Installation und Konfiguration von ClamAV für AMaViS unter CentOS 7.x
Grundlagen
Die Überprüfung der eMail wie auch der Dateianhänge übernimmt das freie Antivirus Toolkit ClamAV für Unix, ein unter der GNU GPL1) stehender Virenscanner. Es wurde speziell für zum Scannen von EMails auf Mailgateways designt. Kann aber ebeso zu zum Prüfen von HTTP-Datenströmen wie auch zum Scannen von Dateisystemen eingesetzt werden. Das Paket stellt eine Reihe von Hilfsmittel zur Verfügung: einen flexiblen und skalierbaren Multi-Threaded Daemon, einen Kommandozeilen Scanner und ein komplexes Programm zur automatischen Aktualisierung über das Internet bereit. Das Herzstück des Paketes ist ein Antivirus-Einheit in Form einer gemeinsam genutzten Bibliothek.
Die wichtigsten Funktionen von ClamAV sind:
- Kommandozeilen Scanner
- performanter Multi-Threaded Daemon mit der Unterstützung von on-access scannen
- Komplexes Update-Programm für die Datenbank mit Unterstützung für scripted Updates und digitale Signaturen
- Virus Scanner Bibliothek in C
- On-Access Scanning
- Mehrmals tägliche Updates der Virusdatenbank (siehe Homepage für die gesamte Anzahl von Signaturen)
- Integrierte Unterstützung für verschieden Archiv-Formate wie Zip, RAR, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS und andere
- Integrierte Unterstützung für nahezu alle Mail Dateien Formate
- Eingebaute Unterstützung für ELF executables und Portable Executable Dateien komprimiert mit UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack und verschleiert mit SUE, Y0da Cryptor und anderen
Hauptsächlich wird ClamAV im Zusammenhang mit Postfix und AMaViS genutzt. Die Installation und Konfiguration des Virenscanner-Umgebung (ClamAV unter CentOS 6.x) ist auf dieser Seite ausführlich beschrieben.
Nachfolgend befassen wir uns nun mit der Installation und Konfiguration von ClamAV im Mailserverumfeld.
Installation
Wie üblich installieren wir die benötigten Programmpakete via YUM aus dem Repository EPEL. Folgende Pakete werden bei der Installation von AMaViS mitinstalliert:
- clamav-filesystem
- clamav-data
- clamav-lib
- clamav-server
- clamav-server-systemd
Das fehlende (Grund-)Paket, clamav und das zum Updaten der Virensignaturen benötigte Paket clamav-update, installieren wir nun noch nach.
# yum install clamav-filesystem clamav-data clamav-lib clamav-server clamav-server-systemd clamav clamav-update -y
Programminformationen
Was uns die einzelnen Pakete alle bei der Installation mitgebracht haben, zeigt uns jeweilsein Blick in das installierte rpm.
clamav-filesystem
# rpm -qil clamav-filesystem
Name : clamav-filesystem Version : 0.98.4 Release : 1.el7 Architecture: noarch Install Date: Fri 14 Nov 2014 02:08:22 PM CET Group : Applications/File Size : 0 License : GPLv2 Signature : RSA/SHA256, Sat 26 Jul 2014 12:56:11 AM CEST, Key ID 6a2faea2352c64e5 Source RPM : clamav-0.98.4-1.el7.src.rpm Build Date : Wed 23 Jul 2014 11:35:56 PM CEST Build Host : buildhw-02.phx2.fedoraproject.org Relocations : (not relocatable) Packager : Fedora Project Vendor : Fedora Project URL : http://www.clamav.net Summary : Filesystem structure for clamav Description : This package provides the filesystem structure and contains the user-creation scripts required by clamav. /usr/share/clamav /var/lib/clamav
clamav-data
# rpm -qil clamav-data
Name : clamav-data Version : 0.98.4 Release : 1.el7 Architecture: noarch Install Date: Fri 14 Nov 2014 02:08:25 PM CET Group : Applications/File Size : 89963742 License : GPLv2 Signature : RSA/SHA256, Sat 26 Jul 2014 01:10:54 AM CEST, Key ID 6a2faea2352c64e5 Source RPM : clamav-0.98.4-1.el7.src.rpm Build Date : Wed 23 Jul 2014 11:35:56 PM CEST Build Host : buildhw-02.phx2.fedoraproject.org Relocations : (not relocatable) Packager : Fedora Project Vendor : Fedora Project URL : http://www.clamav.net Summary : Virus signature data for the Clam Antivirus scanner Description : This package contains the virus-database needed by clamav. This database should be updated regularly; the 'clamav-update' package ships a corresponding cron-job. This package and the 'clamav-data-empty' package are mutually exclusive. Use -data when you want a working (but perhaps outdated) virus scanner immediately after package installation. Use -data-empty when you are updating the virus database regulary and do not want to download a >5MB sized rpm-package with outdated virus definitions. /var/lib/clamav/daily.cvd /var/lib/clamav/main.cvd
clamav-lib
# rpm -qil clamav-lib
Name : clamav-lib Version : 0.98.4 Release : 1.el7 Architecture: x86_64 Install Date: Fri 14 Nov 2014 02:08:28 PM CET Group : System Environment/Libraries Size : 11502056 License : GPLv2 Signature : RSA/SHA256, Fri 25 Jul 2014 11:53:00 PM CEST, Key ID 6a2faea2352c64e5 Source RPM : clamav-0.98.4-1.el7.src.rpm Build Date : Wed 23 Jul 2014 11:35:56 PM CEST Build Host : buildhw-02.phx2.fedoraproject.org Relocations : (not relocatable) Packager : Fedora Project Vendor : Fedora Project URL : http://www.clamav.net Summary : Dynamic libraries for the Clam Antivirus scanner Description : This package contains dynamic libraries shared between applications using the Clam Antivirus scanner. /usr/lib64/libclamav.so.6 /usr/lib64/libclamav.so.6.1.23
clamav-server
# rpm -qil clamav-server
Name : clamav-server Version : 0.98.4 Release : 1.el7 Architecture: x86_64 Install Date: Fri 14 Nov 2014 02:09:08 PM CET Group : System Environment/Daemons Size : 194068 License : GPLv2 Signature : RSA/SHA256, Sat 26 Jul 2014 12:16:24 AM CEST, Key ID 6a2faea2352c64e5 Source RPM : clamav-0.98.4-1.el7.src.rpm Build Date : Wed 23 Jul 2014 11:35:56 PM CEST Build Host : buildhw-02.phx2.fedoraproject.org Relocations : (not relocatable) Packager : Fedora Project Vendor : Fedora Project URL : http://www.clamav.net Summary : Clam Antivirus scanner server Description : ATTENTION: most users do not need this package; the main package has everything (or depends on it) which is needed to scan for virii on workstations. This package contains files which are needed to execute the clamd-daemon. This daemon does not provide a system-wide service. Instead of, an instance of this daemon should be started for each service requiring it. See the README file how this can be done with a minimum of effort. /etc/clamd.d /usr/sbin/clamav-notify-servers /usr/sbin/clamd /usr/share/doc/clamav-server-0.98.4 /usr/share/doc/clamav-server-0.98.4/README /usr/share/doc/clamav-server-0.98.4/clamd.conf /usr/share/doc/clamav-server-0.98.4/clamd.init /usr/share/doc/clamav-server-0.98.4/clamd.logrotate /usr/share/doc/clamav-server-0.98.4/clamd.sysconfig /usr/share/man/man5/clamd.conf.5.gz /usr/share/man/man8/clamd.8.gz
clamav
# rpm -qil clamav
Name : clamav Version : 0.98.4 Release : 1.el7 Architecture: x86_64 Install Date: Tue 18 Nov 2014 10:23:01 AM CET Group : Applications/File Size : 2306673 License : GPLv2 Signature : RSA/SHA256, Sat 26 Jul 2014 12:50:58 AM CEST, Key ID 6a2faea2352c64e5 Source RPM : clamav-0.98.4-1.el7.src.rpm Build Date : Wed 23 Jul 2014 11:35:56 PM CEST Build Host : buildhw-02.phx2.fedoraproject.org Relocations : (not relocatable) Packager : Fedora Project Vendor : Fedora Project URL : http://www.clamav.net Summary : End-user tools for the Clam Antivirus scanner Description : Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. The virus database is based on the virus database from OpenAntiVirus, but contains additional signatures (including signatures for popular polymorphic viruses, too) and is KEPT UP TO DATE. /usr/bin/clambc /usr/bin/clamconf /usr/bin/clamdscan /usr/bin/clamdtop /usr/bin/clamscan /usr/bin/clamsubmit /usr/bin/sigtool /usr/share/doc/clamav-0.98.4 /usr/share/doc/clamav-0.98.4/AUTHORS /usr/share/doc/clamav-0.98.4/BUGS /usr/share/doc/clamav-0.98.4/COPYING /usr/share/doc/clamav-0.98.4/ChangeLog /usr/share/doc/clamav-0.98.4/FAQ /usr/share/doc/clamav-0.98.4/NEWS /usr/share/doc/clamav-0.98.4/README /usr/share/doc/clamav-0.98.4/UPGRADE /usr/share/doc/clamav-0.98.4/clamav-mirror-howto.pdf /usr/share/doc/clamav-0.98.4/clamdoc.pdf /usr/share/doc/clamav-0.98.4/phishsigs_howto.pdf /usr/share/doc/clamav-0.98.4/signatures.pdf /usr/share/man/man1/clambc.1.gz /usr/share/man/man1/clamconf.1.gz /usr/share/man/man1/clamdscan.1.gz /usr/share/man/man1/clamdtop.1.gz /usr/share/man/man1/clamscan.1.gz /usr/share/man/man1/clamsubmit.1.gz /usr/share/man/man1/sigtool.1.gz /usr/share/man/man5/clamav-milter.conf.5.gz /usr/share/man/man5/clamd.conf.5.gz
clamav-update
# rpm -qil clamav-update
Name : clamav-update Version : 0.98.4 Release : 1.el7 Architecture: x86_64 Install Date: Tue 18 Nov 2014 10:28:34 AM CET Group : Applications/File Size : 182546 License : GPLv2 Signature : RSA/SHA256, Sat 26 Jul 2014 12:02:22 AM CEST, Key ID 6a2faea2352c64e5 Source RPM : clamav-0.98.4-1.el7.src.rpm Build Date : Wed 23 Jul 2014 11:35:56 PM CEST Build Host : buildhw-02.phx2.fedoraproject.org Relocations : (not relocatable) Packager : Fedora Project Vendor : Fedora Project URL : http://www.clamav.net Summary : Auto-updater for the Clam Antivirus scanner data-files Description : This package contains programs which can be used to update the clamav anti-virus database automatically. It uses the freshclam(1) utility for this task. To activate it, uncomment the entry in /etc/cron.d/clamav-update. /etc/cron.d/clamav-update /etc/freshclam.conf /etc/logrotate.d/clamav-update /etc/sysconfig/freshclam /usr/bin/freshclam /usr/share/clamav/freshclam-sleep /usr/share/man/man1/freshclam.1.gz /usr/share/man/man5/freshclam.conf.5.gz /var/lib/clamav/daily.cld /var/lib/clamav/main.cld /var/log/freshclam.log
freshclam Update
# vim /etc/cron.d/clamav-update
## Adjust this line... MAILTO=root ## It is ok to execute it as root; freshclam drops privileges and becomes ## user 'clamupdate' as soon as possible # Django : 2014-11-15 # default: alle 3 Stunden # 0 */3 * * * root /usr/share/clamav/freshclam-sleep 0 */3 * * * root /usr/share/clamav/freshclam-sleep
# vim /etc/sysconfig/freshclam
## When changing the periodicity of freshclam runs in the crontab, ## this value must be adjusted also. Its value is the timespan between ## two subsequent freshclam runs in minutes. E.g. for the default ## ## | 0 */3 * * * ... ## ## crontab line, the value is 180 (minutes). # FRESHCLAM_MOD= ## A predefined value for the delay in seconds. By default, the value is ## calculated by the 'hostid' program. This predefined value guarantees ## constant timespans of 3 hours between two subsequent freshclam runs. ## ## This option accepts two special values: ## 'disabled-warn' ... disables the automatic freshclam update and ## gives out a warning ## 'disabled' ... disables the automatic freshclam silently # FRESHCLAM_DELAY= ### !!!!! REMOVE ME !!!!!! ### REMOVE ME: By default, the freshclam update is disabled to avoid ### REMOVE ME: network access without prior activation # # Django : 2014-11-15 # default: FRESHCLAM_DELAY=disabled-warn # REMOVE ME
# curl -O http://www.eicar.org/download/eicar.com
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 68 100 68 0 0 155 0 --:--:-- --:--:-- --:--:-- 155
