TestingProcedures
Introduction
This page lists some procedures for testing the various applications that use and depend on the ClamAV anti-virus software. These procedures are in somewhat rough shape, intended to minimally configure each package so it can be tested, and shouldn't be used as a production guide.
This page is part of the MOTU/Clamav update/backport effort.
Amavisd-new
- sudo apt-get install amavisd-new spamassassin
- Edit /etc/amavis/conf.d/15-content_filter_mode uncomment:
@bypass_virus_checks_maps = ( \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
@bypass_spam_checks_maps = ( \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
- Edit /etc/amavis/conf.d/50-user add:
$myhostname = "example.com";
- Edit /etc/mailname add:
false
- Edit /etc/hosts add:
127.0.0.1 example localhost localhost.localdomain
- Edit /etc/postfix/master.cf add:
smtp-amavis unix - - - - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
127.0.0.1:10025 inet n - - - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
- Also add the following two lines immediately below the "pickup" transport service:
-o content_filter=
-o receive_override_options=no_header_body_checks
- Edit /etc/postfix/main.cf add:
content_filter = smtp-amavis:[127.0.0.1]:10024
- add clamav to the amavis group with:
sudo adduser clamav amavis
- verify that /etc/clamav/clamd.conf has:
AllowSupplementaryGroups true
- sudo /etc/init.d/postfix restart
- sudo /etc/init.d/clamav-daemon restart
- sudo /etc/init.d/amavis start
- Send a message through with a virus attachment
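The last step above, and the matching "send a virus through" steps in the clamassassin, clamsmtpd, MailScanner, MIMEDefang and qpsmtpd sections below, all need a test message and a way to confirm the detection in the mail log. The following shell script is an added example, not part of the wiki page or of amavisd-new/ClamAV: it builds a message with the EICAR test file attached (the same harmless test pattern the page links to at eicar.org) and extracts detections from a mail log. The addresses, the hostname utest, the MIME boundary and the sample log excerpt are constructed; the sendmail path /usr/sbin/sendmail is assumed.

```shell
#!/bin/sh
# Added example, not from the wiki page: generate the test message that the
# "send a virus through" steps need and check the mail log for the detection.
# Addresses, hostnames and the sample log lines below are constructed.

# The EICAR string is the harmless industry-standard anti-virus test pattern
# (the file the page links to at eicar.org contains exactly this text).
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# build_eicar_message FROM TO: write a multipart message with the test file
# attached to stdout, ready for sendmail(8) or any of the MTAs on this page.
build_eicar_message() {
    boundary="eicar-test-boundary"   # constructed; any string absent from the body works
    printf 'From: %s\nTo: %s\n' "$1" "$2"
    printf 'Subject: ClamAV integration test\nMIME-Version: 1.0\n'
    printf 'Content-Type: multipart/mixed; boundary="%s"\n\n' "$boundary"
    printf -- '--%s\nContent-Type: text/plain\n\n' "$boundary"
    printf 'The attachment is the EICAR test file, not real malware.\n\n'
    printf -- '--%s\n' "$boundary"
    printf 'Content-Type: application/octet-stream; name="eicar.com"\n'
    printf 'Content-Disposition: attachment; filename="eicar.com"\n\n'
    printf '%s\n\n' "$EICAR"
    printf -- '--%s--\n' "$boundary"
}

# submit_test_message FROM TO: hand the message to the local MTA (needs sendmail(8);
# the /usr/sbin/sendmail path is an assumption).
submit_test_message() {
    build_eicar_message "$1" "$2" | /usr/sbin/sendmail -f "$1" "$2"
}

# detections_in_log LOGFILE: print "scanner virusname" for every detection line.
# Patterns: amavisd-new "Blocked INFECTED (name)", clamsmtpd "status=VIRUS:name",
# and clamd/clamdscan "path: name FOUND" (the form p3scan's virusregexp matches).
detections_in_log() {
    sed -n \
        -e 's/.*amavis.*Blocked INFECTED (\([^)]*\)).*/amavis \1/p' \
        -e 's/.*clamsmtpd.*status=VIRUS:\([^ ,]*\).*/clamsmtpd \1/p' \
        -e 's/.*: \(.*\) FOUND$/clamd \1/p' \
        "$1"
}

# write_sample_log FILE: constructed /var/log/mail.log excerpt for an offline run.
write_sample_log() {
    cat > "$1" <<'EOF'
Feb  6 15:29:06 utest amavis[2345]: (02345-01) Blocked INFECTED (Eicar-Test-Signature), [127.0.0.1] <sender@example.com> -> <testuser@example.com>
Feb  6 15:30:00 utest postfix/smtpd[2400]: connect from localhost[127.0.0.1]
Feb  6 15:31:00 utest clamsmtpd: 100001: from=sender@example.com, to=testuser@example.com, status=VIRUS:Eicar-Test-Signature
Feb  6 15:32:00 utest clamd[1234]: /var/spool/eicar.com: Eicar-Test-Signature FOUND
EOF
}

# Offline demonstration: build the message into a file and scan the sample log.
demo() {
    log=$(mktemp)
    write_sample_log "$log"
    build_eicar_message sender@example.com testuser@example.com > "$log.eml"
    echo "test message written to $log.eml"
    detections_in_log "$log"
    rm -f "$log" "$log.eml"
}
demo
```

On a real system, call submit_test_message with a local sender and recipient and then run detections_in_log /var/log/mail.log; exim4 writes to /var/log/exim4/mainlog with its own wording (see that section), so add a pattern for whatever your ACL's deny message says before relying on the script there.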
AVScan
- sudo apt-get install avscan
- /usr/bin/avscan
- Scan a file.
clamassassin
(It's always a good idea to purge the packages and start from scratch when testing, if it's a test system, obviously.)
- sudo apt-get install postfix procmail clamassassin clamav-daemon
- postfix configuration: Internet site
- in /etc/postfix/main.cf change the MDA (mail delivery agent) to procmail (just append the line at the end):
mailbox_command = /usr/bin/procmail
- restart postfix
- in /etc/default/clamassassin change the scanner to clamdscan (to use clamd, which speeds up scanning considerably):
CLAMSCAN=clamdscan
- create a testuser and put a .procmailrc file in that user's home:
useradd testuser
touch /home/testuser/.procmailrc
chown testuser:testuser /home/testuser/.procmailrc
- put the following code in .procmailrc to enable clamassassin:
MAILDIR=$HOME/Maildir
:0fw
| /usr/bin/clamassassin
:0:
* ^X-Virus-Status: Yes
.virus/
- create the user's Maildir:
cd /home/testuser
mkdir -p Maildir/new Maildir/cur Maildir/tmp
mkdir -p Maildir/.virus/new Maildir/.virus/cur Maildir/.virus/tmp
chown -R testuser:testuser Maildir/
- make sure clamd is running and the virus databases are up-to-date (in /var/lib/clamav)
- get the test virus file from http://www.eicar.org/anti_virus_test_file.htm, and send a mail to testuser
- the mail should be delivered in the .virus/new subfolder in /home/testuser/Maildir (check with mutt -f /home/testuser/Maildir/.virus/)
- open the mail, and check the header for the following signature:
X-Virus-Checker-Version: clamassassin 1.2.4 with clamdscan / ClamAV 0.94.2/8961/Fri Feb 6 15:29:06 2009
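To check the result of the procmail recipe above without opening each message in mutt, the following shell script is an added example (not from the wiki page or from clamassassin): it creates the Maildir layout the recipe delivers into and counts the messages in .virus/new whose header block carries X-Virus-Status: Yes. The sample message, its filename and the addresses are constructed to look like what clamassassin and procmail leave behind; run it as the mailbox owner or chown -R afterwards, as the page does.

```shell
#!/bin/sh
# Added example, not from the wiki page or from clamassassin: set up the Maildir the
# procmail recipe delivers into and count the messages clamassassin flagged.
# The sample message below is constructed to look like clamassassin's output.

# make_maildir BASE: new/cur/tmp plus the .virus/ folder the recipe delivers to.
make_maildir() {
    for sub in new cur tmp .virus/new .virus/cur .virus/tmp; do
        mkdir -p "$1/$sub"
    done
}

# header_value FILE NAME: value of the first header NAME in FILE. Reading stops
# at the blank line that ends the header block, so body text cannot spoof a header.
header_value() {
    sed -n "/^\$/q; s/^$2: *//p" "$1" | head -n 1
}

# count_flagged BASE: messages in BASE/.virus/new carrying "X-Virus-Status: Yes".
count_flagged() {
    n=0
    for f in "$1"/.virus/new/*; do
        [ -f "$f" ] || continue
        if [ "$(header_value "$f" X-Virus-Status)" = "Yes" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# write_sample_message FILE: constructed message as clamassassin + procmail would leave it.
write_sample_message() {
    cat > "$1" <<'EOF'
Return-Path: <sender@example.com>
X-Virus-Checker-Version: clamassassin 1.2.4 with clamdscan / ClamAV 0.94.2/8961/Fri Feb 6 15:29:06 2009
X-Virus-Status: Yes
From: sender@example.com
To: testuser@example.com
Subject: ClamAV integration test

X-Virus-Status: Yes in the body must not count as a header.
EOF
}

# Offline demonstration in a throw-away Maildir.
demo() {
    base=$(mktemp -d)
    make_maildir "$base"
    msg="$base/.virus/new/1233929346.P1234.utest"   # constructed Maildir filename
    write_sample_message "$msg"
    echo "flagged messages in $base: $(count_flagged "$base")"
    echo "scanner: $(header_value "$msg" X-Virus-Checker-Version)"
    rm -rf "$base"
}
demo
```

For the real test, run make_maildir /home/testuser/Maildir, chown it to testuser, send the EICAR mail, and then count_flagged /home/testuser/Maildir should report 1; a result of 0 with the message sitting in Maildir/new instead means procmail ran but clamassassin did not add the header (check CLAMSCAN and that clamd is running).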
clamcour
- sudo apt-get install courier-mta
- sudo apt-get install clamcour
- Edit /etc/courier/smtpaccess/default change:
192.168.0 allow,RELAYCLIENT
- Configure a valid DNS domain.
- Configure a Postfix on another host to send the messages. Using Mutt won't work.
- Edit /etc/courier/locals add the domain.
- Edit /etc/courier/defaultdomain set it to host.domain.org
- sudo makesmtpaccess
- sudo makehosteddomains
- sudo /etc/init.d/courier-mta restart
- You should now be able to send a message through courier.
- sudo filterctl start clamcour
- Send a virus through the system and it should be logged to /var/log/mail.log.
clamsmtpd
- sudo apt-get install clamsmtpd
- Configure Postfix according to clamsmtp page
- Edit /etc/clamsmtpd comment the following line:
Listen: 127.0.0.1:10026
Change the OutAddress option to be:
OutAddress: 127.0.0.1:10026
- sudo /etc/init.d/postfix restart
- sudo /etc/init.d/clamsmtpd restart
- Send a mail through the system with a virus attachment.
- You should see the message being rejected and the virus name in /var/log/mail.log.
Clamtk
- sudo apt-get install clamtk
- /usr/bin/clamtk
- Scan a file.
Dansguardian
Great guide here
- sudo apt-get install dansguardian tinyproxy firehol
- Edit /etc/dansguardian/dansguardian.conf comment:
#UNCONFIGURED
- Edit /etc/tinyproxy/tinyproxy.conf change:
User nobody
Group nogroup
Port 3128
- Edit /etc/firehol/firehol.conf replace with:
version 5
iptables -t filter -I OUTPUT -d 127.0.0.1 -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j DROP
transparent_squid 8080 "nobody root"
# Accept all client traffic on any interface
interface any world
policy drop
protection strong
client all accept
- Edit /etc/default/firehol change from no to yes:
START_FIREHOL=YES
- sudo /etc/init.d/tinyproxy restart
- sudo /etc/init.d/dansguardian restart
- sudo /etc/init.d/firehol restart
- You should now have a working internet filter without any changes being made to the proxy settings.
- Try to download a virus over HTTP; it should get blocked.
dspam
- sudo apt-get install dspam
- Download dspamit shell script from dspamit_wrapper
- Save it in /usr/local/bin/dspamit
- sudo chmod 755 /usr/local/bin/dspamit
- Edit /etc/dspam/dspam.conf uncomment and change:
TrustedDeliveryAgent "/usr/sbin/sendmail"
ClamAVPort 3310
ClamAVHost 127.0.0.1
ClamAVResponse accept
Opt out
- Edit /etc/clamav/clamd.conf add:
TCPSocket 3310
TCPAddr 127.0.0.1
- sudo /etc/init.d/clamav-daemon restart
- Edit /etc/postfix/master.cf add:
smtp inet n - n - - smtpd
-o content_filter=dspam:
dspam unix - n n - 10 pipe
flags=Rhqu user=dspam argv=/usr/local/bin/dspamit ${sender} ${recipient}
- Edit /etc/postfix/main.cf add:
dspam_destination_recipient_limit = 1
- Edit /etc/default/dspam change no to yes:
START=yes
- sudo /etc/init.d/postfix restart
- Send a virus through; it shouldn't come through, and it should be logged to /var/log/clamav/clamav.log
dtc-postfix-courier
Exim4 with ClamAV
- sudo apt-get install exim4-daemon-heavy
- Configure for internet site during install.
- Edit /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs change:
MAIN_LOCAL_DOMAINS = frog.org
- sudo update-exim4.conf
- sudo /etc/init.d/exim4 restart
- Should be able to send mail at this point.
- You may need to set up a valid DNS domain!
- Edit /etc/exim4/conf.d/main/02_exim4-config_options change:
av_scanner = clamd:/var/run/clamav/clamd.ctl
- Edit /etc/exim4/conf.d/acl/40_exim4-config_check_data add:
# Reject messages that have serious MIME errors.
# This calls the demime condition again, but it
# will return cached results.
deny message = Serious MIME defect detected ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
#
# Reject file extensions used by worms.
#
deny message = This domain has a policy of not accepting certain types \
of attachments in mail as they may contain a virus. \
\
This mail has a file with a .$found_extension attachment and \
is not accepted. \
\
If you have a legitimate need to send this attachment, send it \
in a compressed archive, and it will then be forwarded to the \
recipient.
demime = vbs:bat:pif:scr
.ifdef TEERGRUBE
delay = TEERGRUBE
.endif
# Reject messages containing malware.
deny mess
- sudo update-exim4.conf
- sudo /etc/init.d/exim4 restart
- Send a virus through the system and you should see a rejection message from ClamAV in /var/log/exim4/mainlog.
Followed the guide here: Rejecting viral email at SMTP time with exim4
gURLChecker
- sudo apt-get install gurlchecker
- Execute /usr/bin/gurlchecker
- Enable Virii scanning in the Security section.
- Check a site with a virus.
- Should see virus name on console.
HAVP
- sudo apt-get install havp
- Change browser connection settings to use port 8080.
- May need to clear cache.
- Browse to a page with a virus (e.g. http://www.eicar.org/anti_virus_test_file.htm, scroll down and select a zip file to download).
- Page should be blocked by havp and the virus should be logged to /var/log/havp/access.log.
Klamav
- sudo apt-get install klamav
- /usr/bin/klamav
- Scan a file.
MailScanner
- sudo apt-get install mailscanner
- Edit /etc/postfix/main.cf add:
header_checks = regexp:/etc/postfix/header_checks
- Create /etc/postfix/header_checks add:
/^Received:/ HOLD
- Edit /etc/MailScanner/MailScanner.conf change:
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix
Virus Scanners = clamav
- Change permissions on MailScanner directories:
sudo chown -R postfix.postfix /var/spool/MailScanner/
sudo chown -R postfix.postfix /var/lib/MailScanner/
sudo chown -R postfix.postfix /var/run/MailScanner/
sudo chown -R postfix.postfix /var/lock/subsys/MailScanner/
- Edit /etc/default/mailscanner uncomment:
run_mailscanner=1
- sudo /etc/init.d/mailscanner restart
- sudo /etc/init.d/postfix restart
- Send a message through with a virus attached; you should see it logged to /var/log/mail.log.
Mediawiki
- sudo apt-get install apache2 libapache2-mod-php5 mysql-server
- sudo apt-get install mediawiki clamav
- configure MySQL to listen on IP Address:
- edit /etc/mysql/my.cnf:
bind-address = 192.168.0.10
- create a database for the wiki and give access rights to wikiuser
- mysql -u root
create database wikidb;
grant all on wikidb.* to wikiuser@'192.168.0.10' identified by 'password';
- configure Apache:
- sudo cp /etc/mediawiki/apache.conf /etc/apache2/sites-available/mediawiki.conf
- sudo a2ensite mediawiki.conf
- sudo /etc/init.d/apache2 reload
- set up the wiki using a browser pointed to http://server/mediawiki to make sure it works
- edit /etc/mediawiki/LocalSettings.php and enable file uploads, by searching for and uncommenting the following line:
#$wgEnableUploads = true;
- edit /etc/mediawiki/LocalSettings.php and add the following to the end, enabling scanning uploaded zip files with clamav:
$wgAntivirus = 'clamav'; $wgFileExtensions[] = 'zip';
- get the test virus file from http://www.eicar.org/anti_virus_test_file.htm (eicar_com.zip further down the page)
- try to upload the file to mediawiki; you should see the following error message:
Upload warning The file contains a virus! Details: Eicar-Test-Signature FOUND
MIMEDefang
- sudo apt-get install mimedefang
- This will install sendmail if it's not installed already.
- Edit /etc/mail/sendmail.mc change:
DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp, Addr=172.18.100.50')dnl
DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, Addr=172.18.100.50')dnl
INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:5m;R:5m')dnl
- Edit /etc/mail/access uncomment:
Connect:172.18 RELAY
- sudo sendmailconfig
- sudo adduser clamav defang
- sudo adduser defang clamav
- sudo adduser clamav smmsp
- Edit /etc/mail/mimedefang-filter add the following to the top:
# For clamav.
$Features{'Virus:CLAMD'} = 1;
$ClamdSock = "/var/run/clamav/clamd.ctl";
- sudo /etc/init.d/mimedefang restart
- sudo /etc/init.d/clamav-daemon restart
- send messages to [email protected]
- Send through a virus and it should be logged to /var/log/mail.log.
p3scan
- sudo apt-get install p3scan clamav-daemon
- enable plain POP3 protocol in dovecot (/etc/dovecot/dovecot.conf):
protocols = pop3 imap imaps
- add the clamav user to p3scan group
root@utest-dd:/var/mail# usermod -a -G p3scan clamav
root@utest-dd:/var/mail# id clamav
uid=110(clamav) gid=110(clamav) groups=110(clamav),114(p3scan)
- sudo /etc/init.d/dovecot restart
- sudo /etc/init.d/clamav-daemon start
- edit /etc/p3scan/p3scan.conf and set the following options:
scanner = /usr/bin/clamdscan --no-summary
virusregexp = .*: (.*) FOUND
- sudo /etc/init.d/p3scan restart
- Redirect the POP3 port 110 to 8110 using iptables:
sudo iptables -t nat -A PREROUTING -p tcp --dport pop3 -j REDIRECT --to 8110
- send a virus through the system, then try connecting to the account using POP3
- you should get an email stating that a virus was sent to you
- p3scan should then quarantine the message in /var/spool/p3scan.
php5-clamavlib
- sudo apt-get install php5-clamavlib
- Edit /etc/php5/apache2/php.ini remove -e from the extension statement:
extension=clamav.so
- sudo /etc/init.d/apache2 restart
- Create a test script:
<?php
// Library and signature database information.
print cl_info() . "<br/>";

// Simple scan: print whatever cl_scanfile() returns for the file.
$ret = cl_scanfile('/path/to/virus_file');
print "<br/>";
print $ret;
print "<br/>";
print "<br/>";

// Extended scan: cl_scanfile_ex() fills in the virus name and a return code,
// which cl_pretcode() turns into a readable string.
echo cl_info() . "<br>";
$file = "/path/to/virus_file";
cl_scanfile_ex($file, CL_SCAN_STDOPT, $virus, $retcode);
if ($retcode == CL_VIRUS) {
    echo $file . " returns: " . cl_pretcode($retcode) . " virus name: " . $virus . "<br>";
} else {
    echo $file . " returns: " . cl_pretcode($retcode) . "<br>";
}
?>
- Place the script under the web root.
- Browse to the script, should see virus details if a virus is scanned.
- If php5-clamavlib is broken it usually causes an Apache error and it won't start with PHP enabled.
php4-clamavlib
- sudo apt-get install php4-clamavlib
- Edit /etc/php4/apache2/php.ini remove -e from the extension statement:
extension=clamav.so
- sudo /etc/init.d/apache2 restart
- Create a test script:
<?php
// Library and signature database information.
print cl_info() . "<br/>";

// Simple scan: print whatever cl_scanfile() returns for the file.
$ret = cl_scanfile('/path/to/virus_file');
print "<br/>";
print $ret;
print "<br/>";
print "<br/>";

// Extended scan: cl_scanfile_ex() fills in the virus name and a return code,
// which cl_pretcode() turns into a readable string.
echo cl_info() . "<br>";
$file = "/path/to/virus_file";
cl_scanfile_ex($file, CL_SCAN_STDOPT, $virus, $retcode);
if ($retcode == CL_VIRUS) {
    echo $file . " returns: " . cl_pretcode($retcode) . " virus name: " . $virus . "<br>";
} else {
    echo $file . " returns: " . cl_pretcode($retcode) . "<br>";
}
?>
- Place the script under the web root.
- Browse to the script, should see virus details if a virus is scanned.
- If php4-clamavlib is broken it usually causes an Apache error and it won't start with PHP enabled.
Note: php4-clamavlib is not available on new Ubuntu releases. See php5-clamavlib above.
python-clamav
- sudo apt-get install python-clamav
- Create a python test script:
###################################
#
# pyClamav test script.
#
###################################
import pyclamav
# Print the number of signatures.
print pyclamav.get_numsig()
# Print the pyClamav version and the ClamAV version.
print pyclamav.get_version()
print pyclamav.version()
# Scan the file; scanfile() returns a (status, virus name) tuple.
scan_file = pyclamav.scanfile('/path/to/virus_file')
print scan_file
- Execute the file:
python clamav_test.py
- Should see version information and virus information printed to console.
qpsmtpd
- sudo apt-get install qpsmtpd
- sudo dpkg-reconfigure qpsmtpd
- Answer the following:
- Enable qpsmtpd startup at boot time: Yes
- Addresses on which to listen for incoming SMTP connections: 172.18.100.50
- Queueing method for accepted mail: Postfix
- Destination domain(s) to accept mail for (blank for none): Grizzlebees localhost.localdomain localhost
- Edit /etc/postfix/main.cf change:
inet_interfaces = 127.0.0.1
- sudo /etc/init.d/postfix restart
- Edit /etc/qpsmtpd/plugins add:
virus/clamav clamscan_path=/usr/bin/clamscan action=reject max_size=209715 tmp_dir=/tmp/qpsmtpd.clam
- sudo /etc/init.d/qpsmtpd restart
- Send a virus through the system and it should be logged to /var/log/qpsmtpd/qpsmtpd.log
sylpheed-claws-gtk2
sylpheed-claws-clamav