savdid.conf

#
# Sopos SAVDI 2.6 example Config to be used with Rspamd (https://rspamd.com)
# Heinlein Support 2018 <support@heinlein-support.de> 
# Modified by Bastian Machek 2019 <bm@machek.systems> for use with kopano-virusd
#

pidfile: /var/run/savdi.pid

  # adjust to local system
user: sophosav
group: sophosav

  # adjust to local system
virusdatadir: /opt/sophos-av/lib/sav
idedir: /opt/sophos-av/lib/sav

threadcount: 5
maxqueuedsessions: 2

  # What to do when the daemon must exit
  # Options are:-
  #     DONTWAIT (just exit now!)
  #     REQUEST  (wait for current requests to complete)
  #     SESSION  (wait for current sessions to complete)
  # Case 1) An exception has occurred and operation could be compromised
onexception: REQUEST

  # Case 2) A request has been made for it to exit
  # If there are long running sessions then REQUEST should be considered
onrequest: REQUEST

log {

  # Specify the logging mechanism {CONSOLE|FILE|SYSLOG}

  type: FILE

    # Where to write the log files (if FILE is selected)
  logdir: /var/log/savdi/

    # Specify the level of logging required
    # 0 = errors+threats
    # 1 = (0) + process events
    # 2 = (1) + session events
    # Default is 2
  loglevel: 3

}

channel {

    commprotocol {

        # Use TCP socket
      type: IP
      address: 127.0.0.1
      subnet: 127.0.0.0/8
      port: 4010

        # Use unix socket
      #type: UNIX
      #socket: /var/run/savdid/savdid.sock

        # idle timeout in secs when waiting for a request
        # 0, the default, is forever
      # requesttimeout: 120

        # timeout in secs between characters when sending data
      sendtimeout: 2

        # idle timeout in secs between characters when receiving data
      recvtimeout: 5
    }

    scanprotocol {

      type: SSSP

       # allow sending data over TCP connection
      allowscandata: YES

       # disable local file scanning (only needed by Amavis)
      # allowscanfile: FILE
      #allowscanfile: SUBDIR

       # max size of a mail or file
      maxscandata: 100000000
       # max filesize to be scanned in memory
      maxmemorysize: 512000
       # path for tmp files (when maxmemorysize < filesize < maxscandata)
      tmpfilestub: /tmp/savid_tmp

       # Log each request made by a client? (DEBUG)
      # logrequests: YES
      
    }

    scanner {

        type: SAVI
        inprocess: YES
        maxscantime: 5
        maxrequesttime: 10

        # deny scanning local dirs
        deny: /dev
        deny: /etc
        deny: /home
        deny: /var


        ### EXPERIMENTAL NOT OFFICIAL DOCUMENTED SETTING START
        #
        # CXMail is our context based detection
        #
        # This particular detection is fired on Microsoft office
        # attachments(often compressed) that have macros inside. These macros
        # work as a file dropper/downloader and access the internet to download
        # a malware payload. The URL's accessed by these attachments change on a
        # regular basis and will automatically switch to a new one if the
        # existing one is blocked.  /

        contextstr: Genes/Extn/ProdVer OEM:Email:1.0.0

        ### EXPERIMENTAL NOT OFFICIAL DOCUMENTED SETTING END


        #Some SAVI/Engine options

          # Any option that is part of a group is also included in this group.
        savigrp: GrpSuper 1
          # All archive and compressed archive file formats (e.g. ZIP, UUE, etc).
        savigrp: GrpArchiveUnpack 1
          # All “clean” file formats.
        savigrp: GrpClean 1
          # Executable files.
        savigrp: GrpExecutable 1
          # File formats commonly in use on the internet.
        savigrp: GrpInternet 1
          # File formats that do not fall into any of the above categories.
        savigrp: GrpMisc 1
          # Office suite file formats from Microsfoft and other supported vendors.
        savigrp: GrpMSOffice 1
          # File formats that contain an executable stub that
          # automatically decompresses the body of the file.
        savigrp: GrpSelfExtract 1
          # Compression formats commonly used in HTTP and supported by web browsers.
        savigrp: GrpWebArchive 1
          # HTML encoding schemes commonly used in web pages.
        savigrp: GrpWebEncoding 1
          # Enables or disables disinfection of all files for which disinfection is supported.
        savigrp: GrpDisinfect 0

        savists: Base64 1
        savists: Bzip2 1
        savists: EnableAutoStop 1
        savists: ITSS 1
        #savists: Mime 1
        savists: MSCabinet 1
        savists: MSCompress 1
        savists: Msi 1
        savists: StrictPdf 1
        savists: StrongPdf 1
        savists: Xml 1
        savists: TnefAttachmentHandling 1
        savists: TnefEmbedHandling 1
        savists: GzipDecompression 1
        savists: TarDecompression 1
        savists: RarDecompression 1
        savists: ArjDecompression 1
        savists: ZipDecompression 1
    }
}