Contents

Introduction
amavisd-new
avscan
clamassassin
clamcour
clamfs
clamsmtp
clamtk
dansguardian
dspam
exim4
gurlchecker
havp
klamav
kmail
libclamav-client-perl
mailscanner
mediawiki
mimedefang
nautilus-clamscan
p3scan
php5-clamav
php5-clamavlib
php4-clamavlib
pyclamd
python-clamav
qpsmtpd

Introduction

This page lists some procedures for testing the various applications that use and depend on ClamAV anti-virus software. These procedures are in somewhat a rough shape used to minimally configure any particular package and shouldn't be used as a production guide.

This page is part of the MOTU/Clamav update/backport effort.

NOTES:

testing shouldn't be done on a production machine (obviously)
it's always a good idea to purge remove the packages and start from scratch when testing/retesting)

amavisd-new

install amavis and postfix (configure it as Internet site)

# sudo apt-get install amavisd-new postfix

edit /etc/amavis/conf.d/15-content_filter_mode uncomment:

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl,
   \$bypass_virus_checks_re);

edit /etc/amavis/conf.d/15-av_scanners, make sure clamd is configured as primary, clamscan as backup scanner, comment the rest out to be sure
also make sure that clamd socket points to the correct filename

 ['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
   qr/\bOK$/m, qr/\bFOUND$/m,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

edit /etc/amavis/conf.d/50-user, add a valid hostname:

$myhostname = "example.com";

edit /etc/postfix/master.cf add:

smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

also add the following two lines immediately below the "pickup" transport service (lines need to start with a whitespace/tab!)

        -o content_filter=
        -o receive_override_options=no_header_body_checks

edit /etc/postfix/main.cf add the following line to the end:

content_filter = smtp-amavis:[127.0.0.1]:10024

add clamav user to the amavis group:

# sudo usermod -a -G amavis clamav

verify that /etc/clamav/clamd.conf has:

AllowSupplementaryGroups true

(re)start everything that's changed:

# sudo /etc/init.d/postfix restart 
# sudo /etc/init.d/clamav-daemon restart
# sudo /etc/init.d/amavis start

send a message through with a virus attachment, check /var/log/mail.log for something similar to:

Sep 30 22:53:57 utest-lls32 amavis[7207]: (07207-01) Blocked INFECTED (Eicar-Test-
Signature(44d88612fea8a8f36de82e1278abb02f:68)), LOCAL [172.16.21.1] [172.16.21.1] <gimre@example.com> ->
<gimre@example.com>, quarantine: 1/virus-1-BWG7Fdyonr, Message-ID: <20100930195357.45CD419F8B9@voy>,
mail_id: 1-BWG7Fdyonr, Hits: -, size: 1409, 181 ms

stop clamav-daemon to test backup scanner (which should be clamscan), send an email and check the logs:

Sep 30 22:57:11 utest-lls32 amavis[7206]: (07206-01) (!)ClamAV-clamd: Can't connect to UNIX socket 
/var/run/clamav/clamd.ctl: 2, retrying (2)
Sep 30 22:57:17 utest-lls32 amavis[7206]: (07206-01) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many 
retries to talk to /var/run/clamav/clamd.ctl (Can't connect to UNIX socket /var/run/clamav/clamd.ctl: No such 
file or directory) at (eval 115) line 373.\n
Sep 30 22:57:17 utest-lls32 amavis[7206]: (07206-01) (!!)WARN: all primary virus scanners failed, considering 
backups
Sep 30 22:57:22 utest-lls32 amavis[7206]: (07206-01) Blocked INFECTED (Eicar-Test-Signature), LOCAL 
[172.16.21.1] [172.16.21.1] <gimre@example.com> -> <gimre@example.com>, quarantine: 2/virus-2PXuTWKdFjk6,
Message-ID: <20100930195710.0498619F8B9@voy>, mail_id: 2PXuTWKdFjk6, Hits: -, size: 1409, 11889 ms

avscan

sudo apt-get install avscan
/usr/bin/avscan
Scan a file.