# clamscan --infected --remove --recursive .
./eicar.com: Eicar-Test-Signature FOUND ./eicar.com: Removed. ----------- SCAN SUMMARY ----------- Known viruses: 3418320 Engine version: 0.98.4 Scanned directories: 9 Scanned files: 14 Infected files: 1 Data scanned: 0.27 MB Data read: 0.14 MB (ratio 1.94:1) Time: 11.733 sec (0 m 11 s)
Dokumentation
clamav
# less /usr/share/doc/clamav-0.98.4/README
Note: This README/NEWS file refers to the source tarball. Some things described
here may not be available in binary packages.
--
0.98.4
------
ClamAV 0.98.4 is a bug fix release. The following issues are now resolved:
- Various build problems on Solaris, OpenBSD, AIX.
- Crashes of clamd on Windows and Mac OS X platforms when reloading
the virus signature database.
- Infinite loop in clamdscan when clamd is not running.
- Freshclam failure on Solaris 10.
- Buffer underruns when handling multi-part MIME email attachments.
- Configuration of OpenSSL on various platforms.
- Name collisions on Ubuntu 14.04, Debian sid, and Slackware 14.1.
- Linking issues with libclamunrar
Thanks to the following individuals for testing, writing patches, and
initiating quality improvements in this release:
Tuomo Soini
Scott Kitterman
Jim Klimov
Curtis Smith
Steve Basford
Martin Preen
Lars Hecking
Stuart Henderson
Ismail Paruk
Larry Rosenbaum
Dave Simonson
Sebastian Andrzej Siewior
0.98.2
------
Here are the new features and improvements in ClamAV 0.98.3:
- Support for common raw disk image formats using 512 byte sectors,
specifically GPT, APM, and MBR partitioning.
- Experimental support of OpenIOC files. ClamAV will now extract file
hashes from OpenIOC files residing in the signature database location,
and generate ClamAV hash signatures. ClamAV uses no other OpenIOC
features at this time. No OpenIOC files will be delivered through
freshclam. See openioc.org and iocbucket.com for additional information
about OpenIOC.
- All ClamAV sockets (clamd, freshclam, clamav-milter, clamdscan, clamdtop)
now support IPV6 addresses and configuration parameters.
- Use OpenSSL file hash functions for improved performance. OpenSSL
is now prerequisite software for ClamAV 0.98.2.
- Improved detection of malware scripts within image files. Issue reported
by Maarten Broekman.
- Change to circumvent possible denial of service when processing icons within
specially crafted PE files. Icon limits are now in place with corresponding
clamd and clamscan configuration parameters. This issue was reported by
Joxean Koret.
- Improvements to the fidelity of the ClamAV pattern matcher, an issue
reported by Christian Blichmann.
- Opt-in collection of statistics. Statistics collected are: sizes and MD5
hashes of files, PE file section counts and section MD5 hashes, and names
and counts of detected viruses. Enable statistics collection with the
--enable-stats clamscan flag or StatsEnabled clamd configuration
parameter.
- Improvements to ClamAV build process, unit tests, and platform support with
assistance and suggestions by Sebastian Andrzej Siewior, Scott Kitterman,
and Dave Simonson.
- Patch by Arkadiusz Miskiewicz to improve error handling in freshclam.
- ClamAV 0.98.2 also includes miscellaneous bug fixes and documentation
improvements.
Thanks to the following ClamAV community members for sending patches or reporting
bugs and issues that are addressed in ClamAV 0.98.2:
Sebastian Andrzej Siewior
Scott Kitterman
Joxean Koret
Arkadiusz Miskiewicz
Dave Simonson
Maarten Broekman
Christian Blichmann
--
REGARDING OPENSSL
In addition, as a special exception, the copyright holders give
permission to link the code of portions of this program with the
OpenSSL library under certain conditions as described in each
individual source file, and distribute linked combinations
including the two.
You must obey the GNU General Public License in all respects
for all of the code used other than OpenSSL. If you modify
file(s) with this exception, you may extend this exception to your
version of the file(s), but you are not obligated to do so. If you
do not wish to do so, delete this exception statement from your
version. If you delete this exception statement from all source
files in the program, then also delete it here.
0.98.1
------
ClamAV 0.98.1 provides improved support of Mac OS X platform, support for new file types, and
quality improvements. These include:
- Extraction, decompression, and scanning of files within Apple Disk Image (DMG) format.
- Extraction, decompression, and scanning of files within Extensible Archive (XAR) format.
XAR format is commonly used for software packaging, such as PKG and RPM, as well as
general archival.
- Decompression and scanning of files in "Xz" compression format.
- Recognition of Open Office XML formats.
- Improvements and fixes to extraction and scanning of ole formats.
- Option to force all scanned data to disk. This impacts only a few file types where
some embedded content is normally scanned in memory. Enabling this option
ensures that a file descriptor exists when callback functions are used, at a small
performance cost. This should only be needed when callback functions are used
that need file access.
- Various improvements to ClamAV configuration, support of third party libraries,
and unit tests.
0.98
------
ClamAV 0.98 includes many new features, across all the different components
of ClamAV. There are new scanning options, extensions to the libclamav API,
support for additional filetypes, and internal upgrades.
- Signature improvements: New signature targets have been added for
PDF files, Flash files and Java class files. (NOTE: Java archive files
(JAR) are not part of the Java target.) Hash signatures can now specify
a '*' (wildcard) size if the size is unknown. Using wildcard size
requires setting the minimum engine FLEVEL to avoid backwards
compatibility issues. For more details read the ClamAV Signatures
guide.
- Scanning enhancements: New filetypes can be unpacked and scanned,
including ISO9660, Flash, and self-extracting 7z files. PDF
handling is now more robust and better handles encrypted PDF files.
- Authenticode: ClamAV is now aware of the certificate chains when
scanning signed PE files. When the database contains signatures for
trusted root certificate authorities, the engine can whitelist
PE files with a valid signature. The same database file can also
include known compromised certificates to be rejected! This
feature can also be disabled in clamd.conf (DisableCertCheck) or
the command-line (nocerts).
- New options: Several new options for clamscan and clamd have been
added. For example, ClamAV can be set to print infected files and
error files, and suppress printing OK results. This can be helpful
when scanning large numbers of files. This new option is "-o" for
clamscan and "LogClean" for clamd. Check clamd.conf or the clamscan
help message for specific details.
- New callbacks added to the API: The libclamav API has additional hooks
for developers to use when wrapping ClamAV scanning. These function
types are prefixed with "clcb_" and allow developers to add logic at
certain steps of the scanning process without directly modifying the
library. For more details refer to the clamav.h file.
- More configurable limits: Several hardcoded values are now configurable
parameters, providing more options for tuning the engine to match your
needs. Check clamd.conf or the clamscan help message for specific
details.
- Performance improvements: This release furthers the use of memory maps
during scanning and unpacking, continuing the conversion started in
prior releases. Complex math functions have been switched from
libtommath to tomsfastmath functions. The A/C matcher code has also
been optimized to provide a speed boost.
- Support for on-access scanning using Clamuko/Dazuko has been replaced
with fanotify. Accordingly, clamd.conf settings related to on-access
scanning have had Clamuko removed from the name. Clamuko-specific
configuration items have been marked deprecated and should no longer
be used.
There are also fixes for other minor issues and code quality changes. Please
see the ChangeLog file for details.
--
The ClamAV team (http://www.clamav.net/team)
0.97.8
----
ClamAV 0.97.8 addresses several reported potential security bugs. Thanks to
Felix Groebert of the Google Security Team for finding and reporting these
issues.
0.97.7
----
ClamAV 0.97.7 addresses several reported potential security bugs. Thanks to
Felix Groebert, Mateusz Jurczyk and Gynvael Coldwind of the Google Security
Team for finding and reporting these issues.
0.97.6
----
ClamAV 0.97.6 includes minor bug fixes and detection improvements.
ClamAV 0.97.6 corrects bug 5252 "CL_EFORMAT: Bad format or broken data ERROR
reported as scan result."
0.97.5
------
ClamAV 0.97.5 addresses possible evasion cases in some archive formats
(CVE-2012-1457, CVE-2012-1458, CVE-2012-1459). It also addresses stability
issues in portions of the bytecode engine. This release is recommended for
all users.
0.97.4
------
ClamAV 0.97.4 includes minor bugfixes, detection improvements and initial
support for on-access scanning under Mac OS X (see contrib/ClamAuth).
This update is recommended for all users.
0.97.3
------
ClamAV 0.97.3 is a minor bugfix release and is recommended for all
users. Please refer to the ChangeLog file for details.
0.97.2
------
ClamAV 0.97.2 fixes problems with the bytecode engine, Safebrowsing detection,
hash matcher, and other minor issues. Please see the ChangeLog file for
details.
