
This page is part of the EmailServer article.
This setup is configured to use Amavisd-New.

ClamAV Antivirus

Clam AntiVirus is a totally free (in all senses of the word) antivirus scanner. It is released under the GPL and has seen a lot of activity in the recent past.
Its virus definitions are generally good and new virus definitions can be automatically downloaded several times a day.

To install ClamAV, I recommend installing from source or getting the binary from the Crash-Hat yum repository.

Download the latest source from http://www.clamav.net/stable.php, then run:

# groupadd clamav
# useradd -g clamav -s /bin/false -c "Clam AntiVirus" -M clamav
# gpasswd -a clamav amavis
# cd /usr/local/src/
# tar xzvf clamav-#.##.#.tar.gz
# cd /usr/local/src/clamav-#.##.#
# ./configure --sysconfdir=/etc
# make
# make install
# cp /usr/local/src/clamav-#.##.#/contrib/init/RedHat/clamd /etc/init.d/
# chmod 0755 /etc/init.d/clamd
# chkconfig --add clamd
# chkconfig --level 235 clamd on

Note: you may need to upgrade the zlib library to the latest version if the configure step complains about it.

Edit /etc/clamd.conf and add/modify the following parameters:

LogFile /var/log/clamav/clamd.log
LogFileMaxSize 10M
LogTime
LogSyslog
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /tmp
DatabaseDirectory /var/clamav
LocalSocket /var/run/clamav/clamd.sock
FixStaleSocket
MaxConnectionQueueLength 30
MaxThreads 20
ReadTimeout 300
User clamav
AllowSupplementaryGroups
DetectBrokenExecutables
ScanMail
ArchiveMaxCompressionRatio 300

All other parameters should be commented out, in particular Example and TCPSocket.

Now we need to tell Amavisd-New to enable virus scanning. Edit /etc/amavisd.conf and comment out the following:

# @bypass_virus_checks_maps = (1);  <- This line should be commented out

Look for the following section in /etc/amavisd.conf and uncomment it:

@av_scanners = (
['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
   qr/\bOK$/, qr/\bFOUND$/,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
...

Automated update of Virus definitions

Edit the /etc/freshclam.conf:

#Example <- This line should be commented out

Now add a new cron job (using crontab -e) to launch the updater:

05 * * * * /usr/local/bin/freshclam --quiet

freshclam will now check for updates at five minutes past every hour.

Note: Make sure that the name of the socket file clamd.sock matches the one used by clamd above!
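
The settings called for above (Example and TCPSocket commented out, the same clamd.sock path in clamd.conf and amavisd.conf, @bypass_virus_checks_maps commented out) can be checked with a script before restarting the services. This is an added example, not part of the original page; the function names conf_value and check_clamav_setup are hypothetical, and it assumes the socket path appears literally on an uncommented line of amavisd.conf.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check the clamd and
# amavisd settings this page asks for before restarting the services.

# Print the value of an active (uncommented) directive; fail if it is absent.
conf_value() {  # usage: conf_value FILE DIRECTIVE
    awk -v key="$2" '$1 == key { print $2; found = 1; exit }
                     END { exit !found }' "$1"
}

check_clamav_setup() {  # usage: check_clamav_setup CLAMD_CONF AMAVISD_CONF
    clamd_conf=$1; amavisd_conf=$2; rc=0

    # Example and TCPSocket must stay commented out in clamd.conf.
    for key in Example TCPSocket; do
        if conf_value "$clamd_conf" "$key" >/dev/null; then
            echo "FAIL: $key is active in $clamd_conf"; rc=1
        fi
    done

    # clamd must listen on a local socket, and an uncommented line of
    # amavisd.conf (the @av_scanners entry) must name that same path.
    sock=$(conf_value "$clamd_conf" LocalSocket) || sock=
    if [ -z "$sock" ]; then
        echo "FAIL: LocalSocket is not set in $clamd_conf"; rc=1
    elif ! grep -v '^[[:space:]]*#' "$amavisd_conf" | grep -qF -- "$sock"; then
        echo "FAIL: $amavisd_conf does not reference $sock"; rc=1
    fi

    # The page wants the @bypass_virus_checks_maps line commented out.
    if grep -q '^[[:space:]]*@bypass_virus_checks_maps' "$amavisd_conf"; then
        echo "FAIL: @bypass_virus_checks_maps is still active"; rc=1
    fi

    # clamd should run as the unprivileged clamav user created above.
    if [ "$(conf_value "$clamd_conf" User)" != clamav ]; then
        echo "FAIL: User is not clamav in $clamd_conf"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK: clamd and amavisd settings agree"; fi
    return "$rc"
}

# Run against real files when two paths are given on the command line.
if [ "$#" -eq 2 ]; then check_clamav_setup "$1" "$2"; fi
```

Saved to a file, the script takes the two paths as arguments (/etc/clamd.conf and /etc/amavisd.conf in this setup); a non-zero exit status means at least one check failed.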

Testing the AntiVirus

Start the antivirus service and restart the rest of the setup to check that everything works:

# service postfix stop
# service amavisd stop
# service clamd stop

# service clamd start
# service amavisd start
# service postfix start

Note: Postfix should always start after amavisd!

Send an email with the following in the message body (in an HTML email) or as an attachment (in a text file if you are sending the email as plain text only):
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

This is a recognised fake virus signature that should trigger ClamAV. That message should normally only be received by the account we set up in /etc/amavisd.conf. See AmavisdNew for the configuration options.

Note: plain text message bodies are not scanned for viruses as they are safe; only attachments are scanned for threats. On the other hand, HTML message bodies are scanned and treated as attachments.

Page last modified on Friday 26 May 2006, at 11:50 GMT+8 - Viewed 943 times