TestingProcedures

Revision 22 as of 2009-04-19 18:13:16

Introduction

This page lists some procedures for testing the various applications that use and depend on ClamAV anti-virus software. These procedures are in somewhat rough shape; they are meant to minimally configure a given package for testing and shouldn't be used as a production guide.

This page is part of the MOTU/Clamav update/backport effort.

Amavisd-new

  • sudo apt-get install amavisd-new spamassassin
  • Edit /etc/amavis/conf.d/15-content_filter_mode uncomment:

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
  • Edit /etc/amavis/conf.d/50-user add:

$myhostname = "example.com";
  • Edit /etc/mailname add:

false
  • Edit /etc/hosts add:

127.0.0.1       example localhost localhost.localdomain
  • Edit /etc/postfix/master.cf add:

smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
  • Also add the following two lines immediately below the "pickup" transport service:

        -o content_filter=
        -o receive_override_options=no_header_body_checks
  • Edit /etc/postfix/main.cf add:

content_filter = smtp-amavis:[127.0.0.1]:10024
  • add the clamav user to the amavis group with:

sudo adduser clamav amavis
  • verify that /etc/clamav/clamd.conf has:

AllowSupplementaryGroups true
  • sudo /etc/init.d/postfix restart
  • sudo /etc/init.d/clamav-daemon restart
  • sudo /etc/init.d/amavis start
  • Send a message through with a virus attachment

AVScan

  • sudo apt-get install avscan
  • /usr/bin/avscan
  • Scan a file.

clamassassin

(it's always a good idea to purge and remove the packages and start from scratch when testing, IF it's a test system obviously :) )

  • sudo apt-get install postfix procmail clamassassin clamav-daemon
  • postfix configuration: Internet site
  • in /etc/postfix/main.cf change the MDA (mail delivery agent) to procmail (just append the line at the end):

mailbox_command = /usr/bin/procmail
  • restart postfix
  • in /etc/defaults/clamassassin change the scanner to clamdscan (to use clamd, thus speeding up the scanning considerably)

CLAMSCAN=clamdscan
  • create a testuser and put a .procmailrc file in its home directory:

useradd testuser
touch /home/testuser/.procmailrc
chown testuser:testuser /home/testuser/.procmailrc
  • put the following code in .procmailrc to enable clamassassin:

MAILDIR=$HOME/Maildir

:0fw
| /usr/bin/clamassassin

:0:
* ^X-Virus-Status: Yes
.virus/
  • create the user's Maildir:

cd /home/testuser
mkdir -p Maildir/new Maildir/cur Maildir/tmp
mkdir -p Maildir/.virus/new Maildir/.virus/cur Maildir/.virus/tmp
chown -R testuser:testuser Maildir/
  • make sure clamd is running and the virus databases are up-to-date (in /var/lib/clamav)
  • get the test virus file from http://www.eicar.org/anti_virus_test_file.htm, and send a mail to testuser

  • the mail should be delivered in the .virus/new subfolder in /home/testuser/Maildir (check with mutt -f /home/testuser/Maildir/.virus/)
  • open the mail, and check the header for the following signature:

X-Virus-Checker-Version: clamassassin 1.2.4 with clamdscan / ClamAV
        0.94.2/8961/Fri Feb  6 15:29:06 2009

clamcour

  • sudo apt-get install courier-mta
  • sudo apt-get install clamcour
  • Edit /etc/courier/smtpaccess/default change:

192.168.0     allow,RELAYCLIENT
  • Configure a valid DNS domain.
  • Configure a Postfix on another host to send the messages. Using Mutt won't work.
  • Edit /etc/courier/locals add the domain.
  • Edit /etc/courier/defaultdomain set it to host.domain.org
  • sudo makesmtpaccess
  • sudo makehosteddomains
  • sudo /etc/init.d/courier-mta restart
    • You should now be able to send a message through courier
  • sudo filterctl start clamcour
  • Send a virus through the system and it should be logged to /var/log/mail.log.

clamfs

  • sudo apt-get install clamfs
  • mkdir -p /clamfs/tmp
  • get eicar.com file from the eicar site, copy it to /tmp

