FreeBSD 5.4 Clamav tutorial

eds132

I have been lurking around for a quick and simple tutorial to install clamav for exim on DA for a while now. The majority of the tutorials here are a little dated, and most of them call for exiscan patches and so forth. I decided to write my own for all FreeBSD 5.x DA users.

Software
FreeBSD 5.4
DirectAdmin 1.26.1
Exim 4.50

I am a huge fan of KISS (keep it simple, stupid), so if there is a fancier way of doing this then oh well.

First I start with a fresh version of ports.
#rm -rf /usr/ports
#cd /usr
#ftp ftp.freebsd.org
ftp> cd pub/FreeBSD/ports/ports
ftp> get ports.tar.gz
#tar -xvzf ports.tar.gz
#cd /usr/ports/security/clamav
#make install
##I get curl and milter (no purpose, just habit from sendmail days)##
##add the lines
clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"
##to /etc/rc.conf##
##configure clamd.conf and freshclam.conf in /usr/local/etc/
#/usr/local/etc/rc.d/clamav-clamd.sh start
#/usr/local/etc/rc.d/clamav-freshclam.sh start
#cp /etc/exim.conf /etc/exim.conf.bak
#pico -w /etc/exim.conf
##add this line at the top of the config
av_scanner = clamd:/var/run/clamav/clamd
##add this with the other acls (around line 317)
acl_smtp_mime = check_mime
##add this section above check_message:
check_mime:
  warn  decode = default
  deny  message = I don't accept this file type
        ##one line
        condition = ${if match {${lc:$mime_filename}} {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com|.vbs)$\N} {1}{0}}
  deny  message = Hiding of file extensions(CLSID hidden) is not allowed
        condition = ${if match {$mime_filename} {\N\{[a-hA-H0-9-]{25,}\}\N}{1}{0}}
  accept
##add these lines between check_message: and accept
  deny  message = This email may contain virii ($malware_name)
        malware = *
  warn  message = X-Antivirus-Scanner: Scanned with ClamAV

##save and exit pico
##I am lazy, first off. I run exim to check the config.
##If no errors, then I use the DA interface to restart exim and make sure it is running.
#exim --(to check config for errors)

##done
I test using the http://www.eicar.org/anti_virus_test_file.htm virus sigs; with this setup only two of 24 get through.
 
vingertop said:
Works nice with exim 4.53.1 too.
I sure do agree with you on the outdated posts ;-)

I noticed my freshclam was not updating:

ClamAV update process started at Sun Jan 29 02:15:15 2006
Trying again in 5 secs...
ClamAV update process started at Sun Jan 29 02:15:20 2006
Trying again in 5 secs...
ClamAV update process started at Sun Jan 29 02:15:25 2006
Giving up on database.clamav.net...
ERROR: Update failed. Your network may be down or none of the mirrors listed in freshclam.conf is working.

Adding the following line to the IPFW firewall I'm using got the updates flowing again:

allow tcp from me to any out via $oif setup $ks uid clamav

Any ideas on how to control these high tcp ports freshclam is using?
 
vingertop said:
Any ideas on how to control these high tcp ports freshclam is using?

Ok, I am pretty sure freshclam first does a DNS lookup to find a server out of the mirror pool, so port 53/UDP outgoing, and I believe it uses 80/tcp for the initial request for the updated cvd file. Of course all of the responses are in the dynamic range. I don't know of a way to really control those without breaking something else lol.
 
OK, thanks Dude, I got the config of proftpd adjusted to a specific range; it would be very nice for me to control these ranges. I also checked my best friend Google, but no real answer for now.

Thanks again for your reply.
 
##one line
condition = ${if match {${lc:$mime_filename}} {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com|.vbs)$\N} {1}{0}}
deny message = Hiding of file extensions(CLSID hidden) is not allowed
condition = ${if match {$mime_filename} {\N\{[a-hA-H0-9-]{25,}\}\N}{1}{0}}
accept

Hi there,

I've been trying to implement this solution on my FreeBSD box, but whenever I try to restart Exim using DA, it simply says Error Occurred. If I restart from the command line, it starts fine, but I get this in the error logs.

2006-03-01 17:25:18 1FEIto-000GF8-1r H=XXX-XXX-XXX-XXX.jetstream.XXX.XX.XX (toshiba) [XXX.XXX.XXX.XXX] F=<[email protected]> temporarily rejected during MIME ACL checks: invalid "condition" value ""0 deny message = Hiding of file extensions(CLSID hidden) is not allowed""

Where you have ##one line, is everything under that supposed to be on one line and if so, where does the one line end? I assume the accept would be on its own line?

Your help is appreciated.

Cheers!
 
Re: Re: FreeBSD 5.4 Clamav tutorial

Sure, NP. I guess I could have been a little more clear on that! I re-read that and got a little confused myself.

I think you can do a line continuence (lol idk if that is a real word) with a \ and not worry about that text wrapping. But nonetheless, here is the fixed version.

##one line
condition = ${if match {${lc:$mime_filename}} {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com|.vbs)$\N} {1}{0}}
##end of one line
##one line
deny message = Hiding of file extensions(CLSID hidden) is not allowed
##end of one line
##one line
condition = ${if match {$mime_filename} {\N\{[a-hA-H0-9-]{25,}\}\N}{1}{0}}
##end of one line
accept
 
Is it \.vbs or .vbs in this "one line"?

##one line
condition = ${if match {${lc:$mime_filename}} {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com|.vbs)$\N} {1}{0}}
##end of one line


---
BTW. I installed ClamAV into FreeBSD 6.0 with DA. It's working :)
 
It should probably be escaped to work, and it doesn't hurt to escape it.

Jeff
 
Escaped vbs

jlasman said:
It should probably be escaped to work, and it doesn't hurt to escape it.

Jeff

Could this be one of the reasons why it crashes so often?

I now have to use a script that checks every 5 mins to see if clamd is running.

Bit of a pain as emails can be sent or received if clamd crashes.
 
I believe that it should be \. (backslash-dot) because otherwise in a regular expression the . has a special meaning.

But I didn't write the code so all I can say is I believe. If that's not good enough, ask on a ClamAV forum.

Neither will crash anything; if I'm right then a . without the \ in front of it won't do the match correctly. If I'm wrong either will work.

Jeff
 
jlasman said:
I believe that it should be \. (backslash-dot) because otherwise in a regular expression the . has a special meaning.

But I didn't write the code so all I can say is I believe. If that's not good enough, ask on a ClamAV forum.

Neither will crash anything; if I'm right then a . without the \ in front of it won't do the match correctly. If I'm wrong either will work.

Jeff
I agree ;) you should escape that. This part actually doesn't have anything to do with clam and it shouldn't cause clam to crash. It is actually using exim to filter out those file types. It tells the sender that those file types are not accepted and the mail is dropped.
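An added example, not code from the original thread: it runs the two check_mime conditions from the tutorial over constructed filenames in Python, and shows which names the unescaped `.vbs` that jlasman and eds132 discuss blocks that `\.vbs` does not. It assumes Python's `re.search` is a close enough stand-in for Exim's unanchored `${if match}` on these two patterns.

```python
import re

# Patterns copied from the thread's check_mime ACL. Exim evaluates
# ${if match {subject}{regex}} as an unanchored PCRE search, which
# re.search() mirrors for these two expressions (assumption).
BLOCKED_EXT_AS_POSTED = re.compile(r"(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com|.vbs)$")
BLOCKED_EXT_ESCAPED = re.compile(r"(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com|\.vbs)$")
# "{...}" run of 25+ characters that hides the real extension in Explorer
CLSID_HIDDEN = re.compile(r"\{[a-hA-H0-9-]{25,}\}")


def check_mime(filename, pattern=BLOCKED_EXT_ESCAPED):
    """Verdict for one MIME part, in the order the ACL evaluates it:
    ('deny', reason) or ('accept', None)."""
    name = filename or ""  # an empty $mime_filename matches nothing
    # first deny: the ACL lowercases the name with ${lc:...} before matching
    if pattern.search(name.lower()):
        return ("deny", "I don't accept this file type")
    # second deny: runs on the raw $mime_filename
    if CLSID_HIDDEN.search(name):
        return ("deny", "Hiding of file extensions(CLSID hidden) is not allowed")
    return ("accept", None)


def false_positives(filenames):
    """Names the unescaped '.vbs' blocks that the escaped '\\.vbs' lets through:
    the bare dot matches any character, so anything ending in 'vbs' is denied."""
    return [f for f in filenames
            if BLOCKED_EXT_AS_POSTED.search(f.lower())
            and not BLOCKED_EXT_ESCAPED.search(f.lower())]


if __name__ == "__main__":
    # constructed sample attachment names
    samples = ["Invoice.PDF.EXE", "report.doc", "macro.vbs", "survey-vbs",
               "readme.txt{11111111-2222-3333-4444-555555555555}"]
    for s in samples:
        print(s, "->", check_mime(s))
    print("blocked only by the unescaped pattern:", false_positives(samples))
```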
 
Work fine with freeBSD 5.4

In the first part I download clamAV as tar.gz and do make install instead of using the port

and then follow script from this line
clamav_clamd_enable="YES"

as I see many are a bit confused on the #one line comment :D let's see reply #6 by eds132

##one line
condition = ${if match {${lc:$mime_filename}} {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com|.vbs)$\N} {1}{0}}
##end of one line
##one line
deny message = Hiding of file extensions(CLSID hidden) is not allowed
##end of one line
##one line
condition = ${if match {$mime_filename} {\N\{[a-hA-H0-9-]{25,}\}\N}{1}{0}}
##end of one line
accept
 
kke said:
Work fine with freeBSD 5.4

In the first part I download clamAV as tar.gz and do make install instead of using the port

and then follow script from this line
clamav_clamd_enable="YES"

as I see many are a bit confused on the #one line comment :D let's see reply #6 by eds132

I can't prevent the text from wrapping :( oh well. I guess I could probably post a plain text version on the web somewhere.
 