clamassassin

install clamassassin and procmail (also postfix and clamav-daemon)

# sudo apt-get install postfix procmail clamassassin clamav-daemon

configure postfix as Internet site
in /etc/postfix/main.cf change the MDA (mail delivery agent) to procmail (just append the following line then restart postfix)

mailbox_command = /usr/bin/procmail

create a test user and put a .procmailrc file in his home:

# useradd -m testuser
# touch /home/testuser/.procmailrc
# chown testuser:testuser /home/testuser/.procmailrc

copy-paste the following code in .procmailrc to enable clamassassin:

##########
MAILDIR=$HOME/Maildir

:0fw
| /usr/bin/clamassassin

:0:
* ^X-Virus-Status: Yes
.virus/
##########

create the user's Maildir:

# cd /home/testuser
# mkdir -p Maildir/new Maildir/cur Maildir/tmp
# mkdir -p Maildir/.virus/new Maildir/.virus/cur Maildir/.virus/tmp
# chown -R testuser:testuser Maildir/

make sure clamd is running and the virus databases are up-to-date (in /var/lib/clamav)
get the test virus file from http://eicar.org/85-0-Download.html, and send a mail to testuser
the mail should be delivered in the .virus/new subfolder in /home/testuser/Maildir
open the mail and look for similar lines in the header:

X-Virus-Report: Eicar-Test-Signature FOUND 
X-Virus-Checker-Version: clamassassin 1.2.4 with clamscan / ClamAV 0.97.2/13453/Thu Aug 18 07:34:24 2011

Clamassassin can be configured to use clamdscan/clamav-daemon for scanning email which is preferred over clamscan as it is much faster.

edit /etc/default/clamassassin and change the scanner

CLAMSCAN=clamdscan

make sure clamd is running and using a local (Unix) socket and not TCP socket (in /etc/clamav/clamd.conf)
after sending the email with the virus, look at the header, now it should say 'clamdscan':

X-Virus-Report: Eicar-Test-Signature FOUND 
X-Virus-Checker-Version: clamassassin 1.2.4 with clamdscan / ClamAV 0.97.2/13453/Thu Aug 18 07:34:24 2011

clamcour

sudo apt-get install courier-mta
sudo apt-get install clamcour
Edit /etc/courier/smtpaccess/default change:

192.168.0     allow,RELAYCLIENT

Configure a valid DNS domain.
Configure a Postfix' on another host to send the messsages. Using Mutt won't work.
Edit /etc/courier/locals' add the domain.
Edit /etc/courier/defaultdomain set it to host.domain.org
sudo makesmtpaccess
sudo makehosteddomains
sudo /etc/init.d/courier-mta restart
- Should now maybe be able to send a message through courier
sudo filterctl start clamcour
Send a virus through the system and it should be logged to /var/log/mail.log.

clamfs

install clamfs

# sudo apt-get install clamfs

create a temporary folder to be the mountpoint for /tmp (default is /clamfs/tmp)

# mkdir -p /clamfs/tmp

get eicar.com file from http://eicar.org/85-0-Download.html, copy it to /tmp
run clamfs with the example conf from the package (make sure clamav-daemon is running)
- this will mount /tmp to /clamfs/tmp (check with mount)

# cp /usr/share/doc/clamfs/clamfs-sample.xml.gz /root
# gunzip /root/clamfs-sample.xml.gz
# clamfs /root/clamfs-sample.xml
22:28:59 (clamfs.cxx:963) ClamFS v1.0.1
22:28:59 (clamfs.cxx:964) Copyright (c) 2007,2008 Krzysztof Burghardt <krzysztof@burghardt.pl>
22:28:59 (clamfs.cxx:965) http://clamfs.sourceforge.net/
22:28:59 (clamfs.cxx:1050) chdir to our 'root' (/tmp)
22:28:59 (clamfs.cxx:1091) ScanCache initialized, 16384 entries will be kept for 10800000 ms max.
22:28:59 (clamfs.cxx:1102) Statistics module initialized
22:28:59 (rlog.cxx:84) logs goes to syslog
# mount | grep clamfs
clamfs on /clamfs/tmp type fuse.clamfs (rw,nosuid,nodev,allow_other,default_permissions)

try to read /clamfs/tmp/eicar.com, should get 'operation not permitted' message
check syslog for clamfs message:

Aug 18 22:31:13 utest-nns32 clamfs: (root:16714) (root:0) /eicar.com: forced anti-virus scan because extension
blacklisted 
Aug 18 22:31:13 utest-nns32 clamfs: (cat:16714) (root:0) /tmp/eicar.com: Eicar-Test-Signature FOUND

clamsmtp

install clamsmtp and postfix

# sudo apt-get install clamsmtp postfix

configure Postfix to use clamsmtp as a content scanner (taken from http://thewalter.net/stef/software/clamsmtp/postfix.html)
add the following lines to the end of /etc/postfix/master.cf:

scan      unix  -       -       n       -       16      smtp
        -o smtp_send_xforward_command=yes
        -o smtp_enforce_tls=no

127.0.0.1:10025 inet  n -       n       -       16      smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks_style=host
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8

NOTE: stock clamsmtpd in Ubuntu listens on 10026 and forwards scanned mail to 10025, this is where postfix should listen (check /etc/clamsmtpd.conf), above guide does it the other way around

edit /etc/postfix/main.cf, append the following line to it

content_filter = scan:[127.0.0.1]:10026

sudo /etc/init.d/postfix restart
sudo /etc/init.d/clamsmtp restart
send a mail through the system with a virus attachment
should see the message being rejected and the virus name in /var/log/mail.log

Aug 18 22:44:10 utest-nns32 postfix/smtp[18073]: 51301149F4: to=<gimre@utest-nns32.narancs.net>,
relay=127.0.0.1[127.0.0.1]:10026, delay=0.12, delays=0.07/0/0.04/0, dsn=2.0.0, status=sent
(250 Virus Detected; Discarded Email)
Aug 18 22:44:10 utest-nns32 postfix/qmgr[18065]: 51301149F4: removed
Aug 18 22:44:10 utest-nns32 clamsmtpd: 100000: from=gimre@utest-nns32.narancs.net,
to=gimre@utest-nns32.narancs.net, status=VIRUS:Eicar-Test-Signature

clamtk

install clamtk

# sudo apt-get install clamtk

start clamtk and scan a file (downloaded from http://eicar.org/85-0-Download.html)

dansguardian

install dansguardian and squid proxy:

# sudo apt-get install dansguardian squid

to enable dansguardian, edit /etc/dansguardian/dansguardian.conf, comment out "UNCONFIGURED" at the beginning of the file
set up squid to listen on 127.0.0.1:3128, for this edit /etc/squid/squid.conf, search for http_port and change it to:

http_port 127.0.0.1:3128

Depending on which part of clamav you are testing, you need to enable a content scanner in /etc/dansguardian/dansguardian.conf

for testing libclamav, uncomment the following:

#contentscanner = '/etc/dansguardian/contentscanners/clamav.conf'

for testing clamdscan/clamav-daemon, uncomment:

#contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'

NOTE: there are some extra steps to be taken when using clamdscan:

clamav-daemon needs to be installed and running (obviously)
the clamav user needs to be in dansguardian group for clamd to be able to scan dansguardian's temporary files, this can be achieved with the following commands:

# usermod -a -G dansguardian clamav
# /etc/init.d/clamav-daemon restart

restart squid and (re)start dansguardian:

# sudo /etc/init.d/squid restart
# sudo /etc/init.d/dansguardian start

set your browser to use dansguardian as a proxy server (on port 8080), then try to download a test virus file, like one of these: http://eicar.org/85-0-Download.html
it should get blocked with a warning and there should be an entry in /var/log/dansguardian/access.log similar to this:

2011.8.17 21:43:34 - 172.16.21.1 http://eicar.org/download/eicar.com.txt *INFECTED* *DENIED* Virus or bad
content detected. Eicar-Test-Signature GET 68 0 Content scanning 1 403 application/octet-stream   -

dspam

sudo apt-get install dspam
Download dspamit shell script from dspamit_wrapper
Save it in /usr/local/bin/dspamit
sudo chmod 755 /usr/local/bin/dspamit
Edit /etc/dspam/dspam.conf uncomment and change:

TrustedDeliveryAgent "/usr/sbin/sendmail"


ClamAVPort      3310
ClamAVHost      127.0.0.1
ClamAVResponse accept

Opt out

Edit /etc/clamav/clamd.conf add:

TCPSocket 3310
TCPAddr 127.0.0.1

sudo /etc/init.d/clamav-daemon restart
Edit /etc/postfix/master.cf add:

smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=dspam:
dspam     unix  -       n       n       -       10      pipe
  flags=Rhqu user=dspam argv=/usr/local/bin/dspamit ${sender} ${recipient}

Edit /etc/postfix/main.cf add:

dspam_destination_recipient_limit = 1

Edit /etc/default/dspam change no to yes:

START=yes

sudo /etc/init.d/postfix restart
Send a virus through shouldn't come through, and should be logged to /var/log/clamav/clamav.log

exim4

install and configure exim4 (select 'Split configuration')

# sudo apt-get install exim4-daemon-heavy
# sudo dpkg-reconfigure exim4-config

should be able to send mail at this point
edit /etc/exim4/conf.d/main/02_exim4-config_options, enable:

av_scanner = clamd:/var/run/clamav/clamd.ctl

create new file /etc/exim4/conf.d/main/00_localmacros, add:

CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/local_acl

create new file /etc/exim4/local_acl and add the following:

# Reject messages that have serious MIME errors.
# This calls the demime condition again, but it
# will return cached results.
deny message = Serious MIME defect detected ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
#
# Reject file extensions used by worms.
#
deny message = This domain has a policy of not accepting certain types \
               of attachments in mail as they may contain a virus.  \
               \
               This mail has a file with a .$found_extension attachment and \
               is not accepted. \
               \
               If you have a legitimate need to send this attachment, send it \
               in a compressed archive, and it will then be forwarded to the \
               recipient.
demime = vbs:bat:pif:scr
.ifdef TEERGRUBE
   delay = TEERGRUBE
.endif
# Reject messages containing malware.
deny message = This message contains a virus ($malware_name) and has been rejected
malware = *

restart exim

# sudo update-exim4.conf
# sudo /etc/init.d/exim4 restart

you may need to add clamav user to debian-exim group (on Natty at least)

# usermod -a -G Debian-exim clamav
# sudo /etc/init.d/clamav-daemon restart

send a virus through the system and you should see a rejection message from ClamAV in /var/log/exim4/mainlog

2011-08-19 00:14:08 1Qu9ui-0005bU-4s H=voy (voy.localdomain) [172.16.21.1] F=<gimre@localhost> rejected after
DATA: This message contains a virus (Eicar-Test-Signature) and has been rejected

gurlchecker

sudo apt-get install gurlchecker
Execute /usr/bin/gurlchecker
Enable Virii scanning in Security section.
Check a site with a virus.
Should see virus name on console.

havp

install havp

# sudo apt-get install havp

havp listens only on localhost by default, you may need to change that in /etc/havp/havp.config
- comment out the line:

BIND_ADDRESS 127.0.0.1

don't forget to restart havp
change browser connection settings to use proxy on port 8080 (havp default) and clear browser cache
browse to a page with a virus (ie: http://eicar.org/85-0-Download.html), and try downloading a file
page should be blocked by havp and the virus should be logged to /var/log/havp/access.log:

17/08/2011 21:58:25 172.16.21.1 GET 200 http://eicar.org/download/eicar.com.txt 314+68 VIRUS
ClamAV: Eicar-Test-Signature