  • run clamfs with the example conf from the package
    • this will mount /tmp to /clamfs/tmp (check with mount)

root@utest-jj:~# clamfs /usr/share/doc/clamfs/clamfs-sample.xml
22:45:32 (clamfs.cxx:870) ClamFS v0.9.1
22:45:32 (clamfs.cxx:871) Copyright (c) 2007 Krzysztof Burghardt <[email protected]>
22:45:32 (clamfs.cxx:872) http://clamfs.sourceforge.net/
22:45:32 (clamfs.cxx:952) chdir to our 'root' (/tmp)
22:45:32 (clamfs.cxx:990) ScanCache initialized, 16384 entries will be kept for 10800000 ms max.
22:45:32 (rlog.cxx:82) logs goes to syslog
root@utest-jj:~# mount | grep clamfs
clamfs on /clamfs/tmp type fuse.clamfs (rw,nosuid,nodev,allow_other,default_permissions)
  • try to cat /clamfs/tmp/eicar.com, should get 'operation not permitted' message

  • check syslog for clamfs message:

Apr 11 22:49:40 utest-jj clamfs: (cat:13044) (root:0) /eicar.com: forced anti-virus scan because extension blacklisted 
Apr 11 22:49:40 utest-jj clamfs: (cat:13044) (root:0) /tmp/eicar.com: Eicar-Test-Signature FOUND

clamsmtp

  • sudo apt-get install clamsmtp
  • Configure Postfix according to clamsmtp page

    • note: stock clamsmtpd in Ubuntu listens on 10026 and forwards scanned mail to 10025, this is where postfix should listen (check /etc/clamsmtpd.conf)
  • sudo /etc/init.d/postfix restart
  • sudo /etc/init.d/clamsmtpd restart
  • Send a mail through the system with a virus attachment.
  • Should see the message being rejected and the virus name in /var/log/mail.log

Clamtk

  • sudo apt-get install clamtk
  • /usr/bin/clamtk
  • Scan a file.

Dansguardian

  • Great guide here

  • sudo apt-get install dansguardian tinyproxy firehol
  • Edit /etc/dansguardian/dansguardian.conf comment:

#UNCONFIGURED
  • Edit /etc/tinyproxy/tinyproxy.conf change:

User nobody
Group nogroup

Port 3128
  • Edit /etc/firehol/firehol.conf replace with:

version 5
iptables -t filter -I OUTPUT -d 127.0.0.1 -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j DROP
transparent_squid 8080 "nobody root"

# Accept all client traffic on any interface
interface any world
         policy drop
         protection strong
         client all accept
  • Edit /etc/default/firehol change from no to yes:

START_FIREHOL=YES
  • sudo /etc/init.d/tinyproxy restart
  • sudo /etc/init.d/dansguardian restart
  • sudo /etc/init.d/firehol restart
  • You should now have a working internet filter without any changes being made to the proxy settings.
  • Try and download a virus over http, it should get blocked.

dspam

  • sudo apt-get install dspam
  • Download dspamit shell script from dspamit_wrapper
  • Save it in /usr/local/bin/dspamit
  • sudo chmod 755 /usr/local/bin/dspamit
  • Edit /etc/dspam/dspam.conf uncomment and change:

TrustedDeliveryAgent "/usr/sbin/sendmail"


ClamAVPort      3310
ClamAVHost      127.0.0.1
ClamAVResponse accept

Opt out
  • Edit /etc/clamav/clamd.conf add:

TCPSocket 3310
TCPAddr 127.0.0.1
  • sudo /etc/init.d/clamav-daemon restart
  • Edit /etc/postfix/master.cf add:

smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=dspam:
dspam     unix  -       n       n       -       10      pipe
  flags=Rhqu user=dspam argv=/usr/local/bin/dspamit ${sender} ${recipient}
  • Edit /etc/postfix/main.cf add:

dspam_destination_recipient_limit = 1
  • Edit /etc/default/dspam change no to yes:

