Introduction

This page lists some procedures for testing the various applications that use and depend on ClamAV anti-virus software. These procedures are in somewhat a rough shape used to minimally configure any particular package and shouldn't be used as a production guide.

This page is part of the MOTU/Clamav update/backport effort.

Amavisd-new

• sudo apt-get install amavisd-new spamassassin
• Edit /etc/amavis/conf.d/15-content_filter_mode uncomment:

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

• Edit /etc/amavis/conf.d/50-user add:

$myhostname = "example.com";

• Edit /etc/mailname add:

false

• Edit /etc/hosts add:

127.0.0.1       example localhost localhost.localdomain

• Edit /etc/postfix/master.cf add:

smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

• Also add the following two lines immediately below the "pickup" transport service:

        -o content_filter=
        -o receive_override_options=no_header_body_checks

• Edit /etc/postfix/main.cf add:

content_filter = smtp-amavis:[127.0.0.1]:10024

• add clamav to the amivis group with:

sudo adduser clamav amavis

• verify that /etc/clamav/clamd.conf has:

AllowSupplementaryGroups true

• sudo /etc/init.d/postfix restart
• sudo /etc/init.d/clamav-daemon restart
• sudo /etc/init.d/amavis start
• Send a message through with a virus attachment

AVScan

• sudo apt-get install avscan
• /usr/bin/avscan
• Scan a file.

clamassassin

(it's always a good idea to purge remove the packages and start from scratch when testing, IF it's a test system obviously )

• sudo apt-get install postfix procmail clamassassin clamav-daemon
• postfix configuration: Internet site
• in /etc/postfix/main.cf change the MDA (mail delivery agent) to procmail (just append the line at the end):

mailbox_command = /usr/bin/procmail

• restart postfix
• in /etc/defaults/clamassassin change the scanner to clamdscan (to use clamd, thus speeding up the scanning considerably)

CLAMSCAN=clamdscan

• create a testuser and put a .procmailrc file in his home:

useradd testuser
touch /home/testuser/.procmailrc
chown testuser:testuser /home/testuser/.procmailrc

• put the following code in .procmailrc to enable clamassassin:

MAILDIR=$HOME/Maildir

:0fw
| /usr/bin/clamassassin

:0:
* ^X-Virus-Status: Yes
.virus/

• create the user's Maildir:

cd /home/testuser
mkdir -p Maildir/new Maildir/cur Maildir/tmp
mkdir -p Maildir/.virus/new Maildir/.virus/cur Maildir/.virus/tmp
chown -R testuser:testuser Maildir/

• make sure clamd is running and the virus databases are up-to-date (in /var/lib/clamav)

• get the test virus file from http://www.eicar.org/anti_virus_test_file.htm, and send a mail to testuser

• the mail should be delivered in the .virus/new subfolder in /home/testuser/Maildir (check with mutt -f /home/testuser/Maildir/.virus/)
• open the mail, and check the header for the following signature:

X-Virus-Checker-Version: clamassassin 1.2.4 with clamdscan / ClamAV
        0.94.2/8961/Fri Feb  6 15:29:06 2009

clamcour

• sudo apt-get install courier-mta
• sudo apt-get install clamcour
• Edit /etc/courier/smtpaccess/default change:

192.168.0     allow,RELAYCLIENT

• Configure a valid DNS domain.
• Configure a Postfix' on another host to send the messsages. Using Mutt won't work.
• Edit /etc/courier/locals' add the domain.
• Edit /etc/courier/defaultdomain set it to host.domain.org
• sudo makesmtpaccess
• sudo makehosteddomains
• sudo /etc/init.d/courier-mta restart
  • Should now maybe be able to send a message through courier
• sudo filterctl start clamcour
• Send a virus through the system and it should be logged to /var/log/mail.log.

clamfs

• sudo apt-get install clamfs
• mkdir -p /clamfs/tmp

• get eicar.com file from the eicar site, copy it to /tmp

• run clamfs with the example conf from the package
  • this will mount /tmp to /clamfs/tmp (check with mount)

root@utest-jj:~# clamfs /usr/share/doc/clamfs/clamfs-sample.xml
22:45:32 (clamfs.cxx:870) ClamFS v0.9.1
22:45:32 (clamfs.cxx:871) Copyright (c) 2007 Krzysztof Burghardt <krzysztof@burghardt.pl>
22:45:32 (clamfs.cxx:872) http://clamfs.sourceforge.net/
22:45:32 (clamfs.cxx:952) chdir to our 'root' (/tmp)
22:45:32 (clamfs.cxx:990) ScanCache initialized, 16384 entries will be kept for 10800000 ms max.
22:45:32 (rlog.cxx:82) logs goes to syslog
root@utest-jj:~# mount | grep clamfs
clamfs on /clamfs/tmp type fuse.clamfs (rw,nosuid,nodev,allow_other,default_permissions)

