HowTo: ClamAV



ju5t
11-07-2005, 04:30 AM
Administrator's Note:
Please see this post before following this thread, which is now approximately two years old:

http://www.directadmin.com/forum/showpost.php?p=115371&postcount=104

Note that I am not responsible for anything happening. You should test this locally before putting into production.

There are known problems with SMTP limiter at the moment. If you run SMTP limiter, please only continue if you know what you're doing.

Installing clamav, this could be put into a bash file if ya like.



wget http://surfnet.dl.sourceforge.net/sourceforge/clamav/clamav-0.87.1.tar.gz
tar zxvf clamav-0.87.1.tar.gz
cd clamav*

groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav

./configure --sysconfdir=/etc && make && make install

perl -pi -e "s/^Example/#Example/g" /etc/clamd.conf
perl -pi -e 's#^LocalSocket /tmp/clamd.socket#LocalSocket /var/run/clamav/clamd#g' /etc/clamd.conf
perl -pi -e "s/^#MaxThreads 20/MaxThreads 5/g" /etc/clamd.conf
perl -pi -e "s/^#ScanMail/ScanMail/g" /etc/clamd.conf
perl -pi -e "s/^Example/#Example/g" /etc/freshclam.conf

## Create the dir for the clamav socket
mkdir /var/run/clamav

## Check for updates 24 times a day
/usr/local/bin/freshclam -d -c 24
## Start clamd
/usr/local/sbin/clamd

## Start at boot
echo '' >> /etc/rc.local; echo '## Start Freshclam' >> /etc/rc.local; echo '/usr/local/bin/freshclam -d -c 24' >> /etc/rc.local;
echo '' >> /etc/rc.local; echo '## Start Clamd' >> /etc/rc.local; echo '/usr/local/sbin/clamd' >> /etc/rc.local;



Making changes to exim.conf



pico /etc/exim.conf

## Find primary_hostname and add the following line above
av_scanner = clamd:/var/run/clamav/clamd

## Find check_message:
## Make sure it looks like this:

check_message:
  deny message = This message contains malformed MIME ($demime_reason)
       demime = *
       condition = ${if >{$demime_errorlevel}{2}{1}{0}}
  deny message = This message contains a virus or other harmful content ($malware_name)
       demime = *
       malware = *
  deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
       demime = bat:com:pif:prf:scr:vbs
  warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
  accept

## Save and exit

## Restart exim
/sbin/service exim restart


I have not yet looked into further configuring the service. Ran a test on http://www.gfi.com/emailsecuritytest/
With the following result in /var/log/exim/mainlog:


2005-11-07 13:06:02 1EZ5lC-0005u7-0Z H=gfiservers.gfi.com [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-07 13:06:02 1EZ5lC-0005u6-88 H=gfiservers.gfi.com [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-07 13:06:02 1EZ5lC-0005u7-Ec H=gfiservers.gfi.com [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (Exploit.ObjCodebase.Calc)
2005-11-07 13:06:02 1EZ5lC-0005u6-MA H=gfiservers.gfi.com [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)

squirrelhost
11-07-2005, 04:58 AM
freshclam has been daemonized for some time, much better than setting up a cron job for this

ju5t
11-07-2005, 05:06 AM
Original post changed :)

hostpc.com
11-07-2005, 06:34 AM
Could you please edit your original post to remove the "smilies" ...

Thanks

hostpc.com
11-07-2005, 06:44 AM
2005-11-07 09:40:41 1EZ8Ar-0005lm-93 malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (No such file or directory)

The only clamav files found were:



/usr/local/bin/clamdscan
/usr/local/sbin/clamd
/usr/local/man/man1/clamdscan.1
/usr/local/man/man5/clamd.conf.5
/usr/local/man/man8/clamd.8


Runtime failed ...

Changed


pico /etc/exim.conf

## Find primary_hostname and add the following line above
av_scanner = clamd:/var/run/clamav/clamd


TO:


pico /etc/exim.conf

## Find primary_hostname and add the following line above
av_scanner = clamd:/usr/local/sbin/clamd

And these appeared:


2005-11-07 09:45:19 1EZ8FL-0005rN-R6 malware acl condition: clamd: unable to connect to UNIX socket /usr/local/sbin/clamd (Permission denied)
2005-11-07 09:45:19 1EZ8FL-0005rN-R6 H=www13.hostpc.com [72.35.71.67] F=<root@www13.hostpc.com> temporarily rejected after DATA

ju5t
11-07-2005, 06:51 AM
I'm sorry, forgot to start clamd in the starting post.
Never knew there was a disable smilies button, thanks for making me search a bit further, hehe.



## Start clamd
/usr/local/sbin/clamd

## Start at boot
echo '' >> /etc/rc.local; echo '## Start Freshclam' >> /etc/rc.local; echo '/usr/local/bin/freshclam -d -c 24' >> /etc/rc.local;
echo '' >> /etc/rc.local; echo '## Start Clamd' >> /etc/rc.local; echo '/usr/local/sbin/clamd' >> /etc/rc.local;


Change the exim.conf file back to:
av_scanner = clamd:/var/run/clamav/clamd

hostpc.com
11-07-2005, 06:59 AM
Sorry, still not working:


2005-11-07 09:54:48 1EZ8OT-00065V-8B malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (No such file or directory)
2005-11-07 09:54:48 1EZ8OT-00065V-8B H=(domain.com) [XXX.XXX.XXX.XXX] F=<hbradford@emailremoved> temporarily rejected after DATA
2005-11-07 09:54:51 1EZ8OZ-00065W-3q malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (No such file or directory)

temporarily rejected after DATA

hostpc.com
11-07-2005, 07:03 AM
With this clamd:


2005-11-07 09:51:02 1EZ8Ks-00061y-CP H=www13.hostpc.com [72.35.71.67] F=<root@www13.hostpc.com> temporarily rejected after DATA

After, without:


2005-11-07 09:59:25 1EZ8Sz-0006Bo-HP => joe <joe@hostpc.com> F=<root@www13.hostpc.com> R=spamcheck_director T=spamcheck S=750

ju5t
11-07-2005, 07:03 AM
# ls -l /var/run/clamav
If this returns "ls: /var/run/clamav: No such file or directory":

# mkdir /var/run/clamav

# ps aux|grep clamd

Should not be running, else kill it.

# kill -9 pid

Start it
# /usr/local/sbin/clamd

Will add this to the howto.

GranTW
11-07-2005, 10:48 AM
Hi,

maybe u will have to tell clamd to run via localsocket and not port.

nano /etc/clamd.conf

Look for

# Path to a local socket file the daemon will listen on.
# Default: disabled
LocalSocket /var/run/clamav/clamd

and make sure it's uncommented and that the path matches the one in exim.conf

Then look for

TCPSocket 3310
and
TCPAddr 127.0.0.1

and comment both lines out.

save and then restart clamd.

And exim should then be able to connect through the LocalSocket :)

Thanks,
Grant
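
The mismatch described in the post above, checked mechanically: this added example (not code from any poster) compares the av_scanner target in exim.conf with the LocalSocket, TCPSocket and TCPAddr directives that clamd.conf actually enables. The function names and the sample config files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that the clamd endpoint named in
# exim.conf is one that clamd.conf actually enables.

# Value after "av_scanner = clamd:" in an exim.conf, e.g. "/var/run/clamav/clamd"
# or "127.0.0.1 3310". Empty if the option is absent or commented out.
exim_av_target() {
    sed -n 's/^[[:space:]]*av_scanner[[:space:]]*=[[:space:]]*clamd:[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Value of an uncommented clamd.conf directive: clamd_directive FILE NAME
clamd_directive() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# check_av_wiring EXIM_CONF CLAMD_CONF: prints a verdict, returns 0 on a match.
check_av_wiring() {
    target=$(exim_av_target "$1")
    sock=$(clamd_directive "$2" LocalSocket)
    port=$(clamd_directive "$2" TCPSocket)
    addr=$(clamd_directive "$2" TCPAddr)
    case $target in
    "")
        echo "FAIL: no 'av_scanner = clamd:...' line in $1"; return 1 ;;
    /*)
        if [ "$target" = "$sock" ]; then
            echo "OK: both sides use UNIX socket $target"; return 0
        fi
        echo "FAIL: exim connects to $target, clamd LocalSocket is ${sock:-disabled}"
        return 1 ;;
    *)
        host=${target%% *}; tport=${target##* }
        # An unset TCPAddr means clamd binds every address, so any host matches.
        if [ -n "$port" ] && [ "$tport" = "$port" ] &&
           { [ -z "$addr" ] || [ "$addr" = "$host" ]; }; then
            echo "OK: both sides use TCP $host port $tport"; return 0
        fi
        echo "FAIL: exim connects to TCP $target, clamd has TCPSocket ${port:-disabled}, TCPAddr ${addr:-any}"
        return 1 ;;
    esac
}

# socket_state PATH: "socket", "missing" or "not-a-socket" (for example the clamd
# binary itself, as in the av_scanner = clamd:/usr/local/sbin/clamd attempt).
socket_state() {
    if [ -S "$1" ]; then echo socket
    elif [ -e "$1" ]; then echo not-a-socket
    else echo missing
    fi
}

# Constructed sample configs so the example runs without touching /etc.
demo_dir=$(mktemp -d)
printf '%s\n' 'av_scanner = clamd:/var/run/clamav/clamd' > "$demo_dir/exim.socket"
printf '%s\n' 'av_scanner = clamd:127.0.0.1 3310' > "$demo_dir/exim.tcp"
printf '%s\n' '#Example' 'LocalSocket /var/run/clamav/clamd' \
    '#TCPSocket 3310' '#TCPAddr 127.0.0.1' > "$demo_dir/clamd.socket"
printf '%s\n' '#Example' '#LocalSocket /tmp/clamd' \
    'TCPSocket 3310' 'TCPAddr 127.0.0.1' > "$demo_dir/clamd.tcp"

check_av_wiring "$demo_dir/exim.socket" "$demo_dir/clamd.socket" || true
check_av_wiring "$demo_dir/exim.socket" "$demo_dir/clamd.tcp" || true
check_av_wiring "$demo_dir/exim.tcp" "$demo_dir/clamd.tcp" || true
```

On a live server the two arguments would be /etc/exim.conf and /etc/clamd.conf, and socket_state can then be pointed at the LocalSocket path to see whether clamd has created it.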

@how@
11-09-2005, 07:19 PM
error in exim

]# /sbin/service exim restart
Shutting down exim:
Starting exim: 2005-11-09 21:15:35 Exim configuration error in line 569 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "demime = *"

GranTW
11-10-2005, 01:34 AM
Hi,

http://www.directadmin.com/forum/showthread.php?s=&threadid=2990&perpage=20&pagenumber=2

//Grant

@how@
11-10-2005, 02:08 AM
i have exim.conf spare and i restored

i run SMTP Limiter Plugin and in exim.conf fine check_message: ((there in some SMTP Limiter)) if i add

deny message = This message contains malformed MIME ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
deny message = This message contains a virus or other harmful content ($malware_name)
demime = *
malware = *
deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
demime = bat:com:pif:prf:scr:vbs
warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
accept

and i restart exim
error

# /sbin/service exim restart
Shutting down exim:
Starting exim: 2005-11-09 21:15:35 Exim configuration error in line 569 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "demime = *"

GranTW
11-10-2005, 04:59 AM
Sorry check this post.

http://www.directadmin.com/forum/showthread.php?s=&postid=50202#post50202

//Grant

@how@
11-10-2005, 07:49 PM
Originally posted by GranTW
Sorry check this post.

http://www.directadmin.com/forum/showthread.php?s=&postid=50202#post50202

//Grant

Thanks Grant,
i run firewall i need to open port for ClamAV to update them self

and i can't send and mail by outlook all time error

An unknown error has occurred. Subject 'vvvvvv', Account: '*****@*****.net', Server: 'mail.*****.net', Protocol: SMTP, Server Response: '451 Temporary local problem - please try later', Port: 25, Secure(SSL): No, Server Error: 451, Error Number: 0x800CCC6A

@how@
11-10-2005, 09:31 PM
/etc/exim.conf


After check_message:

deny condition = ${if def:acl_c0{${if exists{/etc/virtual/.smtp_deny/$acl_c0} {yes}}}}
message = User $acl_c0 is not allowed to use SMTP

if i add before or after i get error

deny message = This message contains malformed MIME ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
deny message = This message contains a virus or other harmful content ($malware_name)
demime = *
malware = *
deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
demime = bat:com:pif:prf:scr:vbs
warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

any help

ju5t
11-11-2005, 01:26 AM
I honestly don't know how to get this working with the SMTP limiter. We're not using it ourselves.

Maybe ClayRabbit can assist you with that.

I will update my first post so people know this.

@how@
11-11-2005, 09:15 AM
Thanks getUP i post for ClayRabbit in SMTP Limiter Plugin

jerry2005
11-11-2005, 09:56 AM
Getting an error executing:

perl -pi -e "s/^LocalSocket /tmp/clamd/LocalSocket /var/run/clamav/clamd/g" /etc/clamd.conf

Output:

Bareword found where operator expected at -e line 1, near "s/^LocalSocket /tmp/clamd"
syntax error at -e line 1, near "s/^LocalSocket /tmp/clamd"
Execution of -e aborted due to compilation errors.


Is this a Debian-related problem?

ju5t
11-11-2005, 01:18 PM
Originally posted by jerry2005
Getting an error executing:

perl -pi -e "s/^LocalSocket /tmp/clamd/LocalSocket /var/run/clamav/clamd/g" /etc/clamd.conf

Output:

Bareword found where operator expected at -e line 1, near "s/^LocalSocket /tmp/clamd"
syntax error at -e line 1, near "s/^LocalSocket /tmp/clamd"
Execution of -e aborted due to compilation errors.


Is this a Debian-related problem?

No, you can do it manually.

Open /etc/clamd.conf


Search for Example and replace it with #Example
Search for MaxThreads and set it to MaxThreads 5
Uncomment if needed.
Search for #ScanMail and replace it with ScanMail
Search for LocalSocket and set it to LocalSocket /var/run/clamav/clamd
Make sure you perform the mkdir command as in the starting post


Save & Close

Open /etc/freshclam.conf


Search for Example and replace it with #Example


Save & Close

This is exactly the same though done manually.

jw00dy
11-14-2005, 10:53 PM
Thank you getUP, I've been looking for something on how to setup clamav. And this worked as hoped.

Thank you!

jerry2005
11-15-2005, 03:33 AM
Thx m8 , i got it working on a debian box(3.1)

Output of the test:

2005-11-15 12:34:21 1Ebz4v-0001uw-Ni H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-15 12:34:22 1Ebz4v-0001ux-V0 H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-15 12:34:22 1Ebz4w-0001uw-9U H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-15 12:34:22 1Ebz4w-0001uw-Oj H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-15 12:34:23 1Ebz4x-0001ux-0J H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-15 12:34:23 1Ebz4x-0001ux-FY H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (Exploit.ObjCodebase.Calc)
2005-11-15 12:34:24 1Ebz4y-0001uw-0B H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (Eicar-Test-Signature)
2005-11-15 12:34:24 1Ebz4y-0001ux-Dt H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains malformed MIME (demime acl condition: 'message/partial' MIME type)
2005-11-15 12:34:24 1Ebz4y-0001uw-FU H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains malformed MIME (demime acl condition: 'message/partial' MIME type)
2005-11-15 12:34:24 1Ebz4y-0001ux-Se H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains malformed MIME (demime acl condition: 'message/partial' MIME type)
2005-11-15 12:34:25 1Ebz4y-0001uw-UC H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains malformed MIME (demime acl condition: 'message/partial' MIME type)
2005-11-15 12:34:25 1Ebz4z-0001ux-B6 H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains malformed MIME (demime acl condition: 'message/partial' MIME type)
2005-11-15 12:34:26 1Ebz50-0001uw-Bk H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-15 12:34:26 1Ebz50-0001ux-OT H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-15 12:34:26 1Ebz50-0001uw-RQ H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (Exploit.ObjCodebase.Calc)
2005-11-15 12:34:27 1Ebz51-0001ux-73 H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)

Looks fine to me .....

For debian users: i added the following files to start freshclam and the Clamd at boot :

/etc/init.d/Freshclam

Content:

#!/bin/sh
# Freshclam update

case "$1" in
  'start')
    /usr/local/bin/freshclam -d -c 24
    ;;
  'stop')
    ;;
  *)
    echo "Usage: $0 { start | stop }"
    ;;
esac
exit 0


/etc/init.d/Clamd

Content:

#!/bin/sh
# Antivirus daemon

case "$1" in
  'start')
    /usr/local/sbin/clamd
    ;;
  'stop')
    ;;
  *)
    echo "Usage: $0 { start | stop }"
    ;;
esac
exit 0

@how@
11-17-2005, 12:17 AM
work fine without SMTP Limiter Plugin (exim)
i run APF, do i need to open port for update ?

jw00dy
11-17-2005, 09:59 AM
I run APF too, and I did not have to. And i turned on logging to check to see if it updates and it appears to work. :D

@how@
11-17-2005, 11:49 PM
thanks, update work fine:)

stevef
11-19-2005, 07:12 AM
I'm getting following error:

Starting exim: 2005-11-19 15:59:06 Exim configuration error in line 557 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "demime = *"

I'm running this on Debian 3.1. I've looked at the thread provided by GranTW, but that fix only seems to be for Redhat.

Anyone know how to fix that error on Debian 3.1?

thanks,

@how@
11-19-2005, 07:22 AM
Originally posted by stevef
I'm getting following error:

Starting exim: 2005-11-19 15:59:06 Exim configuration error in line 557 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "demime = *"

I'm running this on Debian 3.1. I've looked at the thread provided by GranTW, but that fix only seems to be for Redhat.

Anyone know how to fix that error on Debian 3.1?

thanks,

this what you need

Originally posted by GranTW
check this post.

http://www.directadmin.com/forum/showthread.php?s=&postid=50202#post50202

//Grant

stevef
11-19-2005, 08:50 AM
That's the solution for Redhat users. I'm running Debian which doesn't support rpm as far as I know :)

stevef
11-20-2005, 08:55 AM
Fixed this under Debian with an upgrade of Exim to 4.54, files found on http://files.directadmin.com/services/debian_3.1/da_exim-4.54.deb

sander815
11-21-2005, 12:05 AM
upgrading clamav, is that just a matter of dling the latest tar.gz, and then ./configure, make, make install?

@how@
11-25-2005, 06:54 AM
if you want ClamAV work with Plugin SMTP Limiter

check_message:
  deny message = This message contains malformed MIME ($demime_reason)
       demime = *
       condition = ${if >{$demime_errorlevel}{2}{1}{0}}
  deny message = This message contains a virus or other harmful content ($malware_name)
       demime = *
       malware = *
  deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
       demime = bat:com:pif:prf:scr:vbs
  warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
  deny condition = ${if def:acl_c0{${if exists{/etc/virtual/.smtp_deny/$acl_c0} {yes}}}}
       message = User $acl_c0 is not allowed to use SMTP
  accept

work 100%

decafranky
11-27-2005, 01:40 PM
Hi,

I am running CentOS 4.2, i get an error when i run perl -pi -e "s/^LocalSocket /tmp/clamd/LocalSocket /var/run/clamav/clamd/g" /etc/clamd.conf


Bareword found where operator expected at -e line 1, near "s/^LocalSocket /tmp/clamd"
syntax error at -e line 1, near "s/^LocalSocket /tmp/clamd"
Execution of -e aborted due to compilation errors.


What am i doing wrong?

Greetz,

Franky

RenDprogrammeur
11-27-2005, 04:23 PM
Doesn't work on Redhat Enterprise 3.0

1.25.5

decafranky
11-27-2005, 04:26 PM
Hi,

I have done a perfect install tonight on CentOS 4.2.

I'll post a howto tomorrow.

Greetz,

Franky

decafranky
11-27-2005, 04:28 PM
I have written it down for myself in Dutch; I will translate it tomorrow and post it here.

Tested on CentOS 4.2.



1. wget http://dag.wieers.com/packages/clamav/clamav-0.87-1.2.el4.rf.i386.rpm
wget http://dag.wieers.com/packages/clamav/clamd-0.87-1.2.el4.rf.i386.rpm
wget http://dag.wieers.com/packages/clamav/clamav-devel-0.87.1-1.2.el4.rf.i386.rpm

rpm -Uvh clamav-0.87-1.2.el4.rf.i386.rpm
rpm -Uvh clamd-0.87-1.2.el4.rf.i386.rpm
rpm -Uvh clamav-devel-0.87.1-1.2.el4.rf.i386.rpm

vi /etc/crontab
add: 53 * * * * root /usr/bin/freshclam

service clamd start

2. vi /etc/exim.conf

a) at the top, below the comment lines, add:

av_scanner = clamd:127.0.0.1 3310

b) # ACL that is used after the DATA command
check_message:
accept

replace with:
# ACL that is used after the DATA command
check_message:
# Virus Check
deny message = This message contains a virus or other malware ($malware_name)
demime = *
malware = *
accept

3. vi /etc/group

mail:x:12:mail

replace with:

mail:x:12:mail,clamav

4. vi /etc/clamd.conf

replace LocalSocket /tmp/clamd with #LocalSocket /tmp/clamd
replace #TCPSocket 3310 with TCPSocket 3310
replace #TCPAddr 127.0.0.1 with TCPAddr 127.0.0.1

5. recompile exim

wget http://files.directadmin.com/services/da_exim-4.54-1.src.rpm

rpm -ivh da_exim-4.54-1.src.rpm

cd /usr/src/redhat/SOURCES

vi ./da_exim-Makefile

add at the top: WITH_OLD_DEMIME = yes

cd /usr/src/redhat/SPECS

rpmbuild -bb exim.spec

cd /usr/src/redhat/RPMS/i386

rpm --force -i da_exim-4.54-1.i386.rpm

6. service exim restart

7. send a test virus and check the log in /var/log/exim

Muzza
12-01-2005, 04:19 PM
Info: I am running redhat 9.0

I added everything as per the initial post in this thread, but i can't send emails out

unless i comment out




# ACL that is used after the DATA command
check_message:
#deny message = This message contains malformed MIME ($demime_reason)
#demime = *
#condition = ${if >{$demime_errorlevel}{2}{1}{0}}
#deny message = This message contains a virus or other harmful content ($malware_name)
#demime = *
#malware = *
#deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
#demime = bat:com:pif:prf:scr:vbs
#warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
accept



however my understanding of this is that it means even if a virus is found by clamav it will still get passed through

I've had a look back at our email server log to find these sorts of error messages, looks like it might be a permissions issue




2005-12-02 00:00:01 1Ehoyf-0001aJ-29 malware acl condition: clamd: ClamAV returned /var/spool/exim/scan/1Ehoyf-0001aJ-29: Access denied. ERROR
2005-12-02 00:00:01 1Ehoyf-0001aJ-29 H=(relay2.star-track.com.au) [203.18.109.18] F=<abc@myurl.com> temporarily rejected after DATA
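
The mainlog excerpts in this thread show three outcomes: a message rejected as infected or malformed, a scanner error, and the deferral ("temporarily rejected after DATA") that follows a scanner error. This added example (not from any poster) tallies them so that a clamd outage stands out from real detections; the log lines in it are constructed in the thread's format, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): classify Exim mainlog lines written by the
# check_message ACL shown in this thread.

# triage_mainlog [FILE...]: reads the named files, or stdin, and prints one
# "category count" line per outcome ("virus NAME count" for detections).
triage_mainlog() {
    awk '
    # Scanner could not be reached or returned an error: nothing was scanned.
    /malware acl condition: clamd:/ { scanner_error++; next }
    /rejected after DATA: This message contains a virus/ {
        name = $0
        sub(/^.*\(/, "", name)   # keep the text after the last "("
        sub(/\).*$/, "", name)   # drop the closing ")"
        virus[name]++; next
    }
    /rejected after DATA: This message contains malformed MIME/ { mime++; next }
    /rejected after DATA: This message contains an attachment/ { ext++; next }
    /temporarily rejected after DATA/ { deferred++; next }
    END {
        for (n in virus) printf "virus %s %d\n", n, virus[n]
        printf "malformed_mime %d\n", mime
        printf "blocked_extension %d\n", ext
        printf "scanner_error %d\n", scanner_error
        printf "deferred %d\n", deferred
    }' "$@" | sort
}

# scanner_outage [FILE...]: exit status 0 when the log shows clamd errors, which
# means mail is being deferred instead of scanned.
scanner_outage() {
    n=$(triage_mainlog "$@" | awk '$1 == "scanner_error" { print $2 }')
    [ "${n:-0}" -gt 0 ]
}

# Constructed sample lines in the format of the excerpts posted in this thread.
sample_mainlog() {
    cat <<'EOF'
2005-11-07 13:06:02 1EZ5lC-0005u7-0Z H=mx.example.net [192.0.2.10] F=<test@example.net> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-07 13:06:02 1EZ5lC-0005u6-88 H=mx.example.net [192.0.2.10] F=<test@example.net> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-07 13:06:03 1EZ5lD-0005u7-Ec H=mx.example.net (S1) [192.0.2.10] F=<test@example.net> rejected after DATA: This message contains a virus or other harmful content (Eicar-Test-Signature)
2005-11-07 13:06:04 1EZ5lE-0005u7-Dt H=mx.example.net [192.0.2.10] F=<test@example.net> rejected after DATA: This message contains malformed MIME (demime acl condition: 'message/partial' MIME type)
2005-11-07 13:09:41 1EZ8Ar-0005lm-93 malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (No such file or directory)
2005-11-07 13:09:41 1EZ8Ar-0005lm-93 H=mx.example.net [192.0.2.10] F=<user@example.net> temporarily rejected after DATA
2005-11-07 13:12:01 1EZ8Dx-0005nA-29 malware acl condition: clamd: ClamAV returned /var/spool/exim/scan/1EZ8Dx-0005nA-29: Access denied. ERROR
2005-11-07 13:12:01 1EZ8Dx-0005nA-29 H=mx.example.net [192.0.2.10] F=<user@example.net> temporarily rejected after DATA
EOF
}

sample_mainlog | triage_mainlog
if sample_mainlog | scanner_outage; then
    echo "ALERT: clamd errors in log; mail is deferred until the scanner is reachable"
fi
```

A non-zero scanner_error count with matching deferrals means the ACL is failing closed; commenting the malware lines out, as described above, restores delivery but lets unscanned mail through.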

@how@
12-01-2005, 05:58 PM
stop clamd then start again and will work fine

SupermanInNY
12-02-2005, 04:53 PM
I'm having a bit of a problem with this process:




somedomain.com:/root # perl -pi -e "s/^LocalSocket /tmp/clamd/LocalSocket /var/run/clamav/clamd/g" /etc/clamd.conf
Bareword found where operator expected at -e line 1, near "s/^LocalSocket /tmp/clamd"
syntax error at -e line 1, near "s/^LocalSocket /tmp/clamd"
Execution of -e aborted due to compilation errors.


Any pointers?

WBEL 3.0
clamav-0.87.1

HostPerfect
12-15-2005, 05:59 AM
How to fix the problem with:

Starting exim: 2005-12-15 15:29:26 Exim configuration error in line 556 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "demime = *"

What to do? :confused:

Explain it in steps please :o

GranTW
12-15-2005, 06:02 AM
Hi,

follow the instructions here to install the latest Exim.

http://www.directadmin.com/forum/showthread.php?s=&threadid=9968

Thanks,
Grant

ju5t
12-15-2005, 07:31 AM
Originally posted by SupermanInNY
I'm having a bit of a problem with this process:


Any pointers?

WBEL 3.0
clamav-0.87.1

Open /etc/clamd.conf with an editor, search for LocalSocket and make sure it looks like:

LocalSocket /var/run/clamav/clamd
Save and exit and complete the other steps.

RenDprogrammeur
12-15-2005, 07:39 AM
How can i remove this the best because it doesn't work !

sHuKKo
12-16-2005, 05:18 AM
Thanks to original howto writer getUP and decafranky for extra information.
--------------

Tested on CentOS 4.2. *64 BIT*



1.
#cd /root
#mkdir clam
#cd clam

wget http://dag.wieers.com/packages/clamav-0.87-1.2.el4.rf.x86_64.rpm
wget http://dag.wieers.com/packages/clamav-db-0.87-1.2.el4.rf.x86_64.rpm
wget http://dag.wieers.com/packages/clamav-devel-0.87-1.2.el4.rf.x86_64.rpm
wget http://dag.wieers.com/packages/clamd-0.87-1.2.el4.rf.x86_64.rpm

#rpm -Uvh *


nano /etc/crontab

add below line to the end of the file:

53 * * * * root /usr/bin/freshclam

ctrl+x
y

#service clamd start

2. nano /etc/exim.conf

a) find : ctrl+w

# primary_hostname =
right below comments
add below line after this:

av_scanner = clamd:127.0.0.1 3310

b) find : ctrl+w

# ACL that is used after the DATA command
check_message:
accept

replace with:



check_message:
deny message = This message contains malformed MIME ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
deny message = This message contains a virus or other harmful content ($malware_name)
demime = *
malware = *
deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
demime = bat:com:pif:prf:scr:vbs
warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
accept



3. nano /etc/group
find :

mail:x:12:mail

replace with :

mail:x:12:mail,clamav

4. nano /etc/clamd.conf

find :

#LocalSocket /var/run/clamav/clamd.sock

and make sure it looks like this:

# Path to a local socket file the daemon will listen on.
# Default: disabled
#LocalSocket /var/run/clamav/clamd.sock

# Remove stale socket after unclean shutdown.
# Default: disabled
FixStaleSocket

# TCP port address.
# Default: disabled
TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: disabled
TCPAddr 127.0.0.1




5.

:: OPTIONAL IF NEEDED ::

my exim version is already 4.54-1 because of newly installed server.
If your exim version is below that version upgrade your exim like this:

wget http://files.directadmin.com/services/da_exim-4.54-1.src.rpm

rpm -ivh da_exim-4.54-1.src.rpm

cd /usr/src/redhat/SOURCES

vi ./da_exim-Makefile

add at the top: WITH_OLD_DEMIME = yes

cd /usr/src/redhat/SPECS

rpmbuild -bb exim.spec

cd /usr/src/redhat/RPMS/i386

rpm --force -i da_exim-4.54-1.i386.rpm

6.

#service exim restart

#service clamd restart

7. check your mail and clamav logs

#tail -f /var/log/exim/reject.log

#tail -f /var/log/clamav/clamd.log

8. OPTIONAL

You can verify and test your installation using the tests on:

http://www.gfi.com/emailsecuritytest/

Maniak
12-18-2005, 08:59 AM
Hello all,

I've got a question, I setup spamassassin, MailScanner and ClamAV and all are running I can see that on process id list.

I've got that for clamav:

clamav 4267 0.0 0.0 4640 1032 ? Ss 13:13 0:00 /usr/bin/freshcla
clamav 4281 0.0 0.0 4636 1028 ? Ss 13:13 0:00 /usr/bin/freshcla


I have then no idea why it doesn't work when I try to connect to localhost 3310.

If someone have an idea, I'll be happy to read an answer.

Thanks!

Maniak

ballyn
12-18-2005, 09:27 AM
It's the clamd process that opens the port... check if that process is running.

The port is configured in the clamd.conf file. For performance and security reasons, however, I'd recommend using the socket instead of the tcp port (which is the default).

Maniak
12-18-2005, 09:35 AM
Hello,

No in fact not running! I have troubles to make clamav works fine, I'm using FC3 on an AMD Opteron 64 bits.

I found a lotta rpms files but noone seems to work fine with my FC =( i'm a bit confused about which to choose.

MailScanner works fine, but noway to setup clamav :(

servertweak
12-28-2005, 01:01 PM
i get this error

05-12-28 12:57:08 1EriM8-0005Gf-4r malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (No such file or directory)




Centos 4.2

@how@
12-28-2005, 07:34 PM
Originally posted by servertweak
i get this error

05-12-28 12:57:08 1EriM8-0005Gf-4r malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (No such file or directory)




Centos 4.2

here
http://www.directadmin.com/forum/showthread.php?s=&threadid=10478#post59815

memoriess
01-08-2006, 01:44 PM
Hi,

I have followed the steps strictly but still encountering this error.

# /sbin/service exim restart
Shutting down exim:
Starting exim: 2005-11-09 21:15:35 Exim configuration error in line 569 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "demime = *"

How do I solve this? What does SMTP limiter plugin for? Anyway to disable it

ju5t
01-09-2006, 02:46 AM
Originally posted by memoriess
Hi,

I have followed the steps strictly but still encountering this error.

# /sbin/service exim restart
Shutting down exim:
Starting exim: 2005-11-09 21:15:35 Exim configuration error in line 569 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "demime = *"

How do I solve this? What does SMTP limiter plugin for? Anyway to disable it

Which OS?

missionaire
01-09-2006, 12:36 PM
Originally posted by getUP
Which OS?

Hi,

I am having the same problem as well. I am running on Linux, Fedora 4.

Please help. Thanks.

@how@
01-11-2006, 12:42 AM
Easy update with this ;) to clamav-0.88
if you miss some in install will be fix to clamav-0.88

wget http://www.web4host.net/tools/ClamAV-update-tools.sh
chmod 755 ClamAV-update-tools.sh
./ClamAV-update-tools.sh




Wael

jw00dy
01-11-2006, 11:39 PM
Thank you, that worked excellent on CentOS 3.5

ju5t
01-16-2006, 01:18 AM
As for the demime errors, reinstalling Exim should be solving that.



wget http://files.directadmin.com/services/da_exim-4.60-1.src.rpm
rpm -ivh da_exim-4.60-1.src.rpm
cd /usr/src/redhat/SPECS
rpmbuild -bb exim.spec
cd /usr/src/redhat/RPMS/i386
rpm -Uvh --force --nodeps da_exim-4.60-1.i386.rpm

betoranaldi
01-18-2006, 03:11 PM
nevermind

Dennis
01-24-2006, 01:50 AM
Hi,

wanted to update my ClamAV and used the script from @how@ but he did not update......still got the message it is outdated in my freshclam.log. Any pointers?

Thanks!!

Dennis

@how@
01-24-2006, 10:37 AM
killall clamd -9
take backup for
/etc/clamd.conf
/etc/freshclam.conf
then
wget http://ovh.dl.sourceforge.net/sourceforge/clamav/clamav-0.88.tar.gz
tar zxvf clamav-0.88.tar.gz
cd clamav-0.88
./configure --sysconfdir=/etc && make && make install
restore backup file
/etc/clamd.conf
/etc/freshclam.conf
start it again
/usr/local/sbin/clamd



Wael

kawing05
01-24-2006, 09:39 PM
anyone tested the guide at debian is working? cos I would like to install at debian box. Thank for all

@how@
04-07-2006, 03:04 AM
Originally posted by @how@
Easy update with this ;) to clamav-0.88
if you miss some in install will be fix to clamav-0.88

wget http://www.web4host.net/tools/ClamAV-update-tools.sh
chmod 755 ClamAV-update-tools.sh
./ClamAV-update-tools.sh




Wael

ClamAV 0.88.1

Wael

jw00dy
04-07-2006, 12:27 PM
Thanks Wael

@how@
04-30-2006, 10:35 PM
ClamAV 88.2

wget http://www.web4host.net/tools/ClamAV-update-tools.sh
chmod 755 ClamAV-update-tools.sh
./ClamAV-update-tools.sh



Wael

jw00dy
04-30-2006, 10:47 PM
Thank you Wael :cool:

Your script still has 88.1 though, so those who download it will need to change the script to get 88.2

Otherwise, worked perfect. Thanks again.

@how@
04-30-2006, 11:00 PM
Originally posted by jw00dy
Thank you Wael :cool:

Your script still has 88.1 though, so those who download it will need to change the script to get 88.2

Otherwise, worked perfect. Thanks again.

you need to delete old file and download again :)

jw00dy
04-30-2006, 11:03 PM
I did. I am showing 88.2 now.

The_cobra666
05-02-2006, 06:45 AM
2006-05-02 15:36:38 1Fav3O-0006ws-Tw malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
2006-05-02 15:36:38 1Fav3O-0006ws-Tw H=localhost (81.164.13.74) [127.0.0.1] F=<thsdfsdfs@futuredesigning.com> temporarily rejected after DATA
2006-05-02 15:36:42 1Fav3S-0006wt-Ja malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
2006-05-02 15:36:42 1Fav3S-0006wt-Ja H=localhost (81.164.13.74) [127.0.0.1] F=<thesdfsdf@futuredesigning.com> temporarily rejected after DATA
2006-05-02 15:36:46 1Fav3W-0006wu-0Z malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
2006-05-02 15:36:46 1Fav3W-0006wu-0Z H=localhost (81.164.13.74) [127.0.0.1] F=<thesdfsfd@futuredesigning.com> temporarily rejected after DATA

Any ideas? When I disable clam it works just fine.

@how@
05-02-2006, 10:17 AM
Originally posted by The_cobra666
2006-05-02 15:36:38 1Fav3O-0006ws-Tw malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
2006-05-02 15:36:38 1Fav3O-0006ws-Tw H=localhost (81.164.13.74) [127.0.0.1] F=<thsdfsdfs@futuredesigning.com> temporarily rejected after DATA
2006-05-02 15:36:42 1Fav3S-0006wt-Ja malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
2006-05-02 15:36:42 1Fav3S-0006wt-Ja H=localhost (81.164.13.74) [127.0.0.1] F=<thesdfsdf@futuredesigning.com> temporarily rejected after DATA
2006-05-02 15:36:46 1Fav3W-0006wu-0Z malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
2006-05-02 15:36:46 1Fav3W-0006wu-0Z H=localhost (81.164.13.74) [127.0.0.1] F=<thesdfsfd@futuredesigning.com> temporarily rejected after DATA

Any ideas? When I disable clam it works just fine.



nano -w /etc/exim.conf

At the end of comments section add this:

av_scanner = clamd:127.0.0.1 3310

Type in Ctrl-W and search for the second instance of check_message

Change:

# ACL that is used after the DATA command
check_message:
accept

To this:

# ACL that is used after the DATA command
check_message:
# Virus Check
deny message = This message contains a virus or other malware ($malware_name)
demime = *
malware = *
accept

Do a Ctrl-X and save.

Now restart Exim

/etc/init.d/exim restart

The_cobra666
05-02-2006, 10:49 AM
2006-05-02 19:47:54 exim 4.61 daemon started: pid=1395, -q15m, listening for SMTP on port 25 (IPv4) port 587 (IPv4)
2006-05-02 19:48:43 1FayzL-0000Na-Bm malware acl condition: clamd: connection to 127.0.0.1, port 3310 failed (Connection refused)
2006-05-02 19:48:43 1FayzL-0000Na-Bm H=astra.telenet-ops.be [195.130.132.58] F=<the_cobra666@futuredesigning.com> temporarily rejected after DATA

Disabling clamd again.

Edit: Great can't send any emails now even with clamd disabled... Stopping clamd is ==> clamd stop right?

jw00dy
05-02-2006, 10:50 AM
Do you have a firewall that is blocking that port?

The_cobra666
05-02-2006, 10:52 AM
Originally posted by jw00dy
Do you have a firewall that is blocking that port?

I am on a VPS and from what I know I do not have any firewall. Strange thing is, clamd used to work before... but now suddenly it blocks everything.

jw00dy
05-02-2006, 10:54 AM
Hmmm, interesting... I'm not sure.

The_cobra666
05-02-2006, 10:55 AM
I've deleted the added lines in exim.conf and can receive and send mails now.

@how@
05-05-2006, 03:11 AM
Originally posted by The_cobra666
I've deleted the added lines in exim.conf and can receive and send mails now.

Yes, you can now receive and send, but without ClamAV

The_cobra666
05-05-2006, 08:04 AM
Originally posted by @how@
Yes, you can now receive and send, but without ClamAV

That I know :) I can't find a way around the problem, so I don't think I will have any other choice.

xemaps
05-05-2006, 10:26 AM
This is my conf which works

after comment of my exim.conf 2.0 (FC3 EXIM4.60)


av_scanner = clamd:/var/run/clamav/clamd

and later



# ACL that is used after the DATA command
check_message:
deny message = This message content malformed MIME ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
deny message = May contains a virus or malware ($malware_name)
demime = *
malware = *
deny message = Attachement Not accepted (.$found_extension)
demime = bat:com:pif:prf:scr:vbs
warn message = X-Antivirus-Scanner: Clamav
accept


sometimes need reboot after update when the socket is busy

rldev
05-15-2006, 06:44 AM
Is there a way to prevent clamav from taking down all incoming email when it gets stuck or crashes? I had this problem this weekend. Clam stopped working and so did all incoming mail with it. It has happened a couple of times in the past year. The problem is there does not seem to be a real way to automatically monitor this because everything thinks it's working. This is a major problem.

Also is it all or nothing for Clam? Can some users use it and others not?

nobaloney
05-16-2006, 08:58 AM
The ClamAV installation in the How-To is system-wide.

Our first NoBaloney Official version of ClamAV will not be user-by-user.

Our second version will.

But that's user as in domain owner, not user as in email box holder.

Whether or not DirectAdmin will use our NoBaloney Official version will of course be up to them, but in the past they've been interested in, and have used, our exim.conf files (and we of course have added their official sections as well).

Jeff

rldev
05-16-2006, 09:35 AM
I look forward to it Jeff.

Hopefully someone knows the answer to my question. I can not have Clam crap out and halt all incoming email. I should just disable it for now.
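
The monitoring gap described above can be closed by asking clamd itself whether it is alive instead of checking that the process exists. The probe below is an added example, not code from this thread: it sends clamd's PING command over the LocalSocket used in the how-to and tells apart "nothing listening" from "accepting but not answering". The timeout value and exit codes are assumptions.

```python
"""Liveness probe for clamd over its UNIX socket (added example, not from the thread)."""
import socket
import sys

SOCKET_PATH = "/var/run/clamav/clamd"  # must equal LocalSocket in clamd.conf
TIMEOUT = 5.0                          # assumed threshold, in seconds, for "hung"


def probe_clamd(path=SOCKET_PATH, timeout=TIMEOUT):
    """Return (state, detail); state is 'ok', 'down' or 'hung'.

    'down': nothing accepts on the socket, the case Exim logs as
            "unable to connect to UNIX socket ... (Connection refused)".
    'hung': the socket accepts the connection but PING is never answered,
            which a simple "is the process running" check cannot see.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(path)
        except socket.timeout:
            return "hung", "connect timed out"
        except OSError as exc:
            return "down", str(exc)
        try:
            s.sendall(b"PING\n")       # clamd answers a healthy PING with PONG
            reply = s.recv(64)
        except socket.timeout:
            return "hung", f"no reply to PING within {timeout}s"
        except OSError as exc:
            return "down", str(exc)
    if reply.strip() == b"PONG":
        return "ok", "PONG"
    return "down", f"unexpected reply {reply!r}"


def main(argv):
    path = argv[1] if len(argv) > 1 else SOCKET_PATH
    state, detail = probe_clamd(path)
    print(f"clamd {state}: {detail}")
    # Non-zero exit lets cron or a supervisor alert on it or restart clamd.
    return 0 if state == "ok" else 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from cron every minute or two and alert on a non-zero exit. Exim can also be told to accept mail when the scanner is unreachable by writing the condition as malware = */defer_ok, but that fails open: mail is delivered unscanned for as long as clamd is down.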

bigboy
05-20-2006, 11:01 AM
FreeBSD5.4 Install clamav at ports

i cannot send mail from outlook

outlook error


av_scanner = clamd:/var/run/clamav/clamd


cat /var/log/clamav/clamd.log


ERROR: Socket file /var/run/clamav/clamd could not be bound: Permission denied
+++ Started at Sun May 21 08:20:32 2006
clamd daemon 0.88.2 (OS: freebsd5.4, ARCH: i386, CPU: i386)
Log file size limited to 1048576 bytes.
Running as user clamav (UID 106, GID 106)




An unknown error has occurred. Subject 'test', Account: 'support', Server: 'mail.xxxxxt.com', Protocol: SMTP, Server Response: '451 Temporary local problem - please try later', Port: 25, Secure(SSL): No, Server Error: 451, Error Number: 0x800CCC6A


cat /var/log/exim/mainlog



2006-05-21 00:49:44 1FhVa7-000Da8-LJ malware acl condition: clamd: connection to 127.0.0.1, port 3310 failed (Bad file descriptor)
2006-05-21 00:49:44 1FhVa7-000Da8-LJ H=ppp-124.121.20.4.revip2.asianet.co.th (home15ddc4daa7) [124.121.20.4] F=<support@thaipowerhost.com> temporarily rejected after DATA
2006-05-21 00:49:55 1FhVaH-000DaP-TS malware acl condition: clamd: connection to 127.0.0.1, port 3310 failed (Bad file descriptor)
2006-05-21 00:49:55 1FhVaH-000DaP-TS H=ppp-124.121.20.4.revip2.asianet.co.th (home15ddc4daa7) [124.121.20.4] F=<support@thaipowerhost.com> temporarily rejected after DATA
2006-05-21 00:49:59 1FhVZY-000DXB-U4 => roselove1@chaiyo.com F=<sookna@sookna.com> R=lookuphost T=remote_smtp S=934 H=mail2.chaiyo.com [203.150.226.23] C="250 ok 1148146709 qp 14963"
2006-05-21 00:49:59 1FhVZY-000DXB-U4 Completed

@how@
05-29-2006, 11:08 PM
Here is another how-to:
http://www.directadmin.com/forum/showthread.php?s=&threadid=12099

bigboy
05-30-2006, 07:04 PM
Dear Sir

I need a script for FreeBSD

matthewventura
06-06-2006, 06:51 AM
can you go over this step?

## Create the dir for the clamav socket
mkdir /var/run/clamav

you make a directory, but how does clamav know to run in it?

Arkaos
09-24-2006, 03:55 AM
Originally posted by getUP
Note that I am not responsible for anything happening. You should test this locally before putting into production.

There are known problems with SMTP limiter at the moment. If you run SMTP limiter, please only continue if you know what you're doing.

Installing clamav, this could be put into a bash file if ya like.



wget http://surfnet.dl.sourceforge.net/sourceforge/clamav/clamav-0.87.1.tar.gz
tar zxvf clamav-0.87.1.tar.gz
cd clamav*

groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav

./configure --sysconfdir=/etc && make && make install

perl -pi -e "s/^Example/#Example/g" /etc/clamd.conf
perl -pi -e "s/^#MaxThreads 10/MaxThreads 5/g" /etc/clamd.conf
perl -pi -e "s/^#ScanMail/ScanMail/g" /etc/clamd.conf
perl -pi -e "s/^LocalSocket /tmp/clamd/LocalSocket /var/run/clamav/clamd/g" /etc/clamd.conf
perl -pi -e "s/^Example/#Example/g" /etc/freshclam.conf

## Create the dir for the clamav socket
mkdir /var/run/clamav

## Check for updates 24 times a day
/usr/local/bin/freshclam -d -c 24
## Start clamd
/usr/local/sbin/clamd

## Start at boot
echo '' >> /etc/rc.local; echo '## Start Freshclam' >> /etc/rc.local; echo '/usr/local/bin/freshclam -d -c 24' >> /etc/rc.local;
echo '' >> /etc/rc.local; echo '## Start Clamd' >> /etc/rc.local; echo '/usr/local/sbin/clamd' >> /etc/rc.local;



Making changes to exim.conf



pico /etc/exim.conf

## Find primary_hostname and add the following line above
av_scanner = clamd:/var/run/clamav/clamd

## Find check_message:
## Make sure it looks like this:

check_message:
deny message = This message contains malformed MIME ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
deny message = This message contains a virus or other harmful content ($malware_name)
demime = *
malware = *
deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
demime = bat:com:pif:prf:scr:vbs
warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
accept

## Save and exit

## Restart exim
/sbin/service exim restart


I have not yet looked into further configuring the service. Ran a test on http://www.gfi.com/emailsecuritytest/
With the following result in /var/log/exim/mainlog:


2005-11-07 13:06:02 1EZ5lC-0005u7-0Z H=gfiservers.gfi.com [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-07 13:06:02 1EZ5lC-0005u6-88 H=gfiservers.gfi.com [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-07 13:06:02 1EZ5lC-0005u7-Ec H=gfiservers.gfi.com [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (Exploit.ObjCodebase.Calc)
2005-11-07 13:06:02 1EZ5lC-0005u6-MA H=gfiservers.gfi.com [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)


When following the guide....

I get the following error



[root@webbox clamav-0.88.4]# perl -pi -e "s/^LocalSocket /tmp/clamd/LocalSocket /var/run/clamav/clamd/g" /etc/clamd.conf
Bareword found where operator expected at -e line 1, near "s/^LocalSocket /tmp/clamd"
syntax error at -e line 1, near "s/^LocalSocket /tmp/clamd"
Execution of -e aborted due to compilation errors.


Any ideas?

Nick

dude2006
10-05-2006, 10:37 AM
I carefully followed the instructions in this thread and I've gone back over them several times but I'm getting the following message in my Exim log:


2006-10-04 22:35:15 1GVK0w-0000J6-Uf malware acl condition: clamd: ClamAV returned /var/spool/exim/scan/1GVK0w-0000J6-Uf: lstat() failed. ERROR

Obviously this is preventing email delivery so I have disabled ClamAV in my Exim configuration file for now.

I thought this may be a file permissions issue so I added the clamav user to the /etc/group file:

mail:x:12:mail,clamav

I can see the clamd process running and there are no errors in the clamd log.

Here is what I have in my /etc/exim.conf file:

(Before # primary_hostname =)

av_scanner = clamd:/var/run/clamav/clamd


check_message:
deny message = This message contains malformed MIME ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
deny message = This message contains a virus or other harmful content ($malware_name)
demime = *
malware = *
deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
demime = bat:com:pif:prf:scr:vbs
warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
accept

Here's my clamav socket directory:

ls -lad /var/run/clamav
drwxr-xr-x 2 clamav root 4096 Oct 4 22:33 /var/run/clamav

and inside:

ls -la /var/run/clamav/
total 16
srwxrwxrwx 1 clamav clamav 0 Oct 4 22:33 clamd
-rw-rw---- 1 clamav clamav 4 Oct 4 22:33 clamd.pid
-rw-rw---- 1 clamav clamav 5 Oct 4 21:39 freshclam.pid

In my /etc/clamd.conf file I have the following:


LocalSocket /var/run/clamav/clamd

Anybody have any ideas what is going on here?

Thanks!

dude2006
10-05-2006, 11:27 AM
OK, I found a solution. I switched ClamAV to run as the "mail" user in clamd.conf. That seems to give it permission to scan the Exim files in /var/spool/exim/scan/.

/etc/clamd.conf


User mail

Maybe the How-To Guide should be updated?

Thanks!

oldsparky
11-18-2006, 01:58 PM
If you want to use volatile packages, do the following:

- add a repository in /etc/apt/sources.list:

### Volatile
deb http://ftp.de.debian.org/debian-volatile sarge/volatile main contrib non-free

- install clamav packages:

# apt-get install clamav-daemon clamav-freshclam

- add clamav user to mail group:

# adduser clamav mail

- change permission in exim dirs:

# chmod -R g+w /var/spool/exim
# chmod -R g+s /var/spool/exim

- restart clamd

/etc/init.d/clamav-daemon restart

- watch exim log to see if all ok, after you made all config settings (exim.conf, clamd.conf):

tail -f /var/log/exim/mainlog

That's all.
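
The two posts above both deal with the "lstat() failed" error by changing who may read /var/spool/exim/scan: one runs clamd as the mail user, the other adds clamav to the mail group and opens group permissions. Before changing either, it helps to see which directory actually stops the scanner. The script below is an added example, not code from this thread; it walks the path and reports the first entry whose mode bits block a given user. The default user name and path are the ones mentioned in the posts, and the helper names are hypothetical.

```python
"""Find the first path component a uid/gid set cannot pass (mode bits only; added example)."""
import grp
import os
import pwd
import stat
import sys


def ids_for(user):
    """uid and group set from the passwd/group databases. This is what a newly
    started process can obtain, not necessarily what the running clamd holds."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids


def rwx_for(st, uid, gids):
    """Return (class, bits): which permission triplet applies and its value 0-7."""
    if uid == st.st_uid:
        return "owner", (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return "group", (st.st_mode >> 3) & 7
    return "other", st.st_mode & 7


def first_blocked(path, uid, gids, root="/"):
    """Walk from below `root` down to `path`. Return None when uid/gids can reach
    and read it, else (entry, class, mode_string) for the first blocking entry.
    `root` itself is assumed reachable; ACLs and SELinux are not considered."""
    if uid == 0:
        return None                       # root is not limited by mode bits
    root = os.path.abspath(root)
    parts = os.path.relpath(os.path.abspath(path), root).split(os.sep)
    entry = root
    for i, name in enumerate(parts):
        entry = os.path.join(entry, name)
        st = os.stat(entry)
        klass, bits = rwx_for(st, uid, gids)
        is_last = i == len(parts) - 1
        if stat.S_ISDIR(st.st_mode):
            need = 5 if is_last else 1    # r-x to list the last dir, --x to pass through
        else:
            need = 4                      # r-- to read the spooled message
        if bits & need != need:
            return entry, klass, stat.filemode(st.st_mode)
    return None


def main(argv):
    user = argv[1] if len(argv) > 1 else "clamav"
    path = argv[2] if len(argv) > 2 else "/var/spool/exim/scan"
    uid, gids = ids_for(user)
    blocked = first_blocked(path, uid, gids)
    if blocked is None:
        print(f"{user} can reach {path}")
        return 0
    entry, klass, mode = blocked
    print(f"{user} is stopped at {entry}: mode {mode}, matched as {klass}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Group changes in /etc/group only reach clamd after a restart, and ClamAV releases of this period only initialised supplementary groups when AllowSupplementaryGroups was enabled in clamd.conf. Granting the clamav user group read access is a narrower change than running the scanner as the mail user.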

PeterJ
06-20-2007, 04:58 PM
Hi everyone

I got these errors when installing ClamAV 0.90.3


[root@localhost clamav-0.90.3]# /usr/local/sbin/clamd
/usr/local/sbin/clamd: error while loading shared libraries: libclamav.so.2: cannot open shared object file: No such file or directory
[root@localhost clamav-0.90.3]# /usr/local/bin/freshclam -d -c 24
/usr/local/bin/freshclam: error while loading shared libraries: libclamav.so.2: cannot open shared object file: No such file or directory


can anyone help me please ? thanks

koudou
07-25-2007, 03:11 AM
Normally, installation of clamav as described comes with the library.

1. try to see if libclamav.so.2 is in /usr/local/lib

I guess yes

2. verify that /usr/local/lib is inside the file /etc/ld.so.conf

with pico or nano for example. If not, add it (or the path where you found libclamav.so.2 in step 1)

3. run :

ldconfig

=============
should work.

Michel

Duboux
08-03-2007, 05:47 AM
btw, even if the line /usr/local/lib is already in there, just run ldconfig.
That worked for me. :)


Also with:

[root@webbox clamav-0.88.4]# perl -pi -e "s/^LocalSocket /tmp/clamd/LocalSocket /var/run/clamav/clamd/g" /etc/clamd.conf
Bareword found where operator expected at -e line 1, near "s/^LocalSocket /tmp/clamd"
syntax error at -e line 1, near "s/^LocalSocket /tmp/clamd"
Execution of -e aborted due to compilation errors.

I used this from the ClamAV mail-help-files:

perl -pi -e "s#^LocalSocket /tmp/clamd#LocalSocket /var/run/clamav/clamd#" /etc/clamd.conf

You can also edit the replacements in the /etc/clamd.conf file manually.

Randy
08-03-2007, 06:56 AM
Anyone tried this?: http://www.howtoforge.com/ispconfig_sanesecurity_clamav_debian_ubuntu

Duboux
08-03-2007, 08:28 AM
When I received this error:

2007-08-03 14:43:55 1IGwVW-0006Ic-T3 malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (No such file or directory)
I went to /var/run/clamav and saw I didn't have a clamd, but a clamd.socket

I went for a reboot, and made sure it wouldn't start again.
I commented the line : av_scanner = clamd:/var/run/clamav/clamd in /etc/exim.conf
And I removed the new added lines in /etc/rc.local
Then I rebooted



I did the install steps again.
Instead of the perl commands, I edited the clamd.conf file manually, using this post (http://www.directadmin.com/forum/showpost.php?p=60228&postcount=20)


I didn't restart exim yet, which led me to the following errors in the Exim log:

2007-08-03 16:42:12 1IGyM0-0001RS-BH malware acl condition: unable to connect to sophie UNIX socket (/var/run/sophie). errno=2
2007-08-03 16:42:12 1IGyM0-0001RS-BH H=(svfm6eae.rgihocim.comcast.net) [219.139.79.104] F=<xbhsybdv@rrhhar3.bumeran.com> temporarily rejected after DATA
Sending email via webmail, also gave me this error (and some more text):

451 Temporary local problem - please try later


I restarted Exim, and from there it worked, finally :)

The test results:

2007-08-03 16:55:43 1IGyZ5-0001Ve-C9 => **** <****@****.com> F=<emailtesting@gfi.com> R=virtual_user T=virtual_localdelivery S=4977
2007-08-03 16:55:43 1IGyZ5-0001Ve-C9 Completed
2007-08-03 16:55:44 1IGyZ5-0001Vd-Un <= emailtesting@gfi.com H=gfiservers.gfi.com (S44374) [69.20.55.130] P=esmtp S=3656 id=S44374ntjfwTP5gD9UL00000565@S44374 T="Long subject vulnerability test (Outlook Express 6)" from <emailtesting@gfi.com> for ****@****.com
2007-08-03 16:55:44 1IGyZ5-0001Vd-Un => **** <****@****.com> F=<emailtesting@gfi.com> R=virtual_user T=virtual_localdelivery S=3824
2007-08-03 16:55:44 1IGyZ5-0001Vd-Un Completed
2007-08-03 16:55:44 unexpected disconnection while reading SMTP command from (u5o67d.apoaoydu.rr.com) [123.16.72.219]
2007-08-03 16:55:44 1IGyZ6-0001Ve-0i <= emailtesting@gfi.com H=gfiservers.gfi.com (S44374) [69.20.55.130] P=esmtp S=4257 id=S443748xSSd694NDh6P00000566@S44374 T="hide.hta" from <emailtesting@gfi.com> for ****@****.com
2007-08-03 16:55:44 1IGyZ6-0001Ve-0i => **** <****@****.com> F=<emailtesting@gfi.com> R=virtual_user T=virtual_localdelivery S=4425
2007-08-03 16:55:44 1IGyZ6-0001Ve-0i Completed
2007-08-03 16:55:44 1IGyZ6-0001Vd-Ix <= emailtesting@gfi.com H=gfiservers.gfi.com (S44374) [69.20.55.130] P=esmtp S=3617 id=S44374mCn571zZfbUeh00000567@S44374 T="Long subject vulnerability test (Outlook 2000)" from <emailtesting@gfi.com> for ****@****.com
2007-08-03 16:55:44 1IGyZ6-0001Vd-Ix => **** <****@****.com> F=<emailtesting@gfi.com> R=virtual_user T=virtual_localdelivery S=3785
2007-08-03 16:55:44 1IGyZ6-0001Vd-Ix Completed
2007-08-03 16:55:44 1IGyZ6-0001Ve-LV H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2007-08-03 16:55:45 1IGyZ7-0001Vd-77 H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2007-08-03 16:55:45 1IGyZ7-0001Ve-A3 H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (Exploit.ObjCodebase.Calc)
2007-08-03 16:55:45 1IGyZ7-0001Vd-Ri H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)

I don't know exactly which steps I've done to get to a working version: Exim + SpamBlocker2 + ClamAV

Also, # ls /var/run/clamav/ shows me clamd and not clamd.socket


But I hope this post will help you a little.. ;)
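
Several failures in this thread come down to exim.conf pointing at a socket that clamd is not listening on: a socket named clamd.socket while Exim looks for clamd, or av_scanner set to 127.0.0.1 3310 while clamd.conf has no TCPSocket. The checker below is an added example, not code from this thread; it compares the two files and lists every mismatch. The sample configurations are constructed from the cases reported here, and the function names are hypothetical.

```python
"""Cross-check exim.conf's av_scanner against clamd.conf's listeners (added example)."""
import re

AV_RE = re.compile(r"^[ \t]*av_scanner[ \t]*=[ \t]*clamd:[ \t]*(.+?)[ \t]*$", re.M)

# Constructed samples modelled on the situations described in the thread.
EXIM_UNIX = "av_scanner = clamd:/var/run/clamav/clamd\n"
EXIM_TCP = "# av_scanner = clamd:/var/run/clamav/clamd\nav_scanner = clamd:127.0.0.1 3310\n"
CLAMD_SUFFIXED = "#Example\nLocalSocket /var/run/clamav/clamd.socket\nMaxThreads 5\n"
CLAMD_MATCHING = "#Example\nLocalSocket /var/run/clamav/clamd\n"
CLAMD_BOTH = CLAMD_MATCHING + "TCPSocket 3310\nTCPAddr 127.0.0.1\n"


def exim_targets(exim_conf):
    """Every uncommented av_scanner target: ('unix', path), ('tcp', (host, port))
    or ('unknown', raw_text)."""
    targets = []
    for raw in AV_RE.findall(exim_conf):
        fields = raw.split()
        if raw.startswith("/"):
            targets.append(("unix", raw))
        elif len(fields) == 2 and fields[1].isdigit():
            targets.append(("tcp", (fields[0], int(fields[1]))))
        else:
            targets.append(("unknown", raw))
    return targets


def clamd_options(clamd_conf):
    """Uncommented 'Key value' lines of clamd.conf as a dict."""
    opts = {}
    for line in clamd_conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            opts[key] = value.strip()
    return opts


def check(exim_conf, clamd_conf):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    opts = clamd_options(clamd_conf)
    targets = exim_targets(exim_conf)
    if "Example" in opts:
        findings.append("clamd.conf still has the Example line, so clamd will refuse to start")
    if not targets:
        findings.append("exim.conf has no active av_scanner = clamd:... line")
    if len(targets) > 1:
        findings.append(f"exim.conf sets av_scanner {len(targets)} times")
    for kind, target in targets:
        if kind == "unix":
            listen = opts.get("LocalSocket")
            if listen is None:
                findings.append(f"exim.conf uses socket {target} but clamd.conf has no LocalSocket")
            elif listen != target:
                findings.append(
                    f"exim.conf uses socket {target} but clamd.conf listens on {listen}")
        elif kind == "tcp":
            host, port = target
            if "TCPSocket" not in opts:
                findings.append(f"exim.conf uses TCP {host}:{port} but clamd.conf has no TCPSocket")
            elif opts["TCPSocket"] != str(port):
                findings.append(
                    f"exim.conf uses port {port} but clamd.conf has TCPSocket {opts['TCPSocket']}")
            elif opts.get("TCPAddr", host) != host:
                findings.append(
                    f"exim.conf connects to {host} but clamd.conf binds TCPAddr {opts['TCPAddr']}")
        else:
            findings.append(f"av_scanner target not understood: {target}")
    return findings


if __name__ == "__main__":
    with open("/etc/exim.conf") as e, open("/etc/clamd.conf") as c:
        for finding in check(e.read(), c.read()) or ["av_scanner and clamd.conf agree"]:
            print(finding)
```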

ah24
08-05-2007, 01:31 PM
Hi, I have another very important question. On DA forum I wrote this post and I don't know how to fix it :(
If you know how to fix this problem I would be grateful.

"On centos 4.4 still errors after installation of clamav:
I installed clamav from this post:
http://www.directadmin.com/forum/sho...highlight=clam


./update.script CLAMAV

at the end of install clamav:


Quote:
./update.script: line 591: /usr/local/sbin/clamd: no such file or directory
./update.script: line 591: /usr/local/bin/freshclam: no such file or directory
clamd: no process killed
freshclam: no process killed
./update.script: line 591: /usr/local/bin/freshclam: no such file or directory
./update.script: line 591: /usr/local/sbin/clamd: no such file or directory
ClamAV auto start when server reboot
clamd: no process killed
freshclam: no process killed
./update.script: line 617: /usr/local/bin/freshclam: no such file or directory
./update.script: line 617: /usr/local/sbin/clamd: no such file or directory"


and during restart of the clamd process I have this: :(((

[admin@ah24 ~]$ /etc/init.d/clamd restart
/etc/init.d/clamd: line 32: Killall: command not found
cat: /var/run/clamd.pid: no such file or directory
kill: usage: kill [-s sigspec | -n signum | -sigspec] [pid | job]... or kill -l [sigspec]

SupermanInNY
08-05-2007, 02:04 PM
Hi, I have another very important question. On DA forum I wrote this post and I don't know how to fix it :(
If you know how to fix this problem I would be grateful.

"On centos 4.4 still errors after installation of clamav:
I installed clamav from this post:
http://www.directadmin.com/forum/sho...highlight=clam


./update.script CLAMAV

at the end of install clamav:


Quote:
./update.script: line 591: /usr/local/sbin/clamd: no such file or directory
./update.script: line 591: /usr/local/bin/freshclam: no such file or directory
clamd: no process killed
freshclam: no process killed
./update.script: line 591: /usr/local/bin/freshclam: no such file or directory
./update.script: line 591: /usr/local/sbin/clamd: no such file or directory
ClamAV auto start when server reboot
clamd: no process killed
freshclam: no process killed
./update.script: line 617: /usr/local/bin/freshclam: no such file or directory
./update.script: line 617: /usr/local/sbin/clamd: no such file or directory"


and during restart of the clamd process I have this: :(((

[admin@ah24 ~]$ /etc/init.d/clamd restart
/etc/init.d/clamd: line 32: Killall: command not found
cat: /var/run/clamd.pid: no such file or directory
kill: usage: kill [-s sigspec | -n signum | -sigspec] [pid | job]... or kill -l [sigspec]



The location of the update.script has moved.
As such, when you run the script it is looking for the wrong path.

Create the following folder:

/usr/local/updatescript/
and place the update.script in it.
Then run it from there.
The 'old' path of /usr/local/directadmin/customapache/update is no longer valid for the script.
So create that directory, move the update.script to it and then run the ./update.script CLAMAV

Hope that helps.

-Alon.

Randy
08-05-2007, 02:10 PM
Anyone tried this?: http://www.howtoforge.com/ispconfig_sanesecurity_clamav_debian_ubuntu

Nobody tried it in combination with DA and Weals DA-Install?

ah24
08-05-2007, 04:27 PM
Bugs in update.script

SupermanInNY, I exactly have this path /usr/local/updatescript
Problem is in file update.script. There are many errors with links
Is:
ln -s /etc/init.d/freshclam /sbin/freshclam
Should be:
ln -s /etc/init.d/freshclam /usr/local/bin/freshclam

Is:
ln -s /etc/init.d/clamd /sbin/clamd
Should be:
ln -s /etc/init.d/clamd /usr/local/sbin/clamd


but clamd is still down and can't start

rldev
08-07-2007, 09:20 AM
I have the same problems. I can not get clamd to work at all since using the update script.(not blaming the script but it does not seem to use standard clam dirs). There should really be DA support for CLAM by now.

ah24
08-07-2007, 09:42 AM
I have a fresh copy of CentOS 4.4 and the newest DA, and I am wondering how it is possible that other users install clamav without any errors. My CentOS is like tear water, zero personal changes. So... how? What is going on?

ah24
08-08-2007, 09:33 AM
rldev has the same problem as I do


I have the same problems. I can not get clamd to work at all since using the update script.(not blaming the script but it does not seem to use standard clam dirs). There should really be DA support for CLAM by now.

nobaloney
08-08-2007, 01:37 PM
I'm not sure what update script you're using for ClamAV. ClamAV will probably be supported by DirectAdmin once SpamBlocker3 is released.

Until then there are many ways of installing ClamAV, all subtly different.

Jeff

ah24
08-08-2007, 02:10 PM
first script from there: http://www.directadmin.com/forum/sho...threadid=10478

second script from there:
http://directadmin.com/forum/showthread.php?t=12099&highlight=clam

both generate errors in my system.

thx for reply Jeff.

nobaloney
08-12-2007, 12:34 PM
Your link for the first one didn't work for me; we use it.

The proper link is:

http://www.directadmin.com/forum/showthread.php?threadid=10478

I don't know why it doesn't work for you; perhaps you should try (if possible) deleting every reference to clamav and clamd from your system, and then try it again.

# find / -name "*clam*"
Delete all you find.

Then try again.

Let us know exactly what errors you're getting.

Jeff

ah24
08-12-2007, 01:43 PM
Hi everyone, Hi Jeff.


I will deleting every reference to clamav and clamd from my system, and then try again install.
# find / -name "*clam*"

installing script from your link: http://www.directadmin.com/forum/sho...threadid=10478


These errors:

Bareword found where operator expected at -e line 1, near "s/^LocalSocket /tmp/clamd"
syntax error at -e line 1, near "s/^LocalSocket /tmp/clamd"
Execution of -e aborted due to compilation errors.
mkdir: can't create folder `/var/run/clamav': File exist
/usr/local/bin/freshclam: error while loading shared libraries: libclamav.so.2: cannot open shared object file: No such file or directory
/usr/local/sbin/clamd: error while loading shared libraries: libclamav.so.2: cannot open shared object file: No such file or directory


[root@ah24 bin]# /etc/init.d/clamd status
bash: /etc/init.d/clamd: No such file or directory

nobaloney
08-12-2007, 03:55 PM
I have no idea why this is failing. The last time I installed it was about a week ago and I had no problems installing it.

Jeff

ah24
08-13-2007, 11:20 AM
I found this: http://www.wains.be/index.php/2006/12/19/centosrhelfedora-web-proxy-antivirus-clamav/

This link is very interesting. It probably works; I have not tested it yet.

Splet
10-17-2007, 12:42 PM
Fix for the perl replace line, please update the original post. MaxThread line updated too, since clamav config file defaults to 20 threads now (clamav-0.91.2):


perl -pi -e 's#^LocalSocket /tmp/clamd.socket#LocalSocket /var/run/clamav/clamd#g' /etc/clamd.conf
perl -pi -e "s/^#MaxThreads 20/MaxThreads 5/g" /etc/clamd.conf

tarquel
11-14-2007, 06:07 PM
mkdir: can't create folder `/var/run/clamav': File exist


Despite the other errors, you might want to look at this first i.e. does it exist already, and if so, then the script assumes that it should as it is trying to create a folder, and a file named that already exists as that name in that location it would seem.

Just a thought...

Regards
Nath.

parsdade
09-13-2009, 10:50 AM
Administrator's Note:
Please see this post before following this thread, which is now approximately two years old:


Note that I am not responsible for anything happening. You should test this locally before putting into production.

There are known problems with SMTP limiter at the moment. If you run SMTP limiter, please only continue if you know what you're doing.

Installing clamav, this could be put into a bash file if ya like.



wget http://surfnet.dl.sourceforge.net/sourceforge/clamav/clamav-0.87.1.tar.gz
tar zxvf clamav-0.87.1.tar.gz
cd clamav*

groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav

./configure --sysconfdir=/etc && make && make install

perl -pi -e "s/^Example/#Example/g" /etc/clamd.conf
perl -pi -e 's#^LocalSocket /tmp/clamd.socket#LocalSocket /var/run/clamav/clamd#g' /etc/clamd.conf
perl -pi -e "s/^#MaxThreads 20/MaxThreads 5/g" /etc/clamd.conf
perl -pi -e "s/^#ScanMail/ScanMail/g" /etc/clamd.conf
perl -pi -e "s/^Example/#Example/g" /etc/freshclam.conf

## Create the dir for the clamav socket
mkdir /var/run/clamav

## Check for updates 24 times a day
/usr/local/bin/freshclam -d -c 24
## Start clamd
/usr/local/sbin/clamd

## Start at boot
echo '' >> /etc/rc.local; echo '## Start Freshclam' >> /etc/rc.local; echo '/usr/local/bin/freshclam -d -c 24' >> /etc/rc.local;
echo '' >> /etc/rc.local; echo '## Start Clamd' >> /etc/rc.local; echo '/usr/local/sbin/clamd' >> /etc/rc.local;



Making changes to exim.conf



pico /etc/exim.conf

## Find primary_hostname and add the following line above
av_scanner = clamd:/var/run/clamav/clamd

## Find check_message:
## Make sure it looks like this:

check_message:
deny message = This message contains malformed MIME ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
deny message = This message contains a virus or other harmful content ($malware_name)
demime = *
malware = *
deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
demime = bat:com:pif:prf:scr:vbs
warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
accept

## Save and exit

## Restart exim
/sbin/service exim restart


I have not yet looked into further configuring the service. Ran a test on http://www.gfi.com/emailsecuritytest/
With the following result in /var/log/exim/mainlog:


2005-11-07 13:06:02 1EZ5lC-0005u7-0Z H=gfiservers.gfi.com [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-07 13:06:02 1EZ5lC-0005u6-88 H=gfiservers.gfi.com [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-07 13:06:02 1EZ5lC-0005u7-Ec H=gfiservers.gfi.com [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (Exploit.ObjCodebase.Calc)
2005-11-07 13:06:02 1EZ5lC-0005u6-MA H=gfiservers.gfi.com [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)



Hello
Dear i do This But When I Restart The Exim
Show :



[root@linux clamav-0.95.2]# /sbin/service exim restart
Shutting down exim: /etc/init.d/exim: line 40: kill: (3016) - No such process

Starting exim: 2009-09-13 17:50:17 Exim configuration error in line 501 of /etc/exim.conf:
error in ACL: unknown ACL condition/modifier in "($malware_name)"



How Solve it ?

nobaloney
09-15-2009, 11:27 AM
Either you don't have ClamAV installed properly, or you're not calling properly, or your exim.conf file is inconsistent with the version of exim you're running.

Jeff

quadium
11-24-2009, 09:38 PM
Is this guide still relevant with the current 1.34.4 version of DA? Also, current ClamAV is 0.95.3, can we swap out the version number and expect it to work okay??

nobaloney
11-25-2009, 10:21 AM
Only you can decide if this works for you. I still use it, and yes, I just swap out the version numbers. If I recall correctly there's a slight change in how newer versions set up the socket, which may require a minor change in exim.conf.

Jeff

pppplus
08-26-2010, 05:46 AM
Hi,

Impossible to find the right config... I do it some days ago, but impossible today. It's probably very easy, but I don't see the problem.


# ls -l /var/run/clamav
total 4
-rw-rw-r-- 1 root root 4 aoŻ 26 14:20 clamd.pid
srw-rw-rw- 1 root root 0 aoŻ 26 14:20 clamd.socket



# ps aux|grep clamd
root 9726 0.2 0.9 168680 120632 ? Ssl 14:19 0:02 /usr/local/sbin/clamd
root 11532 0.0 0.0 61312 760 pts/0 S+ 14:38 0:00 grep clamd

exim.conf : I try these 2 lines, so in the same time


av_scanner = clamd:/usr/local/sbin/clamd
av_scanner = clamd:/var/run/clamav/clamd

+


# ACL that is used after the DATA command
check_message:
deny message = This message contains malformed MIME ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
deny message = This message contains a virus or other harmful content ($malware_name)
demime = *
malware = *
deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
demime = bat:com:pif:prf:scr:vbs
warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
accept


And last one : clamd.conf

##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##


# Comment or remove the line below.
#Example

# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
#LogFile /tmp/clamd.log

# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default: 1M
#LogFileMaxSize 2M

# Log time with each message.
# Default: no
#LogTime yes

# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes

# Use system logger (can work together with LogFile).
# Default: no
#LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

# Enable verbose logging.
# Default: no
#LogVerbose yes

# Provide additional information about the infected file, such as its
# size and hash, together with the virus name. It's recommended to enable
# this option along with SubmitDetectionStats in freshclam.conf.
#ExtendedDetectionInfo yes

# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile /var/run/clamav/clamd.pid

# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#TemporaryDirectory /var/tmp

# Path to the database directory.
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav

# Only load the official signatures published by the ClamAV project.
# Default: no
#OfficialDatabaseOnly no

# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.

# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /var/run/clamav/clamd.socket

# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
#LocalSocketGroup virusgroup

# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
#LocalSocketMode 660

# Remove stale socket after unclean shutdown.
# Default: yes
#FixStaleSocket yes

# TCP port address.
# Default: no
TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.
# Default: 15
#MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
#StreamMaxLength 10M

# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000

# Maximum number of threads running at the same time.
# Default: 10
MaxThreads 5

# Waiting for data from a client socket will timeout after this time (seconds).
# Value of 0 disables the timeout.
# Default: 120
#ReadTimeout 300

# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 5
#CommandReadTimeout 5

# This option specifies how long to wait (in miliseconds) if the send buffer is full.
# Keep this value low to prevent clamd hanging
#
# Default: 500
#SendBufTimeout 200

# Maximum number of queued items (including those being processed by MaxThreads threads)
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file descriptors,
# the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
#
# Default: 100
#MaxQueue 200

# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60

# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
#ExcludePath ^/proc/
#ExcludePath ^/sys/

# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20

# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes

# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes

# Scan files and directories on other filesystems.
# Default: yes
#CrossFilesystems yes

# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600

# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
#User clamav

# Initialize supplementary group access (clamd must be started by root).
# Default: no
#AllowSupplementaryGroups no

# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes

# Don't fork into background.
# Default: no
#Foreground yes

# Enable debug messages in libclamav.
# Default: no
#Debug yes

# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes

# Detect Possibly Unwanted Applications.
# Default: no
#DetectPUA yes

# Exclude a specific PUA category. This directive can be used multiple times.
# See http://www.clamav.net/support/pua for the complete list of PUA
# categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool

# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
#IncludePUA Spy
#IncludePUA Scanner
#IncludePUA RAT

# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to provide accurate detection. This option
# controls the algorithmic detection.
# Default: yes
#AlgorithmicDetection yes


##
## Executable files
##

# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option allows
# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite.
# Default: yes
#ScanPE yes

# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# Default: yes
#ScanELF yes

# With this option clamav will try to detect broken executables (both PE and
# ELF) and mark them as Broken.Executable.
# Default: no
#DetectBrokenExecutables yes


##
## Documents
##

# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# Default: yes
#ScanOLE2 yes

# This option enables scanning within PDF files.
# Default: yes
#ScanPDF yes


##
## Mail files
##

# Enable internal e-mail scanner.
# Default: yes
ScanMail yes

# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: no
#ScanPartialMessages yes


# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes

# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes

# Always block SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockSSLMismatch no

# Always block cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockCloak no

# Allow heuristic match to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes

##
## Data Loss Prevention (DLP)
##

# Enable the DLP module
# Default: No
#StructuredDataDetection yes

# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5

# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal yes

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes


##
## HTML
##

# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
#ScanHTML yes


##
## Archives
##

# ClamAV can scan within archives and compressed files.
# Default: yes
#ScanArchive yes

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
#ArchiveBlockEncrypted no


##
## Limits
##

# The options below protect your system against Denial of Service attacks
# using archive bombs.

# This option sets the maximum amount of data to be scanned for each input file.
# Archives and other containers are recursively extracted and scanned up to this
# value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
#MaxScanSize 150M

# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
#MaxFileSize 30M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: setting this limit too high may result in severe damage to the system.
# Default: 16
#MaxRecursion 10

# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000


##
## Clamuko settings
##

# Enable Clamuko. Dazuko must be configured and running. Clamuko supports
# both Dazuko (/dev/dazuko) and DazukoFS (/dev/dazukofs.ctrl). DazukoFS
# is the preferred option. For more information please visit www.dazuko.org
# Default: no
#ClamukoScanOnAccess yes

# The number of scanner threads that will be started (DazukoFS only).
# Having multiple scanner threads allows Clamuko to serve multiple
# processes simultaneously. This is particularly beneficial on SMP machines.
# Default: 3
#ClamukoScannerCount 3

# Don't scan files larger than ClamukoMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#ClamukoMaxFileSize 10M

# Set access mask for Clamuko (Dazuko only).
# Default: no
#ClamukoScanOnOpen yes
#ClamukoScanOnClose yes
#ClamukoScanOnExec yes

# Set the include paths (all files inside them will be scanned). You can have
# multiple ClamukoIncludePath directives but each directory must be added
# in a seperate line. (Dazuko only)
# Default: disabled
#ClamukoIncludePath /home
#ClamukoIncludePath /students

# Set the exclude paths. All subdirectories are also excluded. (Dazuko only)
# Default: disabled
#ClamukoExcludePath /home/bofh

# With this option enabled ClamAV will load bytecode from the database.
# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
# Default: yes
#Bytecode yes

# Set bytecode security level.
# Possible values:
# None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
# This value is only available if clamav was built with --enable-debug!
# TrustSigned - trust bytecode loaded from signed .c[lv]d files,
# insert runtime safety checks for bytecode loaded from other sources
# Paranoid - don't trust any bytecode, insert runtime checks for all
# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
#
# Default: TrustSigned
#BytecodeSecurity TrustSigned

# Set bytecode timeout in miliseconds.
#
# Default: 60000
# BytecodeTimeout 60000


Errors are (depending on the line in exim):

2010-08-26 14:57:00 1Ooc0q-0003Ot-6N malware acl condition: clamd: unable to connect to UNIX socket /usr/local/sbin/clamd (Permission denied)
2010-08-26 15:22:19 1OocPL-0003zf-CD malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (No such file or directory)


Thanks for your help

nobaloney
08-26-2010, 09:41 AM
Only you know how you installed and configured ClamAV; you need to use an av_scanner line which matches your ClamAV installation.

Jeff

pppplus
08-26-2010, 09:51 AM
Hi Jlasman!

Yes, I know... but I did exactly what is written in the first post of this topic!
And always the same error message.

nobaloney
08-27-2010, 07:36 AM
Check your configuration file to see how it expects to be called. Perhaps someone who's done a recent install can give you more specific help.

Jeff

frosl
11-01-2010, 05:07 AM
@pppplus:

You're calling clamd with:


av_scanner = clamd:/var/run/clamav/clamd


But, as stated in your ls -l of /var/log/clamav, the file is called clamd.socket, and thus you'd have a better result calling it like that.

frosl
11-01-2010, 07:09 AM
@pppplus:

You're calling clamd with:


But, as stated in your ls -l of /var/log/clamav, the file is called clamd.socket, and thus you'd have a better result calling it like that.

The /var/log in my comment should have been "your listing of /var/run/clamav".

E.g. the conf line in exim.conf should be:

av_scanner = clamd:/var/run/clamav/clamd.socket
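
The mismatch discussed above can be checked mechanically. This is an added example, not part of the original posts: it compares the active `LocalSocket` line in clamd.conf with the path in Exim's `av_scanner` line. The function names and the sample files written to a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: does Exim point at the socket clamd actually creates?
# Function names and the sample files below are constructed.

# Print the active (uncommented) LocalSocket path from a clamd.conf.
clamd_local_socket() {
    awk '$1 == "LocalSocket" { print $2; exit }' "$1"
}

# Print the socket path from an Exim "av_scanner = clamd:<path>" line.
exim_av_socket() {
    sed -n 's/^[[:space:]]*av_scanner[[:space:]]*=[[:space:]]*clamd:\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when both files name the same socket, 1 on a mismatch,
# 2 when either setting is missing.
check_av_socket() {
    clamd_sock=$(clamd_local_socket "$1")
    exim_sock=$(exim_av_socket "$2")
    if [ -z "$clamd_sock" ] || [ -z "$exim_sock" ]; then
        echo "missing setting: LocalSocket='$clamd_sock' av_scanner='$exim_sock'"
        return 2
    fi
    if [ "$clamd_sock" != "$exim_sock" ]; then
        echo "MISMATCH: exim uses $exim_sock, clamd listens on $clamd_sock"
        return 1
    fi
    echo "OK: both use $clamd_sock"
    return 0
}

# Constructed sample files reproducing the situation in this thread.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/clamd.conf" <<'EOF'
#Example
PidFile /var/run/clamav/clamd.pid
LocalSocket /var/run/clamav/clamd.socket
#LocalSocketMode 660
EOF
printf 'av_scanner = clamd:/var/run/clamav/clamd\n' > "$demo_dir/exim.bad"
printf 'av_scanner = clamd:/var/run/clamav/clamd.socket\n' > "$demo_dir/exim.good"

check_av_socket "$demo_dir/clamd.conf" "$demo_dir/exim.bad" || echo "exit status $?"
check_av_socket "$demo_dir/clamd.conf" "$demo_dir/exim.good" || echo "exit status $?"
```

On a live host, pass the real /etc/clamd.conf and /etc/exim.conf, then run `ls -l` on the reported path to confirm the socket exists and that the user Exim runs as can reach it.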

@how@
11-21-2010, 10:17 AM
Use what you want and set it in clamav.conf "PidFile" and exim.conf.
END

Wael