*** Announcement ***
The ClamAV project is launching a new service called "Third Party web
interface". It will allow selected individuals/organizations to publish
ClamAV Virus Databases (CVD) through the ClamAV mirror network.
If you choose to publish your signatures through our Third Party
web interface you will benefit from the following:
- before publishing the signatures, we will test them for
false positives against our false positive file collection.
- before publishing the signatures, we'll verify that the latest two major
versions of ClamAV can load them correctly.
- the signatures will be digitally signed and packaged into a single
.cvd compressed file.
- there will be no ".UNOFFICIAL" suffix in the detection names.
- a custom prefix will be added to the detection names, identifying the
organization which published the signature.
- updates will be distributed both as full CVD files and cdiff
incremental updates. Users will benefit from lower network traffic.
- the .cvd and .cdiff files will be distributed through the
ClamAV mirror network.
- the service should result in faster remediation of false positives.
- ClamAV users will be able to download the third party databases
using freshclam, by adding a single line to freshclam.conf, what
should make signature maintenance significantly easier.
The service is still in beta, you are welcome to contact Luca Gibelli
<luca*clamav.net> if you intend to join the beta program.
We especially welcome those who already distribute their own unofficial
signatures to join. A list of databases distributed by the new service
will be available at http://www.clamav.net/download/cvd/3rdparty
We will be happy to answer any questions you might have.
--
The ClamAV team (http://www.clamav.net/team)
0.97.1
------
This is a bugfix release recommended for all users. Please refer to the
ChangeLog file for details.
--
The ClamAV team (http://www.clamav.net/team)
0.97
----
ClamAV 0.97 brings many improvements, including complete Windows support
(all major components compile out-of-box under Visual Studio), support for
signatures based on SHA1 and SHA256, better error detection, as well as
speed and memory optimizations. The complete list of changes is available
in the ChangeLog file. For upgrade notes and tips please see:
https://wiki.clamav.net/Main/UpgradeNotes097
With Sourcefire, Inc. acquisition of Immunet Corp., ClamAV for Windows
3.0 has been renamed Immunet 3.0, powered by ClamAV. This release
contains the fully integrated LibClamAV 0.97 engine for offline,
OnDemand, and OnAccess scanning. Immunet 3.0 users can now utilize
the full power of the LibClamAV engine, all the ClamAV signatures,
and creation of custom signatures on any platform running Immunet 3.0,
powered by ClamAV. If you run Windows systems in your environment and
need an AV solution to protect them, give Immunet 3.0, powered by ClamAV
a try; you can download it from http://www.clamav.net/about/win32
--
The ClamAV team (http://www.clamav.net/team)
0.96.5
------
ClamAV 0.96.5 includes bugfixes and minor feature enhancements, such as
improved handling of detection statistics, better file logging,
and support for custom database URLs in freshclam. Please refer to the
ChangeLog for details.
--
The ClamAV team (http://www.clamav.net/team)
0.96.4
------
ClamAV 0.96.4 is a bugfix release recommended for all users.
--
The ClamAV team (http://www.clamav.net/team)
0.96.3
------
This release fixes problems with the PDF parser and the internal bzip2
library. A complete list of changes is available in the Changelog file.
--
The ClamAV team (http://www.clamav.net/team)
0.96.2
------
ClamAV 0.96.2 brings a new PDF parser, performance and memory improvements,
and a number of bugfixes and minor enhancements. This upgrade is recommended
for all users.
0.96.1
------
This is a bugfix release, please refer to the ChangeLog for the complete
list of changes.
--
The ClamAV team (http://www.clamav.net/team)
0.96
----
This release of ClamAV introduces new malware detection mechanisms and other
significant improvements to the scan engine. The key features include:
- The Bytecode Interpreter: the interpreter built into LibClamAV allows
the signature writers to create and distribute very complex detection
routines and remotely enhance the scanner's functionality
- Heuristic improvements: improve the PE heuristics detection engine by
adding support of bogus icons and fake PE header information. In a
nutshell, ClamAV can now detect malware that tries to disguise itself
as a harmless application by using the most common Windows program icons.
- Signature Improvements: logical signature improvements to allow more
detailed matching and referencing groups of signatures. Additionally,
improvements to wildcard matching on word boundaries and newlines.
- Support for new archives: 7zip, InstallShield and CPIO. LibClamAV
can now transparently unpack and inspect their contents.
- Support for new executable file formats: 64-bit ELF files and OS X
Universal Binaries with Mach-O files. Additionally, the PE module
can now decompress and inspect executables packed with UPX 3.0.
- Support for DazukoFS in clamd
- Performance improvements: overall performance improvements and memory
optimizations for a better overall resource utilization experience.
- Native Windows Support: ClamAV will now build natively under Visual
Studio. This will allow 3rd Party application developers on Windows
to easily integrate LibClamAV into their applications.
The complete list of changes is available in the ChangeLog file. For upgrade
notes and tips please see: https://wiki.clamav.net/Main/UpgradeNotes096
--
The ClamAV team (http://www.clamav.net/team)
0.95.3
------
ClamAV 0.95.3 is a bugfix release recommended for all users.
Please refer to the ChangeLog included in the source distribution
for the list of changes.
--
The ClamAV team (http://www.clamav.net/team)
0.95.2
------
This version improves handling of archives, adds support for --file-list
in clamscan and clamdscan, and fixes various issues found in previous
releases.
--
The ClamAV team (http://www.clamav.net/team)
0.95.1
------
This is a bugfix release only, please see the ChangeLog for details.
--
The ClamAV team (http://www.clamav.net/team)
0.95
----
ClamAV 0.95 introduces many bugfixes, improvements and additions. To make
the transition easier, we put various tips and upgrade notes on this page:
https://wiki.clamav.net/Main/UpgradeNotes095. For detailed list of changes
and bugfixes, please see the ChangeLog.
The following are the key features of this release:
- Google Safe Browsing support: in addition to the heuristic and signature
based phishing detection mechanisms already available in ClamAV, the
scanner can now make use of the Google's blacklists of suspected
phishing and malware sites. The ClamAV Project distributes a constantly
updated Safe Browsing database, which can be automatically fetched by
freshclam. For more information, please see freshclam.conf(5) and
http://safebrowsing.clamav.net.
- New clamav-milter: The program has been redesigned and rewritten from
scratch. The most notable difference is that the internal mode has been
dropped which means that now a working clamd companion is required.
The milter now also has its own configuration file.
- Clamd extensions: The protocol has been extended to lighten the load
that clamd puts on the system, solve limitations of the old protocol,
and reduce latency when signature updates are received. For more
information about the new extensions please see the official
documentation and the upgrade notes.
- Improved API: The API used to program ClamAV's engine (libclamav) has
been redesigned to use modern object-oriented techniques and solves
various API/ABI compatibility issues between old and new releases.
You can find more information in Section 6 of clamdoc.pdf and in
the upgrade notes.
- ClamdTOP: This is a new program that allows system administrators to
monitor clamd. It provides information about the items in the clamd's
queue, clamd's memory usage, and the version of the signature database,
all in real-time and in nice curses-based interface.
- Memory Pool Allocator: Libclamav now includes its own memory pool
allocator based on memory mapping. This new solution replaces the
traditional malloc/free system for the copy of the signatures that
is kept in memory. As a result, clamd requires much less memory,
particularly when signature updates are received and the database is
loaded into memory.
- Unified Option Parser: Prior to version 0.95 each program in ClamAV's
suite of programs had its own set of runtime options. The new general
parser brings consistency of use and validation to these options across
the suite. Some command line switches of clamscan have been renamed
(the old ones will still be accepted but will have no effect and will
result in warnings), please see clamscan(1) and clamscan --help for
the details.
--
The ClamAV team (http://www.clamav.net/team)
0.94.2
------
This is a bugfix release, please refer to the ChangeLog for a complete
list of changes.
--
The ClamAV team (http://www.clamav.net/team)
0.94.1
------
ClamAV 0.94.1 fixes some issues that were found in previous releases and
includes one new feature, "Malware Statistics Gathering." This is an optional
feature that allows ClamAV users optionally to submit statistics to us about
what they detect in the field. We will then use these data to determine what
types of malware are the most detected in the field and in what geographic
area they are. It will also allow us to publish summary data on www.clamav.net
where our users will be able to monitor the latest threats. You can help us
by enabling SubmitDetectionStats in freshclam.conf.
For more details, please refer to the ChangeLog and
http://www.clamav.net/press/0.94.1-WhatsNew.pdf
--
The ClamAV team (http://www.clamav.net/team)
0.94
----
Sourcefire and the ClamAV team are pleased to announce the release of
ClamAV 0.94. The following are the key features and improvements of this
version:
- Logical Signatures: The logical signature technology uses operators
such as AND, OR and NOT to allow the combination of more than one
signature into one entry in the signature database resulting in
more detailed and flexible pattern matching.
- Anti-phishing Technology: Users can now change the priority and reporting
of ClamAV's heuristic anti-phishing scanner within the detection engine
process. They can choose whether, when scanning a supicious file, ClamAV
should stop scanning and report the phish, or continue to scan in case the
file contains other malware (clamd: HeuristicScanPrecedence,
clamscan: --heuristic-scan-precedence)
- Disassembly Engine: The initial version of the disassembly engine improves
ClamAV's detection abilities.
- PUA Detection: Users can now decide which PUA signatures should be loaded
(clamd: ExcludePUA, IncludePUA; clamscan: --exclude-pua, --include-pua)
- Data Loss Prevention (DLP): This version includes a new module that, when
enabled, scans data for the inclusion of US formated Social Security
Numbers and credit card numbers (clamd: StructuredDataDetection,
clamscan: --detect-structured; additional fine-tuning options are available)
- IPv6 Support: Freshclam now supports IPv6
- Improved Scanning of Scripts: The normalization of scripts now covers
JavaScript
- Improved QA and Unit Testing: The improved QA process now includes
API testing and new library of test files in various formats that are
tested on a wide variety of systems (try running 'make check' in the source
directory)
For more details, please refer to http://www.clamav.net/press/0.94-WhatsNew.pdf
and to the ChangeLog.
You may need to run 'ldconfig' after installing this version.
** This version drops the special support for Cygwin. Our QA process showed
** serious problems with ClamAV builds under Cygwin due to some low-level
** incompatibilities in the POSIX compatibility layer, resulting in unreliable
** ClamAV behaviour.
--
The ClamAV team (http://www.clamav.net/team)
0.93.3
------
This release fixes a problem in handling of .cld files introduced in 0.93.2.
--
The ClamAV team (http://www.clamav.net/team)
0.93.2
------
This release fixes and re-enables the Petite unpacker, improves database
loading and solves some other minor issues.
0.93.1
------
This version improves handling of PDF, CAB, RTF, OLE2 and HTML files
and includes various bugfixes for 0.93 issues.
