c-rosenberg/savdi.conf

## savdi.conf
#
# Sopos SAVDI 2.6 example Config to be used with Rspamd (https://rspamd.com)
#
# Heinlein Support 2018 <support@heinlein-support.de>
#

pidfile: /var/run/savdi.pid

  # adjust to local system
user: sophos
group: sophos

  # adjust to local system
virusdatadir: /opt/savdi-spamfilter-av/lib/sav
idedir: /opt/savdi-spamfilter-av/lib/sav

threadcount: 30
maxqueuedsessions: 2

  # What to do when the daemon must exit
  # Options are:-
  #     DONTWAIT (just exit now!)
  #     REQUEST  (wait for current requests to complete)
  #     SESSION  (wait for current sessions to complete)
  # Case 1) An exception has occurred and operation could be compromised
onexception: REQUEST

  # Case 2) A request has been made for it to exit
  # If there are long running sessions then REQUEST should be considered
onrequest: REQUEST

log {

  # Specify the logging mechanism {CONSOLE|FILE|SYSLOG}

  type: SYSLOG

    # Specify the level of logging required
    # 0 = errors+threats
    # 1 = (0) + process events
    # 2 = (1) + session events
    # Default is 2
  loglevel: 1

}

channel {

    commprotocol {

        # Use TCP socket
      type: IP
      address: 127.0.0.1
      subnet: 127.0.0.0/8
      port: 4010

        # Use unix socket
      #type: UNIX
      #socket: /var/run/savdid/savdid.sock

        # idle timeout in secs when waiting for a request
        # 0, the default, is forever
      requesttimeout: 120

        # timeout in secs between characters when sending data
      sendtimeout: 2

        # idle timeout in secs between characters when receiving data
      recvtimeout: 5
    }

    scanprotocol {

      type: SSSP

       # allow sending data over TCP connection
      allowscandata: YES

       # disable local file scanning (only needed by Amavis)
      #allowscanfile: NO
      #allowscanfile: SUBDIR

       # max size of a mail or file
      maxscandata: 1024000
       # max filesize to be scanned in memory
      maxmemorysize: 512000
       # path for tmp files (when maxmemorysize < filesize < maxscandata)
      tmpfilestub: /tmp/savid_tmp

       # Log each request made by a client? (DEBUG)
      # logrequests: YES

    }

    scanner {

        type: SAVI
        inprocess: YES
        maxscantime: 5
        maxrequesttime: 10

        # deny scanning local dirs
        deny: /dev
        deny: /etc
        deny: /home
        deny: /var


        ### EXPERIMENTAL NOT OFFICIAL DOCUMENTED SETTING START
        #
        # CXMail is our context based detection
        #
        # This particular detection is fired on Microsoft office
        # attachments(often compressed) that have macros inside. These macros
        # work as a file dropper/downloader and access the internet to download
        # a malware payload. The URL's accessed by these attachments change on a
        # regular basis and will automatically switch to a new one if the
        # existing one is blocked.  /

        contextstr: Genes/Extn/ProdVer OEM:Email:1.0.0

        ### EXPERIMENTAL NOT OFFICIAL DOCUMENTED SETTING END


        #Some SAVI/Engine options

          # Any option that is part of a group is also included in this group.
        savigrp: GrpSuper 1
          # All archive and compressed archive file formats (e.g. ZIP, UUE, etc).
        savigrp: GrpArchiveUnpack 1
          # All “clean” file formats.
        savigrp: GrpClean 1
          # Executable files.
        savigrp: GrpExecutable 1
          # File formats commonly in use on the internet.
        savigrp: GrpInternet 1
          # File formats that do not fall into any of the above categories.
        savigrp: GrpMisc 1
          # Office suite file formats from Microsfoft and other supported vendors.
        savigrp: GrpMSOffice 1
          # File formats that contain an executable stub that
          # automatically decompresses the body of the file.
        savigrp: GrpSelfExtract 1
          # Compression formats commonly used in HTTP and supported by web browsers.
        savigrp: GrpWebArchive 1
          # HTML encoding schemes commonly used in web pages.
        savigrp: GrpWebEncoding 1
          # Enables or disables disinfection of all files for which disinfection is supported.
        savigrp: GrpDisinfect 0

        savists: Base64 1
        savists: Bzip2 1
        savists: EnableAutoStop 1
        savists: ITSS 1
        #savists: Mime 1
        savists: MSCabinet 1
        savists: MSCompress 1
        savists: Msi 1
        savists: StrictPdf 1
        savists: StrongPdf 1
        savists: Xml 1
        savists: TnefAttachmentHandling 1
        savists: TnefEmbedHandling 1
        savists: GzipDecompression 1
        savists: TarDecompression 1
        savists: RarDecompression 1
        savists: ArjDecompression 1
        savists: ZipDecompression 1
    }
}
	#
	# Sopos SAVDI 2.6 example Config to be used with Rspamd (https://rspamd.com)
	#
	# Heinlein Support 2018 <support@heinlein-support.de>
	#

