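#
# Configuration file for Plesk Premium Antivirus Filters
# $Revision: 1.70 $
#

#########################
# Communication section #
#########################
[DaemonCommunication]

# Definition of daemon's addresses separated by `,' and given
# in a special form {FAMILY}:{ADDRESS}
# where FAMILY is one of:
#   inet  - TCP/IP socket used, then {ADDRESS} is {PORT}@{HOST}
#   local - UNIX socket used, then {ADDRESS} is {SOCKETFILE}
#   pid   - get daemon address from pidfile, then {ADDRESS} is {PIDFILE}
# Examples:
#   Address = inet:3000@localhost
#   Address = local:/usr/local/drweb/run/drwebd.skt
#   Address = pid:/usr/local/drweb/run/drwebd.pid
#   Address = pid:/var/drweb/run/drwebd.pid, inet:3000@backup_server.example.com
# NOTE(review): a loopback TCP port can be reached by any local process,
# while the local: (UNIX socket) form lets filesystem permissions on the
# socket file limit who can talk to the daemon. Confirm which address the
# daemon actually listens on before changing this value.
Address = inet:3000@localhost

# Enable/disable caching of the resolved daemon host
# (useful only if daemon uses TCP/IP communications)
Cache = yes

# Timeout for the whole scanning session (seconds)
Timeout = 120

# Set/unset socket option TCP_NODELAY
# (Do not set this option unless you have network problems)
UseTcpNodelay = no

########################
# Scan options section #
########################
[Scanning]

# Enable or disable heuristic analyzer in virus-finding engine (on/off)
HeuristicAnalysis = on

# Strip the smallest prefix containing StripPath leading slashes
# NOTE: This option works the same as the -p parameter in the patch utility
# StripPath = 2

# Path that prefixes scan paths. Applied to path processed by StripPath.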
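# NOTE: PrefixPath MUST NOT end with a slash (/)
# PrefixPath = /sandbox/mail

# Include DrWeb report to notifications into $REPORT$
# or as a separate macro $DAEMON_REPORT$ (yes/no)
IncludeReport = yes

# Include DrWeb extended codes to notifications into $REPORT$
# or as a separate macro $SCAN_STAT$ (yes/no)
IncludeStats = yes

# Max size of the report that will be created if IncludeReport is "yes".
# Specify 0 for an unlimited size, but it's a bad idea - the report can
# grow to Mbytes for nested archives
ReportMaxSize = 8192

# Enable or disable local scanning mode (see daemon documentation) (yes/no)
# LocalScan affects only connection with first daemon in the Address list
# If enabled then spool directory must be readable (writable for EVAL key)
# for drwebd process (see drweb32.ini option User)
LocalScan = yes

# Enable or disable daemon rule filter (on/off)
RuleFilter = on

# Set rule to deny scanning by addresses:
# * byAll - deny if all addresses (sender and recipients) are denied in DenyList
#   (obsolete DenyOnOne = no)
# * byOne - deny if only one address (sender or recipient) is denied in DenyList
#   (obsolete DenyOnOne = yes)
# * bySender - deny if sender's address is denied (recipients are not checked)
# * bySenderAndOneRecipient - deny if sender's and one of the recipient's addresses
#   are denied in DenyList
# * byOneRecipient - deny if one of the recipient's addresses is denied in DenyList
#   (sender address is not checked)
# * byAllRecipients - deny if all of the recipient's addresses are denied in DenyList
#   (sender's address is not checked)
DenyMode = byAllRecipients

# Set deny(yes)/allow(no) scanning for addresses
# which were not found in DenyList (see below)
DenyByDefault = no

# List with rules for users or domains to block scanning
# NOTE(review): addresses matched by these rules are not scanned, so this
# file should be writable only by the administrator.
DenyList = /etc/drweb/users.conf

# Directory used to store temporary files
Spool = /var/spool/drweb/spool

# Permissions for created spool files
# NOTE(review): 0664 lets any local account read spooled message copies
# unless the Spool directory itself is restricted. LocalScan above only
# requires that the drwebd process can read them; confirm whether 0660
# with a shared group is enough (QuarantineFilesMode in this file is 0660).
SpoolFilesMode = 0664

# Naming convention for spool files
# * Std -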
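#   standard, using mkstemp (template: drweb.tmp.XXXXXX)
# * Tai - use TAI format template (template: %sec.%usec.drweb.tmp.XXXXXX)
# * Rand48 - using exclusive open and lrand48 (template: drweb.tmp.XXXXXXXX)
SpoolFilenamesMode = Std

# Prefix for the spool filename (%{Spool}/%{SpoolFilenamesPrefix}XXXXXX)
SpoolFilenamesPrefix = drweb.tmp.

###################
# Actions section #
###################
[Actions]

# ---------------------------------------------------------------------------
# NOTES:
#
# 1) If you don't use quarantine action for some reason, please check
#    appropriate notification message templates. If needed, remove text specifying
#    the location where the original message is saved.
#
# 2) Disinfected message should be repacked if you use "cure" or "remove" actions.
#    If the repacking procedure fails, then CureFail action should be applied.
#    Incurable and CureFail actions will never be used if you do not use
#    "cure" action for Infected.
# ---------------------------------------------------------------------------
#
# The action taken if an object was not checked by license limitations.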
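# Actions:
#   pass     - pass such messages
#   reject   - reject such messages with permanent error
#   tempfail - reject such message with temporary error
# NOTE(review): with pass, messages that were not checked because of
# license limits are delivered unscanned; tempfail keeps them out of
# mailboxes until the limit is resolved, if mail policy allows the delay.
LicenseLimit = pass

# Infected means that a message is infected with one of the known viruses
# Actions:
#   cure       - cure infected attachment(s) and generate cleaned message
#   remove     - remove infected attachment(s) and generate cleaned message
#   quarantine - move such messages to quarantine and discard
#                (or reject if discard is not supported)
#   redirect   - redirect to RedirectMail and discard message
#                (or reject if discard is not supported)
#   discard    - discard such messages
#   reject     - reject such messages with permanent error
Infected = quarantine

# Suspicious means that a message is possibly infected with one of the new viruses
# it may be a false alarm (can occur only if HeuristicAnalysis is on)
# Actions:
#   pass       - pass such messages
#   quarantine - move such messages to quarantine and discard
#                (or reject if discard is not supported)
#   redirect   - redirect to RedirectMail and discard message
#                (or reject if discard is not supported)
#   discard    - discard such messages
#   reject     - reject such messages with permanent error
Suspicious = quarantine

# Incurable means that a message contains infected attachment(s)
# which cannot be cured.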
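# This action is applied only if Infected = cure
# Actions:
#   remove     - remove infected attachment(s) and generate cleaned message
#   quarantine - move such messages to quarantine and discard
#                (or reject if discard is not supported)
#   redirect   - redirect to RedirectMail and discard message
#                (or reject if discard is not supported)
#   discard    - discard such messages
#   reject     - reject such messages with permanent error
Incurable = quarantine

# CureFail means that daemon failed to cure (remove) files
# or to generate the cleaned message
# Actions:
#   quarantine - move such messages to quarantine and discard
#                (or reject if discard is not supported)
#   redirect   - redirect to RedirectMail and discard message
#                (or reject if discard is not supported)
#   discard    - discard such messages
#   reject     - reject such messages with permanent error
CureFail = quarantine

# RuleFilterAlert - means that the message matches FiltersRule in drweb32.ini
# possible only if RuleFilter = on
# Actions:
#   discard    - discard such messages
#   quarantine - move such messages to quarantine and discard
#                (or reject if discard is not supported)
#   redirect   - redirect to RedirectMail and discard message
#                (or reject if discard is not supported)
#   reject     - reject such messages with permanent error
RuleFilterAlert = reject

# Adware means that a message contains an advertising program.
# Actions:
#   pass       - pass such messages
#   quarantine - move such messages to quarantine and discard
#                (or reject if discard is not supported)
#   redirect   - redirect to RedirectMail and discard message
#                (or reject if discard is not supported)
#   discard    - discard such messages
#   reject     - reject such messages with permanent error
Adware = quarantine

# Dialer means that a message contains a dialer program that usually is
# used by porno sites.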
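# Actions:
#   pass       - pass such messages
#   quarantine - move such messages to quarantine and discard
#                (or reject if discard is not supported)
#   redirect   - redirect to RedirectMail and discard message
#                (or reject if discard is not supported)
#   discard    - discard such messages
#   reject     - reject such messages with permanent error
Dialers = quarantine

# Joke means that a message contains a joke program (hoax).
# Actions:
#   pass       - pass such messages
#   quarantine - move such messages to quarantine and discard
#                (or reject if discard is not supported)
#   redirect   - redirect to RedirectMail and discard message
#                (or reject if discard is not supported)
#   discard    - discard such messages
#   reject     - reject such messages with permanent error
Jokes = quarantine

# Riskware means that a message contains potentially dangerous software.
# Actions:
#   pass       - pass such messages
#   quarantine - move such messages to quarantine and discard
#                (or reject if discard is not supported)
#   redirect   - redirect to RedirectMail and discard message
#                (or reject if discard is not supported)
#   discard    - discard such messages
#   reject     - reject such messages with permanent error
Riskware = quarantine

# Hacktool means that a message contains an intrusion tool.
# Actions:
#   pass       - pass such messages
#   quarantine - move such messages to quarantine and discard
#                (or reject if discard is not supported)
#   redirect   - redirect to RedirectMail and discard message
#                (or reject if discard is not supported)
#   discard    - discard such messages
#   reject     - reject such messages with permanent error
Hacktools = quarantine

# EmptyFrom means that SMTP session was initiated with empty envelope From:
# used for mail notifications (reports) and by spammers
# Actions:
#   continue - continue processing such messages
#
#   ATTENTION: Your MTA would not be RFC-compliant if you set up
#   non-continue action and can be banned by www.rfc-ignorant.org site.
#   "The MTA MUST accept messages with <> sender."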
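#   (rfc-2505 see 2.6.1)
#
#   discard  - discard such messages
#   reject   - reject such messages with permanent error
EmptyFrom = continue

# SkipObject means that daemon found an object that cannot be checked:
# password protected archive, broken archive, sym-link,
# non regular file, timeout
# (see SocketTimeout and FileTimeout in drweb32.ini).
# Actions:
#   pass       - pass such messages
#   quarantine - move such messages to quarantine and discard
#                (or reject if discard is not supported)
#   redirect   - redirect to RedirectMail and discard message
#                (or reject if discard is not supported)
#   reject     - reject such messages with permanent error
# NOTE(review): pass delivers objects the daemon could not check (for
# example the password-protected archives listed above) without scanning.
# quarantine is the stricter choice if mail policy allows it.
SkipObject = pass

# ArchiveRestriction means that daemon found an object in archive with
# compression ratio exceeding MaxCompressionRatio, size of object is greater
# than MaxFileSizeToExtract or level of nested archive is greater
# than MaxArchiveLevel from drweb32.ini
# Actions:
#   pass       - pass such messages
#   quarantine - move such messages to quarantine and discard
#                (or reject if discard is not supported)
#   redirect   - redirect to RedirectMail and discard message
#                (or reject if discard is not supported)
#   reject     - reject such messages with permanent error
ArchiveRestriction = quarantine

# ScanningErrors means that daemon fails to scan current object. Example of
# cases: no memory, cannot read file for check (no permissions).
# Actions:
#   pass       - pass such messages
#   quarantine - move such messages to quarantine and discard
#                (or reject if discard is not supported)
#   redirect   - redirect to RedirectMail and discard message
#                (or reject if discard is not supported)
#   reject     - reject such messages with permanent error
#   tempfail   - reject such message with temporary error
ScanningErrors = quarantine

# ProcessingErrors means errors in proxy-client: no memory, misconfigured,
# timeout on communication with daemon, etc.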
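# Actions:
#   pass       - pass such messages
#   quarantine - move such messages to quarantine and discard
#                (or reject if discard is not supported)
#   reject     - reject such messages with permanent error
#   tempfail   - reject such message with temporary error
ProcessingErrors = reject

# PassEmptyFromIfNoDaemon - if this parameter is set to yes, then messages from
# <> would be passed if filter cannot connect to
# daemon and ProcessingErrors is set to "reject"
PassEmptyFromIfNoDaemon = no

# Admin mail address (should be qualified)
# NOTE(review): the value below has no domain part although the comment
# asks for a qualified address; confirm the MTA qualifies it as intended.
AdminMail = postmaster

# Mail address for redirect action (should be qualified)
RedirectMail = postmaster

# Filter address to be used in From: (should be qualified)
FilterMail = DrWEB-DAEMON

# List of unnotificable viruses
UnnotificableVirusesList = /etc/drweb/viruses.conf

# List of unnotificable addresses
UnnotificableAddressesList = /etc/drweb/addresses.conf

# Quarantine directory.
# The infected files can be moved to this directory.
# If you leave this field empty or commented out then
# infected messages will not be stored
Quarantine = /var/spool/drweb/infected

# Permissions for quarantined files
QuarantineFilesMode = 0660

# Naming convention for quarantined files
# * Std - using mkstemp (template: drweb.quarantine.XXXXXX)
# * Tai - use TAI format (template: %sec.%usec.drweb.quarantine.XXXXXX)
# * Rand48 - using lrand48 (template: drweb.quarantine.XXXXXXXX)
QuarantineFilenamesMode = Std

# Prefix for quarantine filename (%{Quarantine}/%{QuarantineFilenamesPrefix}XXXXXX)
QuarantineFilenamesPrefix = drweb.quarantine.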
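#########################
# Notifications section #
#########################
[VirusNotifications]

# Enable or disable sending notifications to persons (yes/no)
# NOTE(review): sender addresses on infected mail are often forged, so
# sender notifications can end up with uninvolved third parties
# (backscatter). Confirm SenderNotify = yes is wanted here and in the
# other notification sections below.
SenderNotify = yes
AdminNotify = yes
RcptsNotify = yes

# Files with notification templates
SenderTemplate = /etc/drweb/templates/en/sender_virus.msg
AdminTemplate = /etc/drweb/templates/en/admin_virus.msg
RcptsTemplate = /etc/drweb/templates/en/rcpts_virus.msg

[MalwareNotifications]

# Enable or disable sending notifications to persons (yes/no)
SenderNotify = yes
AdminNotify = yes
RcptsNotify = yes

# Files with notification templates
SenderTemplate = /etc/drweb/templates/en/sender_malware.msg
AdminTemplate = /etc/drweb/templates/en/admin_malware.msg
RcptsTemplate = /etc/drweb/templates/en/rcpts_malware.msg

[CuredNotifications]
SenderNotify = yes
AdminNotify = yes
SenderTemplate = /etc/drweb/templates/en/sender_cured.msg
AdminTemplate = /etc/drweb/templates/en/admin_cured.msg

[SkipNotifications]
SenderNotify = yes
AdminNotify = no
RcptsNotify = no
SenderTemplate = /etc/drweb/templates/en/sender_skip.msg
AdminTemplate =
RcptsTemplate =

[ArchiveRestrictionNotifications]
SenderNotify = yes
AdminNotify = yes
RcptsNotify = no
SenderTemplate = /etc/drweb/templates/en/sender_archive.msg
AdminTemplate = /etc/drweb/templates/en/admin_archive.msg
RcptsTemplate =

[ErrorNotifications]
SenderNotify = yes
AdminNotify = yes
RcptsNotify = no
SenderTemplate = /etc/drweb/templates/en/sender_error.msg
AdminTemplate = /etc/drweb/templates/en/admin_error.msg
RcptsTemplate =

[RuleFilterNotifications]
SenderNotify = no
AdminNotify = yes
RcptsNotify = no
SenderTemplate =
AdminTemplate = /etc/drweb/templates/en/admin_rule.msg
RcptsTemplate =

[LicenseLimitNotifications]
# NOTE(review): with AdminNotify = no the administrator gets no mail when
# messages hit the license limit; confirm this is monitored another way.
AdminNotify = no
AdminTemplate = /etc/drweb/templates/en/admin_license.msg

###################
# Logging section #
###################
[Logging]

# Logging detail level ( Quiet, Errors, Alerts, Info, Verbose, Debug )
Level = Info

# Facility used for logging to syslog (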
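#   Daemon, Mail, Local0..7 )
SyslogFacility = Mail

# Priority used for logging to syslog ( Debug, Info, Notice, Alert )
SyslogPriority = Info

################################
# Mail system settings section #
################################
[Mailer]

# Name of the mail system
MailSystem = QMail

# Submission program (used to send notifications) called as
#   ${Sendmail} ${SendmailArgs} ${DefaultArgs} -f ${Sender} -- ${Recipients}
# and the message is written to stdin of the submission program
Sendmail = /usr/sbin/sendmail

# Additional (to default) arguments for submission program
# Default arguments:
#   Qmail: no args
#   Exim: -i -bm -oMr drweb_scanned
#   Others: -i -bm
# Examples:
#   SendmailArgs = "-FUserName"
#
# SendmailArgs = ""

# qmail-queue program path
QmailQueue =

#################
# Agent section #
#################
[Agent]

# Definition of agent's address. Agent is used for collecting statistics
# from mail filters and sending it to stat.drweb.com.
# Note: FAMILY pid is not valid
# Agent should be started before mail filter.
#Address = inet:3003@localhost

# Timeout for the whole session (seconds)
#Timeout = 10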