--
The ClamAV team (http://www.clamav.net/team)
0.93
----
This release introduces many new features and engine enhancements, please
see the notes below for the list of major changes. The most visible one
is the new logic in scan limits which affects some command line and config
options of clamscan and clamd. Please see clamscan(1) and clamd.conf(5)
and the example config file for more information on the new options.
Most important changes include:
* libclamav:
- New logic in scan limits: provides much more efficient protection against
DoS attacks but also results in different command line and config options
to clamscan and clamd (see below)
- New/improved modules: unzip, SIS, cabinet, CHM, SZDD, text normalisator,
entity converter
- Improved filetype detection; filetype definitions can be remotely updated
- Support for .cld containers (which replace .inc directories)
- Improved pattern matcher and signature formats
- More efficient scanning of HTML files
- Many other improvements
* clamd:
- NEW CONFIG FILE OPTIONS: MaxScanSize, MaxFileSize, MaxRecursion, MaxFiles
- ** THE FOLLOWING OPTIONS ARE NO LONGER SUPPORTED **: MailMaxRecursion,
ArchiveMaxFileSize, ArchiveMaxRecursion, ArchiveMaxFiles,
ArchiveMaxCompressionRatio, ArchiveBlockMax
* clamscan:
- NEW CMDLINE OPTIONS: --max-filesize, --max-scansize
- REMOVED OPTIONS: --block-max, --max-space, --max-ratio
* freshclam:
- NEW CONFIG OPTION CompressLocalDatabase
- NEW CMDLINE SWITCH --no-warnings
- main.inc and daily.inc directories are no longer used by ClamAV; please
remove them manually from your database directory
--
The ClamAV team (http://www.clamav.net/team)
0.92.1
------
This is a bugfix release, please refer to the ChangeLog for a complete
list of changes.
--
The ClamAV team (http://www.clamav.net/team)
0.92
----
This release provides various bugfixes, optimisations and improvements
to the scanning engine. The new features include support for ARJ and
SFX-ARJ archives, AutoIt, basic SPF parser in clamav-milter (to reduce
phishing false-positives), faster scanning and others (see ChangeLog).
To get a consistent behaviour of the anti-phishing module on all platforms,
libclamav now includes the regex library from OpenBSD.
--
The ClamAV team (http://www.clamav.net/team)
0.91.2
-------
This release fixes various bugs in libclamav, freshclam and clamav-milter,
and adds support for PUA (Potentially Unwanted Application) signatures
(clamscan: --detect-pua, clamd: DetectPUA).
** Announcement **
Dear ClamAV users,
On August 17, Sourcefire, the creators of Snort, acquired the ClamAV project.
The full announcement is available here:
http://www.sourcefire.com/products/clamav/
We'd like to thank everyone in the ClamAV community for their dedication to
the project. The acquisition by Sourcefire is a testament to the hard work of
the entire ClamAV community in developing cutting edge technology that truly
showcases the promise of the open source model. With the additional resources
Sourcefire will provide we look forward to working with the community to
continue the advancement of ClamAV.
Sourcefire now owns ClamAV project and related trademarks, as well as the
source code copyrights held by the five principal members of the ClamAV team.
Sourcefire will also assume control of the ClamAV project including: the
ClamAV.org domain, web site and web site content; and the ClamAV Sourceforge
project page.
What's most important is that from the end-user perspective very little will
change beyond the additional resources Sourcefire will provide in our
continued efforts to advance the ClamAV technology and improve our ability to
interact with the open source community. The core team will continue to lead
the advancement of ClamAV and the CVD as employees of Sourcefire. Both the
ClamAV engine and the signature database will remain under GPL.
For more information please visit our website and the following FAQ page:
http://www.clamav.net/support/sf-faq
--
The ClamAV team (http://www.clamav.net/team)
0.91.1
------
This release fixes stability and other issues of 0.91.
--
The ClamAV team (http://www.clamav.net/team)
0.91
----
ClamAV 0.91 is the first release to enable the anti-phishing technology
in default builds. This technology combines heuristics with special
signatures and provides effective protection against phishing threats.
Other important changes and add-ons in this version include:
- unpacker for NSIS (Nullsoft Scriptable Install System) self-extracting
archives
- unpacker for ASPack 2.12
- new implementation of the Aho-Corasick pattern matcher providing
better detection for wildcard enabled signatures
- support for nibble matching and floating offsets
- improved handling of .mdb files (fixes long startup times)
- extraction of PE files embedded into other executables
- better handling of PE & UPX
- removed dependency on libcurl (improves stability)
- libclamav.dll available under Windows
- IPv6 support in clamav-milter
- many other improvements and bugfixes
--
The ClamAV team (http://www.clamav.net/team)
0.90.3
------
This release fixes some security bugs in libclamav and improves stability
under Solaris. Please see ChangeLog for complete list of changes.
If your system is suffering from long clamscan startup times, please
consider installing 0.91rc1 which is due to be released shortly
after 0.90.3.
--
The ClamAV team (http://www.clamav.net/team)
0.90.2
------
This release fixes many problems in libclamav and freshclam.
--
The ClamAV team (http://www.clamav.net/team)
0.90.1
------
This release includes various bugfixes and code enhancements. Please
see ChangeLog for complete list of changes.
** Important note **: please run 'ldconfig' after installing this version.
--
The ClamAV team (http://www.clamav.net/team)
0.90
----
The ClamAV team is proud to announce the long awaited ClamAV 0.90.
This version introduces lots of new interesting features and marks
a big step forward in the development of our antivirus engine.
The most important change is the introduction of scripted updates.
Instead of transferring the whole cvd file at each update, only the
differences between the latest cvds and the previous versions will be
transferred.
In case the local copy of the latest cvd is corrupted or the scripted
update fails for some reason, freshclam will fallback to the old method.
Similarly to cvd files, scripted updates are compressed and digitally signed
and are already being distributed. They will dramatically reduce traffic on
our mirrors and will allow us to release even more updates in the future.
Another noticeable change is the new configuration syntax: you can now turn
single options on and off, the old crude hack of "DisableDefaultScanOptions"
is no longer required.
Cosmetic changes apart, the 0.9x series introduces lots of new code, but some
parts are not compiled in by default because they are not ready for production
systems yet. You are encouraged to pass the --enable-experimental flag to
./configure when compiling ClamAV. The experimental code introduces many
improvements in terms of detection rate and performances. If you find a bug,
please take some time to report it on our bugzilla: http://bugs.clamav.net.
Your help in testing the new code is really appreciated. The experimental code
introduces many improvements in terms of detection rate and performances.
RAR3, SIS and SFX archives support is finally available together with
new unpackers and decryptors: pespin, sue, yc, wwpack32, nspack, mew, upack
and others. Additionally, ClamAV now includes better mechanisms for scanning
ELF, PDF and tar files. The email decoding has been improved to reduce both
the memory requirements and the time taken to process attachments.
As part of the Google Summer of Code program, we have introduced support for
a new phishing signatures format that has proved very effective in detecting
phishing emails. The ClamAV phishing module allows better and more generic
detection of phishing emails by searching for URLs in email messages, and
comparing the real site with the URL displayed to the user in the message.
On the performance side, support for the MULTISCAN command has been
implemented in clamd, allowing to scan multiple files simultaneously.
Support for Sensory Networks' NodalCore acceleration technology
(http://www.clamav.net/nodalcore/) is now available in ClamAV and will be
compiled in if the ncore libraries are detected at compile time. NodalCore
acceleration allows highly improved scan speeds on systems equipped with
NodalCore cards.
Detailed list of changes:
-) libclamav:
+ New unpacker for RAR3, RAR2 and RAR1
+ Rewritten unpackers for Zip and CAB files
+ Support for RAR-SFX, Zip-SFX and CAB-SFX archives
+ New PE parsing model:
- Accurate virtual and raw size and offset calculations
- Proper parsing of executables with weird/handcrafted/uncommon headers
- Proper handling (or skipping) of ghost sections at various places in the
code
- Rebuild improvements for various unpackers
- Adjusted alignment on rebuilt executables
- Proper handling of out of sections offsets
- Broken exe detection now mimics the XPSP2 loader
- Lots of misc improvements and fixes
+ Support for PE32+ (64-bit) executables
+ Support for MD5 signatures based on PE sections (.mdb)
+ ELF file parser
+ Support for Sensory Networks' NodalCore hardware acceleration technology
+ Advanced phishing detection module (experimental)
+ Signatures are stored in separate trees depending on their target type
+ Algorithmic detection can be controlled with CL_SCAN_ALGORITHMIC
+ Support for new obfuscators: SUE, Y0da Cryptor, CryptFF
+ Support for new packers: NsPack, wwpack32, MEW, Upack
+ Support for SIS files (SymbianOS packages)
+ Support for PDF and RTF files
+ New encoding and entity normalizer (experimental)
-) clamd:
+ New config file parser:
* all options require arguments (options without args must be now followed
by boolean values: (yes, no), (1, 0), or (true, false)
* optional arguments (as in NotifyClamd) are no longer supported
* removed "DisableDefaultScanOptions" option (scan options can be
configured individually)
+ TCP and local sockets can be operated simultaneously
+ New command: MULTISCAN (scan directory with multiple threads)
+ New option AlgorithmicDetection
+ New option ScanELF
+ New option NodalCoreAcceleration (requires hardware accelerator)
+ New option PhishingSignatures
+ New options to control the phishing module:
- PhishingRestrictedScan
- PhishingScanURLs
- PhishingAlwaysBlockSSLMismatch
- PhishingAlwaysBlockCloak
-) clamav-milter:
+ Black list mode: optionally black lists an IP for a configurable amount
of time
+ Black hole mode: detects emails that will be discarded and refrains from
scanning them
+ Reporting: ability to report phishing attempts to anti-phishing
organisations to help close the sites
+ Improved load balancing for scanning with clusters
+ Removed -b option (enable BOUNCE compile time option to re-enable the
option)
-) clamscan:
+ New options: --no-phishing-sigs, --no-algorithmic (disable phishing and
algorithmic detection respectively)
+ New options to control the phishing module: --no-phishing-scan-urls,
--no-phishing-restrictedscan, --phishing-ssl, --phishing-cloak
+ New option: --ncore (requires hardware accelerator)
+ New option: --no-elf
+ New option: --copy
-) freshclam:
+ Interpreter for .cdiff files (scripted updates)
+ Initial version of mirror manager
+ New option: --list-mirrors (list details on mirrors accessed by the mirror
manager)
+ New option HTTPUserAgent to force different User-Agent header
-) sigtool:
+ New option: --utf16-decode (decode UTF16 encoded files)
+ New options: --diff, --run-cdiff, --verify-cdiff (update script management)
+ New option: --mdb (generated .mdb compatible signatures)
-) clamconf: initial version of configuration utility for clamd and freshclam
We are happy to announce new interesting software with support for ClamAV:
+ AqMail - a POP3 client with additional filtering
+ ClamFS - a FUSE-based file system with on-access anti-virus scanning
+ c-icap - an ICAP server coded in C with support for ClamAV
+ MailCleaner - a complete email filtering gateway
+ mod_streamav - a ClamAV based antivirus filter for Apache 2
+ pyClamd - a python interface to Clamd
More information at http://www.clamav.net/download/third-party-tools/
--
The ClamAV team (http://www.clamav.net/team)
0.88.7
------
This version improves scanning of mail and tar files.