• try to cat /clamfs/tmp/eicar.com, should get 'operation not permitted' message

• check syslog for clamfs message:

Apr 11 22:49:40 utest-jj clamfs: (cat:13044) (root:0) /eicar.com: forced anti-virus scan because extension blacklisted 
Apr 11 22:49:40 utest-jj clamfs: (cat:13044) (root:0) /tmp/eicar.com: Eicar-Test-Signature FOUND

clamsmtp

• sudo apt-get install clamsmtp

• Configure Postfix according to clamsmtp page

  • note: stock clamsmtpd in Ubuntu listens on 10026 and forwards scanned mail to 10025, this is where postfix should listen (check /etc/clamsmtpd.conf)
• sudo /etc/init.d/postfix restart
• sudo /etc/init.d/clamsmtpd restart
• Send a mail through the system with a virus attachemnt.

• Should see the message being rejected and the virus name in /var/log/mail.log

Clamtk

• sudo apt-get install clamtk
• /usr/bin/clamtk
• Scan a file.

Dansguardian

• Great guide here

• sudo apt-get install dansguardian tinyproxy firehol
• Edit /etc/dansguardian/dansguardian.conf comment:

#UNCONFIGURED

• Edit /etc/tinyproxy/tinyproxy.conf change:

User nobody
Group nogroup

Port 3128

• Edit /etc/firehol/firehol.conf replace with:

version 5
iptables -t filter -I OUTPUT -d 127.0.0.1 -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j DROP
transparent_squid 8080 "nobody root"

# Accept all client traffic on any interface
interface any world
         policy drop
         protection strong
         client all accept

• Edit /etc/default/firehol change from no to yes:

START_FIREHOL=YES

• sudo /etc/init.d/tinyproxy restart
• sudo /etc/init.d/dansguardian restart
• sudo /etc/init.d/firehol restart
• You should now have a working internet filter without any changes being made to the proxy settings.
• Try and download a virus over http, it should get blocked.

dspam

• sudo apt-get install dspam
• Download dspamit shell script from dspamit_wrapper
• Save it in /usr/local/bin/dspamit
• sudo chmod 755 /usr/local/bin/dspamit
• Edit /etc/dspam/dspam.conf uncomment and change:

TrustedDeliveryAgent "/usr/sbin/sendmail"


ClamAVPort      3310
ClamAVHost      127.0.0.1
ClamAVResponse accept

Opt out

• Edit /etc/clamav/clamd.conf add:

TCPSocket 3310
TCPAddr 127.0.0.1

• sudo /etc/init.d/clamav-daemon restart
• Edit /etc/postfix/master.cf add:

smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=dspam:
dspam     unix  -       n       n       -       10      pipe
  flags=Rhqu user=dspam argv=/usr/local/bin/dspamit ${sender} ${recipient}

• Edit /etc/postfix/main.cf add:

dspam_destination_recipient_limit = 1

• Edit /etc/default/dspam change no to yes:

START=yes

• sudo /etc/init.d/postfix restart
• Send a virus through shouldn't come through, and should be logged to /var/log/clamav/clamav.log

dtc-postfix-courier

Exim4 with ClamAV

• sudo apt-get install exim4-daemon-heavy
• sudo dpkg-reconfigure exim4-config (select split configuration)
• should be able to send mail at this point
• edit /etc/exim4/conf.d/main/02_exim4-config_options change:

av_scanner = clamd:/var/run/clamav/clamd.ctl

• create new file /etc/exim4/conf.d/main/00_localmacros, add:

CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/local_acl

• create new file /etc/exim4/local_acl and add the following:

   # Reject messages that have serious MIME errors.
   # This calls the demime condition again, but it
   # will return cached results.
   deny message = Serious MIME defect detected ($demime_reason)
   demime = *
   condition = ${if >{$demime_errorlevel}{2}{1}{0}}

