On Mar 24, 2008, at 2:03 PM, Erik P. Olsen wrote:
Hi,
I am new to clamav and I have a few questions on some of the items in the
clamd.conf file:
1. LocalSocket must be specified, it says, but what is it used for and what
would it normally be?
2. TCPAddr. Again, I don't know what it is used for and what INADDR_ANY is.
3. DetectPUA. What sort of applications are detected with this setting?
Would someone be kind enough as to clarify these questions for me?
Thanks in advance,
--
Here's an acceptable explanation of Unix local sockets:
http://www.frostbytes.com/~jimf/papers/sockets/sockets.html
They're used as a communications channel between processes running
locally on your system. Other systems can't see them or use them.
There are other socket types (tcp/ip) that we use all the time on the
internet. A listener, in this case the Clamav daemon, clamd, opens a
socket and other products such as clamdscan can use it to request
clamd scan something. That something can be a stream of data, a file
or directory, or an archive such as a zip or tar file.
Clamd is configured to use a tcp/ip socket with an assigned port
number to listen on when it is to do this over the network versus
locally. A local socket is a special file and will show up using the
'ls' command. A tcp/ip socket shows up when using the netstat tool.
The TCPAddr is the IP address assigned to your network interface. For
systems that have multiple network cards this will cause clamd to bind
to one but not the other, based on the address. A tcp/ip socket
becomes the combination of the TCPAddr and the port number given to
the process - technically it's a listening socket until a connection
is made by another system. Clamd typically listens on port 3310 but
can listen on any port you give it.
INADDR_ANY is shorthand for listen on every IP you find. That would
include all active network interfaces, virtual interfaces, wireless
interfaces, and even the localhost pseudo interface, lo0 which by
default always uses address 127.0.0.1. The expansion of the shorthand
term is INternet ADDRess, Any.
You should choose either a tcp/ip socket using TCPAddr, or a Unix
socket, but not both. If you don't intend to run clamd then you don't
need either one. The current version of ClamAV allows using both but
that was not always so and I'm not sure I can successfully
rationalize why I'd want both. I use a local socket for self-contained
systems, and a tcp/ip socket for client-server
configurations where one clamav installation services several client
systems over the network but only for email. It creates a lot of
network traffic to scan an entire disk across the net.
DetectPUA is an abbreviation for Detect Possibly Unwanted
Applications. This is a method of detection that does not use
patterns, but rather analyzes the scanned data and makes some
decisions about its nature. This is not unlike trying to predict the
weather based on previous weather samples and it may or may not work.
I consider it a work in progress but not something that is ready to
use on the corporate mail system.
If this is useful, send a card to Luca in Italy - he keeps the ClamAV
Wiki going.
dp
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
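The two listening modes dp describes, as an added example that is not part of the original messages or of ClamAV's own code: connect() opens an AF_UNIX socket when the config has LocalSocket and a TCP socket when it has TCPAddr/TCPSocket, and command()/instream() speak clamd's wire protocol (zPING, zVERSION, zINSTREAM with 4-byte big-endian chunk lengths, terminated by a zero-length chunk, replies NUL-terminated). The stub server is a constructed stand-in so the example runs without a clamd; it "detects" only the EICAR test string. The config dictionaries, the stand-in's version string and the ephemeral TCPSocket 0 are assumptions for the demo; real clamd listens on 3310 by default. Note that clamd performs no authentication on a TCP socket, so binding TCPAddr to INADDR_ANY exposes the scanner to every host that can reach the box.

```python
"""clamd protocol client over a Unix socket or TCP, with a constructed stand-in server."""
import os
import socket
import struct
import tempfile
import threading

# The standard EICAR antivirus test string, split so this source file itself is not flagged.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-" + b"ANTIVIRUS-TEST-FILE!$H+H*"


def connect(cfg):
    """Open the kind of socket a clamd.conf with these keys makes clamd listen on."""
    if "LocalSocket" in cfg:                      # LocalSocket /path -> Unix domain socket, local only
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.connect(cfg["LocalSocket"])
        return sock
    # TCPAddr + TCPSocket -> TCP; clamd's default port is 3310
    return socket.create_connection((cfg.get("TCPAddr", "127.0.0.1"), cfg.get("TCPSocket", 3310)))


def _read_until_nul(sock, buf=b""):
    """Read one NUL-terminated clamd reply; returns (reply, leftover bytes)."""
    while b"\0" not in buf:
        more = sock.recv(4096)
        if not more:
            raise ConnectionError("peer closed before NUL")
        buf += more
    reply, _, rest = buf.partition(b"\0")
    return reply.decode(), rest


def _read_exact(sock, n, buf):
    """Read exactly n bytes, starting from already-buffered data."""
    while len(buf) < n:
        more = sock.recv(4096)
        if not more:
            raise ConnectionError("peer closed mid-chunk")
        buf += more
    return buf[:n], buf[n:]


def command(cfg, cmd):
    """Send a simple command such as PING or VERSION; the 'z' prefix asks for a NUL-terminated reply."""
    with connect(cfg) as sock:
        sock.sendall(b"z" + cmd + b"\0")
        return _read_until_nul(sock)[0]


def instream(cfg, data, chunk=2048):
    """Scan in-memory data with INSTREAM: length-prefixed chunks, ended by a zero-length chunk."""
    with connect(cfg) as sock:
        sock.sendall(b"zINSTREAM\0")
        for i in range(0, len(data), chunk):
            part = data[i:i + chunk]
            sock.sendall(struct.pack("!I", len(part)) + part)
        sock.sendall(struct.pack("!I", 0))
        return _read_until_nul(sock)[0]


def _handle(conn):
    """Constructed stand-in for clamd: one connection, one command."""
    with conn:
        cmd, rest = _read_until_nul(conn)
        if cmd == "zPING":
            conn.sendall(b"PONG\0")
        elif cmd == "zVERSION":
            conn.sendall(b"ClamAV stand-in (constructed)\0")   # assumption: not a real version string
        elif cmd == "zINSTREAM":
            payload = b""
            while True:
                hdr, rest = _read_exact(conn, 4, rest)
                (size,) = struct.unpack("!I", hdr)
                if size == 0:
                    break
                part, rest = _read_exact(conn, size, rest)
                payload += part
            verdict = b"stream: Eicar-Test-Signature FOUND" if EICAR in payload else b"stream: OK"
            conn.sendall(verdict + b"\0")
        else:
            conn.sendall(b"UNKNOWN COMMAND\0")


def start_stub(cfg):
    """Listen the way clamd would for this config; serve in a background thread. Returns a stop event."""
    if "LocalSocket" in cfg:
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(cfg["LocalSocket"])          # creates the special file that 'ls' shows
    else:
        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.bind((cfg.get("TCPAddr", "127.0.0.1"), cfg.get("TCPSocket", 0)))
        cfg["TCPSocket"] = listener.getsockname()[1]   # port 0 -> kernel-assigned; read it back
    listener.listen(5)
    listener.settimeout(0.2)
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = listener.accept()
            except socket.timeout:
                continue
            _handle(conn)
        listener.close()

    threading.Thread(target=loop, daemon=True).start()
    return stop


def demo():
    """PING plus a clean and an EICAR INSTREAM scan against a local-socket stub and a TCP stub."""
    results = {}
    tmpdir = tempfile.mkdtemp()
    configs = {                                    # assumed config values, mirroring clamd.conf keys
        "local": {"LocalSocket": os.path.join(tmpdir, "clamd.sock")},
        "tcp": {"TCPAddr": "127.0.0.1", "TCPSocket": 0},
    }
    for name, cfg in configs.items():
        stop = start_stub(cfg)
        try:
            results[name] = {
                "ping": command(cfg, b"PING"),
                "clean": instream(cfg, b"just some text"),
                "eicar": instream(cfg, b"header" + EICAR + b"trailer"),
            }
        finally:
            stop.set()
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

Point the same client at a real clamd by replacing the config with the actual LocalSocket path or TCPAddr/TCPSocket from clamd.conf and dropping the stub; the commands and framing are unchanged.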