--
The ClamAV team (http://www.clamav.net/team)
0.88.6
------
Changes in this release include better handling of network problems in
freshclam and other minor bugfixes.
The ClamAV developers encourage all users to give a try to the latest
beta version of 0.90!
--
The ClamAV team (http://www.clamav.net/team)
0.88.5
------
This version fixes a crash in the CHM unpacker and a heap overflow in the
function rebuilding PE files after unpacking.
--
The ClamAV team (http://www.clamav.net/team)
0.88.4
------
This release fixes a possible heap overflow in the UPX code.
See security information at: http://www.clamav.net/2006/08/07/security-fixes-in-0884
--
The ClamAV team (http://www.clamav.net/team)
0.88.3
------
This version fixes handling of large binhex files and multiple alternatives in
virus signatures.
--
The ClamAV team (http://www.clamav.net/team)
0.88.2
------
This release improves virus detection, fixes zip handling on 64-bit
architectures and possible security problem in freshclam.
Following the 0.88.1 release some portals and security related websites
published incorrect information on security problems of 0.88. To avoid
such incidents in the future, every new ClamAV package will be released
together with detailed information about security bugs it fixes. Details
for this version can be found here:
http://www.clamav.net/2006/08/07/security-fixes-in-0884
--
The ClamAV team (http://www.clamav.net/team)
0.88.1
------
This version fixes a number of minor bugs and provides code updates
to improve virus detection.
--
The ClamAV team (http://www.clamav.net/team)
0.88
----
A possible heap overflow in the UPX code has been fixed. General improvements
include better zip and mail processing, and support for a self-protection mode.
The security of the UPX, FSG and Petite modules has been improved, too.
--
The ClamAV team (http://www.clamav.net/team)
0.87.1
------
This release includes major bugfixes for problems with handling TNEF
attachments, cabinet files and FSG compressed executables.
--
The ClamAV team (http://www.clamav.net/team)
0.87
----
This version fixes vulnerabilities in handling of UPX and FSG compressed
executables. Support for PE files, Zip and Cabinet archives has been improved
and other small bugfixes have been made. The new option "--on-outdated-execute"
allows freshclam to run a command when system reports a new engine version.
--
The ClamAV team (http://www.clamav.net/team)
0.86.2
------
Changes in this release include fixes for three possible integer overflows
in libclamav, improved scanning of Cabinet and FSG compressed files, better
database handling in clamav-milter, and others.
--
The ClamAV team (http://www.clamav.net/team)
0.86.1
------
A possible crash in the libmspack's Quantum decompressor has been fixed.
--
The ClamAV team (http://www.clamav.net/team)
0.86
----
This release introduces a number of bugfixes and cleanups. Possible descriptor
leaks in archive unpackers and mishandling of fast track uuencoded files have
been fixed in libclamav. Database reloading in clamav-milter has been improved.
--
The ClamAV team (http://www.clamav.net/team)
0.85.1
------
A problem where an email with more than one content-disposition type line,
one or more of which was empty, could crash libclamav has been fixed. Other
minor bugfixes have been made.
--
The ClamAV team (http://www.clamav.net/team)
0.85
----
Bugfixes in this release include correct signature offset calculation in large
files, proper handling of encrypted zip archives, and others.
--
The ClamAV team (http://www.clamav.net/team)
0.84
----
This version improves detection of JPEG (MS04-028) based exploits, introduces
support for TNEF files and new detection mechanisms. Various bugfixes
(including problems with scanning of digest mail files) and improvements
have been made.
** We encourage users to help testing the development versions, now with **
** rewritten RAR code and support for 3.0 archives! **
** http://www.clamav.net/snapshot/ **
-) libclamav:
+ JPEG exploit detector now also checks embedded Photoshop thumbnail images
+ archive meta-data scanner (improves malware detection within encrypted
archives)
+ support for TNEF (winmail.dat) decoding
+ support for all tar archive formats
+ MD5 implementation replaced with a slightly faster one
+ improved database reloading with reference counter
+ database updateable false positive eliminator
+ speed improvements
+ various bugfixes
-) clamd:
+ VirusEvent now sets CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME
environment variables
-) clamav-milter:
+ improved database update detection when not --external
-) clamscan:
+ new options --include-dir and exclude-dir
+ new option --max-dir-recursion
-) freshclam:
+ new directive LocalIPAddress
-) contrib:
+ clamdmon 1.0 - clamdwatch replacement written in C
-) 3rd party software:
+ hMailServer - open source e-mail server for Microsoft Window
+ pop3.proxy - proxy server for the POP3 protocol
+ HTTP Anti Virus Proxy
+ SmarterMail Filter - ClamAV based plugin for SmarterMail Mail Server
+ smf-clamd - small & fast virus filter for Sendmail
+ Squidclam - replacement for SquidClamAV-Redirector.py written in C
+ QtClamAVclient - remote clamd client based on the Qt Toolkit
+ qpsmtp - flexible smtpd daemon written in Perl
News:
Palo Alto, Calif. March 31st 2005 - Clam AntiVirus, the leading Open Source
antivirus toolkit, and Sensory Networks, the leading provider of hardware
acceleration for network security applications, announced a partnership
to provide hardware acceleration support for the Clam AntiVirus suite.
[...]
Support for Sensory Networks' NodalCore acceleration in ClamAV will be
available in version 0.90 of the software suite in Q3 2005. For more
information please visit:
http://www.clamav.net/partners/sensorynetworks
http://www.sensorynetworks.com/
The ClamAV project announces the opening of the official merchandise store:
http://www.cafepress.com/clamav/
A big thank you to Finndesign (http://www.finndesign.fi) which
volunteered to design the whole line of products, including:
- t-shirts (for women and men)
- golf shirt
- sweatshirt
- coffee mug
- mousepad
- stickers
- scrapbook
By purchasing our merchandise, you contribute to the development of ClamAV.
--
The ClamAV team (http://www.clamav.net/team)
0.83
----
Due to a high number of bad files produced by broken software, the MS05-002
exploit detector now only checks specific RIFF files. This version also fixes
a stability problem of clamav-milter/clamd and improves e-mail scanning.
--
The ClamAV team (http://www.clamav.net/team)
0.82
----
This release adds generic detection of MS05-002 ("Vulnerability in Cursor and
Icon Format Handling Could Allow Remote Code Execution") based exploits.
Fixes include correct attachment scanning in e-mails generated by some
Internet worms (broken in 0.81), removed false positive "Suspect.Zip"
warning on non-standard zip archives created by ICEOWS, better proxy support
in freshclam, and speed improvements.
--
The ClamAV team (http://www.clamav.net/team)
0.81
----
Scan engine improvements were made. The internal mail scanner now supports
multipart/partial messages, and support for decoding non-standard mail files
was greatly enhanced. clamav-milter by default uses libclamav and scans emails
itself without the use of clamd. libclamav can now extract RFC2397 encoded
data within HTML documents, block zip archives with modified information in
local header, and scan HQX files. PE file structure rebuilding from compressed
executables was improved.
Important note to clamdwatch users: please upgrade to the latest version
(contrib/clamdwatch) as soon as possible.
-) libclamav:
+ major improvements in the mail scanning engine:
o support for multipart/partial messages
o improved support for non-standard quoted-printable attachments
o in some situations it will try to guess a correct mode (e.g.
a good type for an incorrect content-type, a best guess for an
unknown encoding type, etc.)
o handling of RFC822 comments in the commands (e.g.: Co(foo)ntent-Type:
text/plain)
o better recovery if memory softlimit is hit
o new test code that decodes emails without parsing them first (must
be enabled manually before compilation)
+ support for extracting RFC2397 encoded data within HTML documents
+ blocking of zip archives with modified information in local header
+ improved PE structure rebuilding from compressed executables
+ improved support for zip archives
+ support for Mac's HQX file format
+ stability and (minor) security fixes
+ a lot of minor improvements, including support for new platforms
-) clamd:
+ new directive ExitOnOOM (stop the deamon when libclamav reports an out of
memory condition)
+ new directives StreamMinPort and StreamMaxPort (port range specification
for a stream mode)
+ support for passing of file descriptors
-) clamdscan:
+ added support for --move and --remove
-) clamav-milter:
+ by default uses libclamav to scan e-mails
+ new option --external (enables the use of clamd)
+ various optimisations
-) freshclam:
+ the DNS mode is now enabled by default (no need for DNSDatabaseInfo in
freshclam.conf)
+ --no-dns uses a If-Modified-Since method instead of a range GET
+ added support for AllowSupplementaryGroups
-) sigtool:
+ new options --vba and --vba-hex (extract VBA/Word6 macros and optionally
display the corresponding hex values; Word6 binary code will be
disassembled)
-) The list of third party programs with support for ClamAV is growing
rapidly. Here are the latest additions (see clamdoc.pdf for details):
+ AVScan - a libclamav based GUI a-v scanner for Unix
+ clamailfilter - a Python script that provides a-v scanning via procmailrc
+ ClamAVPlugin - A ClamAV plugin for SpamAssassin 3.x
+ ClamCour - an e-mail filter for Courier
+ clamfilter - a small, secure, and efficient content filter for Postfix
+ ClamMail - an anti-virus POP3 proxy for Windows
+ ClamShell - a Java GUI for clamscan
+ ClamTk - a perl-tk GUI for ClamAV
+ clapf - a virus scanning and antispam content filter for Postfix
+ D bindings for ClamAV - ClamAV bindings for the D programming language
+ Frox - a transparent FTP proxy
+ KMail - a fully-featured email client now supports ClamAV out of box
+ Mail Avenger - a highly-configurable SMTP server with a-v support
+ Mailnees - a mail content filter for Sendmail and Postfix
+ Maverix - anti-spam and anti-virus solution for AOLServer
+ Moodle - scan files submitted by students for viruses!
