AVSCAN

Synopsis

HELP:   Activate anti virus scanning
TYPE:   OBJECT
SYNTAX: AVSCAN(METHOD=WARNING/ERROR,COMPRESS,TRACE,STATISTICS,LIBRARY='str',FUNCTION='str',PARAMETER='str')

Description

The anti virus component can be used when reading or writing to scan the data stream for malware. The handling of found malware is configurable. By default, processing is aborted with an error. By activating the REMOVE switch of the corresponding I/O component, the written part of the affected file can be deleted.

The whole component is implemented as an exit driver so that FLAM can be integrated with any kind of AV technology. To select a specific implementation, you can define the library and function name and provide a parameter string specific to that implementation. You can also define these values through the environment variables below:

If none of these variables is set, the FLAM default implementation is used. If the AVS converter is activated, it utilizes the ClamAV daemon (clamav.daemon:3310:10); see www.clamav.net for more information. The parameter string contains up to 3 optional parts separated by colons:

The environment variable below can be used to change this string:

The quality and security of the malware detection depend on the quality of the signature database and the configuration of the ClamAV daemon.

Once anti virus scanning is configured correctly, the corresponding objects in the read/input or write/output parameter strings must be activated. You can also activate the AVS component with one of the environment variables below:

The component supports standard GZIP compression for the data stream. This is useful to save bandwidth if a network service (clamd) is used to scan for malware. The function should only be used if the service provider supports GZIP data streams, and the service provider must indicate this. If the service provider does not support GZIP data streams, the compression switch has no effect, so that anti virus scanning is still ensured. The environment variable below can be used to activate GZIP compression:

To write your own service provider, the SPI documentation is published as 'FLAM Anti Virus Exit (FAVE) Service provider Interface' under the link below.

https://flam.de/ftp/FL5/doxygen/FAVE/

The interface is specified in the 'FAVE.h' header file and is independent of the platform and programming language. You simply provide a DLL/SO or load module which implements one main entry. The interface specifies an open, a run and a close function. The parameter string is given to the open function, which returns a handle. The run function uses the handle to scan the input data, and the close function can be used to release resources allocated by the handle. The run and close functions can return a code which indicates whether malware was found (FLMRTC_VRS).

A trace flag can be activated through the exit driver to request additional trace information in error situations. A statistics flag tells the service provider to produce additional statistics information. A re-open flag is set by the exit driver when it opens an additional stream to be scanned, which happens if more than one file must be scanned. It allows the service provider to implement a fast open function.

Arguments