Page centos:mail_c6:spam_4, revisions of 07.06.2013 10:23 and 08.11.2017 07:58 (author: django), revision summary: Installation and configuration of #ClamAV on #CentOS6
====== Installation and configuration of ClamAV ======
{{:centos:clamav.png?100 |ClamAV Logo}}
===== Basics =====
Checking e-mails and their attachments is handled by the free antivirus toolkit [[http://www.clamav.net/|ClamAV]] for Unix, a virus scanner released under the GNU GPL((GNU General Public License)). It was designed specifically for scanning e-mail on mail gateways, but can just as well be used to check HTTP data streams or to scan file systems. The package provides a number of tools: a flexible and scalable multi-threaded daemon, a command-line scanner and a sophisticated program for automatic updates over the Internet. The heart of the package is an antivirus engine in the form of a shared library.

The most important features of **ClamAV** are:
  * command-line scanner
  * high-performance multi-threaded daemon with support for on-access scanning
  * sophisticated database update program with support for scripted updates and digital signatures
  * virus scanner library written in C
  * on-access scanning
  * virus database updates several times a day (see the homepage for the total number of signatures)
  * built-in support for various archive formats such as Zip, RAR, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others
  * built-in support for almost all mail file formats
  * built-in support for ELF executables and Portable Executable files compressed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others

<uml width=550 title="Postfix MTA">

state "MTA" as smtp_25
smtp_25 : (Mail Transport Agent)
smtp_25 : other SMTP servers
smtp_25 : on the Internet or intranet
smtp_25 : TCP/IP - Port 25

state Postfix {
  state "smtpd:25" as smtpd_25
  smtpd_25 : SMTP daemon
  smtpd_25 : TCP/IP Port 25
  smtpd_25 : with smtpd_proxy_filter

  state "smtpd:10025" as smtpd_10025
  smtpd_10025 : SMTP daemon
  smtpd_10025 : TCP/IP Port 10025
  smtpd_10025 : *without* smtpd_proxy_filter

  state "Postfix" as work
  work : further processing
  work : of the e-mail by the
  work : mail transport agent Postfix
}

state AMaViS {
  state "smtpd:10024" as smtpd_10024
  smtpd_10024 : SMTP daemon
  smtpd_10024 : TCP/IP Port 10024

  state "AMaViS" as amavis
  amavis : master process
  amavis : (frontend system)

  state "Unpacker" as packer
  packer : backend system for
  packer : unpacking attachments
  state "Virus scanner" as virus
  virus : backend system for
  virus : checking the e-mail and its
  virus : attachments for malicious code
  state "SpamAssassin" as spam
  spam : backend system for
  spam : checking the e-mail for
  spam : unwanted content
}

state Cyrus {
  state "IMAP server" as smtpd_24
  smtpd_24 : mail delivery agent
  smtpd_24 : Dovecot IMAP server
}


 smtp_25 --> smtpd_25
 smtpd_10025 -right-> work

 smtpd_25 -right-> smtpd_10024
 smtpd_10024 --> amavis

 amavis -right-> packer
 packer -left-> amavis
 amavis -down-> virus
 virus -up-> amavis
 amavis -left-> spam
 spam -right-> amavis

 amavis -left-> smtpd_10025

 work -right-> smtpd_24
</uml>


**//ClamAV//** is mainly used together with [[centos:mailserver:start|Postfix]] and [[centos:mailserver:grundinstallation_von_amavis|AMaViS]]. The installation and configuration of the virus scanner environment (ClamAV on CentOS 6.x) is described in detail on [[centos:clamav_centos_host|this page]].

Below we deal with the installation and configuration of ClamAV in the mail server environment.

===== Installation =====
For installing **clamav** and its associated packages we best use the [[centos:rpmforge6|rpmforge]] repository; the installation itself is done with the help of **yum**.
   # yum install clamd clamav clamav-db -y
===== Package information =====
What the individual packages brought along during installation is shown by a look at each installed **rpm**.
 +
==== clamav ====
   # rpm -qil clamav
<code>Name        : clamav                       Relocations: (not relocatable)
Version     : 0.97.4                            Vendor: Dag Apt Repository, http://dag.wieers.com/apt/
Release     : 1.el6.rf                      Build Date: Thu 15 Mar 2012 08:04:38 AM CET
Install Date: Sun 10 Jun 2012 11:38:35 PM CEST      Build Host: lisse.hasselt.wieers.com
Group       : Applications/System           Source RPM: clamav-0.97.4-1.el6.rf.src.rpm
Size        : 6113818                          License: GPL
Signature   : DSA/SHA1, Thu 15 Mar 2012 03:28:39 PM CET, Key ID a20e52146b8d79e6
Packager    : Dag Wieers <dag@wieers.com>
URL         : http://www.clamav.net/
Summary     : Anti-virus software
Description :
Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose of
this software is the integration with mail servers (attachment scanning).
The package provides a flexible and scalable multi-threaded daemon, a
command line scanner, and a tool for automatic updating via Internet.

The programs are based on a shared library distributed with the Clam
AntiVirus package, which you can use with your own software. Most
importantly, the virus database is kept up to date
/etc/freshclam.conf
/usr/bin/clambc
/usr/bin/clamscan
/usr/bin/freshclam
/usr/bin/sigtool
/usr/lib64/libclamav.so
/usr/lib64/libclamav.so.6
/usr/lib64/libclamav.so.6.1.13
/usr/lib64/libclamunrar.so
/usr/lib64/libclamunrar.so.6
/usr/lib64/libclamunrar.so.6.1.13
/usr/lib64/libclamunrar_iface.so
/usr/lib64/libclamunrar_iface.so.6
/usr/lib64/libclamunrar_iface.so.6.1.13
/usr/share/doc/clamav-0.97.4
/usr/share/doc/clamav-0.97.4/AUTHORS
/usr/share/doc/clamav-0.97.4/BUGS
/usr/share/doc/clamav-0.97.4/COPYING
/usr/share/doc/clamav-0.97.4/ChangeLog
/usr/share/doc/clamav-0.97.4/FAQ
/usr/share/doc/clamav-0.97.4/INSTALL
/usr/share/doc/clamav-0.97.4/NEWS
/usr/share/doc/clamav-0.97.4/README
/usr/share/doc/clamav-0.97.4/clamav-mirror-howto.pdf
/usr/share/doc/clamav-0.97.4/clamdoc.pdf
/usr/share/doc/clamav-0.97.4/freshclam.conf
/usr/share/doc/clamav-0.97.4/phishsigs_howto.pdf
/usr/share/doc/clamav-0.97.4/signatures.pdf
/usr/share/man/man1/clambc.1.gz
/usr/share/man/man1/clamscan.1.gz
/usr/share/man/man1/freshclam.1.gz
/usr/share/man/man1/sigtool.1.gz
/usr/share/man/man5/freshclam.conf.5.gz
</code>
==== clamav-db ====
   # rpm -qil clamav-db
<code>Name        : clamav-db                    Relocations: (not relocatable)
Version     : 0.97.4                            Vendor: Dag Apt Repository, http://dag.wieers.com/apt/
Release     : 1.el6.rf                      Build Date: Thu 15 Mar 2012 08:04:38 AM CET
Install Date: Sun 10 Jun 2012 11:38:34 PM CEST      Build Host: lisse.hasselt.wieers.com
Group       : Applications/Databases        Source RPM: clamav-0.97.4-1.el6.rf.src.rpm
Size        : 33616088                         License: GPL
Signature   : DSA/SHA1, Thu 15 Mar 2012 03:28:43 PM CET, Key ID a20e52146b8d79e6
Packager    : Dag Wieers <dag@wieers.com>
URL         : http://www.clamav.net/
Summary     : Virus database for clamav
Description :
The actual virus database for clamav
/etc/cron.daily/freshclam
/etc/logrotate.d/freshclam
/var/clamav
/var/clamav/daily.cvd
/var/clamav/main.cvd
/var/log/clamav
/var/log/clamav/freshclam.log
</code>
==== clamd ====
   # rpm -qil clamd
<code>Name        : clamd                        Relocations: (not relocatable)
Version     : 0.97.4                            Vendor: Dag Apt Repository, http://dag.wieers.com/apt/
Release     : 1.el6.rf                      Build Date: Thu 15 Mar 2012 08:04:38 AM CET
Install Date: Sun 10 Jun 2012 11:38:37 PM CEST      Build Host: lisse.hasselt.wieers.com
Group       : System Environment/Daemons    Source RPM: clamav-0.97.4-1.el6.rf.src.rpm
Size        : 602939                           License: GPL
Signature   : DSA/SHA1, Thu 15 Mar 2012 03:28:41 PM CET, Key ID a20e52146b8d79e6
Packager    : Dag Wieers <dag@wieers.com>
URL         : http://www.clamav.net/
Summary     : The Clam AntiVirus Daemon
Description :
The Clam AntiVirus Daemon
/etc/clamd.conf
/etc/logrotate.d/clamav
/etc/rc.d/init.d/clamd
/usr/bin/clamconf
/usr/bin/clamdscan
/usr/bin/clamdtop
/usr/sbin/clamd
/usr/share/doc/clamd-0.97.4
/usr/share/doc/clamd-0.97.4/clamd.conf
/usr/share/man/man1/clambc.1.gz
/usr/share/man/man1/clamconf.1.gz
/usr/share/man/man1/clamdscan.1.gz
/usr/share/man/man1/clamdtop.1.gz
/usr/share/man/man5/clamd.conf.5.gz
/usr/share/man/man8/clamd.8.gz
/var/clamav
/var/log/clamav
/var/log/clamav/clamd.log
/var/run/clamav
</code>
 +
===== Configuration =====

==== clamd ====
The configuration file ** /etc/clamd.conf ** is already well prepared; no special adjustment of the configuration is therefore necessary.
<file bash /etc/clamd.conf>##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##


# Comment or remove the line below.
#Example

# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamav/clamd.log

# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default: 1M
LogFileMaxSize 0

# Log time with each message.
# Default: no
LogTime yes

# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes

# Use system logger (can work together with LogFile).
# Default: no
LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

# Enable verbose logging.
# Default: no
#LogVerbose yes

# Log additional information about the infected file, such as its
# size and hash, together with the virus name.
#ExtendedDetectionInfo yes

# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile /var/run/clamav/clamd.pid

# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
TemporaryDirectory /var/tmp

# Path to the database directory.
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/clamav

# Only load the official signatures published by the ClamAV project.
# Default: no
#OfficialDatabaseOnly no

# The daemon can work in local mode, network mode or both. 
# Due to security reasons we recommend the local mode.

# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /var/run/clamav/clamd.sock

# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
#LocalSocketGroup virusgroup

# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
#LocalSocketMode 660

# Remove stale socket after unclean shutdown.
# Default: yes
FixStaleSocket yes

# TCP port address.
# Default: no
TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.
# Default: 200
MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
#StreamMaxLength 10M

# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000

# Maximum number of threads running at the same time.
# Default: 10
MaxThreads 50

# Waiting for data from a client socket will timeout after this time (seconds).
# Default: 120
ReadTimeout 300

# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 5
#CommandReadTimeout 5

# This option specifies how long to wait (in miliseconds) if the send buffer is full.
# Keep this value low to prevent clamd hanging
#
# Default: 500
#SendBufTimeout 200

# Maximum number of queued items (including those being processed by MaxThreads threads)
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out  of file descriptors,
# the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
#
# Default: 100
#MaxQueue 200

# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60

# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
#ExcludePath ^/proc/
#ExcludePath ^/sys/

# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20

# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes

# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes

# Scan files and directories on other filesystems.
# Default: yes
#CrossFilesystems yes

# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600

# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clamav

# Initialize supplementary group access (clamd must be started by root).
# Default: no
AllowSupplementaryGroups yes

# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes

# Don't fork into background.
# Default: no
#Foreground yes

# Enable debug messages in libclamav.
# Default: no
#Debug yes

# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes

# Detect Possibly Unwanted Applications.
# Default: no
#DetectPUA yes

# Exclude a specific PUA category. This directive can be used multiple times.
# See http://www.clamav.net/support/pua for the complete list of PUA
# categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool

# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
#IncludePUA Spy
#IncludePUA Scanner
#IncludePUA RAT

# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to provide accurate detection. This option
# controls the algorithmic detection.
# Default: yes
#AlgorithmicDetection yes


##
## Executable files
##

# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option allows
# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite. If you turn off this option, the original files will still be
# scanned, but without additional processing.
# Default: yes
ScanPE yes

# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanELF yes

# With this option clamav will try to detect broken executables (both PE and
# ELF) and mark them as Broken.Executable.
# Default: no
DetectBrokenExecutables yes


##
## Documents
##

# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanOLE2 yes


# With this option enabled OLE2 files with VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#OLE2BlockMacros no

# This option enables scanning within PDF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanPDF yes


##
## Mail files
##

# Enable internal e-mail scanner.
# If you turn off this option, the original files will still be scanned, but
# without parsing individual messages/attachments.
# Default: yes
ScanMail yes

# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
# WARNING: This option may open your system to a DoS attack.
#    Never use it on loaded servers.
# Default: no
#ScanPartialMessages yes


# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes

# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes

# Always block SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockSSLMismatch no

# Always block cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockCloak no

# Allow heuristic match to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses 
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first, 
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes

##
## Data Loss Prevention (DLP)
##

# Enable the DLP module
# Default: No
#StructuredDataDetection yes

# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5

# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal yes

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes


##
## HTML
##

# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
#ScanHTML yes


##
## Archives
##

# ClamAV can scan within archives and compressed files.
# If you turn off this option, the original files will still be scanned, but
# without unpacking and additional processing.
# Default: yes
ScanArchive yes

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
ArchiveBlockEncrypted no


##
## Limits
##

# The options below protect your system against Denial of Service attacks
# using archive bombs.

# This option sets the maximum amount of data to be scanned for each input file.
# Archives and other containers are recursively extracted and scanned up to this
# value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
#MaxScanSize 150M

# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
#MaxFileSize 30M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: setting this limit too high may result in severe damage to the system.
# Default: 16
#MaxRecursion 10

# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000


##
## Clamuko settings
##

# Enable Clamuko. Dazuko must be configured and running. Clamuko supports
# both Dazuko (/dev/dazuko) and DazukoFS (/dev/dazukofs.ctrl). DazukoFS
# is the preferred option. For more information please visit www.dazuko.org
# Default: no
#ClamukoScanOnAccess yes

# The number of scanner threads that will be started (DazukoFS only).
# Having multiple scanner threads allows Clamuko to serve multiple
# processes simultaneously. This is particularly beneficial on SMP machines.
# Default: 3
#ClamukoScannerCount 3

# Don't scan files larger than ClamukoMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#ClamukoMaxFileSize 10M

# Set access mask for Clamuko (Dazuko only).
# Default: no
#ClamukoScanOnOpen yes
#ClamukoScanOnClose yes
#ClamukoScanOnExec yes

# Set the include paths (all files inside them will be scanned). You can have
# multiple ClamukoIncludePath directives but each directory must be added
# in a seperate line. (Dazuko only)
# Default: disabled
#ClamukoIncludePath /home
#ClamukoIncludePath /students

# Set the exclude paths. All subdirectories are also excluded. (Dazuko only)
# Default: disabled
#ClamukoExcludePath /home/bofh

# With this option you can whitelist specific UIDs. Processes with these UIDs
# will be able to access all files.
# This option can be used multiple times (one per line).
# Default: disabled
#ClamukoExcludeUID 0

# With this option enabled ClamAV will load bytecode from the database. 
# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
# Default: yes
#Bytecode yes

# Set bytecode security level.
# Possible values:
#       None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
#         This value is only available if clamav was built with --enable-debug!
#       TrustSigned - trust bytecode loaded from signed .c[lv]d files,
#                insert runtime safety checks for bytecode loaded from other sources
#       Paranoid - don't trust any bytecode, insert runtime checks for all
# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
#
# Default: TrustSigned
#BytecodeSecurity TrustSigned

# Set bytecode timeout in miliseconds.

# Default: 5000
# BytecodeTimeout 1000
</file>
If you want to view the entire configuration without the many comment lines, a suitably crafted **egrep** will print just the active directives.
   # egrep -v '(^.*#|^$)' /etc/clamd.conf
<code bash>LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime yes
LogSyslog yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/clamav
LocalSocket /var/run/clamav/clamd.sock
FixStaleSocket yes
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User clamav
AllowSupplementaryGroups yes
ScanPE yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
ScanMail yes
ScanArchive yes
ArchiveBlockEncrypted no
</code>

In the configuration file of our **AMaViS** daemon we find the following configuration hint for integrating and using **ClamAV**.
<code># ### http://www.clamav.net/
# ['ClamAV-clamd',
#   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
#   qr/\bOK$/m, qr/\bFOUND$/m,
#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
# # NOTE: run clamd under the same user as amavisd, or run it under its own
# #   uid such as clamav, add user clamav to the amavis group, and then add
# #   AllowSupplementaryGroups to clamd.conf;
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# #   this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
</code>
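To make the entry above concrete, here is an added Python example (not part of the original page, and not code from the amavisd or ClamAV projects) of the exchange between a client and clamd: it streams data to clamd over the TCP socket (127.0.0.1:3310) or the Unix socket from clamd.conf using the INSTREAM command, and classifies clamd's reply with the same three patterns the amavisd entry uses, translated from Perl `qr//` to Python `re`. The sample replies are constructed, and the rule that a FOUND line wins over OK lines in a multi-file CONTSCAN reply is an assumption of this example.

```python
import re
import socket
import struct

# The three patterns from the amavisd.conf entry, translated from Perl qr//m to Python re.M:
# clean marker, infection marker, and the capture of the signature name.
CLEAN_RE = re.compile(r"\bOK$", re.M)
FOUND_RE = re.compile(r"\bFOUND$", re.M)
NAME_RE = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M)


def classify_reply(reply):
    """Interpret a clamd reply as the amavisd entry would.

    Returns ("infected", [signature names]), ("clean", []) or ("error", reply).
    Assumption of this example: a FOUND line takes precedence over OK lines when
    a multi-file (CONTSCAN) reply contains both.
    """
    if FOUND_RE.search(reply):
        return "infected", NAME_RE.findall(reply)
    if CLEAN_RE.search(reply):
        return "clean", []
    return "error", reply.strip()


def _connect(address, timeout):
    """Open a socket to clamd: a (host, port) tuple for TCPSocket/TCPAddr, or a
    path string for LocalSocket (/var/run/clamav/clamd.sock in the clamd.conf above)."""
    if isinstance(address, tuple):
        return socket.create_connection(address, timeout=timeout)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    sock.connect(address)
    return sock


def instream_scan(data, address=("127.0.0.1", 3310), timeout=30, chunk_size=8192):
    """Scan `data` (bytes) with clamd's INSTREAM command and return the reply text.

    Wire format: b"zINSTREAM\\0", then chunks of 4-byte big-endian length + payload,
    ended by a zero-length chunk; the z-prefixed reply is terminated with a NUL byte.
    Needs a running clamd, so it is not exercised offline.
    """
    with _connect(address, timeout) as sock:
        sock.sendall(b"zINSTREAM\0")
        for offset in range(0, len(data), chunk_size):
            chunk = data[offset:offset + chunk_size]
            sock.sendall(struct.pack("!I", len(chunk)) + chunk)
        sock.sendall(struct.pack("!I", 0))  # zero-length chunk ends the stream
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return reply.rstrip(b"\0").decode("utf-8", "replace")


# Constructed sample replies (not captured from a real clamd) covering the three outcomes.
SAMPLE_REPLIES = {
    "clean": "stream: OK\n",
    "infected": "/var/amavis/tmp/amavis-1/parts/p001: OK\n"
                "/var/amavis/tmp/amavis-1/parts/p002: Eicar-Test-Signature FOUND\n",
    "error": "stream: INSTREAM size limit exceeded. ERROR\n",
}

if __name__ == "__main__":
    for label, text in SAMPLE_REPLIES.items():
        print(label, "->", classify_reply(text))
    # With a local clamd listening on 127.0.0.1:3310 (TCPSocket/TCPAddr above):
    # print(classify_reply(instream_scan(b"harmless test data")))
```

The `(?!Infected Archive)` lookahead in the name pattern means a reply whose only FOUND line names "Infected Archive" is still classified as infected but yields no signature name, exactly as the Perl entry behaves; the size-limit reply ends in ERROR and matches neither pattern, which amavisd treats as a scanner error rather than a clean result.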
 +
So we briefly check whether the user **clamav** is already a member of the group **amavis**.
   # grep amavis /etc/group

   amavis:x:494:

So no supplementary members are listed for the group **amavis** (GID **494**). A look into ** /etc/passwd ** shows which user has this GID as its primary group.
   # grep ':494:' /etc/passwd

   amavis:x:497:494:Amavis email scan user:/var/amavis:/bin/sh

So this is "only" the user **amavis** itself. We therefore now add the user **clamav** to the group **amavis**.
   # usermod -a -G amavis clamav

Another look now shows that, as required by the hints in ** /etc/amavisd.conf **, the user **clamav** is a member of the group **amavis**.
   # grep amavis /etc/group

   amavis:x:494:clamav
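The prerequisites collected so far (socket path, socket permissions, TCP binding, privilege drop, group membership) fail silently when one of them is off, so here is an added pre-flight check in Python; it is not part of the original page and not code from the ClamAV or AMaViS projects. It parses the clamd.conf shown above together with /etc/group and /etc/passwd lines and reports which of the integration requirements named in the amavisd hint hold. The inputs are constructed excerpts; the expected socket path defaults to the one in the amavisd hint (`/var/run/clamav/clamd`), which differs from the `clamd.sock` path in the clamd.conf above, and LocalSocketMode is commented out there, so the socket stays world-accessible as the file's own comment states: the check flags both.

```python
def parse_clamd_conf(text):
    """Parse clamd.conf text into {directive: [values]}; directives may repeat (e.g. ExcludePath)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key, []).append(value.strip())
    return conf


def group_members(group_text, passwd_text, group):
    """All users in `group`: supplementary members listed in /etc/group plus
    users whose primary GID (4th passwd field) is that group's GID."""
    gid, members = None, set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == group:
            gid = fields[2]
            members.update(m for m in fields[3].split(",") if m)
    if gid is not None:
        for line in passwd_text.splitlines():
            fields = line.split(":")
            if len(fields) >= 4 and fields[3] == gid:
                members.add(fields[0])
    return members


def preflight(conf, group_text, passwd_text, amavis_socket="/var/run/clamav/clamd",
              scanner_user="clamav", amavis_group="amavis"):
    """Return {check name: bool} for the clamd/AMaViS requirements discussed on this page."""
    local_socket = conf.get("LocalSocket", [""])[-1]
    tcp_addr = conf.get("TCPAddr", [""])[-1]
    mode = conf.get("LocalSocketMode", [""])[-1]
    return {
        # amavisd hint: LocalSocket must equal the socket named in the ask_daemon entry
        "socket_matches_amavisd": local_socket == amavis_socket,
        # amavisd hint: clamav in the amavis group, with AllowSupplementaryGroups in clamd.conf
        "scanner_in_amavis_group": scanner_user in group_members(group_text, passwd_text, amavis_group),
        "supplementary_groups_enabled": conf.get("AllowSupplementaryGroups", ["no"])[-1].lower() == "yes",
        # clamd.conf's own advice: if TCPSocket is on, bind to loopback rather than INADDR_ANY
        "tcp_loopback_only": "TCPSocket" not in conf or tcp_addr in ("127.0.0.1", "::1", "localhost"),
        # without LocalSocketMode the socket is world-accessible; an octal mode ending in 0 denies "other"
        "socket_mode_restricted": mode != "" and mode[-1] == "0",
        # User directive set: clamd drops root privileges after start
        "drops_privileges": conf.get("User", [""])[-1] not in ("", "root"),
    }


# Constructed excerpt of the clamd.conf above, limited to the directives the checks read.
SAMPLE_CLAMD_CONF = """\
# comment lines are skipped
LocalSocket /var/run/clamav/clamd.sock
#LocalSocketMode 660
FixStaleSocket yes
TCPSocket 3310
TCPAddr 127.0.0.1
User clamav
AllowSupplementaryGroups yes
"""
# Constructed /etc/group and /etc/passwd lines as they look after the usermod step above;
# the clamav uid/gid values are made up for the example.
SAMPLE_GROUP = "amavis:x:494:clamav\nclamav:x:495:\n"
SAMPLE_PASSWD = ("amavis:x:497:494:Amavis email scan user:/var/amavis:/bin/sh\n"
                 "clamav:x:498:495:Clam AntiVirus:/var/clamav:/sbin/nologin\n")

if __name__ == "__main__":
    result = preflight(parse_clamd_conf(SAMPLE_CLAMD_CONF), SAMPLE_GROUP, SAMPLE_PASSWD)
    for check, ok in result.items():
        print(("OK  " if ok else "FAIL"), check)
```

Run against the real files with `open("/etc/clamd.conf").read()` and the contents of /etc/group and /etc/passwd; a FAIL on `socket_matches_amavisd` means either the `LocalSocket` line or the path in the amavisd `ask_daemon` entry has to be changed so that both name the same socket.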
 +
==== freshclamd ====
To keep [[http://www.clamav.net|ClamAV]] supplied with up-to-date virus information, the program **freshclam** from the **clamav** package is at our service.

In the default configuration **freshclam** updates the virus pattern database **once a day**. If needed, we can adapt the update cycle to our requirements and, for example, check every hour whether new pattern files are available, download them to our machine and merge them into the local database. Two mechanisms are available for this: **crontab** and **daemon mode**. Both variants could be used in parallel on the system; both options are briefly described below.

=== Using crontab ===
The first and simplest option is to move the update script, currently named **freshclam** and located by default under //**/etc/cron.daily**//, to //**/etc/cron.hourly/**//.
The update script contains the following parameters and calls:
<file freshclam>#!/bin/sh

### A simple update script for the clamav virus database.
### This could as well be replaced by a SysV script.

### fix log file if needed
LOG_FILE="/var/log/clamav/freshclam.log"
if [ ! -f "$LOG_FILE" ]; then
    touch "$LOG_FILE"
    chmod 644 "$LOG_FILE"
    chown clamav.clamav "$LOG_FILE"
fi

/usr/bin/freshclam \
    --quiet \
    --datadir="/var/clamav" \
    --log="$LOG_FILE" \
    --daemon-notify="/etc/clamd.conf"
</file>
 +
So, if needed, we move the script to //**/etc/cron.hourly/**//.
   # mv /etc/cron.daily/freshclam /etc/cron.hourly/

=== Using daemon mode ===
The second option mentioned above for updating the virus pattern database is to use the **freshclam daemon**, which runs in the background and regularly queries the pattern servers.

== Init script ==
Since our installation did not ship with a suitable SysV init script, we create our own start script.
  # vim /etc/init.d/freshclamd
<file bash freshclamd>
#!/bin/sh
#
# freshclamd    Init Script to start/stop the freshclamd.
#
# chkconfig: - 62 38
# description: freshclam is an update daemon for Clam AV database.
#
# processname: freshclamd
# config: /etc/freshclam.conf
# pidfile: /var/run/clamav/freshclam.pid

# Source function library
. /etc/init.d/functions

# Get network config
. /etc/sysconfig/network

test -f /etc/freshclam.conf || exit 0

RETVAL=0
DATA_DIR="/var/clamav"
CLAMD_CONF_FILE="/etc/clamd.conf"
LOG_FILE="/var/log/clamav/freshclam.log"

if [ ! -f "$LOG_FILE" ]; then
    touch "$LOG_FILE"
    chmod 644 "$LOG_FILE"
    chown clamav.clamav "$LOG_FILE"
fi

start() {
        echo -n $"Starting freshclam: "
        # Start me up!
        #       --log="$LOG_FILE" \
        #       --log-verbose \
        daemon /usr/bin/freshclam -d -p /var/run/clamav/freshclam.pid \
                -c 48 \
                --quiet \
                --datadir="$DATA_DIR" \
                --daemon-notify="$CLAMD_CONF_FILE"
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/freshclam
        return $RETVAL
}

stop() {
        echo -n $"Stopping freshclam: "
        killproc freshclam
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/run/clamav/freshclam.pid /var/lock/subsys/freshclam
        return $RETVAL
}

restart() {
        stop
        start
}

reload() {
        echo -n $"Reloading DB: "
        killproc freshclam -ALRM
        RETVAL=$?
        echo
        return $RETVAL
}


case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        status freshclam
        ;;
  restart)
        restart
        ;;
  condrestart)
        [ -f /var/lock/subsys/freshclam ] && restart || :
        ;;
  reload)
        reload
        ;;
  *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|reload}"
        exit 1
esac

exit $?
</file>
 +Anschließend passen wir noch die Dateirechte an:
 +   # chmod +x /etc/init.d/freshclamd
 +
 +== Konfiguration ==
 +Wir passen nun in der Konfigurationsdatei ** // /etc/freshclam.conf // ** das Updateintervall unseren Vorstellungen entsprechend an.
 +<code bash># vim /etc/freshclam.conf
 +
 +...
 +# Number of database checks per day.
 +# Default: 12 (every two hours)
 +# Django 2009-05-17 für halbstündlichen Virenpatterndatenbankcheck
 +Checks 48
 +...
 +</code>
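Review bot: the subsys lock file used in start() and stop() (`touch /var/lock/subsys/freshclam`, `rm -f /var/run/clamav/freshclam.pid /var/lock/subsys/freshclam`) does not match the script name `freshclamd` from `vim /etc/init.d/freshclamd`; the SysV `rc` shutdown sequence only calls a K-script's stop action when `/var/lock/subsys/<scriptname>` exists, so with this naming freshclam is never stopped cleanly at shutdown or runlevel change, and the `condrestart` test `[ -f /var/lock/subsys/freshclam ]` is affected the same way. Either rename the lock file to `/var/lock/subsys/freshclamd` in all three places or install the script as `freshclam`. The header `# processname: freshclamd` names a binary that does not exist (the daemon is `/usr/bin/freshclam`, which is also what `killproc freshclam` and `status freshclam` correctly use), so it should read `processname: freshclam`. `-c 48` on the daemon line duplicates `Checks 48` in /etc/freshclam.conf; keep the setting in one place (the config file) so a later interval change cannot silently be overridden by the init script. Minor: `chown clamav.clamav` uses the deprecated dot separator; `chown clamav:clamav` is the portable form.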
 +==== amavisd ====
 +Die Konfiguration unseres AV-Scanners [[http://www.clamav.net/|clamav]] erfolgt über dessen Frontend [[centos:mail_c6:spam_3|AMaViS]]. Wir bearbeiten also die Datei **amavisd.conf**.
 +   # vim /etc/amavisd.conf
 +
 +Die Pfadangaben passen wir unseren Gegebenheiten an:
 +   $MYHOME = '/var/amavis';                    # a convenient default for other settings, -H
 +   $TEMPBASE = "$MYHOME/tmp";                  # working directory, needs to exist, -T
 +   $ENV{TMPDIR} = $TEMPBASE;                   # environment variable TMPDIR, used by SA, etc.
 +   $QUARANTINEDIR = "/var/virusmails";
 +
 +Ebenso:
 +   $db_home   = "$MYHOME/db";                  # dir for bdb nanny/cache/snmp databases, -D
 +   $helpers_home = "$MYHOME/var";              # working directory for SpamAssassin, -S
 +   $lock_file = "$MYHOME/var/amavisd.lock";    # -L
 +   $pid_file  = "$MYHOME/var/amavisd.pid";     # -P
 +   $unix_socketname = "$MYHOME/amavisd.sock";  # amavisd-release or amavis-milter
 +
 +Für den ersten Programmstart drehen wir den Loglevel auf den Wert **3**, den wir im späteren Produktivbetrieb dann auf **2** herabsetzen können. Somit erhalten wir in der Anfangsphase wertvolle und ausreichende Hinweise, falls etwas nicht wie geplant laufen sollte.
 +   $log_level = 3;                             # verbosity 0..5, -d
 +
 +Da wir uns weder mit **Viren**, noch mit **Spam** oder den **unerwünschten Dateianhängen** herumschlagen wollen, weisen wir AMaViS an, diese Nachrichten über den Mailserver direkt ablehnt.
 +   $final_virus_destiny      = D_REJECT;
 +   $final_banned_destiny     = D_REJECT;
 +   $final_spam_destiny       = D_REJECT;
 +
 +Da wir AMaViS in erster Linie in der dämonisierten Variante und als Fallback als Backup-Scanner verwenden wollen,  aktivieren wir die entsprechenden Konfigurationszeilen kurz nach der Zeile **@av_scanners = (**. 
 +
 +<WRAP round important>**Wichtig**:
 +Die Pfadangaben des **Socket** müssen zu den Angaben in der vorweg beschriebenen **/etc/clamd.conf** passen!
 +</WRAP>
 +
 +<code bash># ### http://www.clamav.net/
 +# Django : 2012-05-21
 +# ClamAV in der daemonisierten Variante aktiviert
 +# default: unset
 +#  ['ClamAV-clamd',
 +#    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
 +#    qr/\bOK$/m, qr/\bFOUND$/m,
 +#    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
 +['ClamAV-clamd',
 +  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
 +  qr/\bOK$/m, qr/\bFOUND$/m,
 +  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
 +# # NOTE: run clamd under the same user as amavisd, or run it under its own
 +# #   uid such as clamav, add user clamav to the amavis group, and then add
 +# #   AllowSupplementaryGroups to clamd.conf;
 +# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
 +# #   this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
 +</code>
 +
 +<WRAP round tip>Damit uns später das Maillogfile nicht mit unzähligen Meldungen wie **No primary av scanner:** und **No secondary av scanner:** zugemüllt wird für Scan-Engines, die wir nicht installiert haben, deaktivieren wir diese in der Konfigurationsdatei unseres AMaViS-Daemon.
 +</WRAP>
 +
 +Die komplette AMaViS-Konfiguration lautet demnach nunmehr.
 +  # less /etc/amavisd.conf
 +<file perl /etc/amavisd.conf>use strict;
 +
 +# a minimalistic configuration file for amavisd-new with all necessary settings
 +#
 +#   see amavisd.conf-default for a list of all variables with their defaults;
 +#   see amavisd.conf-sample for a traditional-style commented file;
 +#   for more details see documentation in INSTALL, README_FILES/*
 +#   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html
 +
 +
 +# COMMONLY ADJUSTED SETTINGS:
 +
 +# @bypass_virus_checks_maps = (1);  # controls running of anti-virus code
 +# @bypass_spam_checks_maps  = (1);  # controls running of anti-spam code
 +# $bypass_decode_parts = 1;         # controls running of decoders&dearchivers
 +
 +$max_servers = 2;            # num of pre-forked children (2..30 is common), -m
 +$daemon_user  = "amavis";     # (no default;  customary: vscan or amavis), -u
 +$daemon_group = "amavis";     # (no default;  customary: vscan or amavis), -g
 +
 +# Django : 2012-05-21
 +# default: $mydomain = 'example.com';
 +$mydomain = 'nausch.org';    # a convenient default for other settings
 +
 +# Django : 2012-06-25 "by localhost" in den Haederzeilen durch "" ersetzen
 +# default: unset
 +$localhost_name = "";
 +
 +# Django : 2012-05-21
 +# default: unset
 +$MYHOME = '/var/amavis';     # a convenient default for other settings, -H
 +$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
 +$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR, used by SA, etc.
 +$QUARANTINEDIR = "/var/virusmails";
 +# $quarantine_subdir_levels = 1;  # add level of subdirs to disperse quarantine
 +# $release_format = 'resend';     # 'attach', 'plain', 'resend'
 +# $report_format  = 'arf';        # 'attach', 'plain', 'resend', 'arf'
 +
 +# $daemon_chroot_dir = $MYHOME;   # chroot directory or undef, -R
 +
 +$db_home   = "$MYHOME/db";        # dir for bdb nanny/cache/snmp databases, -D
 +# Django : 2012-05-21
 +# default: unset
 +$helpers_home = "$MYHOME/var";    # working directory for SpamAssassin, -S
 +# Django : 2012-05-21
 +# default: unset
 +$lock_file = "$MYHOME/var/amavisd.lock";  # -L
 +# Django : 2012-05-21
 +# default: unset
 +$pid_file  = "$MYHOME/var/amavisd.pid";   # -P
 +#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually
 +
 +# Django : 2012-05-21
 +# default: $log_level = 0;
 +$log_level = 3;      # verbosity 0..5, -d
 +$log_recip_templ = undef;    # disable by-recipient level-0 log entries
 +$DO_SYSLOG = 1;              # log via syslogd (preferred)
 +$syslog_facility = 'mail';   # Syslog facility as a string
 +           # e.g.: mail, daemon, user, local0, ... local7
 +$syslog_priority = 'debug';  # Syslog base (minimal) priority as a string,
 +           # choose from: emerg, alert, crit, err, warning, notice, info, debug
 +
 +$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
 +$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
 +$nanny_details_level = 2;    # nanny verbosity: 1: traditional, 2: detailed
 +$enable_dkim_verification = 1;  # enable DKIM signatures verification
 +$enable_dkim_signing = 1;    # load DKIM signing code, keys defined by dkim_key
 +
 +@local_domains_maps = ( [".$mydomain"] );  # list of all local domains
 +
 +# Django : 2012-05-21
 +# @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
 +#                   10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
 +@mynetworks = qw( 127.0.0.0/8 10.0.0.0/24 );
 +
 +$unix_socketname = "$MYHOME/amavisd.sock";  # amavisd-release or amavis-milter
 +               # option(s) -p overrides $inet_socket_port and $unix_socketname
 +
 +$inet_socket_port = 10024;   # listen on this local TCP port(s)
 +# $inet_socket_port = [10024,10026];  # listen on multiple TCP ports
 +
 +# Django : 2012-05-21
 +# default: unset             # listening only on localhost
 +$inet_socket_bind = '*';     # listen on this port 10024 on all network-interfaces
 +
 +# Django : 2012-05-21
 +# default: @inet_acl = qw( 127.0.0.1 ::1 );
 +@inet_acl = qw( 127.0.0.1 10.0.0.80/32 );  # access allowed from this hosts
 +
 +$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
 +  originating => 1,  # is true in MYNETS by default, but let's make it explicit
 +  os_fingerprint_method => undef,  # don't query p0f for internal clients
 +};
 +
 +# it is up to MTA to re-route mail from authenticated roaming users or
 +# from internal hosts to a dedicated TCP port (such as 10026) for filtering
 +$interface_policy{'10026'} = 'ORIGINATING';
 +
 +$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
 +  originating => 1,  # declare that mail was submitted by our smtp client
 +  allow_disclaimers => 1,  # enables disclaimer insertion if available
 +  # notify administrator of locally originating malware
 +  virus_admin_maps => ["virusalert\@$mydomain"],
 +  spam_admin_maps  => ["virusalert\@$mydomain"],
 +  warnbadhsender   => 1,
 +  # forward to a smtpd service providing DKIM signing service
 +  forward_method => 'smtp:[127.0.0.1]:10027',
 +  # force MTA conversion to 7-bit (e.g. before DKIM signing)
 +  smtpd_discard_ehlo_keywords => ['8BITMIME'],
 +  bypass_banned_checks_maps => [1],  # allow sending any file names and types
 +  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
 +};
 +
 +$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname
 +
 +# Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c
 +# (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'):
 +$policy_bank{'AM.PDP-SOCK'} = {
 +  protocol => 'AM.PDP',
 +  auth_required_release => 0,  # do not require secret_id for amavisd-release
 +};
 +
 +$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
 +# Django : 2012-05-21
 +# default: $sa_tag2_level_deflt = 6.2;
 +$sa_tag2_level_deflt = 6.31;  # add 'spam detected' headers at that level
 +# Django : 2012-05-21
 +# default: $sa_kill_level_deflt = 6.9;
 +$sa_kill_level_deflt = 6.31;  # triggers spam evasive actions (e.g. blocks mail)
 +$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
 +$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
 +# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
 +$penpals_bonus_score = 8;    # (no effect without a @storage_sql_dsn database)
 +$penpals_threshold_high = $sa_kill_level_deflt;  # don't waste time on hi spam
 +$bounce_killer_score = 100;  # spam score points to add for joe-jobbed bounces
 +
 +$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
 +$sa_local_tests_only = 0;    # only tests which do not require internet access?
 +
 +# @lookup_sql_dsn =
 +#   ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
 +#     ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
 +#     ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
 +# @storage_sql_dsn = @lookup_sql_dsn;  # none, same, or separate database
 +
 +# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
 +#   defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)
 +
 +$virus_admin               = "virusalert\@$mydomain";  # notifications recip.
 +
 +$mailfrom_notify_admin     = "virusalert\@$mydomain";  # notifications sender
 +$mailfrom_notify_recip     = "virusalert\@$mydomain";  # notifications sender
 +$mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender
 +$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef
 +
 +@addr_extension_virus_maps      = ('virus');
 +@addr_extension_banned_maps     = ('banned');
 +@addr_extension_spam_maps       = ('spam');
 +@addr_extension_bad_header_maps = ('badh');
 +# $recipient_delimiter = '+';  # undef disables address extensions altogether
 +# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+
 +
 +$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
 +# $dspam = 'dspam';
 +
 +$MAXLEVELS = 14;
 +$MAXFILES = 1500;
 +$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)
 +$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not enforced)
 +
 +$sa_spam_subject_tag = '***SPAM*** ';
 +$defang_virus  = 1;  # MIME-wrap passed infected mail
 +$defang_banned = 1;  # MIME-wrap passed mail containing banned name
 +# for defanging bad headers only turn on certain minor contents categories:
 +$defang_by_ccat{+CC_BADH.",3"} = 1;  # NUL or CR character in header
 +$defang_by_ccat{+CC_BADH.",5"} = 1;  # header line longer than 998 characters
 +$defang_by_ccat{+CC_BADH.",6"} = 1;  # header field syntax error
 +
 +
 +# OTHER MORE COMMON SETTINGS (defaults may suffice):
 +
 +# Django : 2010-05-21
 +# default: unset 
 +$myhostname = 'amavis.dmz.nausch.org';  # must be a fully-qualified domain name!
 +
 +# Django : 2010-05-21
 +# default: # $notify_method  = 'smtp:[127.0.0.1]:10025';
 +$notify_method  = 'smtp:[mail.dmz.nausch.org]:10025';
 +# Django : 2010-05-21
 +# default: # $forward_method = 'smtp:[127.0.0.1]:10025';
 +$forward_method = 'smtp:[mail.dmz.nausch.org]:10025';  # set to undef with milter!
 +
 +# Django : 2012-05-21
 +# default: unset
 +$final_virus_destiny      = D_DISCARD;
 +# Django : 2012-05-21
 +# default: unset
 +$final_banned_destiny     = D_BOUNCE;
 +# Django : 2012-05-21
 +# default: unset
 +$final_spam_destiny       = D_BOUNCE;
 +# $final_bad_header_destiny = D_PASS;
 +# $bad_header_quarantine_method = undef;
 +
 +# $os_fingerprint_method = 'p0f:*:2345';  # to query p0f-analyzer.pl
 +
 +## hierarchy by which a final setting is chosen:
 +##   policy bank (based on port or IP address) -> *_by_ccat
 +##   *_by_ccat (based on mail contents) -> *_maps
 +##   *_maps (based on recipient address) -> final configuration value
 +
 +
 +# SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all)
 +
 +# $warnbadhsender,
 +# $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps)
 +#
 +# @bypass_virus_checks_maps, @bypass_spam_checks_maps,
 +# @bypass_banned_checks_maps, @bypass_header_checks_maps,
 +#
 +# @virus_lovers_maps, @spam_lovers_maps,
 +# @banned_files_lovers_maps, @bad_header_lovers_maps,
 +#
 +# @blacklist_sender_maps, @score_sender_maps,
 +#
 +# $clean_quarantine_method, $virus_quarantine_to, $banned_quarantine_to,
 +# $bad_header_quarantine_to, $spam_quarantine_to,
 +#
 +# $defang_bad_header, $defang_undecipherable, $defang_spam
 +
 +
 +# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS
 +
 +@keep_decoded_original_maps = (new_RE(
 +  qr'^MAIL$',   # retain full original message for virus checking
 +  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
 +  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
 +# qr'^Zip archive data',     # don't trust Archive::Zip
 +));
 +
 +
 +# for $banned_namepath_re (a new-style of banned table) see amavisd.conf-sample
 +
 +$banned_filename_re = new_RE(
 +
 +### BLOCKED ANYWHERE
 +# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
 +  qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary
 +# qr'^\.(exe|lha|cab|dll)$',              # banned file(1) types
 +
 +### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
 +# [ qr'^\.(gz|bz2)$'             => 0 ],  # allow any in gzip or bzip2
 +  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
 +
 +  qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary
 +# qr'^\.zip$',                            # block zip type
 +
 +### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
 +# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within these archives
 +
 +  qr'^application/x-msdownload$'i,        # block these MIME types
 +  qr'^application/x-msdos-program$'i,
 +  qr'^application/hta$'i,
 +
 +# qr'^message/partial$'i,         # rfc2046 MIME type
 +# qr'^message/external-body$'i,   # rfc2046 MIME type
 +
 +# qr'^(application/x-msmetafile|image/x-wmf)$'i,  # Windows Metafile MIME type
 +# qr'^\.wmf$',                            # Windows Metafile file(1) type
 +
 +  # block certain double extensions in filenames
 +  qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
 +
 +# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict
 +# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose
 +
 +  qr'.\.(exe|vbs|pif|scr|cpl)$'i,             # banned extension - basic
 +# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd
 +# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
 +#        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
 +#        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
 +#        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long
 +# qr'.\.(ani|cur|ico)$'i,                 # banned cursors and icons filename
 +# qr'^\.ani$',                            # banned animated cursor file(1) type
 +
 +# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
 +);
 +# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
 +# and http://www.cknow.com/vtutor/vtextensions.htm
 +
 +
 +# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
 +
 +@score_sender_maps = ({ # a by-recipient hash lookup table,
 +                        # results from all matching recipient tables are summed
 +
 +# ## per-recipient personal tables  (NOTE: positive: black, negative: white)
 +# 'user1@example.com'  => [{'bla-mobile.press@example.com' => 10.0}],
 +# 'user3@example.com'  => [{'.ebay.com'                 => -3.0}],
 +# 'user4@example.com'  => [{'cleargreen@cleargreen.com' => -7.0,
 +#                           '.cleargreen.com'           => -5.0}],
 +
 +  ## site-wide opinions about senders (the '.' matches any recipient)
 +  '.' => [  # the _first_ matching sender determines the score boost
 +
 +   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
 +    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'        => 5.0],
 +    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
 +    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
 +    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'  => 5.0],
 +    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@' => 5.0],
 +    [qr'^(your_friend|greatoffers)@'                               => 5.0],
 +    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'                   => 5.0],
 +   ),
 +
 +#  read_hash("/var/amavis/sender_scores_sitewide"),
 +
 +   { # a hash-type lookup table (associative array)
 +     'nobody@cert.org'                        => -3.0,
 +     'cert-advisory@us-cert.gov'              => -3.0,
 +     'owner-alert@iss.net'                    => -3.0,
 +     'slashdot@slashdot.org'                  => -3.0,
 +     'securityfocus.com'                      => -3.0,
 +     'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
 +     'security-alerts@linuxsecurity.com'      => -3.0,
 +     'mailman-announce-admin@python.org'      => -3.0,
 +     'amavis-user-admin@lists.sourceforge.net'=> -3.0,
 +     'amavis-user-bounces@lists.sourceforge.net' => -3.0,
 +     'spamassassin.apache.org'                => -3.0,
 +     'notification-return@lists.sophos.com'   => -3.0,
 +     'owner-postfix-users@postfix.org'        => -3.0,
 +     'owner-postfix-announce@postfix.org'     => -3.0,
 +     'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
 +     'sendmail-announce-request@lists.sendmail.org' => -3.0,
 +     'donotreply@sendmail.org'                => -3.0,
 +     'ca+envelope@sendmail.org'               => -3.0,
 +     'noreply@freshmeat.net'                  => -3.0,
 +     'owner-technews@postel.acm.org'          => -3.0,
 +     'ietf-123-owner@loki.ietf.org'           => -3.0,
 +     'cvs-commits-list-admin@gnome.org'       => -3.0,
 +     'rt-users-admin@lists.fsck.com'          => -3.0,
 +     'clp-request@comp.nus.edu.sg'            => -3.0,
 +     'surveys-errors@lists.nua.ie'            => -3.0,
 +     'emailnews@genomeweb.com'                => -5.0,
 +     'yahoo-dev-null@yahoo-inc.com'           => -3.0,
 +     'returns.groups.yahoo.com'               => -3.0,
 +     'clusternews@linuxnetworx.com'           => -3.0,
 +     lc('lvs-users-admin@LinuxVirtualServer.org'   => -3.0,
 +     lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
 +
 +     # soft-blacklisting (positive score)
 +     'sender@example.net'                     =>  3.0,
 +     '.example.net'                           =>  1.0,
 +
 +   },
 +  ],  # end of site-wide tables
 +});
 +
 +
 +@decoders = (
 +  ['mail', \&do_mime_decode],
 +  ['asc',  \&do_ascii],
 +  ['uue',  \&do_ascii],
 +  ['hqx',  \&do_ascii],
 +  ['ync',  \&do_ascii],
 +  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
 +  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
 +  ['gz',   \&do_uncompress,  'gzip -d'],
 +  ['gz',   \&do_gunzip],
 +  ['bz2',  \&do_uncompress,  'bzip2 -d'],
 +  ['lzo',  \&do_uncompress,  'lzop -d'],
 +  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
 +  ['cpio', \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
 +  ['tar',  \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
 +  ['deb',  \&do_ar,          'ar'],
 +# ['a',    \&do_ar,          'ar'],  # unpacking .a seems an overkill
 +  ['zip',  \&do_unzip],
 +  ['7z',   \&do_7zip,       ['7zr','7za','7z'] ],
 +  ['rar',  \&do_unrar,      ['rar','unrar'] ],
 +  ['arj',  \&do_unarj,      ['arj','unarj'] ],
 +  ['arc',  \&do_arc,        ['nomarch','arc'] ],
 +  ['zoo',  \&do_zoo,        ['zoo','unzoo'] ],
 +  ['lha',  \&do_lha,         'lha'],
 +# ['doc',  \&do_ole,         'ripole'],
 +  ['cab',  \&do_cabextract,  'cabextract'],
 +  ['tnef', \&do_tnef_ext,    'tnef'],
 +  ['tnef', \&do_tnef],
 +# ['sit',  \&do_unstuff,     'unstuff'],  # broken/unsafe decoder
 +  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
 +);
 +
 +
 +@av_scanners = (
 +
 +# ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/)
 +# ['Sophie',
 +#   \&ask_daemon, ["{}/\n", '/var/run/sophie'],
 +#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/m,
 +#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],
 +
 +# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
 +# ['Sophos SAVI', \&sophos_savi ],
 +
 +# ### http://www.clamav.net/
 +# Django : 2012-05-21
 +# ClamAV in der daemonisierten Variante aktiviert
 +# default: unset
 +#  ['ClamAV-clamd',
 +#    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
 +#    qr/\bOK$/m, qr/\bFOUND$/m,
 +#    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
 +['ClamAV-clamd',
 +  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
 +  qr/\bOK$/m, qr/\bFOUND$/m,
 +  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
 +# # NOTE: run clamd under the same user as amavisd, or run it under its own
 +# #   uid such as clamav, add user clamav to the amavis group, and then add
 +# #   AllowSupplementaryGroups to clamd.conf;
 +# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
 +# #   this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
 +
 +# ### http://www.clamav.net/ and CPAN  (memory-hungry! clamd is preferred)
 +# # note that Mail::ClamAV requires perl to be build with threading!
 +# ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/m ],
 +
 +# ### http://www.openantivirus.org/
 +# ['OpenAntiVirus ScannerDaemon (OAV)',
 +#   \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],
 +#   qr/^OK/m, qr/^FOUND: /m, qr/^FOUND: (.+)/m ],
 +
 +# ### http://www.vanja.com/tools/trophie/
 +# ['Trophie',
 +#   \&ask_daemon, ["{}/\n", '/var/run/trophie'],
 +#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/m,
 +#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],
 +
 +# ### http://www.grisoft.com/
 +# ['AVG Anti-Virus',
 +#   \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'],
 +#   qr/^200/m, qr/^403/m, qr/^403 .*?: ([^\r\n]+)/m ],
 +
 +# ### http://www.f-prot.com/
 +# ['F-Prot fpscand',  # F-PROT Antivirus for BSD/Linux/Solaris, version 6
 +#   \&ask_daemon,
 +#   ["SCAN FILE {}/*\n", '127.0.0.1:10200'],
 +#   qr/^(0|8|64) /m,
 +#   qr/^([1235679]|1[01345]) |<[^>:]*(?i)(infected|suspicious|unwanted)/m,
 +#   qr/(?i)<[^>:]*(?:infected|suspicious|unwanted)[^>:]*: ([^>]*)>/m ],
 +
 +# ### http://www.f-prot.com/
 +# ['F-Prot f-protd',  # old version
 +#   \&ask_daemon,
 +#   ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
 +#     ['127.0.0.1:10200', '127.0.0.1:10201', '127.0.0.1:10202',
 +#      '127.0.0.1:10203', '127.0.0.1:10204'] ],
 +#   qr/(?i)<summary[^>]*>clean<\/summary>/m,
 +#   qr/(?i)<summary[^>]*>infected<\/summary>/m,
 +#   qr/(?i)<name>(.+)<\/name>/m ],
 +
 +# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/
 +# ['DrWebD', \&ask_daemon,   # DrWebD 4.31 or later
 +#   [pack('N',1).  # DRWEBD_SCAN_CMD
 +#    pack('N',0x00280001).   # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES
 +#    pack('N',     # path length
 +#      length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")).
 +#    '{}/*'      # path
 +#    pack('N',0).  # content size
 +#    pack('N',0),
 +#    '/var/drweb/run/drwebd.sock',
 +#  # '/var/amavis/var/run/drwebd.sock',   # suitable for chroot
 +#  # '/usr/local/drweb/run/drwebd.sock',  # FreeBSD drweb ports default
 +#  # '127.0.0.1:3000',                    # or over an inet socket
 +#   ],
 +#   qr/\A\x00[\x10\x11][\x00\x10]\x00/sm,        # IS_CLEAN,EVAL_KEY; SKIPPED
 +#   qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/sm,# KNOWN_V,UNKNOWN_V,V._MODIF
 +#   qr/\A.{12}(?:infected with )?([^\x00]+)\x00/sm,
 +# ],
 +# # NOTE: If using amavis-milter, change length to:
 +# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx").
 +
 +# Django : 2012-05-21
 +# Eintrag deaktiviert
 +#  ### http://www.kaspersky.com/  (kav4mailservers)
 +#  ['KasperskyLab AVP - aveclient',
 +#    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
 +#     '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
 +#    '-p /var/run/aveserver -s {}/*',
 +#    [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m,
 +#    qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m,
 +#  ],
 +#  # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious,
 +#  # currupted or protected archives are to be handled
 +
 +# Django : 2012-05-21
 +# Eintrag deaktiviert
 +#  ### http://www.kaspersky.com/
 +#  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
 +#    '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],    # any use for -A -K   ?
 +#    qr/infected: (.+)/m,
 +#    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
 +#    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
 +#  ],
 +
 +# Django : 2012-05-21
 +# Eintrag deaktiviert 
 +# ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
 +#  ### products and replaced by aveserver and aveclient
 +#  ['KasperskyLab AVPDaemonClient',
 +#    [ '/opt/AVP/kavdaemon',       'kavdaemon',
 +#      '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
 +#      '/opt/AVP/AvpTeamDream',    'AvpTeamDream',
 +#      '/opt/AVP/avpdc', 'avpdc' ],
 +#    "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ],
 +#    # change the startup-script in /etc/init.d/kavd to:
 +#    #   DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
 +#    #   (or perhaps:   DPARMS="-I0 -Y -* /var/amavis" )
 +#    # adjusting /var/amavis above to match your $TEMPBASE.
 +#    # The '-f=/var/amavis' is needed if not running it as root, so it
 +#    # can find, read, and write its pid file, etc., see 'man kavdaemon'.
 +#    # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
 +#    #   directory $TEMPBASE specifies) in the 'Names=' section.
 +#    # cd /opt/AVP/DaemonClients; configure; cd Sample; make
 +#    # cp AvpDaemonClient /opt/AVP/
 +#    # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"
 +
 +# Django : 2012-05-21
 +# Eintrag deaktiviert
 +#  ### http://www.centralcommand.com/
 +#  ['CentralCommand Vexira (new) vascan',
 +#    ['vascan','/usr/lib/Vexira/vascan'],
 +#    "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
 +#    "--log=/var/log/vascan.log {}",
 +#    [0,3], [1,2,5],
 +#    qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ],
 +#    # Adjust the path of the binary and the virus database as needed.
 +#    # 'vascan' does not allow to have the temp directory to be the same as
 +#    # the quarantine directory, and the quarantine option can not be disabled.
 +#    # If $QUARANTINEDIR is not used, then another directory must be specified
 +#    # to appease 'vascan'. Move status 3 to the second list if password
 +#    # protected files are to be considered infected.
 +
 +# Django : 2012-05-21
 +# Eintrag deaktiviert
 +#  ### http://www.avira.com/
 +#  ### Avira AntiVir (formerly H+BEDV) or (old) CentralCommand Vexira Antivirus
 +#  ['Avira AntiVir', ['antivir','vexira'],
 +#    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m,
 +#    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
 +#         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ],
 +#    # NOTE: if you only have a demo version, remove -z and add 214, as in:
 +#    #  '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,
 +
 +# Django : 2012-05-21
 +# Eintrag deaktiviert
 +#  ### http://www.commandsoftware.com/
 +#  ['Command AntiVirus for Linux', 'csav',
 +#    '-all -archive -packed {}', [50], [51,52,53],
 +#    qr/Infection: (.+)/m ],
 +
 +# Django : 2012-05-21
 +# Eintrag deaktiviert
 +#  ### http://www.symantec.com/
 +#  ['Symantec CarrierScan via Symantec CommandLineScanner',
 +#    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
 +#    qr/^Files Infected:\s+0$/m, qr/^Infected\b/m,
 +#    qr/^(?:Info|Virus Name):\s+(.+)/m ],
 +
 +# Django : 2012-05-21
 +# Eintrag deaktiviert
 +#  ### http://www.symantec.com/
 +#  ['Symantec AntiVirus Scan Engine',
 +#    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
 +#    [0], qr/^Infected\b/m,
 +#    qr/^(?:Info|Virus Name):\s+(.+)/m ],
 +#    # NOTE: check options and patterns to see which entry better applies
 +
 +# ### http://www.f-secure.com/products/anti-virus/  version 4.65
 +#  ['F-Secure Antivirus for Linux servers',
 +#   ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
 +#   '--delete=no --disinf=no --rename=no --archive=yes --auto=yes '.
 +#   '--dumb=yes --list=no --mime=yes {}', [0], [3,6,8],
 +#   qr/(?:infection|Infected|Suspected): (.+)/m ],
 +
 +# Django : 2012-05-21
 +# Eintrag deaktiviert
 +#  ### http://www.f-secure.com/products/anti-virus/  version 5.52
 +#   ['F-Secure Antivirus for Linux servers',
 +#    ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
 +#    '--virus-action1=report --archive=yes --auto=yes '.
 +#    '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8],
 +#    qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],
 +#    # NOTE: internal archive handling may be switched off by '--archive=no'
 +#    #   to prevent fsav from exiting with status 9 on broken archives
 +
 +# ### http://www.avast.com/
 +# ['avast! Antivirus daemon',
 +#   \&ask_daemon, # greets with 220, terminate with QUIT
 +#   ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'],
 +#   qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t([^[ \t\015\012]+)/m ],
 +
 +# ### http://www.avast.com/
 +# ['avast! Antivirus - Client/Server Version', 'avastlite',
 +#   '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1],
 +#   qr/\t\[L\]\t([^[ \t\015\012]+)/m ],
 +
 +# Django : 2012-05-21
 +# Eintrag deaktiviert
 +#  ['CAI InoculateIT', 'inocucmd',  # retired product
 +#    '-sec -nex {}', [0], [100],
 +#    qr/was infected by virus (.+)/m ],
 +#  # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html
 +
 +# Django : 2012-05-21
 +# Entry disabled
 +#  ### http://www3.ca.com/Solutions/Product.asp?ID=156  (ex InoculateIT)
 +#  ['CAI eTrust Antivirus', 'etrust-wrapper',
 +#    '-arc -nex -spm h {}', [0], [101],
 +#    qr/is infected by virus: (.+)/m ],
 +#    # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
 +#    # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783
 +
 +# Django : 2012-05-21
 +# Entry disabled
 +#  ### http://mks.com.pl/english.html
 +#  ['MkS_Vir for Linux (beta)', ['mks32','mks'],
 +#    '-s {}/*', [0], [1,2],
 +#    qr/--[ \t]*(.+)/m ],
 +
 +# Django : 2012-05-21
 +# Entry disabled
 +#  ### http://mks.com.pl/english.html
 +#  ['MkS_Vir daemon', 'mksscan',
 +#    '-s -q {}', [0], [1..7],
 +#    qr/^... (\S+)/m ],
 +
 +# ### http://www.nod32.com/,  version v2.52 (old)
 +# ['ESET NOD32 for Linux Mail servers',
 +#   ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
 +#    '--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '.
 +#    '-w -a --action-on-infected=accept --action-on-uncleanable=accept '.
 +#    '--action-on-notscanned=accept {}',
 +#   [0,3], [1,2], qr/virus="([^"]+)"/m ],
 +
 +# ### http://www.eset.com/, version v2.7 (old)
 +# ['ESET NOD32 Linux Mail Server - command line interface',
 +#   ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
 +#   '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/m ],
 +
 +# ### http://www.eset.com/, version 2.71.12
 +# ['ESET Software ESETS Command Line Interface',
 +#   ['/usr/bin/esets_cli', 'esets_cli'],
 +#   '--subdir {}', [0], [1,2,3], qr/virus="([^"]+)"/m ],
 +
 +# Django : 2012-05-21
 +# Entry disabled
 +#  ### http://www.eset.com/, version 3.0
 +#  ['ESET Software ESETS Command Line Interface',
 +#    ['/usr/bin/esets_cli', 'esets_cli'],
 +#    '--subdir {}', [0], [1,2,3],
 +#    qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ],
 +
 +# Django : 2012-05-21
 +# Entry disabled
 +#  ## http://www.nod32.com/,  NOD32LFS version 2.5 and above
 +#  ['ESET NOD32 for Linux File servers',
 +#    ['/opt/eset/nod32/sbin/nod32','nod32'],
 +#    '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
 +#    '-w -a --action=1 -b {}',
 +#    [0], [1,10], qr/^object=.*, virus="(.*?)",/m ],
 +
 +# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31
 +# ['ESET Software NOD32 Client/Server (NOD32SS)',
 +#   \&ask_daemon2,    # greets with 200, persistent, terminate with QUIT
 +#   ["SCAN {}/*\r\n", '127.0.0.1:8448' ],
 +#   qr/^200 File OK/m, qr/^201 /m, qr/^201 (.+)/m ],
 +
 +# Django : 2012-05-21
 +# Entry disabled
 +#  ### http://www.norman.com/products_nvc.shtml
 +#  ['Norman Virus Control v5 / Linux', 'nvcc',
 +#    '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
 +#    qr/(?i).* virus in .* -> \'(.+)\'/m ],
 +
 +# Django : 2012-05-21
 +# Entry disabled
 +#  ### http://www.pandasoftware.com/
 +#  ['Panda CommandLineSecure 9 for Linux',
 +#    ['/opt/pavcl/usr/bin/pavcl','pavcl'],
 +#    '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
 +#    qr/Number of files infected[ .]*: 0+(?!\d)/m,
 +#    qr/Number of files infected[ .]*: 0*[1-9]/m,
 +#    qr/Found virus :\s*(\S+)/m ],
 +#  # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr'
 +#  # before starting amavisd - the bases are then loaded only once at startup.
 +#  # To reload bases in a signature update script:
 +#  #   /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr
 +#  # Please review other options of pavcl, for example:
 +#  #  -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies
 +
 +# ### http://www.pandasoftware.com/
 +# ['Panda Antivirus for Linux', ['pavcl'],
 +#   '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}',
 +#   [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0],
 +#   qr/Found virus :\s*(\S+)/m ],
 +
 +# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
 +# Check your RAV license terms before fiddling with the following two lines!
 +# ['GeCAD RAV AntiVirus 8', 'ravav',
 +#   '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/m ],
 +# # NOTE: the command line switches changed with scan engine 8.5 !
 +# # (btw, assigning stdin to /dev/null causes RAV to fail)
 +
 +# Django : 2012-05-21
 +# Entry disabled
 +#  ### http://www.nai.com/
 +#  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
 +#    '--secure -rv --mime --summary --noboot - {}', [0], [13],
 +#    qr/(?x) Found (?:
 +#        \ the\ (.+)\ (?:virus|trojan)  |
 +#        \ (?:virus|trojan)\ or\ variant\ ([^ ]+)  |
 +#        :\ (.+)\ NOT\ a\ virus)/m,
 +#  # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
 +#  # sub {delete $ENV{LD_PRELOAD}},
 +#  ],
 +#  # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
 +#  # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
 +#  # and then clear it when finished to avoid confusing anything else.
 +#  # NOTE2: to treat encrypted files as viruses replace the [13] with:
 +#  #  qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/
 +
 +# Django : 2012-05-21
 +# Entry disabled
 +#  ### http://www.virusbuster.hu/en/
 +#  ['VirusBuster', ['vbuster', 'vbengcl'],
 +#    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
 +#    qr/: '(.*)' - Virus/m ],
 +#  # VirusBuster Ltd. does not support the daemon version for the workstation
 +#  # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
 +#  # binaries, some parameters AND return codes have changed (from 3 to 1).
 +#  # See also the new Vexira entry 'vascan' which is possibly related.
 +
 +# ### http://www.virusbuster.hu/en/
 +# ['VirusBuster (Client + Daemon)', 'vbengd',
 +#   '-f -log scandir {}', [0], [3],
 +#   qr/Virus found = (.*);/m ],
 +# # HINT: for an infected file it always returns 3,
 +# # although the man-page tells a different story
 +
 +# Django : 2012-05-21
 +# Entry disabled
 +#  ### http://www.cyber.com/
 +#  ['CyberSoft VFind', 'vfind',
 +#    '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m,
 +#  # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
 +#  ],
 +
 +# Django : 2012-05-21
 +# Entry disabled
 +#  ### http://www.avast.com/
 +#  ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
 +#    '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ],
 +
 +# Django : 2012-05-21
 +# Entry disabled
 +#  ### http://www.ikarus-software.com/
 +#  ['Ikarus AntiVirus for Linux', 'ikarus',
 +#    '{}', [0], [40], qr/Signature (.+) found/m ],
 +
 +# Django : 2012-05-21
 +# Entry disabled
 +#  ### http://www.bitdefender.com/
 +#  ['BitDefender', 'bdscan',  # new version
 +#    '--action=ignore --no-list {}', qr/^Infected files\s*:\s*0+(?!\d)/m,
 +#    qr/^(?:Infected files|Identified viruses|Suspect files)\s*:\s*0*[1-9]/m,
 +#    qr/(?:suspected|infected)\s*:\s*(.*)(?:\033|$)/m ],
 +
 +# Django : 2012-05-21
 +# Entry disabled
 +#  ### http://www.bitdefender.com/
 +#  ['BitDefender', 'bdc',  # old version
 +#    '--arc --mail {}', qr/^Infected files *:0+(?!\d)/m,
 +#    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m,
 +#    qr/(?:suspected|infected): (.*)(?:\033|$)/m ],
 +#  # consider also: --all --nowarn --alev=15 --flev=15.  The --all argument may
 +#  # not apply to your version of bdc, check documentation and see 'bdc --help'
 +
 +# Django : 2012-05-21
 +# Entry disabled
 +#  ### ArcaVir for Linux and Unix http://www.arcabit.pl/
 +#  ['ArcaVir for Linux', ['arcacmd','arcacmd.static'],
 +#    '-v 1 -summary 0 -s {}', [0], [1,2],
 +#    qr/(?:VIR|WIR):[ \t]*(.+)/m ],
 +
 +# ### a generic SMTP-client interface to a SMTP-based virus scanner
 +# ['av_smtp', \&ask_av_smtp,
 +#   ['{}', 'smtp:[127.0.0.1]:5525', 'dummy@localhost'],
 +#   qr/^2/, qr/^5/, qr/^\s*(.*?)\s*$/m ],
 +
 +# ['File::Scan', sub {Amavis::AV::ask_av(sub{
 +#   use File::Scan; my($fn)=@_;
 +#   my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0);
 +#   my($vname) = $f->scan($fn);
 +#   $f->error ? (2,"Error: ".$f->error)
 +#   : ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @_) },
 +#   ["{}/*"], [0], [1], qr/^(.*) FOUND$/m ],
 +
 +# ### fully-fledged checker for JPEG marker segments of invalid length
 +# ['check-jpeg',
 +#   sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) },
 +#   ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/m ],
 +# # NOTE: place file JpegTester.pm somewhere where Perl can find it,
 +# #       for example in /usr/local/lib/perl5/site_perl
 +
 +);
 +
 +
 +@av_scanners_backup = (
 +
 +  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
 +  ['ClamAV-clamscan', 'clamscan',
 +    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
 +    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
 +
 +# Django : 2012-05-21
 +# Entry disabled
 +#  ### http://www.f-prot.com/   - backs up F-Prot Daemon, V6
 +#  ['F-PROT Antivirus for UNIX', ['fpscan'],
 +#    '--report --mount --adware {}',  # consider: --applications -s 4 -u 3 -z 10
 +#    [0,8,64],  [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3],
 +#    qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ],
 +
 +# Django : 2012-05-21
 +# Entry disabled
 +#  ### http://www.f-prot.com/   - backs up F-Prot Daemon (old)
 +#  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
 +#    '-dumb -archive -packed {}', [0,8], [3,6],   # or: [0], [3,6,8],
 +#    qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ],
 +
 +# Django : 2012-05-21
 +# Entry disabled
 +#  ### http://www.trendmicro.com/   - backs up Trophie
 +#  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
 +#    '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ],
 +
 +# Django : 2012-05-21
 +# Entry disabled
 +#  ### http://www.sald.com/, http://drweb.imshop.de/   - backs up DrWebD
 +#  ['drweb - DrWeb Antivirus',  # security LHA hole in Dr.Web 4.33 and earlier
 +#    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
 +#    '-path={} -al -go -ot -cn -upn -ok-',
 +#    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ],
 +
 +# Django : 2012-05-21
 +# Entry disabled
 +#   ### http://www.kaspersky.com/
 +#   ['Kaspersky Antivirus v5.5',
 +#     ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
 +#      '/opt/kav/5.5/kav4unix/bin/kavscanner',
 +#      '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
 +#     '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
 +#     qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m,
 +##    sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
 +##    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
 +#   ],
 +
 +# Commented out because the name 'sweep' clashes with Debian and FreeBSD
 +# package/port of an audio editor. Make sure the correct 'sweep' is found
 +# in the path when enabling.
 +#
 +# ### http://www.sophos.com/   - backs up Sophie or SAVI-Perl
 +# ['Sophos Anti Virus (sweep)', 'sweep',
 +#   '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.
 +#   '--no-reset-atime {}',
 +#   [0,2], qr/Virus .*? found/m,
 +#   qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m,
 +# ],
 +# # other options to consider: -idedir=/usr/local/sav
 +
 +# Always succeeds and considers mail clean.
 +# Potentially useful when all other scanners fail and it is desirable
 +# to let mail continue to flow with no virus checking (when uncommented).
 +# ['always-clean', sub {0}],
 +
 +);
 +
 +
 +1;  # insure a defined return value
 +</file>
 +
 +===== First start of the services =====
 +
 +==== clamd ====
 +Now we start our ClamAV daemon for the first time.
 +   # service clamd start
 +
 +   Starting Clam AntiVirus Daemon:                            [  OK  ]
 +
 +The start is logged in **/var/log/clamav/clamd.log**.
 +   # less /var/log/clamav/clamd.log
 +
 +<code>Mon Jun 11 12:08:26 2012 -> +++ Started at Mon Jun 11 12:08:26 2012
 +Mon Jun 11 12:08:26 2012 -> clamd daemon 0.97.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
 +Mon Jun 11 12:08:26 2012 -> Running as user clamav (UID 496, GID 493)
 +Mon Jun 11 12:08:26 2012 -> Log file size limited to -1 bytes.
 +Mon Jun 11 12:08:26 2012 -> Reading databases from /var/clamav
 +Mon Jun 11 12:08:26 2012 -> Not loading PUA signatures.
 +Mon Jun 11 12:08:26 2012 -> Bytecode: Security mode set to "TrustSigned".
 +Mon Jun 11 12:08:30 2012 -> Loaded 1256207 signatures.
 +Mon Jun 11 12:08:30 2012 -> TCP: Bound to address 127.0.0.1 on port 3310
 +Mon Jun 11 12:08:30 2012 -> TCP: Setting connection queue length to 30
 +Mon Jun 11 12:08:30 2012 -> LOCAL: Unix socket file /var/run/clamav/clamd.sock
 +Mon Jun 11 12:08:30 2012 -> LOCAL: Setting connection queue length to 30
 +Mon Jun 11 12:08:30 2012 -> Limits: Global size limit set to 104857600 bytes.
 +Mon Jun 11 12:08:30 2012 -> Limits: File size limit set to 26214400 bytes.
 +Mon Jun 11 12:08:30 2012 -> Limits: Recursion level limit set to 16.
 +Mon Jun 11 12:08:30 2012 -> Limits: Files limit set to 10000.
 +Mon Jun 11 12:08:30 2012 -> Archive support enabled.
 +Mon Jun 11 12:08:30 2012 -> Algorithmic detection enabled.
 +Mon Jun 11 12:08:30 2012 -> Portable Executable support enabled.
 +Mon Jun 11 12:08:30 2012 -> ELF support enabled.
 +Mon Jun 11 12:08:30 2012 -> Detection of broken executables enabled.
 +Mon Jun 11 12:08:30 2012 -> Mail files support enabled.
 +Mon Jun 11 12:08:30 2012 -> OLE2 support enabled.
 +Mon Jun 11 12:08:30 2012 -> PDF support enabled.
 +Mon Jun 11 12:08:30 2012 -> HTML support enabled.
 +Mon Jun 11 12:08:30 2012 -> Self checking every 600 seconds.
 +Mon Jun 11 12:08:39 2012 -> Pid file removed.
 +</code>
 +
 +==== freshclamd ====
 +We start our update mechanism, the **freshclam daemon**, as usual with:
 +   # service freshclamd start
 +
 +   Starting freshclam:                                        [  OK  ]
 +
 +The run is logged in **/var/log/clamav/freshclam.log**:
 +   # less /var/log/clamav/freshclam.log
 +
 +<code>freshclam daemon 0.97.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
 +ClamAV update process started at Mon Jun 11 12:32:48 2012
 +main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
 +Downloading daily-15026.cdiff [100%]
 +Downloading daily-15027.cdiff [100%]
 +daily.cld updated (version: 15027, sigs: 217122, f-level: 63, builder: ccordes)
 +bytecode.cvd is up to date (version: 185, sigs: 39, f-level: 63, builder: neo)
 +Database updated (1261548 signatures) from db.de.clamav.net (IP: 212.1.60.18)
 +WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.sock
 +--------------------------------------
 +</code>
 +
 +The message
 +**WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.sock** is accurate: at this point the ClamAV daemon **clamd** is not running. The clamd log shown above ends with **Pid file removed.**, a line clamd writes when it shuts down, so the daemon started in the previous step had already terminated again. **service clamd status** shows the current state before we go on.
 +
 +So we start the ClamAV daemon once more.
 +   # service clamd start
 +
 +   Starting Clam AntiVirus Daemon:                            [  OK  ]
 +
 +Now we restart our freshclam daemon and then check its log file.
 +   # service freshclamd restart
 +
 +   Stopping freshclam:                                        [  OK  ]
 +   Starting freshclam:                                        [  OK  ]
 +
 +A look at the freshclam daemon's log file now shows no such error message any more.
 +   # less /var/log/clamav/freshclam.log
 +
 +<code>--------------------------------------
 +freshclam daemon 0.97.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
 +ClamAV update process started at Mon Jun 11 12:39:25 2012
 +main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
 +daily.cld is up to date (version: 15027, sigs: 217122, f-level: 63, builder: ccordes)
 +bytecode.cvd is up to date (version: 185, sigs: 39, f-level: 63, builder: neo)
 +</code>
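Before amavisd is pointed at this daemon it is worth checking that clamd really answers on the socket amavisd will use, and that it classifies a known sample correctly. The following Python client is an added example, not code from this page or from the ClamAV project: it speaks clamd's own socket protocol (PING, VERSION and INSTREAM, the latter sending the data as 4-byte big-endian length-prefixed chunks closed by a zero-length chunk) and parses the one-line replies, including the multi-line form CONTSCAN returns. The socket path and TCP address are the ones the clamd log above reports; the function names and sample data are assumptions made for this example.

```python
"""clamd socket client: added example, not code from this page or from ClamAV.

Socket path and TCP address mirror what the clamd log above reports;
function names and sample data are assumptions made for this example.
"""
import re
import socket
import struct

CLAMD_UNIX_SOCKET = "/var/run/clamav/clamd.sock"   # "LOCAL: Unix socket file ..." in the clamd log
CLAMD_TCP = ("127.0.0.1", 3310)                     # "TCP: Bound to address 127.0.0.1 on port 3310"

# The 68-byte EICAR test string, written as two literals and joined at import time.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# One clamd reply line: "<target>: <name> FOUND", "<target>: OK" or "<message> ERROR".
_REPLY = re.compile(r"^(?P<target>.*?)(?:: (?P<detail>.*?))?\s*(?P<verdict>OK|FOUND|ERROR)$")


def instream_frames(data: bytes, chunk: int = 4096) -> bytes:
    """Frame data for INSTREAM: every chunk is preceded by its length as a
    4-byte big-endian integer, and a zero length ends the stream."""
    frames = []
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        frames.append(struct.pack(">I", len(part)) + part)
    frames.append(struct.pack(">I", 0))
    return b"".join(frames)


def parse_reply(raw: bytes):
    """Map one reply line to (verdict, detail):
    b"stream: Eicar-Test-Signature FOUND\\0"  -> ("infected", "Eicar-Test-Signature")
    b"stream: OK\\0"                          -> ("clean", None)
    b"INSTREAM size limit exceeded. ERROR\\0" -> ("error", "INSTREAM size limit exceeded.")
    """
    text = raw.decode("ascii", "replace").strip("\x00\r\n ")
    m = _REPLY.match(text)
    if not m:
        return "unknown", text
    verdict = {"OK": "clean", "FOUND": "infected", "ERROR": "error"}[m.group("verdict")]
    detail = m.group("detail")
    if verdict == "error" and not detail:
        detail = m.group("target")          # errors that carry no "target: " prefix
    return verdict, (detail or None)


def parse_replies(raw: bytes):
    """CONTSCAN/MULTISCAN (the command amavisd issues) answer one line per file."""
    return [parse_reply(line) for line in re.split(rb"[\x00\n]+", raw) if line.strip()]


def clamd_command(cmd: bytes, payload: bytes = b"", unix_socket: str = CLAMD_UNIX_SOCKET,
                  tcp=None, timeout: float = 30.0) -> bytes:
    """Send one NUL-terminated ("z"-prefixed) command, optionally followed by a
    payload, and return the raw reply up to its terminating NUL."""
    if tcp is not None:
        sock = socket.create_connection(tcp, timeout=timeout)
    else:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        sock.connect(unix_socket)
    with sock:
        sock.sendall(b"z" + cmd + b"\x00" + payload)
        reply = b""
        while not reply.endswith(b"\x00"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return reply


def ping(**conn) -> bool:
    return clamd_command(b"PING", **conn).strip(b"\x00\n") == b"PONG"


def version(**conn) -> str:
    return clamd_command(b"VERSION", **conn).decode("ascii", "replace").strip("\x00\n")


def scan_bytes(data: bytes, **conn):
    """Scan in-memory data via INSTREAM. clamd never opens a file here, so the
    result does not depend on the clamav user being able to read a temp directory."""
    return parse_reply(clamd_command(b"INSTREAM", instream_frames(data), **conn))


if __name__ == "__main__":
    print("PING    ->", ping())
    print("VERSION ->", version())
    print("EICAR   ->", scan_bytes(EICAR))
    print("clean   ->", scan_bytes(b"nothing to see here\n"))
    print("via TCP ->", scan_bytes(EICAR, tcp=CLAMD_TCP))
```

Run it as a user that may open the Unix socket, or pass ''tcp=CLAMD_TCP'' to go through the loopback listener. The name amavisd's log further down shows clamd reporting for this sample is ''Eicar-Test-Signature''. Because INSTREAM hands the bytes to clamd over the socket, a clean result here while amavisd still reports scanner errors points at the CONTSCAN path, that is, at whether the clamav user can read amavisd's temporary directory, not at the daemon itself.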
 +==== amavisd ====
 +To activate the [[centos:mail_c6:spam_4?&#amavisd|configuration changes]] to the AMaViS front end we now restart the daemon.
 +   # service amavisd restart
 +
 +   Shutting down Mail Virus Scanner (amavisd):                [  OK  ]
 +   Starting Mail Virus Scanner (amavisd):                [  OK  ]
 +
 +The start is logged in the mail log.
 +<code>Jun 11 13:21:43 vml000060 amavis[18664]: logging initialized, log level 3, syslog: amavis.mail
 +Jun 11 13:21:43 vml000060 amavis[18664]: starting.  /usr/sbin/amavisd at amavis.dmz.nausch.org amavisd-new-2.6.6 (20110518), Unicode aware, LANG="en_US.UTF-8"
 +Jun 11 13:21:43 vml000060 amavis[18664]: user=497, EUID: 497 (497);  group=, EGID: 494 494 (494 494)
 +Jun 11 13:21:43 vml000060 amavis[18664]: Perl version               5.010001
 +Jun 11 13:21:43 vml000060 amavis[18664]: SpamControl: scanner SpamAssassin, module Amavis::SpamControl::SpamAssassin
 +Jun 11 13:21:44 vml000060 amavis[18664]: INFO: SA version: 3.3.1, 3.003001, no optional modules: Net::CIDR::Lite Sys::Hostname::Long Razor2::Client::Agent IP::Country::Fast Image::Info Image::Info::GIF Image::Info::JPEG Image::Info::PNG Image::Info::TIFF Mail::SPF Mail::SPF::Server Mail::SPF::Request Mail::SPF::Mech Mail::SPF::Mech::A Mail::SPF::Mech::PTR Mail::SPF::Mech::All Mail::SPF::Mech::Exists Mail::SPF::Mech::IP4 Mail::SPF::Mech::IP6 Mail::SPF::Mech::Include Mail::SPF::Mech::MX Mail::SPF::Mod Mail::SPF::Mod::Exp Mail::SPF::Mod::Redirect Mail::SPF::SenderIPAddrMech Mail::SPF::v1::Record Mail::SPF::v2::Record Error
 +Jun 11 13:21:44 vml000060 amavis[18664]: SpamControl: init_pre_chroot on SpamAssassin done
 +Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: Process Backgrounded
 +Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: 2012/06/11-13:21:44 Amavis (type Net::Server::PreForkSimple) starting! pid(18665)
 +Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: Using default listen value of 128
 +Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: Binding to UNIX socket file /var/amavis/amavisd.sock using SOCK_STREAM
 +Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: Binding to TCP port 10024 on host *
 +Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: Group Not Defined.  Defaulting to EGID '494 494'
 +Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: User Not Defined.  Defaulting to EUID '497'
 +Jun 11 13:21:44 vml000060 amavis[18665]: config files read: /etc/amavisd.conf
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module Amavis::Conf        2.209
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module Archive::Zip        1.30
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module BerkeleyDB          0.43
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module Compress::Zlib      2.02
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module Convert::TNEF       0.17
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module Convert::UUlib      1.34
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module Crypt::OpenSSL::RSA 0.25
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module DB_File             1.82
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module Digest::MD5         2.39
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module Digest::SHA         5.47
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module IO::Socket::INET6   2.56
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module MIME::Entity        5.427
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module MIME::Parser        5.427
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module MIME::Tools         5.427
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module Mail::DKIM::Signer  0.37
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module Mail::DKIM::Verifier 0.37
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module Mail::Header        2.04
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module Mail::Internet      2.04
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module Mail::SpamAssassin  3.003001
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module Net::DNS            0.65
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module Net::Server         0.99
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module NetAddr::IP         4.027
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module Socket6             0.23
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module Time::HiRes         1.9721
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module URI                 1.40
 +Jun 11 13:21:44 vml000060 amavis[18665]: Module Unix::Syslog        1.1
 +Jun 11 13:21:44 vml000060 amavis[18665]: Amavis::DB code      loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: Amavis::Cache code   loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: SQL base code        NOT loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: SQL::Log code        NOT loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: SQL::Quarantine      NOT loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: Lookup::SQL code     NOT loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: Lookup::LDAP code    NOT loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: AM.PDP-in proto code loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: SMTP-in proto code   loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: Courier proto code   NOT loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: SMTP-out proto code  loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: Pipe-out proto code  NOT loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: BSMTP-out proto code NOT loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: Local-out proto code loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: OS_Fingerprint code  NOT loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: ANTI-VIRUS code      loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: ANTI-SPAM code       loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: ANTI-SPAM-EXT code   NOT loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: ANTI-SPAM-C code     NOT loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: ANTI-SPAM-SA code    loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: Unpackers code       loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: DKIM code            loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: Tools code           NOT loaded
 +Jun 11 13:21:44 vml000060 amavis[18665]: Found $file            at /usr/bin/file
 +Jun 11 13:21:44 vml000060 amavis[18665]: Found $altermime       at /usr/bin/altermime
 +Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .mail
 +Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .asc 
 +Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .uue 
 +Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .hqx 
 +Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .ync 
 +Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for    .F    at /usr/bin/unfreeze
 +Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for    .Z    at /usr/bin/uncompress
 +Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for    .gz   at /usr/bin/gzip -d
 +Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .gz   (backup, not used)
 +Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for    .bz2  at /usr/bin/bzip2 -d
 +Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for    .lzo  at /usr/bin/lzop -d
 +Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for    .rpm  at /usr/bin/rpm2cpio
 +Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for    .cpio at /bin/cpio
 +Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for    .tar  at /bin/cpio
 +Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for    .deb  at /usr/bin/ar
 +Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .zip 
 +Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for    .7z   at /usr/bin/7za
 +Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for    .rar  at /usr/bin/unrar
 +Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for    .arj  at /usr/bin/arj
 +Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for    .arc  at /usr/bin/nomarch
 +Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for    .zoo  at /usr/bin/zoo
 +Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for    .lha  at /usr/bin/lha
 +Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for    .cab  at /usr/bin/cabextract
 +Jun 11 13:21:44 vml000060 amavis[18665]: No decoder for       .tnef tried: tnef
 +Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .tnef
 +Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for    .exe  at /usr/bin/unrar; /usr/bin/lha; /usr/bin/arj
 +Jun 11 13:21:44 vml000060 amavis[18665]: Using primary internal av scanner code for ClamAV-clamd
 +Jun 11 13:21:44 vml000060 amavis[18665]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
 +Jun 11 13:21:44 vml000060 amavis[18665]: Creating db in /var/amavis/db/; BerkeleyDB 0.43, libdb 4.7
 +Jun 11 13:21:44 vml000060 amavis[18665]: initializing Mail::SpamAssassin
 +Jun 11 13:21:44 vml000060 amavis[18665]: SpamAssassin debug facilities: info
 +Jun 11 13:21:46 vml000060 amavis[18665]: SpamAssassin loaded plugins: AutoLearnThreshold, Bayes, BodyEval, Check, DKIM, DNSEval, FreeMail, HTMLEval, HTTPSMismatch, Hashcash, HeaderEval, ImageInfo, MIMEEval, MIMEHeader, Pyzor, Razor2, RelayEval, ReplaceTags, SPF, SpamCop, URIDNSBL, URIDetail, URIEval, VBounce, WLBLEval, WhiteListSubject
 +Jun 11 13:21:46 vml000060 amavis[18665]: SpamControl: init_pre_fork on SpamAssassin done
 +Jun 11 13:21:46 vml000060 amavis[18665]: extra modules loaded after daemonizing/chrooting: Mail/SpamAssassin/Plugin/FreeMail.pm
 +Jun 11 13:21:46 vml000060 amavis[18679]: TIMING [total 10 ms] - bdb-open: 10 (100%)100, rundown: 0 (0%)100
 +Jun 11 13:21:46 vml000060 amavis[18680]: TIMING [total 9 ms] - bdb-open: 9 (100%)100, rundown: 0 (0%)100
 +</code>
 +===== Starting the services automatically at boot =====
 +
 +==== clamd ====
 +So that our clamd is started automatically at boot, we make the following change.
 +   # chkconfig clamd on
 +Then we verify the change:
 +   # chkconfig --list | grep clamd
 +
 +   clamd          0:off 1:off 2:on 3:on 4:on 5:on 6:off
 +
 +==== freshclamd ====
 +So that our freshclamd is started automatically at boot as well, we make the following change.
 +   # chkconfig freshclamd on
 +Then we verify the change:
 +   # chkconfig --list | grep freshclamd
 +
 +   freshclamd      0:off 1:off 2:on 3:on 4:on 5:on 6:off
 +
 +
 +==== amavisd ====
 +No change is needed for our front end **AMaViS**, since we already made the necessary [[centos:mail_c6:spam_3#automatisches_starten_des_dienste_beim_systemstart|configuration]] during the basic setup of amavisd-new.
 +===== Test (eicar) =====
 +To test, we send an email to a recipient and simply attach the [[http://eicar.org/download/eicar_com.zip|EICAR test file]] to it.
 +
 +The attempt fails, as intended, and the submitting mail client is promptly told why the message could not be accepted.
 +
 +<code>An error occurred while sending mail.
 +The mail server responded:  5.7.0 Reject, id=19056-05 - INFECTED: Eicar-Test-Signature. 
 +Please check the message and try again.
 +</code>
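The EICAR check above is worth scripting so it can be repeated after every signature or configuration change. The following is an added example, not code from this page or from the amavisd-new project: it builds a message of the same shape as the one sent by hand (a text part plus eicar_com.zip containing eicar.com), submits it straight to amavisd's SMTP-in port, which the amavisd start-up log above shows bound to port 10024, and extracts the virus name from the 554 reply. Host, addresses, subject and body are assumptions made for the example. Talking to port 10024 directly exercises amavisd and clamd without the Postfix front end, so the reply is the one amavisd itself gives; on this page the MTA relays that text back to the client.

```python
"""Scripted EICAR test against amavisd: added example, not code from this page.

Assumed for the example: amavisd reachable at 127.0.0.1:10024 (the port its
start-up log above shows), plus the addresses, subject and body below.
"""
import io
import re
import smtplib
import zipfile
from email.message import EmailMessage

AMAVIS_HOST, AMAVIS_PORT = "127.0.0.1", 10024   # "Binding to TCP port 10024" in the amavisd log

# The 68-byte EICAR test string, written as two literals and joined at import time.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# amavisd's reject text reads "5.7.0 Reject, id=19055-06 - INFECTED: Eicar-Test-Signature".
# Virus names may contain dots; the mail client's rendering adds a trailing full stop.
_INFECTED = re.compile(r"INFECTED: (?P<name>\S+?)\.?(?:,|\s|$)")


def eicar_zip() -> bytes:
    """eicar_com.zip as distributed by eicar.org: a zip holding one file, eicar.com."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", EICAR)
    return buf.getvalue()


def zip_members(data: bytes) -> dict:
    """Name -> content of every member of an in-memory zip (used to verify the test mail)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def build_test_mail(sender: str, rcpt: str) -> EmailMessage:
    """Same layout as the hand-sent mail in the log: text/plain plus application/zip."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = rcpt
    msg["Subject"] = "EICAR test"          # assumed
    msg.set_content("test\n")              # assumed
    msg.add_attachment(eicar_zip(), maintype="application", subtype="zip",
                       filename="eicar_com.zip")
    return msg


def attachments(msg: EmailMessage) -> list:
    """[(filename, decoded bytes), ...] for every attachment part of the message."""
    return [(p.get_filename(), p.get_payload(decode=True)) for p in msg.iter_attachments()]


def parse_reject(reply: str):
    """Virus name from an amavisd reject line, or None if it is not a virus reject."""
    m = _INFECTED.search(reply)
    return m.group("name") if m else None


def submit(msg: EmailMessage, host: str = AMAVIS_HOST, port: int = AMAVIS_PORT):
    """Hand the message to amavisd's SMTP-in port. With the reject policy used on
    this page the end-of-DATA reply is 554, which smtplib raises as SMTPDataError."""
    with smtplib.SMTP(host, port, timeout=60) as smtp:
        try:
            smtp.send_message(msg)
        except smtplib.SMTPDataError as err:
            text = err.smtp_error.decode("ascii", "replace")
            return "blocked", err.smtp_code, parse_reject(text) or text
    return "accepted", 250, None


if __name__ == "__main__":
    mail = build_test_mail("sender@example.org", "rcpt@example.org")   # assumed addresses
    print(submit(mail))
```

A result of ''("accepted", 250, None)'' means the sample passed the content filter and was queued for delivery, which is exactly the case this test exists to catch: check that clamd is running, that amavisd logged ''Using primary internal av scanner code for ClamAV-clamd'' at start-up, and that ''@bypass_virus_checks_maps'' does not exempt the recipient.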
 +
 +The rejected delivery of the email with the EICAR test pattern attached is logged in the mail log of our AMaViS host.
 +   # less /var/log/maillog
 +
 +<code>Jun 11 16:48:12 vml000060 amavis[19055]: (19055-05) process_request: fileno sock=11, STDIN=0, STDOUT=1
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) ESMTP:[10.0.0.60]:10024 /var/amavis/tmp/amavis-20120611T142736-19055: <django@nausch.org> -> <Django@nausch.org> SIZE=1043 Received: from mx1.nausch.org ([10.0.0.80]) by localhost (amavis.dmz.nausch.org [10.0.0.60]) (amavisd-new, port 10024) with ESMTP for <Django@nausch.org>; Mon, 11 Jun 2012 16:48:12 +0200 (CEST)
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp connection cache, dt: 1153.6, state: 0
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) body hash: d87eeb64bae8fd89341d4f6332e5263e
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) Checking: Cn1wWSZI30ms [192.168.10.45] <django@nausch.org> -> <Django@nausch.org>
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) 2822.From: <django@nausch.org>
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) p003 1 Content-Type: multipart/mixed
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) p001 1/1 Content-Type: text/plain, size: 5 B, name: 
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) p002 1/2 Content-Type: application/zip, size: 184 B, name: eicar_com.zip
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) inspect_dsn: not a bounce
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) Checking for banned types and filenames
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) collect banned table[0]: Django@nausch.org, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x3be71a0)
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) p.path Django@nausch.org: "P=p003,L=1,M=multipart/mixed | P=p001,L=1/1,M=text/plain,T=asc"
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) p.path Django@nausch.org: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/zip,T=zip,N=eicar_com.zip | P=p004,L=1/2/1,T=asc,N=eicar.com"
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) presenting full original message to scanners as /var/amavis/tmp/amavis-20120611T142736-19055/parts/p005
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) ask_av Using (ClamAV-clamd): CONTSCAN /var/amavis/tmp/amavis-20120611T142736-19055/parts\n
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) ClamAV-clamd: Connecting to socket  /var/run/clamav/clamd.sock
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) ClamAV-clamd: Sending CONTSCAN /var/amavis/tmp/amavis-20120611T142736-19055/parts\n to UNIX socket /var/run/clamav/clamd.sock
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) run_av (ClamAV-clamd): /var/amavis/tmp/amavis-20120611T142736-19055/parts INFECTED: Eicar-Test-Signature, Eicar-Test-Signature
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) virus_scan: (Eicar-Test-Signature), detected by 1 scanners: ClamAV-clamd
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) Virus Eicar-Test-Signature matches (constant:1), sender addr ignored
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) blocking contents category is (9) for Django@nausch.org
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) do_notify_and_quar: ccat=Virus (9,0) ("9":Virus, "1":Clean, "0":CatchAll) ccat_block=(9), qar_mth=
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp session: setting up a new session
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp creating socket by IO::Socket::INET6 to [mail.dmz.nausch.org]:10025
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp resp to greeting: 220 mx1.nausch.org ESMTP Postfix
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp cmd> EHLO localhost
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp resp to EHLO: 250 mx1.nausch.org\nPIPELINING\nSIZE 52428800\nETRN\nSTARTTLS\nXFORWARD NAME ADDR PROTO HELO SOURCE PORT\nENHANCEDSTATUSCODES\n8BITMIME\nDSN
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) AUTH not needed, user='', MTA offers ''
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp cmd> MAIL FROM:<virusalert@nausch.org> ENVID=AM..20120611T144813Z@amavis.dmz.nausch.org
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp cmd> RCPT TO:<virusalert@nausch.org>
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp cmd> DATA
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp resp to MAIL (pip): 250 2.1.0 Ok
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp resp to RCPT (pip) (<virusalert@nausch.org>): 250 2.1.5 Ok
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp resp to DATA: 354 End data with <CR><LF>.<CR><LF>
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp cmd> QUIT
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp resp to data-dot (<virusalert@nausch.org>): 250 2.0.0 Ok: queued as 36EE653
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) Amavis::Out::SMTP::Session close, disconnecting
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) SEND via SMTP: <virusalert@nausch.org> -> <virusalert@nausch.org>,ENVID=AM..20120611T144813Z@amavis.dmz.nausch.org 250 2.0.0 from MTA([mail.dmz.nausch.org]:10025): 250 2.0.0 Ok: queued as 36EE653
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) Blocked INFECTED (Eicar-Test-Signature), [192.168.10.45] [192.168.10.45] <django@nausch.org> -> <Django@nausch.org>, Message-ID: <4FD6052D.8030805@nausch.org>, mail_id: Cn1wWSZI30ms, Hits: -, size: 1317, 274 ms
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) sending SMTP response: "554 5.7.0 Reject, id=19055-06 - INFECTED: Eicar-Test-Signature"
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) TIMING [total 279 ms] - SMTP greeting: 4 (2%)2, SMTP EHLO: 1 (0%)2, SMTP pre-MAIL: 1 (0%)2, SMTP pre-DATA-flush: 7 (2%)5, SMTP DATA: 37 (13%)18, check_init: 1 (0%)18, digest_hdr: 2 (1%)19, digest_body_dkim: 1 (0%)19, gen_mail_id: 1 (0%)19, mime_decode: 16 (6%)25, get-file-type2: 17 (6%)31, decompose_part: 2 (1%)32, decompose_part: 6 (2%)34, get-file-type1: 13 (5%)39, decompose_part: 1 (0%)39, parts_decode: 0 (0%)39, check_header: 2 (1%)40, AV-scan-1: 26 (9%)49, read_snmp_variables: 1 (1%)50, best_try_originator: 2 (1%)51, update_cache: 2 (1%)51, decide_mail_destiny: 3 (1%)52, fwd-connect: 52 (19%)71, fwd-mail-pip: 14 (5%)76, fwd-rcpt-pip: 1 (0%)76, fwd-data-chkpnt: 0 (0%)76, write-header: 1 (0%)77, fwd-data-contents: 3 (1%)78, fwd-end-chkpnt: 50 (18%)95, prepare-dsn: 1 (0%)96, main_log_entry: 7 (2%)98, update_snmp: 2 (1%)99, SMTP pre-response: 0 (0%)99, SMTP response: 1 (0%)99, unlink-3-files: 1 (0%)100, rundown: 1 (0%)100
 +Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) load: 0 %, total idle 8420.239 s, busy 16.845 s
 +</code>
 +
 +Dem Postmaster // **virusalert@nausch.org** // wird hier auch eine Hinweisnachricht geschickt,in der drauf hingewiesen wird, dass jemand versucht hat einen Virus abzuladen.
 +
 +<code>From: "Content-filter at amavis.dmz.nausch.org" <virusalert@nausch.org>
 +Date: Mon, 11 Jun 2012 16:48:12 +0200 (CEST)
 +Subject: VIRUS (Eicar-Test-Signature) in mail FROM [192.168.10.45]
 + <django@nausch.org>
 +To: <virusalert@nausch.org>
 +Message-ID: <VACn1wWSZI30ms@amavis.dmz.nausch.org>
 +
 +This is a multi-part message in MIME format...
 +
 +------------=_1339426093-19055-1
 +Content-Type: text/plain; charset="iso-8859-1"
 +Content-Disposition: inline
 +Content-Transfer-Encoding: 7bit
 +
 +A virus was found: Eicar-Test-Signature
 +
 +Scanner detecting a virus: ClamAV-clamd
 +
 +Content type: Virus
 +Internal reference code for the message is 19055-06/Cn1wWSZI30ms
 +
 +First upstream SMTP client IP address: [192.168.10.45] 
 +According to a 'Received:' trace, the message apparently originated at:
 +  [192.168.10.45], pml010051.nausch.org unknown [192.168.10.45] using TLSv1
 +  with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits) No client certificate
 +  requested
 +
 +Return-Path: <django@nausch.org>
 +From: Django <django@nausch.org>
 +Message-ID: <4FD6052D.8030805@nausch.org>
 +Subject: TesteMail mit Eicar-Testfile im Anhang
 +Not quarantined.
 +
 +Notification to sender will not be mailed.
 +
 +The message WAS NOT relayed to:
 +<Django@nausch.org>:
 +   554 5.7.0 Reject, id=19055-06 - INFECTED: Eicar-Test-Signature
 +
 +Virus scanner output:
 +  p004: Eicar-Test-Signature FOUND
 +  p005: Eicar-Test-Signature FOUND
 +
 +
 +------------=_1339426093-19055-1
 +Content-Type: text/rfc822-headers; name="header"
 +Content-Disposition: inline; filename="header"
 +Content-Transfer-Encoding: 7bit
 +Content-Description: Message header section
 +
 +Return-Path: <django@nausch.org>
 +Received: from pml010051.nausch.org (unknown [192.168.10.45])
 + (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
 + (No client certificate requested)
 + by mx1.nausch.org (Postfix) with ESMTPS
 + for <Django@nausch.org>; Mon, 11 Jun 2012 16:48:12 +0200 (CEST)
 +Message-ID: <4FD6052D.8030805@nausch.org>
 +Date: Mon, 11 Jun 2012 16:48:13 +0200
 +From: Django <django@nausch.org>
 +User-Agent: Mozilla/5.0 (X11; Linux i686; rv:11.0) Gecko/20120329 Thunderbird/11.0.1
 +MIME-Version: 1.0
 +To: Django@nausch.org
 +Subject: TesteMail mit Eicar-Testfile im Anhang
 +Content-Type: multipart/mixed;
 + boundary="------------010707070506040503040902"
 +</code>
 +
 +Bei Bedarf kann man diese Benachrichtigung abstellen. Hierzu sind folgende werte in der **amavis.conf** relevant.
 +
 +<code bash>$virus_admin               = "virusalert\@$mydomain";  # notifications recip.
 +
 +$mailfrom_notify_admin     = "virusalert\@$mydomain";  # notifications sender
 +$mailfrom_notify_recip     = "virusalert\@$mydomain";  # notifications sender
 +</code>
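Review bot: the paragraph above promises to show how to switch the notification off, but the three amavisd.conf lines only show the current values, which leave it switched on. In amavisd-new the admin virus notification is suppressed by unsetting the recipient, `$virus_admin = undef;` (the sample amavisd.conf ships with that as its commented default), so that is the line this section needs; `$mailfrom_notify_admin` and `$mailfrom_notify_recip` are only envelope senders and do not decide whether a notification is generated at all. The comment on `$mailfrom_notify_recip` is also misleading: it is the sender of notifications to the original recipient, not of admin notifications. Minor: "werte" should be capitalised ("Werte").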
 +
 +
 +===== Optimierung / RAM-Disk für AMaViS =====
 +Da sich bei entsprechenden Traffic die Zugriffe auf die Harddisk ungünstig auf die Performance auswirkt, legen wir eine RAM-Disk für den Virenscanner an. Dort kann ClamAV dann die Dateianhänge der Nachrichten entpacken, ablegen und auf Schadcode hin überprüfen.
 +
 +Damit wir die Zugriffsrechte auf die Ramdisk richtig setzen können, schließlich soll nicht jedermann die Inhalte der eMails lesen können, ermitteln wird zu erst noch die **gid** und **uid**.
 +
 +   # grep amavis /etc/group
 +
 +   amavis:x:494:clamav
 +
 +   # grep amavis /etc/passwd
 +
 +   amavis:x:497:494:Amavis email scan user:/var/amavis:/bin/sh
 +
 +Für unsere Zwecke legen uns eine 250 MB große RAM-Disk an:
 +
 +   # vim /etc/fstab
 +
 +   # RAM-Disk für ClamAV
 +   /dev/shm                /var/amavis/tmp         tmpfs   defaults,size=250m,mode=750,uid=497,gid=494 0 0
 +
 +Anschließend mounten wir unser neues Laufwerk mit
 +   # mount /var/amavis/tmp
 +Je nach Belastung werden nun in unserem Arbeitsverzeichnis die Daten abgelegt
 +   # df -h -t tmpfs
 +
 +   Filesystem            Size  Used Avail Use% Mounted on
 +   /dev/shm              250M      250M   0% /var/amavis/tmp
 +
 +====== Links ======
 +  * **[[centos:mail_c6:start|Zurück zum Kapitel >>Mailserverinstallation unter CentOS 6<<]]**
 +  * **[[wiki:start|Zurück zu >>Projekte und Themenkapitel<<]]**
 +  * **[[http://dokuwiki.nausch.org/doku.php/|Zurück zur Startseite]]**
 +
 +~~AUTOTWEET:~~
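Review bot: the fstab entry uses `/dev/shm` in the device column; the kernel ignores that field for tmpfs, so the mount works, but `/dev/shm` reads as if the existing shared-memory filesystem were being re-mounted onto /var/amavis/tmp, and the conventional value is simply `tmpfs`. The `uid=497,gid=494,mode=750` options match the ids read from /etc/passwd and /etc/group above, and mode 750 only works because clamav is a member of group amavis (`amavis:x:494:clamav`): amavis hands clamd a path via CONTSCAN over the unix socket (see the log earlier on the page), so clamd itself must be able to open the unpacked parts, and a missing group membership would surface as clamd permission errors in the amavis log rather than as a mount problem; worth stating that dependency explicitly. The 250 MB size should be related to the MTA limit: the EHLO response above advertises `SIZE 52428800` (50 MB) and amavis unpacks attachments into this directory, so a few concurrent large mails can fill the tmpfs and make the scan fail; size it against the maximum message size times the number of amavisd children. The df output is missing the value in the Used column (`/dev/shm              250M      250M   0%`), which should read 0. Grammar: "ermitteln wird zu erst" should be "ermitteln wir zuerst", "bei entsprechenden Traffic" should be "bei entsprechendem Traffic", and "legen uns" should be "legen wir uns".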
  • centos/mail_c6/spam_4.txt
  • Zuletzt geändert: 20.05.2021 12:43.
  • von 127.0.0.1