+ php-clamav - scan files from within PHP
+ pymavis - a powerful email parser, similar to the old amavis-perl
+ QClam - a simple program to plug ClamAV to a qmail mailbox
+ qmailmrtg7 - display graphs of viruses found by ClamAV
+ qSheff - an e-mail filter for qmail
+ SafeSquid - a feature rich content filtering internet proxy
+ Scrubber - a server-side daemon for filtering mail content
+ simscan - an e-mail and spam filter for qmail
+ smtpfilter - scan SMTP session for viruses
+ snort-inline - scan your network traffic for viruses with ClamAV
+ SquidClamAV Redirector - a Squid helper script which adds virus scanning
+ WRAVLib - a library for a-v integration with Mono/.NET applications
--
The ClamAV team (http://www.clamav.net/team)
0.80
----
Stable version. Please read the release notes for the candidate versions below.
--
The ClamAV team (http://www.clamav.net/team)
0.80rc4
-------
Improvements in this release include better JPEG exploit verification,
faster base64 decoding, support for GNU tar files, updated on-access scanner,
and others.
--
The ClamAV team (http://www.clamav.net/team)
0.80rc3
-------
This release candidate eliminates possible false positive alerts in UPX/FSG
compressed files and clarifies behaviour of default actions in clamd and
freshclam.
We encourage users to take advantage of our new mirror structure. In order to
download the database from the closest mirror you should configure freshclam
to use db.XY.clamav.net where XY is your country code (see
http://www.iana.org/cctld/cctld-whois.htm for the full list). Please add
the following lines to freshclam.conf:
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.XY.clamav.net
DatabaseMirror database.clamav.net
DNSDatabaseInfo enables database and software version verification through
DNS TXT records, and the second database mirror acts as a fallback in case
a connection to the first mirror fails for some reason.
0.80rc2
-------
This update fixes a serious bug in e-mail scanner.
0.80rc
------
The development version of ClamAV is ready for general testing! New mechanisms
have already proved very nasty to Internet worms successfully protecting
against the new versions R, S, T, U, V and W of the infamous Mydoom worm
and detecting them as Worm.Mydoom.Gen before they were analysed and specific
signatures added by the ClamAV database maintainers. That means servers running
the new version of ClamAV have detected and blocked 100% of Mydoom attacks!
New features in this release include:
-) libclamav
+ Portable Executable analyser (CL_SCAN_PE) featuring:
o UPX decompression (all versions)
o Petite decompression (2.x)
o FSG decompression (1.3, 1.31, 1.33)
o detection of broken executables (CL_SCAN_BLOCKBROKEN)
+ new, memory efficient, pattern matching algorithm (multipattern variant
of Boyer-Moore) - it's now primary matcher and Aho-Corasick is only used
for regular expression extended signatures
+ new signature format with advanced target type and offset specification
+ support for MD5 based signatures
+ extended regular expression scanner
+ added support for MS cabinet files
+ added support for CHM files
+ added support for POSIX tar archives
+ scanning inside PowerPoint documents
+ HTML normaliser with support for decoding of MS Script Encoder code
+ great improvements in e-mail scanner (now handles even more worm tricks)
+ new method of mail files detection
+ all e-mail attachments are now scanned (previously only the first ten
attachments were scanned)
+ added support for scanning URLs in e-mails (CL_SCAN_MAILURL)
+ detection of Worm.Mydoom.M.log
+ updated API (still backward compatible but please consult clamdoc.pdf
(Section 6) and adapt your software)
-) clamd
+ new directive ScanHTML (enables HTML normalisator and ScrEnc decoder)
+ new directive ScanPE (win32 executable analyser and decompressor)
+ new directive DetectBrokenExecutables (try to detect broken executables
and mark them as Broken.Executable)
+ new directive MailFollowURLs (try to download and scan files from URLs
in mails. BE CAREFUL! DO NOT ENABLE IT ON LOADED MAIL SERVERS)
+ new directive ArchiveBlockMax (archives that exceed limits will be
marked as viruses)
+ clamav.conf was renamed clamd.conf
-) clamscan
+ mail files are scanned by default, use --no-mail to disable it
+ new option --no-html (disables HTML normalisator)
+ new option --no-pe (disables PE analyser)
+ new option --detect-broken
+ new option --block-max
+ new option --mail-follow-urls (download and scan files from URLs in mails)
-) clamdscan
+ now prints warnings if some activated command line options are only
supported by clamscan
+ added support for archive scanning in stdin mode
-) clamav-milter
+ improved template file format
+ quarantined file names now contain virus names
+ initial support for SESSION mode of clamd
-) freshclam:
+ new directive DNSDatabaseInfo that enables ultra lightweight version
verification method through DNS (using TXT records). Based on idea by
Christopher X. Candreva and enabled by default.
(see http://www.gossamer-threads.com/lists/clamav/users/11102)
+ new option --no-dns (quick option to disable DNS method without editing
freshclam.conf)
-) sigtool
+ removed ability of automatic signature generation (use MD5 sums to
create your own signatures, see signatures.pdf for details)
+ new option --md5
+ new option --html-normalise (saves HTML normalisation and decryption
results in three html files in current directory)
-) configure:
+ new option --disable-gethostbyname_r (try enabling it if clamav-milter
compilation fails)
+ new option --disable-dns (try enabling it if freshclam compilation fails)
+ extended regular expression scanner
-) documentation
+ included new Mac OS X installation instructions
+ official documentation rewritten and outdated docs removed
-) new 3rd party software with support for ClamAV:
+ OdeiaVir - an e-mail filter for qmail and Exim
+ ClamSMTP - a lightweight (written in C) and simple filter for Postfix
+ Protea AntiVirus Tools - a virus filter for Lotus Domino
+ PTSMail Utilities - an e-mail filter for Sendmail
+ mxGuard for IMail - a mail filter for Ipswitch IMail (W32)
+ Zabit - a content and attachment filter for qmail
+ BeClam - ClamAV port for BeOS
+ clamXav - a virus scanner with GUI for Mac OS X
Special thanks to aCaB for his work on UPX, FSG and Petite decompressors.
Thanks to good reaction times on new threats ClamAV was awarded as best
security tool for 2004 by Linux Journal: "...With this year's outbreak of
e-mail worms for non-Linux platforms, ClamAV has been getting quite a workout,
and Linux admins on mailing lists report that database update times are keeping
up with or beating the proprietary alternatives." Thanks!
SourceWear.com is selling some very nice t-shirts and polo shirts powered by
ClamAV. Wear them and virus writers will stay away from you :-) A quarter out
of every dollar profited from the sale of these shirts will go to the ClamAV
project. Visit http://www.sourcewear.com and click on ClamAV logo!
--
The ClamAV team (http://www.clamav.net/team)
0.75
----
This release fixes detection of e-mails generated by Worm.Mydoom.I.
Important notice for people using ClamAV 0.60:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Our logs show that there is still a small percentage of ClamAV 0.60
installations updating their database. ClamAV 0.60 was released on
July 29th, 2003 and it was the last release to use the old database
format. Starting from version 0.65, released on November 12nd, ClamAV
uses a new database format, which is compressed and digitally signed.
We have been distributing the database in both formats till now, but
we plan to drop support for ClamAV 0.60 on September 1st.
We encourage _all_ users to upgrade to the latest release available.
People running an old version of ClamAV are missing many viruses and
may experience stability problems.
On non-production systems you can try the latest development version.
The new engine not only speeds up the scanning process but also limits
memory usage by about 8 MB ! It's able to scan new formats, including
CAB, CHM, UPX, HTML (normalisation), PowerPoint macros and can detect
annoying e-mails with empty attachments generated by new Bagle variants.
--
The ClamAV team (http://www.clamav.net/team)
0.74
----
Bugfixes in this version include crashes with multipart/mixed messages
and corrupted OLE2 and Zip files. Improvements include various optimisations
of mail scanning and clamav-milter and clamdscan behaviour.
New members of our "3rd party software" list:
+ MyClamMailFilter an e-mail filter for procmail (written in C)
+ clamaktion scan files from the right-click Konqueror menu
+ QMVC Qmail Mail and Virus Control
+ pyclamav Python binding for ClamAV
+ FETCAV Front End To Clam AntiVirus based on Xdialog
+ Famuko an on-access scanner working in a userspace
+ SoftlabsAV a generic anti-virus filter for procmail
Japanese users can take an advantage of the new ClamAV related site:
http://clamav-jp.sourceforge.jp/
and join the clamav-jp-users mailing list.
--
The ClamAV team (http://www.clamav.net/team)
0.73
----
This version fixes memory management problems in the OLE2 decoder and
improves mail scanning. Because of the rapid ClamAV development the team
encourages users to help in testing new features:
http://www.clamav.net/snapshot
Thank you for using ClamAV !
--
The ClamAV team (http://www.clamav.net/team)
0.72
----
Major bugfixes in this release include crashes with corrupted BinHex messages
and some Excel documents. Protection against archive bombs (not fully
functional since 0.70) was improved and a number of other improvements were
made.
--
The ClamAV team (http://www.clamav.net/team)
0.71
----
This release fixes all bugs found in 0.70 and introduces a few new features -
the noteworthy changes include:
-) libclamav:
+ support nested OLE2 files
+ support Word6 macro code
+ ignore popular file types (media, graphics)
+ support compress.exe (SZDD) compression (test/test.msc)
+ improve virus detection in e-mails
-) clamscan:
+ automatically decide (by comparing daily.cvd version numbers) which
database directory (hardcoded or clamav.conf's one) to use
+ support compression ratio feature (--max-ratio)
+ allow regular expressions in --[in|ex]clude
+ do not overwrite old files in a quarantine directory but add a numerical
extension to new files
+ respect --tempdir in libclamav
+ fix access problem when calling external unpackers in a superuser mode
+ fix file permission corruption with --deb in a superuser mode
-) clamd
+ support log facility specification in syslog's style (LogFacility)
+ new directive LeaveTemporaryFiles (Debug no longer leaves temporary
files not removed)
-) clamav-milter:
+ include the virus name in the 550 rejection
+ support user defined template for virus notifications (--template-file)
+ sort quarantine messages by date
+ improve thread management
+ add X-Virus-Scanned and X-Infected-Received-From: headers
+ improve load balancing (when using remote servers with --server)
+ send 554 after DATA received, not 550
+ save PID (--pidfile)
-) documentation:
+ German clamdoc.pdf translation (Rupert Roesler-Schmidt and Karina
Schwarz, uplink coherent solutions, http://www.uplink.at)
+ new Japanese documentation (Masaki Ogawa)
--
The ClamAV team (http://www.clamav.net/team)
0.70
----
The two major changes in this version are new thread manager in clamd
and support for decoding MS Office VBA macros. Both of them have been
implemented by Trog. Besides, there are many improvements and bugfixes
(all listed in ChangeLog), a short summary:
-) clamd
+ new thread manager (with better SMP support)
+ on-access scanning now also available on FreeBSD (with Dazuko 2.0)
+ new directive ArchiveBlockEncrypted
+ new directive ReadTimeout (replaces ThreadTimeout)
+ handle SIGHUP (re-open logfile) and SIGUSR2 (reload database)
+ respect TCPAddr in stream scanner
-) clamav-milter:
+ TCPWrappers support
-) libclamav:
+ support MS Office documents (OLE2) and VBA macro decoding
+ support encrypted archive detection
+ new flags: CL_OLE2, CL_ENCRYPTED (see clamdoc.pdf, Section 6.1)
+ improve virus detection in big files
+ improve support for multipart, bounce and embedded RFC822 messages
+ improve RAR support
+ include backup snprintf implementation
-) clamscan:
+ new option: --block-encrypted
-) freshclam
+ new option: --pid, -p (write pid file if run as daemon)
+ handle SIGHUP (re-open logfile), SIGTERM (terminate with log message),
SIGALRM and SIGUSR1 (wake up and check mirror)
+ fix bug with -u and -c handling
-) contrib
+ windows clamd client now available with source code
-) documentation:
+ new Polish documentation on ClamAV and Samba integration
+ official documentation updated
Special thanks to Dirk Mueller <mueller*kde.org> for his code review,
many bugfixes and cleanups.
