#1
ClamAV Antivirus HOWTO
This is an update to the how-to on adding ClamAV to your DA server using rpm's. The original was close to 2 years old and did not work without changes when I added ClamAV to a new server.

The original is located here for reference: http://www.directadmin.com/forum/sho...&threadid=3860

This is a very basic how-to on adding support for ClamAV to your DirectAdmin server. It simply rejects all messages containing viruses. Please do not try this on a production box unless you are sure you know what you are doing, and do it at your own risk. Your DirectAdmin box must be running the Exiscan patch, which all new DA releases are, AFAIK. I am running on CentOS 4.2, so if you are not, it could go differently.

This is based on info from here: http://www.timj.co.uk/linux/exim.php

SSH into your box as root.

    cd /var/tmp

Now we must download and install ClamAV and Clamd. www.clamav.net or various Fedora rpm's: http://crash.fce.vutbr.cz/crash-hat/

Since I was running CentOS 4.2 and it is based on Fedora Core 3:

    wget http://crash.fce.vutbr.cz/crash-hat/....88-1.i386.rpm
    wget http://crash.fce.vutbr.cz/crash-hat/....88-1.i386.rpm
    rpm -Uvh clamav-0.88-1.i386.rpm
    rpm -Uvh clamav-server-0.88-1.i386.rpm

Now add a cronjob to keep ClamAV up to date.

    export EDITOR=nano
    crontab -e

Add an entry to your crontab as follows:

    46 * * * * /usr/bin/freshclam --quiet

Change 46 to a random number between 1-60 to be considerate to server load. Alt-X to save and exit.

Next type:

    clamd start
    chkconfig clamd on
    freshclam

This should start clamd and bring your virus signatures up to date.

Now we need to edit exim.conf. The -w turns off wordwrap in nano.

    nano -w /etc/exim.conf

At the end of the comments section add this:

    av_scanner = clamd:127.0.0.1 3310

Type in Ctrl-W and search for the second instance of check_message.

Change:

    # ACL that is used after the DATA command
    check_message:
      accept

To this:

    # ACL that is used after the DATA command
    check_message:
      # Virus Check
      deny message = This message contains a virus or other malware ($malware_name)
      demime = *
      malware = *
      accept

Do a Ctrl-X and save. Now restart Exim:

    /etc/init.d/exim restart

Does it work? It should refuse all virus-infected messages.

Test it extensively before trusting it. Also, occasionally the ClamAV software may need to be updated, so log in and do a freshclam to see all is OK once in a while. Unlike Mailscanner, this rejects infected messages before accepting them.

If you cannot get this to work, please post here so someone may help you.

Matthew

Last edited by hci; 02-22-2006 at 08:20 AM.
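A static check for the two exim.conf edits described in the post above, as an added example that is not part of the original thread: it confirms that av_scanner is set and that a deny statement carrying a malware condition comes before the bare accept in check_message, since a deny placed after the accept would never run. The function names check_exim_av and sample_conf and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: check_exim_av /etc/exim.conf
check_exim_av() {
  awk '
    function flush() {                 # close the ACL statement being read
      if (verb == "") return
      if ((verb == "deny" || verb == "drop") && mal && !accepted) guarded = 1
      if (verb == "accept" && nconds == 0) accepted = 1  # bare accept ends the ACL
      verb = ""
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }  # skip comments and blank lines
    /^[ \t]*av_scanner[ \t]*=/ { scanner = $0; sub(/^[^=]*=[ \t]*/, "", scanner) }
    /^check_message:[ \t]*$/ { in_acl = 1; next }  # the ACL itself, not acl_smtp_data
    in_acl && (/^[A-Za-z0-9_]+:[ \t]*$/ || /^begin[ \t]/) { flush(); in_acl = 0 }
    in_acl {
      if ($1 ~ /^(accept|deny|drop|defer|warn|require|discard)$/) {
        flush(); verb = $1; nconds = 0; mal = 0; $1 = ""
      }
      if ($0 ~ /[^ \t]/) nconds++      # any condition or modifier line
      if ($0 ~ /^[ \t]*malware[ \t]*=/) mal = 1
      if ($0 ~ /^[ \t]*demime[ \t]*=/) demime = 1
    }
    END {
      flush()
      ok = (scanner != "" && guarded)
      print ((scanner != "") ? "av_scanner = " scanner : "FAIL: av_scanner is not set")
      print (guarded ? "OK: malware deny runs before the bare accept" : "FAIL: no malware deny before the bare accept")
      if (demime) print "NOTE: demime is used; Exim must support it or it will not start"
      exit (ok ? 0 : 1)
    }
  ' "$1"
}

# Constructed sample: the relevant exim.conf lines after the HOWTO edits.
sample_conf() {
  cat <<'EOF'
av_scanner = clamd:127.0.0.1 3310
acl_smtp_data = check_message
begin acl
check_message:
  # Virus Check
  deny message = This message contains a virus or other malware ($malware_name)
  demime = *
  malware = *
  accept
begin routers
EOF
}
tmp=$(mktemp) && sample_conf > "$tmp" && check_exim_av "$tmp"; rm -f "$tmp"
```

The function returns non-zero when either edit is missing or the deny sits after the accept, so it can gate an Exim restart.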
#2
A thousand thanks, Matthew.
I've moved the thread; it's really a HowTo. (Don't worry; your link still works.) This looks like a good addition to the official SpamBlocker script. Please everyone keep this thread updated so we can make sure it works. Unless we get some bad reviews it's going into the next SpamBlocker in a week.
Jeff
__________________
Jeff Lasman <directadmin@nobaloney.net> +1 951 643-5345 Third-Party DirectAdmin administration and support Dedicated Servers, Dedicated Reseller Accounts NoBaloney Internet Services P.O. Box 52200 Riverside, Calif. 92517
#3
    Starting exim: 2006-02-18 00:35:53 Exim configuration error in line 558 of /etc/exim.conf:
      error in ACL: unknown ACL condition/modifier in "demime = *"

I get that error... Using DA 1.262 with Exim on CentOS 4.2, everything went fine till there. You know what could have caused this?
#4
Quote:
Look here. http://www.directadmin.com/forum/sho...0202#post50202
My DA was a fresh install. Is yours maybe a little older and had Exim compiled differently?
Matthew
#5
Anyone who has converted to dovecot will need to re-patch for that ... otherwise, it works fine.
Joe
__________________
Joseph Mack http://www.hostpc.com Since November 1998 DirectAdmin Hosting and Dedicated Servers Since August 2003

#6
Thanks, work fine
Wael
__________________
Web for host serving the web since 2004 ((( update.script ))) help you to upgrade OpenSSL / Exim / OpenSSH / ProFTP / phpMyAdmin / MySQL / SquirrelMail AVG Anti-Virus / Clam Anti-Virus / MODclamAV / MRTG / SpamAssassin / IMAP SquirrelMail / MODsecurity / MODsecurity Rules / MODevasive / MailScanner KISS My Firewall / eAccelerator / Freetype / Control panel Webmin

#7
You mean like some months old, heh. Been working fine for ages now.
http://www.directadmin.com/forum/sho...threadid=10478

#8
Quote:
http://www.directadmin.com/forum/sho...threadid=10478
Works fine for me, tested on 5 servers.
Wael
#9
Besides, I'm pretty sure my howto covers other OS' as well, instead of the RPM based systems only.
#10
Quote:
http://www.directadmin.com/forum/sho...&threadid=3860
Yours is a source install. I prefer rpm's. Rpm's also make it easier, in my opinion, to upgrade when a new version comes along. But rpm's just won't work for some, and some people would just rather use source. Your how-to would be better for them. Now there are both options. ;<)
Matthew
#11
error
I get this:
    [root@s01 tmp]# ls
    clamav-0.88-1.i386.rpm  clamav-server-0.88-1.i386.rpm
    [root@s01 tmp]# rpm -Uvh clamav-0.88-1.i386.rpm
    warning: clamav-0.88-1.i386.rpm: V3 DSA signature: NOKEY, key ID 6cdf2cc1
    error: Failed dependencies:
            curl is needed by clamav-0.88-1.i386
            libcurl.so.3 is needed by clamav-0.88-1.i386
            libidn is needed by clamav-0.88-1.i386
            libidn.so.11 is needed by clamav-0.88-1.i386
    [root@s01 tmp]# ls
    clamav-0.88-1.i386.rpm  clamav-server-0.88-1.i386.rpm
    [root@s01 tmp]# rpm -Uvh clamav-server-0.88-1.i386.rpm
    warning: clamav-server-0.88-1.i386.rpm: V3 DSA signature: NOKEY, key ID 6cdf2cc1
    error: Failed dependencies:
            clamav = 97:0.88-1 is needed by clamav-server-0.88-1.i386
            libclamav.so.1 is needed by clamav-server-0.88-1.i386
            libcurl.so.3 is needed by clamav-server-0.88-1.i386
            libidn.so.11 is needed by clamav-server-0.88-1.i386
    [root@s01 tmp]# clamd start
    -bash: clamd: command not found
    [root@s01 tmp]#
#12
Quote:
libidn is on the rpm's CD with CentOS 4.2.

    /centos42_rpms/libidn-0.5.6-1.i386.rpm
    /centos42_rpms/libidn-devel-0.5.6-1.i386.rpm

Use rpmfind.net to find and nab the others. What's strange is I do not recall having any troubles with dependencies.
Matthew
#13
Matthew, I run Fedora 3 and read in this forum that making a source would be the solution but don't have a clue...
#14
Try:
    cd /var/tmp
    wget http://wuarchive.wustl.edu/pub/cento...rhel4.i386.rpm
    wget http://wuarchive.wustl.edu/pub/cento...rhel4.i386.rpm
    wget http://wuarchive.wustl.edu/pub/cento...5.6-1.i386.rpm
    wget http://wuarchive.wustl.edu/pub/cento...5.6-1.i386.rpm

rpm -Uvh them all. What do you get?
Matthew
#15
Matthew, what are those files? Can I just rpm them without risk?
#16
Re: error
Quote:
Wael
#17
Re: ClamAV Antivirus HOWTO
It worked beautifully, hci. Thanks a lot!
Am also running CentOS here. Version 4.3.
#19
I get:

    error: Failed dependencies:
            zlib >= 1.2.1.2 is needed by clamav-0.88.1-1

By default DA comes with 1.2.2, right?
#20
0.88-1 not working
I got such errors.
What is strange, I didn't have this on the previous version 0.88. Does anyone have similar problems? Webpage with source is down. Internal Error 500 ;((

    # rpm -Uvh clamav-0.88.1-1.i386.rpm
    warning: clamav-0.88.1-1.i386.rpm: V3 DSA signature: NOKEY, key ID 6cdf2cc1
    error: Failed dependencies:
            libcrypto.so.5 is needed by clamav-0.88.1-1.i386
            libkrb5support.so.0 is needed by clamav-0.88.1-1.i386
            libssl.so.5 is needed by clamav-0.88.1-1.i386
    # rpm -Uvh clamav-server-0.88.1-1.i386.rpm
    warning: clamav-server-0.88.1-1.i386.rpm: V3 DSA signature: NOKEY, key ID 6cdf2cc1
    error: Failed dependencies:
            clamav = 102:0.88.1-1 is needed by clamav-server-0.88.1-1.i386
            libclamav.so.1 is needed by clamav-server-0.88.1-1.i386
            libcrypto.so.5 is needed by clamav-server-0.88.1-1.i386
            libkrb5support.so.0 is needed by clamav-server-0.88.1-1.i386
            libssl.so.5 is needed by clamav-server-0.88.1-1.i386

I check for kerberos and lib ssl:

    # rpm -qa | grep ssl
    openssl-0.9.7a-43.8
    openssl-devel-0.9.7a-43.8
    xmlsec1-openssl-1.2.6-3
    # rpm -qa | grep krb
    pam_krb5-2.1.8-1
    krb5-libs-1.3.4-27
    krb5-workstation-1.3.4-27
    krb5-devel-1.3.4-27
    krbafs-1.2.2-6
    krbafs-devel-1.2.2-6

Must be some RPM error. I'm running on CentOS 4.3 fresh with all updates.