NOTE: havp uses libclamav by default but it can be configured to use clamd for scanning, you might want to test that

change /etc/havp/havp.config to use clamd and not libclamav:

ENABLECLAMLIB false
ENABLECLAMD true
CLAMDSOCKET /var/run/clamav/clamd.ctl

clamav-daemon needs to be installed and running (obviously)
the clamav user needs to be in havp group for clamd to be able to scan havp's temporary files, this can be achieved with the following commands:

# usermod -a -G havp clamav
# /etc/init.d/clamav-daemon restart

logfile should reflect that scanning was performed using clamd:

17/08/2011 22:09:13 172.16.21.1 GET 200 http://eicar.org/download/eicar.com.txt 314+68 VIRUS
Clamd: Eicar-Test-Signature

klamav

install klamav (you will need a running graphical environment for this)

# sudo apt-get install klamav

start it and scan a file (downloaded from http://eicar.org/85-0-Download.html)

NOTE: by default, /var/lib/clamav is used as the database folder which cannot be updated by a normal user. To test with latest signatures you can change the database directory to /home/<user>/.klamav/database in the 'Update' tab.

kmail

install postfix + dovecot (for POP3), clamav-daemon and kmail

# sudo apt-get install postfix dovecot-pop3d clamav-daemon kmail

start kmail, configure a local POP3 email account, make sure it works
in the menu go to Tools / Anti-Virus Wizard...
clamd should appear in the list, select it, click Next
select the first two options (Check messages using the anti-virus tool and Move to selected folder)
select Local Folders/trash and click Finish
go to Settings / Configure Filters... and check that the antivirus filters got added (there should be two, one for scanning and marking the email in the header, the other one to move the email if virus found)
send a test email with virus attached to the account, then Check Mail and see the message moved automatically to the trash folder

libclamav-client-perl

# sudo apt-get install libclamav-client-perl

create a new file (say /tmp/test.pl), copy-paste the following perl code:

###################################
#
# libclamav-client-perl test script
#
###################################
#!/usr/bin/perl

use ClamAV::Client;

# connect to clamd through UNIX socket
# Ubuntu default socket patch
$scanner = ClamAV::Client->new(
    socket_name     => '/var/run/clamav/clamd.ctl'
);

# check if clamd is running
die("ClamAV daemon not alive")
    if not defined($scanner) or not $scanner->ping();

# print clamav version information
my $version = $scanner->version;
print "$version\n";

# scan a file, return virus name if found
my ($path, $result) = $scanner->scan_path('/tmp/eicar.com');
if (defined($result)) {
    print "Virus found in $path: $result\n";
}
else {
    print "No virus found.\n";
}
###################################
#
# test script end
#
###################################

running the script should result the following output:

root@utest-nns32:/tmp# perl /tmp/test.pl 
ClamAV 0.97.2/13454/Thu Aug 18 18:32:54 2011
Virus found in /tmp/eicar.com: Eicar-Test-Signature

mailscanner

sudo apt-get install mailscanner
Edit /etc/postfix/main.cf add:

header_checks = regexp:/etc/postfix/header_checks

Create /etc/postfix/header_checks add:

/^Received:/ HOLD

Edit /etc/MailScanner/MailScanner.conf change:

Run As User = postfix
Run As Group = postfix
 
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix

Virus Scanners = clamav

Change permissions on MailScanner directories:

sudo chown -R postfix.postfix /var/spool/MailScanner/
sudo chown -R postfix.postfix /var/lib/MailScanner/
sudo chown -R postfix.postfix /var/run/MailScanner/
sudo chown -R postfix.postfix /var/lock/subsys/MailScanner/

Edit /etc/default/mailscanner uncomment:

run_mailscanner=1

sudo /etc/init.d/mailscanner restart
sudo /etc/init.d/postfix restart
Send a message through with a virus attached should see it logged to /var/log/mail.log.