Thanks to the help of many companies (clamdoc.pdf: Section 2.10,
http://www.clamav.net/mirrors.html) we have 49 very fast and reliable
virus database mirrors in 22 regions and the number is still growing.
As of March 2004 we attempt to redirect our users to the closest pool
of mirrors by looking at their ip source address when they try to resolve
database.clamav.net. Our DNS servers can answer with a CNAME to:
db.europe.clamav.net, db.america.clamav.net, db.asia.clamav.net or
db.other.clamav.net. Our advanced push-mirroring mechanism (maintained by
Luca Gibelli) allows database maintainers to update all the mirrors in less
than one minute !
There will be no major feature enhancements in the 0.7x series. Our work
will be concentrated on a new scanning engine and preliminary heuristics -
please help us and test CVS snapshots from time to time.
We are happy to announce new programs with support for ClamAV (all of them
have been reviewed by our team - more info in the documentation and
on our website: http://www.clamav.net/download/third-party-tools):
+ ClamWin - a GUI for Windows (!)
+ KlamAV - a collection of GUI tools for using ClamAV on KDE
+ clamscan-procfilter - a Perl procmail filter
+ j-chkmail - a powerful filter for sendmail
+ qscanq - Virus Scanning for Qmail
+ clamavr - a Ruby binding for ClamAV
+ DansGuardian Anti-Virus Plugin
+ Viralator - a Perl script that virus scans http downloads
+ ClamAssassin - a filter for procmail
+ Gadoyanvirus - a filter for Qmail
+ OpenProtect - a complete e-mail protection solution
+ RevolSys SMTP kit for Postfix - an antispam/antivirus tools installation
+ POP3 Virus Scanner Daemon
+ mailman-clamav - a virus filter for Mailman
+ wbmclamav - a webmin module to manage ClamAV
+ Scan Log Analyzer
+ mailgraph - a RRDtool frontend for Postfix Statistics
+ INSERT - a security toolkit on a credit card size CD
+ Local Area Security - a Live CD Linux distribution
--
The ClamAV team (http://www.clamav.net/team)
April 17, 2004
0.68-1
------
Fixed RAR support.
0.68
----
This version fixes a crash with some RAR archives generated by the Bagle worm,
also a few important fixes have been backported from CVS.
We strongly encourage users to install the 0.70-rc version (released today).
0.67
----
This release fixes a memory management problem (platform dependent; can lead
to a DoS attack) with messages that only have attachments (reported by Oliver
Brandmueller). It also contains patches for a few problems found in 0.66 and
has better Cygwin support.
0.66
----
This version is a response to the "clamav 0.65 remote DOS exploit" information
published on popular security-related mailing lists. Unfortunately we had
not been contacted by the author before he published that and had to release
this (unplanned) package very quickly (it should be mentioned that CVS version
was not vulnerable to the exploit). Untested code has been disabled also
the Dazuko support is temporarily not available (if you really need it please
use a CVS version or wait for a next stable release). Other noteworthy changes:
-) clamd:
+ fixed database timestamp handling (and a double reload problem reported
by Alex Pleiner and Ole Stanstrup)
+ new directive: ArchiveMaxCompressionRatio
+ new command: SESSION (starts a clamd session and allows to do multiple
commands per TCP session)
+ new directives: TemporaryDirectory, LogClean (Andrey V. Malyshev)
-) clamav-milter: (Nigel Horne)
+ added support for AllowSupplementaryGroups and ThreadTimeout
+ added --quarantine-dir (thanks to Michael Dankov)
+ added --noreject (thanks to Vijay Sarvepalli)
+ added --headers (thanks Leonid Zeitlin)
+ added --sign option
-) libclamav:
+ detect Worm.SCO.A bounces (Nigel)
+ prevent buffer overflow in broken uuencoded files (Nigel)
+ scan multipart alternatives that have no boundaries (Nigel)
+ better handling of encapsulated messages (Nigel)
+ locate uuencoded viruses hidden in text portions of multipart/mixed
mime messages (Nigel)
+ initial support for BinHex (Nigel)
+ fixed a mail recursion loop (problem reported by Alex Kah and Kristof
Petr)
+ fixed bzip2 memory limit (improper call suggested by the buggy libbz2
documentation, problem reported by Tomasz Klim)
+ fixed on error descriptor leak in CVD unpacker (Thomas Lamy)
+ fixed memory leak in digital signature verification code (Thomas Lamy)
+ added maximal compression ratio limit (cl_limits->maxratio)
-) clamscan:
+ support for multiple arguments on command line (Thomas Lamy)
+ fixed buffer overflow in --move (Denis De Messemacker)
+ removed support for sendfile() under Linux
-) freshclam:
+ support for freshclam.conf (that may be optionally merged with
clamav.conf, command line options overwrite config settings)
+ work-around for potential database downgrade (subtle problem
in r-r dns handling) - reported by Daniel Mario Vega and patched
by Luca Gibelli
-) sigtool:
+ list virus names with --list-sigs (-l)
-) contrib:
+ clamdwatch (by Mike Cathey)
+ windows clamd client with drag&drop support (Nigel Horne)
-) documentation:
+ complete clamdoc.pdf French translation by Stephane Jeannenot
+ Polish how-to on ClamAV and Sendmail integration (with clamav-milter)
by Przemyslaw Holowczyc
News:
ClamAV was the first anti-virus protecting against Worm.SCO.A (aka MyDoom.A) !
The signature was published by Diego d'Ambra in the daily update 105,
26-Jan-2004 20:23 GMT and we were at least two hours faster than "big" AV
vendors:
http://sourceforge.net/mailarchive/forum.php?thread_id=3764826&forum_id=34654
http://www.pcwelt.de/news/viren_bugs/37278/4.html
clamav-devel is finally able to decode OLE2 (Microsoft Office) files and
decompress VBA streams ! The code is developed by Trog, official ClamAV
developer. Also we're testing new clamd implementation that will solve
several important problems (especially that "Time out" related). Please
help us and test the latest CVS version.
The virus database now contains more than 20.000 signatures ! On January 8,
Denis De Messemacker (who joined our team 3 months ago) added signatures for
about 7700 new viruses. Also special thanks go to Tomasz Papszun for his
hard work on daily submissions and forcing us to keep ClamAV quality on
the highest possible level.
New mirroring mechanisms. Luca Gibelli (ClamAV) and mirror administrators
(22 sites, http://www.clamav.net/mirrors.html, please see clamdoc.pdf for
a complete mirror information) are converting mirrors to new "push mirroring"
method. It uses advanced techniques to ensure all the mirrors are up to date.
More info: http://www.clamav.net/docs/mirrors
"Newsworthy Hack of Kindness" - Affero.net is featuring ClamAV in its latest
newsletter (Volume #9, January 2004: http://www.affero.net/nl/dec03.html).
Affero is a great rate-donate system and its mission is to bring a culture
of patronage to the Internet. Currently we only accept donations via Affero.
You can also help us and promote our project by adding the ClamAV logo to
your home page. Look at http://www.clamav.net/donate for more information.
We would like to thank our donors:
* Jeremy Garcia (http://www.linuxquestions.org)
* Andries Filmer (http://www.netexpo.nl)
* David Eriksson (http://www.2good.nu)
* Dynamic Network Services, Inc (http://www.dyndns.org)
* epublica
* Invisik Corporation (http://www.invisik.com)
* Keith (http://www.textpad.com)
* Explido Software USA Inc. (http://www.explido.us)
* cheahch from Singapore
* Electric Embers
* Stephane Rault
* Brad Koehn
* David Farrick
* ActiveIntra.net Inc. (http://www.activeintra.net)
* An anonymous donor from Colorado, US
--
Tomasz Kojm <tkojm*clamav.net>
February 10, 2004
0.65
----
IMPORTANT NOTE: The project has been moved into SourceForge. The only official
ClamAV's homepage is www.clamav.net (however clamav.elektrapro.
com still works). We would like to thank ElektraPro.com for
their support for the open-source community - THANKS !
ClamAV 0.65 introduces a new database container file format (called CVD) with
support for digital signatures and compression. Please remove the old
databases from your database directory before the installation. And the most
important thing: clamd stability has been greatly improved (especially under
FreeBSD) ! Also we have a new mirror infrastructure - you will find all the
details in clamdoc.pdf. If you want to become an official ClamAV mirror
(with entry in database.clamav.net) please read the clamav-mirror-howto.pdf
document and contact our administrator - Luca Gibelli <nervous*clamav.net>.
Noteworthy changes in this version:
-) clamd:
+ fixed a race condition in database reloading code (random crashes
under high load)
+ fixed a race condition with the improperly initialized session start time
(thanks to Michael Dankov)
+ fixed PidFile permissions (Magnus Ekdahl, bug reported by Tomasz Papszun)
+ fixed LogFile permissions (Magnus Ekdahl)
+ new directive ScanRAR (bacause RAR support is now disabled by default)
+ new directive VirusEvent
+ new directive FixStaleSocket (Thomas Lamy and Mark Mielke)
+ new directive TCPAddr (Bernard Quatermass, fixed by Damien Curtain)
+ new directive Debug
-) clamav-milter: (Nigel Horne <njh*clamav.net>)
+ new --force-scan flag
+ new -P and -q flags by Nicholas M. Kirsch
WARNING: clamav-milter and our mail scanner are still in high development
and may be unstable. You should always use the CVS version.
-) libclamav:
+ support for a new database container format (CVD) - compressed and
digitally signed
+ better protection against malformed zip archives (such as Mimail)
+ mail decoder fixes (thanks to Rene Bellora, Bernd Kuhls, Thomas Lamy,
Tomasz Papszun) (Nigel Horne)
+ memory leak fixes (Thomas Lamy)
+ new scan option CL_DISABLERAR (disables built-in RAR unpacker)
-) freshclam:
+ fixed --on-error-execute behaviour (David Woakes)
+ new option --user (-u) USER - run as USER instead of the default user.