START=yes
  • sudo /etc/init.d/postfix restart
  • Send a virus through; it shouldn't be delivered, and the detection should be logged to /var/log/clamav/clamav.log

dtc-postfix-courier

Exim4 with ClamAV

  • sudo apt-get install exim4-daemon-heavy
  • sudo dpkg-reconfigure exim4-config (select split configuration)
  • should be able to send mail at this point
  • edit /etc/exim4/conf.d/main/02_exim4-config_options change:

av_scanner = clamd:/var/run/clamav/clamd.ctl
  • create new file /etc/exim4/conf.d/main/00_localmacros, add:

CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/local_acl
  • create new file /etc/exim4/local_acl and add the following:

   # Reject messages that have serious MIME errors.
   # This calls the demime condition again, but it
   # will return cached results.
   deny message = Serious MIME defect detected ($demime_reason)
   demime = *
   condition = ${if >{$demime_errorlevel}{2}{1}{0}}

   #
   # Reject file extensions used by worms.
   #
   deny message = This domain has a policy of not accepting certain types \
                  of attachments in mail as they may contain a virus.  \
                  \
                  This mail has a file with a .$found_extension attachment and \
                  is not accepted. \
                  \
                  If you have a legitimate need to send this attachment, send it \
                  in a compressed archive, and it will then be forwarded to the \
                  recipient.
   demime = vbs:bat:pif:scr
   .ifdef TEERGRUBE
      delay = TEERGRUBE
   .endif

   # Reject messages containing malware.
   deny message = This message contains a virus ($malware_name) and has been rejected
   malware = *
  • sudo update-exim4.conf
  • sudo /etc/init.d/exim4 restart
  • you may need to add the clamav user to the Debian-exim group (on Jaunty)
  • sudo /etc/init.d/clamav-daemon restart
  • send a virus through the system and you should see a rejection message from ClamAV in /var/log/exim4/mainlog

gURLChecker

  • sudo apt-get install gurlchecker
  • Execute /usr/bin/gurlchecker
  • Enable Virii scanning in Security section.
  • Check a site with a virus.
  • Should see virus name on console.

HAVP

  • sudo apt-get install havp
  • Change browser connection settings to use port 8080.
  • May need to clear cache.
  • Browse to a page with a virus (e.g. http://www.eicar.org/anti_virus_test_file.htm, scroll down and select a zip file to download).

  • Page should be blocked by havp and the virus should be logged to /var/log/havp/access.log.

Klamav

  • sudo apt-get install klamav
  • /usr/bin/klamav
  • Scan a file.

libclamav-client-perl

  • sudo apt-get install libclamav-client-perl
  • create a new file, add the following perl code and run the script with perl

#!/usr/bin/perl

use strict;
use warnings;
use ClamAV::Client;

# connect to clamd through the UNIX socket
# (Ubuntu default socket path)
my $scanner = ClamAV::Client->new(
    socket_name     => '/var/run/clamav/clamd.ctl'
);

# check if clamd is running
die("ClamAV daemon not alive")
    if not defined($scanner) or not $scanner->ping();

# print clamav version information
my $version = $scanner->version;
print "$version\n";

# scan a file; $result is the virus name if one was found, undef otherwise
my ($path, $result) = $scanner->scan_path('/tmp/eicar.com');
if (defined($result)) {
    print "Virus found in $path: $result\n";
}
else {
    print "No virus found.\n";
}

MailScanner

  • sudo apt-get install mailscanner
  • Edit /etc/postfix/main.cf add:

header_checks = regexp:/etc/postfix/header_checks
  • Create /etc/postfix/header_checks add:

/^Received:/ HOLD
  • Edit /etc/MailScanner/MailScanner.conf change:

Run As User = postfix
Run As Group = postfix
 
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix

Virus Scanners = clamav
  • Fix ownership of the MailScanner directories so the postfix user (see Run As User above) can use them:

sudo chown -R postfix.postfix /var/spool/MailScanner/
sudo chown -R postfix.postfix /var/lib/MailScanner/
sudo chown -R postfix.postfix /var/run/MailScanner/
sudo chown -R postfix.postfix /var/lock/subsys/MailScanner/
  • Edit /etc/default/mailscanner uncomment:

run_mailscanner=1
  • sudo /etc/init.d/mailscanner restart
  • sudo /etc/init.d/postfix restart
  • Send a message through with a virus attached should see it logged to /var/log/mail.log.

