HowTo: ClamAV

Can you go over this step?

## Create the dir for the clamav socket
mkdir /var/run/clamav

You make a directory, but how does clamav know to run in it?
 
getUP said:
Note that I am not responsible for anything happening. You should test this locally before putting into production.

There are known problems with SMTP limiter at the moment. If you run SMTP limiter, please only continue if you know what you're doing.

Installing clamav, this could be put into a bash file if ya like.

Code:
wget http://surfnet.dl.sourceforge.net/sourceforge/clamav/clamav-0.87.1.tar.gz
tar zxvf clamav-0.87.1.tar.gz
cd clamav*

groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav

./configure --sysconfdir=/etc && make && make install

perl -pi -e "s/^Example/#Example/g" /etc/clamd.conf
perl -pi -e "s/^#MaxThreads 10/MaxThreads 5/g" /etc/clamd.conf
perl -pi -e "s/^#ScanMail/ScanMail/g" /etc/clamd.conf
perl -pi -e "s/^LocalSocket /tmp/clamd/LocalSocket /var/run/clamav/clamd/g" /etc/clamd.conf
perl -pi -e "s/^Example/#Example/g" /etc/freshclam.conf

## Create the dir for the clamav socket
mkdir /var/run/clamav

## Check for updates 24 times a day
/usr/local/bin/freshclam  -d -c 24
## Start clamd
/usr/local/sbin/clamd

## Start at boot
echo '' >> /etc/rc.local; echo '## Start Freshclam'  >> /etc/rc.local; echo '/usr/local/bin/freshclam -d -c 24'  >> /etc/rc.local;
echo '' >> /etc/rc.local; echo '## Start Clamd' >> /etc/rc.local; echo '/usr/local/sbin/clamd' >> /etc/rc.local;

Making changes to exim.conf

Code:
pico /etc/exim.conf

## Find primary_hostname and add the following line above
av_scanner = clamd:/var/run/clamav/clamd

## Find check_message:
## Make sure it looks like this:

check_message:
  deny message = This message contains malformed MIME ($demime_reason)
    demime = *
    condition = ${if >{$demime_errorlevel}{2}{1}{0}}
  deny message = This message contains a virus or other harmful content ($malware_name)
    demime = *
    malware = *
  deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
    demime = bat:com:pif:prf:scr:vbs
  warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
  accept

## Save and exit

## Restart exim
/sbin/service exim restart

I have not yet looked into further configuring the service. Ran a test on http://www.gfi.com/emailsecuritytest/
With the following result in /var/log/exim/mainlog:
Code:
2005-11-07 13:06:02 1EZ5lC-0005u7-0Z H=gfiservers.gfi.com [69.20.55.130] F=<[email protected]> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-07 13:06:02 1EZ5lC-0005u6-88 H=gfiservers.gfi.com [69.20.55.130] F=<[email protected]> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2005-11-07 13:06:02 1EZ5lC-0005u7-Ec H=gfiservers.gfi.com [69.20.55.130] F=<[email protected]> rejected after DATA: This message contains a virus or other harmful content (Exploit.ObjCodebase.Calc)
2005-11-07 13:06:02 1EZ5lC-0005u6-MA H=gfiservers.gfi.com [69.20.55.130] F=<[email protected]> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)

When following the guide....

I get the following error

Code:
[root@webbox clamav-0.88.4]# perl -pi -e "s/^LocalSocket /tmp/clamd/LocalSocket /var/run/clamav/clamd/g" /etc/clamd.conf
Bareword found where operator expected at -e line 1, near "s/^LocalSocket /tmp/clamd"
syntax error at -e line 1, near "s/^LocalSocket /tmp/clamd"
Execution of -e aborted due to compilation errors.

Any ideas?

Nick
 
I carefully followed the instructions in this thread and I've gone back over them several times but I'm getting the following message in my Exim log:

2006-10-04 22:35:15 1GVK0w-0000J6-Uf malware acl condition: clamd: ClamAV returned /var/spool/exim/scan/1GVK0w-0000J6-Uf: lstat() failed. ERROR

Obviously this is preventing email delivery so I have disabled ClamAV in my Exim configuration file for now.

I thought this may be a file permissions issue so I added the clamav user to the /etc/group file:

mail:x:12:mail,clamav

I can see the clamd process running and there are no errors in the clamd log.

Here is what I have in my /etc/exim.conf file:

(Before # primary_hostname =)
av_scanner = clamd:/var/run/clamav/clamd

check_message:
  deny message = This message contains malformed MIME ($demime_reason)
    demime = *
    condition = ${if >{$demime_errorlevel}{2}{1}{0}}
  deny message = This message contains a virus or other harmful content ($malware_name)
    demime = *
    malware = *
  deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
    demime = bat:com:pif:prf:scr:vbs
  warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
  accept

Here's my clamav socket directory:

ls -lad /var/run/clamav
drwxr-xr-x 2 clamav root 4096 Oct 4 22:33 /var/run/clamav

and inside:

ls -la /var/run/clamav/
total 16
srwxrwxrwx 1 clamav clamav 0 Oct 4 22:33 clamd
-rw-rw---- 1 clamav clamav 4 Oct 4 22:33 clamd.pid
-rw-rw---- 1 clamav clamav 5 Oct 4 21:39 freshclam.pid

In my /etc/clamd.conf file I have the following:

LocalSocket /var/run/clamav/clamd

Anybody have any ideas what is going on here?

Thanks!
 
OK, I found a solution. I switched ClamAV to run as the "mail" user in clamd.conf. That seems to give it permission to scan the Exim files in /var/spool/exim/scan/.

/etc/clamd.conf

User mail

Maybe the How-To Guide should be updated?

Thanks!
 
debian/volatile clamav packages

If you want to use volatile packages, do the following:

- add a repository in /etc/apt/sources.list:

### Volatile
deb http://ftp.de.debian.org/debian-volatile sarge/volatile main contrib non-free

- install clamav packages:

# apt-get install clamav-daemon clamav-freshclam

- add clamav user to mail group:

# adduser clamav mail

- change permission in exim dirs:

# chmod -R g+w /var/spool/exim
# chmod -R g+s /var/spool/exim

- restart clamd

/etc/init.d/clamav-daemon restart

- watch the exim log to see if all is OK, after you have made all config settings (exim.conf, clamd.conf):

tail -f /var/log/exim/mainlog

That's all.
 
Hi everyone

I got these errors when installing ClamAV 0.90.3
[root@localhost clamav-0.90.3]# /usr/local/sbin/clamd
/usr/local/sbin/clamd: error while loading shared libraries: libclamav.so.2: cannot open shared object file: No such file or directory
[root@localhost clamav-0.90.3]# /usr/local/bin/freshclam -d -c 24
/usr/local/bin/freshclam: error while loading shared libraries: libclamav.so.2: cannot open shared object file: No such file or directory

Can anyone help me please? Thanks
 
libclamav.so.2: cannot open shared object file

Normally, installation of clamav as described comes with the library.

1. try to see if libclamav.so.2 is in /usr/local/lib

I guess yes

2. verify that /usr/local/lib is inside the file /etc/ld.so.conf

with pico or nano for example. If not, add it (or the path where you found libclamav.so.2 in step 1)

3. run :

ldconfig

=============
should work.

Michel
 
btw, even if the line /usr/local/lib is already in there, just run ldconfig.
That worked for me. :)


Also with:
[root@webbox clamav-0.88.4]# perl -pi -e "s/^LocalSocket /tmp/clamd/LocalSocket /var/run/clamav/clamd/g" /etc/clamd.conf
Bareword found where operator expected at -e line 1, near "s/^LocalSocket /tmp/clamd"
syntax error at -e line 1, near "s/^LocalSocket /tmp/clamd"
Execution of -e aborted due to compilation errors.

I used this from the ClamAV mail-help-files:
Code:
perl -pi -e "s#^LocalSocket /tmp/clamd#LocalSocket /var/run/clamav/clamd#" /etc/clamd.conf

You can also edit the replacements in the /etc/clamd.conf file manually.
 
When I received this error:
2007-08-03 14:43:55 1IGwVW-0006Ic-T3 malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (No such file or directory)
I went to /var/run/clamav and saw I didn't have a clamd, but a clamd.socket

I went for a reboot, and made sure it wouldn't start again.
I commented the line : av_scanner = clamd:/var/run/clamav/clamd in /etc/exim.conf
And I removed the new added lines in /etc/rc.local
Then I rebooted



I did the install steps again.
Instead of the perl commands, I edited the clamd.conf file manually, using this post


I didn't restart exim yet, which led me to the following errors in the Exim log:
2007-08-03 16:42:12 1IGyM0-0001RS-BH malware acl condition: unable to connect to sophie UNIX socket (/var/run/sophie). errno=2
2007-08-03 16:42:12 1IGyM0-0001RS-BH H=(svfm6eae.rgihocim.comcast.net) [219.139.79.104] F=<[email protected]> temporarily rejected after DATA
Sending email via webmail, also gave me this error (and some more text):
451 Temporary local problem - please try later


I restarted Exim, and from there it worked, finally :)

The test results:
2007-08-03 16:55:43 1IGyZ5-0001Ve-C9 => **** <****@****.com> F=<[email protected]> R=virtual_user T=virtual_localdelivery S=4977
2007-08-03 16:55:43 1IGyZ5-0001Ve-C9 Completed
2007-08-03 16:55:44 1IGyZ5-0001Vd-Un <= [email protected] H=gfiservers.gfi.com (S44374) [69.20.55.130] P=esmtp S=3656 id=S44374ntjfwTP5gD9UL00000565@S44374 T="Long subject vulnerability test (Outlook Express 6)" from <[email protected]> for ****@****.com
2007-08-03 16:55:44 1IGyZ5-0001Vd-Un => **** <****@****.com> F=<[email protected]> R=virtual_user T=virtual_localdelivery S=3824
2007-08-03 16:55:44 1IGyZ5-0001Vd-Un Completed
2007-08-03 16:55:44 unexpected disconnection while reading SMTP command from (u5o67d.apoaoydu.rr.com) [123.16.72.219]
2007-08-03 16:55:44 1IGyZ6-0001Ve-0i <= [email protected] H=gfiservers.gfi.com (S44374) [69.20.55.130] P=esmtp S=4257 id=S443748xSSd694NDh6P00000566@S44374 T="hide.hta" from <[email protected]> for ****@****.com
2007-08-03 16:55:44 1IGyZ6-0001Ve-0i => **** <****@****.com> F=<[email protected]> R=virtual_user T=virtual_localdelivery S=4425
2007-08-03 16:55:44 1IGyZ6-0001Ve-0i Completed
2007-08-03 16:55:44 1IGyZ6-0001Vd-Ix <= [email protected] H=gfiservers.gfi.com (S44374) [69.20.55.130] P=esmtp S=3617 id=S44374mCn571zZfbUeh00000567@S44374 T="Long subject vulnerability test (Outlook 2000)" from <[email protected]> for ****@****.com
2007-08-03 16:55:44 1IGyZ6-0001Vd-Ix => **** <****@****.com> F=<[email protected]> R=virtual_user T=virtual_localdelivery S=3785
2007-08-03 16:55:44 1IGyZ6-0001Vd-Ix Completed
2007-08-03 16:55:44 1IGyZ6-0001Ve-LV H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<[email protected]> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2007-08-03 16:55:45 1IGyZ7-0001Vd-77 H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<[email protected]> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)
2007-08-03 16:55:45 1IGyZ7-0001Ve-A3 H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<[email protected]> rejected after DATA: This message contains a virus or other harmful content (Exploit.ObjCodebase.Calc)
2007-08-03 16:55:45 1IGyZ7-0001Vd-Ri H=gfiservers.gfi.com (S44374) [69.20.55.130] F=<[email protected]> rejected after DATA: This message contains a virus or other harmful content (GFI.VBS.Test)

I don't know exactly which steps I've done to get to a working version: Exim + SpamBlocker2 + ClamAV

Also, # ls /var/run/clamav/ shows me clamd and not clamd.socket


But I hope this post will help you a little.. ;)
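
Added example (not written by any poster in this thread, and not ClamAV or DirectAdmin code): two failures reported above come down to Exim and clamd disagreeing on the socket path (clamd vs clamd.socket), or the clamd user lacking search permission on the way to /var/spool/exim/scan (the lstat() failed error). The script name and function names below are made up for this example, and access is judged from mode bits only.

```sh
#!/bin/sh
# Added example, not part of the thread. Usage (the thread's default paths):
#   sh clamd-preflight.sh /etc/exim.conf /etc/clamd.conf /var/spool/exim/scan

# Socket path from exim.conf's "av_scanner = clamd:<path>" line.
exim_socket() {
    sed -n 's/^[[:space:]]*av_scanner[[:space:]]*=[[:space:]]*clamd:\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Value of an uncommented clamd.conf directive such as LocalSocket or User.
clamd_directive() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# 0 if numeric uid $1 with numeric gids $2 has search (x) permission on dir $3,
# judged from the mode bits only (ACLs are not considered).
can_enter() {
    uid=$1; gids=$2
    set -- $(ls -ldn "$3" 2>/dev/null | awk '{ print $1, $3, $4 }')
    if [ "$uid" = "$2" ]; then bits=$(printf %s "$1" | cut -c2-4)
    elif printf ' %s ' "$gids" | grep -q " $3 "; then bits=$(printf %s "$1" | cut -c5-7)
    else bits=$(printf %s "$1" | cut -c8-10)
    fi
    case $bits in ??[xst]) return 0 ;; *) return 1 ;; esac
}

# Walk from dir $3 up to /, printing the first component uid $1 cannot enter.
# lstat() on a spool file needs search permission on every one of them.
first_blocked() {
    [ "$1" = 0 ] && return 0            # root bypasses mode bits
    p=$3
    while :; do
        can_enter "$1" "$2" "$p" || { echo "$p"; return 1; }
        [ "$p" = / ] || [ "$p" = . ] && return 0
        p=$(dirname "$p")
    done
}

main() {
    rc=0; e=$(exim_socket "$1"); c=$(clamd_directive "$2" LocalSocket)
    if [ -n "$e" ] && [ "$e" = "$c" ] && [ -S "$e" ]; then echo "OK socket $e"
    else echo "FAIL socket: exim.conf='$e' clamd.conf='$c' (must match and exist)"; rc=1; fi
    user=$(clamd_directive "$2" User); user=${user:-root}  # no User line: clamd stays root
    if blocked=$(first_blocked "$(id -u "$user")" "$(id -G "$user")" "$3"); then
        echo "OK $user can reach $3"
    else echo "FAIL $user cannot enter $blocked"; rc=1; fi
    return $rc
}
if [ "$#" -eq 3 ]; then main "$@"; fi
```

A FAIL on the second check names the directory whose group or mode needs changing, which is narrower than running clamd as the mail user or making the whole spool group-writable.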
 
CLAMAV errors

Hi, I have another very important question. I wrote this post on the DA forum and I don't know how to fix it :(
If you know how to fix this problem I would be grateful.

"On CentOS 4.4 there are still errors after installing clamav:
I installed clamav from this post:
http://www.directadmin.com/forum/sho...highlight=clam


./update.script CLAMAV

at the end of the clamav install:


Quote:
./update.script: line 591: /usr/local/sbin/clamd: no such file or directory
./update.script: line 591: /usr/local/bin/freshclam: no such file or directory
clamd: no process killed
freshclam: no process killed
./update.script: line 591: /usr/local/bin/freshclam: no such file or directory
./update.script: line 591: /usr/local/sbin/clamd: no such file or directory
ClamAV auto start when server reboot
clamd: no process killed
freshclam: no process killed
./update.script: line 617: /usr/local/bin/freshclam: no such file or directory
./update.script: line 617: /usr/local/sbin/clamd: no such file or directory"


and when restarting the clamd process I get this: :(((

[admin@ah24 ~]$ /etc/init.d/clamd restart
/etc/init.d/clamd: line 32: Killall: command not found
cat: /var/run/clamd.pid: no such file or directory
kill: usage: kill [-s sigspec | -n signum | -sigspec] [pid | job]... or kill -l [sigspec]
 
The location of the update.script has moved.
As such, when you run the script it is looking for the wrong path.

Create the following folder:

/usr/local/updatescript/
and place the update.script in it.
Then run it from there.
The 'old' path of /usr/local/directadmin/customapache/update is no longer valid for the script.
So create that directory, move the update.script to it and then run the ./update.script CLAMAV

Hope that helps.

-Alon.
 
bugs in clamav installation script

Bugs in update.script

SupermanInNY, I have exactly this path: /usr/local/updatescript
The problem is in the file update.script. There are many errors with links.
Is:
ln -s /etc/init.d/freshclam /sbin/freshclam
Should be:
ln -s /etc/init.d/freshclam /usr/local/bin/freshclam

Is:
ln -s /etc/init.d/clamd /sbin/clamd
Should be:
ln -s /etc/init.d/clamd /usr/local/sbin/clamd


but clamd is still down and can't start
 
I have the same problems. I cannot get clamd to work at all since using the update script (not blaming the script, but it does not seem to use standard clam dirs). There should really be DA support for CLAM by now.
 
errors clamav

I have a fresh copy of CentOS 4.4 and the newest DA, and I am wondering how it is possible that other users install clamav without any errors. My CentOS is like tear water, zero personal changes. So... how? What is going on?
 
rdlev has the same problem as I

I have the same problems. I cannot get clamd to work at all since using the update script (not blaming the script, but it does not seem to use standard clam dirs). There should really be DA support for CLAM by now.
 
I'm not sure what update script you're using for ClamAV. ClamAV will probably be supported by DirectAdmin once SpamBlocker3 is released.

Until then there are many ways of installing ClamAV, all subtly different.

Jeff
 
Your link for the first one didn't work for me; we use it.

The proper link is:

http://www.directadmin.com/forum/showthread.php?threadid=10478

I don't know why it doesn't work for you; perhaps you should try (if possible) deleting every reference to clamav and clamd from your system, and then try it again.
Code:
# find / -name "*clam*"
Delete all you find.

Then try again.

Let us know exactly what errors you're getting.

Jeff
 