignore issues about the documentation without patches.

FlorianHeigl commented Jun 16, 2018

It must be nice to be without doubt.
You wrote good software. The way you act is why you don't automatically get the patches from everyone.
Maybe one day you'll understand.
Fare well.

supersophie commented Jun 16, 2018

Or even 146% as I'm inclined to ignore issues about the documentation without patches.

Your answer doesn't make any sense. Your documentation is wrong. It does not work. I don't understand the mindset.

If you have no time for correcting the docs (and I understood that you are too busy), is there somebody else who could help you?

@rspamd rspamd locked as too heated and limited conversation to collaborators Jun 16, 2018