   #
   # Reject file extensions used by worms.
   #
   deny message = This domain has a policy of not accepting certain types \
                  of attachments in mail as they may contain a virus.  \
                  \
                  This mail has a file with a .$found_extension attachment and \
                  is not accepted. \
                  \
                  If you have a legitimate need to send this attachment, send it \
                  in a compressed archive, and it will then be forwarded to the \
                  recipient.
   demime = vbs:bat:pif:scr
   .ifdef TEERGRUBE
      delay = TEERGRUBE
   .endif

   # Reject messages containing malware.
   deny message = This message contains a virus ($malware_name) and has been rejected
   malware = *

• sudo update-exim4.conf
• sudo /etc/init.d/exim4 restart
• you may need to add clamav user to Debian-exim group (on jaunty)
• sudo /etc/init.d/clamav-daemon restart
• send a virus through the system and you should see a rejection message from ClamAV in /var/log/exim4/mainlog

gURLChecker

• sudo apt-get install gurlchecker
• Execute /usr/bin/gurlchecker
• Enable Virii scanning in Security section.
• Check a site with a virus.
• Should see virus name on console.

HAVP

• sudo apt-get install havp
• Change browser connection settings to use port 8080.
• May need to clear cache.

• Browse to a page with a virus (ie: http://www.eicar.org/anti_virus_test_file.htm, scroll down and select a zip file to download).

• Page should be blocked by havp and the virus should be logged to /var/log/havp/access.log.

Klamav

• sudo apt-get install klamav
• /usr/bin/klamav
• Scan a file.

Kmail

• sudo apt-get install clamav-daemon kmail
• start kmail, configure a POP3 email account, make sure it works ok

• in the menu go to Tools / Anti-Virus Wizard...

• clamav should appear in the list, select it, click Next

• check the first two options (Check messages using the anti-virus tool and Move to selected folder)

• select Local Folders/trash and click Finish

• go to Settings / Configure Filters... and check that the antivirus filters got added (there should be two, one for scanning and marking the email in the header, the other one to move the email if virus found)

• send a test email with virus attached to the account, then Check Mail and see the message moved automatically to the trash folder

• select the mail in the trash folder, select View / Headers / All Headers, and check for X-Virus-Flag: yes at the beginning of the header.

libclamav-client-perl

• sudo apt-get install libclamav-client-perl
• create a new file, add the following perl code and run the script with perl

 #!/usr/bin/perl

use ClamAV::Client;

# connect to clamd through UNIX socket
# Ubuntu default socket patch
$scanner = ClamAV::Client->new(
    socket_name     => '/var/run/clamav/clamd.ctl'
);

# check if clamd is running
die("ClamAV daemon not alive")
    if not defined($scanner) or not $scanner->ping();

# print clamav version information
my $version = $scanner->version;
print "$version\n";

# scan a file, return virus name if found
my ($path, $result) = $scanner->scan_path('/tmp/eicar.com');
if (defined($result)) {
    print "Virus found in $path: $result\n";
}
else {
    print "No virus found.\n";
}

MailScanner

• sudo apt-get install mailscanner
• Edit /etc/postfix/main.cf add:

header_checks = regexp:/etc/postfix/header_checks

• Create /etc/postfix/header_checks add:

/^Received:/ HOLD

• Edit /etc/MailScanner/MailScanner.conf change:

Run As User = postfix
Run As Group = postfix
 
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix

Virus Scanners = clamav

• Change permissions on MailScanner directories:

sudo chown -R postfix.postfix /var/spool/MailScanner/
sudo chown -R postfix.postfix /var/lib/MailScanner/
sudo chown -R postfix.postfix /var/run/MailScanner/
sudo chown -R postfix.postfix /var/lock/subsys/MailScanner/

• Edit /etc/default/mailscanner uncomment:

run_mailscanner=1

• sudo /etc/init.d/mailscanner restart
• sudo /etc/init.d/postfix restart
• Send a message through with a virus attached should see it logged to /var/log/mail.log.

