Clamav: Quick glance and exim integration

ClamAV is the most widely used open-source anti-virus engine for Linux, and both the engine and its signature databases are updated frequently. If your server accepts file uploads from the public, or acts as a mail server, scanning every unknown file before it is used or delivered cheaply removes a whole class of attacks. It is most useful on mail gateways, where it is usually integrated with the MTA (sendmail, exim) to filter incoming mail.

ClamAV consists of three utilities: a tool for automatic signature database updates, a multi-threaded scanning daemon, and a command-line scanner. Installation and configuration are simple, so we can quickly take advantage of this open-source software.

In the following sections I will show a quick example of scanning files with ClamAV and of integrating it with exim4 to filter incoming mail on a Red Hat server. Let's start with the installation.

There are no official pre-compiled binaries for ClamAV, so we either compile it ourselves or use third-party packages. I usually download them from here. Three RPM packages are needed, clamav-db, clamd and clamav; download them and install them in dependency order (rpm refuses a package whose dependency is not installed yet, so just follow its complaints).

After the installation there are three programs available:
clamd – the scanning daemon. It accepts scan requests on a local Unix socket and/or a TCP port (3310 by default); this is what the MTA talks to.
freshclam – updates the signature databases from the ClamAV mirrors and keeps your anti-virus solution up to date.
clamscan – the stand-alone command-line scanner that actually checks your files for infections.

The two configuration files are /etc/clamd.conf and /etc/freshclam.conf. clamd.conf is read by clamd (and by clamdscan, the thin client that hands files to the daemon); clamscan does not use it, since it loads the signature databases itself. freshclam.conf controls database updates. The defaults are fine for a first run; the one thing to check is that the "Example" line shipped in the upstream sample configs has been removed or commented out, otherwise clamd and freshclam refuse to start.

After the installation we need to update the virus database:

[root@server ~]# freshclam
ClamAV update process started at Sun May 10 05:36:35 2009
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.92 Recommended version: 0.95.1
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cvd is up to date (version: 50, sigs: 500667, f-level: 38, builder: sven)
daily.cvd is up to date (version: 9350, sigs: 49149, f-level: 42, builder: guitar)

Do not ignore the two WARNING lines. Each database carries an f-level (functionality level), and signatures that need a higher level than the installed engine provides are skipped, so an outdated engine keeps downloading databases but detects less than the signature count suggests. Upgrade the packages when freshclam says so. Now let's scan a directory for a test:

[root@server ~]# clamscan -r -i /root/test
/root/test/trojan.txt: Trojan.Zbot-3283 FOUND
/root/test/exploit.txt: Exploit.HTML.IFrame-6 FOUND
/root/test/worm.txt: Worm.SomeFool.P.2 FOUND
/root/test/fishing.txt: HTML.Phishing.Pay-152 FOUND
/root/test/ssl-spoof.txt: Phishing.Heuristics.Email.SSL-Spoof FOUND

----------- SCAN SUMMARY -----------
Known viruses: 717973
Engine version: 0.92
Scanned directories: 1
Scanned files: 5
Infected files: 5
Data scanned: 0.09 MB
Time: 17.771 sec (0 m 17 s)
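As an added example (not from the original post), the following script turns the manual clamscan run above into something you can schedule over an upload directory: it writes an EICAR test file so the scanner can be exercised without real malware, parses the "path: Signature FOUND" lines that clamscan prints (the same format as the output above), moves each reported file into a quarantine directory and logs it. The script name, the two directory arguments and the quarantine layout are assumptions; clamscan must be in PATH.

```bash
#!/bin/bash
# Added example, not from the original post: scan a directory with clamscan
# and move every file it reports as FOUND into a quarantine directory.
# Assumed invocation: scan-uploads.sh <directory to scan> <quarantine directory>

# Write the 68-byte EICAR test string to a file. Every AV engine, ClamAV
# included, reports it as Eicar-Test-Signature, so the pipeline can be
# exercised without keeping real malware around. The string is assembled
# from two halves so that this script itself does not trip a scanner.
make_eicar_file() {
    e1='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR'
    e2='-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    printf '%s%s' "$e1" "$e2" > "$1"
}

# Read a clamscan report and quarantine the files it flags. clamscan prints
# one "path: SignatureName FOUND" line per infected file; signature names
# never contain spaces, so split on the last ": " to survive odd file names.
# Summary lines and files that are already gone are skipped.
# Prints the number of files moved.
quarantine_from_report() {
    report=$1
    quarantine=$2
    mkdir -p "$quarantine"
    count=0
    while IFS= read -r line; do
        case $line in
            *" FOUND") ;;
            *) continue ;;
        esac
        sig=${line##*: }                 # "SignatureName FOUND"
        sig=${sig% FOUND}                # "SignatureName"
        path=${line%": $sig FOUND"}      # everything before the last ": "
        [ -f "$path" ] || continue
        mv -- "$path" "$quarantine/" || continue
        printf '%s quarantined %s (%s)\n' "$(date +%FT%T)" "$path" "$sig" \
            >> "$quarantine/quarantine.log"
        count=$((count + 1))
    done < "$report"
    echo "$count"
}

# Run clamscan and quarantine what it finds. -r recurses, -i lists only
# infected files, --no-summary leaves just the FOUND lines. Exit status 1
# means "something was found" and is expected; 2 is a scanner error and is
# passed on unchanged.
scan_and_quarantine() {
    report=$(mktemp)
    rc=0
    clamscan -r -i --no-summary "$1" > "$report" || rc=$?
    if [ "$rc" -gt 1 ]; then
        rm -f "$report"
        return "$rc"
    fi
    quarantine_from_report "$report" "$2"
    rm -f "$report"
}

# With two arguments the script does the real work; with none it only
# defines the functions, so it can be sourced by other scripts.
if [ "$#" -eq 2 ]; then
    n=$(scan_and_quarantine "$1" "$2") || exit "$?"
    echo "quarantined $n file(s); details in $2/quarantine.log"
fi
```

Drop it into cron the same way as clamav-cron above; the quarantine log gives you the file name and the signature, which is usually all an incident ticket needs.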

There is a simple Bash script named clamav-cron which helps you schedule these tasks via crontab:

  1. update the ClamAV virus database (freshclam);
  2. scan the directories you give it (clamscan);
  3. send a brief report via e-mail.

With its help you don't need to know the ClamAV configuration files or run the ClamAV daemon; you only have to configure the e-mail address(es) that will receive the report.

wget -O /usr/local/bin/clamav-cron

chmod 755 /usr/local/bin/clamav-cron

Open the clamav-cron script in your editor and edit the "User configuration" section following the instructions. Then create a new entry in your crontab:
# Scan /home once a week, Saturday at 23:45
45 23 * * 6 /usr/local/bin/clamav-cron /home

Example 2. Exim mail transfer agent integration
First, start the scanning daemon:
/etc/init.d/clamd start

Check that clamd is running and what it listens on. The Exim integration below uses the Unix socket; if TCPSocket is also enabled in clamd.conf, remember that clamd does no authentication and will scan, and report on, anything sent to port 3310, so bind it to 127.0.0.1 with TCPAddr or block the port at the firewall:
[root@server ~]# netstat -lnpt | grep clamd
tcp        0      0*      LISTEN      19406/clamd

Exim must be at least version 4.50 and built with content scanning support. Check with:
$ exim -bV
The first line gives the version; the "Support for:" line (around the fourth line of the output) must list Content_Scanning, otherwise the malware condition used below does not exist.
If all is OK, open WHM and go to Service Configuration -> Exim Configuration Editor -> Advanced editor. Add the following line at the very beginning of the text field (av_scanner is a main-section option, so it has to appear before any "begin" line):
av_scanner = clamd:/tmp/clamd.socket

Pay attention to the socket path: it must be the one clamd listens on, set by LocalSocket in /etc/clamd.conf:
$ grep LocalSocket /etc/clamd.conf
LocalSocket /tmp/clamd.socket

Two permission details matter here. The user Exim runs as (exim_user) must be allowed to connect to that socket. And because Exim, when av_scanner points at a Unix socket, sends clamd the file name of the spooled message rather than its contents, the user clamd runs as must be able to read the message in the "scan" subdirectory of Exim's spool (/var/spool/exim/scan on a typical Red Hat install). A permission problem on either side shows up as deferred mail, not as a clean rejection.

And in the ACL section (after the "begin acl" line), inside the ACL that runs at DATA time (acl_smtp_data), since the whole message body has to be received before it can be scanned:

# reject at SMTP time: the sender gets a 5xx and no bounce is generated
deny message = Message rejected: virus found!
     hosts   = *
     malware = *

The malware condition sets $malware_name to the signature clamd reported, which is worth adding to the message text for the reject log. If clamd is unreachable the condition defers (4xx) instead of letting the mail through; write malware = */defer_ok if you would rather accept mail unscanned while the scanner is down.

Save the configuration. WHM restarts Exim and applies your settings. If you do not run WHM, edit /etc/exim.conf directly and restart Exim yourself.
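The script below is an added example, not part of the original post nor of Exim or ClamAV, that automates the checks above: it parses exim -bV for the version and Content_Scanning support, extracts the socket path from "exim -bP av_scanner" and from LocalSocket in /etc/clamd.conf and compares the two, and talks to clamd over the socket with PING and VERSION. The parsing functions read command output from stdin so they can be tried without a mail server; the live checks assume exim and socat are in PATH and that clamd.conf lives in /etc, as in the post.

```bash
#!/bin/bash
# Added example, not from the original post nor from Exim/ClamAV: pre-flight
# checks for the clamd <-> Exim hookup. Parsing functions take command output
# on stdin; the live run at the bottom executes the real commands.
# Assumptions: /etc/clamd.conf, socat installed, exim in PATH.

# Exim must be at least 4.50 and built with content scanning. Reads the
# output of "exim -bV": the version is on the first line and the
# "Support for:" line lists Content_Scanning when the malware condition
# is available. Returns 0 only when both hold.
exim_supports_malware() {
    bv=$(cat)
    version=$(printf '%s\n' "$bv" |
        sed -n 's/^Exim version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$version" ] || return 1
    set -- $version                      # $1 = major, $2 = minor
    if [ "$1" -lt 4 ] || { [ "$1" -eq 4 ] && [ "$2" -lt 50 ]; }; then
        return 1
    fi
    printf '%s\n' "$bv" | grep -q '^Support for:.*Content_Scanning'
}

# Socket path Exim will connect to, from "exim -bP av_scanner" output such
# as "av_scanner = clamd:/tmp/clamd.socket". Prints nothing for the TCP
# form (clamd:host port) or when av_scanner is unset.
exim_clamd_socket() {
    sed -n 's/^av_scanner *= *clamd:\(\/[^ ]*\).*/\1/p'
}

# Socket path clamd listens on, from clamd.conf (commented lines skipped).
clamd_local_socket() {
    sed -n 's/^LocalSocket[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# The two paths must agree and the socket must exist, i.e. clamd is up.
sockets_match() {
    ex=$(exim -bP av_scanner | exim_clamd_socket)
    cl=$(clamd_local_socket < /etc/clamd.conf)
    [ -n "$ex" ] && [ "$ex" = "$cl" ] && [ -S "$cl" ]
}

# Speak to clamd over the socket the way Exim will. PING must answer PONG;
# VERSION reports engine and signature database versions, which is what
# to compare against freshclam's OUTDATED warning.
clamd_ping() {
    printf 'PING\n' | socat - "UNIX-CONNECT:$1" | grep -q '^PONG' || return 1
    printf 'VERSION\n' | socat - "UNIX-CONNECT:$1"
}

# Live run on this host: ./check-exim-clamd.sh --live
if [ "${1-}" = "--live" ]; then
    if exim -bV | exim_supports_malware; then
        echo "exim: version and Content_Scanning OK"
    else
        echo "exim: older than 4.50 or built without Content_Scanning"
    fi
    sock=$(clamd_local_socket < /etc/clamd.conf)
    if sockets_match; then
        echo "socket: av_scanner and LocalSocket agree on $sock"
    else
        echo "socket: av_scanner and LocalSocket differ, or clamd is not running"
    fi
    if ver=$(clamd_ping "$sock"); then
        echo "clamd: answers on $sock, $ver"
    else
        echo "clamd: no PONG on $sock (check LocalSocket and that exim_user may connect)"
    fi
fi
```

Run the live check as the Exim user as well as root (su -s /bin/sh exim_user -c ...): a PONG as root but not as the Exim user is the socket-permission problem described above, and it would otherwise only surface as deferred mail.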

Now we have implemented what we set out to do. Have a nice time with the tour!
