
This page is part of the EmailServer article.
This setup is configured to use Amavisd-New.

ClamAV Antivirus

Clam AntiVirus is a totally free (in all senses of the word) antivirus scanner. It is released under the GPL and has seen a lot of activity in the recent past.
Its virus definitions are generally good and new virus definitions can be automatically downloaded several times a day.

ClamAV is available as a ready-made package.

# yum -t install clamd

If you prefer to install from source, have a look at my older article on ClamAV.

Edit /etc/clamd.conf and add/modify the following parameters:

LogFile /var/log/clamav/clamd.log
LogFileMaxSize 10M
LogTime yes
LogSyslog yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/clamav
LocalSocket /var/run/clamav/clamd.socket
FixStaleSocket yes
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User clamav
AllowSupplementaryGroups yes
ScanPE yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
ScanMail yes
ScanArchive yes
ArchiveBlockEncrypted no
MaxFileSize 50M

All other parameters should be commented out, in particular Example, TCPSocket and TCPAddr.

Now we need to tell Amavisd-New to enable virus scanning. Edit /etc/amavisd.conf and comment out the following:

# @bypass_virus_checks_maps = (1);  <- This line must be commented out

Look for the following section in /etc/amavisd.conf and uncomment it:

@av_scanners = (
['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.socket"],
   qr/\bOK$/, qr/\bFOUND$/,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
...

Automated update of Virus definitions

Edit /etc/freshclam.conf:

#Example <- This line should be commented out

Now run crontab -e and create a new job to launch the updater:

05 * * * * /usr/local/bin/freshclam --quiet

freshclam will now check for updates at five minutes past every hour.

Note: Make sure that the name of the socket file clamd.socket matches the one used by clamd above!
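
A check for the note above and for the clamd.conf and amavisd.conf edits, as an added example that is not part of the original page: it confirms that Example, TCPSocket and TCPAddr are commented out, that virus checks are not bypassed, and that the socket in the ClamAV-clamd entry equals clamd's LocalSocket. The function names and the sample file contents are constructed for illustration.

```python
import re

def active_directives(text):
    """Uncommented 'Name value' lines of a clamd.conf-style file as a dict."""
    out = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            out[parts[0]] = parts[1] if len(parts) > 1 else ""
    return out

def check_setup(clamd_conf, amavisd_conf):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    clamd = active_directives(clamd_conf)
    for name in ("Example", "TCPSocket", "TCPAddr"):
        if name in clamd:
            problems.append(f"clamd.conf: {name} must be commented out")
    sock = clamd.get("LocalSocket")
    if not sock:
        problems.append("clamd.conf: LocalSocket is not set")
    # Ignore commented-out Perl lines in amavisd.conf.
    active = "\n".join(l for l in amavisd_conf.splitlines() if not l.lstrip().startswith("#"))
    if re.search(r"@bypass_virus_checks_maps\s*=\s*\(\s*1\s*\)", active):
        problems.append("amavisd.conf: @bypass_virus_checks_maps = (1) is still active")
    # Pull the socket path out of the ask_daemon arguments of the scanner entry.
    m = re.search(r'\\&ask_daemon,\s*\[\s*"CONTSCAN \{\}\\n",\s*"([^"]+)"', active)
    if not m:
        problems.append("amavisd.conf: ClamAV-clamd entry is not enabled")
    elif sock and m.group(1) != sock:
        problems.append(f"amavisd.conf: socket {m.group(1)} != LocalSocket {sock}")
    return problems

# Constructed sample files (not from the page); the socket names differ on purpose.
CLAMD_SAMPLE = """\
#Example
LocalSocket /var/run/clamav/clamd.socket
#TCPSocket 3310
"""
AMAVISD_SAMPLE = r"""
# @bypass_virus_checks_maps = (1);
@av_scanners = (
['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
   qr/\bOK$/, qr/\bFOUND$/,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);
"""
if __name__ == "__main__":
    print("\n".join(check_setup(CLAMD_SAMPLE, AMAVISD_SAMPLE)))
```

To run it against the live files, pass the contents of /etc/clamd.conf and /etc/amavisd.conf to check_setup() instead of the samples.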

Testing the AntiVirus

Let's restart our setup to check that everything works fine.

# service postfix stop
# service amavisd stop
# service clamd stop

# service clamd start
# service amavisd start
# service postfix start

Go to the eicar antivirus test site and download the eicar.com.txt test file.
This file is only a test signature and it should be recognised by all antivirus software as a 'virus' (so you may have to temporarily disable your desktop antivirus for the duration of the test).

Send a test email through the server with eicar.com.txt as an attachment.
Look at your /var/log/maillog file and you should see something similar to:

Jan 23 15:13:01 mailserver amavis[28181]: (28181-03) Blocked INFECTED (Eicar-Test-Signature), MYNETS LOCAL [192.168.0.101] [192.168.0.101] <nkadesign@nkadesign.com> -> <renaud@nkadesign.com>, quarantine: virus-9p6fXda5rBjH, Message-ID: <49796DE5.80804@nkadesign.com>, mail_id: 9p6fXda5rBjH, Hits: -, size: 1069, 253 ms

Page last modified on Friday 23 January 2009, at 07:18 GMT+8 - Viewed 5938 times