
CentOS_TIPS_019

Postfix virus protection with Sophos Anti-Virus for Linux + amavisd-new

This page builds a system that scans mail for viruses with Sophos Anti-Virus for Linux on the Postfix delivery path.
Since 2016, spam carrying malware, ransomware in particular, has been frequent, and Sophos products have detected it comparatively early.

  • Reference URL

http://permalink.gmane.org/gmane.comp.kde.devel.kroupware/24775

Configuration overview

[Figure: graphviz diagram of the mail routing]

Version information

The following versions are used here.

  • CentOS 6

$ cat /etc/redhat-release
CentOS release 6.8 (Final)

Installing Sophos Antivirus for Linux

  • Official site

https://www.sophos.com/ja-jp/products/free-tools/sophos-antivirus-for-linux.aspx

Obtain sav-linux-free-9.tgz from the official site.
Extracting it in any suitable directory and running the install script completes the installation, but here an rpm package is built and installed instead.
Note that packaging it as an rpm has almost no benefit (it only makes distributing the same package to several servers easier, and care is needed when upgrading), so for a single server or a small number of servers installing directly is probably fine.

Create a usable CentOS environment inside a chroot.

# cd /var/tmp
# wget http://ftp.riken.jp/Linux/centos/6.8/os/x86_64/Packages/centos-release-6-8.el6.centos.12.3.x86_64.rpm
# mkdir chroot
# rpm -i --root=/var/tmp/chroot --nodeps centos-release-6-8.el6.centos.12.3.x86_64.rpm
# yum --installroot=/var/tmp/chroot groupinstall -y "Base"
# yum --installroot=/var/tmp/chroot install -y rpm-build

# cp /usr/share/zoneinfo/Asia/Tokyo /var/tmp/chroot/etc/localtime
# cp /etc/resolv.conf /var/tmp/chroot/etc/
# cp sav-linux-free-9.tgz /var/tmp/chroot/root/

# mount --rbind /dev /var/tmp/chroot/dev
# mount -t proc none /var/tmp/chroot/proc
# mount --rbind /sys /var/tmp/chroot/sys

Install Sophos Antivirus for Linux.

# chroot /var/tmp/chroot /bin/bash

bash-4.1# cd /root
bash-4.1# tar zxf sav-linux-free-9.tgz
bash-4.1# ./sophos-av/install.sh

Sophos Anti-Virus
=================
Copyright (c) 1989-2016 Sophos Limited. All rights reserved.

Welcome to the Sophos Anti-Virus installer. Sophos Anti-Virus contains an on-access scanner, an on-demand command-line scanner, the Sophos Anti-Virus daemon, and the Sophos Anti-Virus GUI.

On-access scanner         Scans files as they are accessed, and grants access
                          to only those that are threat-free.
On-demand scanner         Scans the computer, or parts of the computer,
                          immediately.
Sophos Anti-Virus daemon  Background process that provides control, logging,
                          and email alerting for Sophos Anti-Virus.
Sophos Anti-Virus GUI     User interface accessed through a web browser.


Press <return> to display Licence. Then press <spc> to scroll forward.

(the licence text is displayed)

Do you accept the licence? Yes(Y)/No(N) [N]
> y
(licence accepted)

Where do you want to install Sophos Anti-Virus? [/opt/sophos-av]
>
(install location; the default is kept)

Do you want to enable on-access scanning? Yes(Y)/No(N) [Y]
> n
(on-access scanning is disabled; enabling it would additionally require installing a kernel module, etc.)

On-access scanning disabled. Use savscan for on-demand scanning.
Sophos recommends that you configure Sophos Anti-Virus to auto-update.

It can update either from Sophos directly (requiring username/password details) or from your own server (directory or website (possibly requiring username/password)).

Which type of auto-updating do you want? From Sophos(s)/From own server(o)/None(n) [s]
>
(update data is fetched directly from Sophos; default)

Updating directly from Sophos.
Do you wish to install the Free (f) or Supported (s) version of SAV for Linux? [s]
> f
(use the free version)

The Free version of Sophos Anti-Virus for Linux comes with no support.
Forums are available for our free tools at http://openforum.sophos.com/
Do you need a proxy to access Sophos updates? Yes(Y)/No(N) [N]
>
(no proxy is needed for updates; adjust to your environment)

Fetching free update credentials.
Installing Sophos Anti-Virus....
Starting Sophos Anti-Virus daemon:                         [  OK  ]

Installation completed.

The daemon is started as soon as the installation completes, so stop it for now.
bash-4.1# service sav-protect stop
Stopping Sophos Anti-Virus daemon:                         [  OK  ]

Build the package.
bash-4.1# /opt/sophos-av/update/mkinstpkg -r --sophos --update-type=s
...
Fetching free update credentials.
Commandline:  --enableSavProtectOnBoot=True --update-free=True --update-source-username=******** --update-source-password=******** --instdir=/opt/sophos-av --update-cache-path=/opt/sophos-av/update/cache/Primary --update-type=s --update-source-path=sophos: --acceptlicence=True --enableRMS=false --automatic=True --enableOnAccess=false --update-period-minutes=60
RPM package creation was successful. Package should be present in the default system location.


This installation package won't run on x86 32-bit systems because it has been created on an x86_64 system.


You have been granted a license to use the Licensed Products by Sophos for Your Internal Use only (see the Sophos End User License Agreement for details). Any use by You of the minipackages created using the Sophos Licensed Products are for use solely within Your organization.

Check the package that was created.
bash-4.1# rpm -qpi rpmbuild/RPMS/x86_64/savinstpkg-0.0-1.x86_64.rpm
Name        : savinstpkg                   Relocations: (not relocatable)
Version     : 0.0                               Vendor: Sophos Limited
Release     : 1                             Build Date: 2016年06月06日 01時44分16秒
Install Date: (not installed)               Build Host: example.jp
Group       : System/Security               Source RPM: savinstpkg-0.0-1.src.rpm
Size        : 5222874                          License: Copyright (c) 1989-2010 Sophos Limited. All rights reserved.
Signature   : (none)
Packager    : info@sophos.com
URL         : http://www.sophos.com
Summary     : SAV for Linux installer
Description :
Installer for the SAV for Linux product.

After retrieving the package, remove the chroot environment.

# cp /var/tmp/chroot/root/rpmbuild/RPMS/x86_64/savinstpkg-0.0-1.x86_64.rpm {package management directory}

# umount -l /var/tmp/chroot/dev
# umount /var/tmp/chroot/proc
# umount -l /var/tmp/chroot/sys

# rm -rf /var/tmp/chroot

Install the package.

# yum install savinstpkg
...
依存性を解決しました

================================================================================
 パッケージ            アーキテクチャ    バージョン       リポジトリー     容量
================================================================================
インストールしています:
 savinstpkg            x86_64            0.0-1            private         5.0 M

トランザクションの要約
================================================================================
インストール         1 パッケージ

The daemon is started when the installation completes, so verify that it works as is.

# /opt/sophos-av/bin/savdstatus
Sophos Anti-Virus is active but on-access scanning is not running

$ wget -O /tmp/eicar.data https://secure.eicar.org/eicar.com
$ sweep /tmp/eicar.data
SAVScan ウイルス検出ユーティリティ
バージョン 5.21.0 [Linux/AMD64]
ウイルスデータバージョン  5.28, 2016年5月
11457249種類のウイルス、トロイの木馬、ワームを検出します。
Copyright (c) 1989-2016 Sophos Limited. All rights reserved.

...

>>> ウイルス‘EICAR-AV-Test’がファイル /tmp/eicar.data に発見されました

ファイル 1 個を 8秒で検索しました。
1 個のウイルスが発見されました。
1 個のファイル(1 個中)が感染しています。
検出に関する詳細は、ソフォス Web サイトの次のリンクを参照してください。
脅威解析センター: http://www.sophos.com/ja-jp/threat-center.aspx
検索が終了しました。

By default, a mail is sent to root whenever a virus is detected, so disable that.

# /opt/sophos-av/bin/savconfig -v
Email: root@localhost
EmailDemandSummaryIfThreat: true
EmailLanguage: English
EmailNotifier: true
EmailServer: localhost:25
...

# /opt/sophos-av/bin/savconfig set EmailNotifier false

# /opt/sophos-av/bin/savconfig -v
Email: root@localhost
EmailDemandSummaryIfThreat: true
EmailLanguage: English
EmailNotifier: false
EmailServer: localhost:25
...

Installing amavisd-new

Install amavisd-new from EPEL as the filter that integrates with Postfix (yum output shown below).

依存性を解決しました

================================================================================
 パッケージ                      アーキテクチャ
                                             バージョン         リポジトリー
                                                                           容量
================================================================================
インストールしています:
 amavisd-new                     noarch      2.9.1-2.el6        epel      836 k
依存性関連でのインストールをします。:
 lrzip                           x86_64      0.616-5.el6        epel      188 k
 p7zip                           x86_64      16.02-2.el6        epel      710 k
 p7zip-plugins                   x86_64      16.02-2.el6        epel      982 k
 perl-Authen-SASL                noarch      2.13-3.el6         base       52 k
 perl-Convert-ASN1               noarch      0.22-1.el6         base       43 k
 perl-GSSAPI                     x86_64      0.26-6.el6         base       64 k
 perl-LDAP                       noarch      1:0.40-3.el6       base      354 k
 perl-Mail-SPF                   noarch      2.8.0-2.el6        epel      138 k
 perl-Razor-Agent                x86_64      2.85-6.el6         epel      119 k
 perl-Text-Iconv                 x86_64      1.7-6.el6          base       22 k
 perl-XML-Filter-BufferText      noarch      1.01-8.el6         base      9.6 k
 perl-XML-LibXML                 x86_64      1:1.70-5.el6       base      364 k
 perl-XML-NamespaceSupport       noarch      1.10-3.el6         base       17 k
 perl-XML-SAX                    noarch      0.96-7.el6         base       78 k
 perl-XML-SAX-Writer             noarch      0.50-8.el6         base       24 k
 unzoo                           x86_64      4.4-7.el6          epel       21 k

トランザクションの要約
================================================================================
インストール        17 パッケージ

合計容量: 3.9 M
総ダウンロード容量: 710 k
インストール済み容量: 11 M

Installing Sophos Anti-Virus Dynamic Interface

From the "Network Storage Antivirus" entry on the free trial download site, download the file that matches your OS environment (here savdi-23-linux-64bit.tar).

It can be installed by running the install script (./savdi-install/savdi_install.sh), but here a package is built and installed instead.

  • Reference URL - SPEC file for packaging

https://github.com/nazx/rpmbuild

# yum install savdi
...
依存性を解決しました

================================================================================
 パッケージ            アーキテクチャ    バージョン       リポジトリー     容量
================================================================================
インストールしています:
 savdi                 x86_64            2.3.0-0          private         809 k

トランザクションの要約
================================================================================
インストール         1 パッケージ

savdid configuration.

--- savdid.conf.org
+++ savdid.conf
@@ -7,12 +7,10 @@
 # Only used when running in daemon mode
 # Default is /var/run/savdid.pid

-pidfile: /var/tmp/savdi/new.pid
-
 # User name and group for daemon to switch to for normal running
 # savdi must be running as root for this to be useful
-#user: savdi
-#group: savdi
+user: sophosav
+group: amavis

 # No of worker threads to start up
 # Normally should be at least the maximum no of clients
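Review bot: the user/group switch only takes effect when savdid is started as root (see the comment two lines above), so the init script registered with chkconfig later on must start it as root. Dropping the `pidfile:` line also falls back to the default /var/run/savdid.pid; confirm the daemon can still write and later remove that file after switching to sophosav, or point `pidfile:` at a directory owned by sophosav.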
@@ -28,8 +26,8 @@
 # is not advised.

 # NB The following two lines may be modified by the *nix install script
-#virusdatadir: /var/sav/vdbs
-#idedir: /var/sav/vdbs
+virusdatadir: /opt/sophos-av/lib/sav
+idedir: /opt/sophos-av/lib/sav

 #virusdataname: vdl

@@ -51,7 +49,7 @@
     type: FILE

     # Where to write the log files (if FILE is selected)
-    logdir: /var/tmp/savdi/log/
+    logdir: /opt/sophos-av/log

     # Specify the level of logging required
     # 0 = errors+threats
@@ -77,12 +75,13 @@
         type: IP

         # IP Address to listen on, default is 0.0.0.0 (any)
-        address: 0.0.0.0
+        address: 127.0.0.1
         port: 4020

         # Subnet of acceptable client IP addresses.
         # Default is to accept from any client.
         # subnet: 127.0.0.1/24
+        subnet: 127.0.0.1/8

         # idle timeout in secs when waiting for a request
         # 0 is forever. Default: 0
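Review bot: `subnet: 127.0.0.1/8` is a host address with a /8 mask; write it as the network `127.0.0.0/8`, as the 4010 listener further down does, so the two ACLs read consistently. With `address: 127.0.0.1` the socket is already loopback-only, so the subnet line is a second check rather than the primary control.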
@@ -246,12 +245,13 @@

         # IP Address to listen on, default is 0.0.0.0 (any)

-        address: 0.0.0.0
+        address: 127.0.0.1
         port: 4010

         # Subnet of acceptable client IP addresses

         #subnet: 172.18.33.14/16
+        subnet: 127.0.0.0/8

         # idle timeout in secs when waiting for a request
         # 0, the default, is forever
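Review bot: this 4010 SSSP listener is the endpoint that the `'sssp:[127.0.0.1]:4010'` entry in amavisd.conf connects to; add a comment saying so, since the two files must stay in sync, and drop the stale `#subnet: 172.18.33.14/16` example above the new line so it is not mistaken for the effective value.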
@@ -268,7 +268,7 @@
         type: SSSP

         # Do we allow the client to use SCANFILE?
-        allowscanfile: DIR
+        allowscanfile: SUBDIR

         # Do we allow the client to use SCANDATA?
         allowscandata: YES
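Review bot: the change `allowscanfile: DIR` to `SUBDIR` deserves an inline comment: amavisd hands the daemon the directory of unpacked message parts and relies on a recursive directory scan, which DIR does not permit. Without the comment a later reader may tighten it back to DIR and silently break scanning.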
@@ -282,7 +282,7 @@
         tmpfilestub: /tmp/savid_tmp

         # Log each request made by a client?
-        # logrequests: YES
+        logrequests: YES
     }

     scanner {
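Review bot: `logrequests: YES` logs every request including the path of each scanned file; on a busy relay that is a lot of output under /opt/sophos-av/log, so make sure it is rotated. The unchanged `tmpfilestub: /tmp/savid_tmp` also depends on the manual mkdir/chown done after this diff; /tmp is not a persistent location and may be cleaned up, so a directory under /var owned by sophosav:amavis, created by the package or the init script, would be more robust.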

Start the service.

# mkdir /tmp/savid_tmp
# chown sophosav:amavis /tmp/savid_tmp

# chkconfig --add savdid
# service savdid start

postfix - amavisd - savdid integration
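Added example (not code from this page, from amavisd-new or from Sophos): the three patterns in the Sophos-SSSP entry of the amavisd.conf diff in this section turn a savdid reply into a verdict, and this script applies them to constructed replies, including a truncated one, to show why a reply matching neither pattern must count as a scanner error rather than a clean result. The sample reply texts and the infected-before-clean precedence are assumptions of this example.

```python
import re

# Patterns copied from the 'Sophos-SSSP' entry in amavisd.conf:
#   clean    -> qr/^DONE OK\b/m
#   infected -> qr/^VIRUS\b/m
#   name     -> qr/^VIRUS\s*(\S*)/m
CLEAN_RE = re.compile(r"^DONE OK\b", re.M)
INFECTED_RE = re.compile(r"^VIRUS\b", re.M)
NAME_RE = re.compile(r"^VIRUS\s*(\S*)", re.M)


def classify_reply(reply):
    """Turn the full text of one scanner reply into (verdict, names).

    verdict is 'infected' (names = detected threat names, deduplicated),
    'clean' (names empty) or 'error' when neither pattern matches, e.g. a
    truncated or refused reply.  Treating 'no match' as an error is what
    keeps an unreachable daemon from being mistaken for a clean scan: the
    mail must then be deferred, not passed.
    Assumption of this example: the infected pattern is tested first.  It
    has to be, because a scan that found a virus still ends with DONE OK.
    """
    if INFECTED_RE.search(reply):
        # \S* stops at the first space, so only the threat name is captured,
        # not the path of the unpacked MIME part that follows it
        names = [m.group(1) for m in NAME_RE.finditer(reply) if m.group(1)]
        return "infected", list(dict.fromkeys(names))
    if CLEAN_RE.search(reply):
        return "clean", []
    return "error", []


# Constructed replies: illustrative shapes, not captured savdid output.
REPLY_CLEAN = (
    "ACC 0001/1\n"
    "DONE OK 0000 scan completed\n"
)
REPLY_INFECTED = (
    "ACC 0002/1\n"
    "VIRUS EICAR-AV-Test /var/amavis/tmp/amavis-20160606T014416-00001/parts/p001\n"
    "VIRUS EICAR-AV-Test /var/amavis/tmp/amavis-20160606T014416-00001/parts/p002\n"
    "DONE OK 0203 threat found\n"
)
REPLY_TRUNCATED = "ACC 0003/1\n"   # daemon died or timed out mid-scan
REPLY_LOWERCASE = "done ok\n"      # patterns are case-sensitive: error


def demo():
    """Run the constructed replies through the classifier; returns a table."""
    samples = (
        ("clean", REPLY_CLEAN),
        ("infected", REPLY_INFECTED),
        ("truncated", REPLY_TRUNCATED),
        ("lowercase", REPLY_LOWERCASE),
    )
    return {name: classify_reply(text) for name, text in samples}


if __name__ == "__main__":
    for name, (verdict, names) in demo().items():
        print("%-9s -> %-8s %s" % (name, verdict, " ".join(names)))
```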

amavisd configuration.

--- amavisd.conf.org
+++ amavisd.conf
@@ -1,3 +1,4 @@
+
 use strict;

 # a minimalistic configuration file for amavisd-new with all necessary settings
@@ -8,6 +9,7 @@


 # COMMONLY ADJUSTED SETTINGS:
+#$undecipherable_subject_tag = ''; # disable password-zip Subject: UNCHECKED

 # @bypass_virus_checks_maps = (1);  # controls running of anti-virus code
 # @bypass_spam_checks_maps  = (1);  # controls running of anti-spam code
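Review bot: the added `#$undecipherable_subject_tag = '';` is commented out and therefore has no effect; either enable it (if password-protected archives should not get the UNCHECKED subject tag) or drop the line, so the file does not suggest a setting that is not in force.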
@@ -17,12 +19,12 @@
 $daemon_user  = "amavis";     # (no default;  customary: vscan or amavis), -u
 $daemon_group = "amavis";     # (no default;  customary: vscan or amavis), -g

-$mydomain = 'example.com';   # a convenient default for other settings
+$mydomain = 'example.jp';   # a convenient default for other settings

 # $MYHOME = '/var/amavis';   # a convenient default for other settings, -H
 $TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
 $ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR, used by SA, etc.
-$QUARANTINEDIR = "/var/virusmails";
+#$QUARANTINEDIR = "/var/virusmails";  # -Q
 # $quarantine_subdir_levels = 1;  # add level of subdirs to disperse quarantine
 # $release_format = 'resend';     # 'attach', 'plain', 'resend'
 # $report_format  = 'arf';        # 'attach', 'plain', 'resend', 'arf'
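Review bot: commenting out `$QUARANTINEDIR` removes the local quarantine directory, while the `*_quarantine_to` lines later in this diff point at a mailbox (report-to@example.jp); state that choice in a comment here, and verify with one test message that the mailed quarantine copy actually arrives, because with D_DISCARD it is the only remaining copy.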
@@ -113,7 +115,7 @@
 # $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
 #   defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)

-$virus_admin               = "virusalert\@$mydomain";  # notifications recip.
+#$virus_admin               = "virusalert\@$mydomain";  # notifications recip.

 $mailfrom_notify_admin     = "virusalert\@$mydomain";  # notifications sender
 $mailfrom_notify_recip     = "virusalert\@$mydomain";  # notifications sender
@@ -147,9 +149,12 @@
 # OTHER MORE COMMON SETTINGS (defaults may suffice):

 # $myhostname = 'host.example.com';  # must be a fully-qualified domain name!
+$myhostname = 'example.jp';

 # $notify_method  = 'smtp:[127.0.0.1]:10025';
 # $forward_method = 'smtp:[127.0.0.1]:10025';  # set to undef with milter!
+$notify_method  = 'smtp:[127.0.0.1]:10025';
+$forward_method = 'smtp:[127.0.0.1]:10025';

 # $final_virus_destiny      = D_DISCARD;
 # $final_banned_destiny     = D_DISCARD;
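Review bot: the stock comment says `$myhostname` must be a fully-qualified domain name, but the new value is the bare domain `example.jp`; use the host's FQDN, as it appears in Received: headers and in the SMTP dialogue towards Postfix. The `smtp:[127.0.0.1]:10025` re-injection path also assumes a Postfix listener on 10025 with an empty `content_filter=` (otherwise mail loops back into amavisd); that master.cf side is not part of this diff and should be documented alongside it.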
@@ -157,6 +162,19 @@
 # $final_bad_header_destiny = D_PASS;
 # $bad_header_quarantine_method = undef;

+$final_virus_destiny      = D_DISCARD;
+$final_banned_destiny     = D_DISCARD;
+$final_spam_destiny       = D_DISCARD;
+$final_bad_header_destiny = D_PASS;
+$warnvirussender  = 0;
+$warnspamsender   = 0;
+$warnbannedsender = 0;
+$warnbadhsender   = 0;
+$virus_quarantine_to = 'report-to@example.jp';
+$banned_quarantine_to = 'report-to@example.jp';
+$spam_quarantine_to = 'report-to@example.jp';
+#$bad_header_quarantine_to = 'report-to@example.jp';
+
 # $os_fingerprint_method = 'p0f:*:2345';  # to query p0f-analyzer.pl

 ## hierarchy by which a final setting is chosen:
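Review bot: `$final_spam_destiny = D_DISCARD` together with `$warnspamsender = 0` drops spam silently, so a false positive is lost unless the mailed quarantine copy to report-to@example.jp works; consider D_PASS with subject tagging for spam, keeping D_DISCARD (correct, no backscatter) for viruses and banned files. `$bad_header_quarantine_to` left commented while `$final_bad_header_destiny = D_PASS` is consistent, but a one-line comment saying so would help.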
@@ -353,12 +371,17 @@


 @av_scanners = (
+
+### AVG AV settings
+#['AVG Anti-Virus',
+#\&ask_daemon, ["SCAN {}\n", '127.0.0.1:54322'],
+#qr/^200 [oO][kK]/m, qr/^403/m, qr/^403 .*?: ([^\r\n]+)/m ],

 # ### http://www.sophos.com/
-# ['Sophos-SSSP',
+['Sophos-SSSP',
 #   \&ask_daemon, ["{}", 'sssp:/var/run/savdi/sssp.sock'],
-#           # or: ["{}", 'sssp:[127.0.0.1]:4010'],
-#   qr/^DONE OK\b/m, qr/^VIRUS\b/m, qr/^VIRUS\s*(\S*)/m ],
+   \&ask_daemon, ["{}", 'sssp:[127.0.0.1]:4010'],
+   qr/^DONE OK\b/m, qr/^VIRUS\b/m, qr/^VIRUS\s*(\S*)/m ],

 # ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/)
 # ['Sophie',
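Review bot: the `### AVG AV settings` block is added fully commented out and is dead configuration; drop it. The enabled Sophos-SSSP entry matches the savdid listener on 127.0.0.1:4010, and leaving the unix-socket form `sssp:/var/run/savdi/sssp.sock` commented above it is a reasonable hint for a socket-based deployment.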
@@ -376,10 +399,10 @@
 # settings for the SAVAPI3.conf: ArchiveScan=1, HeurLevel=2, MailboxScan=1

 # ### http://www.clamav.net/
-# ['ClamAV-clamd',
-#   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
-#   qr/\bOK$/m, qr/\bFOUND$/m,
-#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
+#['ClamAV-clamd',
+#  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
+#  qr/\bOK$/m, qr/\bFOUND$/m,
+#  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
 # # NOTE: run clamd under the same user as amavisd - or run it under its own
 # #   uid such as clamav, add user clamav to the amavis group, and then add
 # #   AllowSupplementaryGroups to clamd.conf;
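Review bot: this hunk only changes the comment prefix on already-commented ClamAV lines (`#   ` to `#  `); it has no effect and adds review noise, so revert it.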
@@ -445,93 +468,93 @@
 # ],
 # # NOTE: If using amavis-milter, change length to:
 # # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx").
-
-  ### http://www.kaspersky.com/  (kav4mailservers)
-  ['KasperskyLab AVP - aveclient',
-    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
-     '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
-    '-p /var/run/aveserver -s {}/*',
-    [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m,
-    qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m,
-  ],
-  # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious,
-  # currupted or protected archives are to be handled
-
-  ### http://www.kaspersky.com/
-  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
-    '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],    # any use for -A -K   ?
-    qr/infected: (.+)/m,
-    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
-    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
-  ],
-
-  ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
-  ### products and replaced by aveserver and aveclient
-  ['KasperskyLab AVPDaemonClient',
-    [ '/opt/AVP/kavdaemon',       'kavdaemon',
-      '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
-      '/opt/AVP/AvpTeamDream',    'AvpTeamDream',
-      '/opt/AVP/avpdc', 'avpdc' ],
-    "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ],
-    # change the startup-script in /etc/init.d/kavd to:
-    #   DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
-    #   (or perhaps:   DPARMS="-I0 -Y -* /var/amavis" )
-    # adjusting /var/amavis above to match your $TEMPBASE.
-    # The '-f=/var/amavis' is needed if not running it as root, so it
-    # can find, read, and write its pid file, etc., see 'man kavdaemon'.
-    # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
-    #   directory $TEMPBASE specifies) in the 'Names=' section.
-    # cd /opt/AVP/DaemonClients; configure; cd Sample; make
-    # cp AvpDaemonClient /opt/AVP/
-    # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"
-
-  ### http://www.centralcommand.com/
-  ['CentralCommand Vexira (new) vascan',
-    ['vascan','/usr/lib/Vexira/vascan'],
-    "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
-    "--log=/var/log/vascan.log {}",
-    [0,3], [1,2,5],
-    qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ],
-    # Adjust the path of the binary and the virus database as needed.
-    # 'vascan' does not allow to have the temp directory to be the same as
-    # the quarantine directory, and the quarantine option can not be disabled.
-    # If $QUARANTINEDIR is not used, then another directory must be specified
-    # to appease 'vascan'. Move status 3 to the second list if password
-    # protected files are to be considered infected.
-
-  ### http://www.avira.com/
-  ### old Avira AntiVir 2.x (ex H+BEDV) or old CentralCommand Vexira Antivirus
-  ['Avira AntiVir', ['antivir','vexira'],
-    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m,
-    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
-         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ],
-    # NOTE: if you only have a demo version, remove -z and add 214, as in:
-    #  '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,
-
-  ### http://www.avira.com/
-  ### Avira for UNIX 3.x
-  ['Avira AntiVir', ['avscan'],
-   '-s --batch --alert-action=none {}', [0,4], qr/(?:ALERT|FUND):/m,
-   qr/(?:ALERT|FUND): (?:.* <<< )?(.+?)(?: ; |$)/m ],
-
-  ### http://www.commandsoftware.com/
-  ['Command AntiVirus for Linux', 'csav',
-    '-all -archive -packed {}', [50], [51,52,53],
-    qr/Infection: (.+)/m ],
-
-  ### http://www.symantec.com/
-  ['Symantec CarrierScan via Symantec CommandLineScanner',
-    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
-    qr/^Files Infected:\s+0$/m, qr/^Infected\b/m,
-    qr/^(?:Info|Virus Name):\s+(.+)/m ],
-
-  ### http://www.symantec.com/
-  ['Symantec AntiVirus Scan Engine',
-    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
-    [0], qr/^Infected\b/m,
-    qr/^(?:Info|Virus Name):\s+(.+)/m ],
-    # NOTE: check options and patterns to see which entry better applies
-
+#
+#  ### http://www.kaspersky.com/  (kav4mailservers)
+#  ['KasperskyLab AVP - aveclient',
+#    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
+#     '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
+#    '-p /var/run/aveserver -s {}/*',
+#    [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m,
+#    qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m,
+#  ],
+#  # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious,
+#  # currupted or protected archives are to be handled
+#
+#  ### http://www.kaspersky.com/
+#  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
+#    '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],    # any use for -A -K   ?
+#    qr/infected: (.+)/m,
+#    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
+#    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
+#  ],
+#
+#  ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
+#  ### products and replaced by aveserver and aveclient
+#  ['KasperskyLab AVPDaemonClient',
+#    [ '/opt/AVP/kavdaemon',       'kavdaemon',
+#      '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
+#      '/opt/AVP/AvpTeamDream',    'AvpTeamDream',
+#      '/opt/AVP/avpdc', 'avpdc' ],
+#    "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ],
+#    # change the startup-script in /etc/init.d/kavd to:
+#    #   DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
+#    #   (or perhaps:   DPARMS="-I0 -Y -* /var/amavis" )
+#    # adjusting /var/amavis above to match your $TEMPBASE.
+#    # The '-f=/var/amavis' is needed if not running it as root, so it
+#    # can find, read, and write its pid file, etc., see 'man kavdaemon'.
+#    # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
+#    #   directory $TEMPBASE specifies) in the 'Names=' section.
+#    # cd /opt/AVP/DaemonClients; configure; cd Sample; make
+#    # cp AvpDaemonClient /opt/AVP/
+#    # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"
+#
+#  ### http://www.centralcommand.com/
+#  ['CentralCommand Vexira (new) vascan',
+#    ['vascan','/usr/lib/Vexira/vascan'],
+#    "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
+#    "--log=/var/log/vascan.log {}",
+#    [0,3], [1,2,5],
+#    qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ],
+#    # Adjust the path of the binary and the virus database as needed.
+#    # 'vascan' does not allow to have the temp directory to be the same as
+#    # the quarantine directory, and the quarantine option can not be disabled.
+#    # If $QUARANTINEDIR is not used, then another directory must be specified
+#    # to appease 'vascan'. Move status 3 to the second list if password
+#    # protected files are to be considered infected.
+#
+#  ### http://www.avira.com/
+#  ### old Avira AntiVir 2.x (ex H+BEDV) or old CentralCommand Vexira Antivirus
+#  ['Avira AntiVir', ['antivir','vexira'],
+#    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m,
+#    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
+#         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ],
+#    # NOTE: if you only have a demo version, remove -z and add 214, as in:
+#    #  '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,
+#
+#  ### http://www.avira.com/
+#  ### Avira for UNIX 3.x
+#  ['Avira AntiVir', ['avscan'],
+#   '-s --batch --alert-action=none {}', [0,4], qr/(?:ALERT|FUND):/m,
+#   qr/(?:ALERT|FUND): (?:.* <<< )?(.+?)(?: ; |$)/m ],
+#
+#  ### http://www.commandsoftware.com/
+#  ['Command AntiVirus for Linux', 'csav',
+#    '-all -archive -packed {}', [50], [51,52,53],
+#    qr/Infection: (.+)/m ],
+#
+#  ### http://www.symantec.com/
+#  ['Symantec CarrierScan via Symantec CommandLineScanner',
+#    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
+#    qr/^Files Infected:\s+0$/m, qr/^Infected\b/m,
+#    qr/^(?:Info|Virus Name):\s+(.+)/m ],
+#
+#  ### http://www.symantec.com/
+#  ['Symantec AntiVirus Scan Engine',
+#    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
+#    [0], qr/^Infected\b/m,
+#    qr/^(?:Info|Virus Name):\s+(.+)/m ],
+#    # NOTE: check options and patterns to see which entry better applies
+#
 # ### http://www.f-secure.com/products/anti-virus/  version 5.52
 #  ['F-Secure Antivirus for Linux servers',
 #   ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
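Review bot: this and the following hunks comment out some 90 lines of scanner entries that are inactive anyway unless their binaries are installed; a far smaller and clearer change is to replace the whole `@av_scanners` list with just the Sophos-SSSP entry (and set `@av_scanners_backup` to `()` if no backup scanner is wanted), which also makes the intended scanner obvious at a glance.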
@@ -540,16 +563,16 @@
 #   qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],
 #   # NOTE: internal archive handling may be switched off by '--archive=no'
 #   #   to prevent fsav from exiting with status 9 on broken archives
-
-  ### http://www.f-secure.com/ version 9.14
-   ['F-Secure Linux Security',
-    ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
-    '--virus-action1=report --archive=yes --auto=yes '.
-    '--list=no --nomimeerr {}', [0], [3,4,6,8],
-    qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],
-    # NOTE: internal archive handling may be switched off by '--archive=no'
-    #   to prevent fsav from exiting with status 9 on broken archives
-
+#
+#  ### http://www.f-secure.com/ version 9.14
+#   ['F-Secure Linux Security',
+#    ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
+#    '--virus-action1=report --archive=yes --auto=yes '.
+#    '--list=no --nomimeerr {}', [0], [3,4,6,8],
+#    qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],
+#    # NOTE: internal archive handling may be switched off by '--archive=no'
+#    #   to prevent fsav from exiting with status 9 on broken archives
+#
 # ### http://www.avast.com/
 # ['avast! Antivirus daemon',
 #   \&ask_daemon,      # greets with 220, terminate with QUIT
@@ -560,29 +583,29 @@
 # ['avast! Antivirus - Client/Server Version', 'avastlite',
 #   '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1],
 #   qr/\t\[L\]\t([^[ \t\015\012]+)/m ],
-
-  ['CAI InoculateIT', 'inocucmd',  # retired product
-    '-sec -nex {}', [0], [100],
-    qr/was infected by virus (.+)/m ],
-  # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html
-
-  ### http://www3.ca.com/Solutions/Product.asp?ID=156  (ex InoculateIT)
-  ['CAI eTrust Antivirus', 'etrust-wrapper',
-    '-arc -nex -spm h {}', [0], [101],
-    qr/is infected by virus: (.+)/m ],
-    # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
-    # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783
-
-  ### http://mks.com.pl/english.html
-  ['MkS_Vir for Linux (beta)', ['mks32','mks'],
-    '-s {}/*', [0], [1,2],
-    qr/--[ \t]*(.+)/m ],
-
-  ### http://mks.com.pl/english.html
-  ['MkS_Vir daemon', 'mksscan',
-    '-s -q {}', [0], [1..7],
-    qr/^... (\S+)/m ],
-
+#
+#  ['CAI InoculateIT', 'inocucmd',  # retired product
+#    '-sec -nex {}', [0], [100],
+#    qr/was infected by virus (.+)/m ],
+#  # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html
+#
+#  ### http://www3.ca.com/Solutions/Product.asp?ID=156  (ex InoculateIT)
+#  ['CAI eTrust Antivirus', 'etrust-wrapper',
+#    '-arc -nex -spm h {}', [0], [101],
+#    qr/is infected by virus: (.+)/m ],
+#    # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
+#    # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783
+#
+#  ### http://mks.com.pl/english.html
+#  ['MkS_Vir for Linux (beta)', ['mks32','mks'],
+#    '-s {}/*', [0], [1,2],
+#    qr/--[ \t]*(.+)/m ],
+#
+#  ### http://mks.com.pl/english.html
+#  ['MkS_Vir daemon', 'mksscan',
+#    '-s -q {}', [0], [1..7],
+#    qr/^... (\S+)/m ],
+#
 # ### http://www.nod32.com/,  version v2.52 (old)
 # ['ESET NOD32 for Linux Mail servers',
 #   ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
@@ -600,45 +623,45 @@
 # ['ESET Software ESETS Command Line Interface',
 #   ['/usr/bin/esets_cli', 'esets_cli'],
 #   '--subdir {}', [0], [1,2,3], qr/virus="([^"]+)"/m ],
-
-  ### http://www.eset.com/, version 3.0
-  ['ESET Software ESETS Command Line Interface',
-    ['/usr/bin/esets_cli', 'esets_cli'],
-    '--subdir {}', [0], [1,2,3],
-    qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ],
-
-  ## http://www.nod32.com/,  NOD32LFS version 2.5 and above
-  ['ESET NOD32 for Linux File servers',
-    ['/opt/eset/nod32/sbin/nod32','nod32'],
-    '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
-    '-w -a --action=1 -b {}',
-    [0], [1,10], qr/^object=.*, virus="(.*?)",/m ],
-
+#
+#  ### http://www.eset.com/, version 3.0
+#  ['ESET Software ESETS Command Line Interface',
+#    ['/usr/bin/esets_cli', 'esets_cli'],
+#    '--subdir {}', [0], [1,2,3],
+#    qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ],
+#
+#  ## http://www.nod32.com/,  NOD32LFS version 2.5 and above
+#  ['ESET NOD32 for Linux File servers',
+#    ['/opt/eset/nod32/sbin/nod32','nod32'],
+#    '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
+#    '-w -a --action=1 -b {}',
+#    [0], [1,10], qr/^object=.*, virus="(.*?)",/m ],
+#
 # Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31
 # ['ESET Software NOD32 Client/Server (NOD32SS)',
 #   \&ask_daemon2,    # greets with 200, persistent, terminate with QUIT
 #   ["SCAN {}/*\r\n", '127.0.0.1:8448' ],
 #   qr/^200 File OK/m, qr/^201 /m, qr/^201 (.+)/m ],
-
-  ### http://www.norman.com/products_nvc.shtml
-  ['Norman Virus Control v5 / Linux', 'nvcc',
-    '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
-    qr/(?i).* virus in .* -> \'(.+)\'/m ],
-
-  ### http://www.pandasoftware.com/
-  ['Panda CommandLineSecure 9 for Linux',
-    ['/opt/pavcl/usr/bin/pavcl','pavcl'],
-    '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
-    qr/Number of files infected[ .]*: 0+(?!\d)/m,
-    qr/Number of files infected[ .]*: 0*[1-9]/m,
-    qr/Found virus :\s*(\S+)/m ],
-  # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr'
-  # before starting amavisd - the bases are then loaded only once at startup.
-  # To reload bases in a signature update script:
-  #   /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr
-  # Please review other options of pavcl, for example:
-  #  -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies
-
+#
+#  ### http://www.norman.com/products_nvc.shtml
+#  ['Norman Virus Control v5 / Linux', 'nvcc',
+#    '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
+#    qr/(?i).* virus in .* -> \'(.+)\'/m ],
+#
+#  ### http://www.pandasoftware.com/
+#  ['Panda CommandLineSecure 9 for Linux',
+#    ['/opt/pavcl/usr/bin/pavcl','pavcl'],
+#    '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
+#    qr/Number of files infected[ .]*: 0+(?!\d)/m,
+#    qr/Number of files infected[ .]*: 0*[1-9]/m,
+#    qr/Found virus :\s*(\S+)/m ],
+#  # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr'
+#  # before starting amavisd - the bases are then loaded only once at startup.
+#  # To reload bases in a signature update script:
+#  #   /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr
+#  # Please review other options of pavcl, for example:
+#  #  -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies
+#
 # ### http://www.pandasoftware.com/
 # ['Panda Antivirus for Linux', ['pavcl'],
 #   '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}',
@@ -651,71 +674,71 @@
 #   '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/m ],
 # # NOTE: the command line switches changed with scan engine 8.5 !
 # # (btw, assigning stdin to /dev/null causes RAV to fail)
-
-  ### http://www.nai.com/
-  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
-    '--secure -rv --mime --summary --noboot - {}', [0], [13],
-    qr/(?x) Found (?:
-        \ the\ (.+)\ (?:virus|trojan)  |
-        \ (?:virus|trojan)\ or\ variant\ ([^ ]+)  |
-        :\ (.+)\ NOT\ a\ virus)/m,
-  # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
-  # sub {delete $ENV{LD_PRELOAD}},
-  ],
-  # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
-  # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
-  # and then clear it when finished to avoid confusing anything else.
-  # NOTE2: to treat encrypted files as viruses replace the [13] with:
-  #  qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/
-
-  ### http://www.virusbuster.hu/en/
-  ['VirusBuster', ['vbuster', 'vbengcl'],
-    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
-    qr/: '(.*)' - Virus/m ],
-  # VirusBuster Ltd. does not support the daemon version for the workstation
-  # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
-  # binaries, some parameters AND return codes have changed (from 3 to 1).
-  # See also the new Vexira entry 'vascan' which is possibly related.
-
+#
+#  ### http://www.nai.com/
+#  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
+#    '--secure -rv --mime --summary --noboot - {}', [0], [13],
+#    qr/(?x) Found (?:
+#        \ the\ (.+)\ (?:virus|trojan)  |
+#        \ (?:virus|trojan)\ or\ variant\ ([^ ]+)  |
+#        :\ (.+)\ NOT\ a\ virus)/m,
+#  # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
+#  # sub {delete $ENV{LD_PRELOAD}},
+#  ],
+#  # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
+#  # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
+#  # and then clear it when finished to avoid confusing anything else.
+#  # NOTE2: to treat encrypted files as viruses replace the [13] with:
+#  #  qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/
+#
+#  ### http://www.virusbuster.hu/en/
+#  ['VirusBuster', ['vbuster', 'vbengcl'],
+#    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
+#    qr/: '(.*)' - Virus/m ],
+#  # VirusBuster Ltd. does not support the daemon version for the workstation
+#  # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
+#  # binaries, some parameters AND return codes have changed (from 3 to 1).
+#  # See also the new Vexira entry 'vascan' which is possibly related.
+#
 # ### http://www.virusbuster.hu/en/
 # ['VirusBuster (Client + Daemon)', 'vbengd',
 #   '-f -log scandir {}', [0], [3],
 #   qr/Virus found = (.*);/m ],
 # # HINT: for an infected file it always returns 3,
 # # although the man-page tells a different story
-
-  ### http://www.cyber.com/
-  ['CyberSoft VFind', 'vfind',
-    '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m,
-  # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
-  ],
-
-  ### http://www.avast.com/
-  ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
-    '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ],
-
-  ### http://www.ikarus-software.com/
-  ['Ikarus AntiVirus for Linux', 'ikarus',
-    '{}', [0], [40], qr/Signature (.+) found/m ],
-
-  ### http://www.bitdefender.com/
-  ['BitDefender', 'bdscan',  # new version
-    '--action=ignore --no-list {}', qr/^Infected files\s*:\s*0+(?!\d)/m,
-    qr/^(?:Infected files|Identified viruses|Suspect files)\s*:\s*0*[1-9]/m,
-    qr/(?:suspected|infected)\s*:\s*(.*)(?:\033|$)/m ],
-
-  ### http://www.bitdefender.com/
-  ['BitDefender', 'bdc',  # old version
-    '--arc --mail {}', qr/^Infected files *:0+(?!\d)/m,
-    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m,
-    qr/(?:suspected|infected): (.*)(?:\033|$)/m ],
-  # consider also: --all --nowarn --alev=15 --flev=15.  The --all argument may
-  # not apply to your version of bdc, check documentation and see 'bdc --help'
-
-  ### ArcaVir for Linux and Unix http://www.arcabit.pl/
-  ['ArcaVir for Linux', ['arcacmd','arcacmd.static'],
-    '-v 1 -summary 0 -s {}', [0], [1,2],
-    qr/(?:VIR|WIR):[ \t]*(.+)/m ],
+#
+#  ### http://www.cyber.com/
+#  ['CyberSoft VFind', 'vfind',
+#    '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m,
+#  # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
+#  ],
+#
+#  ### http://www.avast.com/
+#  ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
+#    '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ],
+#
+#  ### http://www.ikarus-software.com/
+#  ['Ikarus AntiVirus for Linux', 'ikarus',
+#    '{}', [0], [40], qr/Signature (.+) found/m ],
+#
+#  ### http://www.bitdefender.com/
+#  ['BitDefender', 'bdscan',  # new version
+#    '--action=ignore --no-list {}', qr/^Infected files\s*:\s*0+(?!\d)/m,
+#    qr/^(?:Infected files|Identified viruses|Suspect files)\s*:\s*0*[1-9]/m,
+#    qr/(?:suspected|infected)\s*:\s*(.*)(?:\033|$)/m ],
+#
+#  ### http://www.bitdefender.com/
+#  ['BitDefender', 'bdc',  # old version
+#    '--arc --mail {}', qr/^Infected files *:0+(?!\d)/m,
+#    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m,
+#    qr/(?:suspected|infected): (.*)(?:\033|$)/m ],
+#  # consider also: --all --nowarn --alev=15 --flev=15.  The --all argument may
+#  # not apply to your version of bdc, check documentation and see 'bdc --help'
+#
+#  ### ArcaVir for Linux and Unix http://www.arcabit.pl/
+#  ['ArcaVir for Linux', ['arcacmd','arcacmd.static'],
+#    '-v 1 -summary 0 -s {}', [0], [1,2],
+#    qr/(?:VIR|WIR):[ \t]*(.+)/m ],

 # ### a generic SMTP-client interface to a SMTP-based virus scanner
 # ['av_smtp', \&ask_av_smtp,
@@ -742,64 +765,64 @@

 @av_scanners_backup = (

-  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
-  ['ClamAV-clamscan', 'clamscan',
-    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
-    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
+#  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
+#  ['ClamAV-clamscan', 'clamscan',
+#    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
+#    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

 # ### http://www.clamav.net/ - using remote clamd scanner as a backup
 # ['ClamAV-clamdscan', 'clamdscan',
 #   "--stdout --no-summary --config-file=/etc/clamd-client.conf {}",
 #   [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

-# ['ClamAV-clamd-stream',
-#   \&ask_daemon, ["*", 'clamd:/var/run/clamav/clamd.sock'],
-#   qr/\bOK$/m, qr/\bFOUND$/m,
-#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
-
-  ### http://www.f-prot.com/   - backs up F-Prot Daemon, V6
-  ['F-PROT Antivirus for UNIX', ['fpscan'],
-    '--report --mount --adware {}',  # consider: --applications -s 4 -u 3 -z 10
-    [0,8,64],  [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3],
-    qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ],
-
-  ### http://www.f-prot.com/   - backs up F-Prot Daemon (old)
-  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
-    '-dumb -archive -packed {}', [0,8], [3,6],   # or: [0], [3,6,8],
-    qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ],
-
-  ### http://www.trendmicro.com/   - backs up Trophie
-  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
-    '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ],
-
-  ### http://www.sald.com/, http://drweb.imshop.de/   - backs up DrWebD
-  ['drweb - DrWeb Antivirus',  # security LHA hole in Dr.Web 4.33 and earlier
-    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
-    '-path={} -al -go -ot -cn -upn -ok-',
-    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ],
-
-   ### http://www.kaspersky.com/
-   ['Kaspersky Antivirus v5.5',
-     ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
-      '/opt/kav/5.5/kav4unix/bin/kavscanner',
-      '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
-     '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
-     qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m,
+#['ClamAV-clamd-stream',
+#  \&ask_daemon, ["*", 'clamd:/var/run/clamav/clamd.sock'],
+#  qr/\bOK$/m, qr/\bFOUND$/m,
+#  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
+
+#  ### http://www.f-prot.com/   - backs up F-Prot Daemon, V6
+#  ['F-PROT Antivirus for UNIX', ['fpscan'],
+#    '--report --mount --adware {}',  # consider: --applications -s 4 -u 3 -z 10
+#    [0,8,64],  [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3],
+#    qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ],
+
+#  ### http://www.f-prot.com/   - backs up F-Prot Daemon (old)
+#  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
+#    '-dumb -archive -packed {}', [0,8], [3,6],   # or: [0], [3,6,8],
+#    qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ],
+
+#  ### http://www.trendmicro.com/   - backs up Trophie
+#  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
+#    '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ],
+
+#  ### http://www.sald.com/, http://drweb.imshop.de/   - backs up DrWebD
+#  ['drweb - DrWeb Antivirus',  # security LHA hole in Dr.Web 4.33 and earlier
+#    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
+#    '-path={} -al -go -ot -cn -upn -ok-',
+#    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ],
+
+#   ### http://www.kaspersky.com/
+#   ['Kaspersky Antivirus v5.5',
+#     ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
+#      '/opt/kav/5.5/kav4unix/bin/kavscanner',
+#      '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
+#     '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
+#     qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m,
 #    sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
 #    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
-   ],
+#   ],

 # Commented out because the name 'sweep' clashes with Debian and FreeBSD
 # package/port of an audio editor. Make sure the correct 'sweep' is found
 # in the path when enabling.
 #
-# ### http://www.sophos.com/   - backs up Sophie or SAVI-Perl
-# ['Sophos Anti Virus (sweep)', 'sweep',
-#   '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.
-#   '--no-reset-atime {}',
-#   [0,2], qr/Virus .*? found/m,
-#   qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m,
-# ],
+### http://www.sophos.com/   - backs up Sophie or SAVI-Perl
+['Sophos Anti Virus (sweep)', '/usr/local/bin/sweep',
+  '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.
+  '--no-reset-atime {}',
+  [0], [3],
+  qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m,
+],
 # # other options to consider: -idedir=/usr/local/sav

 # Always succeeds and considers mail clean.

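Review bot: the enabled Sophos entry (`['Sophos Anti Virus (sweep)', '/usr/local/bin/sweep', ...`) replaces the original clean list `[0,2]` and infected pattern `qr/Virus .*? found/m` with exit codes `[0]` and `[3]`, so exit code 2, which the original entry counted as clean, now falls in neither list and amavisd records the run as a scanner failure rather than a verdict (check the sweep/savscan man page for the meaning of each return code). Since the other entries of `@av_scanners_backup` in this hunk are commented out as well, such a message is left with no working scanner, and the outcome (temporary reject or pass-through) is governed by `$virus_scanners_failure_is_fatal`; confirm that setting is the intended one. Also, the name regex `qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m` only matches sweep's English report, yet the entry calls `/usr/local/bin/sweep` directly; pointing it at the `LANG=C` wrapper (`/usr/local/bin/sweep.wrapper`) shown at the end of the page would avoid the missing virus name on non-English systems that the page describes.
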
Start amavisd.

# chkconfig amavisd on
# service amavisd start

Postfix configuration.

  • Reference URL

http://freedif.org/reduce-spam-and-improve-security-amavis-spamassassin-clamav-procmail-postscreen/

--- a/postfix/master.cf
+++ b/postfix/master.cf
@@ -21,6 +21,8 @@ smtp      inet  n       -       n       -       -       smtpd
 #  -o milter_macro_daemon_name=ORIGINATING
 #628      inet  n       -       n       -       -       qmqpd
 pickup    fifo  n       -       n       60      1       pickup
+  -o content_filter=
+  -o receive_override_options=no_header_body_checks
 cleanup   unix  n       -       n       -       0       cleanup
 qmgr      fifo  n       -       n       300     1       qmgr
 #qmgr     fifo  n       -       n       300     1       oqmgr
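Review bot: `-o content_filter=` on the `pickup` service means mail submitted locally through the sendmail(1) command (cron output, local scripts, web applications on this host) never reaches amavisd or sweep; only mail that arrives over SMTP is scanned. If that is the intent (keeping locally generated mail out of the filter), fine, but it deserves a comment in master.cf; if local submissions should be scanned too, drop this override from `pickup`, since the reinjection path is already exempted by the `-o content_filter=` on the `127.0.0.1:10025` listener.
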
@@ -102,3 +104,31 @@ scache    unix  -       -       n       -       1       sca
 #mailman   unix  -       n       n       -       -       pipe
 #  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
 #  ${nexthop} ${user}
+#
+# filter
+amavis           unix  -       -       -       -       2       smtp
+  -o smtp_data_done_timeout=1200
+  -o smtp_send_xforward_command=yes
+  -o disable_dns_lookups=yes
+  -o max_use=20
+
+# listener for filter
+127.0.0.1:10025  inet  n       -       -       -       -       smtpd
+  -o content_filter=
+  -o local_recipient_maps=
+  -o relay_recipient_maps=
+  -o smtpd_restriction_classes=
+  -o smtpd_delay_reject=no
+  -o smtpd_client_restrictions=permit_mynetworks,reject
+  -o smtpd_helo_restrictions=
+  -o smtpd_sender_restrictions=
+  -o smtpd_recipient_restrictions=permit_mynetworks,reject
+  -o smtpd_data_restrictions=reject_unauth_pipelining
+  -o smtpd_end_of_data_restrictions=
+  -o mynetworks=127.0.0.0/8
+  -o smtpd_error_sleep_time=0
+  -o smtpd_soft_error_limit=1001
+  -o smtpd_hard_error_limit=1000
+  -o smtpd_client_connection_count_limit=0
+  -o smtpd_client_connection_rate_limit=0
+  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

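Review bot: the `amavis` transport sets `-o smtp_send_xforward_command=yes`, but the `127.0.0.1:10025` listener has no `-o smtpd_authorized_xforward_hosts=127.0.0.0/8`, so the reinjecting smtpd does not accept the XFORWARD attributes and the original client information is not carried over to the reinjected copy (it remains only in the first smtpd's log). Add that option to the listener. Also, the maxproc column of the `amavis` transport is `2`; this has to match amavisd's `$max_servers` (amavisd's default is 2), otherwise either amavisd children sit idle or Postfix queues up on the filter.
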
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -685,3 +685,7 @@ sample_directory = /usr/share/doc/postfix-2.6.6/samples
 # readme_directory: The location of the Postfix README files.
 #
 readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
+
+# filter
+#
+content_filter = amavis:[127.0.0.1]:10024

Apply the Postfix configuration.

# postfix check
# postfix reload

Handling detected mail

With this configuration, mail detected by amavisd + Sophos Antivirus is not delivered to its original recipient but is forwarded to report-to@example.jp.
Headers like the following are added to the forwarded mail.

X-Amavis-Alert: INFECTED, message contains virus: EICAR-AV-Test

X-Amavis-Alert: INFECTED, message contains virus: Troj/Agent-ARZY
X-Amavis-Alert: BANNED, message contains
        application/octet-stream,.exe,.exe-ms,#N102210_2016_01.PDF.exe

Even amavisd's own functionality alone provides some degree of spam classification/detection.

X-Spam-Flag: YES
X-Spam-Score: 18.209
X-Spam-Level: ******************
X-Spam-Status: Yes, score=18.209 tag=2 tag2=6.2 kill=6.9
        tests=[DSN_NO_MIMEVERSION=2, RCVD_IN_BL_SPAMCOP_NET=1.246,
        RCVD_IN_BRBL_LASTEXT=1.644, RCVD_IN_PBL=3.558, RCVD_IN_PSBL=2.7,
        RCVD_IN_SORBS_WEB=0.614, RCVD_IN_XBL=0.724, RDNS_NONE=1.274,
        URIBL_ABUSE_SURBL=1.948, URIBL_BLOCKED=0.001, URIBL_DBL_SPAM=2.5]
        autolearn=spam

To improve accuracy, it seems advisable to use spamassassin or similar alongside it.
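As an added illustration that is not part of the original page, the Python below pulls amavisd's verdicts and the spam score out of a message forwarded to the report address; the sample headers are constructed from the ones shown above, and `summarize_report` is a name chosen here.

```python
import email
import re

# Constructed sample: the headers shown above as they would appear on a
# message forwarded to the report address (body is a placeholder).
SAMPLE_REPORT = """\
X-Amavis-Alert: INFECTED, message contains virus: Troj/Agent-ARZY
X-Amavis-Alert: BANNED, message contains
        application/octet-stream,.exe,.exe-ms,#N102210_2016_01.PDF.exe
X-Spam-Flag: YES
X-Spam-Score: 18.209
X-Spam-Status: Yes, score=18.209 tag=2 tag2=6.2 kill=6.9
        tests=[DSN_NO_MIMEVERSION=2, RCVD_IN_BL_SPAMCOP_NET=1.246,
        RCVD_IN_PBL=3.558] autolearn=spam
Subject: quarantined sample

(body placeholder)
"""

ALERT_RE = re.compile(r'^(INFECTED|BANNED|SPAM)\b,\s*(.*)$')
TESTS_RE = re.compile(r'tests=\[(.*?)\]')


def _unfold(value):
    """Collapse RFC 5322 folding whitespace into single spaces."""
    return ' '.join(value.split())


def summarize_report(raw):
    """Return what amavisd decided about a forwarded message.

    Reads every X-Amavis-Alert header (there may be several, e.g. INFECTED
    and BANNED for the same attachment) plus X-Spam-Flag/X-Spam-Status.
    """
    msg = email.message_from_string(raw)
    alerts = []
    for value in msg.get_all('X-Amavis-Alert', []):
        m = ALERT_RE.match(_unfold(value))
        if m:
            alerts.append((m.group(1), m.group(2)))
    status = _unfold(msg.get('X-Spam-Status', ''))
    score_m = re.search(r'\bscore=(-?\d+(?:\.\d+)?)', status)
    tests = {}
    tests_m = TESTS_RE.search(status)
    if tests_m:
        for item in tests_m.group(1).split(','):
            name, _, points = item.strip().partition('=')
            if name:
                tests[name] = float(points) if points else 0.0
    return {'alerts': alerts,
            'spam': msg.get('X-Spam-Flag', '').strip().upper() == 'YES',
            'score': float(score_m.group(1)) if score_m else None,
            'tests': tests}
```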

When installed on a non-English system, the configuration example here does not capture the virus name when sweep detects something.

 qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m,

Detection itself still works, so this is not a fatal problem: the name is merely missing from the notification mail's header, and it can be confirmed in the log.
To resolve it, either revise the regular expression above in amavisd.conf, or create and use a wrapper for sweep.
The following is an example wrapper script.

$ cat /usr/local/bin/sweep.wrapper
#!/bin/bash
# Force the C locale so sweep prints its English report, which the
# amavisd virus-name regex expects; all arguments are passed through.
LANG=C /usr/local/bin/sweep ${@+"$@"}
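As an added example that is not part of the original page, the Python below reproduces the amavisd decision for the sweep entry from the diff above (clean `[0]`, infected `[3]`, and the same name regex) against constructed output, showing why a detection on a non-English system keeps its verdict but loses its name; `run_sweep` applies the wrapper's `LANG=C` fix. The sweep path and the non-English output line are assumptions.

```python
import os
import re
import subprocess

# The sweep entry from amavisd.conf above: clean exit codes, infected exit
# codes, and the virus-name pattern (Perl qr// and Python re agree here).
SWEEP_CLEAN_CODES = {0}
SWEEP_INFECTED_CODES = {3}
SWEEP_NAME_RE = re.compile(r"^>>> Virus(?: fragment)? '?(.*?)'? found", re.M)


def classify_sweep(exit_code, output):
    """Mirror amavisd's handling of one sweep run.

    Returns (verdict, names). verdict is 'clean', 'infected', or 'error'
    when the exit code is in neither list (amavisd then counts the scanner
    run as failed). names holds whatever the regex extracted; on a
    non-English system the verdict survives but the list stays empty.
    """
    if exit_code in SWEEP_CLEAN_CODES:
        return 'clean', []
    if exit_code in SWEEP_INFECTED_CODES:
        return 'infected', SWEEP_NAME_RE.findall(output)
    return 'error', []


def run_sweep(path, sweep='/usr/local/bin/sweep'):
    """Run sweep with the options from the amavisd entry, forcing LANG=C
    just as the wrapper script does, and classify the result."""
    args = [sweep, '-nb', '-f', '-all', '-rec', '-ss', '-sc', '-archive',
            '-cab', '-mime', '-oe', '-tnef', '--no-reset-atime', path]
    proc = subprocess.run(args, env={**os.environ, 'LANG': 'C'},
                          capture_output=True, text=True)
    return classify_sweep(proc.returncode, proc.stdout)


# Constructed report in the LANG=C format the regex expects.
OUTPUT_LANG_C = (
    ">>> Virus 'EICAR-AV-Test' found in file /var/amavis/tmp/p001\n"
    "1 file swept in 1 second.\n"
    "1 virus was discovered.\n"
)
# Constructed placeholder for a localized report line (not sweep's real
# translated wording): same detection, but no '>>> Virus ... found' text.
OUTPUT_LOCALIZED = ">>> /var/amavis/tmp/p001: EICAR-AV-Test (localized)\n"
```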