Mediawiki

  • sudo apt-get install apache2 libapache2-mod-php5 mysql-server
  • sudo apt-get install mediawiki clamav
  • configure MySQL to listen on IP Address:
  • edit /etc/mysql/my.cnf:

bind-address     = 192.168.0.10
  • create a database for the wiki and give access rights to wikiuser
    • mysql -u root

create database wikidb;
grant all on wikidb.* to wikiuser@'192.168.0.10' identified by 'password';
  • configure Apache:
    • sudo cp /etc/mediawiki/apache.conf /etc/apache2/sites-available/mediawiki.conf
    • sudo a2ensite mediawiki.conf
    • sudo /etc/init.d/apache2 reload
  • setup the wiki using a browser pointed to http://server/mediawiki to make sure it works

  • edit /etc/mediawiki/LocalSettings.php and enable file uploads, by searching for and uncommenting the following line:

#$wgEnableUploads       = true;
  • edit /etc/mediawiki/LocalSettings.php and add the following to the end, enabling scanning uploaded zip files with clamav:

$wgAntivirus = 'clamav';
$wgFileExtensions[] = 'zip';

  • Upload the EICAR test file (as a zip) through the wiki's upload page; the upload should be refused with:

Upload warning
The file contains a virus! Details: Eicar-Test-Signature FOUND

MIMEDefang

  • sudo apt-get install mimedefang
    • This will install sendmail if it's not installed already.
  • Edit /etc/mail/sendmail.mc change:

DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp, Addr=172.18.100.50')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission, Addr=172.18.100.50')dnl

INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:5m;R:5m')dnl
  • Edit /etc/mail/access uncomment:

Connect:172.18                  RELAY
  • sudo sendmailconfig
  • sudo adduser clamav defang
  • sudo adduser defang clamav
  • sudo adduser clamav smmsp
  • Edit /etc/mail/mimedefang-filter add the following to the top:

# For clamav.
$Features{'Virus:CLAMD'} = 1;
$ClamdSock  = "/var/run/clamav/clamd.ctl";
  • sudo /etc/init.d/mimedefang restart
  • sudo /etc/init.d/clamav-daemon restart
  • send messages to [email protected]

  • Send through a virus and it should be logged to /var/log/mail.log.

p3scan

  • sudo apt-get install p3scan clamav-daemon
  • enable plain POP3 protocol in dovecot (/etc/dovecot/dovecot.conf):

protocols = pop3 imap imaps
  • add the clamav user to p3scan group

root@utest-dd:/var/mail# usermod -a -G p3scan clamav
root@utest-dd:/var/mail# id clamav
uid=110(clamav) gid=110(clamav) groups=110(clamav),114(p3scan)
  • sudo /etc/init.d/dovecot restart
  • sudo /etc/init.d/clamav-daemon start
  • edit /etc/p3scan/p3scan.conf and set the following options:

scanner = /usr/bin/clamdscan --no-summary
virusregexp = .*: (.*) FOUND
  • sudo /etc/init.d/p3scan restart
  • Redirect the POP3 port 110 to 8110 using iptables:

sudo iptables -t nat -A PREROUTING -p tcp --dport pop3 -j REDIRECT --to 8110
  • send a virus through the system then try connecting to the account using POP3
  • should get an email stating there was a virus sent to you
  • p3scan should then quarantine the message in /var/spool/p3scan.

php5-clamavlib

  • sudo apt-get install php5-clamavlib
  • Edit /etc/php5/apache2/php.ini remove -e from the extension statement:

extension=clamav.so
  • sudo /etc/init.d/apache2 restart
  • Create a test script:

<?php 

print cl_info()."<br/>"; 
$ret = cl_scanfile('/path/to/virus_file'); 
print "<br/>"; 

print $ret; 
print "<br/>"; 
print "<br/>"; 

echo cl_info() . "<br>"; 

