TestingProcedures

Introduction

This page lists some procedures for testing the various applications that use and depend on the ClamAV anti-virus software. The procedures are rough: they do only the minimum needed to get a particular package configured for a test, and shouldn't be used as a production guide.

This page is part of the MOTU/Clamav update/backport effort.

NOTES:

  • testing shouldn't be done on a production machine (obviously)
  • it's always a good idea to purge the packages and start from scratch when testing/retesting

amavisd-new

  • install amavis and postfix (configure it as Internet site)

# sudo apt-get install amavisd-new postfix
  • edit /etc/amavis/conf.d/15-content_filter_mode uncomment:

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl,
   \$bypass_virus_checks_re);
  • edit /etc/amavis/conf.d/15-av_scanners, make sure clamd is configured as primary, clamscan as backup scanner, comment the rest out to be sure

  • also make sure that clamd socket points to the correct filename

 ['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
   qr/\bOK$/m, qr/\bFOUND$/m,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
  • edit /etc/amavis/conf.d/50-user, add a valid hostname:

$myhostname = "example.com";
  • edit /etc/postfix/master.cf add:

smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
  • also add the following two lines immediately below the "pickup" transport service (lines need to start with a whitespace/tab!)

        -o content_filter=
        -o receive_override_options=no_header_body_checks
  • edit /etc/postfix/main.cf add the following line to the end:

content_filter = smtp-amavis:[127.0.0.1]:10024
  • add clamav user to the amavis group:

# sudo usermod -a -G amavis clamav
  • verify that /etc/clamav/clamd.conf has:

AllowSupplementaryGroups true
  • (re)start everything that's changed:

# sudo /etc/init.d/postfix restart 
# sudo /etc/init.d/clamav-daemon restart
# sudo /etc/init.d/amavis start
  • send a message through with a virus attachment, check /var/log/mail.log for something similar to:

Sep 30 22:53:57 utest-lls32 amavis[7207]: (07207-01) Blocked INFECTED (Eicar-Test-
Signature(44d88612fea8a8f36de82e1278abb02f:68)), LOCAL [172.16.21.1] [172.16.21.1] <gimre@example.com> ->
<gimre@example.com>, quarantine: 1/virus-1-BWG7Fdyonr, Message-ID: <20100930195357.45CD419F8B9@voy>,
mail_id: 1-BWG7Fdyonr, Hits: -, size: 1409, 181 ms
  • stop clamav-daemon to test backup scanner (which should be clamscan), send an email and check the logs:

Sep 30 22:57:11 utest-lls32 amavis[7206]: (07206-01) (!)ClamAV-clamd: Can't connect to UNIX socket 
/var/run/clamav/clamd.ctl: 2, retrying (2)
Sep 30 22:57:17 utest-lls32 amavis[7206]: (07206-01) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many 
retries to talk to /var/run/clamav/clamd.ctl (Can't connect to UNIX socket /var/run/clamav/clamd.ctl: No such 
file or directory) at (eval 115) line 373.\n
Sep 30 22:57:17 utest-lls32 amavis[7206]: (07206-01) (!!)WARN: all primary virus scanners failed, considering 
backups
Sep 30 22:57:22 utest-lls32 amavis[7206]: (07206-01) Blocked INFECTED (Eicar-Test-Signature), LOCAL 
[172.16.21.1] [172.16.21.1] <gimre@example.com> -> <gimre@example.com>, quarantine: 2/virus-2PXuTWKdFjk6,
Message-ID: <20100930195710.0498619F8B9@voy>, mail_id: 2PXuTWKdFjk6, Hits: -, size: 1409, 11889 ms
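The "send a message with a virus attachment and check the log" step above is the same for every MTA-based filter on this page. As an added example (it is not part of the wiki page or of amavisd-new), the script below builds the EICAR-attached test message, hands it to the local Postfix, and pulls the amavis verdict and the clamd-to-clamscan failover warning back out of /var/log/mail.log. The paths (/tmp/eicar.com, /var/log/mail.log), the SMTP endpoint 127.0.0.1:25 and the addresses are assumptions for this example; SAMPLE_LOG is constructed from the log excerpts above so the parsing part runs without a mail system.

```python
"""Added example (not part of the wiki page or of amavisd-new): build the EICAR-attached
test message, submit it to the local Postfix, and read the amavis verdict out of the log.

Assumptions for this example: the EICAR file was downloaded to /tmp/eicar.com, Postfix
accepts mail on 127.0.0.1:25, and the log lines have the format shown in the procedure.
SAMPLE_LOG below is constructed from those excerpts (one line each), not a real capture."""
import re
import smtplib
import time
from email.message import EmailMessage

# Verdict line: "amavis[PID]: (TASK) Blocked INFECTED (Name(md5:size)), LOCAL ... mail_id: ID, ..."
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) (?P<action>Blocked|Passed) "
    r"(?P<verdict>INFECTED|CLEAN|SPAM|SPAMMY|BANNED|BAD-HEADER)"
    r"(?: \((?P<detail>.*?)\))?.*?mail_id: (?P<mail_id>\S+),"
)
# Logged when clamd is unreachable and amavis falls back to the backup scanner (clamscan)
FAILOVER_RE = re.compile(r"\(!!\)WARN: all primary virus scanners failed")

SAMPLE_LOG = [  # constructed sample lines modelled on the excerpts above
    "Sep 30 22:53:57 utest amavis[7207]: (07207-01) Blocked INFECTED "
    "(Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68)), LOCAL [172.16.21.1] "
    "<a@example.com> -> <b@example.com>, quarantine: 1/virus-1-BWG7Fdyonr, "
    "Message-ID: <1@voy>, mail_id: 1-BWG7Fdyonr, Hits: -, size: 1409, 181 ms",
    "Sep 30 22:57:17 utest amavis[7206]: (07206-01) (!!)WARN: all primary virus "
    "scanners failed, considering backups",
    "Sep 30 22:57:22 utest amavis[7206]: (07206-01) Blocked INFECTED (Eicar-Test-Signature), "
    "LOCAL [172.16.21.1] <a@example.com> -> <b@example.com>, quarantine: 2/virus-2PXuTWKdFjk6, "
    "Message-ID: <2@voy>, mail_id: 2PXuTWKdFjk6, Hits: -, size: 1409, 11889 ms",
    "Sep 30 22:59:01 utest amavis[7208]: (07208-01) Passed CLEAN, LOCAL [172.16.21.1] "
    "<a@example.com> -> <b@example.com>, Message-ID: <3@voy>, mail_id: 3abcdefghijk, "
    "Hits: -0.1, size: 512, 90 ms",
]


def parse_amavis_verdict(line):
    """Return (action, verdict, virus_name, mail_id) for an amavis verdict line, else None.
    virus_name is None for clean mail; for INFECTED it is the scanner's name without the
    "(md5:size)" suffix amavis appends when clamd reports it."""
    m = AMAVIS_RE.search(line)
    if not m:
        return None
    detail = m.group("detail") or ""
    name = detail.split("(", 1)[0] or None
    return m.group("action"), m.group("verdict"), name, m.group("mail_id")


def summarize_log(lines):
    """Return (verdicts, failover): parsed verdict tuples, and whether amavis used the backup scanner."""
    verdicts = [v for v in map(parse_amavis_verdict, lines) if v]
    failover = any(FAILOVER_RE.search(line) for line in lines)
    return verdicts, failover


def build_test_message(sender, recipient, attachment, filename="eicar.com"):
    """Return an EmailMessage carrying `attachment` (bytes) as an application/octet-stream part."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "ClamAV test: " + filename
    msg.set_content("Test message; the attachment is the EICAR test file.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg


def send_and_check(eicar_path="/tmp/eicar.com", log_path="/var/log/mail.log",
                   sender="gimre@example.com", recipient="gimre@example.com", delay=5):
    """Submit the test message to the local Postfix, wait for amavis, and summarize the log.
    Needs read access to the log (root or the adm group); only run this on a throwaway test box."""
    with open(eicar_path, "rb") as fh:
        msg = build_test_message(sender, recipient, fh.read())
    with smtplib.SMTP("127.0.0.1", 25) as smtp:
        smtp.send_message(msg)
    time.sleep(delay)                      # give amavis time to scan and log the message
    with open(log_path, errors="replace") as fh:
        verdicts, failover = summarize_log(fh.read().splitlines())
    for action, verdict, name, mail_id in verdicts:
        print(f"{mail_id}: {action} {verdict}" + (f" ({name})" if name else ""))
    if failover:
        print("clamd was unreachable; amavis used the backup scanner (clamscan)")
    return verdicts, failover


if __name__ == "__main__":
    send_and_check()
```

Run it once with clamav-daemon up (expect "Blocked INFECTED (Eicar-Test-Signature)" and no failover line) and once with clamav-daemon stopped (same verdict, but with the failover line and a much longer scan time, since clamscan reloads the whole database for every message).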

AVScan

  • sudo apt-get install avscan
  • /usr/bin/avscan
  • Scan a file.

clamassassin

  • install clamassassin and procmail (also postfix and clamav-daemon)

# sudo apt-get install postfix procmail clamassassin clamav-daemon
  • configure postfix as Internet site

  • in /etc/postfix/main.cf change the MDA (mail delivery agent) to procmail (just append the following line then restart postfix)

mailbox_command = /usr/bin/procmail
  • create a test user and put a .procmailrc file in its home directory:

# useradd -m testuser
# touch /home/testuser/.procmailrc
# chown testuser:testuser /home/testuser/.procmailrc
  • copy-paste the following code in .procmailrc to enable clamassassin:

##########
MAILDIR=$HOME/Maildir

:0fw
| /usr/bin/clamassassin

:0:
* ^X-Virus-Status: Yes
.virus/
##########
  • create the user's Maildir:

# cd /home/testuser
# mkdir -p Maildir/new Maildir/cur Maildir/tmp
# mkdir -p Maildir/.virus/new Maildir/.virus/cur Maildir/.virus/tmp
# chown -R testuser:testuser Maildir/
  • make sure clamd is running and the virus databases are up-to-date (in /var/lib/clamav)
  • get the test virus file from http://eicar.org/85-0-Download.html, and send a mail to testuser

  • the mail should be delivered in the .virus/new subfolder in /home/testuser/Maildir

  • open the mail and look for similar lines in the header:

X-Virus-Report: Eicar-Test-Signature FOUND 
X-Virus-Checker-Version: clamassassin 1.2.4 with clamscan / ClamAV 0.97.2/13453/Thu Aug 18 07:34:24 2011

Clamassassin can be configured to use clamdscan/clamav-daemon for scanning email which is preferred over clamscan as it is much faster.

  • edit /etc/default/clamassassin and change the scanner

CLAMSCAN=clamdscan
  • make sure clamd is running and using a local (Unix) socket and not TCP socket (in /etc/clamav/clamd.conf)

  • after sending the email with the virus, look at the header, now it should say 'clamdscan':

X-Virus-Report: Eicar-Test-Signature FOUND 
X-Virus-Checker-Version: clamassassin 1.2.4 with clamdscan / ClamAV 0.97.2/13453/Thu Aug 18 07:34:24 2011

clamcour

  • sudo apt-get install courier-mta
  • sudo apt-get install clamcour
  • Edit /etc/courier/smtpaccess/default change:

192.168.0     allow,RELAYCLIENT
  • Configure a valid DNS domain.
  • Configure Postfix on another host to send the messages. Using Mutt won't work.
  • Edit /etc/courier/locals, add the domain.
  • Edit /etc/courier/defaultdomain, set it to host.domain.org
  • sudo makesmtpaccess
  • sudo makehosteddomains
  • sudo /etc/init.d/courier-mta restart
    • you should now be able to send a message through courier
  • sudo filterctl start clamcour
  • Send a virus through the system and it should be logged to /var/log/mail.log.

clamfs

  • sudo apt-get install clamfs
  • mkdir -p /clamfs/tmp
  • get eicar.com file from the eicar site, copy it to /tmp

  • run clamfs with the example conf from the package
    • this will mount /tmp to /clamfs/tmp (check with mount)

root@utest-jj:~# clamfs /usr/share/doc/clamfs/clamfs-sample.xml
22:45:32 (clamfs.cxx:870) ClamFS v0.9.1
22:45:32 (clamfs.cxx:871) Copyright (c) 2007 Krzysztof Burghardt <krzysztof@burghardt.pl>
22:45:32 (clamfs.cxx:872) http://clamfs.sourceforge.net/
22:45:32 (clamfs.cxx:952) chdir to our 'root' (/tmp)
22:45:32 (clamfs.cxx:990) ScanCache initialized, 16384 entries will be kept for 10800000 ms max.
22:45:32 (rlog.cxx:82) logs goes to syslog
root@utest-jj:~# mount | grep clamfs
clamfs on /clamfs/tmp type fuse.clamfs (rw,nosuid,nodev,allow_other,default_permissions)
  • try to cat /clamfs/tmp/eicar.com, should get 'operation not permitted' message

  • check syslog for clamfs message:

Apr 11 22:49:40 utest-jj clamfs: (cat:13044) (root:0) /eicar.com: forced anti-virus scan because extension blacklisted 
Apr 11 22:49:40 utest-jj clamfs: (cat:13044) (root:0) /tmp/eicar.com: Eicar-Test-Signature FOUND

clamsmtp

  • sudo apt-get install clamsmtp
  • Configure Postfix according to clamsmtp page

    • note: stock clamsmtpd in Ubuntu listens on 10026 and forwards scanned mail to 10025, this is where postfix should listen (check /etc/clamsmtpd.conf)
  • sudo /etc/init.d/postfix restart
  • sudo /etc/init.d/clamsmtpd restart
  • Send a mail through the system with a virus attachment.
  • Should see the message being rejected and the virus name in /var/log/mail.log
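The Postfix side that the "configure Postfix according to clamsmtp page" step refers to, written out here as an added example (it follows the Postfix notes shipped with clamsmtp, not text from this page). The port numbers match the stock Ubuntu /etc/clamsmtpd.conf: Postfix hands mail to clamsmtpd on 10026 and clamsmtpd re-injects it on 10025. The `-o content_filter=` on the 10025 listener is what keeps re-injected mail from being sent through the scanner again in a loop; leave it out and every message bounces between the two daemons.

```text
# /etc/postfix/main.cf: hand every message to clamsmtpd on 10026
content_filter = scan:127.0.0.1:10026

# /etc/postfix/master.cf
# transport used by content_filter above
scan      unix  -       -       n       -       16      smtp
        -o smtp_send_xforward_command=yes
        -o smtp_enforce_tls=no
# clamsmtpd re-injects scanned mail here; must not be filtered again
127.0.0.1:10025 inet  n -       n       -       16      smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks_style=host
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8

# /etc/clamsmtpd.conf: the values the two Postfix entries above rely on
OutAddress: 10025
Listen: 127.0.0.1:10026
ClamAddress: /var/run/clamav/clamd.ctl
```

After `postfix reload` a message with the EICAR attachment should show up in /var/log/mail.log as rejected by the `scan` transport with the virus name; a clean message takes the round trip through 10026 and 10025 and is delivered.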

Clamtk

  • install clamtk

# sudo apt-get install clamtk
  • start clamtk (/usr/bin/clamtk) and scan a file downloaded from http://eicar.org/85-0-Download.html

Dansguardian

  • install dansguardian and squid proxy:

# sudo apt-get install dansguardian squid
  • to enable dansguardian, edit /etc/dansguardian/dansguardian.conf, comment out "UNCONFIGURED" at the beginning of the file

  • set up squid to listen on 127.0.0.1:3128, for this edit /etc/squid/squid.conf, search for http_port and change it to:

http_port 127.0.0.1:3128

Depending on which part of clamav you are testing, you need to enable a content scanner in /etc/dansguardian/dansguardian.conf

  • for testing libclamav, uncomment the following:

#contentscanner = '/etc/dansguardian/contentscanners/clamav.conf'
  • for testing clamdscan/clamav-daemon, uncomment:

#contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'

NOTE: there are some extra steps to be taken when using clamdscan:

  • clamav-daemon needs to be installed and running (obviously)
  • the clamav user needs to be in dansguardian group for clamd to be able to scan dansguardian's temporary files, this can be achieved with the following commands:

# usermod -a -G dansguardian clamav
# /etc/init.d/clamav-daemon restart
  • restart squid and (re)start dansguardian:

# sudo /etc/init.d/squid restart
# sudo /etc/init.d/dansguardian start
  • set your browser to use dansguardian as a proxy server (on port 8080), then try to download a test virus file, like one of these: http://eicar.org/85-0-Download.html

  • it should get blocked with a warning and there should be an entry in /var/log/dansguardian/access.log similar to this:

2011.8.17 21:43:34 - 172.16.21.1 http://eicar.org/download/eicar.com.txt *INFECTED* *DENIED* Virus or bad
content detected. Eicar-Test-Signature GET 68 0 Content scanning 1 403 application/octet-stream   -

dspam

  • sudo apt-get install dspam
  • Download dspamit shell script from dspamit_wrapper
  • Save it in /usr/local/bin/dspamit
  • sudo chmod 755 /usr/local/bin/dspamit
  • Edit /etc/dspam/dspam.conf uncomment and change:

TrustedDeliveryAgent "/usr/sbin/sendmail"

ClamAVPort      3310
ClamAVHost      127.0.0.1
ClamAVResponse accept

Opt out
  • Edit /etc/clamav/clamd.conf add:

TCPSocket 3310
TCPAddr 127.0.0.1
  • sudo /etc/init.d/clamav-daemon restart
  • Edit /etc/postfix/master.cf add:

smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=dspam:
dspam     unix  -       n       n       -       10      pipe
  flags=Rhqu user=dspam argv=/usr/local/bin/dspamit ${sender} ${recipient}
  • Edit /etc/postfix/main.cf add:

dspam_destination_recipient_limit = 1
  • Edit /etc/default/dspam change no to yes:

START=yes
  • sudo /etc/init.d/postfix restart
  • Send a virus through the system; it should not be delivered, and the detection should be logged to /var/log/clamav/clamav.log

dtc-postfix-courier

Exim4 with ClamAV

  • sudo apt-get install exim4-daemon-heavy
  • sudo dpkg-reconfigure exim4-config (select split configuration)
  • should be able to send mail at this point
  • edit /etc/exim4/conf.d/main/02_exim4-config_options change:

av_scanner = clamd:/var/run/clamav/clamd.ctl
  • create new file /etc/exim4/conf.d/main/00_localmacros, add:

CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/local_acl
  • create new file /etc/exim4/local_acl and add the following:

   # Reject messages that have serious MIME errors.
   # This calls the demime condition again, but it
   # will return cached results.
   deny message = Serious MIME defect detected ($demime_reason)
   demime = *
   condition = ${if >{$demime_errorlevel}{2}{1}{0}}

   #
   # Reject file extensions used by worms.
   #
   deny message = This domain has a policy of not accepting certain types \
                  of attachments in mail as they may contain a virus.  \
                  \
                  This mail has a file with a .$found_extension attachment and \
                  is not accepted. \
                  \
                  If you have a legitimate need to send this attachment, send it \
                  in a compressed archive, and it will then be forwarded to the \
                  recipient.
   demime = vbs:bat:pif:scr
   .ifdef TEERGRUBE
      delay = TEERGRUBE
   .endif

   # Reject messages containing malware.
   deny message = This message contains a virus ($malware_name) and has been rejected
   malware = *
  • sudo update-exim4.conf
  • sudo /etc/init.d/exim4 restart
  • you may need to add clamav user to Debian-exim group (on jaunty)
  • sudo /etc/init.d/clamav-daemon restart
  • send a virus through the system and you should see a rejection message from ClamAV in /var/log/exim4/mainlog

gURLChecker

  • sudo apt-get install gurlchecker
  • Execute /usr/bin/gurlchecker
  • Enable virus scanning in the Security section.
  • Check a site with a virus.
  • Should see virus name on console.

HAVP

  • install havp

# sudo apt-get install havp
  • havp listens only on localhost by default, you may need to change that in /etc/havp/havp.config

    • comment out the line:

BIND_ADDRESS 127.0.0.1
  • don't forget to restart havp
  • change browser connection settings to use proxy on port 8080 (havp default) and clear browser cache
  • browse to a page with a virus (e.g. http://eicar.org/85-0-Download.html), and try downloading a file

  • page should be blocked by havp and the virus should be logged to /var/log/havp/access.log:

17/08/2011 21:58:25 172.16.21.1 GET 200 http://eicar.org/download/eicar.com.txt 314+68 VIRUS
ClamAV: Eicar-Test-Signature

NOTE: havp uses libclamav by default but it can be configured to use clamd for scanning, you might want to test that

  • change /etc/havp/havp.config to use clamd and not libclamav:

ENABLECLAMLIB false
ENABLECLAMD true
CLAMDSOCKET /var/run/clamav/clamd.ctl
  • clamav-daemon needs to be installed and running (obviously)
  • the clamav user needs to be in havp group for clamd to be able to scan havp's temporary files, this can be achieved with the following commands:

# usermod -a -G havp clamav
# /etc/init.d/clamav-daemon restart
  • logfile should reflect that scanning was performed using clamd:

17/08/2011 22:09:13 172.16.21.1 GET 200 http://eicar.org/download/eicar.com.txt 314+68 VIRUS
Clamd: Eicar-Test-Signature

Klamav

  • install klamav (you will need a running graphical environment for this)

# sudo apt-get install klamav

NOTE: by default, /var/lib/clamav is used as the database folder which cannot be updated by a normal user. To test with latest signatures you can change the database directory to /home/<user>/.klamav/database in the 'Update' tab.

Kmail

  • sudo apt-get install clamav-daemon kmail
  • start kmail, configure a POP3 email account, make sure it works ok
  • in the menu go to Tools / Anti-Virus Wizard...

  • clamav should appear in the list, select it, click Next

  • check the first two options (Check messages using the anti-virus tool and Move to selected folder)

  • select Local Folders/trash and click Finish

  • go to Settings / Configure Filters... and check that the antivirus filters got added (there should be two, one for scanning and marking the email in the header, the other one to move the email if virus found)

  • send a test email with virus attached to the account, then Check Mail and see the message moved automatically to the trash folder

  • select the mail in the trash folder, select View / Headers / All Headers, and check for X-Virus-Flag: yes at the beginning of the header.

libclamav-client-perl

  • sudo apt-get install libclamav-client-perl
  • create a new file, add the following perl code and run the script with perl

#!/usr/bin/perl
use strict;
use warnings;
use ClamAV::Client;

# connect to clamd through its UNIX socket
# (Ubuntu default socket path)
my $scanner = ClamAV::Client->new(
    socket_name     => '/var/run/clamav/clamd.ctl'
);

# check that clamd is running
die("ClamAV daemon not alive")
    if not defined($scanner) or not $scanner->ping();

# print clamav version information
my $version = $scanner->version;
print "$version\n";

# scan a file (the EICAR test file downloaded to /tmp), print the virus name if found
my ($path, $result) = $scanner->scan_path('/tmp/eicar.com');
if (defined($result)) {
    print "Virus found in $path: $result\n";
}
else {
    print "No virus found.\n";
}

MailScanner

  • sudo apt-get install mailscanner
  • Edit /etc/postfix/main.cf add:

header_checks = regexp:/etc/postfix/header_checks
  • Create /etc/postfix/header_checks add:

/^Received:/ HOLD
  • Edit /etc/MailScanner/MailScanner.conf change:

Run As User = postfix
Run As Group = postfix
 
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix

Virus Scanners = clamav

sudo chown -R postfix.postfix /var/spool/MailScanner/
sudo chown -R postfix.postfix /var/lib/MailScanner/
sudo chown -R postfix.postfix /var/run/MailScanner/
sudo chown -R postfix.postfix /var/lock/subsys/MailScanner/
  • Edit /etc/default/mailscanner uncomment:

run_mailscanner=1
  • sudo /etc/init.d/mailscanner restart
  • sudo /etc/init.d/postfix restart
  • Send a message through with a virus attached; the detection should be logged to /var/log/mail.log.

Mediawiki

  • sudo apt-get install apache2 libapache2-mod-php5 mysql-server
  • sudo apt-get install mediawiki clamav
  • configure MySQL to listen on IP Address:
  • edit /etc/mysql/my.cnf:

bind-address     = 192.168.0.10
  • create a database for the wiki and give access rights to wikiuser
    • mysql -u root

create database wikidb;
grant all on wikidb.* to wikiuser@'192.168.0.10' identified by 'password';
  • configure Apache:
    • sudo cp /etc/mediawiki/apache.conf /etc/apache2/sites-available/mediawiki.conf
    • sudo a2ensite mediawiki.conf
    • sudo /etc/init.d/apache2 reload
  • setup the wiki using a browser pointed to http://server/mediawiki to make sure it works

  • edit /etc/mediawiki/LocalSettings.php and enable file uploads, by searching for and uncommenting the following line:

#$wgEnableUploads       = true;
  • edit /etc/mediawiki/LocalSettings.php and add the following to the end, enabling scanning uploaded zip files with clamav:

$wgAntivirus = 'clamav';
$wgFileExtensions[] = 'zip';

  • upload a zip archive containing the EICAR test file through the wiki's upload page; the upload should be refused with a warning like:

Upload warning
The file contains a virus! Details: Eicar-Test-Signature FOUND

MIMEDefang

  • sudo apt-get install mimedefang
    • This will install sendmail if it's not installed already.
  • Edit /etc/mail/sendmail.mc change:

DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp, Addr=172.18.100.50')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission, Addr=172.18.100.50')dnl

INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:5m;R:5m')dnl
  • Edit /etc/mail/access uncomment:

Connect:172.18                  RELAY
  • sudo sendmailconfig
  • sudo adduser clamav defang
  • sudo adduser defang clamav
  • sudo adduser clamav smmsp
  • Edit /etc/mail/mimedefang-filter add the following to the top:

# For clamav.
$Features{'Virus:CLAMD'} = 1;
$ClamdSock  = "/var/run/clamav/clamd.ctl";
  • sudo /etc/init.d/mimedefang restart
  • sudo /etc/init.d/clamav-daemon restart
  • send messages to user@host.domain.org

  • Send through a virus and it should be logged to /var/log/mail.log.

nautilus-clamscan

Nautilus-clamscan is a Nautilus extension for scanning files for viruses easily by right-clicking on them. See https://launchpad.net/nautilus-clamscan for more information.

  • sudo apt-get install nautilus-clamscan
  • logout/login for the extension to get loaded
  • download a testfile from the EICAR website to the Desktop

  • right-click on the file and select 'Scan for viruses...'
  • a 'File manager' popup should appear with scanning progress bar, saying that it found 1 infected file

p3scan

  • sudo apt-get install p3scan clamav-daemon
  • enable plain POP3 protocol in dovecot (/etc/dovecot/dovecot.conf):

protocols = pop3 imap imaps
  • add the clamav user to p3scan group

root@utest-dd:/var/mail# usermod -a -G p3scan clamav
root@utest-dd:/var/mail# id clamav
uid=110(clamav) gid=110(clamav) groups=110(clamav),114(p3scan)
  • sudo /etc/init.d/dovecot restart
  • sudo /etc/init.d/clamav-daemon start
  • edit /etc/p3scan/p3scan.conf and set the following options:

(for scanning with clamdscan)

scanner = /usr/bin/clamdscan --no-summary
virusregexp = .*: (.*) FOUND

(for scanning directly with clamd through TCP socket)

scannertype = clamd
scanner = 127.0.0.1:3310
virusregexp = .*: (.*) FOUND
  • sudo /etc/init.d/p3scan restart
  • Redirect the POP3 port 110 to 8110 using iptables:

sudo iptables -t nat -A PREROUTING -p tcp --dport pop3 -j REDIRECT --to 8110
  • send a virus through the system then try connecting to the account using POP3
  • should get an email stating there was a virus sent to you
  • p3scan should then quarantine the message in /var/spool/p3scan.

php5-clamav

Install php5-clamav package (only available since Lucid, replaces php{4,5}-clamavlib)

  • sudo apt-get install php5-clamav
  • sudo /etc/init.d/apache2 restart

Create a test script:

  • vi /var/www/vir.php

<?php

print cl_info()."<br/>";
$virname = '';
$file = '/tmp/eicar_com.zip';

$ret = cl_scanfile($file,$virname); 
print "<br/>"; 
if ($ret) {
  print "Virus found in $file: $virname .<br/>";
}
else {
  print "No virus found in $file.<br/>";
}
?>

Browse to the script, should see virus details if a virus is found.

For more details see /usr/share/doc/php5-clamav/README.Debian included with the package.

php5-clamavlib

  • sudo apt-get install php5-clamavlib
  • sudo /etc/init.d/apache2 restart

Create a test script:

<?php

// libclamav version and signature information
print cl_info() . "<br/>";

$file = '/path/to/virus_file';

// simple interface: print whatever cl_scanfile() returns for the file
$ret = cl_scanfile($file);
print "cl_scanfile: " . $ret . "<br/>";

// extended interface: return code and virus name come back through the reference parameters
cl_scanfile_ex($file, CL_SCAN_STDOPT, $virus, $retcode);
if ($retcode == CL_VIRUS)
    echo $file . " returns: " . cl_pretcode($retcode) . " virus name: " . $virus . "<br/>";
else
    echo $file . " returns: " . cl_pretcode($retcode) . "<br/>";

?>
  • Place the script under the web root.
  • Browse to the script, should see virus details if a virus is scanned.
  • If php5-clamavlib is broken it usually causes an Apache error and it won't start with PHP enabled.

php4-clamavlib

  • sudo apt-get install php4-clamavlib
  • Edit /etc/php4/apache2/php.ini remove -e from the extension statement:

extension=clamav.so
  • sudo /etc/init.d/apache2 restart
  • Create a test script:

<?php

// libclamav version and signature information
print cl_info() . "<br/>";

$file = '/path/to/virus_file';

// simple interface: print whatever cl_scanfile() returns for the file
$ret = cl_scanfile($file);
print "cl_scanfile: " . $ret . "<br/>";

// extended interface: return code and virus name come back through the reference parameters
cl_scanfile_ex($file, CL_SCAN_STDOPT, $virus, $retcode);
if ($retcode == CL_VIRUS)
    echo $file . " returns: " . cl_pretcode($retcode) . " virus name: " . $virus . "<br/>";
else
    echo $file . " returns: " . cl_pretcode($retcode) . "<br/>";

?>
  • Place the script under the web root.
  • Browse to the script, should see virus details if a virus is scanned.
  • If php4-clamavlib is broken it usually causes an Apache error and it won't start with PHP enabled.

Note: php4-clamavlib is not available on new Ubuntu releases. See php5-clamavlib above or php-clamav (which supports ClamAV 0.95.x).

python-clamav

  • install python-clamav package:

# sudo apt-get install python-clamav
  • create a python test script, say in /tmp/test.py with the following content:

###################################
#
# pyClamav test script
#
###################################
import pyclamav

# Print the number of signatures.
print pyclamav.get_numsig()

# Print pyClamav version and Clamav version.
print pyclamav.get_version()
print pyclamav.version()

# Setup the file to scan.
scan_file = pyclamav.scanfile('/tmp/eicar.com.txt')
print scan_file
###################################
#
# end of test script
#
###################################

NOTE: download a test file from http://eicar.org/85-0-Download.html and change the path to the file (e.g. /tmp/eicar.com.txt)

  • execute the script, you should see version and virus information printed to console

# cd /tmp
# python ./test.py
1021013
('0.97.2', 13450, 1313597786)
0.4.1
(1, 'Eicar-Test-Signature')

qpsmtpd

  • sudo apt-get install qpsmtpd
  • sudo dpkg-reconfigure qpsmtpd
  • answer the following:
    • Enable qpsmtpd startup at boot time: Yes
    • Addresses on which to listen for incoming SMTP connections: 172.18.100.50 (remove 127.0.0.1!)

    • Queueing method for accepted mail: Postfix
    • Destination domain(s) to accept mail for (blank for none): some_test_domain localhost.localdomain localhost

  • edit /etc/postfix/main.cf change:

inet_interfaces = 127.0.0.1
  • sudo /etc/init.d/postfix restart
  • for testing with clamscan, add the following in /etc/qpsmtpd/plugins

virus/clamav clamscan_path=/usr/bin/clamscan action=reject max_size=209715 tmp_dir=/tmp/qpsmtpd.clam
  • for testing with clamdscan, add the following in /etc/qpsmtpd/plugins

virus/clamdscan clamd_socket /var/run/clamav/clamd.ctl deny_viruses yes
  • add clamav to the qpsmtpd group and give the group read/traverse access to the qpsmtpd spool, so clamd can open the temporary files:

usermod -a -G qpsmtpd clamav
chmod g+rx /var/spool/qpsmtpd
  • sudo /etc/init.d/qpsmtpd restart
  • send a virus through the system and it should be logged to /var/log/qpsmtpd/qpsmtpd.log

sylpheed-claws-gtk2

sylpheed-claws-clamav

Claws Mail

pyclamd

  • apt-get install python-pyclamd
  • get a test virus file from the eicar site

  • make sure the file is readable by clamav-daemon (e.g. chmod 0644 /tmp/eicar.com; it only needs to be readable, not world-writable)
  • fire up python and copy-paste the commands below (the lines starting with >>>)

gimre@utest-jj:~$ python
Python 2.6.2c1 (release26-maint, Apr  8 2009, 01:02:22) 
[GCC 4.3.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pyclamd
>>> pyclamd.init_unix_socket(filename='/var/run/clamav/clamd.ctl')
>>> print pyclamd.version()
ClamAV 0.95.1/9224/Sat Apr 11 00:49:29 2009
>>> ret = pyclamd.scan_file('/tmp/eicar.com')
>>> print ret
{'/tmp/eicar.com': 'Eicar-Test-Signature'}
>>> ret = pyclamd.scan_stream(open('/tmp/eicar.com').read())
>>> print ret
{'stream': 'Eicar-Test-Signature FOUND'}
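What pyclamd does behind `init_unix_socket`, `version()` and `scan_stream()` is the plain clamd wire protocol, the same one the amavis `ask_daemon` entry and p3scan's `scannertype = clamd` speak. As an added example (not code from the wiki page, from pyclamd or from ClamAV), the client below implements PING, VERSION and INSTREAM directly, and an in-process fake clamd lets it run with no daemon installed. The fake daemon is an assumption for this example: it flags any stream containing the constructed marker b"EICAR-TEST" and answers with the real daemon's reply format, but it knows nothing about ClamAV's actual signatures; the socket path /var/run/clamav/clamd.ctl is the Ubuntu default used throughout this page.

```python
"""Added example (not from the wiki page or pyclamd): a minimal clamd client speaking the
wire protocol used by pyclamd, amavis's ask_daemon entry and p3scan's scannertype=clamd,
plus an in-process fake clamd so it runs offline.  Commands go out as "z<CMD>\\0" and replies
end in "\\0"; INSTREAM ships the data as <4-byte big-endian length><chunk> pairs ending with
a zero-length chunk and is answered "stream: <name> FOUND" or "stream: OK".  The fake daemon
is an assumption for this example: it flags the constructed marker b"EICAR-TEST" only."""
import os, socket, struct, tempfile, threading


def parse_verdict(reply):
    """'stream: Eicar-Test-Signature FOUND' -> name; 'stream: OK' -> None; else a clamd error."""
    status = reply.rpartition(": ")[2]
    if status == "OK":
        return None
    if status.endswith(" FOUND"):
        return status[:-len(" FOUND")]
    raise ValueError("clamd error: " + reply)


def _read_reply(s):
    # clamd answers one command per connection and then closes it, so read up to EOF
    return s.makefile("rb").read().rstrip(b"\0\n").decode()


def _recv_exact(conn, n):
    buf = conn.recv(n, socket.MSG_WAITALL)      # block until n bytes arrive (or EOF)
    if len(buf) != n:
        raise ConnectionError("peer closed the stream early")
    return buf


class ClamdClient:
    def __init__(self, socket_path="/var/run/clamav/clamd.ctl", timeout=30):
        self.socket_path, self.timeout = socket_path, timeout

    def _connect(self):
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)   # Ubuntu default LocalSocket
        s.settimeout(self.timeout)
        s.connect(self.socket_path)
        return s

    def command(self, cmd):
        with self._connect() as s:
            s.sendall(b"z" + cmd.encode() + b"\0")
            return _read_reply(s)

    def ping(self):
        return self.command("PING") == "PONG"

    def version(self):
        return self.command("VERSION")

    def scan_stream(self, data, chunk=8192):
        """Scan bytes via INSTREAM; returns the virus name or None, raises on a clamd error."""
        with self._connect() as s:
            s.sendall(b"zINSTREAM\0")
            for i in range(0, len(data), chunk):            # keep chunks under StreamMaxLength
                s.sendall(struct.pack(">I", len(data[i:i + chunk])) + data[i:i + chunk])
            s.sendall(struct.pack(">I", 0))                 # zero-length chunk ends the stream
            return parse_verdict(_read_reply(s))


def fake_clamd_serve(srv):
    """Stand-in daemon loop (assumption, for offline runs): handles PING, VERSION, INSTREAM."""
    while True:
        conn, _ = srv.accept()
        with conn:
            cmd = b""
            while not cmd.endswith(b"\0"):                  # read "z<CMD>\0" byte by byte
                cmd += _recv_exact(conn, 1)
            cmd = cmd[1:-1].decode()
            if cmd == "PING":
                conn.sendall(b"PONG\0")
            elif cmd == "VERSION":
                conn.sendall(b"ClamAV 0.97.2/13453/Thu Aug 18 07:34:24 2011\0")   # fake banner
            elif cmd == "INSTREAM":
                data, n = b"", struct.unpack(">I", _recv_exact(conn, 4))[0]
                while n:                                    # chunks until the zero-length one
                    data += _recv_exact(conn, n)
                    n = struct.unpack(">I", _recv_exact(conn, 4))[0]
                verdict = b"Eicar-Test-Signature FOUND" if b"EICAR-TEST" in data else b"OK"
                conn.sendall(b"stream: " + verdict + b"\0")


def demo():
    """Run the client against the fake daemon on a temporary Unix socket; returns the results."""
    path = os.path.join(tempfile.mkdtemp(), "clamd.ctl")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(5)
    threading.Thread(target=fake_clamd_serve, args=(srv,), daemon=True).start()
    c = ClamdClient(socket_path=path)
    return {"ping": c.ping(), "version": c.version(),
            "clean": c.scan_stream(b"harmless text, nothing to find"),
            "infected": c.scan_stream(b"x" * 10000 + b"EICAR-TEST")}   # spans two chunks


if __name__ == "__main__":
    print(demo())                  # against a real clamd: ClamdClient().scan_stream(data)
```

INSTREAM is the call to prefer over SCAN or CONTSCAN when the scanning process and clamd run as different users (the reason for all the "add clamav to the X group" steps on this page): the bytes travel over the socket, so clamd never needs file-system access to the caller's temporary files. The trade-off is clamd's StreamMaxLength limit, which it reports as an "INSTREAM size limit exceeded. ERROR" reply that parse_verdict raises rather than silently treating as clean.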

MOTU/Clamav/TestingProcedures (last edited 2011-10-07 19:53:02 by dyn-89)