mediawiki

sudo apt-get install apache2 libapache2-mod-php5 mysql-server
sudo apt-get install mediawiki clamav
configure MySQL to listen on IP Address:
edit /etc/mysql/my.cnf:

bind-address     = 192.168.0.10

create a database for the wiki and give access rights to wikiuser
- mysql -u root

create database wikidb
grant all on wikidb.* to wikiuser@'192.168.0.10' identified by 'password';

configure Apache:
- sudo cp /etc/mediawiki/apache.conf /etc/apache2/sites-available/mediawiki.conf
- sudo a2ensite mediawiki.conf
- sudo /etc/init.d/apache2/reload
setup the wiki using a browser pointed to http://server/mediawiki to make sure it works
edit /etc/mediawiki/LocalSettings.php and enable file uploads, by searching for and uncommenting the following line:

#$wgEnableUploads       = true;

edit /etc/mediawiki/LocalSettings.php and add the following to the end, enabling scanning uploaded zip files with clamav:

$wgAntivirus = 'clamav';
$wgFileExtensions[] = 'zip';

get the test virus file from http://www.eicar.org/anti_virus_test_file.htm (eicar_com.zip further down the page)
try to upload the file to mediawiki, you should see the following error message:

Upload warning
The file contains a virus! Details: Eicar-Test-Signature FOUND

mimedefang

install mimedefang and sendmail

# sudo apt-get install mimedefang sendmail

edit /etc/mail/sendmail.mc, change:

DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp, Addr=172.18.100.50')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission, Addr=172.18.100.50')dnl
INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:5m;R:5m')dnl

add clamav to groups

# sudo sendmailconfig
# usermod -a -G defang,smmsp clamav
# usermod -a -G clamav defang

edit /etc/mail/mimedefang-filter add the following to the top:

# For clamav.
$Features{'Virus:CLAMD'} = 1;
$ClamdSock  = "/var/run/clamav/clamd.ctl";

restart everything:

# mimedefang.pl -test
# sudo /etc/init.d/clamav-daemon restart
# sudo /etc/init.d/mimedefang restart

send virus through the system and it should be logged to /var/log/mail.log

Aug 19 02:04:31 utest-nns32 mimedefang.pl[4544]: MDLOG,p7IN4UXO005515,virus,Eicar-Test-Signature,172.16.21.1,
<gergelyimre@gmail.com>,<gimre@utest-nns32.narancs.net>,[TESTMAIL] eicar test mail
Aug 19 02:04:31 utest-nns32 mimedefang.pl[4544]: Discarding because of virus Eicar-Test-Signature
Aug 19 02:04:31 utest-nns32 mimedefang.pl[4544]: filter: p7IN4UXO005515:  discard=1
Aug 19 02:04:31 utest-nns32 mimedefang[4543]: p7IN4UXO005515: Discarding because filter instructed us to
Aug 19 02:04:31 utest-nns32 sm-mta[5515]: p7IN4UXO005515: Milter: data, discard
Aug 19 02:04:31 utest-nns32 sm-mta[5515]: p7IN4UXO005515: discarded

nautilus-clamscan

Nautilus-clamscan is a Nautilus extension for scanning files for viruses easily by right-clicking on them. See https://launchpad.net/nautilus-clamscan for more information.

# sudo apt-get install nautilus-clamscan

logout/login for the extension to get loaded
download a testfile from http://eicar.org/85-0-Download.html to the Desktop
right-click on the file and select Scan for viruses...
a File manager popup should appear with scanning progress bar, saying that it found 1 infected file

p3scan

install dovecot, clamav-daemon and p3scan

# sudo apt-get install dovecot-pop3d clamav-daemon p3scan

enable plain POP3 protocol in dovecot (/etc/dovecot/dovecot.conf):

protocols = pop3 imap imaps

add the clamav user to p3scan group:

# usermod -a -G p3scan clamav
# id clamav
uid=110(clamav) gid=110(clamav) groups=110(clamav),114(p3scan)

configure clamav-daemon to listen on TCP port 3310 (/etc/clamav/clamd.conf)

