Posts Tagged Clamav

SquirrelMail Folder Scan with ClamAV


Transferring Mail to IMAP
You may have mail that you want to move into the new IMAP account you created with Postfix and SquirrelMail.  Create a folder for it first; in this example the folder is named OldMail.

The Postfix Training Manual has more information.

If you move mail in from a different account, or from an Outlook Express account by forwarding messages to a folder or by drag and drop, you may want to scan it for viruses first.  You can do this manually with ClamAV.  In this example the virtual mailboxes live under /var/vmail; the scan is recursive (-r) and only infected files are reported (--infected):

clamscan -r --infected /var/vmail

----------- SCAN SUMMARY -----------
Known viruses: 806314
Engine version: 0.96.1
Scanned directories: 116
Scanned files: 129
Infected files: 0
Data scanned: 0.24 MB
Data read: 0.24 MB (ratio 1.00:1)
Time: 6.315 sec (0 m 6 s)

ClamAv and Spamassassin on CentOS 5 Postfix


Install Amavisd-New on CentOS 5

Amavisd-new isn't in the CentOS repositories, so the first thing you'll need to do is add the Dag Wieers/RPMForge repository to your YUM configuration.  Start at the Dag Wieers/RPMForge website:

http://dag.wieers.com/rpm/FAQ.php#B

Copy and paste the appropriate command for your Red Hat-style distro into the command line of the server.

To keep the RPMForge packages from overriding official CentOS packages, install the YUM Priorities plug-in.

yum install yum-priorities

Then, open the /etc/yum/pluginconf.d/priorities.conf file, and verify that the following lines are present:

[main]
enabled = 1

Open the /etc/yum.repos.d/CentOS-Base.repo file, or whatever its equivalent is for your distro, and add the line:
priority=1

to the “base”, “addons”, “updates”, and “extras” sections of the file.  Add the line:

priority=2

to the “centosplus” and “contrib” sections of the file.  (Again, the section names may vary, depending on which particular distro that you’re running.)

Open the /etc/yum.repos.d/rpmforge.repo file, and add the line:

priority=11

To test your configuration, run the command,

yum check-update

When it finishes, you should see a line similar to:

818 packages excluded due to repository priority protections
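Applying the priority lines by hand across six sections and two files is easy to get wrong, and a section left without a priority is exactly the one RPMForge will win.  The script below is an added example, not part of the original post or of the yum-priorities plugin: it rewrites a .repo file line by line, replacing an existing priority= line or adding one directly under the [section] header, and is safe to re-run.  The section names, values and file paths are the ones from the steps above.

```python
"""Enforce yum repository priorities in .repo files (added example).

Line-oriented on purpose: configparser would reorder keys and drop comments,
and yum reads these files as plain text anyway.
"""
import re
import sys

# Values from the steps above: CentOS repos first, centosplus/contrib next,
# RPMForge last so it can never shadow an official package.
CENTOS_PRIORITIES = {"base": 1, "addons": 1, "updates": 1, "extras": 1,
                     "centosplus": 2, "contrib": 2}
RPMFORGE_PRIORITIES = {"rpmforge": 11}

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")
PRIORITY_RE = re.compile(r"^\s*priority\s*=")


def set_repo_priorities(text, priorities):
    """Return `text` with priority=N enforced for every section in `priorities`."""
    lines = text.splitlines()
    # Pass 1: which sections already carry a priority= line?
    has, section = set(), None
    for line in lines:
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif PRIORITY_RE.match(line):
            has.add(section)
    # Pass 2: add the line under the header where it was absent, replace the
    # first existing one and drop any duplicates, leave everything else alone.
    out, section, done = [], None, set()
    for line in lines:
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            out.append(line)
            if section in priorities and section not in has:
                out.append(f"priority={priorities[section]}")
            continue
        if section in priorities and PRIORITY_RE.match(line):
            if section not in done:
                done.add(section)
                out.append(f"priority={priorities[section]}")
            continue
        out.append(line)
    return "\n".join(out) + "\n"


def apply_to_file(path, priorities):
    """Rewrite one .repo file in place; returns True if anything changed."""
    with open(path) as f:
        old = f.read()
    new = set_repo_priorities(old, priorities)
    if new != old:
        with open(path, "w") as f:
            f.write(new)
    return new != old


if __name__ == "__main__":
    repo_dir = sys.argv[1] if len(sys.argv) > 1 else "/etc/yum.repos.d"
    changed = apply_to_file(f"{repo_dir}/CentOS-Base.repo", CENTOS_PRIORITIES)
    changed |= apply_to_file(f"{repo_dir}/rpmforge.repo", RPMFORGE_PRIORITIES)
    print("updated, now run: yum check-update" if changed else "already set")
```

Run it as root, then confirm with yum check-update that the "packages excluded due to repository priority protections" line appears.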

ClamAV and Spamassassin Install
Before you install amavisd-new you will want to install both clamav and spamassassin as it will make it easier when you install amavisd-new.

yum install clamav clamav-milter spamassassin

You will need to edit the file the init script reads before spamd will start.  The post edits /etc/default/spamassassin (the Debian/Ubuntu location) and sets the enable flag:

ENABLED=1

On CentOS the equivalent file is /etc/sysconfig/spamassassin, which only holds SPAMDOPTIONS; there the service is enabled with chkconfig spamassassin on.

service spamassassin start

Amavisd-new Installation
This program ties the scanners, ClamAV and SpamAssassin, to Postfix.
yum install amavisd-new

For a first run, start it in the foreground in debug mode so you can see what it loads and where it fails:

/usr/sbin/amavisd debug

Use CTRL+C to stop it.

Setup Requirements for  amavisd-new
You need a dedicated user and group to run the amavisd daemon.  Create the group first, then the user with that primary group and no login shell:
groupadd vscan
useradd -g vscan -s /sbin/nologin vscan

Create a directory for the program:
mkdir /var/vscan

Create these sub-directories:
mkdir /var/vscan/tmp
mkdir /var/vscan/var
mkdir /var/vscan/db
mkdir /var/vscan/home

Change ownership and permissions on /var/vscan so only vscan can use it:
chown -R vscan:vscan /var/vscan
chmod -R 750 /var/vscan

Edit the /etc/amavisd.conf
The key setting in this file is $MYHOME, which must point at /var/vscan.  Other settings are examined later in this document.

Each major section of the /etc/amavisd.conf file will be examined with explanations.

# COMMONLY ADJUSTED SETTINGS:

# @bypass_virus_checks_maps = (1);  # controls running of anti-virus code
# @bypass_spam_checks_maps  = (1);  # controls running of anti-spam code
# $bypass_decode_parts = 1;         # controls running of decoders&dearchivers

You have the option to bypass the virus and spam checks.  The usual reason would be to reduce the load on your server.  To bypass a check, uncomment the corresponding line.  When amavisd processes a message it runs the checks in this order:
1. virus scan
2. banned-name check
3. spam scan
4. bad-header scan

The order is deliberate: the most dangerous content is evaluated first and the least dangerous last.  It can cost more CPU than a cheaper ordering would, but it is the safer choice for a mail server.

Be sure that you set up a user and group for use with amavisd.  Here the user and group that were created are both vscan.  Enter them in this section of the conf file:

$daemon_user  = 'vscan';     # (no default;  customary: vscan or amavis), -u
$daemon_group = 'vscan';     # (no default;  customary: vscan or amavis), -g

Enter the correct domain for your server.

$mydomain = 'example.com';   # a convenient default for other settings

The $MYHOME setting is critical to getting amavisd to work correctly.  The /var/vscan directory must be created and its permissions set.  Here is a listing of the files and directories that should exist in /var/vscan once amavisd has run:

/var/vscan
total 32
drwxr-xr-x  7 vscan vscan 4096 Sep 18 06:22 .
drwxr-xr-x 22 root  root  4096 Jul 12 06:06 ..
-rw-r-----  1 vscan vscan    0 Sep 18 17:21 amavisd.lock
-rw-r-----  1 vscan vscan    6 Sep 18 06:22 amavisd.pid
srwxr-x---  1 vscan vscan    0 Sep 18 06:22 amavisd.sock
drwxr-xr-x  2 vscan vscan 4096 Sep 18 06:22 db
drwxr-xr-x  2 vscan vscan 4096 Sep 29  2007 home
drwx------  2 vscan vscan 4096 Sep 19 05:51 .spamassassin
drwxr-xr-x  7 vscan vscan 4096 Sep 19 05:51 tmp
drwxr-xr-x  2 vscan vscan 4096 Sep 29  2007 var

The quarantine directory /var/virusmails must also be created and its permissions set.  This directory holds spam or infected mail for further review.  The mail is stored gzip-compressed to save space, which can still become an issue over time.  How much lands in the quarantine depends on whether you are saving infected mail and at what level spam is quarantined; these settings are reviewed below.

# $MYHOME = '/var/vscan';   # a convenient default for other settings, -H
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = '/var/virusmails';  # -Q

This section simply shows you the directories that are in the /var/vscan folder and what they are used for.

# $db_home   = "$MYHOME/db";      # dir for bdb nanny/cache/snmp databases, -D
# $helpers_home = "$MYHOME/var";  # working directory for SpamAssassin, -S
# $lock_file = "$MYHOME/var/amavisd.lock";  # -L
# $pid_file  = "$MYHOME/var/amavisd.pid";   # -P
#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually

The amavisd log level controls how much detail you get.  The default is 0.  Right after a new setup, or whenever you need to trace how a message was handled, raise it; level 5 is verbose but still readable.  Logging goes through syslog, as the settings below show; if your system does not use syslog you will need to change $DO_SYSLOG and the facility to match your logging setup.

$log_level = 0;              # verbosity 0..5, -d
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_facility = 'mail';   # Syslog facility as a string
# e.g.: mail, daemon, user, local0, ... local7
$syslog_priority = 'debug';  # Syslog base (minimal) priority as a string,
# choose from: emerg, alert, crit, err, warning, notice, info, debug
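At level 0 the useful line is the one-per-message summary amavisd writes to the mail facility: Passed CLEAN, Passed SPAMMY, Blocked SPAM, Blocked INFECTED (signature), with the recipient, the SpamAssassin score (Hits:) and, for blocked mail, the quarantine file.  The parser below is an added example, not from the original post or from amavisd-new; the log lines it contains are construct­ed in that shape (host, addresses and ids are made up) so it runs without a mail server.  Point it at /var/log/maillog to get the same summary for real traffic.

```python
"""Summarise amavisd-new level-0 log lines: what was passed, what was blocked, why.

Added example, not from the original post.  SAMPLE_LOG is constructed in the
shape amavisd-new logs to syslog at $log_level = 0 (one line per message).
"""
import re
import sys
from collections import Counter

SAMPLE_LOG = """\
Jan  9 12:55:03 nag amavis[4573]: (04573-01) Passed CLEAN, [192.0.2.10] [192.0.2.10] <alice@example.net> -> <tom@example.com>, Message-ID: <a1@example.net>, mail_id: vdY9Pk4Qcvf2, Hits: -1.9, size: 2345, queued_as: 4B6A7C6, 2334 ms
Jan  9 12:55:41 nag amavis[4573]: (04573-02) Passed SPAMMY, [198.51.100.7] [198.51.100.7] <deals@example.org> -> <tom@example.com>, Message-ID: <b2@example.org>, mail_id: K1x7ugwNmpQa, Hits: 6.5, size: 8120, queued_as: 5C7D8E9, 1871 ms
Jan  9 12:56:12 nag amavis[4574]: (04574-01) Blocked SPAM, [198.51.100.7] [198.51.100.7] <deals@example.org> -> <mike@example.com>, quarantine: spam-3vRqLZ0Yf8tA.gz, Message-ID: <c3@example.org>, mail_id: 3vRqLZ0Yf8tA, Hits: 1001.5, size: 910, 402 ms
Jan  9 12:57:05 nag amavis[4575]: (04575-01) Blocked INFECTED (Eicar-Test-Signature), [203.0.113.4] [203.0.113.4] <bob@example.net> -> <tom@example.com>, quarantine: virus-Y4RqD2c1ucVw, Message-ID: <d4@example.net>, mail_id: Y4RqD2c1ucVw, Hits: -, size: 1024, 233 ms
Jan  9 12:58:30 nag amavis[4575]: (04575-02) Passed BAD-HEADER, [192.0.2.10] [192.0.2.10] <alice@example.net> -> <tom@example.com>, Message-ID: <e5@example.net>, mail_id: QpR2sT3uV4wX, Hits: 0.2, size: 1500, queued_as: 6D8E9F0, 540 ms
"""

# Process name varies: amavis (Debian/Ubuntu), amavisd or amavisd-new elsewhere.
LINE_RE = re.compile(
    r"amavis(?:d(?:-new)?)?\[\d+\]: \((?P<id>\d+-\d+)\) (?P<action>Passed|Blocked) "
    r"(?P<ccat>[A-Z-]+)(?: \((?P<detail>[^)]*)\))?, "
    r"\[(?P<ip>[^\]]*)\].*?<(?P<from>[^>]*)> -> <(?P<to>[^>]*)>"   # first recipient only
    r"(?:.*?quarantine: (?P<quar>\S+),)?.*?Hits: (?P<hits>-?[\d.]+|-)")


def parse_line(line):
    """One summary line -> dict (id, action, ccat, detail, ip, from, to, quar, hits)."""
    m = LINE_RE.search(line)
    if not m:
        return None                      # TIMING, debug and non-amavis lines
    rec = m.groupdict()
    rec["hits"] = None if rec["hits"] == "-" else float(rec["hits"])  # '-' = not spam-scanned
    return rec


def summarise(text, kill_level=6.9):
    """Count outcomes; list ids at/above kill level and everything quarantined."""
    counts, killed, quarantined = Counter(), [], []
    for rec in filter(None, map(parse_line, text.splitlines())):
        counts[f"{rec['action']} {rec['ccat']}"] += 1
        if rec["hits"] is not None and rec["hits"] >= kill_level:
            killed.append(rec["id"])
        if rec["quar"]:
            quarantined.append((rec["id"], rec["quar"]))
    return counts, killed, quarantined


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    counts, killed, quarantined = summarise(text)
    for outcome, n in counts.most_common():
        print(f"{n:6d}  {outcome}")
    print("at/above kill level:", killed)
    print("quarantined:", quarantined)
```

The kill_level argument defaults to the $sa_kill_level_deflt value used further down on this page; pass your own if you change it.  Hits: - means the message never reached SpamAssassin, which is what you see for anything already blocked as infected.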

This is the TCP port amavisd listens on for mail from Postfix.  By default amavisd binds it to 127.0.0.1 only ($inet_socket_bind), so it is not reachable from the Internet.  It must match the port you configure in the Postfix content_filter setting.

$inet_socket_port = 10024;   # listen on this local TCP port(s)

Spam thresholds are set in amavisd, not in SpamAssassin.  When a message is analysed, SpamAssassin scores the whole message and amavisd compares that score against the levels below.  A message scoring below the tag level (2.0 by default) is passed through untouched.  At or above the tag level amavisd adds the X-Spam-* information headers (X-Spam-Status, X-Spam-Score, X-Spam-Level) but still delivers the mail to the user's MUA as usual.

The tag2 level (6.2 by default) marks the message as spam: amavisd adds X-Spam-Flag: YES and prefixes the Subject with the tag set further down in amavisd.conf.  Consider changing this tag so it cannot be confused with headers set by other programs a user may run.  The mail is still passed to the user's MUA, which may take its own action based on the header or subject; so if mail fails to reach a user, it may be the MUA filtering on this marker.

$sa_spam_subject_tag = '***SPAM*** ';

The kill level takes an entirely different action.  Once the kill level is reached the message is bounced, rejected, discarded or passed according to $final_spam_destiny.  The DSN cutoff (10 by default) suppresses the bounce notification above that score, since the sender address on a high-scoring message is almost certainly forged and the bounce would only be backscatter; a separate, higher cutoff (18) applies when the From looks credible.  There is also an option to stop quarantining above a certain level; the default there is 25.

$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.2;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.9;  # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off

This is the reinjection port once the mail has gone through the content filter.

# $notify_method  = 'smtp:[127.0.0.1]:10025';
# $forward_method = 'smtp:[127.0.0.1]:10025';  # set to undef with milter!

These are the default actions for a detected virus, a banned attachment, spam and bad headers.  Uncomment a line and set it to D_PASS, D_BOUNCE, D_REJECT or D_DISCARD.  D_DISCARD is the right choice for viruses: the sender address is usually forged, so a bounce only generates backscatter.

# $final_virus_destiny      = D_DISCARD;
# $final_banned_destiny     = D_BOUNCE;
# $final_spam_destiny       = D_BOUNCE;
# $final_bad_header_destiny = D_PASS;

Connecting amavisd-new to Postfix
When connecting to Postfix it is important not to send the mail back into Postfix on port 25, which would create a mail loop.  Scanned mail must come back through a separate listener.  amavisd-new listens on port 10024 by default and hands mail back on 10025.

You must add a content filter connection to the main.cf.

content_filter = amavisd-new:[127.0.0.1]:10024

Testing the Connection for ESMTP Commands
$ telnet localhost 10024
Trying 127.0.0.1…
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
EHLO mail.example.com
250-[127.0.0.1]
250-VRFY
250-PIPELINING
250-SIZE
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 XFORWARD NAME ADDR PROTO HELO
quit
221 2.0.0 [127.0.0.1] amavisd-new closing transmission channel
Connection closed by foreign host.

Now create a transport in the master.cf file.

# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: “man 5 master”).
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd -v
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
amavisd-new unix  -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200s
    -o disable_dns_lookups=yes

This is a copy of the standard smtp transport.  The service name must be exactly the same as the name in the content_filter setting in main.cf, and the -o continuation lines must start with whitespace or Postfix will read them as new services.  The maximum number of concurrent processes is set to 2 to limit the load on the scanner; review it once the server has been running for a while.  The longer timeout keeps Postfix from giving up when amavisd-new takes an extended time on a message.

Configure a Reinjection Path
This is a way for amavisd-new to send mail back into the Postfix queue without creating a loop.

# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: “man 5 master”).
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd -v
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
amavisd-new unix  -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200s
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n    -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes

Many of the smtpd restrictions are set to an empty value because Postfix has already applied them on port 25 and you do not want them run a second time.  Remember you are sending the output back into your own queue, so you should neither repeat work already done nor create a loop: content_filter is cleared so the reinjected mail is not filtered again.  The listener is bound to 127.0.0.1 and mynetworks is limited to 127.0.0.0/8 with permit_mynetworks,reject, so only local processes can inject unfiltered mail through it.

Set Up Virus and Spam Scanning on Ubuntu 8.10


Install of Amavisd-New on Ubuntu 8.10

One of the most frustrating problems with setting up any mail server is the configuration required for anti-virus protection and Spam checking.  Amavisd-new provides an excellent tool to help in setting that up.  This is a step-by-step process in providing your mail server, the example is Ubuntu 8.10, with the ability to scan all incoming mail for viruses and Spam.

apt-get install amavisd-new

Starting Amavisd-New
To get amavisd-new running, execute the command below to run it in debug mode so you can see what it does.  One thing you will notice is that by default no virus scanner is attached and spam checking is disabled.  Note the modules it loads, the ports it binds, and the general look and feel of the program.

/etc/init.d/amavis debug
Trying to run amavisd-new in debug mode…

Jan  9 12:46:47.927 nag.example.com /usr/sbin/amavisd-new[4384]: starting.  /usr/sbin/amavisd-new at nag.example.com amavisd-new-2.6.1 (20080629), Unicode aware, LANG="en_US.UTF-8"
Jan  9 12:46:47.928 nag.example.com /usr/sbin/amavisd-new[4384]: user=, EUID: 112 (112);  group=, EGID: 123 123 (123 123)
Jan  9 12:46:47.928 nag.example.com /usr/sbin/amavisd-new[4384]: Perl version               5.010000
Jan  9 12:46:47.980 nag.example.com /usr/sbin/amavisd-new[4384]: INFO: no optional modules: IO::Socket::INET6
Jan  9 12:46:47.982 nag.example.com /usr/sbin/amavisd-new[4384]: Net::Server: 2009/01/09-12:46:47 Amavis (type Net::Server::PreForkSimple) starting! pid(4384)
Jan  9 12:46:47.987 nag.example.com /usr/sbin/amavisd-new[4384]: Net::Server: Binding to UNIX socket file /var/lib/amavis/amavisd.sock using SOCK_STREAM
Jan  9 12:46:47.988 nag.example.com /usr/sbin/amavisd-new[4384]: Net::Server: Binding to TCP port 10024 on host 127.0.0.1
Jan  9 12:46:47.989 nag.example.com /usr/sbin/amavisd-new[4384]: Net::Server: Group Not Defined.  Defaulting to EGID '123 123'
Jan  9 12:46:47.989 nag.example.com /usr/sbin/amavisd-new[4384]: Net::Server: User Not Defined.  Defaulting to EUID '112'
Jan  9 12:46:47.989 nag.example.com /usr/sbin/amavisd-new[4384]: Net::Server: Setting up serialization via flock
Jan  9 12:46:47.990 nag.example.com /usr/sbin/amavisd-new[4384]: after_chroot_init: EUID: 112 (112);  EGID: 123 123 (123 123)
Jan  9 12:46:47.990 nag.example.com /usr/sbin/amavisd-new[4384]: config files read: /usr/share/amavis/conf.d/10-debian_scripts, /usr/share/amavis/conf.d/20-package, /etc/amavis/conf.d/01-debian, /etc/amavis/conf.d/05-domain_id,  for       .tar  tried: pax
Jan  9 12:46:48.037 nag.example.com /usr/sbin/amavisd-new[4384]: Found decoder for    .tar  at /bin/cpio
Jan  9 12:46:48.038 nag.example.com /usr/sbin/amavisd-new[4384]: Found decoder for    .deb  at /usr/bin/ar
--cut--

Enable Virus Checks and Spam Checks

Verify that clamd is running:

sudo /etc/init.d/clamav-daemon start

Modify this line in /etc/default/spamassassin

ENABLED=1

It is 0 by default, so you must enable SpamAssassin before it will run; then start it:

sudo /etc/init.d/spamassassin start

To make amavisd-new use SpamAssassin and ClamAV, edit /etc/amavis/conf.d/15-content_filter_mode as root and uncomment the lines so they look like the example below.  Then restart amavisd-new in debug mode: the output now shows ClamAV and SpamAssassin being picked up.

15-content_filter_mode

@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

Jan  9 12:54:47.978 nag.example.com /usr/sbin/amavisd-new[4563]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Jan  9 12:54:47.979 nag.example.com /usr/sbin/amavisd-new[4563]: No secondary av scanner: FRISK F-Prot Antivirus
Jan  9 12:54:47.979 nag.example.com /usr/sbin/amavisd-new[4563]: No secondary av scanner: Trend Micro FileScanner
Jan  9 12:54:47.979 nag.example.com /usr/sbin/amavisd-new[4563]: No secondary av scanner: drweb – DrWeb Antivirus
Jan  9 12:54:47.980 nag.example.com /usr/sbin/amavisd-new[4563]: No secondary av scanner: KasperskyLab kavscanner

Jan  9 12:54:48.003 nag.example.com /usr/sbin/amavisd-new[4563]: SpamControl: initializing Mail::SpamAssassin
Jan  9 12:54:48.004 nag.example.com /usr/sbin/amavisd-new[4563]: SpamAssassin debug facilities: info
Jan  9 12:54:49.559 nag.example.com /usr/sbin/amavisd-new[4563]: SpamControl: init_pre_fork on SpamAssassin done

Jan  9 12:54:49.576 nag.example.com /usr/sbin/amavisd-new[4573]: SpamControl: init_child on SpamAssassin done

Finish the Amavisd-New Configuration

Create Necessary users and folders as root.
# useradd vscan

# mkdir /var/vscan
# mkdir /var/vscan/tmp
# mkdir /var/vscan/var
# mkdir /var/vscan/db
# mkdir /var/vscan/home
# chown -R vscan:vscan /var/vscan
# chmod -R 750 /var/vscan

Creating a Reinjection Port
The flow below is how mail arrives at the server: smtpd accepts it, it enters the queue, and the queue manager hands it to the content_filter transport, which delivers it to amavisd-new on port 10024, where it is scanned with SpamAssassin and ClamAV.  When scanning is complete, amavisd-new must not send the mail back to port 25, because content_filter would be applied again and you would create a loop.  So you create a reinjection port (10025 here) on which Postfix accepts the scanned mail with content_filter cleared.  This section shows how to set up those two ports.

Edit main.cf and Add Content Filter

#Amavisd SetUp
content_filter=amavisd-new:[127.0.0.1]:10024

Edit  master.cf and Add Reinjection

amavisd-new  unix  -    -       n       -       2       smtp
    -o smtp_data_done_timeout=1200s
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes

Add the clamav user to the amavis group so clamd, which runs as clamav, can read the temporary files amavisd-new unpacks (on Ubuntu: adduser clamav amavis).  The resulting /etc/group entry:

amavis:x:123:clamav

Send an email and watch the system as it runs in debug mode.

sendmail -f mike@example.com tom@example.com </etc/postfix/main.cf
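Sending a file of config text through sendmail proves the plumbing moves mail; it does not prove the filter decides anything.  The probe below is an added example, not part of the original post or of amavisd-new, and applies to both the CentOS and the Ubuntu setups on this page: it speaks SMTP directly to the content-filter port (127.0.0.1:10024 as configured above), submits a message carrying SpamAssassin's GTUBE pattern or the EICAR test string, and classifies the end-of-DATA reply the way Postfix would.  The canned transcript in EICAR_DISCARDED is constructed, modelled on amavisd's reply lines, so the session logic runs offline; for a live run hand submit() a real socket.  Use a local recipient: anything the filter passes really is reinjected on 10025 and delivered.

```python
"""Push a GTUBE (spam) or EICAR (virus) probe through the amavisd-new filter port.

Added example, not from the original post or amavisd-new.  EICAR_DISCARDED is
a constructed transcript modelled on amavisd's replies; pass a real socket
(socket.create_connection(("127.0.0.1", 10024))) to submit() for a live probe.
"""
# Published test patterns: GTUBE scores 1000 in SpamAssassin, EICAR is the AV test file.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_test_message(sender, rcpt, kind):
    """RFC 5322 text carrying the GTUBE ('spam') or EICAR ('virus') pattern."""
    body = {"spam": GTUBE, "virus": EICAR}[kind]
    return (f"From: <{sender}>\r\nTo: <{rcpt}>\r\n"
            f"Subject: amavisd {kind} probe\r\n\r\n{body}\r\n")


def read_reply(conn, buf):
    """Read one SMTP reply ('250-' lines continue it, '250 ' ends it)."""
    texts = []
    while True:
        while b"\r\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:
                raise ConnectionError("filter closed the connection")
            buf += chunk
        line, buf = buf.split(b"\r\n", 1)
        line = line.decode("ascii", "replace")
        texts.append(line[4:])
        if line[3:4] != "-":
            return int(line[:3]), texts, buf


def submit(conn, helo, sender, rcpt, message):
    """Drive one envelope through the filter; returns (code, text, ehlo_caps)."""
    _, _, buf = read_reply(conn, b"")                      # 220 banner

    def cmd(text):
        nonlocal buf
        conn.sendall((text + "\r\n").encode("ascii"))
        code, texts, buf = read_reply(conn, buf)
        return code, texts

    caps = None
    for step in (f"EHLO {helo}", f"MAIL FROM:<{sender}>", f"RCPT TO:<{rcpt}>", "DATA"):
        code, texts = cmd(step)
        if code not in (250, 354):
            raise RuntimeError(f"{step} refused: {code} {texts[0]}")
        caps = caps or texts                                # EHLO's capability list
    # Dot-stuffing: a body line starting with '.' goes on the wire as '..'.
    stuffed = ["." + ln if ln.startswith(".") else ln
               for ln in message.rstrip("\r\n").split("\r\n")]
    conn.sendall(("\r\n".join(stuffed) + "\r\n.\r\n").encode("utf-8"))
    code, texts, buf = read_reply(conn, buf)                # the verdict
    cmd("QUIT")
    return code, texts[0], caps


def verdict(code, text):
    """Map the end-of-DATA reply to what Postfix will do with the message."""
    if code == 250 and "discarded" in text:
        return "discarded"    # D_DISCARD, or D_BOUNCE (amavisd sends the DSN itself)
    if code == 250:
        return "reinjected"   # clean or D_PASS: handed on to 127.0.0.1:10025
    if 500 <= code < 600:
        return "rejected"     # D_REJECT: Postfix relays the 5xx to the sender
    return "tempfail"         # 4xx: Postfix keeps the message queued and retries


class ScriptedConn:
    """Socket stand-in that replays constructed replies, one per client turn."""
    def __init__(self, replies):
        self.replies, self.sent = list(replies), []
        self.pending = self.replies.pop(0)                  # banner is unsolicited

    def sendall(self, data):
        self.sent.append(data)
        self.pending += self.replies.pop(0) if self.replies else b""

    def recv(self, n):
        out, self.pending = self.pending[:n], self.pending[n:]
        return out


# Constructed transcript of an EICAR probe with $final_virus_destiny = D_DISCARD.
EICAR_DISCARDED = [
    b"220 [127.0.0.1] ESMTP amavisd-new service ready\r\n",
    b"250-[127.0.0.1]\r\n250-VRFY\r\n250-PIPELINING\r\n250-SIZE\r\n250-ENHANCEDSTATUSCODES\r\n"
    b"250-8BITMIME\r\n250-DSN\r\n250 XFORWARD NAME ADDR PROTO HELO\r\n",
    b"250 2.1.0 Sender postmaster@example.com OK\r\n",
    b"250 2.1.5 Recipient postmaster@example.com OK\r\n",
    b"354 End data with <CR><LF>.<CR><LF>\r\n",
    b"250 2.7.0 Ok, discarded, id=04573-01 - INFECTED: Eicar-Test-Signature\r\n",
    b"221 2.0.0 [127.0.0.1] amavisd-new closing transmission channel\r\n",
]


def run_scripted(kind="virus", replies=EICAR_DISCARDED):
    """Offline run against the canned transcript; returns (verdict, caps, wire)."""
    conn, me = ScriptedConn(replies), "postmaster@example.com"
    code, text, caps = submit(conn, "mail.example.com", me, me,
                              build_test_message(me, me, kind))
    return verdict(code, text), caps, b"".join(conn.sent)
```

A GTUBE probe against a correctly wired setup comes back "discarded" or "rejected" depending on $final_spam_destiny, never "reinjected"; if it does come back reinjected, either spam checks are still bypassed or the score never reached the kill level.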

Review File Contents for Amavisd-New
cd /etc/amavis/conf.d

Once you have installed amavisd-new you will find a number of files that make up its configuration and control how it interacts with SpamAssassin and ClamAV.  These files, or at least their important parts, are listed here with a brief description.

01-debian
This file sets the paths of the decoders and decompressors amavisd-new uses to unpack attachments.  Do not modify it.

# SETTINGS RARELY MODIFIED BY THE LOCAL ADMIN

$ENV{PATH} = $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$file   = 'file';
$gzip   = 'gzip';
$bzip2  = 'bzip2';
$lzop   = 'lzop';
$rpm2cpio   = ['rpm2cpio.pl','rpm2cpio'];
$cabextract = 'cabextract';
$uncompress = ['uncompress', 'gzip -d', 'zcat'];
#$unfreeze   = ['unfreeze', 'freeze -d', 'melt', 'fcat']; #disabled (non-free, no security support)
$unfreeze = undef;
$arc        = ['nomarch', 'arc'];
$unarj      = ['arj', 'unarj'];
#$unrar      = ['rar', 'unrar']; #disabled (non-free, no security support)
$unrar  = ['unrar-free'];
$zoo    = 'zoo';
#$lha    = 'lha'; #disabled (non-free, no security support)
$lha    = undef;
$pax    = 'pax';
$cpio   = 'cpio';
$ar     = 'ar';
$ripole = 'ripole';
$dspam  = 'dspam';

1;  # ensure a defined return

05-domain_id
# amavisd-new needs to know which email domains are to be considered local
# to the administrative domain.  Only emails to “local” domains are subject
# to certain functionality, such as the addition of spam tags.
#
# Default local domains to $mydomain and all subdomains.  Remember to
# override or redefine this if $mydomain is changed later in the config
# sequence.

@local_domains_acl = ( ".$mydomain" );

1;  # ensure a defined return

05-node_id
If you have problems with your FQDN you can alter that manually here.

# $myhostname is used by amavisd-new for node identification, and it is
# important to get it right (e.g. for ESMTP EHLO, loop detection, and so on).

chomp($myhostname = `hostname --fqdn`);

15-av_scanners
This file holds the information required for amavisd to locate the virus scanners you may have installed on your box.

15-content_filter_mode
By default this file disables both virus scanning and spam checking in amavisd-new; uncomment the two blocks to enable them.
use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Uncomment the two lines below to enable it back
#

#@bypass_virus_checks_maps = (
#   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

#
# Default SPAM checking mode
# Uncomment the two lines below to enable it back
#

#@bypass_spam_checks_maps = (
#   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;  # ensure a defined return

21-ubuntu_defaults
There are settings here that you can modify to determine the action your machine should take when it discovers either a virus email or spam.

use strict;

#
# These are Ubuntu specific defaults for amavisd-new configuration
#
# DOMAIN KEYS IDENTIFIED MAIL (DKIM)
$enable_dkim_verification = 1;
# Don’t be verbose about sending mail:
@whitelist_sender_acl = qw( .$mydomain );
$final_virus_destiny      = D_DISCARD; # (defaults to D_BOUNCE)
$final_banned_destiny     = D_BOUNCE;  # (defaults to D_BOUNCE)
$final_spam_destiny       = D_DISCARD;  # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS;  # (defaults to D_PASS), D_BOUNCE suggested

$warnbannedsender = 1;
$warnbadhsender = 1;
$virus_admin = undef;
$spam_admin = undef;

25-amavis_helpers
Functionality required for amavis helpers like  amavis-release.

30-template_localization
read_l10n_templates('en_US', '/etc/amavis');

40-policy_banks

# DKIM signing domain whitelist. The domain to use is the domain after
# d= in the DKIM header.

@author_to_policy_bank_maps = ( {
# 'friends.example.net'     => 'WHITELIST,NOBANNEDCHECK',
# 'user1@cust.example.net'  => 'WHITELIST,NOBANNEDCHECK',
'.ebay.com'               => 'WHITELIST',
'.ebay.co.uk'             => 'WHITELIST',
'ebay.at'                 => 'WHITELIST',
'ebay.ca'                 => 'WHITELIST',
'ebay.de'                 => 'WHITELIST',
'ebay.fr'                 => 'WHITELIST',
'.paypal.co.uk'           => 'WHITELIST',
'.paypal.com'             => 'WHITELIST',  # author signatures
'./@paypal.com'           => 'WHITELIST',  # 3rd-party sign. by paypal.com
'alert.bankofamerica.com' => 'WHITELIST',
'amazon.com'              => 'WHITELIST',
'cisco.com'               => 'WHITELIST',
'.cnn.com'                => 'WHITELIST',
'skype.net'               => 'WHITELIST',
'welcome.skype.com'       => 'WHITELIST',
'cc.yahoo-inc.com'        => 'WHITELIST',
'cc.yahoo-inc.com/@yahoo-inc.com' => 'WHITELIST',
# 'google.com'              => 'MILD_WHITELIST',
# 'googlemail.com'          => 'MILD_WHITELIST',
# './@googlegroups.com'     => 'MILD_WHITELIST',
# './@yahoogroups.com'      => 'MILD_WHITELIST',
# './@yahoogroups.co.uk'    => 'MILD_WHITELIST',
# './@yahoogroupes.fr'      => 'MILD_WHITELIST',
# 'yousendit.com'           => 'MILD_WHITELIST',
# 'meetup.com'              => 'MILD_WHITELIST',
# 'dailyhoroscope@astrology.com' => 'MILD_WHITELIST',
} );

50-user
# Place your configuration directives here.  They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#

Manually Scanning for Viruses


Using Clamscan to Manually Scan Directories
Typically you would allow amavisd-new to control the scanning process.  However, there may come a time when you want to manually scan a directory or file that is suspicious.
1. Scan a File
clamscan filename

2. Scan Current Working Directory
clamscan

3. Recursive Scan of a Directory
This command will scan and only report infected files.
clamscan -r --infected /home

4. Scan Data Stream
cat file | clamscan -

5. Scan Mail Directory
clamscan -r /var/spool/mail
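For a scheduled scan of the mail store, both the -r --infected scan of /var/vmail at the top of this page and the variants just listed are easier to act on when the output is parsed rather than read.  The wrapper below is an added example, not from the original post or from ClamAV.  It runs clamscan with the flags shown above (plus --stdout, and optionally --move=DIR to quarantine hits, which takes the message out of the Maildir it was found in), parses the "path: Signature FOUND" lines and the SCAN SUMMARY block, and maps clamscan's exit status (0 clean, 1 infected, 2 error).  SAMPLE_OUTPUT is constructed in the format of the summary shown at the top of this page; the path and signature in it are made up.

```python
"""Run clamscan over a directory and turn its output into structured results.

Added example, not from the original post or from ClamAV.  SAMPLE_OUTPUT is a
constructed clamscan transcript; the path and signature name are made up.
"""
import re
import subprocess
import sys

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")
EXIT_CODES = {0: "clean", 1: "infected", 2: "error"}   # documented clamscan exit codes


def parse_clamscan(output):
    """Return ({path: signature}, {summary key: value}) from clamscan's stdout."""
    found, summary, in_summary = {}, {}, False
    for line in output.splitlines():
        if "SCAN SUMMARY" in line:
            in_summary = True
            continue
        m = (SUMMARY_RE if in_summary else FOUND_RE).match(line)
        if not m:
            continue                       # blank lines, progress noise
        if in_summary:
            summary[m["key"].strip()] = m["value"].strip()
        else:
            found[m["path"]] = m["sig"]
    return found, summary


def scan(path, move_to=None, clamscan="clamscan"):
    """Recursive, infected-only scan; optionally move hits into a quarantine dir."""
    cmd = [clamscan, "--recursive", "--infected", "--stdout"]
    if move_to:
        cmd.append(f"--move={move_to}")    # hits leave the mailbox they were found in
    cmd.append(path)
    proc = subprocess.run(cmd, capture_output=True, text=True)
    status = EXIT_CODES.get(proc.returncode, f"unknown({proc.returncode})")
    if status == "error":
        raise RuntimeError(proc.stderr.strip() or "clamscan failed")
    found, summary = parse_clamscan(proc.stdout)
    return status, found, summary


SAMPLE_OUTPUT = """\
/var/vmail/example.com/tom/new/1263041503.V803I1f2M.nag: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 806314
Engine version: 0.96.1
Scanned directories: 116
Scanned files: 129
Infected files: 1
Data scanned: 0.24 MB
Data read: 0.24 MB (ratio 1.00:1)
Time: 6.315 sec (0 m 6 s)
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        status, found, summary = scan(sys.argv[1])
    else:                                  # no path given: demonstrate the parser
        found, summary = parse_clamscan(SAMPLE_OUTPUT)
        status = "infected" if found else "clean"
    print(status, summary.get("Infected files", "?"), "infected")
    for path, sig in found.items():
        print(f"  {sig}\t{path}")
```

An exit status of 2 is raised rather than reported as clean on purpose: a scan that could not run (missing database, unreadable directory) must not look like a scan that found nothing.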

Configure ClamAv for Postfix


Create a user and group called clamav with this command:

groupadd clamav
useradd -g clamav -s /bin/false clamav

The -s /bin/false gives the account a non-functional shell, so nobody can log in as clamav.

Start clamd (as root; it drops to the clamav user set in clamd.conf):
/usr/sbin/clamd
LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days.  ***
LibClamAV Warning: ***        Please update it IMMEDIATELY!       ***
LibClamAV Warning: **************************************************
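Once clamd is up, the direct way to confirm it answers, and to see what a scanner client does when it hands a message to clamd, is to speak the clamd protocol yourself.  The client below is an added example, not from the original post or from ClamAV.  It assumes the TCP settings shown in the clamd.conf further down (TCPSocket 3310 on TCPAddr 127.0.0.1); pass a LocalSocket path as addr to use the Unix socket instead.  Commands use clamd's NUL-terminated "z" framing, and INSTREAM sends the data as big-endian length-prefixed chunks closed by a zero-length chunk, so nothing has to be written to a directory clamd can read.  A blob larger than StreamMaxLength gets an ERROR reply, which the parser reports as such rather than treating it as clean.  The EICAR constant is the public antivirus test string.

```python
"""Minimal clamd client: PING/VERSION liveness check and INSTREAM scanning.

Added example, not from the original post or from ClamAV.  Default address is
the TCPSocket/TCPAddr pair from the clamd.conf on this page (an assumption).
"""
import socket
import struct

# Public EICAR test string; every ClamAV database flags it.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
CLAMD = ("127.0.0.1", 3310)


def instream_frames(data, chunk=65536):
    """Wire encoding of zINSTREAM: <u32 BE length><bytes>... ended by a zero length."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out += struct.pack(">I", len(piece)) + piece
    out += struct.pack(">I", 0)
    return bytes(out)


def parse_reply(raw):
    """'stream: Name FOUND\\0' -> ('FOUND', 'Name'); 'stream: OK\\0' -> ('OK', None)."""
    text = raw.rstrip(b"\0").decode("ascii", "replace").strip()
    if text.endswith(" FOUND"):
        return "FOUND", text[:-len(" FOUND")].split(": ", 1)[-1]
    if text.endswith(" OK") or text == "OK":
        return "OK", None
    if text.endswith("ERROR"):             # e.g. the StreamMaxLength limit was hit
        return "ERROR", text
    return "UNKNOWN", text


def exchange(payload, addr=CLAMD, timeout=60):
    """Send one z-command and read until clamd closes the connection."""
    if isinstance(addr, str):              # LocalSocket path
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        sock.connect(addr)
    else:                                  # (host, port) for TCPSocket
        sock = socket.create_connection(addr, timeout=timeout)
    with sock:
        sock.sendall(payload)
        chunks = []
        while True:
            part = sock.recv(4096)
            if not part:
                return b"".join(chunks)
            chunks.append(part)


def ping(addr=CLAMD):
    """(True, version string) when clamd is alive; the version includes the db level."""
    alive = exchange(b"zPING\0", addr).rstrip(b"\0") == b"PONG"
    version = exchange(b"zVERSION\0", addr).rstrip(b"\0").decode("ascii", "replace")
    return alive, version


def scan_bytes(data, addr=CLAMD):
    """Scan an in-memory blob (a mail file, an attachment) without touching disk."""
    return parse_reply(exchange(instream_frames(data), addr))


if __name__ == "__main__":
    print(ping())
    print(scan_bytes(EICAR))        # ('FOUND', <signature name>) on a working clamd
    print(scan_bytes(b"hello"))     # ('OK', None)
```

The VERSION reply carries the signature database version and date, which is the quick check for the "older than 7 days" warning shown above without grepping the log.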

/etc/clamd.conf

Be sure to comment out the example line!

##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##

# Comment or remove the line below.
#Example

# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamav/clamd.log

# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if you want to run another clamd instance,
# please copy the configuration file, change the LogFile variable, and run
# the daemon with the --config-file option).
# This option disables log file locking.
# Default: disabled
#LogFileUnlock

# Maximal size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default: 1M
LogFileMaxSize 0

# Log time with each message.
# Default: disabled
LogTime

# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: disabled
#LogClean

# Use system logger (can work together with LogFile).
# Default: disabled
LogSyslog

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

# Enable verbose logging.
# Default: disabled
#LogVerbose

# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile /var/run/clamav/clamd.pid

# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
TemporaryDirectory /var/tmp

# Path to the database directory.
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/clamav

# The daemon works in a local OR a network mode. Due to security reasons we
# recommend the local mode.

# Path to a local socket file the daemon will listen on.
# Default: disabled
#LocalSocket /var/run/clamav/clamd.sock

# Remove stale socket after unclean shutdown.
# Default: disabled
FixStaleSocket

# TCP port address.
# Default: disabled
TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: disabled
TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.
# Default: 15
MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximal attachment size.
# Default: 10M
#StreamMaxLength 20M

# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000
# Maximal number of threads running at the same time.
# Default: 10
#MaxThreads 20

# Waiting for data from a client socket will timeout after this time (seconds).
# Value of 0 disables the timeout.
# Default: 120
ReadTimeout 300

# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60

# Maximal depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20

# Follow directory symlinks.
# Default: disabled
#FollowDirectorySymlinks

# Follow regular file symlinks.
# Default: disabled
#FollowFileSymlinks

# Perform internal sanity check (database integrity and freshness).
# Default: 1800 (30 min)
#SelfCheck 600

# Execute a command when virus is found. In the command string %v will
# be replaced by a virus name.
# Default: disabled
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as a selected user (clamd must be started by root).
# Default: disabled
User clamav

# Initialize supplementary group access (clamd must be started by root).
# Default: disabled
AllowSupplementaryGroups

# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM

# Don't fork into background.
# Default: disabled
#Foreground

# Enable debug messages in libclamav.
# Default: disabled
#Debug
# Do not remove temporary files (for debug purposes).
# Default: disabled
#LeaveTemporaryFiles

# By default clamd uses scan options recommended by libclamav. This option
# disables recommended options and allows you to enable selected ones below.
# DO NOT TOUCH IT unless you know what you are doing.
# Default: disabled
#DisableDefaultScanOptions

##
## Executable files
##

# PE stands for Portable Executable - it's an executable file format used
# in all 32-bit versions of Windows operating systems. This option allows
# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite.
# Default: enabled
#ScanPE

# With this option clamav will try to detect broken executables and mark
# them as Broken.Executable
# Default: disabled
DetectBrokenExecutables

##
## Documents
##

# This option enables scanning of Microsoft Office document macros.
# Default: enabled
#ScanOLE2

##
## Mail files
##

# Enable internal e-mail scanner.
# Default: enabled
ScanMail

# If an email contains URLs ClamAV can download and scan them.
# WARNING: This option may open your system to a DoS attack.
#       Never use it on loaded servers.
# Default: disabled
#MailFollowURLs
##
## HTML
##

# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: enabled
#ScanHTML

##
## Archives
##

# ClamAV can scan within archives and compressed files.
# Default: enabled
#ScanArchive

# Due to license issues libclamav does not support RAR 3.0 archives (only the
# old 2.0 format is supported). Because some users report stability problems
# with unrarlib it's disabled by default and you must uncomment the directive
# below to enable RAR 2.0 support.
# Default: disabled
#ScanRAR

# The options below protect your system against Denial of Service attacks
# using archive bombs.

# Files in archives larger than this limit won’t be scanned.
# Value of 0 disables the limit.
# Default: 10M
#ArchiveMaxFileSize 15M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This option specifies how
# deep the process should be continued.
# Value of 0 disables the limit.
# Default: 8
#ArchiveMaxRecursion 9

# Number of files to be scanned within an archive.
# Value of 0 disables the limit.
# Default: 1000
#ArchiveMaxFiles 1500

# If a file in an archive is compressed more than ArchiveMaxCompressionRatio
# times it will be marked as a virus (Oversized.ArchiveType, e.g. Oversized.Zip)
# Value of 0 disables the limit.
# Default: 250
ArchiveMaxCompressionRatio 300

# Use slower but memory efficient decompression algorithm.
# only affects the bzip2 decompressor.
# Default: disabled
#ArchiveLimitMemoryUsage

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: disabled
ArchiveBlockEncrypted

# Mark archives as viruses (e.g. RAR.ExceededFileSize, Zip.ExceededFilesLimit)
# if ArchiveMaxFiles, ArchiveMaxFileSize, or ArchiveMaxRecursion limit is
# reached.
# Default: disabled
ArchiveBlockMax
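The four archive directives above (ArchiveMaxCompressionRatio, ArchiveMaxFiles, ArchiveMaxRecursion and the two ArchiveBlock* switches) are easier to reason about when you see the same limits enforced by hand. The following Python script is an added example written for this post; it is not code from ClamAV or from the original page. It walks a zip in memory, refuses to inflate any member past compress_size times the allowed ratio (so a bomb that lies in its central directory still gets cut off), counts members, follows nested zips up to a depth limit, and flags encrypted entries from the zip header flag bit. The verdict names Oversized.Zip, Encrypted.Zip and Zip.ExceededFilesLimit come from the config comments; Zip.ExceededRecursionLimit, the ArchiveLimits class, the helper names and the four sample archives are constructed for the demo.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import List

ZIP_LOCAL_HEADER_MAGIC = b"PK\x03\x04"   # every non-empty zip starts with a local file header


@dataclass
class ArchiveLimits:
    """Mirror of the clamd.conf archive directives (class and values assumed for this demo)."""
    max_compression_ratio: int = 250   # ArchiveMaxCompressionRatio (0 disables)
    max_files: int = 1000              # ArchiveMaxFiles (0 disables)
    max_recursion: int = 8             # ArchiveMaxRecursion (0 disables)
    block_encrypted: bool = True       # ArchiveBlockEncrypted
    block_max: bool = True             # ArchiveBlockMax


def _inflate_capped(zf: zipfile.ZipFile, info: zipfile.ZipInfo, max_bytes: float):
    """Inflate one member in chunks and give up (return None) once max_bytes is exceeded.
    Streaming with a cap is what protects against a bomb whose central directory lies
    about its sizes: at most max_bytes plus one chunk ever sits in memory."""
    out = io.BytesIO()
    with zf.open(info) as member:
        while True:
            chunk = member.read(64 * 1024)
            if not chunk:
                return out.getvalue()
            out.write(chunk)
            if out.tell() > max_bytes:
                return None


def check_zip(data: bytes, limits: ArchiveLimits, depth: int = 0) -> List[str]:
    """Return verdict names for a zip blob; an empty list means every limit was respected."""
    verdicts: List[str] = []
    if limits.max_recursion and depth > limits.max_recursion:
        if limits.block_max:
            verdicts.append("Zip.ExceededRecursionLimit")   # constructed name
        return verdicts                                     # never descend further
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return verdicts                                     # not a zip: nothing to enforce here
    with zf:
        infos = zf.infolist()
        if limits.max_files and len(infos) > limits.max_files and limits.block_max:
            verdicts.append("Zip.ExceededFilesLimit")
        for info in infos:
            if info.flag_bits & 0x1:                        # general-purpose flag bit 0: encrypted
                if limits.block_encrypted:
                    verdicts.append("Encrypted.Zip")
                continue                                    # cannot inspect the content anyway
            ratio = limits.max_compression_ratio
            # Cheap first pass on the declared sizes, then the authoritative capped inflate.
            if ratio and info.compress_size and info.file_size / info.compress_size > ratio:
                verdicts.append("Oversized.Zip")
                continue
            cap = max(1, info.compress_size) * ratio if ratio else float("inf")
            payload = _inflate_capped(zf, info, cap)
            if payload is None:
                verdicts.append("Oversized.Zip")
                continue
            if payload.startswith(ZIP_LOCAL_HEADER_MAGIC):
                verdicts.extend(check_zip(payload, limits, depth + 1))
    return verdicts


def make_zip(members: dict) -> bytes:
    """Build a deflated zip in memory from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def demo() -> dict:
    """Run four constructed archives through limits tightened for the demo."""
    limits = ArchiveLimits(max_compression_ratio=300, max_files=3, max_recursion=2)
    samples = {
        "clean": make_zip({"readme.txt": b"hello " * 50}),
        # 1 MiB of zeros deflates to roughly 1 KiB, far beyond a 300:1 ratio
        "bomb": make_zip({"zeros.bin": b"\x00" * (1 << 20)}),
        "many": make_zip({f"f{i}.txt": b"x" for i in range(4)}),
        "nested": make_zip({"l1.zip": make_zip({"l2.zip": make_zip(
            {"l3.zip": make_zip({"leaf.txt": b"deep"})})})}),
    }
    return {name: check_zip(blob, limits) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:7s} -> {verdicts or 'OK'}")
```

With the demo limits the clean archive passes, the zeros archive is stopped before it is fully inflated, the four-member archive trips ArchiveMaxFiles, and the triple-nested archive is cut off at the third level. Note that the check on declared sizes alone would be bypassable, which is why the capped inflate is the check that actually decides.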

##
## Clamuko settings
## WARNING: This is experimental software. It is very likely it will hang
##   up your system!!!
##

# Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.
# Default: disabled
#ClamukoScanOnAccess

# Set access mask for Clamuko.
# Default: disabled
#ClamukoScanOnOpen
#ClamukoScanOnClose
#ClamukoScanOnExec

# Set the include paths (all files in them will be scanned). You can have
# multiple ClamukoIncludePath directives but each directory must be added
# in a separate line.
# Default: disabled
#ClamukoIncludePath /home
#ClamukoIncludePath /students

# Set the exclude paths. All subdirectories are also excluded.
# Default: disabled
#ClamukoExcludePath /home/guru

# Don't scan files larger than ClamukoMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#ClamukoMaxFileSize 10M

Postfix Virus Scan – Install ClamAV

Posted by Filed Under Virus Control with Comments Off

Install the ClamAV Daemon

If YUM is installed, it is the easiest way to install these packages, because it resolves all of the dependencies at once.

If you cannot install ClamAV with yum, the next option is to download the RPMs from dag.wieers.com. Make sure you pick the latest version built for your operating system.

http://dag.wieers.com/rpm/packages/clamav/clamav-0.xxx.el5.rf.i386.rpm

http://dag.wieers.com/rpm/packages/clamav/clamav-db-0.xxx.el5.rf.i386.rpm

http://dag.wieers.com/rpm/packages/clamav/clamav-devel-0.xxx.el5.rf.i386.rpm

http://dag.wieers.com/rpm/packages/clamav/clamav-milter-0.xxx.el5.rf.i386.rpm

http://dag.wieers.com/rpm/packages/clamav/clamd-0.xxx.el5.rf.i386.rpm

Ubuntu Install
ClamAV is in the Ubuntu repositories, so you can install it with apt-get. On Debian and Ubuntu the daemon package is named clamav-daemon rather than clamd.

apt-get install clamav clamav-daemon clamav-milter


Copyright CyberMontana Inc. and Postfixmail.com
All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874