HowTo: ClamAV

ju5t (Verified User; joined Sep 14, 2005; 409 messages; Amsterdam)
Administrator's Note:
Please see this post before following this thread, which is now approximately two years old:

Note that I am not responsible for anything happening. You should test this locally before putting it into production.

There are known problems with SMTP limiter at the moment. If you run SMTP limiter, please only continue if you know what you're doing.

Installing clamav; this could be put into a bash file if you like.

Code:
wget http://surfnet.dl.sourceforge.net/sourceforge/clamav/clamav-0.87.1.tar.gz
tar zxvf clamav-0.87.1.tar.gz
cd clamav*

groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav

./configure --sysconfdir=/etc && make && make install

## Disable the "Example" line, otherwise clamd refuses to start with the shipped config
perl -pi -e "s/^Example/#Example/g" /etc/clamd.conf
## Listen on a local socket at the path exim will be pointed at (note the # delimiters, the path contains slashes)
perl -pi -e 's#^LocalSocket /tmp/clamd.socket#LocalSocket /var/run/clamav/clamd#g' /etc/clamd.conf
## Limit the number of scanning threads
perl -pi -e "s/^#MaxThreads 20/MaxThreads 5/g" /etc/clamd.conf
## Enable scanning of mail files
perl -pi -e "s/^#ScanMail/ScanMail/g" /etc/clamd.conf
## Same "Example" line in the freshclam config
perl -pi -e "s/^Example/#Example/g" /etc/freshclam.conf

## Create the dir for the clamav socket
mkdir /var/run/clamav

## Check for updates 24 times a day
/usr/local/bin/freshclam  -d -c 24
## Start clamd
/usr/local/sbin/clamd

## Start at boot
echo '' >> /etc/rc.local; echo '## Start Freshclam'  >> /etc/rc.local; echo '/usr/local/bin/freshclam -d -c 24'  >> /etc/rc.local;
echo '' >> /etc/rc.local; echo '## Start Clamd' >> /etc/rc.local; echo '/usr/local/sbin/clamd' >> /etc/rc.local;

Making changes to exim.conf

Code:
pico /etc/exim.conf

## Find primary_hostname and add the following line above
av_scanner = clamd:/var/run/clamav/clamd

## Find check_message:
## Make sure it looks like this:

check_message:
  deny message = This message contains malformed MIME ($demime_reason)
       demime = *
       condition = ${if >{$demime_errorlevel}{2}{1}{0}}
  deny message = This message contains a virus or other harmful content ($malware_name)
       demime = *
       malware = *
  deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
       demime = bat:com:pif:prf:scr:vbs
  warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
  accept

## Save and exit

## Restart exim
/sbin/service exim restart

I have not yet looked into further configuring the service. I ran a test on http://www.gfi.com/emailsecuritytest/
with the following result in /var/log/exim/mainlog:
Code:
2005-11-07 13:06:02 1EZ5lC-0005u7-0Z H=gfiservers.gfi.com [69.20.55.130] F=<[email protected]> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-07 13:06:02 1EZ5lC-0005u6-88 H=gfiservers.gfi.com [69.20.55.130] F=<[email protected]> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-07 13:06:02 1EZ5lC-0005u7-Ec H=gfiservers.gfi.com [69.20.55.130] F=<[email protected]> rejected after DATA: This message contains a virus or other harmful content (Exploit.ObjCodebase.Calc)
2005-11-07 13:06:02 1EZ5lC-0005u6-MA H=gfiservers.gfi.com [69.20.55.130] F=<[email protected]> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
 
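The clamd.conf and freshclam.conf edits from the howto above, as an added example that is not part of the original post: a sh script that makes the same substitutions with sed, using `|` as the delimiter so the slashes in the socket path need no escaping (the pitfall behind the perl -e compilation error reported later in this thread), also comments out TCPSocket/TCPAddr as advised further down, and then verifies the result before clamd is started. `SOCKET_PATH`, the function names and the sample config it builds are mine; the sample is constructed for a dry run and is not a real ClamAV file.

```shell
#!/bin/sh
# Added example, not from the original post: apply the clamd.conf and
# freshclam.conf edits from the howto with sed and verify them. Using '|'
# as the s||| delimiter means the slashes in the socket path need no
# escaping. The sample config below is constructed, not a real file.

SOCKET_PATH=/var/run/clamav/clamd   # must equal the path in exim's av_scanner

# Rewrite a clamd.conf in place (a .bak copy is kept). Safe to rerun:
# a second pass changes nothing.
configure_clamd_conf() {
    conf=$1
    cp "$conf" "$conf.bak"
    sed -e 's|^Example|#Example|' \
        -e "s|^#*LocalSocket .*|LocalSocket $SOCKET_PATH|" \
        -e 's|^#MaxThreads 20|MaxThreads 5|' \
        -e 's|^#ScanMail|ScanMail|' \
        -e 's|^TCPSocket|#TCPSocket|' \
        -e 's|^TCPAddr|#TCPAddr|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# freshclam.conf only needs the Example line disabled.
configure_freshclam_conf() {
    cp "$1" "$1.bak"
    sed -e 's|^Example|#Example|' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Return 0 when the file has the settings exim relies on, 1 otherwise,
# naming the first problem on stderr.
verify_clamd_conf() {
    conf=$1
    if grep -q '^Example' "$conf"; then
        echo "$conf: Example line still active, clamd will refuse to start" >&2; return 1
    fi
    if ! grep -q "^LocalSocket $SOCKET_PATH\$" "$conf"; then
        echo "$conf: LocalSocket is not $SOCKET_PATH" >&2; return 1
    fi
    if grep -q '^TCPSocket' "$conf"; then
        echo "$conf: TCPSocket still active, comment it out" >&2; return 1
    fi
    return 0
}

# Constructed stand-in for a freshly installed clamd.conf (dry-run input).
make_sample_conf() {
    cat > "$1" <<'EOF'
## Constructed sample resembling a shipped clamd.conf; not a real file
Example
#LogFile /tmp/clamd.log
LocalSocket /tmp/clamd.socket
TCPSocket 3310
TCPAddr 127.0.0.1
#MaxThreads 20
#ScanMail
EOF
}

# Dry run on a temp copy:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    make_sample_conf "$f"
    configure_clamd_conf "$f"
    verify_clamd_conf "$f" && echo "clamd.conf OK:" && cat "$f"
    rm -f "$f" "$f.bak"
fi
```

On a real box the calls are `configure_clamd_conf /etc/clamd.conf; configure_freshclam_conf /etc/freshclam.conf; verify_clamd_conf /etc/clamd.conf`, run as root before `mkdir /var/run/clamav` and the daemon start from the howto.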
2005-11-07 09:40:41 1EZ8Ar-0005lm-93 malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (No such file or directory)

The only clamav files found were:

/usr/local/bin/clamdscan
/usr/local/sbin/clamd
/usr/local/man/man1/clamdscan.1
/usr/local/man/man5/clamd.conf.5
/usr/local/man/man8/clamd.8

Runtime failed ...

Changed

pico /etc/exim.conf

## Find primary_hostname and add the following line above
av_scanner = clamd:/var/run/clamav/clamd


TO:

pico /etc/exim.conf

## Find primary_hostname and add the following line above
av_scanner = clamd:/usr/local/sbin/clamd

And these appeared:

2005-11-07 09:45:19 1EZ8FL-0005rN-R6 malware acl condition: clamd: unable to connect to UNIX socket /usr/local/sbin/clamd (Permission denied)
2005-11-07 09:45:19 1EZ8FL-0005rN-R6 H=www13.hostpc.com [72.35.71.67] F=<[email protected]> temporarily rejected after DATA
 
I'm sorry, I forgot to start clamd in the starting post.
Never knew there was a disable smilies button, thanks for making me search a bit further, hehe.

Code:
## Start clamd
/usr/local/sbin/clamd

## Start at boot
echo '' >> /etc/rc.local; echo '## Start Freshclam'  >> /etc/rc.local; echo '/usr/local/bin/freshclam -d -c 24'  >> /etc/rc.local;
echo '' >> /etc/rc.local; echo '## Start Clamd' >> /etc/rc.local; echo '/usr/local/sbin/clamd' >> /etc/rc.local;

Change the exim.conf file back to:
av_scanner = clamd:/var/run/clamav/clamd
 
Sorry, still not working:

2005-11-07 09:54:48 1EZ8OT-00065V-8B malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (No such file or directory)
2005-11-07 09:54:48 1EZ8OT-00065V-8B H=(domain.com) [XXX.XXX.XXX.XXX] F=<hbradford@emailremoved> temporarily rejected after DATA
2005-11-07 09:54:51 1EZ8OZ-00065W-3q malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (No such file or directory)

temporarily rejected after DATA
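A way to read mainlog lines like the ones in this thread, as an added example that is not from any post here: it counts the messages the check_message ACL rejected per reason and, more importantly for day-to-day operation, counts the "unable to connect to UNIX socket" failures and the resulting "temporarily rejected after DATA" deferrals, since each of those means Exim answered 451 instead of scanning the message. The log it builds is constructed in the thread's format with example.test addresses and documentation IP addresses; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: summarise an Exim mainlog for the
# two things this setup produces - messages rejected by the malware ACL,
# and scanner connection failures (which make Exim defer with 451).
# The sample log below is constructed in the format seen in the thread.

# Count "rejected after DATA" lines whose reason in parentheses equals $2.
rejections_for() {
    awk -v want="$2" '/rejected after DATA: / {
        r = $0; sub(/.*\(/, "", r); sub(/\)$/, "", r)
        if (r == want) c++
    } END { print c + 0 }' "$1"
}

# Print "<count> <reason>" for every rejection reason seen, most frequent first.
rejection_summary() {
    awk '/rejected after DATA: / {
             r = $0; sub(/.*\(/, "", r); sub(/\)$/, "", r); n[r]++
         }
         END { for (r in n) print n[r], r }' "$1" | sort -rn
}

# Lines where the malware ACL could not reach clamd. grep -c prints 0 and
# exits 1 when nothing matches, so the "|| :" keeps the count usable.
scanner_failures() {
    grep -c 'malware acl condition: clamd: unable to connect' "$1" || :
}

# Messages Exim deferred with 451 (the sender will retry, nothing is scanned).
deferrals() {
    grep -c 'temporarily rejected after DATA' "$1" || :
}

# Return 1 (and warn) if any scanner failure was logged: treat as an outage.
scanner_healthy() {
    n=$(scanner_failures "$1")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n clamd connection failures, $(deferrals "$1") messages deferred with 451" >&2
        return 1
    fi
    echo "scanner OK: no clamd connection failures in $1"
    return 0
}

# Constructed sample log (addresses and hosts are made up).
sample_log() {
    cat > "$1" <<'EOF'
2005-11-07 13:06:02 1EZ5lC-0005u7-0Z H=mx.example.test [192.0.2.10] F=<sender@example.test> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-07 13:06:02 1EZ5lC-0005u6-88 H=mx.example.test [192.0.2.10] F=<sender@example.test> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-07 13:06:02 1EZ5lC-0005u7-Ec H=mx.example.test [192.0.2.10] F=<sender@example.test> rejected after DATA: This message contains a virus or other harmful content (Exploit.ObjCodebase.Calc)
2005-11-07 13:06:02 1EZ5lC-0005u6-MA H=mx.example.test [192.0.2.10] F=<sender@example.test> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-07 13:10:00 1EZ5pC-0005v1-01 <= user@example.test H=client.example.test [192.0.2.20] P=esmtp S=1234
2005-11-07 13:10:01 1EZ5pC-0005v1-01 => user@example.test R=localuser T=local_delivery
2005-11-07 09:54:48 1EZ8OT-00065V-8B malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (No such file or directory)
2005-11-07 09:54:48 1EZ8OT-00065V-8B H=(domain.example.test) [192.0.2.30] F=<someone@example.test> temporarily rejected after DATA
2005-11-07 09:54:51 1EZ8OZ-00065W-3q malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (No such file or directory)
2005-11-07 09:54:51 1EZ8OZ-00065W-3q H=(domain.example.test) [192.0.2.30] F=<someone@example.test> temporarily rejected after DATA
EOF
}

# Demo on the constructed log:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    sample_log "$f"
    rejection_summary "$f"
    scanner_healthy "$f" || :
    rm -f "$f"
fi
```

On a live server point the functions at /var/log/exim/mainlog; a cron job running `scanner_healthy` is a cheap way to notice that clamd died (or its socket path changed) before the deferred senders do.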
 
# ls -l /var/run/clamav
If this returns "ls: /var/run/clamav: No such file or directory":

# mkdir /var/run/clamav

# ps aux|grep clamd

Should not be running, else kill it.

# kill -9 pid

Start it
# /usr/local/sbin/clamd

Will add this to the howto.
 
Hi,

Maybe you will have to tell clamd to run via LocalSocket and not a port.

nano /etc/clamd.conf

Look for

# Path to a local socket file the daemon will listen on.
# Default: disabled
LocalSocket /var/run/clamav/clamd

and make sure it's uncommented and that the path matches the one in exim.conf.

Then look for

TCPSocket 3310
and
TCPAddr 127.0.0.1

and comment both lines out.

Save and then restart clamd.

And exim should then be able to connect through the LocalSocket :)

Thanks,
Grant
 
error in exim
Code:
# /sbin/service exim restart
Shutting down exim:
Starting exim: 2005-11-09 21:15:35 Exim configuration error in line 569 of /etc/exim.conf:
  error in ACL: unknown ACL condition/modifier in "demime = *"
 
I have a spare exim.conf and I restored it.

I run the SMTP Limiter Plugin, and in exim.conf I find check_message: (there is some SMTP Limiter stuff in there); if I add
Code:
  deny message = This message contains malformed MIME ($demime_reason)
       demime = *
       condition = ${if >{$demime_errorlevel}{2}{1}{0}}
  deny message = This message contains a virus or other harmful content ($malware_name)
       demime = *
       malware = *
  deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
       demime = bat:com:pif:prf:scr:vbs
  warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
  accept

and I restart exim, I get this error:
Code:
# /sbin/service exim restart
Shutting down exim:
Starting exim: 2005-11-09 21:15:35 Exim configuration error in line 569 of /etc/exim.conf:
  error in ACL: unknown ACL condition/modifier in "demime = *"
 
Thanks Grant,
I run a firewall; I need to open a port for ClamAV to update itself.

And I can't send any mail by Outlook; all the time this error:

An unknown error has occurred. Subject 'vvvvvv', Account: '*****@*****.net', Server: 'mail.*****.net', Protocol: SMTP, Server Response: '451 Temporary local problem - please try later', Port: 25, Secure(SSL): No, Server Error: 451, Error Number: 0x800CCC6A
 
/etc/exim.conf


After check_message:
Code:
  deny condition = ${if def:acl_c0{${if exists{/etc/virtual/.smtp_deny/$acl_c0} {yes}}}}
       message = User $acl_c0 is not allowed to use SMTP

If I add it before or after, I get an error:
Code:
  deny message = This message contains malformed MIME ($demime_reason)
       demime = *
       condition = ${if >{$demime_errorlevel}{2}{1}{0}}
  deny message = This message contains a virus or other harmful content ($malware_name)
       demime = *
       malware = *
  deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
       demime = bat:com:pif:prf:scr:vbs
  warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

Any help?
 
I honestly don't know how to get this working with the SMTP limiter. We're not using it ourselves.

Maybe ClayRabbit can assist you with that.

I will update my first post so people know this.
 
Getting an error executing:

perl -pi -e "s/^LocalSocket /tmp/clamd/LocalSocket /var/run/clamav/clamd/g" /etc/clamd.conf

Output:

Bareword found where operator expected at -e line 1, near "s/^LocalSocket /tmp/clamd"
syntax error at -e line 1, near "s/^LocalSocket /tmp/clamd"
Execution of -e aborted due to compilation errors.


Is it a Debian related problem?
 
jerry2005 said:
Getting an error executing:

perl -pi -e "s/^LocalSocket /tmp/clamd/LocalSocket /var/run/clamav/clamd/g" /etc/clamd.conf

Output:

Bareword found where operator expected at -e line 1, near "s/^LocalSocket /tmp/clamd"
syntax error at -e line 1, near "s/^LocalSocket /tmp/clamd"
Execution of -e aborted due to compilation errors.


Is it a Debian related problem?

No, you can do it manually.

Open /etc/clamd.conf
Code:
Search for Example and replace it with #Example
Search for MaxThreads and set it to MaxThreads 5
    Uncomment if needed.
Search for #ScanMail and replace it with ScanMail
Search for LocalSocket and set it to LocalSocket /var/run/clamav/clamd
    Make sure you perform the mkdir command as in the starting post

Save & Close

Open /etc/freshclam.conf
Code:
Search for Example and replace it with #Example

Save & Close

This is exactly the same though done manually.
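A consistency check for the three things this thread ends up debugging (the av_scanner path in exim.conf, the LocalSocket path in clamd.conf, and whether clamd is still in TCP mode as Grant describes), plus the runtime check behind the "No such file or directory" and "Permission denied" socket errors, as an added example that is not part of any post here. The function names, return codes and sample files are mine, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check the socket path Exim
# uses in av_scanner against the LocalSocket clamd actually listens on,
# the mismatch behind the "unable to connect to UNIX socket" errors
# above. The files written by write_samples are constructed samples.

# Print the socket path from an "av_scanner = clamd:/path" line.
exim_scanner_socket() {
    sed -n 's|^[[:space:]]*av_scanner[[:space:]]*=[[:space:]]*clamd:\(/[^[:space:]]*\).*|\1|p' "$1" | head -n 1
}

# Print the active (uncommented) LocalSocket path from a clamd.conf.
clamd_local_socket() {
    sed -n 's|^[[:space:]]*LocalSocket[[:space:]]\{1,\}\([^[:space:]]*\).*|\1|p' "$1" | head -n 1
}

# Exit 0 if clamd.conf has an uncommented TCPSocket line.
clamd_tcp_active() {
    grep -q '^[[:space:]]*TCPSocket' "$1"
}

# Compare the two files. Return codes:
#   0  paths match and clamd is in local-socket mode
#   1  exim.conf has no "av_scanner = clamd:/..." line
#   2  clamd.conf has no active LocalSocket (TCP mode, or nothing at all)
#   3  the two paths differ
check_av_paths() {
    exim_conf=$1; clamd_conf=$2
    e=$(exim_scanner_socket "$exim_conf")
    c=$(clamd_local_socket "$clamd_conf")
    [ -n "$e" ] || { echo "$exim_conf: no av_scanner = clamd:/... line" >&2; return 1; }
    if [ -z "$c" ]; then
        if clamd_tcp_active "$clamd_conf"; then
            echo "$clamd_conf: clamd listens on TCP, not a LocalSocket; exim expects $e" >&2
        else
            echo "$clamd_conf: no active LocalSocket line" >&2
        fi
        return 2
    fi
    [ "$e" = "$c" ] || { echo "mismatch: exim uses $e, clamd listens on $c" >&2; return 3; }
    return 0
}

# Runtime check: the path must exist and be a socket. A missing file means
# the directory was never created or clamd is not running; a regular file
# (e.g. the clamd binary itself) explains the "Permission denied" error.
socket_ready() {
    [ -S "$1" ] || { echo "$1 is not a socket: is /var/run/clamav created and clamd running?" >&2; return 1; }
}

# Constructed sample files in directory $1 (not real configs).
write_samples() {
    printf 'av_scanner = clamd:/var/run/clamav/clamd\nprimary_hostname = mail.example.test\n' > "$1/exim.conf"
    printf '#Example\nLocalSocket /var/run/clamav/clamd\n#TCPSocket 3310\n' > "$1/clamd.good"
    printf '#Example\n#LocalSocket /tmp/clamd.socket\nTCPSocket 3310\nTCPAddr 127.0.0.1\n' > "$1/clamd.tcp"
    printf '#Example\nLocalSocket /tmp/clamd.socket\n' > "$1/clamd.wrongpath"
}

# Demo against the samples:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    for c in good tcp wrongpath; do
        check_av_paths "$d/exim.conf" "$d/clamd.$c" && echo "clamd.$c: consistent"
    done
    rm -rf "$d"
fi
```

On a live server: `check_av_paths /etc/exim.conf /etc/clamd.conf && socket_ready "$(exim_scanner_socket /etc/exim.conf)"` answers, in one go, every question asked in the posts above before touching exim.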
 