ClamAV

ClamAV is an open-source anti-virus suite written for Linux/Unix systems.

We are going to use ClamAV as our gateway mail server anti-virus solution.

Installing ClamAV
    yum install clamav clamav-update

Building and Installing ClamAV (from source files)
If this is a new install, run the following. First confirm you have the required dependencies:

    yum -y install gmp-devel

Then add the clamav user and group:

    echo "clamav:x:509:509:ClamAV:/dev/null:/sbin/nologin" >> /etc/passwd
    echo "clamav:x:509:" >> /etc/group

Download the latest source file from http://clamav.org/download/sources, then run something like this:

    cd /var/svn
    wget http://voxel.dl.sourceforge.net/sourceforge/clamav/clamav-0.94.2.tar.gz
    tar -xzf clamav-0.94.2.tar.gz
    cd clamav-0.94.2
    ./configure
    echo $?
    make
    echo $?

If everything checks out (both exit codes are 0), swap the new build in:

    monit stop clamav
    sleep 10
    make install && monit start clamav
    echo $?

If this is an upgrade, make sure you reload your running clamd process and run freshclam afterwards.

Configuring ClamAV
First you will need to make a /etc/clamd.conf file. Start out with something like this:

    PidFile /var/run/clamav/clamd.pid
    LocalSocket /var/run/clamav/clamd.socket
    User clamav

Note that a default ./configure (prefix /usr/local) makes clamd look for its config in /usr/local/etc/clamd.conf, so either pass --sysconfdir=/etc to configure or start clamd with --config-file=/etc/clamd.conf.

Now you need to make the pid and socket directory, owned by the user clamd runs as:

    mkdir /var/run/clamav
    chown clamav:clamav /var/run/clamav

ClamAV INIT Script
Next you need an init script to start clamd with. Place the below at /etc/init.d/clamd:

    #!/bin/sh
    #
    # clamav        Script to start/stop clamd.
    #
    # chkconfig:    - 63 38
    # description:  clamav antivirus daemon.
    #
    # processname: clamd
    # pidfile: /var/run/clamav/clamd.pid

    # Source function library
    . /etc/rc.d/init.d/functions

    # Get network config
    . /etc/sysconfig/network

    #
    # CONFIGURATION
    #
    # Most configuration options are found in the clamd.conf file
    # The location of configuration file
    config=/etc/clamd.conf
    # The prefix clamd was installed to
    prefix=/usr/local

    RETVAL=0

    #
    # SCRIPT
    #
    start() {
        echo -n $"Starting Clamav: "
        # pass the config file explicitly; with prefix=/usr/local clamd would
        # otherwise look in /usr/local/etc/clamd.conf
        daemon $prefix/sbin/clamd --config-file=$config
        RETVAL1=$?
        echo
        [ $RETVAL1 -eq 0 ] && touch /var/lock/subsys/clamd
        return $RETVAL1
    }

    stop() {
        echo -n $"Stopping Clamav: "
        killproc clamd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/clamd
        return $RETVAL
    }

    restart() {
        stop
        start
    }

    case "$1" in
      start)
            start
            ;;
      stop)
            stop
            ;;
      status)
            status clamd
            ;;
      restart)
            restart
            ;;
      *)
            echo $"Usage: $0 {start|stop|status|restart}"
            exit 1
    esac

    exit $?

Name the above something like /etc/init.d/clamd and run:

    chmod 755 /etc/init.d/clamd
    /sbin/chkconfig --add clamd
    /sbin/chkconfig clamd on
    /sbin/chkconfig --list clamd

Now you need a virus database. ClamAV will not run until you run FreshClam, so let's do it.

FreshClam Config File
To start out, there may be a /etc/freshclam.conf file already in place; if so, run:

    mv /etc/freshclam.conf /etc/freshclam.conf.default

My FreshClam config file looks like this:

    LogSyslog yes
    PidFile /var/run/clamav/freshclam.pid
    DatabaseMirror database.clamav.net
    MaxAttempts 5
    Checks 50

If you don't feel like rebuilding your config file you can just remove the "Example" line from the default file (freshclam refuses to start while that line is present).

FreshClam INIT Script
Make the following file as /etc/init.d/freshclam (the file name has to match the name you later pass to chkconfig):

    #!/bin/sh
    #
    # freshclam        Script to start/stop freshclam.
    #
    # chkconfig and description lines are required by "chkconfig --add";
    # the priorities below are assumed (start after clamd, stop before it).
    # chkconfig:    - 64 37
    # description:  ClamAV virus database updater.
    #
    # Source function library
    . /etc/rc.d/init.d/functions

    # Get network config
    . /etc/sysconfig/network

    #
    # CONFIGURATION
    #
    # Most configuration options are found in the freshclam.conf file
    # The location of configuration file
    config=/etc/freshclam.conf
    # The prefix freshclam was installed to
    prefix=/usr/local

    RETVAL=0

    #
    # SCRIPT
    #
    start() {
        echo -n $"Starting Freshclam: "
        # -d keeps freshclam running as a daemon (without it, it updates once and exits);
        # --config-file points it at /etc/freshclam.conf regardless of the install prefix
        daemon $prefix/bin/freshclam -d --config-file=$config -p /var/run/clamav/freshclam.pid
        RETVAL1=$?
        echo
        [ $RETVAL1 -eq 0 ] && touch /var/lock/subsys/freshclam
        return $RETVAL1
    }

    stop() {
        echo -n $"Stopping Freshclam: "
        killproc freshclam
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/freshclam
        return $RETVAL
    }

    restart() {
        stop
        start
    }

    case "$1" in
      start)
            start
            ;;
      stop)
            stop
            ;;
      status)
            status freshclam
            ;;
      restart)
            restart
            ;;
      *)
            echo $"Usage: $0 {start|stop|status|restart}"
            exit 1
    esac

    exit $?

Note that freshclam is installed under $prefix/bin, not $prefix/sbin. After saving the script as /etc/init.d/freshclam, run:

    chmod 755 /etc/init.d/freshclam
    /sbin/chkconfig --add freshclam
    /sbin/chkconfig freshclam on
    /sbin/chkconfig --list freshclam

ClamSMTP
This section assumes you have a working ClamAV installation.

ClamSMTP Installation
ClamSMTP download site: http://memberwebs.com/stef/software/clamsmtp/

Unpack the source, then run:

    ./configure --prefix=/usr --sysconfdir=/etc
    make && make install
    echo $?
    mkdir /tmp/clamav
    touch /var/log/virus.log
    chown clamav:clamav /tmp/clamav /var/log/virus.log

Then make the config file (/etc/clamsmtpd.conf) something like this:

    OutAddress : 10026
    Listen : 127.0.0.1:10025
    ClamAddress : /var/run/clamav/clamd.socket
    Header : 'X-Virus-Scanned: ClamAV using ClamSMTP Determined that this email is: CLEAN'
    PidFile : /var/run/clamav/clamsmtpd.pid
    Action : drop
    Quarantine : on
    TransparentProxy : off
    User : clamav
    TempDirectory : /tmp/clamav
    VirusAction : /usr/local/sbin/clam-virus-action.sh

The MTA hands mail to clamsmtpd on 127.0.0.1:10025 and receives the scanned mail back on port 10026. ClamAddress must be the same path as LocalSocket in clamd.conf, and both daemons run as clamav so that clamd can read the temporary files clamsmtpd writes to TempDirectory.
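Because clamsmtpd silently fails to scan anything when its socket path, user or ports disagree with clamd.conf, here is an added consistency check for the two config files above (example code, not part of the original page or of ClamAV/ClamSMTP). It assumes the formats shown on this page: "Key value" lines in clamd.conf and "Key : value" lines in clamsmtpd.conf.

```shell
#!/bin/sh
# Added example (not from the original page): cross-check clamd.conf against
# clamsmtpd.conf so clamsmtpd can actually reach clamd and no mail loop exists.

# conf_value FILE KEY -> prints the value of KEY ("Key value" or "Key : value"),
# ignoring comment lines; prints nothing if the key is absent
conf_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key {
            # drop the key and an optional ":" separator, keep the rest of the line
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*:?[[:space:]]*/, "")
            print
            exit
        }' "$1"
}

# check_clam_configs CLAMD_CONF CLAMSMTPD_CONF -> exit 0 if consistent, 1 otherwise
check_clam_configs() {
    clamd_conf=$1
    smtpd_conf=$2
    rc=0

    # clamsmtpd connects to clamd over the unix socket clamd creates
    sock=$(conf_value "$clamd_conf" LocalSocket)
    addr=$(conf_value "$smtpd_conf" ClamAddress)
    if [ -z "$sock" ]; then
        echo "clamd.conf: no LocalSocket, clamsmtpd cannot reach clamd over a unix socket" >&2
        rc=1
    elif [ "$sock" != "$addr" ]; then
        echo "socket mismatch: clamd LocalSocket=$sock, clamsmtpd ClamAddress=$addr" >&2
        rc=1
    fi

    # clamd must be able to read the temp files clamsmtpd writes, so the users should match
    cuser=$(conf_value "$clamd_conf" User)
    suser=$(conf_value "$smtpd_conf" User)
    if [ -n "$cuser" ] && [ "$cuser" != "$suser" ]; then
        echo "user mismatch: clamd runs as $cuser, clamsmtpd as ${suser:-<unset>}" >&2
        rc=1
    fi

    # mail goes in on Listen and back out on OutAddress; same port means a loop
    listen=$(conf_value "$smtpd_conf" Listen)
    out=$(conf_value "$smtpd_conf" OutAddress)
    lport=${listen##*:}
    oport=${out##*:}
    if [ -n "$lport" ] && [ "$lport" = "$oport" ]; then
        echo "loop: clamsmtpd listens on port $lport and hands scanned mail back to the same port" >&2
        rc=1
    fi

    return $rc
}

# Usage: sh check-clam-configs.sh /etc/clamd.conf /etc/clamsmtpd.conf
if [ $# -eq 2 ]; then
    check_clam_configs "$1" "$2" && echo "clamd.conf and clamsmtpd.conf agree"
fi
```

Run it after every edit of either file; a non-zero exit with the reason on stderr is cheaper to find here than in a mail queue that backs up because clamsmtpd cannot connect.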

ClamSMTP INIT Script
Now that you have ClamSMTP installed you need to start it. Here is my working ClamSMTP init script. Place this script in /etc/init.d/clamsmtpd:

    #!/bin/sh
    #
    # clamsmtpd        Script to start/stop clamsmtpd.
    #
    # chkconfig and description lines are required by "chkconfig --add";
    # the priorities below are assumed (start after clamd, stop before it).
    # chkconfig:    - 65 36
    # description:  ClamSMTP virus-scanning SMTP proxy.
    #
    # Source function library
    . /etc/rc.d/init.d/functions

    # Get network config
    . /etc/sysconfig/network

    #
    # CONFIGURATION
    #
    # Most configuration options are found in the clamsmtpd.conf file
    # The location of configuration file
    config=/etc/clamsmtpd.conf
    # The prefix clamsmtpd was installed to
    prefix=/usr

    RETVAL=0

    #
    # SCRIPT
    #
    start() {
        echo -n $"Starting Clamsmtpd: "
        # -f selects the config file, -p the pid file
        daemon $prefix/sbin/clamsmtpd -f $config -p /var/run/clamav/clamsmtpd.pid
        RETVAL1=$?
        echo
        [ $RETVAL1 -eq 0 ] && touch /var/lock/subsys/clamsmtpd
        return $RETVAL1
    }

    stop() {
        echo -n $"Stopping Clamsmtpd: "
        killproc clamsmtpd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/clamsmtpd
        return $RETVAL
    }

    restart() {
        stop
        start
    }

    case "$1" in
      start)
            start
            ;;
      stop)
            stop
            ;;
      status)
            status clamsmtpd
            ;;
      restart)
            restart
            ;;
      *)
            echo $"Usage: $0 {start|stop|status|restart}"
            exit 1
    esac

    exit $?

After you have created your new init script, run:

    chmod 755 /etc/init.d/clamsmtpd
    /sbin/chkconfig --add clamsmtpd
    /sbin/chkconfig clamsmtpd on
    /sbin/service clamsmtpd start

ClamSMTP Virus Action Script
The Virus Action Script is what is run after ClamAV finds a virus. In the current setup all infected messages are kept in the /tmp/clamav folder (Quarantine : on). With the following log entries and emails you can find the offending file and retrieve it if necessary. clamsmtpd exports VIRUS, RECIPIENTS, SENDER and EMAIL (the path of the quarantined message) to the script.

    #!/bin/sh
    # /usr/local/sbin/clam-virus-action.sh
    # Run by clamsmtpd (VirusAction) with VIRUS, RECIPIENTS, SENDER and EMAIL set.
    LOGFILE=/var/log/virus.log

    # one line per blocked message in the virus log
    echo "`date +%b' '%d' '%T` Virus=$VIRUS To=$RECIPIENTS  From=$SENDER  File=$EMAIL" >> "$LOGFILE"

    # tell the intended recipients what was blocked and where the message is kept
    echo "An email sent to $RECIPIENTS was blocked by the anti-virus system.
    If you believe this was in error please forward this email to your system administrator.

    Sender: $SENDER
    `grep 'Subject:' "$EMAIL"`
    Recipient: $RECIPIENTS
    Virus Found: $VIRUS
    File: $EMAIL

    Your Faithful Employees,
    -ClamAV & ClamSMTP

    Here is the header of the offending message:
    `formail -X "" < "$EMAIL"`
    " | mail -s 'A Virus was Blocked' $RECIPIENTS
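The virus log written by the action script above is the record you will go to when asked "what did we block and where is it". Here is an added example (not part of the original page or of ClamSMTP) that summarises such a log by any of its fields and lists the quarantined files for one signature name. The log lines embedded in it are constructed samples in the format the action script writes; the signature names and addresses in them are made up.

```shell
#!/bin/sh
# Added example (not from the original page): summarise /var/log/virus.log as
# written by clam-virus-action.sh and locate quarantined files by virus name.

# Constructed sample log, same layout as the action script produces
# (date, then Virus=, To=, From= and File= fields separated by spaces).
SAMPLE_VIRUS_LOG='Jan 05 10:12:31 Virus=Eicar-Test-Signature To=alice@example.com  From=mallory@example.net  File=/tmp/clamav/clamsmtpd.AbCdEf
Jan 05 10:13:02 Virus=Email.Phishing.Example To=bob@example.com  From=bank@example.net  File=/tmp/clamav/clamsmtpd.GhIjKl
Jan 05 11:40:55 Virus=Eicar-Test-Signature To=carol@example.com  From=mallory@example.net  File=/tmp/clamav/clamsmtpd.MnOpQr'

# virus_log_summary FIELD < log -> "count value" lines, most frequent first.
# FIELD is one of Virus, To, From, File (the key before "=" in the log line).
virus_log_summary() {
    awk -v field="$1" '
        {
            # the field must start the line or follow whitespace, so "To=" never
            # matches inside another value
            if (match($0, "(^|[ \t])" field "=[^ ]+")) {
                value = substr($0, RSTART, RLENGTH)
                sub(/^[^=]*=/, "", value)
                count[value]++
            }
        }
        END { for (v in count) printf "%d %s\n", count[v], v }' | sort -rn
}

# virus_log_files NAME < log -> quarantined file path of every entry whose
# signature name equals NAME (case-insensitive), for retrieval or deletion
virus_log_files() {
    awk -v name="$1" '
        BEGIN { name = tolower(name) }
        {
            if (!match($0, /Virus=[^ ]+/)) next
            if (tolower(substr($0, RSTART + 6, RLENGTH - 6)) != name) next
            if (match($0, /File=[^ ]+/)) print substr($0, RSTART + 5, RLENGTH - 5)
        }'
}

# Usage: sh virus-log-report.sh [/var/log/virus.log]
# With a file argument the real log is summarised; without one the sample runs.
if [ $# -ge 1 ]; then
    echo "blocked messages by signature:"; virus_log_summary Virus < "$1"
    echo "blocked messages by sender:";    virus_log_summary From  < "$1"
else
    echo "sample log, by signature:"; printf '%s\n' "$SAMPLE_VIRUS_LOG" | virus_log_summary Virus
    echo "sample log, by sender:";    printf '%s\n' "$SAMPLE_VIRUS_LOG" | virus_log_summary From
    echo "sample log, files for Eicar-Test-Signature:"
    printf '%s\n' "$SAMPLE_VIRUS_LOG" | virus_log_files Eicar-Test-Signature
fi
```

A sender that keeps appearing in the "From" summary is usually a forged envelope sender rather than a real user, so treat it as a hint for where to look, not as an identity. Remember that TempDirectory is under /tmp here, which tmpwatch cleans on many Red Hat systems, so the File= paths in older log entries may no longer exist.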

ClamSMTP References

 * ClamSMTP Manual: http://memberwebs.com/stef/software/clamsmtp/clamsmtpd.html
 * ClamSMTP Config File Manual: http://memberwebs.com/stef/software/clamsmtp/clamsmtpd.conf.html
 * Download Site: http://memberwebs.com/stef/software/clamsmtp/
 * INIT Script for Fedora: http://memberwebs.com/stef/software/clamsmtp/contrib/clamsmtpd
 * RPM Spec File: http://memberwebs.com/stef/software/clamsmtp/contrib/clamsmtp.spec

Finding what triggered the virus flag
The virus log (/var/log/virus.log) shows the name of the signature that matched the file. Once you have the virus name in question, search the signature databases for it:

    grep -iR <virus name> /var/lib/clamav/

For example:

    grep -iR Email.Phishing.RB-2646 /var/lib/clamav/

Now take the hex output from this command and run it through a hex-to-ASCII converter, for example:

 * http://nickciske.com/tools/hex.php

This will display what in the file triggered the virus flag.
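Pasting signature bodies into a web converter means leaking what your gateway blocks to a third party, so here is an added offline equivalent of the grep-and-decode step above (example code, not from the original page or from ClamAV). It assumes the two plain-text signature layouts ClamAV uses, "Name=HEX" (.db) and "Name:Type:Offset:HEX" (.ndb), and accepts the "path:line" output that grep -R produces. The signature lines embedded in it are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original page): decode the hex body of ClamAV
# signature lines offline instead of pasting them into a web converter.

# decode_sig_hex HEX -> printable ASCII; non-printable bytes become ".",
# "??" (any byte) becomes "?", and "*", "{n-m}", "(a|b)" wildcards are kept as-is
decode_sig_hex() {
    printf '%s\n' "$1" | awk '
        BEGIN { digits = "0123456789abcdef" }
        {
            s = tolower($0); out = ""; i = 1; n = length(s)
            while (i <= n) {
                c = substr(s, i, 1)
                if (c == "*" || c == "(" || c == "|" || c == ")") {   # wildcard / alternation markers
                    out = out c; i++; continue
                }
                if (c == "{") {                                        # {n-m} byte-range wildcard
                    j = index(substr(s, i), "}")
                    if (j == 0) j = n - i + 1
                    out = out substr(s, i, j); i += j; continue
                }
                pair = substr(s, i, 2)
                if (pair == "??") { out = out "?"; i += 2; continue }  # single wildcard byte
                hi = index(digits, substr(pair, 1, 1))
                lo = index(digits, substr(pair, 2, 1))
                if (hi == 0 || lo == 0) { out = out "<" pair ">"; i += 2; continue }  # not hex
                b = (hi - 1) * 16 + (lo - 1)
                out = out ((b >= 32 && b < 127) ? sprintf("%c", b) : ".")
                i += 2
            }
            print out
        }'
}

# decode_sig_lines < lines -> "Name: decoded body" per signature line.
# Accepts raw .db/.ndb lines and grep -R output prefixed with "path:".
decode_sig_lines() {
    while IFS= read -r line; do
        case $line in /*) line=${line#*:} ;; esac   # drop the "path:" prefix from grep -R
        case $line in
            *:*:*:*) name=${line%%:*}; rest=${line#*:*:*:}; hex=${rest%%:*} ;;  # .ndb
            *=*)     name=${line%%=*}; hex=${line#*=} ;;                         # .db
            *)       continue ;;   # e.g. "Binary file ... matches" from grep
        esac
        printf '%s: %s\n' "$name" "$(decode_sig_hex "$hex")"
    done
}

# Usage: sh decode-sigs.sh SIGNATURE-NAME [DBDIR]   (default DBDIR /var/lib/clamav)
if [ $# -ge 1 ]; then
    grep -iR -- "$1" "${2:-/var/lib/clamav}" | decode_sig_lines
fi
```

grep only sees signatures stored as plain text; the main.cvd/daily.cvd archives are compressed, so unpack them first in a scratch directory with "sigtool --unpack daily.cvd" and point the script at that directory (newer ClamAV releases also ship "sigtool --find-sigs=NAME | sigtool --decode-sigs", which does the same job).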

Fighting Viruses
Online virus scanning sites:

 * http://www.virustotal.com/
 * http://virusscan.jotti.org/
 * http://analysis.seclab.tuwien.ac.at/

Upload a file to ClamAV:

 * http://cgi.clamav.net/sendvirus.cgi