TCPSocket 3310
TCPAddr 127.0.0.1

NOTE: p3scan uses clamav-daemon either by calling clamdscan or communicating with clamd directly through TCP socket

edit /etc/p3scan/p3scan.conf and set the following options:

(for scanning with clamdscan)

scanner = /usr/bin/clamdscan --no-summary
virusregexp = .*: (.*) FOUND

(for scanning directly with clamd through TCP socket)

scannertype = clamd
scanner = 127.0.0.1:3310
virusregexp = .*: (.*) FOUND

IMPORTANT! restart everything that changed

# sudo /etc/init.d/clamav-daemon restart
# sudo /etc/init.d/dovecot restart
# sudo /etc/init.d/p3scan restart

redirect the POP3 port 110 to 8110 (p3scan default) using iptables:

# sudo iptables -t nat -A PREROUTING -p tcp --dport pop3 -j REDIRECT --to 8110

send an email with virus attachment through the system then try opening the mail using POP3

# telnet utest-nns32 110
Trying 172.16.21.183...
Connected to utest-nns32.narancs.net.
Escape character is '^]'.
+OK Dovecot ready.
user gimre
+OK
pass *****
+OK Logged in.
retr 1
+OK P3Scan'ing...

should get an email body stating something like:

This message body was generated automatically from P3Scan, which runs on
utest-nns32.(none) for scanning all incoming email.

It replaces the body of a message sent to you that contained a VIRUS!
[...]

p3scan should then quarantine the message in /var/spool/p3scan
if the above step is not working and p3scan crashes, make sure that clamav-daemon is running and it's in the p3scan group

php5-clamav

Install php5-clamav package (only available since Lucid, replaces php{4,5}-clamavlib)

sudo apt-get install php5-clamav
sudo /etc/init.d/apache2 restart

Create a test script:

vi /var/www/vir.php

<?php

print cl_info()."<br/>";
$virname = '';
$file = '/tmp/eicar_com.zip';

$ret = cl_scanfile($file,$virname); 
print "<br/>"; 
if ($ret) {
  print "Virus found in $file: $virname .<br/>";
}
else {
  print "No virus found in $file.<br/>";
}
?>

Browse to the script, should see virus details if a virus is found.

For more details see /usr/share/doc/php5-clamav/README.Debian included with the package.

php5-clamavlib

sudo apt-get install php5-clamavlib
sudo /etc/init.d/apache2 restart

Create a test script:

<?php 

print cl_info()."<br/>"; 
$ret = cl_scanfile('/path/to/virus_file'); 
print "<br/>"; 

print $ret; 
print "<br/>"; 
print "<br/>"; 

echo cl_info() . "<br>"; 

$file = "/path/to/virus_file"; 
cl_scanfile_ex($file, CL_SCAN_STDOPT, $virus, $retcode);
if ($retcode == CL_VIRUS) 
    echo $file . " returns: " . cl_pretcode($retcode) . " virus name: " . $virus . "<br>"; 
else 
    echo $file . " returns: " . cl_pretcode($retcode) . "<br>"; 

?>

Place the script under the web root.
Browse to the script, should see virus details if a virus is scanned.
If php5-clamavlib is broken it usually causes an Apache error and it won't start with PHP enabled.

php4-clamavlib

sudo apt-get install php4-clamlib
Edit /etc/php4/apache2/php.ini remove -e from the extension statement:

extension=clamav.so

sudo /etc/init.d/apache2 restart
Create a test script:

<?php 

print cl_info()."<br/>"; 
$ret = cl_scanfile('/path/to/virus_file'); 
print "<br/>"; 

print $ret; 
print "<br/>"; 
print "<br/>"; 

echo cl_info() . "<br>"; 

$file = "/path/to/virus_file"; 
cl_scanfile_ex($file, CL_SCAN_STDOPT, $virus, $retcode);
if ($retcode == CL_VIRUS) 
    echo $file . " returns: " . cl_pretcode($retcode) . " virus name: " . $virus . "<br>"; 
else 
    echo $file . " returns: " . cl_pretcode($retcode) . "<br>"; 

?>

Place the script under the web root.
Browse to the script, should see virus details if a virus is scanned.
If php4-clamavlib is broken it usually causes an Apache error and it won't start with PHP enabled.

