HowTo: ClamAV

ju5t

Verified User
Joined
Sep 14, 2005
Messages
384
Administrator's Note:
Please see this post before following this thread, which is now approximately two years old:
Note that I am not responsible for anything happening. You should test this locally before putting into production.

There are known problems with SMTP limiter at the moment. If you run SMTP limiter, please only continue if you know what you're doing.

Installing clamav; this could be put into a bash file if ya like.

Code:
wget http://surfnet.dl.sourceforge.net/sourceforge/clamav/clamav-0.87.1.tar.gz
tar zxvf clamav-0.87.1.tar.gz
cd clamav*

groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav

./configure --sysconfdir=/etc && make && make install

perl -pi -e "s/^Example/#Example/g" /etc/clamd.conf
perl -pi -e 's#^LocalSocket /tmp/clamd.socket#LocalSocket /var/run/clamav/clamd#g' /etc/clamd.conf
perl -pi -e "s/^#MaxThreads 20/MaxThreads 5/g" /etc/clamd.conf
perl -pi -e "s/^#ScanMail/ScanMail/g" /etc/clamd.conf
perl -pi -e "s/^Example/#Example/g" /etc/freshclam.conf

## Create the dir for the clamav socket
mkdir /var/run/clamav

## Check for updates 24 times a day
/usr/local/bin/freshclam  -d -c 24
## Start clamd
/usr/local/sbin/clamd

## Start at boot
echo '' >> /etc/rc.local; echo '## Start Freshclam'  >> /etc/rc.local; echo '/usr/local/bin/freshclam -d -c 24'  >> /etc/rc.local;
echo '' >> /etc/rc.local; echo '## Start Clamd' >> /etc/rc.local; echo '/usr/local/sbin/clamd' >> /etc/rc.local;
Making changes to exim.conf

Code:
pico /etc/exim.conf

## Find primary_hostname and add the following line above
av_scanner = clamd:/var/run/clamav/clamd

## Find check_message:
## Make sure it looks like this:

check_message:
  deny  message   = This message contains malformed MIME ($demime_reason)
        demime    = *
        condition = ${if >{$demime_errorlevel}{2}{1}{0}}

  deny  message   = This message contains a virus or other harmful content ($malware_name)
        demime    = *
        malware   = *

  deny  message   = This message contains an attachment of a type which we do not accept (.$found_extension)
        demime    = bat:com:pif:prf:scr:vbs

  warn  message   = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

  accept

## Save and exit

## Restart exim
/sbin/service exim restart
I have not yet looked into further configuring the service. I ran a test on http://www.gfi.com/emailsecuritytest/ with the following result in /var/log/exim/mainlog:
Code:
2005-11-07 13:06:02 1EZ5lC-0005u7-0Z H=gfiservers.gfi.com [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-07 13:06:02 1EZ5lC-0005u6-88 H=gfiservers.gfi.com [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-07 13:06:02 1EZ5lC-0005u7-Ec H=gfiservers.gfi.com [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (Exploit.ObjCodebase.Calc)
2005-11-07 13:06:02 1EZ5lC-0005u6-MA H=gfiservers.gfi.com [69.20.55.130] F=<emailtesting@gfi.com> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
 

hostpc.com

Verified User
Joined
Aug 2, 2003
Messages
1,178
Location
Schenectady, NY
2005-11-07 09:40:41 1EZ8Ar-0005lm-93 malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (No such file or directory)

The only clamav files found were:

/usr/local/bin/clamdscan
/usr/local/sbin/clamd
/usr/local/man/man1/clamdscan.1
/usr/local/man/man5/clamd.conf.5
/usr/local/man/man8/clamd.8
Runtime failed ...

Changed

pico /etc/exim.conf

## Find primary_hostname and add the following line above
av_scanner = clamd:/var/run/clamav/clamd

TO:

pico /etc/exim.conf

## Find primary_hostname and add the following line above
av_scanner = clamd:/usr/local/sbin/clamd
And these appeared:

2005-11-07 09:45:19 1EZ8FL-0005rN-R6 malware acl condition: clamd: unable to connect to UNIX socket /usr/local/sbin/clamd (Permission denied)
2005-11-07 09:45:19 1EZ8FL-0005rN-R6 H=www13.hostpc.com [72.35.71.67] F=<root@www13.hostpc.com> temporarily rejected after DATA
 

ju5t

Verified User
Joined
Sep 14, 2005
Messages
384
I'm sorry, forgot to start clamd in the starting post.
Never knew there was a disable smilies button, thanks for making me search a bit further, hehe.

Code:
## Start clamd
/usr/local/sbin/clamd

## Start at boot
echo '' >> /etc/rc.local; echo '## Start Freshclam'  >> /etc/rc.local; echo '/usr/local/bin/freshclam -d -c 24'  >> /etc/rc.local;
echo '' >> /etc/rc.local; echo '## Start Clamd' >> /etc/rc.local; echo '/usr/local/sbin/clamd' >> /etc/rc.local;
Change the exim.conf file back to:
av_scanner = clamd:/var/run/clamav/clamd
 

hostpc.com

Verified User
Joined
Aug 2, 2003
Messages
1,178
Location
Schenectady, NY
Sorry, still not working:

2005-11-07 09:54:48 1EZ8OT-00065V-8B malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (No such file or directory)
2005-11-07 09:54:48 1EZ8OT-00065V-8B H=(domain.com) [XXX.XXX.XXX.XXX] F=<hbradford@emailremoved> temporarily rejected after DATA
2005-11-07 09:54:51 1EZ8OZ-00065W-3q malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (No such file or directory)

temporarily rejected after DATA
 

hostpc.com

Verified User
Joined
Aug 2, 2003
Messages
1,178
Location
Schenectady, NY
With this clamd:

2005-11-07 09:51:02 1EZ8Ks-00061y-CP H=www13.hostpc.com [72.35.71.67] F=<root@www13.hostpc.com> temporarily rejected after DATA
After, without:

2005-11-07 09:59:25 1EZ8Sz-0006Bo-HP => joe <joe@hostpc.com> F=<root@www13.hostpc.com> R=spamcheck_director T=spamcheck S=750
 

ju5t

Verified User
Joined
Sep 14, 2005
Messages
384
# ls -l /var/run/clamav
If this returns "ls: /var/run/clamav: No such file or directory":

# mkdir /var/run/clamav

# ps aux|grep clamd

Should not be running, else kill it.

# kill -9 pid

Start it
# /usr/local/sbin/clamd

Will add this to the howto.
 

GranTW

Verified User
Joined
Sep 23, 2005
Messages
135
Hi,

maybe you will have to tell clamd to run via localsocket and not port.

nano /etc/clamd.conf

Look for

# Path to a local socket file the daemon will listen on.
# Default: disabled
LocalSocket /var/run/clamav/clamd

and make sure it's uncommented and that the path matches the one in exim.conf

Then look for

TCPSocket 3310
and
TCPAddr 127.0.0.1

and comment both lines out.

save and then restart clamd.

And exim should then be able to connect through the LocalSocket :)

Thanks,
Grant
 

@how@

Verified User
Joined
Mar 2, 2005
Messages
962
Location
Kingdom of Bahrain
error in exim
Code:
]# /sbin/service exim restart
Shutting down exim:
Starting exim: 2005-11-09 21:15:35 Exim configuration error in line 569 of /etc/exim.conf:
  error in ACL: unknown ACL condition/modifier in "demime = *"
 

@how@

Verified User
Joined
Mar 2, 2005
Messages
962
Location
Kingdom of Bahrain
I have a spare exim.conf and I restored it.

I run the SMTP Limiter Plugin, and in exim.conf I find check_message: (there is some SMTP Limiter in there). If I add
Code:
  deny  message   = This message contains malformed MIME ($demime_reason)
        demime    = *
        condition = ${if >{$demime_errorlevel}{2}{1}{0}}

  deny  message   = This message contains a virus or other harmful content ($malware_name)
        demime    = *
        malware   = *

  deny  message   = This message contains an attachment of a type which we do not accept (.$found_extension)
        demime    = bat:com:pif:prf:scr:vbs

  warn  message   = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

  accept
and I restart exim, I get this error:
Code:
# /sbin/service exim restart
Shutting down exim:
Starting exim: 2005-11-09 21:15:35 Exim configuration error in line 569 of /etc/exim.conf:
  error in ACL: unknown ACL condition/modifier in "demime = *"
 

@how@

Verified User
Joined
Mar 2, 2005
Messages
962
Location
Kingdom of Bahrain
GranTW said:
Thanks Grant.
I run a firewall; I need to open a port for ClamAV to update itself.

And I can't send any mail with Outlook; every time I get this error:

An unknown error has occurred. Subject 'vvvvvv', Account: '*****@*****.net', Server: 'mail.*****.net', Protocol: SMTP, Server Response: '451 Temporary local problem - please try later', Port: 25, Secure(SSL): No, Server Error: 451, Error Number: 0x800CCC6A
 

@how@

Verified User
Joined
Mar 2, 2005
Messages
962
Location
Kingdom of Bahrain
/etc/exim.conf


After check_message:
Code:
  deny condition = ${if def:acl_c0{${if exists{/etc/virtual/.smtp_deny/$acl_c0} {yes}}}}
       message = User $acl_c0 is not allowed to use SMTP
If I add the block before or after it, I get an error:
Code:
  deny  message   = This message contains malformed MIME ($demime_reason)
        demime    = *
        condition = ${if >{$demime_errorlevel}{2}{1}{0}}

  deny  message   = This message contains a virus or other harmful content ($malware_name)
        demime    = *
        malware   = *

  deny  message   = This message contains an attachment of a type which we do not accept (.$found_extension)
        demime    = bat:com:pif:prf:scr:vbs

  warn  message   = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
Any help?
 

ju5t

Verified User
Joined
Sep 14, 2005
Messages
384
I honestly don't know how to get this working with the SMTP limiter. We're not using it ourselves.

Maybe ClayRabbit can assist you with that.

I will update my first post so people know this.
 

jerry2005

Verified User
Joined
May 13, 2005
Messages
92
Location
Netherlands
Getting an error executing:

perl -pi -e "s/^LocalSocket /tmp/clamd/LocalSocket /var/run/clamav/clamd/g" /etc/clamd.conf

Output:

Bareword found where operator expected at -e line 1, near "s/^LocalSocket /tmp/clamd"
syntax error at -e line 1, near "s/^LocalSocket /tmp/clamd"
Execution of -e aborted due to compilation errors.


Is it a Debian-related problem?
 

ju5t

Verified User
Joined
Sep 14, 2005
Messages
384
jerry2005 said:
Getting an error executing:

perl -pi -e "s/^LocalSocket /tmp/clamd/LocalSocket /var/run/clamav/clamd/g" /etc/clamd.conf

Output:

Bareword found where operator expected at -e line 1, near "s/^LocalSocket /tmp/clamd"
syntax error at -e line 1, near "s/^LocalSocket /tmp/clamd"
Execution of -e aborted due to compilation errors.


Is it a Debian-related problem?
No, you can do it manually.

Open /etc/clamd.conf
Code:
Search for Example and replace it with #Example
Search for MaxThreads and set it to MaxThreads 5
    Uncomment if needed.
Search for #ScanMail and replace it with ScanMail
Search for LocalSocket and set it to LocalSocket /var/run/clamav/clamd
    Make sure you perform the mkdir command as in the starting post
Save & Close

Open /etc/freshclam.conf
Code:
Search for Example and replace it with #Example
Save & Close

This is exactly the same though done manually.
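The same edits done in Python, as an added example that is not from the thread and not ClamAV's or Exim's own tooling. It covers the `perl -pi -e` lines of the starting post (which break when a pattern written with `/` delimiters contains a path with `/` in it, the error jerry2005 hit; the starting post avoids that with `#` delimiters), GranTW's advice to comment out TCPSocket/TCPAddr, and the manual checklist just above, and it then verifies that the active LocalSocket matches Exim's `av_scanner` line. The clamd.conf and exim.conf samples are constructed, not copied from any release; `edit_file` is the only part that touches a real file, and it keeps a `.bak` copy.

```python
"""Apply the clamd.conf edits from this thread and check them against Exim.

Added example, not the thread's own commands. Both config samples below are
constructed, not copied from any ClamAV or Exim release.
"""
import re
import shutil

# Same edits as the starting post, plus commenting out TCPSocket/TCPAddr so
# clamd is reached through the UNIX socket that Exim's av_scanner names.
CLAMD_EDITS = [
    (r"^Example$", "#Example"),
    (r"^#?LocalSocket\s.*$", "LocalSocket /var/run/clamav/clamd"),
    (r"^#MaxThreads 20$", "MaxThreads 5"),
    (r"^#ScanMail$", "ScanMail"),
    (r"^(TCPSocket\s.*)$", r"#\1"),
    (r"^(TCPAddr\s.*)$", r"#\1"),
]
FRESHCLAM_EDITS = [(r"^Example$", "#Example")]

SAMPLE_CLAMD_CONF = """\
## Constructed sample resembling a freshly installed clamd.conf
Example
LocalSocket /tmp/clamd.socket
TCPSocket 3310
TCPAddr 127.0.0.1
#MaxThreads 20
#ScanMail
"""

SAMPLE_EXIM_CONF = """\
av_scanner = clamd:/var/run/clamav/clamd
primary_hostname = mail.example.com
"""


def apply_edits(text, edits):
    """Line-anchored regex substitutions over a whole file, like perl -pi -e."""
    for pattern, repl in edits:
        text = re.sub(pattern, repl, text, flags=re.MULTILINE)
    return text


def edit_file(path, edits):
    """Rewrite a config file in place, keeping a .bak copy of the original."""
    with open(path) as fh:
        original = fh.read()
    shutil.copyfile(path, path + ".bak")
    with open(path, "w") as fh:
        fh.write(apply_edits(original, edits))


def active_directives(text):
    """Return {Directive: value} for the uncommented lines of a clamd-style config."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf


def check_against_exim(clamd_conf, exim_conf):
    """List the mismatches this thread ran into; an empty list means they agree."""
    problems = []
    clamd = active_directives(clamd_conf)
    if "Example" in clamd:
        problems.append("clamd.conf still has the 'Example' line active")
    m = re.search(r"^av_scanner\s*=\s*clamd:(\S+)", exim_conf, re.MULTILINE)
    if not m:
        return problems + ["exim.conf has no 'av_scanner = clamd:<socket>' line"]
    exim_path = m.group(1)
    local = clamd.get("LocalSocket")
    if not local:
        problems.append("clamd.conf has no active LocalSocket; nothing will listen at %s" % exim_path)
    elif local != exim_path:
        problems.append("LocalSocket %s does not match Exim's %s" % (local, exim_path))
    if "TCPSocket" in clamd or "TCPAddr" in clamd:
        problems.append("TCPSocket/TCPAddr are still active; comment them out (GranTW's advice)")
    return problems


def demo():
    """Check the constructed sample before and after applying the edits."""
    before = check_against_exim(SAMPLE_CLAMD_CONF, SAMPLE_EXIM_CONF)
    fixed = apply_edits(SAMPLE_CLAMD_CONF, CLAMD_EDITS)
    after = check_against_exim(fixed, SAMPLE_EXIM_CONF)
    return before, fixed, after
```

On a real box this is `edit_file("/etc/clamd.conf", CLAMD_EDITS)` and `edit_file("/etc/freshclam.conf", FRESHCLAM_EDITS)` as root, followed by the `mkdir /var/run/clamav` and clamd start from the starting post; `check_against_exim` run over the two real files reports whether the LocalSocket path and `av_scanner` still disagree before exim is restarted.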
 