$file = "/path/to/virus_file"; 
cl_scanfile_ex($file, CL_SCAN_STDOPT, $virus, $retcode);
if ($retcode == CL_VIRUS) 
    echo $file . " returns: " . cl_pretcode($retcode) . " virus name: " . $virus . "<br>"; 
else 
    echo $file . " returns: " . cl_pretcode($retcode) . "<br>"; 

?>
  • Place the script under the web root.
  • Browse to the script, should see virus details if a virus is scanned.
  • If php5-clamavlib is broken it usually causes an Apache error and it won't start with PHP enabled.

php4-clamavlib

  • sudo apt-get install php4-clamavlib
  • Edit /etc/php4/apache2/php.ini remove -e from the extension statement:

extension=clamav.so
  • sudo /etc/init.d/apache2 restart
  • Create a test script:

<?php 

print cl_info()."<br/>"; 
$ret = cl_scanfile('/path/to/virus_file'); 
print "<br/>"; 

print $ret; 
print "<br/>"; 
print "<br/>"; 

echo cl_info() . "<br>"; 

$file = "/path/to/virus_file"; 
cl_scanfile_ex($file, CL_SCAN_STDOPT, $virus, $retcode);
if ($retcode == CL_VIRUS) 
    echo $file . " returns: " . cl_pretcode($retcode) . " virus name: " . $virus . "<br>"; 
else 
    echo $file . " returns: " . cl_pretcode($retcode) . "<br>"; 

?>
  • Place the script under the web root.
  • Browse to the script, should see virus details if a virus is scanned.
  • If php4-clamavlib is broken it usually causes an Apache error and it won't start with PHP enabled.

Note: php4-clamavlib is not available on new Ubuntu releases. See php5-clamavlib above.

python-clamav

  • sudo apt-get install python-clamav
  • Create a python test script:

###################################
#
# pyClamav test script.
#
###################################
import pyclamav

# Print the number of signatures.
print pyclamav.get_numsig()

# Print pyClamav version and Clamav version.
print pyclamav.get_version()
print pyclamav.version()

# Scan the file; the result is a (found, virus_name) tuple.
scan_file = pyclamav.scanfile('/path/to/virus_file')
print scan_file
  • Execute the file:

python clamav_test.py
  • Should see version information and virus information printed to console.

qpsmtpd

  • sudo apt-get install qpsmtpd
  • sudo dpkg-reconfigure qpsmtpd
  • Answer the following:
    • Enable qpsmtpd startup at boot time: Yes
    • Addresses on which to listen for incoming SMTP connections: 172.18.100.50
    • Queueing method for accepted mail: Postfix
    • Destination domain(s) to accept mail for (blank for none): Grizzlebees localhost.localdomain localhost
  • Edit /etc/postfix/main.cf change:

inet_interfaces = 127.0.0.1
  • sudo /etc/init.d/postfix restart
  • Edit /etc/qpsmtpd/plugins add:

virus/clamav clamscan_path=/usr/bin/clamscan action=reject max_size=209715 tmp_dir=/tmp/qpsmtpd.clam
  • sudo /etc/init.d/qpsmtpd restart
  • Send a virus through the system and it should be logged to /var/log/qpsmtpd/qpsmtpd.log

sylpheed-claws-gtk2

sylpheed-claws-clamav

Claws Mail

pyclamd

  • apt-get install python-pyclamd
  • get a test virus file from the eicar site

  • make sure the file is readable by clamav-daemon (chmod 0666 /tmp/eicar.com)
  • fire up python and copy-paste the commands below (the lines starting with >>>)

gimre@utest-jj:~$ python
Python 2.6.2c1 (release26-maint, Apr  8 2009, 01:02:22) 
[GCC 4.3.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pyclamd
>>> pyclamd.init_unix_socket(filename='/var/run/clamav/clamd.ctl')
>>> print pyclamd.version()
ClamAV 0.95.1/9224/Sat Apr 11 00:49:29 2009
>>> ret = pyclamd.scan_file('/tmp/eicar.com')
>>> print ret
{'/tmp/eicar.com': 'Eicar-Test-Signature'}
>>> ret = pyclamd.scan_stream(open('/tmp/eicar.com').read())
>>> print ret
{'stream': 'Eicar-Test-Signature FOUND'}