Switched from clamavmodule to clamd
gordon at itnt.co.za
Tue May 27 22:31:11 IST 2008
One more thing. I moved to clamd and couldn't get clamd to scan any
emails until I found that the /etc/freshclam.conf file must be updated to
match the path where the signature files are listed. Once done, run
freshclam to update to the latest signatures.
Here is an abbreviated setup process of all updates that I did on my servers
to get clamd working:
Incoming Work User = clamav
Incoming Work Group = clamav
Incoming Work Permissions = 0640
Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/*
Virus Scanners = clamd
Clamd Port = 3310
Clamd Socket = /tmp/clamd
Clamd Lock File = # /var/lock/subsys/clamd
Clamd Use Threads = no
define(VIRUS_REGEX, '/(.+) was infected: (\S+)/');
To confirm it is all OK, run MailScanner --lint and look for confirmation of
the scan finding the test virus, i.e.:
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamavmodule, clamd, clamavmodule,
Virus and Content Scanning: Starting
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
Filename Checks: (1 eicar.com)
Other Checks: Found 1 problems
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"
----- Original Message -----
From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Sent: Tuesday, May 27, 2008 10:11 PM
Subject: Re: Switched from clamavmodule to clamd
Ooh, can someone add this to the Wiki please?
Stephen Swaney wrote:
> Ronny T. Lampert wrote:
>>> In the MailScanner.conf:
>>> Virus Scanners = clamd
>>> ClamAVmodule Maximum Compression Ratio = 1000
>>> Clamd Port = 3310
>>> Clamd Socket = /tmp/clamd.socket
>>> Clamd Lock File = /var/lock/subsys/clamd
>> You might have to adjust (obviously) the Socket and the Lock File.
>> You get those from the clamd.conf file.
>>> In the /etc/clamd.conf file:
>>> ScanMail no
>>> # With this option enabled ClamAV will try to detect
>>> phishing attempts by using
>>> # signatures.
>>> # Default: yes
>>> #PhishingSignatures yes
>>> # Scan URLs found in mails for phishing attempts using
>>> # Default: yes
>>> #PhishingScanURLs yes
>>> # Perform HTML normalisation and decryption of MS
>>> Script Encoder code.
>>> # Default: yes
>>> #ScanHTML yes
>>> Do I need to turn off the defaults above as
>>> MailScanner handles these or just leave things as is?
>> This should be OK. The fancy stuff (HTML, Phishing etc) is done by
>> MailScanner. You don't want to get overzealous or else too many false
>> positives creep up.
>> Depending on your setup you might have to adjust the
>> User clamav
>> setting in clamd.conf because the clamav user per default is NOT able
>> to read the queue files for postfix (I run MailScanner as the postfix
>> Using "root" is a quick workaround, but dangerous (obviously).
>> Also you want to set the following to match your CPUs
>> MaxThreads 16
>> and in MailScanner.conf:
>> Clamd Use Threads = yes
>>> Also, does MailScanner handle the clam definition
>>> updates automatically? or do I need to enable a
>>> freshclam run? or cron freshclam?
>> freshclam can be set (and usually is by default in
>> /etc/freshclam.conf, see option NotifyClamd) to notify clamd to
>> reload the definitions.
>> So, yes.
> You also probably want to add a keep-alive script for clamd. It
> doesn't fail often but I have seen it fail.
> And you should make sure that the NotifyClamd option is set in
> # Send the RELOAD command to clamd.
> # Default: no
> NotifyClamd /path/to/clamd.conf
> Alternately you may want to disable the freshclam cron updates and run
> freshclam in daemon mode:
> freshclam --daemon --daemon-notify=/path/to/clamd.conf -c 24
> This will check every hour and notify clamd if an update occurs.
> Best regards,
> Steve Swaney
> steve at fsl.com
Julian Field MEng CITP CEng
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
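The mismatches discussed in this thread (Clamd Socket versus the socket in clamd.conf, the signature path in freshclam.conf, NotifyClamd, and clamd running as root) can be checked mechanically. The following is an added example, not code from the thread or from the MailScanner or ClamAV projects; it assumes clamd listens on a Unix socket (LocalSocket), and the sample file contents and the /var/lib/clamav path are constructed for illustration.

```python
def parse_clam(text):
    """clamd.conf / freshclam.conf syntax: 'Option value', '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            opts[parts[0]] = parts[1].strip()
    return opts

def parse_mailscanner(text):
    """MailScanner.conf syntax: 'Option Name = value'; keys compared lower-case."""
    opts = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts

def check(ms_text, clamd_text, freshclam_text, clamd_conf_path):
    """Return a list of mismatches between the three configuration files."""
    ms, cd, fc = parse_mailscanner(ms_text), parse_clam(clamd_text), parse_clam(freshclam_text)
    problems = []
    if "clamd" not in ms.get("virus scanners", "").split():
        problems.append("Virus Scanners does not list clamd")
    if ms.get("clamd socket") != cd.get("LocalSocket"):
        problems.append("Clamd Socket %r != clamd.conf LocalSocket %r"
                        % (ms.get("clamd socket"), cd.get("LocalSocket")))
    if fc.get("DatabaseDirectory") != cd.get("DatabaseDirectory"):
        problems.append("freshclam and clamd use different DatabaseDirectory values")
    if fc.get("NotifyClamd") != clamd_conf_path:
        problems.append("freshclam.conf NotifyClamd does not point at clamd.conf")
    if cd.get("User") == "root":
        problems.append("clamd runs as root")
    return problems

# Constructed sample files showing the mismatches described in the thread.
MS = "Virus Scanners = clamd\nClamd Socket = /tmp/clamd\n"
CLAMD = "LocalSocket /tmp/clamd.socket\nDatabaseDirectory /usr/local/share/clamav\nUser clamav\n"
FRESHCLAM = "DatabaseDirectory /var/lib/clamav\n# NotifyClamd /etc/clamd.conf\n"

if __name__ == "__main__":
    for problem in check(MS, CLAMD, FRESHCLAM, "/etc/clamd.conf"):
        print("MISMATCH:", problem)
```

On a real server, pass the contents of the actual files and the real path of clamd.conf instead of the constructed strings.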