Adding ClamAV Anti-Virus to an Anti-SPAM Gateway

NOTICE: This document is no longer being updated. This information has been converted to a wiki and will be maintained by the anti-virus community (including myself, Kris Nosack). I will keep this document available for reference, but the up-to-date source is the wiki - http://flakshack.com/anti-spam/wiki/index.php?page=FairlySecureAntiVirusWiki

By Kris Nosack
Last Edited: 10 November 2004 (Changelog at bottom)
Latest version of this document always available at http://www.xmission.com/~kn/AddClamAV
Read and post comments here (note that you don't need to create an account to post).

What is this document?

Last year (2003) I put together an anti-spam gateway (I call it an e-mail filter) by following an excellent how-to guide written by Scott Vintinner. In short, the system is built from PC hardware using OpenBSD as the OS, running postfix as the MTA, amavisd-new (called amavisd for short) as the mechanism for passing e-mail messages to a variety of programs for filtering/processing, SpamAssassin for spam identification and a few scripts to add some extra refinement. A few months ago the MyDoom worm hit and I remembered reading a section of Scott's guide, submitted by Helmut Schneider, about adding ClamAV anti-virus to the anti-spam gateway. The directions were simply a list of commands, but it was enough to get me started. Along the way I learned more details and felt I should pass this information on to others. (Note: Helmut's instructions have been removed from Scott's guide and replaced with a link to this document. I thank Helmut for showing me the way.)

This document describes how to add ClamAV anti-virus to an existing anti-spam gateway running OpenBSD 3.3 or 3.4. ClamAV (www.clamav.net) is widely recognized as an excellent open-source virus protection tool that focuses on e-mail viruses. The ClamAV team is quick to add new viruses to their database to keep their users up-to-date. You may be able to get ClamAV to compile and install on older versions of OpenBSD, but you are on your own here. In this document I will describe how to download, install and configure ClamAV and add it to your anti-spam gateway. I also include a few scripts to keep the system maintained and a report script that gives you daily results of viruses ClamAV has found and blocked.


Where to find help

While I will maintain this document and welcome corrections, suggestions and additions, unfortunately I don't have the time available to help people set up their systems or troubleshoot problems. Please respect my time by doing as much work on your own as you can before you e-mail me.

Most often problems are a result of typos. If something doesn't work like it should, go back and rerun all commands and check for errors in configuration files and scripts. Try a web search on the error you receive or a description of the problem. Consult the ClamAV FAQ and documentation. If the problem persists, post a request for help to the OpenBSD anti-spam forum. Another place to go for help is the amavisd mailing list (https://lists.sourceforge.net/lists/listinfo/amavis-user). Please search through the archive (http://marc.theaimsgroup.com/?l=amavis-user) for answers to your problem before posting a question. Mark Martinec (the main amavisd guy) does a very good job of answering most questions quickly, so please don't waste his time. Do some research first and try to ask good questions. Also please do not email huge copies of your config files or debug output unless asked to do so.

If you have a suggestion, or find an error you think I should fix, please email me at kn@xmission.com.


Notes and Conventions

As with Scott's guide, this document is not really meant for the unix newbie. If you have never worked with linux or unix before, you may experience some difficulty with these directions. Specifically, I expect that you will know how to use vi to edit files (here's a vi cheat sheet) and that you know how to use basic unix commands like ls, cd, cp, mv, mkdir, etc.

Text shown in blue is a command that you type into the console. Text shown in red is an edit to a text file. Text shown in a gray table is a full file. The # sign indicates a shell prompt and is followed by a blue command, so don't type the #, only the blue text to the right of it. The # sign in configuration files or text edits is used as a comment marker, and may be included in the actual files without harming anything. Text that I want to draw your attention to is highlighted in yellow.

As a convenience for you, I have put console commands into tables so you can easily select several lines (without also grabbing the #'s) and copy and paste them to the console (via the telnet or ssh client) thus executing many commands at once. Try it, you'll like it.


Install Needed OpenBSD Ports

NOTICE: Scott Vintinner recently (04 May 2004) switched to a new Before-Queue content filtering method (made possible in Postfix 2.1) and overhauled his document for putting together an Anti-Spam Gateway. As part of this overhaul, he removed instructions needed for virus scanning which I have now integrated into this document. If you setup your e-mail filter based on Scott's old instructions, then you can skip this section. If you built your e-mail filter from his new instructions, then complete the following steps.

The best way to install most software for OpenBSD is to use the Ports collection. The Ports collection is available on your OpenBSD CDROM, or from any of the mirrors. When unzipped, it contains a number of files that tell the operating system where to go to download over a thousand programs for OpenBSD, along with directions on how to compile them. The limitation of the ports collection is that it does not include the latest and greatest versions of all the software, so while we will use it to install a bunch of utilities, we'll install the main programs directly from the source. For more detailed information on how to use the Ports tree, or how to download it using CVS, see the Ports and Packages mini-faq.

The first step is to get the ports.tar.gz file from the CD-ROM and copy it to /usr

mount /dev/cd0a /mnt
cp /mnt/3.3/ports.tar.gz /usr
umount /mnt
cd /usr
tar -zxvf ports.tar.gz

If you don't have OpenBSD on CD, you can download the ports collection, but first, I must make a plug for buying OpenBSD on CD-ROM.

The OpenBSD development team used to receive some sizeable funding from DARPA (a U.S. Defense agency), but the contract was suddenly "suspended" in 2003. The short story: more than ever OpenBSD is funded by donations and merchandise sales (CDs, T-shirts, etc.). You can support OpenBSD development by at least purchasing a CD set. It's much easier to install from CD, you get all of the ports and other goodies and it's nice insurance to have the OS on CD. It's only $40.

The example below gets the ports.tar.gz file (around 6 MB) from a mirror in Pittsburgh, PA, USA - consult the mirrors list for a site nearer to you, if you wish.

cd /usr
ftp http://openbsd.mirrors.pair.com/3.3/ports.tar.gz
tar -zxvf ports.tar.gz

Once you extract the file, you will find a whole tree of files under /usr/ports. The tree is divided into sections which categorize the different software packages available. To install a particular software package, all you need to do is change into the directory of the software package and run make install:

cd /usr/ports/archivers/unzip
make install

The system will automatically download the source code, compile the program, generate a "package", and install the software. The cool thing is that the software is installed as a package meaning you can easily remove it using the pkg_ commands. For example, to list all installed packages, type # pkg_info. To remove a package type # pkg_delete.

So now you need to install all of the programs listed below. These programs are used by amavisd to extract files from archives attached to e-mail messages so they can be scanned for viruses. As mentioned, all you need to do is change to each of the following directories and run make install in each.

Package Source Directories

/usr/ports/archivers/unzip
/usr/ports/archivers/unrar
/usr/ports/archivers/unace
/usr/ports/archivers/unarj
/usr/ports/archivers/arc
/usr/ports/archivers/bzip2
/usr/ports/archivers/lha
/usr/ports/archivers/zoo

In my experience, the package system usually works without a hitch. If you run into any problems, check the output for any error messages. Generally the only problem you may run into is with mismatched packages. In other words, say you install one package from OpenBSD 3.3, then a year from now, you try to install a package using the ports collection from OpenBSD 3.4. Usually when you upgrade, you will want to remove all the packages and reinstall the versions from that version of OpenBSD.

Copy the "file" program (used by amavisd to identify file types), gzip, and the unarchiver programs we need into the chroot's usr/bin directory (/var/amavisd/usr/bin). file and gzip come from /usr/bin; the unarchivers installed from ports come from /usr/local/bin:

cd /var/amavisd
cp /usr/bin/file usr/bin
cp /usr/bin/gzip usr/bin
cp /usr/local/bin/arc usr/bin
cp /usr/local/bin/bzip2 usr/bin
cp /usr/local/bin/zoo usr/bin
cp /usr/local/bin/unrar usr/bin
cp /usr/local/bin/unarj usr/bin
cp /usr/local/bin/lha usr/bin

NOTE: Older versions of the "file" program have security vulnerabilities and may not be able to correctly identify some file types. If you have a version of "file" older than 4.x, you should upgrade. Enter # /usr/bin/file -v to check the version. If you need to upgrade, follow the steps in Reply #136


Install ClamAV

Installation of ClamAV is made much easier by using a port. Flinn Mueller produced OpenBSD ports of ClamAV for quite a while (http://activeintra.net/projects/clamav/openbsd/), but now Jerome Loyet creates the ports (www.fatbsd.com/openbsd/clamav). I used Jerome's ClamAV 0.67-1 port for my first install of ClamAV. Be aware that Jerome plans to continue releasing ClamAV ports for the newer versions of OpenBSD, but may stop producing ports for older versions of OpenBSD at any time.

1. Download latest OpenBSD port of ClamAV and install it.

Check the www.fatbsd.com/openbsd/clamav website for the latest version. If a newer version exists, download and install it instead.

Make a directory for ClamAV and go there

mkdir /usr/ports/security/clamav
cd /usr/ports/security/clamav


Download ClamAV for OpenBSD. Here's an example of downloading ClamAV 0.67-1 for OpenBSD 3.3

ftp http://www.fatbsd.com/openbsd/clamav-0.67-1_3.3.tar.gz


Unpack the files from the archive (untar) and build and install ClamAV

tar -zxvf ./*.gz
cd clamav-0.67-1
make
make install
make clean

2. Copy ClamAV and other required files to the chroot directory.

Go to the chroot directory

cd /var/amavisd


Make some directories and set owner and permissions

mkdir usr/local/share/clamav
mkdir usr/sbin
mkdir var/log
chown -R amavisd.amavisd usr/local/share/clamav var/log
chmod -R 744 usr/local/share/clamav var/log
chmod 744 var/log
chmod 755 usr/local/share


Copy ClamAV files to chroot directories

cp -R /usr/local/share/clamav usr/local/share
cp /usr/local/bin/freshclam usr/bin
cp /usr/local/bin/clam* usr/bin
cp /usr/local/sbin/clamd usr/sbin
cp /usr/local/share/examples/clamav/*.conf etc


Make some devices

mknod dev/urandom c 45 2
mknod dev/null c 2 2 (may already exist on some systems)


Copy libraries used by ClamAV

cp /usr/local/lib/libclamav.* /var/amavisd/usr/lib/
cp /usr/lib/libz.so.2.0 /var/amavisd/usr/lib/
cp /usr/local/lib/libbz2.so.10.2 /var/amavisd/usr/lib/
cp /usr/local/lib/libgmp.so.6.2 /var/amavisd/usr/lib/
cp /usr/lib/libpthread.so.2.1 /var/amavisd/usr/lib/
cp /usr/lib/libc.so.30.1 /var/amavisd/usr/lib/
cp /usr/libexec/ld.so /var/amavisd/usr/libexec/ (don't need to do this if you installed DCC)


If you get a missing library error in above step, run

ldd /usr/local/sbin/clamd

and make sure each listed library is present at the same path under the chroot: the shared libraries go in /var/amavisd/usr/lib and ld.so goes in /var/amavisd/usr/libexec, exactly as in the copy commands above.
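As an added check for this step (my own script, not part of the guide), the function below reads ldd output on stdin and lists every library that is not present at the same path under the chroot, so you can run it after each ClamAV upgrade instead of comparing the list by eye. It assumes ldd prints each dependency as an absolute path containing ".so" (OpenBSD's ldd does, for the libraries and for ld.so); the function name and the sample ldd output at the bottom are my constructions.

```shell
#!/bin/sh
# Added example, not from the original guide: report shared libraries from
# ldd output that are missing at the same path inside a chroot.
# Assumption: each dependency line contains an absolute path with ".so" in it.
#
# Usage:  ldd /usr/local/sbin/clamd | missing_chroot_libs /var/amavisd
# Prints each missing library on its own line and returns 1; returns 0 and
# prints nothing when the chroot has everything, so it can gate a start-up
# line:  missing_chroot_libs /var/amavisd < ldd.out && chroot -u amavisd /var/amavisd /usr/sbin/clamd

missing_chroot_libs() {
    chroot_dir=$1
    missing=$(
        # First absolute path containing ".so" on each line; other lines
        # (the column header, the binary itself) produce nothing.
        sed -n 's|^[^/]*\(/[^[:space:]]*\.so[^[:space:]]*\).*|\1|p' | sort -u |
        while IFS= read -r lib; do
            [ -e "$chroot_dir$lib" ] || printf '%s\n' "$lib"
        done
    )
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample of ldd output (not captured from a real system), in the
# column layout OpenBSD's ldd uses; the addresses are placeholders.
SAMPLE_LDD='/usr/local/sbin/clamd:
        Start    End      Type Open Ref GrpRef Name
        00000000 00000000 exe  1    0   0      /usr/local/sbin/clamd
        00000000 00000000 rlib 0    1   0      /usr/lib/libz.so.2.0
        00000000 00000000 rlib 0    1   0      /usr/lib/libc.so.30.1
        00000000 00000000 rlib 0    1   0      /usr/libexec/ld.so'

# Demo against an empty scratch directory standing in for /var/amavisd:
# all three libraries are reported missing.
scratch=$(mktemp -d "${TMPDIR:-/tmp}/chrootchk.XXXXXXXX")
if printf '%s\n' "$SAMPLE_LDD" | missing_chroot_libs "$scratch"; then
    echo "chroot has every library clamd needs"
else
    echo "copy the libraries listed above into the chroot"
fi
rm -rf "$scratch"
```

The function compares host paths against the same paths under the chroot, which is what the cp commands above set up; if you ever relocate a library inside the chroot, adjust the check accordingly.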


Configure ClamAV

Edit the ClamAV configuration file

vi etc/clamav.conf

and make the changes shown below. Some of the lines below may already exist in the config file as-is and I'm including them because it's important they are correct, others may need to be uncommented (remove the # as the first character on the line), others may need to be commented (add a # to the beginning of the line) and some will need the value changed.

LogFile /var/log/clamd.log

LogTime

LogVerbose

PidFile /var/amavisd/clamd.pid

LocalSocket /var/amavisd/clamd.sock

FixStaleSocket

#User _clamd

# The ClamAV FAQ says this is experimental and should not be used
# Amavisd does the work of breaking the e-mail into parts anyway
#ScanMail


Edit the FreshClam configuration file

vi etc/freshclam.conf

and make the following changes:

UpdateLogFile /var/log/freshclam.log

LogVerbose

DatabaseOwner amavisd

LocalSocket /var/amavisd/clamd.sock



Optional: All of the ClamAV log files will use GMT (Greenwich Mean Time) unless it can find the file "localtime" in your etc directory, in which case it will adjust the time stamps used in the logs to be your local time. For many unix flavors the "localtime" file is a text file, but OpenBSD does something different. If you go to the /etc directory you will see that "localtime" is a link to a binary file found in /usr/share/zoneinfo. Since we're running clamd chroot it can't get to /etc (by design) so we need to provide a "localtime" file in /var/amavisd/etc. I tried making a link, but that didn't work because being in a chroot jail means you can't (and shouldn't) access files outside of the /var/amavisd home. So I just ended up copying the appropriate time zone file for my location and naming it "localtime". Here's how:

ls -l /etc/localtime

This is what I get (your output will be different unless you live in the Mountain time zone with Daylight Savings time):

lrwxr-xr-x 1 root wheel 27 May 7 2003 /etc/localtime@ -> /usr/share/zoneinfo/MST7MDT


Now copy the file that's targeted by the "localtime" link to your chroot etc directory. (Note: The file for my time zone is MST7MDT, be sure to use the file name for your time zone below):

cp /usr/share/zoneinfo/MST7MDT /var/amavisd/etc/localtime

That's it. Any new log entries should now use your local time.


Update the virus database

ClamAV includes a program named freshclam that checks for new viruses from the master database (or a mirror) and downloads these new virus definitions to your local virus database. Update your database with this command:

chroot -u amavisd /var/amavisd /usr/bin/freshclam --log-verbose

It may take a while for freshclam to download the latest virus additions to the database. When finished, the freshclam output should look something like this:

ClamAV update process started at Fri Mar 5 15:38:40 2004
Reading CVD header (main.cvd): OK
main.cvd is up to date (version: 21, sigs: 20094, f-level: 1, builder: tkojm)
Reading CVD header (daily.cvd): OK
daily.cvd is up to date (version: 166, sigs: 289, f-level: 1, builder: tomek)

except instead of just OK it will report the number of new viruses added to the databases. Optionally you can also check the freshclam log file like this:

more var/log/freshclam.log

You should see an entry in the log file that looks like this:

ClamAV update process started at Fri Mar 5 15:38:40 2004
main.cvd is up to date (version: 21, sigs: 20094, f-level: 1, builder: tkojm)
daily.cvd is up to date (version: 166, sigs: 289, f-level: 1, builder: tomek)


Start the ClamAV daemon

We'll be running the ClamAV daemon (a program that stays running all the time waiting for input) because it's faster than the command line scanner (clamscan). We'll set up clamscan as a backup anti-virus scanner in the "Configure amavisd to use ClamAV" section below. The ClamAV daemon is named clamd. Start clamd like this:

chroot -u amavisd /var/amavisd /usr/sbin/clamd

Check to make sure it's running:

ps -ax | grep clamd



Test ClamAV

Test to see if we can run clamscan, the ClamAV command line scanning program

chroot -u amavisd /var/amavisd /usr/bin/clamscan

The output should look like this:

//amavis.log: Empty file.
//blacklist: Empty file.
//whitelist: OK
//spam_lovers: OK
//notify_spam_sender.txt: OK
//amavisd.lock: Empty file.
//notify_virus_sender.txt: OK
//amavisd.pid: OK
//clamd.pid: OK
//scan.txt: OK

----------- SCAN SUMMARY -----------
Known viruses: 20383
Scanned directories: 1
Scanned files: 7
Infected files: 0
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 2.032 sec (0 m 2 s)

Now let's make sure ClamAV will detect a test virus. EICAR (European Institute for Computer Anti-Virus Research) has produced a test virus signature that most anti-virus programs will detect. Don't worry about downloading this file as it's not a virus, in fact it's not even machine code that could be run in any way. Grab a copy of the EICAR test virus in several forms (plain, zipped, and nested zip) and then rerun clamscan to see if it identifies all three forms

ftp http://www.eicar.org/download/eicar.com
ftp http://www.eicar.org/download/eicar_com.zip
ftp http://www.eicar.org/download/eicarcom2.zip
chroot -u amavisd /var/amavisd /usr/bin/clamscan

The output should look like this:

//amavis.log: Empty file.
//blacklist: Empty file.
//whitelist: OK
//spam_lovers: OK
//notify_spam_sender.txt: OK
//amavisd.lock: Empty file.
//notify_virus_sender.txt: OK
//amavisd.pid: OK
//clamd.pid: OK
//scan.txt: OK
//eicar.com Eicar-Test-Signature FOUND
//eicar_com.zip Eicar-Test-Signature FOUND
//eicarcom2.zip Eicar-Test-Signature FOUND


----------- SCAN SUMMARY -----------
Known viruses: 20383
Scanned directories: 1
Scanned files: 10
Infected files: 3
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 2.032 sec (0 m 2 s)

Finally, we'll test clamd by sending it the filename of an EICAR test file using clamdscan:

chroot -u amavisd /var/amavisd /usr/bin/clamdscan eicar.com

The output should look like this:

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.095 sec (0 m 0 s)


Configure amavisd to use ClamAV

Edit the amavisd configuration file

vi /etc/amavisd.conf

and make sure the lines shown below are included. Note that #@bypass_virus_checks_acl = qw( . ); is probably already in the amavisd.conf file but needs to have the # inserted in front to command amavisd to perform virus scans.

#@bypass_virus_checks_acl = qw( . ); # uncomment to DISABLE anti-virus code

$file = 'file';
$arc = ['nomarch', 'arc'];
$gzip = 'gzip';
$bzip2 = 'bzip2';
$uncompress = ['uncompress', 'gzip -d', 'zcat'];
$lha = 'lha';
$unarj = 'unarj';
$unrar = 'unrar';
$zoo = 'zoo';

### Virus scanners

# Add X-Virus-Scanned line to mail? (default: undef)
$X_HEADER_TAG = 'X-Virus-Scanned';

$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone

# Don't notify sender when these viruses are found because they spoof From:
$viruses_that_fake_sender_re = new_RE(
qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sco|mydoom'i,
[qr'^(EICAR\.COM|Joke\.|Junk\.)'i => 0],
[qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
);

@av_scanners = (
# http://www.clamav.net/
['Clam Antivirus-clamd',
\&ask_daemon, ["CONTSCAN {}\n", '/var/amavisd/clamd.sock'],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

@av_scanners_backup = (
# http://www.clamav.net/
['Clam Antivirus - clamscan', 'clamscan',
'--stdout --disable-summary -r {}', [0], [1],
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

These changes tell amavisd-new to enable virus scanning and use clamd for the primary scanner and clamscan for the backup (secondary) scanner. There are more amavisd-new configuration options relating to virus scanning, but these are the basics.
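To make the three patterns in the @av_scanners entry concrete, here is an added example of mine (a shell function, not code from the guide or from amavisd-new) that classifies clamd reply lines the same way amavisd does: a line ending in OK is clean, a line ending in FOUND is infected, and the virus name is the text after the first ": " up to " FOUND", except that a name starting with "Infected Archive" is rejected by the negative lookahead, so no name is extracted for it. The function name and the sample reply lines are constructed.

```shell
#!/bin/sh
# Added example, not from the guide or amavisd-new: classify the lines clamd
# sends back to a CONTSCAN request the way the @av_scanners patterns do.
#   qr/\bOK$/      -> line ends in " OK"    : clean
#   qr/\bFOUND$/   -> line ends in " FOUND" : infected
#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/
#                  -> virus name = text after the FIRST ": " up to " FOUND",
#                     unless it starts with "Infected Archive", in which case
#                     the pattern does not match and no name is extracted.
# The function name and the sample lines are my own constructions.

classify_clamd_reply() {
    # Reads reply lines on stdin and prints, per line:
    #   CLEAN <path>
    #   INFECTED <name> <path>
    #   INFECTED - <path>        (FOUND, but no usable name)
    #   OTHER <line>             (anything else, e.g. an ERROR line)
    while IFS= read -r line; do
        path=${line%%: *}     # up to the first ": "
        rest=${line#*: }      # after the first ": " (the non-greedy .*? part)
        case $line in
            *" OK")
                printf 'CLEAN %s\n' "$path" ;;
            *" FOUND")
                name=${rest% FOUND}
                case $name in
                    "Infected Archive"*) printf 'INFECTED - %s\n' "$path" ;;
                    *)                   printf 'INFECTED %s %s\n' "$name" "$path" ;;
                esac ;;
            *)
                printf 'OTHER %s\n' "$line" ;;
        esac
    done
}

# Demo on constructed replies (the first path is the one that appears in the
# maillog excerpt in the next section; the others are made up).
printf '%s\n' \
    '/var/amavisd/tmp/amavis-20040305T084433-05412/parts: OK' \
    '/var/amavisd/tmp/amavis-20040305T084433-05412/parts/p001: Eicar-Test-Signature FOUND' \
    '/var/amavisd/tmp/amavis-20040305T084433-05412/parts/p002.zip: Infected Archive FOUND' \
    '/var/amavisd/tmp/missing: Access denied. ERROR' |
    classify_clamd_reply
```

The last case matters operationally: a reply that matches neither pattern (for example an ERROR line because clamd cannot read the parts directory, typically a chroot permission problem) is not a clean result, and amavisd will report the scanner as failed rather than pass the mail as clean.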


Restart amavisd and postfix then make sure virus scanning is working

If you have Scott's restart script use it

/root/my-restart.sh

otherwise do it manually like this:

postfix stop
cat /var/amavisd/amavisd.pid | xargs kill
/usr/local/sbin/amavisd
postfix start

wait five seconds or so then check the maillog

tail -2000 /var/log/maillog | grep clam

The output should look something like this:

Mar 5 08:44:22 ldmailfilter amavis[25161]: Using internal av scanner code for (primary) Clam Antivirus-clamd
Mar 5 08:44:22 ldmailfilter amavis[25161]: Found secondary av scanner Clam Antivirus - clamscan at (chroot: /var/amavisd/) /usr/bin/clamscan
Mar 5 08:44:34 ldmailfilter amavis[5412]: (05412-01) Using Clam Antivirus-clamd: (built-in interface)
Mar 5 08:44:34 ldmailfilter amavis[5412]: (05412-01) Clam Antivirus-clamd: Connecting to socket /var/amavisd /var/amavisd/clamd.sock
Mar 5 08:44:34 ldmailfilter amavis[5412]: (05412-01) Clam Antivirus-clamd: Sending CONTSCAN /var/amavisd/tmp/amavis-20040305T084433-05412/parts\\n to UNIX socket /var/amavisd/clamd.sock
Mar 5 08:44:36 ldmailfilter amavis[5412]: (05412-01) Clam Antivirus-clamd result: /var/amavisd/tmp/amavis-20040305T084433-05412/parts: OK\\n

amavisd should find clamd and use it for the primary scanner (first line shown above) and find clamscan as the secondary scanner (second line). Amavisd should also indicate that it was able to connect to the socket for clamd (fourth line). After this you should see amavisd call clamd to scan some mail (or mail parts, if you have your loglevel set to 4 or 5) and return a result, if you have e-mail in the queue. If you didn't see any mail scans, wait a bit longer and run the tail command again (as shown above).

If you want to dig into the log further, find where amavisd restarted and it should look like this (the key lines are highlighted):

Mar  5 08:44:21 ldmailfilter amavis[16109]: starting.  amavisd at ldmailfilter.larsondavis.com amavisd-new-20030616-p7, Unicode aware
Mar  5 08:44:21 ldmailfilter amavis[16109]: Perl version               5.008
Mar  5 08:44:21 ldmailfilter amavis[16109]: Module Amavis::Conf        1.15
Mar  5 08:44:21 ldmailfilter amavis[16109]: Module Archive::Tar        1.05
Mar  5 08:44:21 ldmailfilter amavis[16109]: Module Archive::Zip        1.05
Mar  5 08:44:21 ldmailfilter amavis[16109]: Module Compress::Zlib      1.22
Mar  5 08:44:21 ldmailfilter amavis[16109]: Module Convert::TNEF       0.17
Mar  5 08:44:21 ldmailfilter amavis[16109]: Module Convert::UUlib      0.31
Mar  5 08:44:21 ldmailfilter amavis[16109]: Module MIME::Entity        5.404
Mar  5 08:44:21 ldmailfilter amavis[16109]: Module MIME::Parser        5.406
Mar  5 08:44:21 ldmailfilter amavis[16109]: Module MIME::Tools         5.411
Mar  5 08:44:21 ldmailfilter amavis[16109]: Module Mail::Header        1.58
Mar  5 08:44:21 ldmailfilter amavis[16109]: Module Mail::Internet      1.58
Mar  5 08:44:21 ldmailfilter amavis[16109]: Module Mail::SpamAssassin  2.63
Mar  5 08:44:21 ldmailfilter amavis[16109]: Module Net::Cmd            2.21
Mar  5 08:44:21 ldmailfilter amavis[16109]: Module Net::DNS            0.45
Mar  5 08:44:21 ldmailfilter amavis[16109]: Module Net::SMTP           2.24
Mar  5 08:44:21 ldmailfilter amavis[16109]: Module Net::Server         0.85
Mar  5 08:44:21 ldmailfilter amavis[16109]: Module Time::HiRes         1.2
Mar  5 08:44:21 ldmailfilter amavis[16109]: Module Unix::Syslog        0.99
Mar  5 08:44:21 ldmailfilter amavis[16109]: Found myself: /usr/local/sbin/amavisd -c /etc/amavisd.conf
Mar  5 08:44:21 ldmailfilter amavis[16109]: Lookup::SQL code       NOT loaded
Mar  5 08:44:21 ldmailfilter amavis[16109]: Lookup::LDAP code      NOT loaded
Mar  5 08:44:21 ldmailfilter amavis[16109]: AMCL-in protocol code  NOT loaded
Mar  5 08:44:21 ldmailfilter amavis[16109]: SMTP-in protocol code  loaded
Mar  5 08:44:21 ldmailfilter amavis[16109]: ANTI-VIRUS code        loaded
Mar  5 08:44:21 ldmailfilter amavis[16109]: ANTI-SPAM  code        loaded
Mar  5 08:44:21 ldmailfilter amavis[25161]: Net::Server: Process Backgrounded
Mar  5 08:44:21 ldmailfilter amavis[25161]: Net::Server: 2004/03/05-08:44:21 Amavis (type Net::Server::PreForkSimple) starting! pid(25161)
Mar  5 08:44:21 ldmailfilter amavis[25161]: Net::Server: Binding to TCP port 10024 on host 127.0.0.1
Mar  5 08:44:22 ldmailfilter amavis[25161]: Net::Server: Chrooting to /var/amavisd
Mar  5 08:44:22 ldmailfilter amavis[25161]: Net::Server: Setting gid to "3000 3000"
Mar  5 08:44:22 ldmailfilter amavis[25161]: Net::Server: Setting uid to "3000"
Mar  5 08:44:22 ldmailfilter amavis[25161]: Found $file       at (chroot: /var/amavisd/) /usr/bin/file
Mar  5 08:44:22 ldmailfilter amavis[25161]: Found $arc        at (chroot: /var/amavisd/) /usr/bin/arc
Mar  5 08:44:22 ldmailfilter amavis[25161]: Found $gzip       at (chroot: /var/amavisd/) /usr/bin/gzip
Mar  5 08:44:22 ldmailfilter amavis[25161]: Found $bzip2      at (chroot: /var/amavisd/) /usr/bin/bzip2
Mar  5 08:44:22 ldmailfilter amavis[25161]: No $lzop,         not using it
Mar  5 08:44:22 ldmailfilter amavis[25161]: Found $lha        at (chroot: /var/amavisd/) /usr/bin/lha
Mar  5 08:44:22 ldmailfilter amavis[25161]: Found $unarj      at (chroot: /var/amavisd/) /usr/bin/unarj
Mar  5 08:44:22 ldmailfilter amavis[25161]: Found $uncompress at (chroot: /var/amavisd/) /usr/bin/gzip -d
Mar  5 08:44:22 ldmailfilter amavis[25161]: No $unfreeze,     not using it
Mar  5 08:44:22 ldmailfilter amavis[25161]: Found $unrar      at (chroot: /var/amavisd/) /usr/bin/unrar
Mar  5 08:44:22 ldmailfilter amavis[25161]: Found $zoo        at (chroot: /var/amavisd/) /usr/bin/zoo
Mar  5 08:44:22 ldmailfilter amavis[25161]: No $cpio,         not using it
Mar  5 08:44:22 ldmailfilter amavis[25161]: Using internal av scanner code for (primary) Clam Antivirus-clamd
Mar  5 08:44:22 ldmailfilter amavis[25161]: Found secondary av scanner Clam Antivirus - clamscan at (chroot: /var/amavisd/) /usr/bin/clamscan
Mar  5 08:44:22 ldmailfilter amavis[25161]: SpamControl: initializing Mail::SpamAssassin

If everything checks out, you are now scanning all e-mail for viruses using ClamAV.


Periodically check for new viruses

Freshclam can be run as a daemon, but it didn't make sense to me to keep freshclam running just to check for new viruses every few hours (even if it doesn't take much memory), so I set up a cron job to run freshclam every 4 hours (six times per day). To do this, edit your crontab

crontab -e

and add this line:

21 1,5,9,13,17,21 * * * chroot -u amavisd /var/amavisd /usr/bin/freshclam --quiet --log-verbose --daemon-notify


Configure OpenBSD to start clamd after a reboot

Edit the /etc/rc.local file and add a line to start clamd when the computer starts up

vi /etc/rc.local

scroll down to the end of the file and add this line before the postfix line (we want to start clamd before postfix and amavisd):

chroot -u amavisd /var/amavisd /usr/sbin/clamd


Daily delete old files

The default action for amavisd-new is to quarantine e-mail containing viruses so they can be examined later. I couldn't think of any reason to keep these files, so I delete them after they are 2 days old. Also, amavisd does a pretty good job of deleting its temporary files, but I have found that it misses some often enough that I set up a mechanism to delete these files after two days as well. (Note: a while ago I had enough of these files build up that it crashed OpenBSD.) This is how I handle deleting these files; certainly you can tweak these or come up with your own way of dealing with them. First I make a script

vi /usr/local/sbin/my-tmp-delete.sh

then enter these lines into this new file:

#!/bin/sh
# remove leftover amavisd work directories and SpamAssassin temp files older than 2 days
find /var/amavisd/tmp -type d -name 'amavis-*' -prune -mtime +2 -exec rm -rf {} \;
find /var/amavisd/tmp -name 'sa*' -mtime +2 -exec rm {} \;
# purge quarantined virus messages older than 2 days
find /var/amavisd/quarantine -name 'virus-*' -mtime +2 -exec rm {} \;

This script deletes amavisd temporary directories whose names start with "amavis-" and temporary files whose names start with "sa", then deletes any "virus-" files in the quarantine directory, in each case once they are more than two days old. Now I make sure the permissions are set properly and set up a cron job to run this script once a day (5:30 am)

chmod 500 /usr/local/sbin/my-tmp-delete.sh
crontab -e

then add this line:

30 5 * * * /usr/local/sbin/my-tmp-delete.sh


Add a virus report script

I created a script to send me a daily report on the virus scanning activity of the previous day (like the postfix and spamassassin reports). If you want this report, follow these steps:

ftp http://www.xmission.com/~kn/AddClamAV/my-virus-report.txt
mv my-virus-report.txt /usr/local/sbin/my-virus-report.pl
vi /usr/local/sbin/my-postfix-report.sh

Now add this line just before the last line (gzip ...):

/usr/local/sbin/my-virus-report.pl /var/log/maillog.0 | mail -s "ClamAV Maillog Report" spamczar@host.com

replace "spamczar@host.com" with the e-mail address you used for the other reports. Check that this new script has the same file permissions and ownership as the other scripts.

If you have trouble using ftp to download the script, try wget or use this link to download the script with your browser:

http://www.xmission.com/~kn/AddClamAV/my-virus-report.txt
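For readers who would rather see what such a report does than download one, here is an added example of mine (not Kris's my-virus-report.pl, whose contents the guide does not show) that produces a similar daily summary with sh and awk. It assumes amavisd-new logs each detection as "amavis[pid]: (id) INFECTED (Name), <from> -> <to>, ..."; check one real line in your maillog and adjust the two patterns if your version logs differently. The function name and the sample log lines in the demo are constructed, not captured.

```shell
#!/bin/sh
# Added example, not the guide's my-virus-report.pl: summarize the previous
# day's virus detections from a rotated maillog.
# Assumption about the log layout (verify against your own maillog):
#   ... amavis[pid]: (id) INFECTED (Virus.Name), <from> -> <to>, quarantine ...
# Usage, in place of the perl line in my-postfix-report.sh:
#   virus_report < /var/log/maillog.0 | mail -s "ClamAV Maillog Report" spamczar@host.com

virus_report() {
    # One "name<TAB>recipient" line per detection; all other log lines are dropped.
    pairs=$(awk '/ INFECTED \(/ {
        n = $0; sub(/.* INFECTED \(/, "", n); sub(/\).*/, "", n)
        r = $0; sub(/.*-> </, "", r);        sub(/>.*/, "", r)
        printf "%s\t%s\n", n, r
    }')
    total=$(printf '%s\n' "$pairs" | awk 'NF { n++ } END { print n + 0 }')
    printf 'Infected messages found: %s\n' "$total"
    [ "$total" -eq 0 ] && return 0
    printf '\nBy virus name:\n'
    printf '%s\n' "$pairs" | cut -f1 | sort | uniq -c | sort -rn
    printf '\nBy recipient:\n'
    printf '%s\n' "$pairs" | cut -f2 | sort | uniq -c | sort -rn
    return 0
}

# Constructed sample log lines (not captured); addresses and the second virus
# name are placeholders.
SAMPLE_MAILLOG='Mar  5 09:12:01 ldmailfilter amavis[1234]: (01234-02) INFECTED (Eicar-Test-Signature), <a@example.com> -> <b@example.org>, quarantine virus-20040305-091201-01234-02
Mar  5 09:13:44 ldmailfilter amavis[1234]: (01234-03) Passed, <c@example.com> -> <b@example.org>, Hits: 1.2
Mar  5 09:15:10 ldmailfilter amavis[1240]: (01240-01) INFECTED (Worm.Sample.A), <d@example.net> -> <b@example.org>, quarantine virus-20040305-091510-01240-01
Mar  5 09:20:00 ldmailfilter amavis[1240]: (01240-02) INFECTED (Worm.Sample.A), <e@example.net> -> <f@example.org>, quarantine virus-20040305-092000-01240-02'

printf '%s\n' "$SAMPLE_MAILLOG" | virus_report
```

The per-recipient breakdown is the part worth watching day to day: one address collecting most of the hits usually means its address is on a worm's harvested list, which is useful to know before the quarantine fills up.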


What if I want to disable virus scanning for a while?

To disable virus scanning of e-mail, edit the /etc/amavisd.conf file and uncomment this line:

@bypass_virus_checks_acl = qw( . ); # uncomment to DISABLE anti-virus code

then restart amavisd (easiest to use the my-restart.sh script).

To turn virus scanning back on, comment out this line by adding the # in front like this:

#@bypass_virus_checks_acl = qw( . ); # uncomment to DISABLE anti-virus code

then restart amavisd.


Upgrading ClamAV

New versions of ClamAV are released often. In general, a new minor version is released every month with major versions about every six months. The ClamAV developers are continually improving ClamAV and adding new features to keep up with, or ahead of, the constantly evolving virus threats. The bottom line is you will need to periodically upgrade ClamAV to keep it functioning effectively.

This section will give instructions for upgrading ClamAV through this example of moving from version 0.75-1 to 0.80. Hopefully this example will be general enough to assist in any upgrade.

Before we get started, I want to point out that it's a good idea to periodically check the freshclam log file to make sure your virus definitions are getting updated and to see if your ClamAV needs to be updated. Running the following command will show you the last 50 lines of the log:

tail -50 /var/amavisd/var/log/freshclam.log

If you see any warnings about reduced functionality (see below), it's time to upgrade.

--------------------------------------
ClamAV update process started at Wed Oct 27 13:21:07 2004
main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
daily.cvd is up to date (version: 557, sigs: 1816, f-level: 3, builder: trog)
WARNING: Your ClamAV installation is OUTDATED - please update immediately !
WARNING: Current functionality level = 2, required = 3
--------------------------------------
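The same check can be scripted so that cron tells you instead of you remembering to tail the log. The function below is an added example of mine, not part of the guide: it reads a freshclam log on stdin, looks only at the most recent update run (so an old warning that a later upgrade fixed does not keep firing), and reports the functionality levels from the warning. The log line wording is taken from the excerpt above; the function name and the cron usage are my own.

```shell
#!/bin/sh
# Added example (my script, not the guide's): detect the "OUTDATED" warning in
# a freshclam log and report the current vs. required functionality level.
#
# Usage, e.g. from cron once a day:
#   freshclam_outdated < /var/amavisd/var/log/freshclam.log \
#       && echo "ClamAV needs upgrading" | mail -s "ClamAV outdated" root
# Prints "current=N required=M" and returns 0 when the last update run warned
# that ClamAV is outdated; prints nothing and returns 1 otherwise.

freshclam_outdated() {
    # Keep only the lines of the most recent update run.
    last_run=$(awk '/ClamAV update process started/ { buf = "" }
                    { buf = buf $0 "\n" }
                    END { printf "%s", buf }')
    levels=$(printf '%s' "$last_run" |
        sed -n 's/.*Current functionality level = \([0-9][0-9]*\), required = \([0-9][0-9]*\).*/current=\1 required=\2/p')
    [ -n "$levels" ] || return 1
    printf '%s\n' "$levels"
}

# Demo on the log excerpt quoted in the guide above.
SAMPLE_LOG='ClamAV update process started at Wed Oct 27 13:21:07 2004
main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
daily.cvd is up to date (version: 557, sigs: 1816, f-level: 3, builder: trog)
WARNING: Your ClamAV installation is OUTDATED - please update immediately !
WARNING: Current functionality level = 2, required = 3'

if printf '%s\n' "$SAMPLE_LOG" | freshclam_outdated; then
    echo "upgrade ClamAV"
else
    echo "ClamAV is current"
fi
```

Because the function only looks at the last run, it stays quiet once the upgrade is done and the next freshclam run logs cleanly; if freshclam has not run at all (no "update process started" line), it also returns 1, so pair it with the crontab entry rather than relying on it alone.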

1. Get the latest version of ClamAV

Go to the ClamAV homepage and check the news or look in the Download | Stable area for the latest version. More important, check Jerome's ClamAV for OpenBSD ports page for the latest version - be sure to check for news and instructions down at the bottom of the page. Download the latest port. Here's an example using WGET (FTP should also work) to retrieve ClamAV 0.80 for OpenBSD 3.3:

wget http://www.fatbsd.com/openbsd/clamav/dl/clamav-0.80_3.3.tar.gz

Unpack the archive

tar -zxvf clamav-0.80_3.3.tar.gz

2. Disable virus scanning

Virus scanning must be disabled while you upgrade ClamAV. This can be handled several ways. For small organizations like mine, I just shut down amavisd and postfix so no e-mail goes in or out while I'm upgrading. I do these upgrades after business hours so it doesn't bother anyone. If you need to keep mail flowing and don't mind risking a few viruses getting in, you can disable only virus scanning.

To shutdown your mail filter (postfix and amavisd), run the /root/my-stop.sh script or manually execute the commands:

# postfix stop
# cat /var/amavisd/amavisd.pid | xargs kill

To disable virus scanning, edit your amavisd configuration file:

# vi /etc/amavisd.conf

Then disable virus scanning by uncommenting the @bypass_virus_checks_acl line (remove the # in front of it) so it looks like this:

@bypass_virus_checks_acl = qw( . );

Save the configuration file and restart postfix and amavisd by running /root/my-restart.sh or these equivalent commands:

# postfix stop
# cat /var/amavisd/amavisd.pid | xargs kill
# /usr/local/sbin/amavisd
# postfix start

3. Kill the ClamAV daemon and the freshclam cron job

Shutdown the ClamAV daemon:

# cat /var/amavisd/clamd.pid | xargs kill

It's unlikely to fire during the upgrade, but we don't want the freshclam cron job to run while we're working, so disable it by editing the cron job list:

# crontab -e

Then disable the freshclam job by commenting it out (inserting a # as the first character), like this:

#21 1,5,9,13,17,21 * * * chroot -u amavisd /var/amavisd /usr/bin/freshclam --quiet --log-verbose --daemon-notify

4. Uninstall the old ClamAV

The old version of ClamAV must be uninstalled before installing the new version. The preferred method is to use the uninstall routine provided in the old version's port directory, if you still have it:

# cd /usr/ports/security/clamav/clamav-0.75.1
# make uninstall

If you removed or can't find the source directory, you should be OK using the OpenBSD package management commands. Use this command to list the installed packages:

# pkg_info

Find the exact name of the ClamAV package and remove it like this:

# pkg_delete clamav-0.75.1

5. Install the new ClamAV

Installing the new version of ClamAV is similar to installing ClamAV from scratch.

# cd /usr/ports/security/clamav/clamav-0.80
# make
# make install
# make clean

If you get an error when you run "make install", try running "make plist" then "make install".

Now copy ClamAV files to the chroot directories

# cp -R /usr/local/share/clamav /var/amavisd/usr/local/share
# cp /usr/local/bin/freshclam /var/amavisd/usr/bin
# cp /usr/local/bin/clam* /var/amavisd/usr/bin
# cp /usr/local/sbin/clamd /var/amavisd/usr/sbin

Next copy the libraries needed by ClamAV to the chroot directory, but first use "ldd" to find out what libraries need to be copied:

# ldd /usr/local/sbin/clamd

The output will look like this:

/usr/local/sbin/clamd:
Start    End      Type Ref Name
00000000 00000000 exe  1 /usr/local/sbin/clamd
050c0000 250d3000 rlib 1 /usr/local/lib/libclamav.so.1.4
02322000 22327000 rlib 2 /usr/local/lib/libbz2.so.10.2
0b4ea000 2b4f0000 rlib 2 /usr/local/lib/libgmp.so.6.2
00b3d000 20b46000 rlib 2 /usr/local/lib/libcurl.so.2.2
02574000 22580000 rlib 3 /usr/lib/libssl.so.8.0
0cf93000 2cfc4000 rlib 3 /usr/lib/libcrypto.so.10.3
0e3de000 2e3e6000 rlib 3 /usr/lib/libz.so.3.0
02d45000 22d4f000 rlib 1 /usr/lib/libpthread.so.2.4
03083000 230bc000 rlib 1 /usr/lib/libc.so.30.3
0514a000 0514a000 rtld 1 /usr/libexec/ld.so

Copy the libraries listed above like this:

# cp /usr/lib/libz.so.2.0 /var/amavisd/usr/lib/
# cp /usr/local/lib/libbz2.so.10.2 /var/amavisd/usr/lib/
# cp /usr/local/lib/libgmp.so.6.2 /var/amavisd/usr/lib/
# cp /usr/lib/libpthread.so.2.1 /var/amavisd/usr/lib/
# cp /usr/lib/libc.so.30.1 /var/amavisd/usr/lib/
# cp /usr/libexec/ld.so /var/amavisd/usr/libexec/

The above is just an example: the version numbers in it come from an earlier install and do not match the "ldd" output shown above, and it leaves out libclamav, libcurl, libssl and libcrypto. Be sure that every library listed by "ldd" on your system, with the exact version numbers it shows, gets copied into /var/amavisd/usr/lib (and ld.so into /var/amavisd/usr/libexec); clamd will not start inside the jail if any of them is missing.
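Rather than transcribing the "ldd" output by hand (which is how the version mismatch in the example above happens), the library list can be read straight from it. The following shell functions are an added example, not part of the original document: they assume the five-column "ldd" layout shown above (Start End Type Ref Name), copy every "rlib" entry into usr/lib and the "rtld" entry (ld.so) into usr/libexec under the jail, the same layout as the cp commands above, and can then verify that nothing was missed before clamd is started in the chroot:

```shell
#!/bin/sh
# Added example (not part of the original document): read OpenBSD "ldd"
# output and copy the shared libraries and runtime linker it lists into the
# amavisd chroot, using the layout the document uses (usr/lib and
# usr/libexec under the jail). Assumes the five-column ldd format
# "Start End Type Ref Name" shown in the document.

# Print "type path" for every rlib (shared library) and rtld (runtime
# linker) entry from ldd output on stdin. The "exe" entry is the binary
# itself and is skipped; it is copied into the jail separately.
ldd_libs() {
    awk '$3 == "rlib" || $3 == "rtld" { print $3, $5 }'
}

# Map an entry type to its destination directory inside the jail at $1.
dest_dir_for() {
    case "$2" in
        rtld) echo "$1/usr/libexec" ;;
        rlib) echo "$1/usr/lib" ;;
        *)    return 1 ;;
    esac
}

# Copy each "type path" line read from stdin into the jail rooted at $1,
# creating the destination directory if needed.
copy_libs_into_chroot() {
    chroot_root="$1"
    while read -r kind lib; do
        [ -n "$lib" ] || continue
        dest_dir=$(dest_dir_for "$chroot_root" "$kind") || continue
        mkdir -p "$dest_dir"
        cp "$lib" "$dest_dir/"
    done
}

# Print every "type path" line read from stdin whose file is still absent
# from the jail rooted at $1; empty output means the jail is complete.
missing_in_chroot() {
    chroot_root="$1"
    while read -r kind lib; do
        [ -n "$lib" ] || continue
        dest_dir=$(dest_dir_for "$chroot_root" "$kind") || continue
        [ -e "$dest_dir/$(basename "$lib")" ] || echo "$kind $lib"
    done
}

# Intended use on the gateway (as root):
#   ldd /usr/local/sbin/clamd | ldd_libs | copy_libs_into_chroot /var/amavisd
#   ldd /usr/local/sbin/clamd | ldd_libs | missing_in_chroot /var/amavisd
```

Run the missing_in_chroot pipeline again after copying; if it prints nothing, every library clamd links against is present in the jail. Repeat the same two pipelines for /usr/local/bin/freshclam and /usr/local/bin/clamscan, since those binaries may pull in libraries clamd does not.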

Often new versions include new configuration parameters. Look at the example configuration files (clamd.conf and freshclam.conf) in /usr/local/share/examples/clamav/ and put new settings you want to (or must) use into your config files in the /var/amavisd/etc directory. Note that ClamAV 0.80 now uses "clamd.conf" instead of "clamav.conf" as the name of the configuration file (I just renamed my old config file). As of ClamAV 0.80 you are encouraged to use the new DNS method (easier on the download servers) to see if new virus definitions are available - just add "DNSDatabaseInfo current.cvd.clamav.net" to your freshclam.conf file.

While you're editing the configuration files it's a good idea to turn on logging (if you've turned it off) in clamd.conf so you can check for errors as you bring up and test the new version.

6. Test the installation and update the virus database

To test the installation (in the chroot jail) and the freshclam configuration file, and update the virus database, run this command:

# chroot -u amavisd /var/amavisd /usr/bin/freshclam -v

The output should look something like this:

Current working dir is /var/amavisd
Max retries == 3
ClamAV update process started at Thu Nov 11 15:08:31 2004
TTL: 900
main.cvd version from DNS: 27
Software version from DNS: 0.80
main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
TTL: 900
daily.cvd version from DNS: 585
daily.cvd is up to date (version: 585, sigs: 2485, f-level: 3, builder: trog)
Freeing option list...done

Notice the "from DNS:" lines indicate that you have correctly configured freshclam to use the DNS method for retrieving the version data. If you see any errors in the output, fix them before continuing.

7. Start the ClamAV daemon (clamd) and test it

The steps for starting the ClamAV daemon (clamd) and testing ClamAV are the same for a fresh install as for an upgrade, so run through those steps as described earlier in this document:

(Note: The test for scanning a directory for viruses may not work, so just run the test for the EICAR virus.)

8. Restart virus scanning and check for errors

If you stopped postfix and amavisd to upgrade, start them up:

# /root/my-start.sh

or

# /usr/local/sbin/amavisd
# postfix start

If you only disabled virus scanning, re-enable it by commenting out the @bypass_virus_checks_acl line again and restarting postfix and amavisd as above.

If you have logging on for ClamAV, check the log:

# tail -100 /var/amavisd/var/log/clamd.log

Finally, turn the freshclam cron job back on by removing the #.


Detecting password protected zip viruses

Update: amavisd-new maintenance update p8 was released on 10 March 2004 and includes the fix described below. I recommend that you upgrade amavisd instead of fixing older versions of amavisd, but the choice is yours. Upgrading amavisd is pretty easy. Go to the amavisd-new website and get the name of the latest release then just do the first 7 commands listed in Scott's guide for installing amavisd-new (but use the file and directory names of the new version of amavisd). Look at the release notes to see what's new then copy the configuration items for the new features you want from the default amavisd.conf file into your amavisd.conf. As a side note, I highly recommend using $sa_dsn_cutoff_level to control the volume of wasted spam notices you send out.

Some virus writers are employing a somewhat new trick aimed at getting their virus past e-mail scanners. They wrap the virus in a password protected zip file and attach it to an e-mail that includes the password in the message body. The message tries to persuade the recipient to follow the included instructions for opening the zip file with the included password. An example of a virus that uses this trick is Bagle.h. While most virus scanners (including ClamAV) can detect viruses in zip files (and other compressed archive formats), most cannot detect viruses in password protected (encrypted) zip files, so the e-mail gets sent along to the recipient. ClamAV can detect these password protected zip file viruses if the entire message is available to be scanned. But amavisd breaks apart each e-mail into its various parts so each part can be scanned, which helps identify other virus tricks, but not this one. Fortunately there is an easy solution. Ted Cabeen, an amavisd user, has written a two-line patch that causes amavisd to copy the whole e-mail message to the same temporary folder where its parts are stored so they can all be scanned for viruses. I recommend you install this patch and inform your users to be wary of password protected zip files. Here's how to apply the patch:

# cd /usr/local/sbin
# ftp http://www.xmission.com/~kn/AddClamAV/passzip-patch.txt
# patch < passzip-patch.txt

The patch is simple enough that you could apply it by hand if you can't or don't want to use the patch program. There is talk of a feature being added to amavisd to do what this patch does, possibly in p8 (as of this writing p7 is the current release).


Changelog

03/08/04 -

Initial release.

03/10/04 -

Add update to section on detecting password protected viruses about p8 version of amavisd-new fixing this problem.

03/15/04 -

Added needed chown and chmod commands to chroot install.

03/30/04 -

References to Helmut's instructions removed (no longer in Scott's document).
Updated Installing ClamAV introduction.

04/13/04 -

Added optional instructions for switching ClamAV log file time stamps from GMT to localtime.

04/30/04 -

Fixed typos, changed chmods to 744.

05/04/04 -

Major update. Added Installing Needed OpenBSD Ports section and added commands to amavisd.conf since these were taken out of Scott's newest doc.

05/20/04 -

Added chmod 755 for usr/local/share and chmod 500 for /usr/local/sbin/my-tmp-delete.sh
Fixed some unimportant typos. Clarified benign nature of EICAR virus signature.

05/26/04 -

Updated URL for ClamAV port (http://www.fatbsd.com/openbsd/clamav).

11/10/04 -

Report script downloads weren't working - changed extension from ".pl" to ".txt"
Added new section - Upgrading ClamAV.

Legal Stuff and Credits

This document is ©2004 by Kris Nosack.

Thanks to the following people who helped make this document possible: Jerome Loyet (for the current ports of ClamAV), Flinn Mueller (for his previous work in porting ClamAV to OpenBSD), Mark Martinec (for Amavisd-new), Scott Vintinner (for the original instructions for setting up an OpenBSD spam filter), Helmut Schneider (for the tips for setting up ClamAV chroot), Paul Barbeau (for testing these instructions on his install).