Note: php4-clamavlib is not available on new Ubuntu releases. See php5-clamavlib above or php-clamav (it support Clamav 0.95.x).

pyclamd

apt-get install python-pyclamd
get a test virus file from http://eicar.org/85-0-Download.html
make sure the file is readable by clamav-daemon

# chmod 0666 /tmp/eicar.com

fire up python and copy-paste the commands below (the lines starting with >>>)

# python
Python 2.7.1+ (r271:86832, Apr 11 2011, 18:05:24) 
[GCC 4.5.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pyclamd
>>> pyclamd.init_unix_socket(filename='/var/run/clamav/clamd.ctl')
>>> print pyclamd.version()
ClamAV 0.97.2/13455/Thu Aug 18 23:04:32 2011
>>> ret = pyclamd.scan_file('/tmp/eicar.com')
>>> print ret
{'/tmp/eicar.com': 'Eicar-Test-Signature'}
>>> ret = pyclamd.scan_stream(open('/tmp/eicar.com').read())
>>> print ret
{'stream': 'Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68)'}

python-clamav

install python-clamav package:

# sudo apt-get install python-clamav

create a python test script, say in /tmp/test.py with the following content:

###################################
#
# pyClamav test script
#
###################################
import pyclamav

# Print the number of signatures.
print pyclamav.get_numsig()

# Print pyClamav verstion and Clamav version.
print pyclamav.get_version()
print pyclamav.version()

# Setup the file to scan.
scan_file = pyclamav.scanfile('/tmp/eicar.com.txt')
print scan_file
###################################
#
# end of test script
#
###################################

NOTE: download a test file from http://eicar.org/85-0-Download.html and change path to the file (ie: /tmp/eicar.com.txt)

execute the script, you should see version and virus information printed to console

# cd /tmp
# python ./test.py
1021013
('0.97.2', 13450, 1313597786)
0.4.1
(1, 'Eicar-Test-Signature')

qpsmtpd

install qpsmtpd and postfix

# sudo apt-get install qpsmtpd postfix

reconfigure qpsmtpd

# sudo dpkg-reconfigure qpsmtpd

answer the following:
- Enable qpsmtpd startup at boot time: Yes
- Addresses on which to listen for incoming SMTP connections: 172.18.100.50 (remove 127.0.0.1!)
- Queueing method for accepted mail: Postfix
- Destination domain(s) to accept mail for (blank for none): some_test_domain localhost.localdomain localhost
configure postfix to listen on localhost only (/etc/postfix/main.cf), then restart postfix:

inet_interfaces = 127.0.0.1

NOTE: qpsmtpd can use either clamscan or clamdscan for scanning incoming emails, configure /etc/qpsmtpd/plugins accordingly

(for testing with clamscan)

virus/clamav clamscan_path=/usr/bin/clamscan action=reject max_size=209715 tmp_dir=/tmp/qpsmtpd.clam

(for testing with clamdscan)

virus/clamdscan clamd_socket /var/run/clamav/clamd.ctl deny_viruses yes

add clamav to qpsmtpd group and fix permissions on qpsmtpd spool (only needed for testing with clamdscan):

# usermod -a -G qpsmtpd clamav
# chmod g+u /var/spool/qpsmtpd

restart qpsmtpd
send an email with virus attachment through and it should be logged in /var/log/qpsmtpd/qpsmtpd.log

Thu Aug 18 12:12:32 2011 utest-nns32[16174]: Virus found: Eicar-Test-Signature
Thu Aug 18 12:12:32 2011 utest-nns32[16174]: 552 Virus found: Eicar-Test-Signature