Installation and configuration of ClamAV
Basics
Scanning of the e-mail itself as well as of its attachments is done by the free antivirus toolkit ClamAV for Unix, a virus scanner released under the GNU GPL. It was designed specifically for scanning e-mail on mail gateways, but it can equally be used to check HTTP data streams and to scan file systems. The package provides a set of tools: a flexible and scalable multi-threaded daemon, a command-line scanner and a sophisticated program for automatic updates over the Internet. The heart of the package is an antivirus engine in the form of a shared library.
The main features of ClamAV are:
- command-line scanner
- fast multi-threaded daemon with support for on-access scanning
- sophisticated database update program with support for scripted updates and digital signatures
- virus scanner library written in C
- on-access scanning
- virus database updated several times a day (see the homepage for the total number of signatures)
- built-in support for various archive formats such as Zip, RAR, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others
- built-in support for almost all mail file formats
- built-in support for ELF executables and Portable Executable files compressed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others
ClamAV is mostly used together with Postfix and AMaViS. The installation and configuration of the virus scanner environment (ClamAV under CentOS 6.x) is described in detail on this page.
In what follows we deal with the installation and configuration of ClamAV in a mail server environment.
Installation
For installing clamav and its associated packages we best use the rpmforge repository; the installation itself is done with the help of yum.
# yum install clamd clamav clamav-db -y
Program info
A look at each installed rpm shows us what the individual packages brought along during installation.
clamav
# rpm -qil clamav
Name        : clamav                       Relocations: (not relocatable)
Version     : 0.97.4                            Vendor: Dag Apt Repository, http://dag.wieers.com/apt/
Release     : 1.el6.rf                      Build Date: Thu 15 Mar 2012 08:04:38 AM CET
Install Date: Sun 10 Jun 2012 11:38:35 PM CEST      Build Host: lisse.hasselt.wieers.com
Group       : Applications/System           Source RPM: clamav-0.97.4-1.el6.rf.src.rpm
Size        : 6113818                          License: GPL
Signature   : DSA/SHA1, Thu 15 Mar 2012 03:28:39 PM CET, Key ID a20e52146b8d79e6
Packager    : Dag Wieers <dag@wieers.com>
URL         : http://www.clamav.net/
Summary     : Anti-virus software
Description :
Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose of this
software is the integration with mail servers (attachment scanning). The
package provides a flexible and scalable multi-threaded daemon, a command line
scanner, and a tool for automatic updating via Internet. The programs are
based on a shared library distributed with the Clam AntiVirus package, which
you can use with your own software. Most importantly, the virus database is
kept up to date
/etc/freshclam.conf
/usr/bin/clambc
/usr/bin/clamscan
/usr/bin/freshclam
/usr/bin/sigtool
/usr/lib64/libclamav.so
/usr/lib64/libclamav.so.6
/usr/lib64/libclamav.so.6.1.13
/usr/lib64/libclamunrar.so
/usr/lib64/libclamunrar.so.6
/usr/lib64/libclamunrar.so.6.1.13
/usr/lib64/libclamunrar_iface.so
/usr/lib64/libclamunrar_iface.so.6
/usr/lib64/libclamunrar_iface.so.6.1.13
/usr/share/doc/clamav-0.97.4
/usr/share/doc/clamav-0.97.4/AUTHORS
/usr/share/doc/clamav-0.97.4/BUGS
/usr/share/doc/clamav-0.97.4/COPYING
/usr/share/doc/clamav-0.97.4/ChangeLog
/usr/share/doc/clamav-0.97.4/FAQ
/usr/share/doc/clamav-0.97.4/INSTALL
/usr/share/doc/clamav-0.97.4/NEWS
/usr/share/doc/clamav-0.97.4/README
/usr/share/doc/clamav-0.97.4/clamav-mirror-howto.pdf
/usr/share/doc/clamav-0.97.4/clamdoc.pdf
/usr/share/doc/clamav-0.97.4/freshclam.conf
/usr/share/doc/clamav-0.97.4/phishsigs_howto.pdf
/usr/share/doc/clamav-0.97.4/signatures.pdf
/usr/share/man/man1/clambc.1.gz
/usr/share/man/man1/clamscan.1.gz
/usr/share/man/man1/freshclam.1.gz
/usr/share/man/man1/sigtool.1.gz
/usr/share/man/man5/freshclam.conf.5.gz
clamav-db
# rpm -qil clamav-db
Name        : clamav-db                    Relocations: (not relocatable)
Version     : 0.97.4                            Vendor: Dag Apt Repository, http://dag.wieers.com/apt/
Release     : 1.el6.rf                      Build Date: Thu 15 Mar 2012 08:04:38 AM CET
Install Date: Sun 10 Jun 2012 11:38:34 PM CEST      Build Host: lisse.hasselt.wieers.com
Group       : Applications/Databases        Source RPM: clamav-0.97.4-1.el6.rf.src.rpm
Size        : 33616088                         License: GPL
Signature   : DSA/SHA1, Thu 15 Mar 2012 03:28:43 PM CET, Key ID a20e52146b8d79e6
Packager    : Dag Wieers <dag@wieers.com>
URL         : http://www.clamav.net/
Summary     : Virus database for clamav
Description :
The actual virus database for clamav
/etc/cron.daily/freshclam
/etc/logrotate.d/freshclam
/var/clamav
/var/clamav/daily.cvd
/var/clamav/main.cvd
/var/log/clamav
/var/log/clamav/freshclam.log
clamd
# rpm -qil clamd
Name        : clamd                        Relocations: (not relocatable)
Version     : 0.97.4                            Vendor: Dag Apt Repository, http://dag.wieers.com/apt/
Release     : 1.el6.rf                      Build Date: Thu 15 Mar 2012 08:04:38 AM CET
Install Date: Sun 10 Jun 2012 11:38:37 PM CEST      Build Host: lisse.hasselt.wieers.com
Group       : System Environment/Daemons    Source RPM: clamav-0.97.4-1.el6.rf.src.rpm
Size        : 602939                           License: GPL
Signature   : DSA/SHA1, Thu 15 Mar 2012 03:28:41 PM CET, Key ID a20e52146b8d79e6
Packager    : Dag Wieers <dag@wieers.com>
URL         : http://www.clamav.net/
Summary     : The Clam AntiVirus Daemon
Description :
The Clam AntiVirus Daemon
/etc/clamd.conf
/etc/logrotate.d/clamav
/etc/rc.d/init.d/clamd
/usr/bin/clamconf
/usr/bin/clamdscan
/usr/bin/clamdtop
/usr/sbin/clamd
/usr/share/doc/clamd-0.97.4
/usr/share/doc/clamd-0.97.4/clamd.conf
/usr/share/man/man1/clambc.1.gz
/usr/share/man/man1/clamconf.1.gz
/usr/share/man/man1/clamdscan.1.gz
/usr/share/man/man1/clamdtop.1.gz
/usr/share/man/man5/clamd.conf.5.gz
/usr/share/man/man8/clamd.8.gz
/var/clamav
/var/log/clamav
/var/log/clamav/clamd.log
/var/run/clamav
Configuration
clamd
The configuration file /etc/clamd.conf is already well prepared; no special adjustment of the configuration is therefore necessary.
- /etc/clamd.conf
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##

# Comment or remove the line below.
#Example

# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamav/clamd.log

# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default: 1M
LogFileMaxSize 0

# Log time with each message.
# Default: no
LogTime yes

# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes

# Use system logger (can work together with LogFile).
# Default: no
LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

# Enable verbose logging.
# Default: no
#LogVerbose yes

# Log additional information about the infected file, such as its
# size and hash, together with the virus name.
#ExtendedDetectionInfo yes

# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile /var/run/clamav/clamd.pid

# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
TemporaryDirectory /var/tmp

# Path to the database directory.
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/clamav

# Only load the official signatures published by the ClamAV project.
# Default: no
#OfficialDatabaseOnly no

# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.

# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /var/run/clamav/clamd.sock

# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
#LocalSocketGroup virusgroup

# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
#LocalSocketMode 660

# Remove stale socket after unclean shutdown.
# Default: yes
FixStaleSocket yes

# TCP port address.
# Default: no
TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.
# Default: 200
MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
#StreamMaxLength 10M

# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000

# Maximum number of threads running at the same time.
# Default: 10
MaxThreads 50

# Waiting for data from a client socket will timeout after this time (seconds).
# Default: 120
ReadTimeout 300

# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 5
#CommandReadTimeout 5

# This option specifies how long to wait (in miliseconds) if the send buffer is full.
# Keep this value low to prevent clamd hanging
#
# Default: 500
#SendBufTimeout 200

# Maximum number of queued items (including those being processed by MaxThreads threads)
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file descriptors,
# the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
#
# Default: 100
#MaxQueue 200

# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60

# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
#ExcludePath ^/proc/
#ExcludePath ^/sys/

# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20

# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes

# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes

# Scan files and directories on other filesystems.
# Default: yes
#CrossFilesystems yes

# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600

# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clamav

# Initialize supplementary group access (clamd must be started by root).
# Default: no
AllowSupplementaryGroups yes

# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes

# Don't fork into background.
# Default: no
#Foreground yes

# Enable debug messages in libclamav.
# Default: no
#Debug yes

# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes

# Detect Possibly Unwanted Applications.
# Default: no
#DetectPUA yes

# Exclude a specific PUA category. This directive can be used multiple times.
# See http://www.clamav.net/support/pua for the complete list of PUA
# categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool

# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
#IncludePUA Spy
#IncludePUA Scanner
#IncludePUA RAT

# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to provide accurate detection. This option
# controls the algorithmic detection.
# Default: yes
#AlgorithmicDetection yes


##
## Executable files
##

# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option allows
# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite. If you turn off this option, the original files will still be
# scanned, but without additional processing.
# Default: yes
ScanPE yes

# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanELF yes

# With this option clamav will try to detect broken executables (both PE and
# ELF) and mark them as Broken.Executable.
# Default: no
DetectBrokenExecutables yes


##
## Documents
##

# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanOLE2 yes

# With this option enabled OLE2 files with VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#OLE2BlockMacros no

# This option enables scanning within PDF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanPDF yes


##
## Mail files
##

# Enable internal e-mail scanner.
# If you turn off this option, the original files will still be scanned, but
# without parsing individual messages/attachments.
# Default: yes
ScanMail yes

# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: no
#ScanPartialMessages yes

# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes

# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes

# Always block SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockSSLMismatch no

# Always block cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockCloak no

# Allow heuristic match to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes


##
## Data Loss Prevention (DLP)
##

# Enable the DLP module
# Default: No
#StructuredDataDetection yes

# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5

# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal yes

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes


##
## HTML
##

# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
#ScanHTML yes


##
## Archives
##

# ClamAV can scan within archives and compressed files.
# If you turn off this option, the original files will still be scanned, but
# without unpacking and additional processing.
# Default: yes
ScanArchive yes

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
ArchiveBlockEncrypted no


##
## Limits
##

# The options below protect your system against Denial of Service attacks
# using archive bombs.

# This option sets the maximum amount of data to be scanned for each input file.
# Archives and other containers are recursively extracted and scanned up to this
# value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
#MaxScanSize 150M

# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
#MaxFileSize 30M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: setting this limit too high may result in severe damage to the system.
# Default: 16
#MaxRecursion 10

# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000


##
## Clamuko settings
##

# Enable Clamuko. Dazuko must be configured and running. Clamuko supports
# both Dazuko (/dev/dazuko) and DazukoFS (/dev/dazukofs.ctrl). DazukoFS
# is the preferred option. For more information please visit www.dazuko.org
# Default: no
#ClamukoScanOnAccess yes

# The number of scanner threads that will be started (DazukoFS only).
# Having multiple scanner threads allows Clamuko to serve multiple
# processes simultaneously. This is particularly beneficial on SMP machines.
# Default: 3
#ClamukoScannerCount 3

# Don't scan files larger than ClamukoMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#ClamukoMaxFileSize 10M

# Set access mask for Clamuko (Dazuko only).
# Default: no
#ClamukoScanOnOpen yes
#ClamukoScanOnClose yes
#ClamukoScanOnExec yes

# Set the include paths (all files inside them will be scanned). You can have
# multiple ClamukoIncludePath directives but each directory must be added
# in a seperate line. (Dazuko only)
# Default: disabled
#ClamukoIncludePath /home
#ClamukoIncludePath /students

# Set the exclude paths. All subdirectories are also excluded. (Dazuko only)
# Default: disabled
#ClamukoExcludePath /home/bofh

# With this option you can whitelist specific UIDs. Processes with these UIDs
# will be able to access all files.
# This option can be used multiple times (one per line).
# Default: disabled
#ClamukoExcludeUID 0

# With this option enabled ClamAV will load bytecode from the database.
# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
# Default: yes
#Bytecode yes

# Set bytecode security level.
# Possible values:
#       None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
#         This value is only available if clamav was built with --enable-debug!
#       TrustSigned - trust bytecode loaded from signed .c[lv]d files,
#                insert runtime safety checks for bytecode loaded from other sources
#       Paranoid - don't trust any bytecode, insert runtime checks for all
# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
#
# Default: TrustSigned
#BytecodeSecurity TrustSigned

# Set bytecode timeout in miliseconds.
#
# Default: 5000
# BytecodeTimeout 1000
If you want to see the whole configuration without the many comment lines, a well-chosen egrep will print it for you.
# egrep -v '(^.*#|^$)' /etc/clamd.conf
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime yes
LogSyslog yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/clamav
LocalSocket /var/run/clamav/clamd.sock
FixStaleSocket yes
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User clamav
AllowSupplementaryGroups yes
ScanPE yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
ScanMail yes
ScanArchive yes
ArchiveBlockEncrypted no
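As an added example that is not part of the original page, the following POSIX shell script does what the egrep above does, but on a configurable file, and then audits the exposure-related directives that the comments in clamd.conf warn about: whether a TCPSocket is bound to loopback via TCPAddr (the shipped comment notes that clamd otherwise binds to INADDR_ANY, and clamd performs no client authentication on that port), whether LocalSocketMode restricts the Unix socket (the default is world accessible), whether privileges are dropped via User, and whether the archive-bomb limits MaxScanSize/MaxFileSize have been switched off with 0. The function names clamd_effective, clamd_get and clamd_audit are this example's own; the two sample config files are constructed here, one mirroring the active settings from this page and one deliberately weak. On a real host point clamd_audit at /etc/clamd.conf.

```shell
#!/bin/sh
# Added example, not from the page: audit the active directives of a clamd.conf.

# Active directives only: drop comment lines and blank lines. The page's egrep
# drops every line that contains a '#'; this variant only drops lines that
# begin with one, so a '#' inside a value would survive.
clamd_effective() {
    sed -e 's/^[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Value of one directive ($1) in config file ($2); empty if unset or commented.
clamd_get() {
    clamd_effective "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# One finding per line; nothing printed means nothing to report.
clamd_audit() {
    conf="$1"
    tcp=$(clamd_get TCPSocket "$conf")
    addr=$(clamd_get TCPAddr "$conf")
    if [ -n "$tcp" ] && [ -z "$addr" ]; then
        echo "TCPSocket $tcp without TCPAddr: clamd binds to INADDR_ANY"
    elif [ -n "$tcp" ] && [ "$addr" != "127.0.0.1" ] && [ "$addr" != "::1" ]; then
        echo "TCPAddr $addr: port $tcp is reachable from other hosts"
    fi
    if [ -n "$(clamd_get LocalSocket "$conf")" ] && [ -z "$(clamd_get LocalSocketMode "$conf")" ]; then
        echo "LocalSocket without LocalSocketMode: socket is world accessible"
    fi
    if [ -z "$(clamd_get User "$conf")" ]; then
        echo "User not set: clamd does not drop privileges"
    fi
    if [ "$(clamd_get MaxScanSize "$conf")" = "0" ] || [ "$(clamd_get MaxFileSize "$conf")" = "0" ]; then
        echo "MaxScanSize/MaxFileSize 0: archive-bomb limit disabled"
    fi
    return 0
}

# Constructed sample 1: the active settings from this page's clamd.conf.
SAMPLE_PAGE=$(mktemp)
cat > "$SAMPLE_PAGE" <<'EOF'
LogFile /var/log/clamav/clamd.log
LocalSocket /var/run/clamav/clamd.sock
#LocalSocketMode 660
TCPSocket 3310
TCPAddr 127.0.0.1
User clamav
#MaxScanSize 150M
EOF

# Constructed sample 2: a deliberately weak configuration for comparison.
SAMPLE_WEAK=$(mktemp)
cat > "$SAMPLE_WEAK" <<'EOF'
LocalSocket /var/run/clamav/clamd.sock
TCPSocket 3310
#TCPAddr 127.0.0.1
#User clamav
MaxScanSize 0
EOF

# Stand-alone run: report both samples (the page's config yields one finding,
# the weak one four).
for f in "$SAMPLE_PAGE" "$SAMPLE_WEAK"; do
    echo "== $f"
    clamd_audit "$f"
done
```

The single finding for this page's configuration is the unset LocalSocketMode; since amavisd runs as a different user than clamd, fixing it means pairing LocalSocketMode with LocalSocketGroup so that the amavis group keeps access.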
In the configuration file of our AMaViS daemon we find the following configuration hint for integrating and using ClamAV.
# ### http://www.clamav.net/
# ['ClamAV-clamd',
# \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
# qr/\bOK$/m, qr/\bFOUND$/m,
# qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
# # NOTE: run clamd under the same user as amavisd, or run it under its own
# # uid such as clamav, add user clamav to the amavis group, and then add
# # AllowSupplementaryGroups to clamd.conf;
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# # this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
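The entry above describes the exchange between amavisd and clamd: amavisd connects to the socket, sends the CONTSCAN command with the directory of the unpacked message substituted for {}, and classifies every reply line with the three patterns. The following POSIX shell script is an added example, not part of this page or of AMaViS; it builds that request and applies the same three classifications to a few constructed reply lines (Eicar-Test-Signature is ClamAV's detection name for the harmless EICAR test file). The function names clamd_request and clamd_classify are this example's own, and it does not talk to a socket.

```shell
#!/bin/sh
# Added example, not from the page: the CONTSCAN request and the reply
# classification that the ['ClamAV-clamd', ...] amavisd entry performs.

# Request: "CONTSCAN {}\n" with {} replaced by the directory amavisd unpacked
# the message into. clamd scans it recursively and answers one line per file.
clamd_request() {
    printf 'CONTSCAN %s\n' "$1"
}

# Classify one reply line the way the three amavisd patterns do:
#   qr/\bOK$/m                                 -> clean
#   qr/\bFOUND$/m                              -> infected
#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m -> extract the detection name,
#                                                 but not the generic
#                                                 "Infected Archive" marker
# Anything else (e.g. a line ending in ERROR) is treated as a scanner error.
clamd_classify() {
    printf '%s\n' "$1" | awk '
        $NF == "OK"    { print "clean"; next }
        $NF == "FOUND" {
            name = substr($0, index($0, ": ") + 2)   # text after the first ": "
            sub(/ FOUND$/, "", name)
            if (name ~ /^Infected Archive/) print "infected"
            else                            print "infected " name
            next
        }
        { print "error" }'
}

# Constructed reply lines in the shape of clamd replies (not captured output).
SAMPLE_REPLIES='/var/amavis/tmp/amavis-1/parts: OK
/var/amavis/tmp/amavis-2/parts/p001: Eicar-Test-Signature FOUND
/var/amavis/tmp/amavis-3/parts/p002: Infected Archive FOUND
/var/amavis/tmp/amavis-4/parts: lstat() failed: No such file or directory. ERROR'

# Stand-alone run: show the request and classify every sample reply.
clamd_request /var/amavis/tmp/amavis-1/parts
printf '%s\n' "$SAMPLE_REPLIES" | while IFS= read -r line; do
    printf '%-70s -> %s\n' "$line" "$(clamd_classify "$line")"
done
```

The third pattern is what populates the virus name in amavisd's log and notifications; a reply that matches neither OK nor FOUND is the case AMaViS treats as a scanner failure and falls through to its backup scanner.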
So we briefly check whether the user clamav is already a member of the group amavis.
# grep amavis /etc/group
amavis:x:494:
So the group amavis (ID 494) contains only a single user. A look at /etc/passwd shows us who this user is.
# grep 494 /etc/passwd
amavis:x:497:494:Amavis email scan user:/var/amavis:/bin/sh
This is therefore "only" the user amavis itself. So we now add the user clamav to the group amavis.
# usermod -a -G amavis clamav
Another look now shows that, as stated in the hints in /etc/amavisd.conf, the user clamav is a member of the group amavis.
# grep amavis /etc/group
amavis:x:494:clamav
freshclamd
So that ClamAV is always supplied with current virus information, the program freshclam from the clamav package is at our service.
In the default configuration freshclam makes sure that the virus pattern database is updated once a day. If needed we can adapt the update cycle to our requirements and, for example, check every hour whether new pattern files are available, download them to our machine and merge them into the local database. In principle two mechanisms are available for this: the crontab and daemon mode. Both variants could be used in parallel on the system; both options are briefly described below.
Using crontab
The first and simple variant is to move the update script, which is currently and by default located under /etc/cron.daily with the name freshclam, to /etc/cron.hourly/. The update script contains the following parameters and calls:
#!/bin/sh
### A simple update script for the clamav virus database.
### This could as well be replaced by a SysV script.

### fix log file if needed
LOG_FILE="/var/log/clamav/freshclam.log"
if [ ! -f "$LOG_FILE" ]; then
    touch "$LOG_FILE"
    chmod 644 "$LOG_FILE"
    chown clamav.clamav "$LOG_FILE"
fi

/usr/bin/freshclam \
    --quiet \
    --datadir="/var/clamav" \
    --log="$LOG_FILE" \
    --daemon-notify="/etc/clamd.conf"
So if needed we move the script to /etc/cron.hourly/.
# mv /etc/cron.daily/freshclam /etc/cron.hourly/
Using daemon mode
The second option mentioned before for updating the virus pattern database is to use the freshclam daemon, which runs in the background and regularly queries the pattern servers.
Start script
Since our installation did not ship a suitable init V script, we create our own start script.
# vim /etc/init.d/freshclamd
- freshclamd
#!/bin/sh
#
# freshclamd   Init Script to start/stop the freshclamd.
#
# chkconfig: - 62 38
# description: freshclam is an update daemon for Clam AV database.
#
# processname: freshclamd
# config: /etc/freshclam.conf
# pidfile: /var/run/clamav/freshclam.pid

# Source function library
. /etc/init.d/functions

# Get network config
. /etc/sysconfig/network

test -f /etc/freshclam.conf || exit 0

RETVAL=0

DATA_DIR="/var/clamav"
CLAMD_CONF_FILE="/etc/clamd.conf"
LOG_FILE="/var/log/clamav/freshclam.log"

if [ ! -f "$LOG_FILE" ]; then
    touch "$LOG_FILE"
    chmod 644 "$LOG_FILE"
    chown clamav.clamav "$LOG_FILE"
fi

start() {
    echo -n $"Starting freshclam: "
    # Start me up!
    #   --log="$LOG_FILE" \
    #   --log-verbose \
    daemon /usr/bin/freshclam -d -p /var/run/clamav/freshclam.pid \
        -c 48 \
        --quiet \
        --datadir="$DATA_DIR" \
        --daemon-notify="$CLAMD_CONF_FILE"
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/freshclam
    return $RETVAL
}

stop() {
    echo -n $"Stopping freshclam: "
    killproc freshclam
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/run/clamav/freshclam.pid /var/lock/subsys/freshclam
    return $RETVAL
}

restart() {
    stop
    start
}

reload() {
    echo -n $"Reloading DB: "
    killproc freshclam -ALRM
    RETVAL=$?
    echo
    return $RETVAL
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status freshclam
    ;;
  restart)
    restart
    ;;
  condrestart)
    [ -f /var/lock/subsys/freshclam ] && restart || :
    ;;
  reload)
    reload
    ;;
  *)
    echo $"Usage: $0 {start|stop|status|restart|condrestart|reload}"
    exit 1
esac

exit $?
Afterwards we adjust the file permissions:
# chmod +x /etc/init.d/freshclamd
Configuration
We now adjust the update interval in the configuration file /etc/freshclam.conf to our liking.
# vim /etc/freshclam.conf
...
# Number of database checks per day.
# Default: 12 (every two hours)
# Django 2009-05-17 check the virus pattern database every half hour
Checks 48
...
amavisd
The configuration of our AV scanner clamav is done via its front end AMaViS. So we edit the file amavisd.conf.
# vim /etc/amavisd.conf
We adjust the path settings to our circumstances:
$MYHOME = '/var/amavis';   # a convenient default for other settings, -H
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = "/var/virusmails";
Likewise:
$db_home   = "$MYHOME/db";     # dir for bdb nanny/cache/snmp databases, -D
$helpers_home = "$MYHOME/var";  # working directory for SpamAssassin, -S
$lock_file = "$MYHOME/var/amavisd.lock";  # -L
$pid_file  = "$MYHOME/var/amavisd.pid";   # -P
$unix_socketname = "$MYHOME/amavisd.sock";  # amavisd-release or amavis-milter
For the first program start we turn the log level up to 3; later, in production, we can lower it to 2. That way we get valuable and sufficient hints in the initial phase should something not run as planned.
$log_level = 3; # verbosity 0..5, -d
Since we want to deal neither with viruses nor with spam or unwanted attachments, we instruct AMaViS to have the mail server reject these messages directly.
$final_virus_destiny  = D_REJECT;
$final_banned_destiny = D_REJECT;
$final_spam_destiny   = D_REJECT;
Since we want to use ClamAV with AMaViS primarily in the daemonised variant, and only as a fallback in the backup-scanner role, we activate the corresponding configuration lines shortly after the line @av_scanners = (.
Important: the socket path must match the settings in /etc/clamd.conf described above!
# ### http://www.clamav.net/
# Django : 2012-05-21
# ClamAV activated in the daemonised variant
# default: unset
# ['ClamAV-clamd',
#   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
#   qr/\bOK$/m, qr/\bFOUND$/m,
#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
  qr/\bOK$/m, qr/\bFOUND$/m,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
# # NOTE: run clamd under the same user as amavisd, or run it under its own
# #   uid such as clamav, add user clamav to the amavis group, and then add
# #   AllowSupplementaryGroups to clamd.conf;
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# #   this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
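The two NOTE lines in the entry above, the group check done earlier on this page, and the warning about the socket path all describe preconditions that are easy to get wrong: the shipped entry ends in /var/run/clamav/clamd while the clamd.conf on this page uses /var/run/clamav/clamd.sock, and a clamd user that is not in the amavis group cannot read the unpacked message parts. The following POSIX shell script is an added example, neither from this page nor from AMaViS or ClamAV: it reads LocalSocket from a clamd.conf, the socket path from the active ClamAV-clamd entry of an amavisd.conf (skipping commented-out copies, as in the file above), and the member list of the amavis group from an /etc/group-format file, and reports any mismatch. The function names clamd_socket, amavis_clamd_socket, in_group and check_integration are this example's own; all input files are constructed here, and on a real host you would pass /etc/clamd.conf, /etc/amavisd.conf and /etc/group.

```shell
#!/bin/sh
# Added example, not from the page: verify the clamd <-> amavisd preconditions.

# LocalSocket from the first active (uncommented) line of a clamd.conf.
clamd_socket() {
    awk '$1 == "LocalSocket" { print $2; exit }' "$1"
}

# Socket path from the active ['ClamAV-clamd', ...] entry of an amavisd.conf:
# the second double-quoted string on the CONTSCAN line that follows it.
# Commented-out copies of the entry are skipped.
amavis_clamd_socket() {
    awk '
        /^[[:space:]]*\[.ClamAV-clamd./ { inentry = 1; next }
        inentry && !/^[[:space:]]*#/ && /CONTSCAN/ {
            split($0, q, "\"")
            print q[4]; exit
        }' "$1"
}

# "yes" if user $1 is listed as a supplementary member of group $2 in the
# /etc/group-format file $3 (this is what "usermod -a -G amavis clamav" adds).
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print "yes"; exit }
            print "no"; exit
        }' "$3"
}

# Prints "ok" when both preconditions hold, otherwise one line per problem.
check_integration() {
    c=$(clamd_socket "$1")
    a=$(amavis_clamd_socket "$2")
    problems=0
    if [ "$c" != "$a" ]; then
        echo "socket mismatch: clamd LocalSocket=$c amavisd=$a"
        problems=1
    fi
    if [ "$(in_group clamav amavis "$3")" != "yes" ]; then
        echo "user clamav is not a member of group amavis"
        problems=1
    fi
    if [ "$problems" -eq 0 ]; then echo ok; fi
}

# Constructed clamd.conf fragment with the socket path used on this page.
CLAMD_CONF=$(mktemp)
cat > "$CLAMD_CONF" <<'EOF'
#LocalSocketMode 660
LocalSocket /var/run/clamav/clamd.sock
TCPSocket 3310
EOF

# Constructed amavisd.conf fragment as on this page: shipped entry commented
# out, active copy pointing at clamd.sock.
AMAVISD_CONF=$(mktemp)
cat > "$AMAVISD_CONF" <<'EOF'
@av_scanners = (
# ['ClamAV-clamd',
#   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
#   qr/\bOK$/m, qr/\bFOUND$/m,
#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
  qr/\bOK$/m, qr/\bFOUND$/m,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
);
EOF

# Same fragment with the shipped default socket path left in place.
AMAVISD_DEFAULT=$(mktemp)
cat > "$AMAVISD_DEFAULT" <<'EOF'
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
  qr/\bOK$/m, qr/\bFOUND$/m,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
EOF

# Constructed /etc/group lines before and after "usermod -a -G amavis clamav".
GROUP_BEFORE=$(mktemp); printf 'amavis:x:494:\nclamav:x:495:\n' > "$GROUP_BEFORE"
GROUP_AFTER=$(mktemp);  printf 'amavis:x:494:clamav\nclamav:x:495:\n' > "$GROUP_AFTER"

# Stand-alone run: missing group membership, socket mismatch, then all good.
check_integration "$CLAMD_CONF" "$AMAVISD_CONF" "$GROUP_BEFORE"
check_integration "$CLAMD_CONF" "$AMAVISD_DEFAULT" "$GROUP_AFTER"
check_integration "$CLAMD_CONF" "$AMAVISD_CONF" "$GROUP_AFTER"
```

Either mismatch shows up in the mail log only indirectly (as a failed connection or as clamd answering ERROR for every path), which is why checking both before the first start saves a debugging round.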
So that our mail log file is not later flooded with countless messages such as No primary av scanner: and No secondary av scanner: for scan engines we have not installed, we deactivate those in the configuration file of our AMaViS daemon.
The complete AMaViS configuration therefore now reads as follows.
# less /etc/amavisd.conf
- /etc/amavisd.conf
use strict;

# a minimalistic configuration file for amavisd-new with all necessary settings
#
#   see amavisd.conf-default for a list of all variables with their defaults;
#   see amavisd.conf-sample for a traditional-style commented file;
#   for more details see documentation in INSTALL, README_FILES/*
#   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html


# COMMONLY ADJUSTED SETTINGS:

# @bypass_virus_checks_maps = (1);  # controls running of anti-virus code
# @bypass_spam_checks_maps  = (1);  # controls running of anti-spam code
# $bypass_decode_parts = 1;         # controls running of decoders&dearchivers

$max_servers = 2;            # num of pre-forked children (2..30 is common), -m
$daemon_user  = "amavis";     # (no default;  customary: vscan or amavis), -u
$daemon_group = "amavis";     # (no default;  customary: vscan or amavis), -g

# Django : 2012-05-21
# default: $mydomain = 'example.com';
$mydomain = 'nausch.org';   # a convenient default for other settings

# Django : 2012-06-25 replace "by localhost" in the header lines with ""
# default: unset
$localhost_name = "";

# Django : 2012-05-21
# default: unset
$MYHOME = '/var/amavis';   # a convenient default for other settings, -H
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = "/var/virusmails";
# $quarantine_subdir_levels = 1; # add level of subdirs to disperse quarantine
# $release_format = 'resend';     # 'attach', 'plain', 'resend'
# $report_format  = 'arf';        # 'attach', 'plain', 'resend', 'arf'

# $daemon_chroot_dir = $MYHOME;   # chroot directory or undef, -R

$db_home   = "$MYHOME/db";     # dir for bdb nanny/cache/snmp databases, -D
# Django : 2012-05-21
# default: unset
$helpers_home = "$MYHOME/var";  # working directory for SpamAssassin, -S
# Django : 2012-05-21
# default: unset
$lock_file = "$MYHOME/var/amavisd.lock";  # -L
# Django : 2012-05-21
# default: unset
$pid_file  = "$MYHOME/var/amavisd.pid";   # -P
#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually

# Django : 2012-05-21
# default: $log_level = 0;
$log_level = 3;              # verbosity 0..5, -d
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_facility = 'mail';   # Syslog facility as a string
           # e.g.: mail, daemon, user, local0, ... local7
$syslog_priority = 'debug';  # Syslog base (minimal) priority as a string,
           # choose from: emerg, alert, crit, err, warning, notice, info, debug

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
$nanny_details_level = 2;    # nanny verbosity: 1: traditional, 2: detailed
$enable_dkim_verification = 1;  # enable DKIM signatures verification
$enable_dkim_signing = 1;    # load DKIM signing code, keys defined by dkim_key

@local_domains_maps = ( [".$mydomain"] );  # list of all local domains

# Django : 2012-05-21
# @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
#                   10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
@mynetworks = qw( 127.0.0.0/8 10.0.0.0/24 );

$unix_socketname = "$MYHOME/amavisd.sock";  # amavisd-release or amavis-milter
                  # option(s) -p overrides $inet_socket_port and $unix_socketname

$inet_socket_port = 10024;   # listen on this local TCP port(s)
# $inet_socket_port = [10024,10026];  # listen on multiple TCP ports

# Django : 2012-05-21
# default: unset # listening only on localhost
$inet_socket_bind = '*';  # listen on this port 10024 on all network-interfaces

# Django : 2012-05-21
# default: @inet_acl = qw( 127.0.0.1 ::1 );
@inet_acl = qw( 127.0.0.1 10.0.0.80/32 );  # access allowed from this hosts

$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
};

# it is up to MTA to re-route mail from authenticated roaming users or
# from internal hosts to a dedicated TCP port (such as 10026) for filtering
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps  => ["virusalert\@$mydomain"],
  warnbadhsender   => 1,
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};

$interface_policy{'SOCK'} = 'AM.PDP-SOCK';  # only applies with $unix_socketname

# Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c
# (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'):
$policy_bank{'AM.PDP-SOCK'} = {
  protocol => 'AM.PDP',
  auth_required_release => 0,  # do not require secret_id for amavisd-release
};

$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
# Django : 2012-05-21
# default: $sa_tag2_level_deflt = 6.2;
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
# Django : 2012-05-21
# default: $sa_kill_level_deflt = 6.9;
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
$penpals_bonus_score = 8;    # (no effect without a @storage_sql_dsn database)
$penpals_threshold_high = $sa_kill_level_deflt;  # don't waste time on hi spam
$bounce_killer_score = 100;  # spam score points to add for joe-jobbed bounces

$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?
# @lookup_sql_dsn = # ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'], # ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'], # ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] ); # @storage_sql_dsn = @lookup_sql_dsn; # none, same, or separate database # $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP; # defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16) $virus_admin = "virusalert\@$mydomain"; # notifications recip. $mailfrom_notify_admin = "virusalert\@$mydomain"; # notifications sender $mailfrom_notify_recip = "virusalert\@$mydomain"; # notifications sender $mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender $mailfrom_to_quarantine = ''; # null return path; uses original sender if undef @addr_extension_virus_maps = ('virus'); @addr_extension_banned_maps = ('banned'); @addr_extension_spam_maps = ('spam'); @addr_extension_bad_header_maps = ('badh'); # $recipient_delimiter = '+'; # undef disables address extensions altogether # when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+ $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; # $dspam = 'dspam'; $MAXLEVELS = 14; $MAXFILES = 1500; $MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced) $MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced) $sa_spam_subject_tag = '***SPAM*** '; $defang_virus = 1; # MIME-wrap passed infected mail $defang_banned = 1; # MIME-wrap passed mail containing banned name # for defanging bad headers only turn on certain minor contents categories: $defang_by_ccat{+CC_BADH.",3"} = 1; # NUL or CR character in header $defang_by_ccat{+CC_BADH.",5"} = 1; # header line longer than 998 characters $defang_by_ccat{+CC_BADH.",6"} = 1; # header field syntax error # OTHER MORE COMMON SETTINGS (defaults may suffice): # Django : 2010-05-21 # default: unset $myhostname = 'amavis.dmz.nausch.org'; # 
must be a fully-qualified domain name! # Django : 2010-05-21 # default: # $notify_method = 'smtp:[127.0.0.1]:10025'; $notify_method = 'smtp:[mail.dmz.nausch.org]:10025'; # Django : 2010-05-21 # default: # $forward_method = 'smtp:[127.0.0.1]:10025'; $forward_method = 'smtp:[mail.dmz.nausch.org]:10025'; # set to undef with milter! # Django : 2012-05-21 # default: unset $final_virus_destiny = D_DISCARD; # Django : 2012-05-21 # default: unset $final_banned_destiny = D_BOUNCE; # Django : 2012-05-21 # default: unset $final_spam_destiny = D_BOUNCE; # $final_bad_header_destiny = D_PASS; # $bad_header_quarantine_method = undef; # $os_fingerprint_method = 'p0f:*:2345'; # to query p0f-analyzer.pl ## hierarchy by which a final setting is chosen: ## policy bank (based on port or IP address) -> *_by_ccat ## *_by_ccat (based on mail contents) -> *_maps ## *_maps (based on recipient address) -> final configuration value # SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all) # $warnbadhsender, # $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps) # # @bypass_virus_checks_maps, @bypass_spam_checks_maps, # @bypass_banned_checks_maps, @bypass_header_checks_maps, # # @virus_lovers_maps, @spam_lovers_maps, # @banned_files_lovers_maps, @bad_header_lovers_maps, # # @blacklist_sender_maps, @score_sender_maps, # # $clean_quarantine_method, $virus_quarantine_to, $banned_quarantine_to, # $bad_header_quarantine_to, $spam_quarantine_to, # # $defang_bad_header, $defang_undecipherable, $defang_spam # REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS @keep_decoded_original_maps = (new_RE( qr'^MAIL$', # retain full original message for virus checking qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables qr'^(ASCII(?! 
cpio)|text|uuencoded|xxencoded|binhex)'i, # qr'^Zip archive data', # don't trust Archive::Zip )); # for $banned_namepath_re (a new-style of banned table) see amavisd.conf-sample $banned_filename_re = new_RE( ### BLOCKED ANYWHERE # qr'^UNDECIPHERABLE$', # is or contains any undecipherable components qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary # qr'^\.(exe|lha|cab|dll)$', # banned file(1) types ### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES: # [ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2 [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives qr'.\.(pif|scr)$'i, # banned extensions - rudimentary # qr'^\.zip$', # block zip type ### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES: # [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives qr'^application/x-msdownload$'i, # block these MIME types qr'^application/x-msdos-program$'i, qr'^application/hta$'i, # qr'^message/partial$'i, # rfc2046 MIME type # qr'^message/external-body$'i, # rfc2046 MIME type # qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME type # qr'^\.wmf$', # Windows Metafile file(1) type # block certain double extensions in filenames qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i, # qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict # qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic # qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd # qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta| # inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst| # ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs| # wmf|wsc|wsf|wsh)$'ix, # banned ext - long # qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename # qr'^\.ani$', # banned animated cursor file(1) type # qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab. 
); # See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631 # and http://www.cknow.com/vtutor/vtextensions.htm # ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING @score_sender_maps = ({ # a by-recipient hash lookup table, # results from all matching recipient tables are summed # ## per-recipient personal tables (NOTE: positive: black, negative: white) # 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}], # 'user3@example.com' => [{'.ebay.com' => -3.0}], # 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0, # '.cleargreen.com' => -5.0}], ## site-wide opinions about senders (the '.' matches any recipient) '.' => [ # the _first_ matching sender determines the score boost new_RE( # regexp-type lookup table, just happens to be all soft-blacklist [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0], [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0], [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0], [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0], [qr'^(your_friend|greatoffers)@'i => 5.0], [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], ), # read_hash("/var/amavis/sender_scores_sitewide"), { # a hash-type lookup table (associative array) 'nobody@cert.org' => -3.0, 'cert-advisory@us-cert.gov' => -3.0, 'owner-alert@iss.net' => -3.0, 'slashdot@slashdot.org' => -3.0, 'securityfocus.com' => -3.0, 'ntbugtraq@listserv.ntbugtraq.com' => -3.0, 'security-alerts@linuxsecurity.com' => -3.0, 'mailman-announce-admin@python.org' => -3.0, 'amavis-user-admin@lists.sourceforge.net'=> -3.0, 'amavis-user-bounces@lists.sourceforge.net' => -3.0, 'spamassassin.apache.org' => -3.0, 'notification-return@lists.sophos.com' => -3.0, 'owner-postfix-users@postfix.org' => -3.0, 'owner-postfix-announce@postfix.org' => -3.0, 'owner-sendmail-announce@lists.sendmail.org' => -3.0, 
'sendmail-announce-request@lists.sendmail.org' => -3.0, 'donotreply@sendmail.org' => -3.0, 'ca+envelope@sendmail.org' => -3.0, 'noreply@freshmeat.net' => -3.0, 'owner-technews@postel.acm.org' => -3.0, 'ietf-123-owner@loki.ietf.org' => -3.0, 'cvs-commits-list-admin@gnome.org' => -3.0, 'rt-users-admin@lists.fsck.com' => -3.0, 'clp-request@comp.nus.edu.sg' => -3.0, 'surveys-errors@lists.nua.ie' => -3.0, 'emailnews@genomeweb.com' => -5.0, 'yahoo-dev-null@yahoo-inc.com' => -3.0, 'returns.groups.yahoo.com' => -3.0, 'clusternews@linuxnetworx.com' => -3.0, lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, # soft-blacklisting (positive score) 'sender@example.net' => 3.0, '.example.net' => 1.0, }, ], # end of site-wide tables }); @decoders = ( ['mail', \&do_mime_decode], ['asc', \&do_ascii], ['uue', \&do_ascii], ['hqx', \&do_ascii], ['ync', \&do_ascii], ['F', \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ], ['Z', \&do_uncompress, ['uncompress','gzip -d','zcat'] ], ['gz', \&do_uncompress, 'gzip -d'], ['gz', \&do_gunzip], ['bz2', \&do_uncompress, 'bzip2 -d'], ['lzo', \&do_uncompress, 'lzop -d'], ['rpm', \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ], ['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ], ['tar', \&do_pax_cpio, ['pax','gcpio','cpio'] ], ['deb', \&do_ar, 'ar'], # ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill ['zip', \&do_unzip], ['7z', \&do_7zip, ['7zr','7za','7z'] ], ['rar', \&do_unrar, ['rar','unrar'] ], ['arj', \&do_unarj, ['arj','unarj'] ], ['arc', \&do_arc, ['nomarch','arc'] ], ['zoo', \&do_zoo, ['zoo','unzoo'] ], ['lha', \&do_lha, 'lha'], # ['doc', \&do_ole, 'ripole'], ['cab', \&do_cabextract, 'cabextract'], ['tnef', \&do_tnef_ext, 'tnef'], ['tnef', \&do_tnef], # ['sit', \&do_unstuff, 'unstuff'], # broken/unsafe decoder ['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ], ); @av_scanners = ( # ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/) # 
['Sophie', # \&ask_daemon, ["{}/\n", '/var/run/sophie'], # qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m, qr/(?x)^ 1 ( : | [\000\r\n]* $)/m, # qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ], # ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/ # ['Sophos SAVI', \&sophos_savi ], # ### http://www.clamav.net/ # Django : 2012-05-21 # ClamAV in der daemonisierten Variante aktiviert # default: unset # ['ClamAV-clamd', # \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"], # qr/\bOK$/m, qr/\bFOUND$/m, # qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], ['ClamAV-clamd', \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"], qr/\bOK$/m, qr/\bFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], # # NOTE: run clamd under the same user as amavisd, or run it under its own # # uid such as clamav, add user clamav to the amavis group, and then add # # AllowSupplementaryGroups to clamd.conf; # # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in # # this entry; when running chrooted one may prefer socket "$MYHOME/clamd". # ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred) # # note that Mail::ClamAV requires perl to be build with threading! # ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/m ], # ### http://www.openantivirus.org/ # ['OpenAntiVirus ScannerDaemon (OAV)', # \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'], # qr/^OK/m, qr/^FOUND: /m, qr/^FOUND: (.+)/m ], # ### http://www.vanja.com/tools/trophie/ # ['Trophie', # \&ask_daemon, ["{}/\n", '/var/run/trophie'], # qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m, qr/(?x)^ 1 ( : | [\000\r\n]* $)/m, # qr/(?x)^ [-+]? \d+ : (.*?) 
[\000\r\n]* $/m ], # ### http://www.grisoft.com/ # ['AVG Anti-Virus', # \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'], # qr/^200/m, qr/^403/m, qr/^403 .*?: ([^\r\n]+)/m ], # ### http://www.f-prot.com/ # ['F-Prot fpscand', # F-PROT Antivirus for BSD/Linux/Solaris, version 6 # \&ask_daemon, # ["SCAN FILE {}/*\n", '127.0.0.1:10200'], # qr/^(0|8|64) /m, # qr/^([1235679]|1[01345]) |<[^>:]*(?i)(infected|suspicious|unwanted)/m, # qr/(?i)<[^>:]*(?:infected|suspicious|unwanted)[^>:]*: ([^>]*)>/m ], # ### http://www.f-prot.com/ # ['F-Prot f-protd', # old version # \&ask_daemon, # ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n", # ['127.0.0.1:10200', '127.0.0.1:10201', '127.0.0.1:10202', # '127.0.0.1:10203', '127.0.0.1:10204'] ], # qr/(?i)<summary[^>]*>clean<\/summary>/m, # qr/(?i)<summary[^>]*>infected<\/summary>/m, # qr/(?i)<name>(.+)<\/name>/m ], # ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/ # ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later # [pack('N',1). # DRWEBD_SCAN_CMD # pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES # pack('N', # path length # length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")). # '{}/*'. # path # pack('N',0). # content size # pack('N',0), # '/var/drweb/run/drwebd.sock', # # '/var/amavis/var/run/drwebd.sock', # suitable for chroot # # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default # # '127.0.0.1:3000', # or over an inet socket # ], # qr/\A\x00[\x10\x11][\x00\x10]\x00/sm, # IS_CLEAN,EVAL_KEY; SKIPPED # qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/sm,# KNOWN_V,UNKNOWN_V,V._MODIF # qr/\A.{12}(?:infected with )?([^\x00]+)\x00/sm, # ], # # NOTE: If using amavis-milter, change length to: # # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx"). 
# Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.kaspersky.com/ (kav4mailservers) # ['KasperskyLab AVP - aveclient', # ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient', # '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'], # '-p /var/run/aveserver -s {}/*', # [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m, # qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m, # ], # # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious, # # currupted or protected archives are to be handled # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.kaspersky.com/ # ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'], # '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ? # qr/infected: (.+)/m, # sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"}, # sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, # ], # Django : 2012-05-21 # Eintrag deaktiviert # ### The kavdaemon and AVPDaemonClient have been removed from Kasperky # ### products and replaced by aveserver and aveclient # ['KasperskyLab AVPDaemonClient', # [ '/opt/AVP/kavdaemon', 'kavdaemon', # '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient', # '/opt/AVP/AvpTeamDream', 'AvpTeamDream', # '/opt/AVP/avpdc', 'avpdc' ], # "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ], # # change the startup-script in /etc/init.d/kavd to: # # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis" # # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" ) # # adjusting /var/amavis above to match your $TEMPBASE. # # The '-f=/var/amavis' is needed if not running it as root, so it # # can find, read, and write its pid file, etc., see 'man kavdaemon'. # # defUnix.prf: there must be an entry "*/var/amavis" (or whatever # # directory $TEMPBASE specifies) in the 'Names=' section. 
# # cd /opt/AVP/DaemonClients; configure; cd Sample; make # # cp AvpDaemonClient /opt/AVP/ # # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}" # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.centralcommand.com/ # ['CentralCommand Vexira (new) vascan', # ['vascan','/usr/lib/Vexira/vascan'], # "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ". # "--log=/var/log/vascan.log {}", # [0,3], [1,2,5], # qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ], # # Adjust the path of the binary and the virus database as needed. # # 'vascan' does not allow to have the temp directory to be the same as # # the quarantine directory, and the quarantine option can not be disabled. # # If $QUARANTINEDIR is not used, then another directory must be specified # # to appease 'vascan'. Move status 3 to the second list if password # # protected files are to be considered infected. # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.avira.com/ # ### Avira AntiVir (formerly H+BEDV) or (old) CentralCommand Vexira Antivirus # ['Avira AntiVir', ['antivir','vexira'], # '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m, # qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | # (?i) VIRUS:\ .*?\ virus\ '?) 
( [^\]\s']+ )/m ], # # NOTE: if you only have a demo version, remove -z and add 214, as in: # # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/, # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.commandsoftware.com/ # ['Command AntiVirus for Linux', 'csav', # '-all -archive -packed {}', [50], [51,52,53], # qr/Infection: (.+)/m ], # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.symantec.com/ # ['Symantec CarrierScan via Symantec CommandLineScanner', # 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}', # qr/^Files Infected:\s+0$/m, qr/^Infected\b/m, # qr/^(?:Info|Virus Name):\s+(.+)/m ], # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.symantec.com/ # ['Symantec AntiVirus Scan Engine', # 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}', # [0], qr/^Infected\b/m, # qr/^(?:Info|Virus Name):\s+(.+)/m ], # # NOTE: check options and patterns to see which entry better applies # ### http://www.f-secure.com/products/anti-virus/ version 4.65 # ['F-Secure Antivirus for Linux servers', # ['/opt/f-secure/fsav/bin/fsav', 'fsav'], # '--delete=no --disinf=no --rename=no --archive=yes --auto=yes '. # '--dumb=yes --list=no --mime=yes {}', [0], [3,6,8], # qr/(?:infection|Infected|Suspected): (.+)/m ], # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.f-secure.com/products/anti-virus/ version 5.52 # ['F-Secure Antivirus for Linux servers', # ['/opt/f-secure/fsav/bin/fsav', 'fsav'], # '--virus-action1=report --archive=yes --auto=yes '. # '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8], # qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ], # # NOTE: internal archive handling may be switched off by '--archive=no' # # to prevent fsav from exiting with status 9 on broken archives # ### http://www.avast.com/ # ['avast! 
Antivirus daemon', # \&ask_daemon, # greets with 220, terminate with QUIT # ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'], # qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t([^[ \t\015\012]+)/m ], # ### http://www.avast.com/ # ['avast! Antivirus - Client/Server Version', 'avastlite', # '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1], # qr/\t\[L\]\t([^[ \t\015\012]+)/m ], # Django : 2012-05-21 # Eintrag deaktiviert # ['CAI InoculateIT', 'inocucmd', # retired product # '-sec -nex {}', [0], [100], # qr/was infected by virus (.+)/m ], # # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT) # ['CAI eTrust Antivirus', 'etrust-wrapper', # '-arc -nex -spm h {}', [0], [101], # qr/is infected by virus: (.+)/m ], # # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer # # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783 # Django : 2012-05-21 # Eintrag deaktiviert # ### http://mks.com.pl/english.html # ['MkS_Vir for Linux (beta)', ['mks32','mks'], # '-s {}/*', [0], [1,2], # qr/--[ \t]*(.+)/m ], # Django : 2012-05-21 # Eintrag deaktiviert # ### http://mks.com.pl/english.html # ['MkS_Vir daemon', 'mksscan', # '-s -q {}', [0], [1..7], # qr/^... (\S+)/m ], # ### http://www.nod32.com/, version v2.52 (old) # ['ESET NOD32 for Linux Mail servers', # ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'], # '--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '. # '-w -a --action-on-infected=accept --action-on-uncleanable=accept '. 
# '--action-on-notscanned=accept {}', # [0,3], [1,2], qr/virus="([^"]+)"/m ], # ### http://www.eset.com/, version v2.7 (old) # ['ESET NOD32 Linux Mail Server - command line interface', # ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'], # '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/m ], # ### http://www.eset.com/, version 2.71.12 # ['ESET Software ESETS Command Line Interface', # ['/usr/bin/esets_cli', 'esets_cli'], # '--subdir {}', [0], [1,2,3], qr/virus="([^"]+)"/m ], # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.eset.com/, version 3.0 # ['ESET Software ESETS Command Line Interface', # ['/usr/bin/esets_cli', 'esets_cli'], # '--subdir {}', [0], [1,2,3], # qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ], # Django : 2012-05-21 # Eintrag deaktiviert # ## http://www.nod32.com/, NOD32LFS version 2.5 and above # ['ESET NOD32 for Linux File servers', # ['/opt/eset/nod32/sbin/nod32','nod32'], # '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '. 
# '-w -a --action=1 -b {}', # [0], [1,10], qr/^object=.*, virus="(.*?)",/m ], # Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31 # ['ESET Software NOD32 Client/Server (NOD32SS)', # \&ask_daemon2, # greets with 200, persistent, terminate with QUIT # ["SCAN {}/*\r\n", '127.0.0.1:8448' ], # qr/^200 File OK/m, qr/^201 /m, qr/^201 (.+)/m ], # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.norman.com/products_nvc.shtml # ['Norman Virus Control v5 / Linux', 'nvcc', # '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], # qr/(?i).* virus in .* -> \'(.+)\'/m ], # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.pandasoftware.com/ # ['Panda CommandLineSecure 9 for Linux', # ['/opt/pavcl/usr/bin/pavcl','pavcl'], # '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}', # qr/Number of files infected[ .]*: 0+(?!\d)/m, # qr/Number of files infected[ .]*: 0*[1-9]/m, # qr/Found virus :\s*(\S+)/m ], # # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr' # # before starting amavisd - the bases are then loaded only once at startup. # # To reload bases in a signature update script: # # /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr # # Please review other options of pavcl, for example: # # -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies # ### http://www.pandasoftware.com/ # ['Panda Antivirus for Linux', ['pavcl'], # '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}', # [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0], # qr/Found virus :\s*(\S+)/m ], # GeCAD AV technology is acquired by Microsoft; RAV has been discontinued. # Check your RAV license terms before fiddling with the following two lines! # ['GeCAD RAV AntiVirus 8', 'ravav', # '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/m ], # # NOTE: the command line switches changed with scan engine 8.5 ! 
# # (btw, assigning stdin to /dev/null causes RAV to fail) # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.nai.com/ # ['NAI McAfee AntiVirus (uvscan)', 'uvscan', # '--secure -rv --mime --summary --noboot - {}', [0], [13], # qr/(?x) Found (?: # \ the\ (.+)\ (?:virus|trojan) | # \ (?:virus|trojan)\ or\ variant\ ([^ ]+) | # :\ (.+)\ NOT\ a\ virus)/m, # # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'}, # # sub {delete $ENV{LD_PRELOAD}}, # ], # # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before # # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6 # # and then clear it when finished to avoid confusing anything else. # # NOTE2: to treat encrypted files as viruses replace the [13] with: # # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/ # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.virusbuster.hu/en/ # ['VirusBuster', ['vbuster', 'vbengcl'], # "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], # qr/: '(.*)' - Virus/m ], # # VirusBuster Ltd. does not support the daemon version for the workstation # # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of # # binaries, some parameters AND return codes have changed (from 3 to 1). # # See also the new Vexira entry 'vascan' which is possibly related. # ### http://www.virusbuster.hu/en/ # ['VirusBuster (Client + Daemon)', 'vbengd', # '-f -log scandir {}', [0], [3], # qr/Virus found = (.*);/m ], # # HINT: for an infected file it always returns 3, # # although the man-page tells a different story # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.cyber.com/ # ['CyberSoft VFind', 'vfind', # '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m, # # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, # ], # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.avast.com/ # ['avast! 
Antivirus', ['/usr/bin/avastcmd','avastcmd'], # '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ], # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.ikarus-software.com/ # ['Ikarus AntiVirus for Linux', 'ikarus', # '{}', [0], [40], qr/Signature (.+) found/m ], # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.bitdefender.com/ # ['BitDefender', 'bdscan', # new version # '--action=ignore --no-list {}', qr/^Infected files\s*:\s*0+(?!\d)/m, # qr/^(?:Infected files|Identified viruses|Suspect files)\s*:\s*0*[1-9]/m, # qr/(?:suspected|infected)\s*:\s*(.*)(?:\033|$)/m ], # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.bitdefender.com/ # ['BitDefender', 'bdc', # old version # '--arc --mail {}', qr/^Infected files *:0+(?!\d)/m, # qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m, # qr/(?:suspected|infected): (.*)(?:\033|$)/m ], # # consider also: --all --nowarn --alev=15 --flev=15. The --all argument may # # not apply to your version of bdc, check documentation and see 'bdc --help' # Django : 2012-05-21 # Eintrag deaktiviert # ### ArcaVir for Linux and Unix http://www.arcabit.pl/ # ['ArcaVir for Linux', ['arcacmd','arcacmd.static'], # '-v 1 -summary 0 -s {}', [0], [1,2], # qr/(?:VIR|WIR):[ \t]*(.+)/m ], # ### a generic SMTP-client interface to a SMTP-based virus scanner # ['av_smtp', \&ask_av_smtp, # ['{}', 'smtp:[127.0.0.1]:5525', 'dummy@localhost'], # qr/^2/, qr/^5/, qr/^\s*(.*?)\s*$/m ], # ['File::Scan', sub {Amavis::AV::ask_av(sub{ # use File::Scan; my($fn)=@_; # my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0); # my($vname) = $f->scan($fn); # $f->error ? (2,"Error: ".$f->error) # : ($vname ne '') ? 
(1,"$vname FOUND") : (0,"Clean")}, @_) }, # ["{}/*"], [0], [1], qr/^(.*) FOUND$/m ], # ### fully-fledged checker for JPEG marker segments of invalid length # ['check-jpeg', # sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) }, # ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/m ], # # NOTE: place file JpegTester.pm somewhere where Perl can find it, # # for example in /usr/local/lib/perl5/site_perl ); @av_scanners_backup = ( ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV ['ClamAV-clamscan', 'clamscan', "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.f-prot.com/ - backs up F-Prot Daemon, V6 # ['F-PROT Antivirus for UNIX', ['fpscan'], # '--report --mount --adware {}', # consider: --applications -s 4 -u 3 -z 10 # [0,8,64], [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3], # qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ], # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.f-prot.com/ - backs up F-Prot Daemon (old) # ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], # '-dumb -archive -packed {}', [0,8], [3,6], # or: [0], [3,6,8], # qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ], # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.trendmicro.com/ - backs up Trophie # ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], # '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ], # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD # ['drweb - DrWeb Antivirus', # security LHA hole in Dr.Web 4.33 and earlier # ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], # '-path={} -al -go -ot -cn -upn -ok-', # [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? 
(.*)$'m ], # Django : 2012-05-21 # Eintrag deaktiviert # ### http://www.kaspersky.com/ # ['Kaspersky Antivirus v5.5', # ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner', # '/opt/kav/5.5/kav4unix/bin/kavscanner', # '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'], # '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25], # qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m, ## sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"}, ## sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, # ], # Commented out because the name 'sweep' clashes with Debian and FreeBSD # package/port of an audio editor. Make sure the correct 'sweep' is found # in the path when enabling. # # ### http://www.sophos.com/ - backs up Sophie or SAVI-Perl # ['Sophos Anti Virus (sweep)', 'sweep', # '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '. # '--no-reset-atime {}', # [0,2], qr/Virus .*? found/m, # qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m, # ], # # other options to consider: -idedir=/usr/local/sav # Always succeeds and considers mail clean. # Potentially useful when all other scanners fail and it is desirable # to let mail continue to flow with no virus checking (when uncommented). # ['always-clean', sub {0}], ); 1; # insure a defined return value
First start
clamd
Now we start our ClamAV daemon for the first time.
# service clamd start
Starting Clam AntiVirus Daemon: [ OK ]
The start is logged in /var/log/clamav/clamd.log. Three things in this output are worth a look on a mail gateway: clamd runs as the unprivileged user clamav, its TCP listener is bound to 127.0.0.1 only (clamd's protocol has no authentication, so it must never be reachable from the network), and the last line, "Pid file removed.", is what clamd writes when it shuts down, so the daemon did not stay up after this first start.
# less /var/log/clamav/clamd.log
Mon Jun 11 12:08:26 2012 -> +++ Started at Mon Jun 11 12:08:26 2012
Mon Jun 11 12:08:26 2012 -> clamd daemon 0.97.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Mon Jun 11 12:08:26 2012 -> Running as user clamav (UID 496, GID 493)
Mon Jun 11 12:08:26 2012 -> Log file size limited to -1 bytes.
Mon Jun 11 12:08:26 2012 -> Reading databases from /var/clamav
Mon Jun 11 12:08:26 2012 -> Not loading PUA signatures.
Mon Jun 11 12:08:26 2012 -> Bytecode: Security mode set to "TrustSigned".
Mon Jun 11 12:08:30 2012 -> Loaded 1256207 signatures.
Mon Jun 11 12:08:30 2012 -> TCP: Bound to address 127.0.0.1 on port 3310
Mon Jun 11 12:08:30 2012 -> TCP: Setting connection queue length to 30
Mon Jun 11 12:08:30 2012 -> LOCAL: Unix socket file /var/run/clamav/clamd.sock
Mon Jun 11 12:08:30 2012 -> LOCAL: Setting connection queue length to 30
Mon Jun 11 12:08:30 2012 -> Limits: Global size limit set to 104857600 bytes.
Mon Jun 11 12:08:30 2012 -> Limits: File size limit set to 26214400 bytes.
Mon Jun 11 12:08:30 2012 -> Limits: Recursion level limit set to 16.
Mon Jun 11 12:08:30 2012 -> Limits: Files limit set to 10000.
Mon Jun 11 12:08:30 2012 -> Archive support enabled.
Mon Jun 11 12:08:30 2012 -> Algorithmic detection enabled.
Mon Jun 11 12:08:30 2012 -> Portable Executable support enabled.
Mon Jun 11 12:08:30 2012 -> ELF support enabled.
Mon Jun 11 12:08:30 2012 -> Detection of broken executables enabled.
Mon Jun 11 12:08:30 2012 -> Mail files support enabled.
Mon Jun 11 12:08:30 2012 -> OLE2 support enabled.
Mon Jun 11 12:08:30 2012 -> PDF support enabled.
Mon Jun 11 12:08:30 2012 -> HTML support enabled.
Mon Jun 11 12:08:30 2012 -> Self checking every 600 seconds.
Mon Jun 11 12:08:39 2012 -> Pid file removed.
freshclamd
We start the update mechanism, the freshclam daemon, in the usual way:
# service freshclamd start
Starting freshclam: [ OK ]
The run is documented in the logfile /var/log/clamav/freshclam.log:
# less /var/log/clamav/freshclam.log
freshclam daemon 0.97.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
ClamAV update process started at Mon Jun 11 12:32:48 2012
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
Downloading daily-15026.cdiff [100%]
Downloading daily-15027.cdiff [100%]
daily.cld updated (version: 15027, sigs: 217122, f-level: 63, builder: ccordes)
bytecode.cvd is up to date (version: 185, sigs: 39, f-level: 63, builder: neo)
Database updated (1261548 signatures) from db.de.clamav.net (IP: 212.1.60.18)
WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.sock
--------------------------------------
The message WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.sock is accurate: clamd is not running at this point (its log above ends with "Pid file removed.", which clamd writes on shutdown). The database files on disk were updated regardless; a running clamd would pick them up on its next self check (every 600 seconds, as logged above) even without the notification. So we start the ClamAV daemon again.
# service clamd start
Starting Clam AntiVirus Daemon: [ OK ]
Now we restart our freshclam daemon and then check its logfile.
# service freshclamd restart
Stopping freshclam: [ OK ]
Starting freshclam: [ OK ]
A look at the freshclam daemon's logfile now shows no such error message any more.
# less /var/log/clamav/freshclam.log
--------------------------------------
freshclam daemon 0.97.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
ClamAV update process started at Mon Jun 11 12:39:25 2012
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
daily.cld is up to date (version: 15027, sigs: 217122, f-level: 63, builder: ccordes)
bytecode.cvd is up to date (version: 185, sigs: 39, f-level: 63, builder: neo)
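The two startup logs above can be checked mechanically rather than by eye. The following script is an added example (not part of the original page nor of the ClamAV package): it takes the lines since the most recent start marker in clamd.log and freshclam.log and flags the conditions that matter on a mail gateway: clamd running as root, a TCP listener bound to anything but loopback, no signature database loaded, clamd having exited ("Pid file removed."), and freshclam failing to notify clamd. The embedded log samples are constructed from the output shown on this page; the log paths are the ones used here.

```sh
#!/bin/bash
# Added example: sanity checks over the clamd and freshclam startup logs.
# Both samples are constructed from the log output shown on this page.

CLAMD_LOG_SAMPLE='Mon Jun 11 12:08:26 2012 -> +++ Started at Mon Jun 11 12:08:26 2012
Mon Jun 11 12:08:26 2012 -> Running as user clamav (UID 496, GID 493)
Mon Jun 11 12:08:30 2012 -> Loaded 1256207 signatures.
Mon Jun 11 12:08:30 2012 -> TCP: Bound to address 127.0.0.1 on port 3310
Mon Jun 11 12:08:30 2012 -> LOCAL: Unix socket file /var/run/clamav/clamd.sock
Mon Jun 11 12:08:30 2012 -> Self checking every 600 seconds.
Mon Jun 11 12:08:39 2012 -> Pid file removed.'

FRESHCLAM_LOG_SAMPLE="ClamAV update process started at Mon Jun 11 12:32:48 2012
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
daily.cld updated (version: 15027, sigs: 217122, f-level: 63, builder: ccordes)
Database updated (1261548 signatures) from db.de.clamav.net (IP: 212.1.60.18)
WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.sock"

# last_block LOGTEXT MARKER: keeps only the lines from the most recent line
# containing MARKER onwards, so an old clean start cannot mask a bad restart.
last_block() {
    printf '%s\n' "$1" | awk -v m="$2" 'index($0, m) { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }'
}

# check_clamd_log LOGTEXT: prints one "FAIL: ..." line per finding in the
# last start block and returns 1 if anything was found, 0 if it looks healthy.
check_clamd_log() {
    local block rc=0 sigs
    block=$(last_block "$1" '+++ Started at')
    case $block in *'Running as user root'*) echo "FAIL: clamd runs as root"; rc=1 ;; esac
    # clamd's protocol is unauthenticated: every TCP listener must be on loopback
    if printf '%s' "$block" | grep 'TCP: Bound to address' | grep -qv -e ' 127\.' -e ' ::1 '; then
        echo "FAIL: clamd TCP listener is not limited to loopback"; rc=1
    fi
    sigs=$(printf '%s' "$block" | sed -n 's/.*Loaded \([0-9][0-9]*\) signatures.*/\1/p' | tail -n 1)
    if [ -z "$sigs" ] || [ "$sigs" -eq 0 ]; then
        echo "FAIL: no signature database loaded"; rc=1
    fi
    case $block in *'Pid file removed.'*) echo "FAIL: clamd has exited since this start (Pid file removed.)"; rc=1 ;; esac
    return $rc
}

# check_freshclam_log LOGTEXT: returns 1 if the last update run could not
# reach clamd, logged an error, or reported no database state at all.
check_freshclam_log() {
    local block rc=0
    block=$(last_block "$1" 'ClamAV update process started')
    case $block in *'Clamd was NOT notified'*) echo "FAIL: freshclam could not notify clamd (is it running?)"; rc=1 ;; esac
    case $block in *'ERROR:'*) echo "FAIL: freshclam logged an error"; rc=1 ;; esac
    case $block in *'is up to date'*|*'updated ('*) ;; *) echo "FAIL: freshclam reported no database state"; rc=1 ;; esac
    return $rc
}

# Stand-alone run: check the samples, then the real logs where readable.
check_clamd_log "$CLAMD_LOG_SAMPLE" && echo "sample clamd log: OK"
check_freshclam_log "$FRESHCLAM_LOG_SAMPLE" && echo "sample freshclam log: OK"
[ -r /var/log/clamav/clamd.log ] && check_clamd_log "$(cat /var/log/clamav/clamd.log)" && echo "clamd.log: OK"
[ -r /var/log/clamav/freshclam.log ] && check_freshclam_log "$(cat /var/log/clamav/freshclam.log)" && echo "freshclam.log: OK"
```

Run on the samples, both checks report a failure: the clamd sample ends with "Pid file removed." and the freshclam sample carries the notification warning, which is exactly the state the page shows before clamd is started a second time.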
amavisd
To activate the configuration changes on the AMaViS front end, we restart the daemon once.
# service amavisd restart
Shutting down Mail Virus Scanner (amavisd): [ OK ]
Starting Mail Virus Scanner (amavisd): [ OK ]
The start is logged in the mail log. The lines to look for are "Using primary internal av scanner code for ClamAV-clamd" and "Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan": they confirm that amavisd found the clamd socket configured in @av_scanners and clamscan as the fallback from @av_scanners_backup.
Jun 11 13:21:43 vml000060 amavis[18664]: logging initialized, log level 3, syslog: amavis.mail
Jun 11 13:21:43 vml000060 amavis[18664]: starting. /usr/sbin/amavisd at amavis.dmz.nausch.org amavisd-new-2.6.6 (20110518), Unicode aware, LANG="en_US.UTF-8"
Jun 11 13:21:43 vml000060 amavis[18664]: user=497, EUID: 497 (497); group=, EGID: 494 494 (494 494)
Jun 11 13:21:43 vml000060 amavis[18664]: Perl version 5.010001
Jun 11 13:21:43 vml000060 amavis[18664]: SpamControl: scanner SpamAssassin, module Amavis::SpamControl::SpamAssassin
Jun 11 13:21:44 vml000060 amavis[18664]: INFO: SA version: 3.3.1, 3.003001, no optional modules: Net::CIDR::Lite Sys::Hostname::Long Razor2::Client::Agent IP::Country::Fast Image::Info Image::Info::GIF Image::Info::JPEG Image::Info::PNG Image::Info::TIFF Mail::SPF Mail::SPF::Server Mail::SPF::Request Mail::SPF::Mech Mail::SPF::Mech::A Mail::SPF::Mech::PTR Mail::SPF::Mech::All Mail::SPF::Mech::Exists Mail::SPF::Mech::IP4 Mail::SPF::Mech::IP6 Mail::SPF::Mech::Include Mail::SPF::Mech::MX Mail::SPF::Mod Mail::SPF::Mod::Exp Mail::SPF::Mod::Redirect Mail::SPF::SenderIPAddrMech Mail::SPF::v1::Record Mail::SPF::v2::Record Error
Jun 11 13:21:44 vml000060 amavis[18664]: SpamControl: init_pre_chroot on SpamAssassin done
Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: Process Backgrounded
Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: 2012/06/11-13:21:44 Amavis (type Net::Server::PreForkSimple) starting! pid(18665)
Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: Using default listen value of 128
Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: Binding to UNIX socket file /var/amavis/amavisd.sock using SOCK_STREAM
Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: Binding to TCP port 10024 on host *
Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: Group Not Defined. Defaulting to EGID '494 494'
Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: User Not Defined. Defaulting to EUID '497'
Jun 11 13:21:44 vml000060 amavis[18665]: config files read: /etc/amavisd.conf
Jun 11 13:21:44 vml000060 amavis[18665]: Module Amavis::Conf 2.209
Jun 11 13:21:44 vml000060 amavis[18665]: Module Archive::Zip 1.30
Jun 11 13:21:44 vml000060 amavis[18665]: Module BerkeleyDB 0.43
Jun 11 13:21:44 vml000060 amavis[18665]: Module Compress::Zlib 2.02
Jun 11 13:21:44 vml000060 amavis[18665]: Module Convert::TNEF 0.17
Jun 11 13:21:44 vml000060 amavis[18665]: Module Convert::UUlib 1.34
Jun 11 13:21:44 vml000060 amavis[18665]: Module Crypt::OpenSSL::RSA 0.25
Jun 11 13:21:44 vml000060 amavis[18665]: Module DB_File 1.82
Jun 11 13:21:44 vml000060 amavis[18665]: Module Digest::MD5 2.39
Jun 11 13:21:44 vml000060 amavis[18665]: Module Digest::SHA 5.47
Jun 11 13:21:44 vml000060 amavis[18665]: Module IO::Socket::INET6 2.56
Jun 11 13:21:44 vml000060 amavis[18665]: Module MIME::Entity 5.427
Jun 11 13:21:44 vml000060 amavis[18665]: Module MIME::Parser 5.427
Jun 11 13:21:44 vml000060 amavis[18665]: Module MIME::Tools 5.427
Jun 11 13:21:44 vml000060 amavis[18665]: Module Mail::DKIM::Signer 0.37
Jun 11 13:21:44 vml000060 amavis[18665]: Module Mail::DKIM::Verifier 0.37
Jun 11 13:21:44 vml000060 amavis[18665]: Module Mail::Header 2.04
Jun 11 13:21:44 vml000060 amavis[18665]: Module Mail::Internet 2.04
Jun 11 13:21:44 vml000060 amavis[18665]: Module Mail::SpamAssassin 3.003001
Jun 11 13:21:44 vml000060 amavis[18665]: Module Net::DNS 0.65
Jun 11 13:21:44 vml000060 amavis[18665]: Module Net::Server 0.99
Jun 11 13:21:44 vml000060 amavis[18665]: Module NetAddr::IP 4.027
Jun 11 13:21:44 vml000060 amavis[18665]: Module Socket6 0.23
Jun 11 13:21:44 vml000060 amavis[18665]: Module Time::HiRes 1.9721
Jun 11 13:21:44 vml000060 amavis[18665]: Module URI 1.40
Jun 11 13:21:44 vml000060 amavis[18665]: Module Unix::Syslog 1.1
Jun 11 13:21:44 vml000060 amavis[18665]: Amavis::DB code loaded
Jun 11 13:21:44 vml000060 amavis[18665]: Amavis::Cache code loaded
Jun 11 13:21:44 vml000060 amavis[18665]: SQL base code NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: SQL::Log code NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: SQL::Quarantine NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: Lookup::SQL code NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: Lookup::LDAP code NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: AM.PDP-in proto code loaded
Jun 11 13:21:44 vml000060 amavis[18665]: SMTP-in proto code loaded
Jun 11 13:21:44 vml000060 amavis[18665]: Courier proto code NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: SMTP-out proto code loaded
Jun 11 13:21:44 vml000060 amavis[18665]: Pipe-out proto code NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: BSMTP-out proto code NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: Local-out proto code loaded
Jun 11 13:21:44 vml000060 amavis[18665]: OS_Fingerprint code NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: ANTI-VIRUS code loaded
Jun 11 13:21:44 vml000060 amavis[18665]: ANTI-SPAM code loaded
Jun 11 13:21:44 vml000060 amavis[18665]: ANTI-SPAM-EXT code NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: ANTI-SPAM-C code NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: ANTI-SPAM-SA code loaded
Jun 11 13:21:44 vml000060 amavis[18665]: Unpackers code loaded
Jun 11 13:21:44 vml000060 amavis[18665]: DKIM code loaded
Jun 11 13:21:44 vml000060 amavis[18665]: Tools code NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: Found $file at /usr/bin/file
Jun 11 13:21:44 vml000060 amavis[18665]: Found $altermime at /usr/bin/altermime
Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .mail
Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .asc
Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .uue
Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .hqx
Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .ync
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .F at /usr/bin/unfreeze
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .Z at /usr/bin/uncompress
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .gz at /usr/bin/gzip -d
Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .gz (backup, not used)
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .bz2 at /usr/bin/bzip2 -d
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .lzo at /usr/bin/lzop -d
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .rpm at /usr/bin/rpm2cpio
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .cpio at /bin/cpio
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .tar at /bin/cpio
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .deb at /usr/bin/ar
Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .zip
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .7z at /usr/bin/7za
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .rar at /usr/bin/unrar
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .arj at /usr/bin/arj
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .arc at /usr/bin/nomarch
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .zoo at /usr/bin/zoo
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .lha at /usr/bin/lha
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .cab at /usr/bin/cabextract
Jun 11 13:21:44 vml000060 amavis[18665]: No decoder for .tnef tried: tnef
Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .tnef
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .exe at /usr/bin/unrar; /usr/bin/lha; /usr/bin/arj
Jun 11 13:21:44 vml000060 amavis[18665]: Using primary internal av scanner code for ClamAV-clamd
Jun 11 13:21:44 vml000060 amavis[18665]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Jun 11 13:21:44 vml000060 amavis[18665]: Creating db in /var/amavis/db/; BerkeleyDB 0.43, libdb 4.7
Jun 11 13:21:44 vml000060 amavis[18665]: initializing Mail::SpamAssassin
Jun 11 13:21:44 vml000060 amavis[18665]: SpamAssassin debug facilities: info
Jun 11 13:21:46 vml000060 amavis[18665]: SpamAssassin loaded plugins: AutoLearnThreshold, Bayes, BodyEval, Check, DKIM, DNSEval, FreeMail, HTMLEval, HTTPSMismatch, Hashcash, HeaderEval, ImageInfo, MIMEEval, MIMEHeader, Pyzor, Razor2, RelayEval, ReplaceTags, SPF, SpamCop, URIDNSBL, URIDetail, URIEval, VBounce, WLBLEval, WhiteListSubject
Jun 11 13:21:46 vml000060 amavis[18665]: SpamControl: init_pre_fork on SpamAssassin done
Jun 11 13:21:46 vml000060 amavis[18665]: extra modules loaded after daemonizing/chrooting: Mail/SpamAssassin/Plugin/FreeMail.pm
Jun 11 13:21:46 vml000060 amavis[18679]: TIMING [total 10 ms] - bdb-open: 10 (100%)100, rundown: 0 (0%)100
Jun 11 13:21:46 vml000060 amavis[18680]: TIMING [total 9 ms] - bdb-open: 9 (100%)100, rundown: 0 (0%)100
Starting the services automatically at boot
clamd
So that our clamav daemon is started automatically at boot, we carry out the following configuration step.
# chkconfig clamd on
Then we verify the change:
# chkconfig --list | grep clamd
clamd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
freshclamd
So that our freshclamd is also started automatically at boot, we carry out the following configuration step.
# chkconfig freshclamd on
Then we verify the change:
# chkconfig --list | grep freshclamd
freshclamd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
amavisd
No change is needed for our AMaViS front end, since we already took care of this during the basic configuration of amavisd-new.
Test (eicar)
To test, we send an email to a recipient and simply attach an EICAR test file to it. The EICAR string is a harmless test pattern that every scanner is required to detect, so it exercises the whole chain (Postfix, amavisd, clamd) without handling real malware.
The attempt of course fails, and the submitting mail client is promptly told why the message could not be accepted:
An error occurred while sending mail. The mail server responded: 5.7.0 Reject, id=19056-05 - INFECTED: Eicar-Test-Signature. Please check the message and try again.
In the mail log of our AMaViS host, the failed delivery attempt of the email with the EICAR test pattern in the attachment is logged accordingly. Note that the scanner found the signature both in the unpacked attachment (p004, eicar.com inside eicar_com.zip) and in the full original message (p005), and that amavisd answers the submitting MTA with a 554 5.7.0 reject rather than accepting and bouncing the message.
# less /var/log/maillog
Jun 11 16:48:12 vml000060 amavis[19055]: (19055-05) process_request: fileno sock=11, STDIN=0, STDOUT=1
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) ESMTP:[10.0.0.60]:10024 /var/amavis/tmp/amavis-20120611T142736-19055: <django@nausch.org> -> <Django@nausch.org> SIZE=1043 Received: from mx1.nausch.org ([10.0.0.80]) by localhost (amavis.dmz.nausch.org [10.0.0.60]) (amavisd-new, port 10024) with ESMTP for <Django@nausch.org>; Mon, 11 Jun 2012 16:48:12 +0200 (CEST)
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp connection cache, dt: 1153.6, state: 0
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) body hash: d87eeb64bae8fd89341d4f6332e5263e
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) Checking: Cn1wWSZI30ms [192.168.10.45] <django@nausch.org> -> <Django@nausch.org>
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) 2822.From: <django@nausch.org>
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) p003 1 Content-Type: multipart/mixed
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) p001 1/1 Content-Type: text/plain, size: 5 B, name:
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) p002 1/2 Content-Type: application/zip, size: 184 B, name: eicar_com.zip
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) inspect_dsn: not a bounce
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) Checking for banned types and filenames
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) collect banned table[0]: Django@nausch.org, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x3be71a0)
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) p.path Django@nausch.org: "P=p003,L=1,M=multipart/mixed | P=p001,L=1/1,M=text/plain,T=asc"
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) p.path Django@nausch.org: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/zip,T=zip,N=eicar_com.zip | P=p004,L=1/2/1,T=asc,N=eicar.com"
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) presenting full original message to scanners as /var/amavis/tmp/amavis-20120611T142736-19055/parts/p005
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) ask_av Using (ClamAV-clamd): CONTSCAN /var/amavis/tmp/amavis-20120611T142736-19055/parts\n
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) ClamAV-clamd: Connecting to socket /var/run/clamav/clamd.sock
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) ClamAV-clamd: Sending CONTSCAN /var/amavis/tmp/amavis-20120611T142736-19055/parts\n to UNIX socket /var/run/clamav/clamd.sock
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) run_av (ClamAV-clamd): /var/amavis/tmp/amavis-20120611T142736-19055/parts INFECTED: Eicar-Test-Signature, Eicar-Test-Signature
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) virus_scan: (Eicar-Test-Signature), detected by 1 scanners: ClamAV-clamd
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) Virus Eicar-Test-Signature matches (constant:1), sender addr ignored
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) blocking contents category is (9) for Django@nausch.org
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) do_notify_and_quar: ccat=Virus (9,0) ("9":Virus, "1":Clean, "0":CatchAll) ccat_block=(9), qar_mth=
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp session: setting up a new session
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp creating socket by IO::Socket::INET6 to [mail.dmz.nausch.org]:10025
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp resp to greeting: 220 mx1.nausch.org ESMTP Postfix
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp cmd> EHLO localhost
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp resp to EHLO: 250 mx1.nausch.org\nPIPELINING\nSIZE 52428800\nETRN\nSTARTTLS\nXFORWARD NAME ADDR PROTO HELO SOURCE PORT\nENHANCEDSTATUSCODES\n8BITMIME\nDSN
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) AUTH not needed, user='', MTA offers ''
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp cmd> MAIL FROM:<virusalert@nausch.org> ENVID=AM..20120611T144813Z@amavis.dmz.nausch.org
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp cmd> RCPT TO:<virusalert@nausch.org>
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp cmd> DATA
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp resp to MAIL (pip): 250 2.1.0 Ok
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp resp to RCPT (pip) (<virusalert@nausch.org>): 250 2.1.5 Ok
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp resp to DATA: 354 End data with <CR><LF>.<CR><LF>
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp cmd> QUIT
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp resp to data-dot (<virusalert@nausch.org>): 250 2.0.0 Ok: queued as 36EE653
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) Amavis::Out::SMTP::Session close, disconnecting
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) SEND via SMTP: <virusalert@nausch.org> -> <virusalert@nausch.org>,ENVID=AM..20120611T144813Z@amavis.dmz.nausch.org 250 2.0.0 from MTA([mail.dmz.nausch.org]:10025): 250 2.0.0 Ok: queued as 36EE653
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) Blocked INFECTED (Eicar-Test-Signature), [192.168.10.45] [192.168.10.45] <django@nausch.org> -> <Django@nausch.org>, Message-ID: <4FD6052D.8030805@nausch.org>, mail_id: Cn1wWSZI30ms, Hits: -, size: 1317, 274 ms
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) sending SMTP response: "554 5.7.0 Reject, id=19055-06 - INFECTED: Eicar-Test-Signature"
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) TIMING [total 279 ms] - SMTP greeting: 4 (2%)2, SMTP EHLO: 1 (0%)2, SMTP pre-MAIL: 1 (0%)2, SMTP pre-DATA-flush: 7 (2%)5, SMTP DATA: 37 (13%)18, check_init: 1 (0%)18, digest_hdr: 2 (1%)19, digest_body_dkim: 1 (0%)19, gen_mail_id: 1 (0%)19, mime_decode: 16 (6%)25, get-file-type2: 17 (6%)31, decompose_part: 2 (1%)32, decompose_part: 6 (2%)34, get-file-type1: 13 (5%)39, decompose_part: 1 (0%)39, parts_decode: 0 (0%)39, check_header: 2 (1%)40, AV-scan-1: 26 (9%)49, read_snmp_variables: 1 (1%)50, best_try_originator: 2 (1%)51, update_cache: 2 (1%)51, decide_mail_destiny: 3 (1%)52, fwd-connect: 52 (19%)71, fwd-mail-pip: 14 (5%)76, fwd-rcpt-pip: 1 (0%)76, fwd-data-chkpnt: 0 (0%)76, write-header: 1 (0%)77, fwd-data-contents: 3 (1%)78, fwd-end-chkpnt: 50 (18%)95, prepare-dsn: 1 (0%)96, main_log_entry: 7 (2%)98, update_snmp: 2 (1%)99, SMTP pre-response: 0 (0%)99, SMTP response: 1 (0%)99, unlink-3-files: 1 (0%)100, rundown: 1 (0%)100
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) load: 0 %, total idle 8420.239 s, busy 16.845 s
The postmaster virusalert@nausch.org is also sent a notification pointing out that someone tried to deliver a virus. The notification contains the scanner output and the original headers, but only the headers: the infected part itself is not forwarded.
From: "Content-filter at amavis.dmz.nausch.org" <virusalert@nausch.org>
Date: Mon, 11 Jun 2012 16:48:12 +0200 (CEST)
Subject: VIRUS (Eicar-Test-Signature) in mail FROM [192.168.10.45] <django@nausch.org>
To: <virusalert@nausch.org>
Message-ID: <VACn1wWSZI30ms@amavis.dmz.nausch.org>

This is a multi-part message in MIME format...

------------=_1339426093-19055-1
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

A virus was found: Eicar-Test-Signature

Scanner detecting a virus: ClamAV-clamd

Content type: Virus
Internal reference code for the message is 19055-06/Cn1wWSZI30ms

First upstream SMTP client IP address: [192.168.10.45]
According to a 'Received:' trace, the message apparently originated at:
  [192.168.10.45], pml010051.nausch.org unknown [192.168.10.45]
  using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
  No client certificate requested

Return-Path: <django@nausch.org>
From: Django <django@nausch.org>
Message-ID: <4FD6052D.8030805@nausch.org>
Subject: TesteMail mit Eicar-Testfile im Anhang

Not quarantined.
Notification to sender will not be mailed.

The message WAS NOT relayed to:
<Django@nausch.org>:
   554 5.7.0 Reject, id=19055-06 - INFECTED: Eicar-Test-Signature

Virus scanner output:
  p004: Eicar-Test-Signature FOUND
  p005: Eicar-Test-Signature FOUND

------------=_1339426093-19055-1
Content-Type: text/rfc822-headers; name="header"
Content-Disposition: inline; filename="header"
Content-Transfer-Encoding: 7bit
Content-Description: Message header section

Return-Path: <django@nausch.org>
Received: from pml010051.nausch.org (unknown [192.168.10.45])
        (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.nausch.org (Postfix) with ESMTPS
        for <Django@nausch.org>; Mon, 11 Jun 2012 16:48:12 +0200 (CEST)
Message-ID: <4FD6052D.8030805@nausch.org>
Date: Mon, 11 Jun 2012 16:48:13 +0200
From: Django <django@nausch.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:11.0) Gecko/20120329 Thunderbird/11.0.1
MIME-Version: 1.0
To: Django@nausch.org
Subject: TesteMail mit Eicar-Testfile im Anhang
Content-Type: multipart/mixed; boundary="------------010707070506040503040902"
If required, this notification can be switched off. The relevant settings in /etc/amavisd.conf are:

$virus_admin = "virusalert\@$mydomain"; # notifications recip.
$mailfrom_notify_admin = "virusalert\@$mydomain"; # notifications sender
$mailfrom_notify_recip = "virusalert\@$mydomain"; # notifications sender

Setting $virus_admin to undef disables the administrator notification for viruses; the two $mailfrom_notify_* values only determine the sender address used for admin and recipient notifications. Notifications to the sender are already off here ("Notification to sender will not be mailed." above), which is the right choice, since the sender address of malware mail is almost always forged.
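The test above was done by hand from a mail client. For repeatable checks after every ClamAV or amavisd change it is handier to generate the test message from the command line and then verify the verdict in the mail log. The script below is an added example, not part of the original page or of amavisd-new: it builds a message with eicar.com attached (base64), can decode that attachment again to prove the message is correct before submitting it, and extracts the virus name from "Blocked INFECTED" lines such as the one in the mail log above. The addresses and the log line are constructed samples; nothing is sent unless you pipe the output into an MTA yourself.

```sh
#!/bin/bash
# Added example: build the EICAR test mail used on this page and check the
# amavisd verdict in the mail log. Addresses and the sample log line are
# constructed; no mail is sent unless the output is piped into an MTA.

# eicar_string: the standard 68-byte EICAR test string, assembled from two
# halves so that this script file itself does not trip a scanner on disk.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR' '-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

# build_eicar_mail FROM TO: prints an RFC 5322 message with eicar.com as a
# base64 attachment. Pipe it into "sendmail -t" (or swaks --data -) to
# submit it through Postfix to the AMaViS content filter on port 10024.
build_eicar_mail() {
    local from="$1" to="$2" boundary="eicar-test-$$" payload
    payload=$(eicar_string | base64)
    cat <<EOF
From: $from
To: $to
Subject: EICAR test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="$boundary"

--$boundary
Content-Type: text/plain; charset=us-ascii

EICAR test file attached; the gateway is expected to reject this message.

--$boundary
Content-Type: application/octet-stream; name="eicar.com"
Content-Disposition: attachment; filename="eicar.com"
Content-Transfer-Encoding: base64

$payload
--$boundary--
EOF
}

# extract_attachment < MAIL: decodes the first base64 body part back to
# bytes, so the generated message can be verified before submission.
extract_attachment() {
    awk '/^Content-Transfer-Encoding: base64/ { hdr = 1; next }
         hdr && /^$/ { body = 1; next }
         body && /^--/ { exit }
         body { print }' | base64 -d
}

# maillog_verdict LINE...: prints the virus name of every "Blocked INFECTED"
# entry among the given amavisd log lines; returns 1 if there is none,
# i.e. the test mail was not blocked.
maillog_verdict() {
    printf '%s\n' "$@" | sed -n 's/.*Blocked INFECTED (\([^)]*\)).*/\1/p' | grep .
}

# Constructed log line, modelled on the maillog extract shown on this page.
SAMPLE_MAILLOG='Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) Blocked INFECTED (Eicar-Test-Signature), [192.168.10.45] [192.168.10.45] <django@nausch.org> -> <Django@nausch.org>, Message-ID: <4FD6052D.8030805@nausch.org>, mail_id: Cn1wWSZI30ms, Hits: -, size: 1317, 274 ms'

# Stand-alone run: print the generated message, then the verdict of the
# sample line (on the gateway: maillog_verdict "$(grep 'Blocked INFECTED' /var/log/maillog)").
build_eicar_mail sender@example.org recipient@example.org
maillog_verdict "$SAMPLE_MAILLOG"
```

The attachment is sent as application/octet-stream rather than inside a zip so that the test does not depend on a zip tool being installed; clamd detects the bare eicar.com just as it detected p004 inside eicar_com.zip above.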
Optimisation / RAM disk for AMaViS
Since, with a corresponding amount of traffic, the disk accesses have an adverse effect on performance, we create a RAM disk for the scanner's working directory. AMaViS unpacks the messages and their attachments there, and clamd scans the unpacked parts in place (the CONTSCAN requests on /var/amavis/tmp seen in the mail log above).
So that we can set the access rights on the RAM disk correctly (after all, not everyone should be able to read the contents of the emails), we first determine the uid and gid. Note that clamav is a member of group amavis: clamd runs as user clamav and needs read access to the unpacked parts, which is what the group read bit in mode 750 below provides.
# grep amavis /etc/group
amavis:x:494:clamav
# grep amavis /etc/passwd
amavis:x:497:494:Amavis email scan user:/var/amavis:/bin/sh
For our purposes we create a 250 MB RAM disk:
# vim /etc/fstab
# RAM disk for ClamAV
/dev/shm /var/amavis/tmp tmpfs defaults,size=250m,mode=750,uid=497,gid=494 0 0
The first field of a tmpfs entry is only a label, so the line works as written; the usual choice there is simply tmpfs, which avoids confusion with /dev/shm, the system's own shared-memory tmpfs, in the df output below. Since untrusted attachments are unpacked in this directory, it is also advisable to add noexec,nosuid,nodev to the options: amavisd's decoders and the scanners run from their install paths, nothing legitimate needs to execute from /var/amavis/tmp. Check the size against the message size limit of the MTA (the EHLO above shows SIZE 52428800) and the number of amavisd children, as each child can hold an unpacked message at the same time.
Then we mount the new filesystem with
# mount /var/amavis/tmp
and restart amavisd afterwards, because its child processes create their working directories at start and a mount placed on top of the directory hides whatever was in it. Depending on load, the data is now placed in the working directory:
# df -h -t tmpfs
Filesystem Size Used Avail Use% Mounted on
/dev/shm 250M 0 250M 0% /var/amavis/tmp
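Because the RAM disk holds the unpacked contents of every message passing through the gateway, its mount options and permissions are worth verifying after each reboot rather than trusting the fstab line. The following script is an added example, not part of the original page: it parses a mount line (from /etc/fstab or /proc/mounts) and checks filesystem type, uid, gid and mode against the values configured above, plus the hardening options noexec,nosuid,nodev, which are a recommendation made here and not part of the page's fstab line. It also compares the live directory's owner and mode with stat. The two mount lines embedded below are constructed samples.

```sh
#!/bin/bash
# Added example: verify that the AMaViS working directory is the RAM disk
# configured above, with the owner, group and mode from /etc/fstab and the
# hardening options a directory receiving untrusted attachments should have.
# "noexec,nosuid,nodev" are a recommendation added here, not part of the
# fstab line on this page.

# check_mount_line LINE MOUNTPOINT [UID GID MODE]: parses one fstab or
# /proc/mounts line ("device mountpoint fstype options ...") and prints a
# FAIL line for every expectation that is not met; returns 1 if any failed.
# Defaults are the uid/gid/mode used on this page.
check_mount_line() {
    local mp="$2" uid="${3:-497}" gid="${4:-494}" mode="${5:-750}" rc=0 opts o
    set -- $1
    [ "$2" = "$mp" ] || { echo "FAIL: line does not describe $mp"; return 1; }
    opts="$4"
    [ "$3" = "tmpfs" ] || { echo "FAIL: $mp is $3, not tmpfs"; rc=1; }
    for o in noexec nosuid nodev "uid=$uid" "gid=$gid" "mode=$mode"; do
        case ",$opts," in
            *",$o,"*) ;;
            *) echo "FAIL: option $o missing on $mp"; rc=1 ;;
        esac
    done
    return $rc
}

# check_dir_owner DIR UID GID MODE: compares the directory as actually
# mounted with the values from fstab (GNU or busybox stat).
check_dir_owner() {
    local dir="$1" want="$4 $2 $3" got
    got=$(stat -c '%a %u %g' "$dir") || return 1
    [ "$got" = "$want" ] || { echo "FAIL: $dir has mode/uid/gid '$got', expected '$want'"; return 1; }
}

# Constructed samples: the fstab line from this page, and what a hardened
# mount of the same directory looks like in /proc/mounts.
FSTAB_LINE_PAGE='/dev/shm /var/amavis/tmp tmpfs defaults,size=250m,mode=750,uid=497,gid=494 0 0'
MOUNT_LINE_HARDENED='tmpfs /var/amavis/tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=256000k,mode=750,uid=497,gid=494 0 0'

echo "fstab line from the page:"
check_mount_line "$FSTAB_LINE_PAGE" /var/amavis/tmp
echo "hardened mount line:"
check_mount_line "$MOUNT_LINE_HARDENED" /var/amavis/tmp && echo "OK"

# On the gateway itself: check the live mount and the directory it is on.
if [ -r /proc/mounts ] && grep -q ' /var/amavis/tmp ' /proc/mounts; then
    check_mount_line "$(grep ' /var/amavis/tmp ' /proc/mounts)" /var/amavis/tmp
    check_dir_owner /var/amavis/tmp 497 494 750
fi
```

Run as is, the page's own fstab line reports the three missing hardening options and nothing else, while the hardened sample passes; on the gateway the last block checks the mount that is really in place.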