HOW TO: Syncronising ClamAV antivirus scans with Clamd service file size limits

This section contains user-submitted tutorials.
Post Reply
User avatar
jimimaseye
Moderator
Moderator
Posts: 8296
Joined: 2011-09-08 17:48

HOW TO: Syncronising ClamAV antivirus scans with Clamd service file size limits

Post by jimimaseye » 2016-01-28 17:32

INTRODUCTION

By default the service installation of Clamd has a limit in the file size of the email message that it can receive. If it receives a file too big HMS errors with Code: HM5406. This writeup details the two steps to prevent this situation.

THE DETAIL

In my installation of Clamd (found here: viewtopic.php?f=21&t=26829&p=164310#p164310) its default size limit is 25MB. (Your Clamd installation will also have a default if you have not specified one but may be a different value, maybe as low as 10MB.)

This value is in effect in absence of the following parameter from CLAMD.CONF:

StreamMaxLength

By default Hmailserver has no limit set on the size of mail message that it will pass to ClamAV for scanning. This is set in Hmailserver - Settings - Antivirus, GENERAL tab and has a value of ZERO under 'Maximum Message Size To Scan'.

The problem is that if a message is passed to Clamd from HMS that exceeds the default (25MB in my case) then the following error will occur:

Code: Select all

"ERROR"	2416	"2016-01-28 12:46:58.525"	"Severity: 3 (Medium), Code: HM5406, Source: ClamAVVirusScanner::Scan, Description: Unable to write data to stream port."
THE SOLUTION - HOW TO AVOID THIS ERROR

In order to ensure that this condition doesnt happen, HMS should be set to send no message with a size higher than that value that Clamd is set at.

First you must determine your current CLAMD default value. You can determine this by reading your Clamd.log file and in the entries just after startup of the service you should see:
Thu Jan 28 13:29:23 2016* -> Limits: File size limit set to 26214400 bytes.
note: 26214400 \1048576 = 25 MB

* (Tip: to get the 'date and timestamp' on your entries in your Clamd.log file, add "LogTime yes" to Clamd.conf. :wink: )

1, The same value should now then be set in HMS by entering the value in KILOBYTES calculated thus:
  • value (M) * 1048576 / 1000 (rounded DOWN)
eg
  • 20 MB = (20*1048576/1000) = 20971
    15 MB = 15728
    25 MB = 26214
2, You may choose to change the value you wish Clamd to accept in MESSAGE size. (The default value in Linux ClamAV is a smaller 10MB message size. Remember 'message size' is the size of the entire email, with encoding, headers, attachments, the lot. They can be considerably bigger than just the size of the attachments. For a better idea, see the physical size of an .EML file in the data directory).

In CLAMD.CONF, enter the following line:
  • StreamMaxLength 20M
where '20M' means 20MB ('18M' would be 18MB, etc) and represents your choice of size.

You will need to restart the Clamd service for the new settings to take effect (and dont forget to reflect your new choice in HMS - (1) above.)

TAKE NOTE


There are other message size restrictions also tailorable within HMS notably under:

SETTINGS - PROTOCOLS - SMTP - Max Message Size and
DOMAINS - 'Limits' tab - Max Message Size (this value overrides the above value).

Therefore it is possible that these values may be lower and will already limit the maximum size of a message. You should bear this in mind when deciding what size messages you want to receive and what sizes you want actually being scanned.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Post Reply