ClamAV
From Wiki.mattrude.com
ClamAV is an open-source anti-virus suite written for Linux/Unix systems.
We are going to use ClamAV as our gateway mail server anti-virus solution.
ClamAV
Note: This page was written with Fedora 8 & 9 in mind and may not have been tested on any other versions.
Installing ClamAV
yum install clamav clamav-update
Building and Installing ClamAV (from source files)
If this is a new install, run the following. First confirm you have the required dependencies:
yum -y install gmp-devel
Then add the clamav user and group. ClamAV's configure script expects both to exist. The UID/GID 509 is arbitrary; pick one that is free in /etc/passwd and /etc/group first (groupadd and useradd do the same job more safely than appending to the files by hand).
echo "clamav:x:509:509:ClamAV:/dev/null:/sbin/nologin" >> /etc/passwd
echo "clamav:x:509:" >> /etc/group
Download the latest source tarball from http://clamav.org/download/sources (and verify it against the signature file published alongside it before building), then run something like this. Each echo $? should print 0. Note that a plain ./configure installs under /usr/local and by default reads its config files from /usr/local/etc, so either pass --sysconfdir=/etc or point clamd and freshclam at the /etc files explicitly when you start them.
cd /var/svn
wget http://voxel.dl.sourceforge.net/sourceforge/clamav/clamav-0.94.2.tar.gz
tar -xzf clamav-0.94.2.tar.gz
cd clamav-0.94.2
./configure
echo $?
make
echo $?
And if everything checks out:
monit stop clamav
sleep 10
make install && monit start clamav
echo $?
The monit lines assume clamd is already supervised by monit; on a first install, or without monit, skip them and start clamd with the init script further down.
If this is an upgrade, make sure you restart the running clamd process so it picks up the new binary, and run freshclam afterwards.
Configuring ClamAV
First you will need to create /etc/clamd.conf. Start with something like this (if you copy the sample file ClamAV ships instead, delete its Example line, or clamd will refuse to start):
PidFile /var/run/clamav/clamd.pid
LocalSocket /var/run/clamav/clamd.socket
User clamav
LocalSocket is the Unix socket clamsmtpd will talk to, and User is the account clamd drops to after it starts, the clamav user created above. The database location defaults to the compiled-in directory (/usr/local/share/clamav for a default source build); set DatabaseDirectory here and in freshclam.conf if you want it elsewhere.
Now create the PID and socket directory, owned by the user clamd runs as:
mkdir /var/run/clamav
chown clamav:clamav /var/run/clamav
ClamAV INIT Script
Note: This file can be found in the Clam Setup file
Next you need an init script to start clamd with. Place the below at /etc/init.d/clamd:
#!/bin/sh
# clamav Script to start/stop clamd.
#
# chkconfig: - 63 38
# description: clamav antivirus daemon.
#
# processname: clamd
# pidfile: /var/run/clamav/clamd.pid
#
# Source function library
. /etc/rc.d/init.d/functions
# Get network config
. /etc/sysconfig/network
###########################################################################
# CONFIGURATION
# Most configuration options are found in the clamd.conf file
# The location of configuration file
config=/etc/clamd.conf
# The prefix clamd was installed to
prefix=/usr/local
###########################################################################
# SCRIPT
RETVAL=0
start() {
echo -n $"Starting Clamav: "
# -c points clamd at the config file above instead of the compiled-in
# default ($sysconfdir/clamd.conf, /usr/local/etc for a default build)
daemon $prefix/sbin/clamd -c $config
RETVAL1=$?
echo
[ $RETVAL1 -eq 0 ] && touch /var/lock/subsys/clamd
return $RETVAL1
}
stop() {
echo -n $"Stopping Clamav: "
killproc clamd
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/clamd
return $RETVAL
}
restart() {
stop
start
}
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status clamd
;;
restart)
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart}"
exit 1
esac
exit $?
Save the above as /etc/init.d/clamd and run:
chmod 755 /etc/init.d/clamd
/sbin/chkconfig --add clamd
/sbin/chkconfig clamd on
/sbin/chkconfig --list clamd
Now you need a virus database: clamd will not start until freshclam has downloaded one, so set freshclam up next. freshclam drops privileges to the clamav user (DatabaseOwner) before writing, so the database directory must be writable by that user.
FreshClam
FreshClam Config File
To start, there may already be a /etc/freshclam.conf in place (the clamav-update package installs one); if so, move it aside:
mv /etc/freshclam.conf /etc/freshclam.conf.default
My FreshClam config file looks like this:
LogSyslog yes
PidFile /var/run/clamav/freshclam.pid
DatabaseMirror database.clamav.net
MaxAttempts 5
Checks 50
If you don't feel like rebuilding your config file you can just remove the Example line from the default file; freshclam refuses to run while that line is present.
FreshClam INIT Script
Note: This file can be found in the Clam Setup file
Make the following file as /etc/init.d/freshclam (the chkconfig header lines are required, or chkconfig --add will refuse the script):
#!/bin/sh
# freshclam Script to start/stop freshclam.
#
# chkconfig: - 64 37
# description: freshclam virus database update daemon.
#
# processname: freshclam
# pidfile: /var/run/clamav/freshclam.pid
#
# Source function library
. /etc/rc.d/init.d/functions
# Get network config
. /etc/sysconfig/network
###########################################################################
# CONFIGURATION
# Most configuration options are found in the freshclam.conf file
# The location of configuration file
config=/etc/freshclam.conf
# The prefix freshclam was installed to
prefix=/usr/local
###########################################################################
# SCRIPT
RETVAL=0
start() {
echo -n $"Starting Freshclam: "
# -d keeps freshclam running as a daemon (without it the script would run a
# single update and exit); freshclam is installed in bin, not sbin, and
# --config-file points it at /etc/freshclam.conf rather than $sysconfdir
daemon $prefix/bin/freshclam -d --config-file=$config -p /var/run/clamav/freshclam.pid
RETVAL1=$?
echo
[ $RETVAL1 -eq 0 ] && touch /var/lock/subsys/freshclam
return $RETVAL1
}
stop() {
echo -n $"Stopping Freshclam: "
killproc freshclam
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/freshclam
return $RETVAL
}
restart() {
stop
start
}
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status freshclam
;;
restart)
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart}"
exit 1
esac
exit $?
Save the above as /etc/init.d/freshclam (the name chkconfig registers is the script's file name, so it must match) and run:
chmod 755 /etc/init.d/freshclam
/sbin/chkconfig --add freshclam
/sbin/chkconfig freshclam on
/sbin/chkconfig --list freshclam
ClamSMTP
This section assumes you have a working ClamAV installation.
ClamSMTP Installation
- ClamSMTP Download Site: http://memberwebs.com/stef/software/clamsmtp/
After unpacking the source tarball, build and install it (--sysconfdir=/etc makes clamsmtpd look for /etc/clamsmtpd.conf), then create the temp directory and log file the config below refers to:
./configure --prefix=/usr --sysconfdir=/etc
make && make install
echo $?
mkdir /tmp/clamav
touch /var/log/virus.log
chown clamav:clamav /tmp/clamav /var/log/virus.log
Note: This file can be found in the Clam Setup file
Then create the config file (/etc/clamsmtpd.conf) with something like the following. Listen is where your MTA hands mail to clamsmtpd and OutAddress is where clamsmtpd delivers the scanned message back; ClamAddress is the LocalSocket from clamd.conf; and TempDirectory must be readable by clamd, because clamsmtpd writes each message there and asks clamd to scan it by path (both run as clamav here). With Quarantine on, every blocked message stays in /tmp/clamav as a live malware sample, so keep that directory owned by clamav and not readable by other local users, and remember that Fedora's daily tmpwatch job removes old files from /tmp.
OutAddress : 10026
Listen : 127.0.0.1:10025
ClamAddress : /var/run/clamav/clamd.socket
Header : 'X-Virus-Scanned: ClamAV using ClamSMTP Determined that this email is: CLEAN'
PidFile : /var/run/clamav/clamsmtpd.pid
Action : drop
Quarantine : on
TransparentProxy : off
User : clamav
TempDirectory : /tmp/clamav
VirusAction : /usr/local/sbin/clam-virus-action.sh
ClamSMTP INIT Script
Note: This file can be found in the Clam Setup file
Now that ClamSMTP is installed you need to start it. Here is my working ClamSMTP init script. Place this script in /etc/init.d/clamsmtpd.
#!/bin/sh
# clamsmtpd Script to start/stop clamsmtpd.
#
# chkconfig: - 65 36
# description: clamsmtpd anti-virus SMTP filter.
#
# processname: clamsmtpd
# pidfile: /var/run/clamav/clamsmtpd.pid
#
# Source function library
. /etc/rc.d/init.d/functions
# Get network config
. /etc/sysconfig/network
###########################################################################
# CONFIGURATION
# Most configuration options are found in the clamsmtpd.conf file
# The location of configuration file
config=/etc/clamsmtpd.conf
# The prefix clamsmtpd was installed to
prefix=/usr
###########################################################################
# SCRIPT
RETVAL=0
start() {
echo -n $"Starting Clamsmtpd: "
# -f names the config file explicitly (it is also the compiled-in default
# because of --sysconfdir=/etc above)
daemon $prefix/sbin/clamsmtpd -f $config -p /var/run/clamav/clamsmtpd.pid
RETVAL1=$?
echo
[ $RETVAL1 -eq 0 ] && touch /var/lock/subsys/clamsmtpd
return $RETVAL1
}
stop() {
echo -n $"Stopping Clamsmtpd: "
killproc clamsmtpd
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/clamsmtpd
return $RETVAL
}
restart() {
stop
start
}
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status clamsmtpd
;;
restart)
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart}"
exit 1
esac
exit $?
After you have created your new init script run:
chmod 755 /etc/init.d/clamsmtpd
/sbin/chkconfig --add clamsmtpd
/sbin/chkconfig clamsmtpd on
/sbin/service clamsmtpd start
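Before pointing your MTA at port 10025, it is worth confirming that clamd can scan a file in clamsmtpd's TempDirectory when asked the way clamsmtpd asks (a SCAN command naming the file, sent over the LocalSocket). The script below is an added example written for this page, not code from ClamAV or ClamSMTP. It assumes the socket and directory paths from the configuration above and uses the standard EICAR test string, harmless text that every ClamAV database reports as Eicar-Test-Signature. Run it as the clamav user (for example via su -s /bin/sh clamav) so that a permission problem on the socket or the directory shows up here rather than on the first real message.

```python
"""
Check that clamd is reachable on its LocalSocket and can scan a file in
clamsmtpd's TempDirectory, the same way clamsmtpd does: a SCAN command
naming a file that clamd must be able to read.

Added example for this page, not code from ClamAV or ClamSMTP.  The paths
below are assumed from the clamd.conf and clamsmtpd.conf on this page.
"""
import os
import socket
import sys
import tempfile

SOCKET_PATH = "/var/run/clamav/clamd.socket"   # LocalSocket in clamd.conf
TEMP_DIR = "/tmp/clamav"                       # TempDirectory in clamsmtpd.conf

# The standard EICAR test string: harmless text that every ClamAV
# database detects as Eicar-Test-Signature.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-"
         r"TEST-FILE!$H+H*")


def build_scan_command(path):
    """Build the line-oriented clamd request that scans a file by path."""
    return ("SCAN %s\n" % path).encode()


def parse_scan_reply(reply):
    """
    Parse a clamd SCAN reply such as
        /tmp/clamav/x: Eicar-Test-Signature FOUND
        /tmp/clamav/x: OK
        /tmp/clamav/x: lstat() failed: Permission denied. ERROR
    into (status, detail), where status is 'OK', 'FOUND' or 'ERROR'.
    """
    text = reply.decode(errors="replace").strip().rstrip("\0")
    _path, _sep, rest = text.partition(": ")
    if rest == "OK":
        return "OK", ""
    if rest.endswith(" FOUND"):
        return "FOUND", rest[:-len(" FOUND")]
    if rest.endswith("ERROR"):
        return "ERROR", rest
    return "ERROR", "unrecognised reply: %r" % text


def scan_path(path, socket_path=SOCKET_PATH):
    """Ask clamd over its Unix socket to scan `path`; return (status, detail)."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(30)
    try:
        s.connect(socket_path)
        s.sendall(build_scan_command(path))
        reply = b""
        while True:                     # clamd answers one line, then closes
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
            if reply.endswith(b"\n"):
                break
    finally:
        s.close()
    return parse_scan_reply(reply)


def main():
    # mkstemp creates the file mode 0600 in TempDirectory, so a failure
    # here reproduces a failure the real mail path would hit too.
    fd, path = tempfile.mkstemp(prefix="eicar.", dir=TEMP_DIR)
    try:
        os.write(fd, EICAR.encode())
        os.close(fd)
        status, detail = scan_path(path)
        print("%s -> %s %s" % (path, status, detail))
        if status != "FOUND":
            print("expected Eicar-Test-Signature FOUND; check socket and "
                  "directory ownership and that freshclam has run")
            return 1
        return 0
    finally:
        os.unlink(path)


if __name__ == "__main__":
    sys.exit(main())
```

FOUND means the socket, the directory ownership and the database all work. An ERROR reply mentioning lstat() or permission denied points at directory or file permissions; a connection failure points at the socket path or at a clamd that never started, most often because freshclam has not fetched a database yet.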
ClamSMTP Virus Action Script
Note: This file can be found in the Clam Setup file
The virus action script runs after ClamAV flags a message. clamsmtpd passes the details in environment variables: VIRUS (the signature name), SENDER and RECIPIENTS (the envelope sender and the space-separated recipients) and EMAIL (the path of the quarantined copy, which is why Quarantine must be on for the script to read the message). In the current setup every blocked message is kept in /tmp/clamav; with the log and the notification e-mail below you can find the offending file and retrieve it if necessary. The script must be executable. Because the notice goes to the envelope recipients, it is suitable for an inbound gateway whose recipients are your own users; on a relay that also handles outbound mail it would send notices about forged-sender malware to third parties.
- /usr/local/sbin/clam-virus-action.sh
#!/bin/sh
# Run by clamsmtpd (VirusAction) with VIRUS, SENDER, RECIPIENTS and EMAIL
# in the environment.  RECIPIENTS is a space-separated list, so it is
# deliberately left unquoted where it becomes the address list for mail(1).
# formail comes with procmail.
LOGFILE=/var/log/virus.log
echo "`date +%b' '%d' '%T` Virus=$VIRUS To=$RECIPIENTS From=$SENDER File=$EMAIL" >> "$LOGFILE"
echo "An email sent to $RECIPIENTS was blocked by the anti-virus system.
If you believe this was in error please forward this email to your system administrator.
--------------------------------------------------------------------
Sender: $SENDER
`grep -m 1 '^Subject:' "$EMAIL"`
Recipient: $RECIPIENTS
Virus Found: $VIRUS
File: $EMAIL

Your Faithful Employees,
-ClamAV & ClamSMTP

Here is the header of the offending message:
--------------------------------------------------------------------
`formail -X "" < "$EMAIL"`
--------------------------------------------------------------------
" | mail -s 'A Virus was Blocked' $RECIPIENTS
ClamSMTP References
- ClamSMTP Manual: http://memberwebs.com/stef/software/clamsmtp/clamsmtpd.html
- ClamSMTP Config File Manual: http://memberwebs.com/stef/software/clamsmtp/clamsmtpd.conf.html
- Download Site: http://memberwebs.com/stef/software/clamsmtp/
- INIT Script for Fedora: http://memberwebs.com/stef/software/clamsmtp/contrib/clamsmtpd
- RPM Spec File: http://memberwebs.com/stef/software/clamsmtp/contrib/clamsmtp.spec
Finding what triggered the virus flag
The virus log (/var/log/virus.log) records the name of the signature that matched. To see what that signature looks for, search the database files for the name. Two things to check first: grep only works on plain-text signature files, and the .cvd archives freshclam downloads are compressed and signed, so unpack them in a scratch directory with sigtool's --unpack option first; and the database lives wherever DatabaseDirectory points (a default source build uses /usr/local/share/clamav, while the Fedora packages use /var/lib/clamav). Then run something like:
grep -iR <Virus-Name-From-Log> /var/lib/clamav/
For example:
grep -iR Email.Phishing.RB-2646 /var/lib/clamav/
The match is a hex-encoded byte pattern, possibly with ClamAV's wildcards such as ?? and {n-m}. Run the hex through a hex-to-ASCII converter and it will show what in the file triggered the virus flag.
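Rather than pasting hex into a web converter, the lookup and the decoding can be done in one step. The script below is an added example written for this page, not part of ClamAV. It takes a signature name and the plain-text files that sigtool --unpack produces (main.ndb, daily.ndb, main.db and so on), finds the matching .ndb or legacy .db lines the way the grep above does, and renders the hex body as text while keeping ClamAV's wildcards visible (nibble wildcards become ?, gaps such as {-100} and * are copied through, and (aa|bb) alternatives are decoded per branch). The SAMPLE_DB lines are constructed for this example and are not real ClamAV signatures; with no files on the command line the script searches them instead.

```python
"""
Decode ClamAV hex signatures into readable text, so you can see what a
signature named in /var/log/virus.log actually looks for.

Added example written for this page, not part of ClamAV.  It works on the
plain-text signature files that `sigtool --unpack main.cvd` writes into the
current directory, e.g.:  python3 decode_sig.py Email.Phishing.RB-2646 *.ndb *.db
The SAMPLE_DB lines below are constructed for this example, not real signatures.
"""
import re
import sys

# .ndb line: Name:TargetType:Offset:HexSig[:MinFL[:MaxFL]]
NDB_RE = re.compile(r'^([^:]+):(\d+):([^:]+):([^:\s]+)')
# legacy .db line: Name=HexSig
DB_RE = re.compile(r'^([^=\s]+)=(\S+)$')

HEX_DIGITS = set('0123456789abcdefABCDEF?')   # '?' is ClamAV's nibble wildcard

# Constructed sample in the shape sigtool --unpack produces (not real sigs).
SAMPLE_DB = """\
Email.Phishing.Sample-1:0:*:446561722076616c75656420637573746f6d6572{-100}76657269667920796f7572206163636f756e74
Exe.Header.Sample-2:1:0:4d5a??00(50|4e)45
Legacy.Sample-3=48656c6c6f*776f726c64
"""


def decode_hex_sig(sig):
    """
    Render a ClamAV hex signature body as text.  Printable bytes become
    characters, other bytes become \\xNN, and the wildcards are kept as
    written: ?? / a? nibble wildcards become '?', '*', {n-m} gaps and [n-m]
    ranges are copied through, (aa|bb) alternatives are decoded per branch,
    and the (B)/(L)/(W) boundary markers are left alone.
    """
    out = []
    i, n = 0, len(sig)
    while i < n:
        c = sig[i]
        if c in '*!':
            out.append(c)
            i += 1
        elif c in '{[':
            close = '}' if c == '{' else ']'
            j = sig.find(close, i)
            j = n - 1 if j == -1 else j
            out.append(sig[i:j + 1])
            i = j + 1
        elif c == '(':
            j = sig.find(')', i)
            j = n - 1 if j == -1 else j
            inner = sig[i + 1:j]
            if inner in ('B', 'L', 'W'):
                out.append('(' + inner + ')')
            else:
                out.append('(' + '|'.join(decode_hex_sig(a) for a in inner.split('|')) + ')')
            i = j + 1
        elif i + 1 < n and c in HEX_DIGITS and sig[i + 1] in HEX_DIGITS:
            pair = sig[i:i + 2]
            if '?' in pair:
                out.append('?')
            else:
                b = int(pair, 16)
                out.append(chr(b) if 0x20 <= b < 0x7f else '\\x%02x' % b)
            i += 2
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def parse_line(line):
    """Return (name, hex_body) for a .ndb or legacy .db line, else None."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    m = NDB_RE.match(line)
    if m:
        return m.group(1), m.group(4)
    m = DB_RE.match(line)
    if m:
        return m.group(1), m.group(2)
    return None


def find_signatures(name, lines):
    """Case-insensitive name search (like the page's grep -i), decoded."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and name.lower() in parsed[0].lower():
            hits.append((parsed[0], decode_hex_sig(parsed[1])))
    return hits


def main(argv):
    if len(argv) < 2:
        print("usage: %s SIGNATURE-NAME [unpacked .ndb/.db files...]" % argv[0])
        return 2
    name, files = argv[1], argv[2:]
    lines = []
    if files:
        for path in files:
            with open(path, errors='replace') as fh:
                lines.extend(fh)
    else:
        lines = SAMPLE_DB.splitlines()   # no files given: search the sample
    hits = find_signatures(name, lines)
    for sig_name, text in hits:
        print("%s\n    %s" % (sig_name, text))
    return 0 if hits else 1


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Signature types other than .ndb and .db (hash-based .hdb/.mdb, .pdb phishing URL rules, .ldb logical signatures) carry no hex body to decode and are skipped; for those the line itself is already readable.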
Fighting Viruses
Online Virus scanning sites:
Upload a file to ClamAV