	pidfile: /var/run/savdi.pid

	# adjust to local system
	user: sophos
	group: sophos

	# adjust to local system
	virusdatadir: /opt/savdi-spamfilter-av/lib/sav
	idedir: /opt/savdi-spamfilter-av/lib/sav

	threadcount: 30
	maxqueuedsessions: 2

	# What to do when the daemon must exit
	# Options are:-
	# DONTWAIT (just exit now!)
	# REQUEST (wait for current requests to complete)
	# SESSION (wait for current sessions to complete)
	# Case 1) An exception has occurred and operation could be compromised
	onexception: REQUEST

	# Case 2) A request has been made for it to exit
	# If there are long running sessions then REQUEST should be considered
	onrequest: REQUEST

	log {

	# Specify the logging mechanism {CONSOLE\|FILE\|SYSLOG}

	type: SYSLOG

	# Specify the level of logging required
	# 0 = errors+threats
	# 1 = (0) + process events
	# 2 = (1) + session events
	# Default is 2
	loglevel: 1

	}

	channel {

	commprotocol {

	# Use TCP socket
	type: IP
	address: 127.0.0.1
	subnet: 127.0.0.0/8
	port: 4010

	# Use unix socket
	#type: UNIX
	#socket: /var/run/savdid/savdid.sock

	# idle timeout in secs when waiting for a request
	# 0, the default, is forever
	requesttimeout: 120

	# timeout in secs between characters when sending data
	sendtimeout: 2

	# idle timeout in secs between characters when receiving data
	recvtimeout: 5
	}

	scanprotocol {

	type: SSSP

	# allow sending data over TCP connection
	allowscandata: YES

	# disable local file scanning (only needed by Amavis)
	#allowscanfile: NO
	#allowscanfile: SUBDIR

	# max size of a mail or file
	maxscandata: 1024000
	# max filesize to be scanned in memory
	maxmemorysize: 512000
	# path for tmp files (when maxmemorysize < filesize < maxscandata)
	tmpfilestub: /tmp/savid_tmp

	# Log each request made by a client? (DEBUG)
	# logrequests: YES

	}

	scanner {

	type: SAVI
	inprocess: YES
	maxscantime: 5
	maxrequesttime: 10

	# deny scanning local dirs
	deny: /dev
	deny: /etc
	deny: /home
	deny: /var


	### EXPERIMENTAL NOT OFFICIAL DOCUMENTED SETTING START
	#
	# CXMail is our context based detection
	#
	# This particular detection is fired on Microsoft office
	# attachments(often compressed) that have macros inside. These macros
	# work as a file dropper/downloader and access the internet to download
	# a malware payload. The URL's accessed by these attachments change on a
	# regular basis and will automatically switch to a new one if the
	# existing one is blocked. /

	contextstr: Genes/Extn/ProdVer OEM:Email:1.0.0

	### EXPERIMENTAL NOT OFFICIAL DOCUMENTED SETTING END


	#Some SAVI/Engine options

	# Any option that is part of a group is also included in this group.
	savigrp: GrpSuper 1
	# All archive and compressed archive file formats (e.g. ZIP, UUE, etc).
	savigrp: GrpArchiveUnpack 1
	# All “clean” file formats.
	savigrp: GrpClean 1
	# Executable files.
	savigrp: GrpExecutable 1
	# File formats commonly in use on the internet.
	savigrp: GrpInternet 1
	# File formats that do not fall into any of the above categories.
	savigrp: GrpMisc 1
	# Office suite file formats from Microsfoft and other supported vendors.
	savigrp: GrpMSOffice 1
	# File formats that contain an executable stub that
	# automatically decompresses the body of the file.
	savigrp: GrpSelfExtract 1
	# Compression formats commonly used in HTTP and supported by web browsers.
	savigrp: GrpWebArchive 1
	# HTML encoding schemes commonly used in web pages.
	savigrp: GrpWebEncoding 1
	# Enables or disables disinfection of all files for which disinfection is supported.
	savigrp: GrpDisinfect 0

	savists: Base64 1
	savists: Bzip2 1
	savists: EnableAutoStop 1
	savists: ITSS 1
	#savists: Mime 1
	savists: MSCabinet 1
	savists: MSCompress 1
	savists: Msi 1
	savists: StrictPdf 1
	savists: StrongPdf 1
	savists: Xml 1
	savists: TnefAttachmentHandling 1
	savists: TnefEmbedHandling 1
	savists: GzipDecompression 1
	savists: TarDecompression 1
	savists: RarDecompression 1
	savists: ArjDecompression 1
	savists: ZipDecompression 1
	}
	}