ClamAV

From MattWiki

ClamAV is an open source anti-virus suite written for Linux/Unix systems.

We are going to use ClamAV as our gateway mail server anti-virus solution.

ClamAV

Note: This page was written with Fedora 8 & 9 in mind, and may not work correctly with other versions or distributions.

Installing ClamAV

yum install clamav clamav-update

Building and Installing ClamAV (from source files)

If this is a new install, run the following. First, confirm you have the required dependencies:

yum -y install gmp-devel

Then add the clamav user and group:

echo "clamav:x:509:509:ClamAV:/dev/null:/sbin/nologin" >> /etc/passwd
echo "clamav:x:509:" >> /etc/group

Download the latest source file from: http://clamav.org/download/sources, then run something like this:

cd /var/svn
wget http://voxel.dl.sourceforge.net/sourceforge/clamav/clamav-0.94.2.tar.gz
tar -xzf clamav-0.94.2.tar.gz
cd clamav-0.94.2
./configure
echo $?
make
echo $?

If everything checks out, stop the running daemon and install:

monit stop clamav
sleep 10
make install && monit start clamav
echo $?

If this is an upgrade, make sure you reload your running clamd process and run freshclam.

Configuring ClamAV

First you will need to make a /etc/clamd.conf file. In that file, start out with something like this:

PidFile /var/run/clamav/clamd.pid
LocalSocket /var/run/clamav/clamd.socket
User clamav

Now you need to make the PID and socket directory:

mkdir /var/run/clamav
chown clamav:clamav /var/run/clamav
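As an added check (example code written for this page, not part of ClamAV or of the wiki's setup files): the script below reads PidFile, LocalSocket and User from a clamd.conf and confirms that the directory each path lives in exists and is owned by that user, which is exactly the failure you get when the mkdir/chown step above is skipped or done for the wrong user. The three configuration keys are real clamd.conf directives; the function names and the sample configs are this example's own.

```shell
#!/bin/sh
# clamd-preflight.sh (added example, not from the wiki or ClamAV): verify that
# the directories behind PidFile and LocalSocket in a clamd.conf exist and are
# owned by the configured User before clamd is started.

# Print the value of directive $2 from config file $1 (first match wins;
# comment lines and blank lines are ignored). Returns 1 when it is absent.
clamd_conf_get() {
    awk -v key="$2" '
        $1 !~ /^#/ && $1 == key { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Owner (user name) of a path; tries GNU stat first, then BSD stat.
path_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# Check the parent directory of PidFile and LocalSocket. Prints one line per
# problem; the return value is the number of problems (0 = ready to start).
clamd_preflight() {
    conf=$1
    problems=0
    user=$(clamd_conf_get "$conf" User) || {
        echo "User directive missing in $conf"
        return 1
    }
    for key in PidFile LocalSocket; do
        path=$(clamd_conf_get "$conf" "$key") || {
            echo "$key directive missing in $conf"
            problems=$((problems + 1))
            continue
        }
        dir=$(dirname "$path")
        if [ ! -d "$dir" ]; then
            echo "$key: directory $dir does not exist (mkdir it and chown to $user)"
            problems=$((problems + 1))
        elif [ "$(path_owner "$dir")" != "$user" ]; then
            echo "$key: directory $dir is owned by $(path_owner "$dir"), expected $user"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Usage when run directly: clamd-preflight.sh /etc/clamd.conf
if [ $# -gt 0 ]; then
    clamd_preflight "$1" && echo "clamd.conf looks ready"
fi
```

Run it before the first start; a non-zero exit status is the count of problems it printed, so it can sit in front of the init script's start action without parsing its output.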

ClamAV INIT Script

Note: This file can be found in the Clam Setup file

Next you need an init script to start clamd with. Place the below at /etc/init.d/clamd:

#!/bin/sh
# clamav        Script to start/stop clamd.
#
# chkconfig:    - 63 38
# description:  clamav antivirus daemon.
#
# processname: clamd
# pidfile: /var/run/clamav/clamd.pid
# 
# Source function library
. /etc/rc.d/init.d/functions

# Get network config
. /etc/sysconfig/network

###########################################################################
# CONFIGURATION

# Most configuration options are found in the clamd.conf file
# The location of configuration file
config=/etc/clamd.conf

# The prefix clamd was installed to
prefix=/usr/local

###########################################################################
# SCRIPT

RETVAL=0

start() {
       echo -n $"Starting Clamav: "
       daemon $prefix/sbin/clamd
       RETVAL1=$?
       echo
       [ $RETVAL1 -eq 0 ] && touch /var/lock/subsys/clamd
       return $RETVAL1
}

stop() {
       echo -n $"Stopping Clamav: "
       killproc clamd
       RETVAL=$?
       echo
       [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/clamd
       return $RETVAL
}

restart() {
       stop
       start
}

case "$1" in
 start)
       start
       ;;
 stop)
       stop
       ;;
 status)
       status clamd
       ;;
 restart)
       restart
       ;;
 *)
        echo $"Usage: $0 {start|stop|status|restart}"
        exit 1

esac
exit $?

Name the above something like /etc/init.d/clamd and run:

chmod 755 /etc/init.d/clamd
/sbin/chkconfig --add clamd
/sbin/chkconfig clamd on
/sbin/chkconfig --list clamd

Now you need a virus database. ClamAV will not run until you run FreshClam, so let's do it.

FreshClam

FreshClam Config File

To start out, there may be a /etc/freshclam.conf file already in place; if so, run:

mv /etc/freshclam.conf /etc/freshclam.conf.default

My FreshClam config file looks like this:

LogSyslog yes
PidFile /var/run/clamav/freshclam.pid
DatabaseMirror database.clamav.net
MaxAttempts 5
Checks 50

If you don't feel like rebuilding your config file, you can just remove the Example line from the default file.

FreshClam INIT Script

Note: This file can be found in the Clam Setup file

Make the following file as /etc/init.d/freshclamd:

#!/bin/sh
# freshclam        Script to start/stop freshclam.
#
# chkconfig:    - 64 37
# description:  freshclam virus database updater for ClamAV.
#
# processname: freshclam
# pidfile: /var/run/clamav/freshclam.pid
#
# The chkconfig header above is required for "chkconfig --add" to accept the
# script; the 64/37 priorities are a choice made here (just after clamd's 63/38).
#
# Source function library
. /etc/rc.d/init.d/functions
# Get network config
. /etc/sysconfig/network
###########################################################################
# CONFIGURATION

# Most configuration options are found in the freshclam.conf file
# The location of configuration file
config=/etc/freshclam.conf

# The prefix freshclam was installed to
prefix=/usr/local

###########################################################################
# SCRIPT 

RETVAL=0
            
start() {
        echo -n $"Starting Freshclam: "
        daemon $prefix/sbin/freshclam -p /var/run/clamav/freshclam.pid
        RETVAL1=$?
        echo
        [ $RETVAL1 -eq 0 ] && touch /var/lock/subsys/freshclam
        return $RETVAL1
}

stop() {
        echo -n $"Stopping Freshclam: "
        killproc freshclam
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/freshclam
        return $RETVAL
}

restart() {
        stop
        start
}

case "$1" in
 start)
        start
        ;;
 stop)
        stop
        ;;
 status)
        status freshclam
        ;;
 restart)
        restart
        ;;
 *)
        echo $"Usage: $0 {start|stop|status|restart}"
        exit 1
esac
exit $?

Name the above something like /etc/init.d/freshclamd and run:

chmod 755 /etc/init.d/freshclamd
/sbin/chkconfig --add freshclamd
/sbin/chkconfig freshclamd on
/sbin/chkconfig --list freshclamd

ClamSMTP

This section assumes you have a working ClamAV installation.

ClamSMTP Installation

./configure --prefix=/usr --sysconfdir=/etc
make && make install
echo $?
mkdir /tmp/clamav
touch /var/log/virus.log
chown clamav:clamav /tmp/clamav /var/log/virus.log

Note: This file can be found in the Clam Setup file

Then make the config file (/etc/clamsmtpd.conf) with something like:

OutAddress : 10026
Listen : 127.0.0.1:10025
ClamAddress : /var/run/clamav/clamd.socket
Header : 'X-Virus-Scanned: ClamAV using ClamSMTP Determined that this email is: CLEAN'
PidFile : /var/run/clamav/clamsmtpd.pid
Action : drop
Quarantine : on
TransparentProxy : off
User : clamav
TempDirectory : /tmp/clamav
VirusAction : /usr/local/sbin/clam-virus-action.sh

ClamSMTP INIT Script

Note: This file can be found in the Clam Setup file

Now that you have ClamSMTP installed, you need to start it. Here is my working ClamSMTP init script. Place this script in /etc/init.d/clamsmtpd:

#!/bin/sh
# clamsmtpd        Script to start/stop clamsmtpd.
#
# chkconfig:    - 65 36
# description:  clamsmtpd SMTP virus-scanning proxy for ClamAV.
#
# processname: clamsmtpd
# pidfile: /var/run/clamav/clamsmtpd.pid
#
# The chkconfig header above is required for "chkconfig --add" to accept the
# script; the 65/36 priorities are a choice made here (after clamd and freshclam).
#
# Source function library
. /etc/rc.d/init.d/functions
# Get network config
. /etc/sysconfig/network
###########################################################################
# CONFIGURATION

# Most configuration options are found in the clamsmtpd.conf file
# The location of configuration file
config=/etc/clamsmtpd.conf

# The prefix clamsmtpd was installed to
prefix=/usr

###########################################################################
# SCRIPT 

RETVAL=0
            
start() {
        echo -n $"Starting Clamsmtpd: "
        daemon $prefix/sbin/clamsmtpd -p /var/run/clamav/clamsmtpd.pid
        RETVAL1=$?
        echo
        [ $RETVAL1 -eq 0 ] && touch /var/lock/subsys/clamsmtpd
        return $RETVAL1
}

stop() {
        echo -n $"Stopping Clamsmtpd: "
        killproc clamsmtpd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/clamsmtpd
        return $RETVAL
}

restart() {
        stop
        start
}

case "$1" in
 start)
        start
        ;;
 stop)
        stop
        ;;
 status)
        status clamsmtpd
        ;;
 restart)
        restart
        ;;
 *)
        echo $"Usage: $0 {start|stop|status|restart}"
        exit 1
esac
exit $?

After you have created your new init script run:

chmod 755 /etc/init.d/clamsmtpd
/sbin/chkconfig --add clamsmtpd
/sbin/chkconfig clamsmtpd on
/sbin/service clamsmtpd start

ClamSMTP Virus Action Script

Note: This file can be found in the Clam Setup file

The virus action script is what runs after ClamAV finds a virus. In the current setup all viruses are put into the /tmp/clamav folder. With the following logs and emails you can find the offending file and retrieve it if necessary.

  • /usr/local/sbin/clam-virus-action.sh
#!/bin/sh
# clam-virus-action.sh: run by clamsmtpd (the VirusAction setting in
# clamsmtpd.conf) whenever a message is found infected. clamsmtpd passes the
# details in the environment:
#   $VIRUS       name of the signature that matched
#   $SENDER      envelope sender
#   $RECIPIENTS  envelope recipient(s)
#   $EMAIL       path of the quarantined message under TempDirectory
LOGFILE=/var/log/virus.log

# Append one line per detection to the virus log.
echo "`date +%b' '%d' '%T` Virus=$VIRUS  To=$RECIPIENTS  From=$SENDER  File=$EMAIL" >> $LOGFILE

# Notify the recipient(s), including the headers of the blocked message.
echo "An email sent to $RECIPIENTS was blocked by the anti-virus system. 
If you believe this was in error please forward this email to your system administrator.

--------------------------------------------------------------------
 Sender: $SENDER
 `grep 'Subject:' $EMAIL`
 Recipient: $RECIPIENTS
 Virus Found: $VIRUS
 File: $EMAIL


 Your Faithful Employees,
 -ClamAV & ClamSMTP


 Here is the header of the offending message:
--------------------------------------------------------------------

`formail -X "" < $EMAIL`

--------------------------------------------------------------------
" |mail -s 'A Virus was Blocked' $RECIPIENTS
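Once the action script has been running for a while, /var/log/virus.log is the record of what was blocked and where the copies went. The script below is an added example (not part of the wiki's clam-virus-action.sh or of ClamSMTP) that reads that log format and reports which signatures are firing and whether each quarantined file is still on disk. The three log lines it embeds are constructed sample data in the action script's format, and the function names are this example's own.

```shell
#!/bin/sh
# virus-log-report.sh (added example, not from the wiki or ClamSMTP): summarise
# the lines clam-virus-action.sh appends to /var/log/virus.log. Line format:
#   Mon dd HH:MM:SS Virus=<name>  To=<rcpt>  From=<sender>  File=<quarantined message>

# Write three constructed sample log lines to file $1 (sample data, not a real log).
virus_log_sample() {
    cat > "$1" <<'EOF'
Jan 05 10:12:01 Virus=Email.Phishing.RB-2646  To=alice@example.com  From=spam@example.net  File=/tmp/clamav/clamsmtpd.ABC123
Jan 05 10:40:19 Virus=Eicar-Test-Signature  To=bob@example.com  From=test@example.org  File=/tmp/clamav/clamsmtpd.DEF456
Jan 06 08:03:55 Virus=Email.Phishing.RB-2646  To=carol@example.com  From=spam@example.net  File=/tmp/clamav/clamsmtpd.GHI789
EOF
}

# Detections per signature name, most frequent first, as "<name> <count>".
virus_log_by_name() {
    sed -n 's/.*Virus=\([^ ]*\).*/\1/p' "$1" | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# Every quarantined file named in the log, tagged "present" or "missing".
# TempDirectory is /tmp/clamav, so a tmp cleaner may already have removed
# the copy you want to retrieve; this tells you before you go looking.
virus_log_files() {
    sed -n 's/.*File=\([^ ]*\).*/\1/p' "$1" | while IFS= read -r f; do
        if [ -e "$f" ]; then
            printf '%s present\n' "$f"
        else
            printf '%s missing\n' "$f"
        fi
    done
}

# Usage when run directly: virus-log-report.sh /var/log/virus.log
if [ $# -gt 0 ]; then
    virus_log_by_name "$1"
    virus_log_files "$1"
fi
```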

ClamSMTP References

Finding what triggered the virus flag

The virus log (/var/log/virus.log) records the name of the virus found in each file. Once you have the virus name in question, run a command like this:

grep -iR <Virus-Name-From-Log> /var/lib/clamav/

For example:

grep -iR Email.Phishing.RB-2646 /var/lib/clamav/

Now take the hex output from this command and run it through a hex-to-ASCII converter.

This will display what in the file triggered the virus flag.
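The grep and hex-to-ASCII steps above can be done in one go. The script below is an added example, not ClamAV's own tooling or code from this page: it looks a signature name up in the plain-text database formats "Name=HEX" (.db) and "Name:Target:Offset:HEX" (.ndb) and renders the hex body with ClamAV's wildcard tokens (??, *, {n-m}, (aa|bb)) left visible, so you can see both the literal bytes and where the pattern is loose. The two signatures it writes into a sample directory are invented for the example, and the function names are its own.

```shell
#!/bin/sh
# clam-sig-decode.sh (added example, not from the wiki or ClamAV): find a
# signature by name in plain-text ClamAV database files and render its body.

# Render a ClamAV hex signature body. Each hex pair becomes the byte it
# encodes: printable ASCII is shown as-is, anything else as \xNN. Wildcard
# tokens (??, *, {n-m}, (aa|bb)) are passed through untouched.
clam_hex_decode() {
    body=$1
    out=""
    rb='}'
    while [ -n "$body" ]; do
        case $body in
            '??'*)                        # any single byte
                out="${out}??"
                body=${body#??} ;;
            '*'*|'('*|')'*|'|'*)          # gap / alternation syntax, kept literally
                out="${out}$(printf '%.1s' "$body")"
                body=${body#?} ;;
            '{'*)                         # {n-m}: n to m arbitrary bytes
                tok=${body%%"$rb"*}$rb
                out="${out}${tok}"
                body=${body#"$tok"} ;;
            *)
                pair=$(printf '%.2s' "$body")
                body=${body#??}
                case $pair in
                    [0-9a-fA-F][0-9a-fA-F]) ;;
                    *) printf 'not a hex pair: %s\n' "$pair" >&2; return 1 ;;
                esac
                dec=$(printf '%d' "0x$pair")
                if [ "$dec" -ge 32 ] && [ "$dec" -le 126 ]; then
                    ch=$(printf "\\$(printf '%03o' "$dec")")
                else
                    ch="\\x$pair"
                fi
                out="${out}${ch}" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Print the decoded body of the first .db/.ndb entry named $1 (case-insensitive,
# like the grep -i above) under directory $2. Returns 1 when it is not found.
clam_sig_lookup() {
    name=$1
    dbdir=$2
    pat=$(printf '%s' "$name" | sed 's/[.[\*^$]/\\&/g')   # escape regex metacharacters
    line=$(grep -ih -- "^${pat}[=:]" "$dbdir"/*.db "$dbdir"/*.ndb 2>/dev/null | head -n 1)
    [ -n "$line" ] || { printf 'signature %s not found in %s\n' "$name" "$dbdir" >&2; return 1; }
    rest=${line#*[=:]}
    case $line in
        *=*) body=$rest ;;                                   # .db:  Name=HEX
        *)   body=$(printf '%s\n' "$rest" | cut -d: -f3) ;;  # .ndb: Target:Offset:HEX[:MinFL[:MaxFL]]
    esac
    clam_hex_decode "$body"
}

# Write two constructed signatures (invented for this example, not real ClamAV
# signatures) into directory $1, one per format.
clam_make_sample_db() {
    printf 'Example.Phish.Test-1:0:*:446f776e6c6f6164{1-6}6e6f77\n' > "$1/daily.ndb"
    printf 'Example.Legacy.Test-2=48656c6c6f0a\n' > "$1/main.db"
}

# Usage when run directly: clam-sig-decode.sh <Virus-Name-From-Log> [/var/lib/clamav]
if [ $# -gt 0 ]; then
    clam_sig_lookup "$1" "${2:-/var/lib/clamav}"
fi
```

grep only sees text in uncompressed .db/.ndb files; the .cvd/.cld databases have to be unpacked first (sigtool --unpack) before either the grep above or this script will find anything in them.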

Fighting Viruses

Online Virus scanning sites:

Upload a file to ClamAV