Introduction

This page lists some procedures for testing the various applications that use and depend on ClamAV anti-virus software. These procedures are in somewhat a rough shape used to minimally configure any particular package and shouldn't be used as a production guide.

This page is part of the MOTU/Clamav update/backport effort.

Amavisd-new

• sudo apt-get install amavisd-new spamassassin
• Edit /etc/amavis/conf.d/15-content_filter_mode uncomment:

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

• Edit /etc/amavis/conf.d/50-user add:

$myhostname = "example.com";

• Edit /etc/mailname add:

false

• Edit /etc/hosts add:

127.0.0.1       example localhost localhost.localdomain

• Edit /etc/postfix/master.cf add:

smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

• Also add the following two lines immediately below the "pickup" transport service:

        -o content_filter=
        -o receive_override_options=no_header_body_checks

• Edit /etc/postfix/main.cf add:

content_filter = smtp-amavis:[127.0.0.1]:10024

• add clamav to the amivis group with:

sudo adduser clamav amavis

• verify that /etc/clamav/clamd.conf has:

AllowSupplementaryGroups true

• sudo /etc/init.d/postfix restart
• sudo /etc/init.d/clamav-daemon restart
• sudo /etc/init.d/amavis start
• Send a message through with a virus attachment

AVScan

• sudo apt-get install avscan
• /usr/bin/avscan
• Scan a file.

clamcour

• sudo apt-get install courier-mta
• sudo apt-get install clamcour
• Edit /etc/courier/smtpaccess/default change:

192.168.0     allow,RELAYCLIENT

• Configure a valid DNS domain.
• Configure a Postfix' on another host to send the messsages. Using Mutt won't work.
• Edit /etc/courier/locals' add the domain.
• Edit /etc/courier/defaultdomain set it to host.domain.org
• sudo makesmtpaccess
• sudo makehosteddomains
• sudo /etc/init.d/courier-mta restart
  • Should now maybe be able to send a message through courier
• sudo filterctl start clamcour
• Send a virus through the system and it should be logged to /var/log/mail.log.

clamsmtpd

• sudo apt-get install clamsmtpd
• Configure Postfix according to clamsmtp page
• Edit /etc/clamsmtpd comment the following line:

Listen: 127.0.0.1:10026

• Change the OutAddress option to be:

OutAddress: 127.0.0.1:10026

• sudo /etc/init.d/postfix restart
• sudo /etc/init.d/clamsmtpd restart
• Send a mail through the system with a virus attachemnt.

• Should see the message being rejected and the virus name in /var/log/mail.log

Clamtk

• sudo apt-get install clamtk
• /usr/bin/clamtk
• Scan a file.

Dansguardian

• Great guide here

• sudo apt-get install dansguardian tinyproxy firehol
• Edit /etc/dansguardian/dansguardian.conf comment:

#UNCONFIGURED

• Edit /etc/tinyproxy/tinyproxy.conf change:

User nobody
Group nogroup

Port 3128

• Edit /etc/firehol/firehol.conf replace with:

version 5
iptables -t filter -I OUTPUT -d 127.0.0.1 -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j DROP
transparent_squid 8080 "nobody root"

# Accept all client traffic on any interface
interface any world
         policy drop
         protection strong
         client all accept

• Edit /etc/default/firehol change from no to yes:

START_FIREHOL=YES

• sudo /etc/init.d/tinyproxy restart
• sudo /etc/init.d/dansguardian restart
• sudo /etc/init.d/firehol restart
• You should now have a working internet filter without any changes being made to the proxy settings.
• Try and download a virus over http, it should get blocked.

dspam

• sudo apt-get install dspam
• Download dspamit shell script from dspamit_wrapper
• Save it in /usr/local/bin/dspamit
• sudo chmod 755 /usr/local/bin/dspamit
• Edit /etc/dspam/dspam.conf uncomment and change:

TrustedDeliveryAgent "/usr/sbin/sendmail"


ClamAVPort      3310
ClamAVHost      127.0.0.1
ClamAVResponse accept

Opt out

• Edit /etc/clamav/clamd.conf add:

TCPSocket 3310
TCPAddr 127.0.0.1

• sudo /etc/init.d/clamav-daemon restart
• Edit /etc/postfix/master.cf add:

smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=dspam:
dspam     unix  -       n       n       -       10      pipe
  flags=Rhqu user=dspam argv=/usr/local/bin/dspamit ${sender} ${recipient}

• Edit /etc/postfix/main.cf add:

dspam_destination_recipient_limit = 1

• Edit /etc/default/dspam change no to yes:

START=yes

• sudo /etc/init.d/postfix restart
• Send a virus through shouldn't come through, and should be logged to /var/log/clamav/clamav.log

dtc-postfix-courier

Exim4 with ClamAV

• sudo apt-get install exim4-daemon-heavy
• Configure for internet site during install.
• Edit /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs change:

MAIN_LOCAL_DOMAINS = frog.org

• sudo update-exim4.conf
• sudo /etc/init.d/exim4 restart
• Should be able to send mail at this point.
  • You may need to setup a valid DNS domain!!!
• Edit /etc/exim4/conf.d/main/02_exim4-config_options change:

av_scanner = clamd:/var/run/clamav/clamd.ctl

• Edit /etc/exim4/conf.d/acl/40_exim4-config_check_data add:

  # Reject messages that have serious MIME errors.
  # This calls the demime condition again, but it
  # will return cached results.
  deny message = Serious MIME defect detected ($demime_reason)
  demime = *
  condition = ${if >{$demime_errorlevel}{2}{1}{0}}
                     
  #
  # Reject file extensions used by worms.
  #
  deny message = This domain has a policy of not accepting certain types \
                 of attachments in mail as they may contain a virus.  \
                 \       
                 Tis mail has a file with a .$found_extension attachment and \
                 is not accepted. \                                              
                 \
                 If you have a legitimate need to send this attachment, send it \
                 in a compressed archive, and it will then be forwarded to the \
                 recipient.
  demime = vbs:bat:pif:scr
  .ifdef TEERGRUBE
       delay = TEERGRUBE
  .endif

  # Reject messages containing malware.
  deny mess

• sudo update-exim4.conf
• sudo /etc/init.d/exim4 restart
• Send a virus through the system and you should see a rejection message from Clamav in /var/log/exim4/mainlog.

• Followed the guide here: Rejecting viral email at SMTP time with exim4

gURLChecker

• sudo apt-get install gurlchecker
• Execute /usr/bin/gurlchecker
• Enable Virii scanning in Security section.
• Check a site with a virus.
• Should see virus name on console.

HAVP

• sudo apt-get install havp
• Change browser connection settings to use port 8080.
• May need to clear cache.

• Browse to a page with a virus (ie: http://www.eicar.org/anti_virus_test_file.htm, scroll down and select a zip file to download).

• Page should be blocked by havp and the virus should be logged to /var/log/havp/access.log.

Klamav

• sudo apt-get install klamav
• /usr/bin/klamav
• Scan a file.

MailScanner

• sudo apt-get install mailscanner
• Edit /etc/postfix/main.cf add:

header_checks = regexp:/etc/postfix/header_checks

• Create /etc/postfix/header_checks add:

/^Received:/ HOLD

• Edit /etc/MailScanner/MailScanner.conf change:

Run As User = postfix
Run As Group = postfix
 
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix

Virus Scanners = clamav

• Change permissions on MailScanner directories:

sudo chown -R postfix.postfix /var/spool/MailScanner/
sudo chown -R postfix.postfix /var/lib/MailScanner/
sudo chown -R postfix.postfix /var/run/MailScanner/
sudo chown -R postfix.postfix /var/lock/subsys/MailScanner/

• Edit /etc/default/mailscanner uncomment:

run_mailscanner=1

• sudo /etc/init.d/mailscanner restart
• sudo /etc/init.d/postfix restart
• Send a message through with a virus attached should see it logged to /var/log/mail.log.

Mediawiki

• sudo apt-get install apache2 libapache2-mod-php5 mysql-server
• sudo apt-get install mediawiki clamav
• configure MySQL to listen on IP Address:
• edit /etc/mysql/my.cnf:

bind-address     = 192.168.0.10

• create a database for the wiki and give access rights to wikiuser
  • mysql -u root

create database wikidb
grant all on wikidb.* to wikiuser@'192.168.0.10' identified by 'password';

• configure Apache:
  • sudo cp /etc/mediawiki/apache.conf /etc/apache2/sites-available/mediawiki.conf
  • sudo a2ensite mediawiki.conf
  • sudo /etc/init.d/apache2/reload

• setup the wiki using a browser pointed to http://server/mediawiki to make sure it works

• edit /etc/mediawiki/LocalSettings.php and enable file uploads, by searching for and uncommenting the following line:

#$wgEnableUploads       = true;

• edit /etc/mediawiki/LocalSettings.php and add the following to the end, enabling scanning uploaded zip files with clamav:

$wgAntivirus = 'clamav';
$wgFileExtensions[] = 'zip';

• get the test virus file from http://www.eicar.org/anti_virus_test_file.htm (eicar_com.zip further down the page)

• try to upload the file to mediawiki, you should see the following error message:

Upload warning
The file contains a virus! Details: Eicar-Test-Signature FOUND

MIMEDefang

• sudo apt-get install mimedefang
  • This will install sendmail if it's not installed already.
• Edit /etc/mail/sendmail.mc change:

DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp, Addr=172.18.100.50')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission, Addr=172.18.100.50')dnl

INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:5m;R:5m')dnl

• Edit /etc/mail/access uncomment:

Connect:172.18                  RELAY

• sudo sendmailconfig
• sudo adduser clamav defang
• sudo adduser defang clamav
• sudo adduser clamav smmsp
• Edit /etc/mail/mimedefang-filter add the following to the top:

# For clamav.
$Features{'Virus:CLAMD'} = 1;
$ClamdSock  = "/var/run/clamav/clamd.ctl"

• sudo /etc/init.d/mimedefang restart
• sudo /etc/init.d/clamav-daemon restart

• send messages to [email protected]

• Send through a virus and it should be logged to /var/log/mail.log.

p3scan

• sudo apt-get install p3scan
• Disable SSL for dovecot:

ssl_disable = yes

• sudo /etc/init.d/dovecot restart
• edit /etc/p3scan/p3scan.conf and set the scanner option to:

scanner = /usr/bin/clamdscan 

• sudo /etc/init.d/p3scan restart
• Redirect the POP3 port 110 to 8110 using iptables:

sudo iptables -t nat -A OUTPUT  -p tcp --dport pop3 -j REDIRECT --to 8110

• Send a virus through the system then try connecting to the account using POP3.
• Should get an email stating there was a virus sent to you.
• p3scan should then quarantine the message in /var/spool/p3scan.

php5-clamavlib

• sudo apt-get install php5-clamlib
• Edit /etc/php5/apache2/php.ini remove -e from the extension statement:

extension=clamav.so

• sudo /etc/init.d/apache2 restart
• Create a test script:

<?php 

print cl_info()."<br/>"; 
$ret = cl_scanfile('/path/to/virus_file'); 
print "<br/>"; 

print $ret; 
print "<br/>"; 
print "<br/>"; 

echo cl_info() . "<br>"; 

$file = "/path/to/virus_file"; 
cl_scanfile_ex($file, CL_SCAN_STDOPT, $virus, $retcode);
if ($retcode == CL_VIRUS) 
    echo $file . " returns: " . cl_pretcode($retcode) . " virus name: " . $virus . "<br>"; 
else 
    echo $file . " returns: " . cl_pretcode($retcode) . "<br>"; 

?>

• Place the script under the web root.
• Browse to the script, should see virus details if a virus is scanned.
• If php5-clamavlib is broken it usually causes an Apache error and it won't start with PHP enabled.

php4-clamavlib

• sudo apt-get install php4-clamlib
• Edit /etc/php4/apache2/php.ini remove -e from the extension statement:

extension=clamav.so

• sudo /etc/init.d/apache2 restart
• Create a test script:

<?php 

print cl_info()."<br/>"; 
$ret = cl_scanfile('/path/to/virus_file'); 
print "<br/>"; 

print $ret; 
print "<br/>"; 
print "<br/>"; 

echo cl_info() . "<br>"; 

$file = "/path/to/virus_file"; 
cl_scanfile_ex($file, CL_SCAN_STDOPT, $virus, $retcode);
if ($retcode == CL_VIRUS) 
    echo $file . " returns: " . cl_pretcode($retcode) . " virus name: " . $virus . "<br>"; 
else 
    echo $file . " returns: " . cl_pretcode($retcode) . "<br>"; 

?>

• Place the script under the web root.
• Browse to the script, should see virus details if a virus is scanned.

• If php4-clamavlib is broken it usually causes an Apache error and it won't start with PHP enabled.

Note: php4-clamavlib is not available on new Ubuntu releases. See php5-clamavlib above.

python-clamav

• sudo apt-get install python-clamav
• Create a python test script:

###################################
#
# pyClamav test script.
#
###################################
import pyclamav

# Print the number of signatures.
print pyclamav.get_numsig()

# Print pyClamav verstion and Clamav version.
print pyclamav.get_version()
print pyclamav.version()

# Setup the file to scan.
scan_file = pyclamav.scanfile('/path/to/virus_file')
print scan_file

• Execute the file:

python clamav_test.py

• Should see version information and virus information printed to console.

qpsmtpd

• sudo apt-get install qpsmtpd
• sudo dpkg-reconfigure qpsmtpd
• Answer the following:
  • Enable qpsmtpd startup at boot time: Yes
  • Addresses on which to listen for incoming SMTP connections: 172.18.100.50
  • Queueing method for accepted mail: Postfix
  • Destination domain(s) to accept mail for (blank for none): Grizzlebees localhost.localdomain localhost
• Edit /etc/postfix/main.cf change:

inet_interfaces = 127.0.0.1

• sudo /etc/init.d/postfix restart
• Edit /etc/qpsmtpd/plugins add:

virus/clamav clamscan_path=/usr/bin/clamscan action=reject max_size=209715 tmp_dir=/tmp/qpsmtpd.clam

• sudo /etc/init.d/qpsmtpd restart
• Send a virus through the system and it should be logged to /var/log/qpsmtpd/qpsmtpd.log

sylpheed-claws-gtk2

sylpheed-claws-clamav

Claws Mail