Switched from clamavmodule to clamd

Gordon Colyn gordon at itnt.co.za
Tue May 27 22:31:11 IST 2008


1 more thing.  I moved to clamd and couldn't get the clamd to scan any 
emails until I found that the /etc/freshclam.conf file must be updated to 
match the path where the signature files are listed.  Once done run 
freshclam to update to the latest signatures.

Here is an abbreviated setup process of all updates that I did on my servers 
to get clamd working:

edit /etc/freshclam.conf
DatabaseDirectory /usr/local/share/clamav

edit /etc/clamd.conf

AllowSupplementaryGroups true
ArchiveBlockEncrypted true
DatabaseDirectory /usr/local/share/clamav
DetectBrokenExecutables true
FixStaleSocket true
LocalSocket /tmp/clamd
LogFacility LOG_MAIL
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 10M
LogSyslog true
MaxConnectionQueueLength 30
MaxThreads 50
PidFile /var/run/clamav/clamd.pid
ReadTimeout 300
TemporaryDirectory /tmp
User clamav


edit /etc/MailScanner/MailScanner.conf

Incoming Work User = clamav
Incoming Work Group = clamav

Incoming Work Permissions = 0640

Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd

Virus Scanners = clamd

Clamd Port = 3310
Clamd Socket = /tmp/clamd
Clamd Lock File = # /var/lock/subsys/clamd
Clamd Use Threads = no

For mailwatch
edit /var/www/html/mailscanner/functions.php

  case 'clamd':
   // constant name must be quoted, otherwise PHP treats the bare word as an undefined constant
   define('VIRUS_REGEX', '/(.+) was infected: (\S+)/');
   break;

To confirm it is all ok, run MailScanner --lint and look for confirmation of 
the scan finding the test virus, i.e.:

MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamavmodule, clamd, clamavmodule, 
clamd
===========================================================================
Virus and Content Scanning: Starting
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
Filename Checks:  (1 eicar.com)
Other Checks: Found 1 problems
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

Regards

Gordon
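The point of the setup above is that three files have to agree: freshclam.conf and clamd.conf must name the same DatabaseDirectory, and the MailScanner "Monitors for ClamAV Updates" globs and "Clamd Socket" must point at that directory and at clamd's LocalSocket. The following is an added checker, not part of the mailing list post, that reads the three files and reports any mismatch before you run MailScanner --lint. The config excerpts embedded in it are constructed samples (the freshclam path is deliberately wrong to show what a mismatch report looks like); the paths and option names are the ones used in the post. It also applies the same VIRUS_REGEX that the MailWatch functions.php change uses, so you can confirm the regex matches the verdict text clamd produces for the EICAR test file.

```python
import re

# Constructed sample excerpts (not the author's files). freshclam's
# DatabaseDirectory disagrees with clamd's on purpose.
FRESHCLAM_CONF = """\
# Comment lines and blank lines are ignored
DatabaseDirectory /var/lib/clamav
NotifyClamd /etc/clamd.conf
"""

CLAMD_CONF = """\
LocalSocket /tmp/clamd
DatabaseDirectory /usr/local/share/clamav
User clamav
"""

MAILSCANNER_CONF = """\
Virus Scanners = clamd
Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd
Clamd Socket = /tmp/clamd
"""


def clam_option(conf_text, name):
    """Value of an 'Option value' line in clamd/freshclam style, or None."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0] == name:
            return parts[1].strip() if len(parts) > 1 else ""
    return None


def mailscanner_option(conf_text, name):
    """Value of a 'Key = value' line in MailScanner.conf style, or None."""
    for line in conf_text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, value = line.split("=", 1)
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def check_signature_paths(freshclam_text, clamd_text, mailscanner_text):
    """Return a list of mismatches; an empty list means the three files agree."""
    problems = []
    fresh_dir = clam_option(freshclam_text, "DatabaseDirectory")
    clamd_dir = clam_option(clamd_text, "DatabaseDirectory")
    if fresh_dir != clamd_dir:
        problems.append("DatabaseDirectory differs: freshclam=%s clamd=%s"
                        % (fresh_dir, clamd_dir))
    # Every glob MailScanner watches for updates must live under clamd's directory,
    # otherwise a freshclam update never triggers a MailScanner restart.
    monitors = mailscanner_option(mailscanner_text, "Monitors for ClamAV Updates") or ""
    for pattern in monitors.split():
        if clamd_dir and not pattern.startswith(clamd_dir.rstrip("/") + "/"):
            problems.append("MailScanner monitors %s outside clamd DatabaseDirectory %s"
                            % (pattern, clamd_dir))
    ms_sock = mailscanner_option(mailscanner_text, "Clamd Socket")
    clamd_sock = clam_option(clamd_text, "LocalSocket")
    if ms_sock != clamd_sock:
        problems.append("MailScanner Clamd Socket %s != clamd LocalSocket %s"
                        % (ms_sock, clamd_sock))
    return problems


# Same pattern as the MailWatch functions.php 'clamd' case.
VIRUS_REGEX = re.compile(r"(.+) was infected: (\S+)")


def parse_clamd_report(text):
    """Return (filename, signature) from a clamd verdict, or None if it does not match."""
    m = VIRUS_REGEX.search(text)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    # On a real host read /etc/freshclam.conf, /etc/clamd.conf and
    # /etc/MailScanner/MailScanner.conf instead of the constructed samples.
    for p in check_signature_paths(FRESHCLAM_CONF, CLAMD_CONF, MAILSCANNER_CONF):
        print("PROBLEM:", p)
    print(parse_clamd_report("eicar.com was infected: Eicar-Test-Signature"))
```

Running it on the samples reports exactly the freshclam mismatch the post describes; once DatabaseDirectory agrees it reports nothing.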


----- Original Message ----- 
From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Sent: Tuesday, May 27, 2008 10:11 PM
Subject: Re: Switched from clamavmodule to clamd


Ooh, can someone add this to the Wiki please?

Thanks!
Jules.

Stephen Swaney wrote:
> Ronny T. Lampert wrote:
>>> In the MailScanner.conf:
>>>
>>> Virus Scanners = clamd
>>> ClamAVmodule Maximum Compression Ratio = 1000
>>> Clamd Port = 3310
>>> Clamd Socket = /tmp/clamd.socket
>>> Clamd Lock File = /var/lock/subsys/clamd
>>
>> You might have to adjust (obviously) the Socket and the Lock File.
>> You get those from the clamd.conf file.
>>
>>> In the /etc/clamd.conf file:
>>>
>>> ScanMail no
>>>
>>> # With this option enabled ClamAV will try to detect
>>> phishing attempts by using
>>> # signatures.
>>> # Default: yes
>>> #PhishingSignatures yes
>>>
>>> # Scan URLs found in mails for phishing attempts using
>>> heuristics.
>>> # Default: yes
>>> #PhishingScanURLs yes
>>>
>>> # Perform HTML normalisation and decryption of MS
>>> Script Encoder code.
>>> # Default: yes
>>> #ScanHTML yes
>>>
>>> Do I need to turn off the defaults above as
>>> MailScanner handles these or just leave things as is?
>>
>> This should be OK. The fancy stuff (HTML, Phishing etc) is done by
>> MailScanner. You don't want to get overzealous or else too many false
>> positives creep up.
>> Depending on your setup you might have to adjust the
>>
>> User clamav
>>
>> setting in clamd.conf because the clamav user per default is NOT able
>> to read the queue files for postfix (I run MailScanner as the postfix
>> user).
>> Using "root" is a quick workaround, but dangerous (obviously).
>>
>> Also you want to set the following to match your CPUs
>>
>> clamd.conf:
>>
>> MaxThreads 16
>>
>>
>> and in MailScanner.conf:
>>
>> Clamd Use Threads = yes
>>
>>
>>> Also, does MailScanner handle the clam definition
>>> updates automatically? or do I need to enable a
>>> freshclam run? or cron freshclam?
>>
>> freshclam can be set (and usually is by default in
>> /etc/freshclam.conf, see option NotifyClamd) to notify clamd to
>> reload the definitions.
>> So, yes.
>>
>> Cheers,
>> Ronny
>>
> You also probably want to add a keep-alive script for clamd. It
> doesn't fail often but I have seen it fail.
>
> And you should make sure that the NotifyClamd option is set in
> freshclam.conf.
>
>    # Send the RELOAD command to clamd.
>    # Default: no
>    NotifyClamd /path/to/clamd.conf
>
> Alternately you may want to disable the freshclam cron updates and run
> freshclam in daemon mode:
>
>    freshclam --daemon --daemon-notify=/path/to/clamd.conf -c 24
>
> This will check every hour and notify clamd if an update occurs.
>
> Best regards,
>
> Steve
>
> Steve Swaney
> steve at fsl.com
>
> www.fsl.com
>
>>
>>
>>
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
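Steve's suggestion of a keep-alive script for clamd can be done with clamd's own PING command, which it answers with PONG over its LocalSocket (the thread above uses /tmp/clamd). The script below is an added example, not code from the list or from the MailScanner project: it opens the Unix socket, sends a NUL-terminated PING, and exits non-zero if clamd does not answer PONG, so cron or a monitoring job can restart the daemon. The selftest() function uses a constructed stand-in for clamd so the check can be exercised without a running daemon; the restart command in the usage note is an assumption about your init scripts.

```python
import os
import socket
import sys
import tempfile
import threading

CLAMD_SOCKET = "/tmp/clamd"   # LocalSocket from clamd.conf in the thread


def clamd_ping(socket_path, timeout=5.0):
    """Send PING to clamd; True only if it replies PONG within the timeout."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(socket_path)
            # 'z' prefix asks clamd for NUL-terminated replies
            s.sendall(b"zPING\0")
            reply = b""
            while not reply.endswith(b"\0"):
                chunk = s.recv(64)
                if not chunk:
                    break
                reply += chunk
    except OSError:
        # socket missing, refused, or timed out: treat as dead
        return False
    return reply.strip(b"\0\n") == b"PONG"


def _fake_clamd(sock_path, healthy):
    """Constructed stand-in for clamd, used only by selftest(): answers one
    connection with PONG, or with a garbage reply when 'healthy' is False."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)
            conn.sendall(b"PONG\0" if healthy else b"ERROR\0")
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return t


def selftest():
    """Exercise clamd_ping against a healthy fake, an unhealthy fake, and no socket."""
    results = []
    for healthy in (True, False):
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "clamd")
            t = _fake_clamd(path, healthy)
            results.append(clamd_ping(path))
            t.join(5)
    results.append(clamd_ping("/nonexistent/clamd.sock"))
    return results   # [True, False, False]


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--selftest":
        print(selftest())
        sys.exit(0)
    ok = clamd_ping(CLAMD_SOCKET)
    print("clamd %s on %s" % ("alive" if ok else "NOT responding", CLAMD_SOCKET))
    sys.exit(0 if ok else 1)
```

A cron entry such as `*/5 * * * * /usr/local/sbin/clamd_check.py || /etc/init.d/clamd restart` (the restart command is whatever your system uses) gives the keep-alive behaviour Steve describes; a clamd that is running but hung past the timeout is also caught, which a plain pid check would miss.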

