FLAM Issue Tracker - FL5
View Issue Details
0000950FL52.2 Subprogram FLUC (CONV)public2018-10-18 14:532018-10-24 15:51
Falk Reichbott 
Falk Reichbott 
0000950: Support anti virus scanning at read and write with FLAM
Like hashing and signature generation and verification it would be usefule to integrate anti virus scanning (AVS) into FLAM. Especially for flucFS it woud be use fule to scann for viruses before write a file. But also for the mainframes a server based solution for virus scanning are useful, especially if data read from remote systems like windows.

The solution must support a service provider interface (FAVE) to integrate with different AV solutions (Avira, Kaperski, Symantec, ...)
No tags attached.
Issue History
2018-10-18 14:53Falk ReichbottNew Issue
2018-10-18 14:53Falk ReichbottStatusnew => assigned
2018-10-18 14:53Falk ReichbottAssigned To => Falk Reichbott
2018-10-18 14:56Falk ReichbottNote Added: 0001198
2018-10-18 16:42Falk ReichbottNote Edited: 0001198bug_revision_view_page.php?bugnote_id=1198#r424
2018-10-18 16:52Falk ReichbottNote Edited: 0001198bug_revision_view_page.php?bugnote_id=1198#r425
2018-10-24 15:49Falk ReichbottTarget Version5.1.20 => 5.1.19
2018-10-24 15:51Falk ReichbottNote Added: 0001199
2018-10-24 15:51Falk ReichbottStatusassigned => resolved
2018-10-24 15:51Falk ReichbottFixed in Version => 5.1.19
2018-10-24 15:51Falk ReichbottResolutionopen => fixed

Falk Reichbott   
2018-10-18 14:56   
(edited on: 2018-10-18 16:52)
ClamAV (http://www.clamav.net [^]) would be the first and standard FAVE implementation by limes datentechnik gmbh. Other anti virus solutions requires licenses and must be implemented by customers it self.

libclamav is GLP based, but we plan to support simply the clamd deamon with the instream command below. The client part are written by our self (uses IDSESSION is with non-blocking sockets, and a select()/poll() loop) and the deamon must be available behind a IPv4/6 address and port. The main configuration are done for the deamon and is not related to the client. The client (FLAM) will support a command like this:


The default method will be "DELETE", the default library will be "favelib", the default function "clamav" and the DNS and port number for cmald can be configured over a new environment variable FL_CLAMAV_CONNECTION=host:port.

It is mandatory to prefix this command with n or z.
Scan a stream of data. The stream is sent to clamd in chunks, after INSTREAM,
on the same socket on which the command was sent. This avoids the overhead
of establishing new TCP connections and problems with NAT. The format of the
chunk is: <length><data> where <length> is the size of the following data in
bytes expressed as a 4 byte unsigned integer in network byte order and <data> is
the actual chunk. Streaming is terminated by sending a zero-length chunk. Note:
do not exceed StreamMaxLength as defined in clamd.conf, otherwise clamd will
reply with INSTREAM size limit exceeded and close the connection.

Falk Reichbott   
2018-10-24 15:51   
FLAM supports a new conversion component (CNVAVS)

The anti virus component can be used at read or write to scan the data
stream for malware. Over the method you can define the handling if a
virus was found. The default handling will result in an error if
suspicious code was found in the data. You can activate the remove
switch of the corresponding I/O component to delete the written part of
this file.

The whole component was implemented as exit driver to integrate FLAM
with each kind of AV technology. To address a certain implementation you
can define the library and function name and you can provide a specific
parameter string for this implementation. You can also define these
values over the environment variables below:

 * FL_FAVE_LIBRARY - Set default library for anti virus scanning (default is 'libfave')
 * FL_FAVE_FUNCTION - Set default function for anti virus scanning (default is 'CLAMAVC')
 * FL_FAVE_PARAMETER - Set default parameter for anti virus scanning (default is 'clamav.daemon:3310')

If non of these variables defined, then the FLAM default implementation
against the ClamAV daemon (clamav.deamon:3310) will be used, if the AVS
converter activated (see http://www.clamav.net/ [^] for more information).

To write your own service provider the SPI documentation is published
as 'FLAM Anti Virus Exit (FAVE) Service provider Interface'.

Additional you can activate the trace flag for the service provider to
request trace information and or a statistic flag which indicates the
service provider to produce a statistic information at close.