Mediawiki

• sudo apt-get install apache2 libapache2-mod-php5 mysql-server
• sudo apt-get install mediawiki clamav
• configure MySQL to listen on IP Address:
• edit /etc/mysql/my.cnf:

bind-address     = 192.168.0.10

• create a database for the wiki and give access rights to wikiuser
  • mysql -u root

create database wikidb
grant all on wikidb.* to wikiuser@'192.168.0.10' identified by 'password';

• configure Apache:
  • sudo cp /etc/mediawiki/apache.conf /etc/apache2/sites-available/mediawiki.conf
  • sudo a2ensite mediawiki.conf
  • sudo /etc/init.d/apache2/reload

• setup the wiki using a browser pointed to http://server/mediawiki to make sure it works

• edit /etc/mediawiki/LocalSettings.php and enable file uploads, by searching for and uncommenting the following line:

#$wgEnableUploads       = true;

• edit /etc/mediawiki/LocalSettings.php and add the following to the end, enabling scanning uploaded zip files with clamav:

$wgAntivirus = 'clamav';
$wgFileExtensions[] = 'zip';

• get the test virus file from http://www.eicar.org/anti_virus_test_file.htm (eicar_com.zip further down the page)

• try to upload the file to mediawiki, you should see the following error message:

Upload warning
The file contains a virus! Details: Eicar-Test-Signature FOUND

MIMEDefang

• sudo apt-get install mimedefang
  • This will install sendmail if it's not installed already.
• Edit /etc/mail/sendmail.mc change:

DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp, Addr=172.18.100.50')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission, Addr=172.18.100.50')dnl

INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:5m;R:5m')dnl

• Edit /etc/mail/access uncomment:

Connect:172.18                  RELAY

• sudo sendmailconfig
• sudo adduser clamav defang
• sudo adduser defang clamav
• sudo adduser clamav smmsp
• Edit /etc/mail/mimedefang-filter add the following to the top:

# For clamav.
$Features{'Virus:CLAMD'} = 1;
$ClamdSock  = "/var/run/clamav/clamd.ctl"

• sudo /etc/init.d/mimedefang restart
• sudo /etc/init.d/clamav-daemon restart

• send messages to user@host.domain.org

• Send through a virus and it should be logged to /var/log/mail.log.

nautilus-clamscan

Nautilus-clamscan is a Nautilus extension for scanning files for viruses easily by right-clicking on them. See https://launchpad.net/nautilus-clamscan for more information.

• sudo apt-get install nautilus-clamscan
• logout/login for the extension to get loaded

• download a testfile from the EICAR website to the Desktop

• right-click on the file and select 'Scan for viruses...'
• a 'File manager' popup should appear with scanning progress bar, saying that it found 1 infected file

p3scan

• sudo apt-get install p3scan clamav-daemon
• enable plain POP3 protocol in dovecot (/etc/dovecot/dovecot.conf):

protocols = pop3 imap imaps

• add the clamav user to p3scan group

root@utest-dd:/var/mail# usermod -a -G p3scan clamav
root@utest-dd:/var/mail# id clamav
uid=110(clamav) gid=110(clamav) groups=110(clamav),114(p3scan)

• sudo /etc/init.d/dovecot restart
• sudo /etc/init.d/clamav-daemon start
• edit /etc/p3scan/p3scan.conf and set the following options:

(for scanning with clamdscan)

scanner = /usr/bin/clamdscan --no-summary
virusregexp = .*: (.*) FOUND

(for scanning directly with clamd through TCP socket)

scannertype = clamd
scanner = 127.0.0.1:3310
virusregexp = .*: (.*) FOUND

• sudo /etc/init.d/p3scan restart
• Redirect the POP3 port 110 to 8110 using iptables:

sudo iptables -t nat -A PREROUTING -p tcp --dport pop3 -j REDIRECT --to 8110

• send a virus through the system then try connecting to the account using POP3
• should get an email stating there was a virus sent to you
• p3scan should then quarantine the message in /var/spool/p3scan.

php5-clamav

Install php5-clamav package (only available since Lucid, replaces php{4,5}-clamavlib)

• sudo apt-get install php5-clamav
• sudo /etc/init.d/apache2 restart

Create a test script:

• vi /var/www/vir.php

<?php

print cl_info()."<br/>";
$virname = '';
$file = '/tmp/eicar_com.zip';

$ret = cl_scanfile($file,$virname); 
print "<br/>"; 
if ($ret) {
  print "Virus found in $file: $virname .<br/>";
}
else {
  print "No virus found in $file.<br/>";
}
?>

Browse to the script, should see virus details if a virus is found.

For more details see /usr/share/doc/php5-clamav/README.Debian included with the package.

php5-clamavlib

• sudo apt-get install php5-clamlib
• Edit /etc/php5/apache2/php.ini remove -e from the extension statement:

extension=clamav.so

• sudo /etc/init.d/apache2 restart
• Create a test script:

<?php 

print cl_info()."<br/>"; 
$ret = cl_scanfile('/path/to/virus_file'); 
print "<br/>"; 

print $ret; 
print "<br/>"; 
print "<br/>"; 

echo cl_info() . "<br>"; 

$file = "/path/to/virus_file"; 
cl_scanfile_ex($file, CL_SCAN_STDOPT, $virus, $retcode);
if ($retcode == CL_VIRUS) 
    echo $file . " returns: " . cl_pretcode($retcode) . " virus name: " . $virus . "<br>"; 
else 
    echo $file . " returns: " . cl_pretcode($retcode) . "<br>"; 

?>

• Place the script under the web root.
• Browse to the script, should see virus details if a virus is scanned.
• If php5-clamavlib is broken it usually causes an Apache error and it won't start with PHP enabled.

php4-clamavlib

• sudo apt-get install php4-clamlib
• Edit /etc/php4/apache2/php.ini remove -e from the extension statement:

extension=clamav.so

• sudo /etc/init.d/apache2 restart
• Create a test script:

<?php 

print cl_info()."<br/>"; 
$ret = cl_scanfile('/path/to/virus_file'); 
print "<br/>"; 

print $ret; 
print "<br/>"; 
print "<br/>"; 

echo cl_info() . "<br>"; 

$file = "/path/to/virus_file"; 
cl_scanfile_ex($file, CL_SCAN_STDOPT, $virus, $retcode);
if ($retcode == CL_VIRUS) 
    echo $file . " returns: " . cl_pretcode($retcode) . " virus name: " . $virus . "<br>"; 
else 
    echo $file . " returns: " . cl_pretcode($retcode) . "<br>"; 

?>

• Place the script under the web root.
• Browse to the script, should see virus details if a virus is scanned.

• If php4-clamavlib is broken it usually causes an Apache error and it won't start with PHP enabled.

Note: php4-clamavlib is not available on new Ubuntu releases. See php5-clamavlib above or php-clamav (it support Clamav 0.95.x).

python-clamav

• sudo apt-get install python-clamav
• Create a python test script:

###################################
#
# pyClamav test script.
#
###################################
import pyclamav

# Print the number of signatures.
print pyclamav.get_numsig()

# Print pyClamav verstion and Clamav version.
print pyclamav.get_version()
print pyclamav.version()

# Setup the file to scan.
scan_file = pyclamav.scanfile('/path/to/virus_file')
print scan_file

• Execute the file:

python clamav_test.py

• Should see version information and virus information printed to console.

qpsmtpd

• sudo apt-get install qpsmtpd
• sudo dpkg-reconfigure qpsmtpd
• answer the following:
  • Enable qpsmtpd startup at boot time: Yes

  • Addresses on which to listen for incoming SMTP connections: 172.18.100.50 (remove 127.0.0.1!)

  • Queueing method for accepted mail: Postfix

  • Destination domain(s) to accept mail for (blank for none): some_test_domain localhost.localdomain localhost

• edit /etc/postfix/main.cf change:

inet_interfaces = 127.0.0.1

• sudo /etc/init.d/postfix restart

• for testing with clamscan, add the following:

virus/clamav clamscan_path=/usr/bin/clamscan action=reject max_size=209715 tmp_dir=/tmp/qpsmtpd.clam

• for testing with clamdscan, take a look at README.Debian from the package

• sudo /etc/init.d/qpsmtpd restart
• send a virus through the system and it should be logged to /var/log/qpsmtpd/qpsmtpd.log

sylpheed-claws-gtk2

sylpheed-claws-clamav

Claws Mail

pyclamd

• apt-get install python-pyclamd

• get a test virus file from the eicar site

• make sure the file is readable by clamav-daemon (chmod 0666 /tmp/eicar.com)

• fire up python and copy-paste the commands below (the lines starting with >>>)

gimre@utest-jj:~$ python
Python 2.6.2c1 (release26-maint, Apr  8 2009, 01:02:22) 
[GCC 4.3.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pyclamd
>>> pyclamd.init_unix_socket(filename='/var/run/clamav/clamd.ctl')
>>> print pyclamd.version()
ClamAV 0.95.1/9224/Sat Apr 11 00:49:29 2009
>>> ret = pyclamd.scan_file('/tmp/eicar.com')
>>> print ret
{'/tmp/eicar.com': 'Eicar-Test-Signature'}
>>> ret = pyclamd.scan_stream(open('/tmp/eicar.com').read())
>>> print ret
{'stream': 'Eicar-Test-Signature FOUND'}