Patch by Damien Curtain.
+ rewritten to use database.clamav.net and CVD
-) documentation:
+ new Spanish documentation on ClamAV and Sendmail integration by
Erick Ivaan Lopez Carreon
+ included clamdoc.pdf Turkish translation by yavuz kaya and �brahim erken
+ included clamav-mirror-howto.pdf by Luca Gibelli
+ included clamd+daemontools HOWTO by Jesse D. Guardiani
+ included signatures.pdf
+ man pages: updated
+ clamdoc.pdf: rewritten
New members of our list of ClamAV certified software (see clamdoc.pdf for
details):
+ cgpav
+ smtp-vilter
+ IVS Milter
+ scanexi
+ Mail::ClamAV
+ OpenAntiVirus samba-vscan
+ Sylpheed Claws
+ nclamd
Thanks to Mia Kalenius and Sergei Pronin we have a new official logo !
Thank you for using ClamAV !
--
Tomasz Kojm <tkojm*clamav.net>
November 12, 2003
0.60
----
Hello again...
This is a new, (very?) stable release of Clam AntiVirus. 0.60 was developed
and stabilized for over seven months and many people had contributed to the
final release. This version introduces many enhancements and a new program:
clamav-milter written by ClamAV developer Nigel Horne. This is a mail scanner
for Sendmail/milter written entirely in C, which uses clamd for virus scanning.
Clamav-milter and clamd duet is a powerful solution for systems where high
performance is required. Please check clamdoc for more detail.
Many people get confused with ClamAV database status because of
the OpenAntiVirus update information at:
http://openantivirus.org/latest.php
(last update at 17 October, 2002). The ClamAV virus database contains
the OAV database (with some signatures fixed or removed) but we
develop it independently of the OAV project. Our database is updated
frequently (on average 4-5 times a week). You can help (or join) us -
will find some basic but useful instructions at
http://clamav.elektrapro.com/doc/signatures.pdf
News from ClamAV world:
-) New email address for virus submitting: virus@clamav.elektrapro.com
You don't need to encrypt a virus sample, but if your system doesn't allow
you to send infected files just put it into an encrypted zip archive
(password: virus)
Special thanks to Nicholas Chua, Diego D'Ambra, Hrvoje Habjanic, Nigel Kukard
and Chris van Meerendonk for a big number of samples submitted.
-) New mailing list: virusdb@clamav.elektrapro.com
After each update an email with subject "[clamav-virusdb] Update" and a list
of viruses added is sent to it. You can set up a procmail rule for freshclam
to react on such a mails (and update the database just after an update).
-) New official mirrors:
+ clamav.ozforces.com: database mirror updated manually (thanks to
Andrew <andrew@ozforces.com>)
+ clamav.essentkabel.com: full (automatic) mirror of clamav.elektrapro.com
(thanks to Chris van Meerendonk <cvm@castel.nl>)
+ clamav.linux-sxs.org: database mirror - rsync from clamav.ozforces.com
(thanks to Douglas J Hunley <doug@hunley.homeip.net>)
Freshclam will automatically use them when the main server is not
accessible.
-) Official port in FreeBSD available ! (maintained by Masahiro Teramoto
<markun@onohara.to>)
-) Unofficial port for OpenBSD is available at:
http://www.activeintra.net/openbsd/article.php?id=5
(maintained by Flinn Mueller <flinn@activeintra.net>)
-) there are many new programs that use ClamAV, eg. mod_clamav (Apache
virus scanning filter), clamdmail or Sagator. You will find more
info in clamdoc.
Changes:
-) libclamav:
+ fixed buffer overflow in unrarlib (patch by Robbert Kouprie
<robbert@exx.nl>)
+ various mbox code updates (fixed memory leak; added support for decoding
viruses sent in message bodies, detection of viruses that put their
payloads after the end of message marker (thanks to Stephen White
<stephen@earth.li> for the bug report and useful CGI tools);
+ zziplib updated to 0.10.81 (some problems with older version were reported
by Martin Schitter)
+ direct scanning of mbox/maildir files (new directive CL_MAIL)
+ file scanner optimization (patch by Hendrik Muhs
<Hendrik.Muhs@student.uni-magdeburg.de>)
+ bzip2 support
+ faster detection of malformed Zip archives (eg. 'Zip of Death'), they are
reported as a viruses
+ fixed strcasecmp() compile problem in zziplib on Free/NetBSD and others
-) clamd:
+ fixed descriptor leak in directory scanner - it was causing random
clamd crashes and locks, especially on highly loaded servers. Reported
by Kristof Petr <Kristof.P@fce.vutbr.cz>.
+ fixed crash with archive scanning on BSD (increased thread stack size)
(Nigel Horne)
+ fixed CONTSCAN command (used by clamdscan) - it had archive support
disabled (hardcoded)
+ fixed SelfCheck option (there was a logic bug, and the option was
disabled) it now checks a databases time stamps and reloads them
if needed.
+ fixed possible writing to undefined descriptors (bug found by
Brian May <bam@debian.org>)
+ new STREAM command (scanning data on socket) and directives:
StreamSaveToDisk (save stream to disk to allow scanning within archives),
StreamMaxLength. This option allows scanning data on socket (might be
sent from another host), currently only clamav-milter uses this.
+ new ScanMail directive for scanning into mbox/Maildir files
+ new directive: ArchiveLimitMemoryUsage (limit memory usage with bzip2)
+ new directive: AllowSupplementaryGroups (feature requested by Exiscan
users)
+ syslog support (LogSyslog) (patch by Hrvoje Habjanic
<hrvoje.habjanic@zg.hinet.hr>)
+ fixed parser segfault with extra space between option and argument
in config file (Magnus Ekdahl <magnus@debian.org>)
-) clamscan:
+ fixed --remove option (didn't work when the file was scanned with an
internal unpacker) (patch by Damien Curtain <damien@pagefault.org>)
+ --move option for moving infected files into a specified directory
(by Damien Curtain <damien@pagefault.org>)
+ --mbox enables a direct support for mbox files
(ex. clamscan --mbox /var/spool/mail)
+ fixed --log (-l) option
+ fixed -i option (patch by Magnus Ekdahl <magnus@debian.org>)
+ enabled default archive limits (max-files = 500, max-size = 10M,
max-recursion = 5)
+ use arj instead of non-free unarj (patch by Magnus Ekdahl)
+ use unzoo instead of non-free zoo (patch by Magnus Ekdahl)
+ removed thread support
freshclam:
+ mirror support (implemented by Damien Curtain <damien@pagefault.org>)
+ --proxy-user: proxy authorization support (implemented by Gernot Tenchio
<g.tenchio@telco-tech.de>)
+ new options --on-error-execute, --on-update-execute
(ex. freshclam -d -c 6 --on-error-execute "sendsms 23332243 Can't
update virus database"). Idea by Douglas J Hunley <doug@hunley.homeip.net>
configure:
+ --disable-cr (don't link with C reentrant library (needed on some newer
versions of OpenBSD))
-) Enhanced AIX (thanks to Mike Loewen <mloewen@sturgeon.cac.psu.edu>) and
Tru64 support (thanks to Christophe Varoqui <ext.devoteam.varoqui@sncf.fr>)
-) documentation:
+ included how-to in Portugese by Alexandre de Jesus Marcolino
+ clamdoc.pdf and system manual updates
Many thanks to Luca 'NERvOus' Gibelli from ElektraPro for his support,
to Ken McKittrick from USA DataNet for a fully accessible FreeBSD box and
to mailing list subscribers for a constructive discussions.
--
Tomasz Kojm
June 21, 2003
0.54
----
Many major changes this time...
-) libclamav:
+ fixed segfault with some strange zip archives (there is a bug in zziplib,
libclamav contains a work around for it) (the problem was reported by
Oliver Paukstadt <pstadt@stud.fh-heilbronn.de>)
+ engine improvements (better support for a detection of new viruses,
limited memory usage (consumes ~ 5 Mb now))
+ mbox code updated and moved into the library: fixed core dump when an
embedded message includes a mime header with the line Content-Type:
without specifying the type of content, fixed (theoretical) memory leak,
support for multipart/report messages, fixed bug causing some formats to
fail to scan) (Nigel)
-) clamd:
+ new commands: CONTSCAN (it doesn't stop scanning even when virus is
found), VERSION
+ disable logging of a unnecessary time stamps with LogTime when
LogVerbose isn't used (patch by Ed Phillips <ed@UDel.Edu>)
-) freshclam:
+ "Cache-Control: no-cache" enabled by default
+ Cygwin support fix
-) clamdscan:
+ initial version
-) all tools:
+ removed huge printf() in help() (there was a buffer overflow problem with
--help option under Windows and SCO Unix (reported by Wojciech Noworyta
<wnow@konarski.edu.pl> and Nigel respectively)
-) configure:
+ allow configuration of the clamav user and group with --with-user and
--with-group (patch by Patrick Bihan-Faou <patrick@mindstep.com>)
+ --enable-id-check - it uses the check procedure from Jason Englander
<jason@englanders.cc>, currently it will fail on systems with getent
which doesn't detect clamav group.
+ do not overwrite the existing config file
There are initial packages for Windows available at:
http://clamav.elektrapro.com/binary
--tk
0.53
----
This release has removed the limit for a file name length in clamscan. Some
viruses (eg. W32/Yaha.E) are using very long file names, and they were
ignored in mbox mode. Users of AMaViS-ng and other wrappers were not
vulnerable to this problem, because that programs don't use original
attachement file names.
-) clamscan:
+ removed limit for a file name length (thanks to Odhiambo Washington
<wash@wananchi.com> for the test files and extensive mbox testing)
+ mbox: adapted to the new changes, enabled thread support (Nigel),
re-enabled temporary directory removing.
0.52
----
This version contains a portability fixes - it should compile on OpenBSD,
MacOSX and NetBSD (support for them was broken in 0.51).
-) clamd: various fixes:
+ drop supplementary groups (suggested by Enrico Scholz
<enrico.scholz@informatik.tu-chemnitz.de>) (this has been implemented
in freshclam, too)
+ work-around for the segmentation fault at QUIT under FreeBSD
+ check timeouts when waiting for threads in RELOAD mode
+ SelfCheck - internal integrity check (by default every 1 hour)
+ fixed problem with directory scanning on non typical file systems
(bug reported by Jason Englander <jason@englanders.cc>)
+ clamd is a system command (clamd.1 -> clamd.8, /usr/local/bin ->
/usr/local/sbin) (Magnus Ekdahl)
-) clamscan:
+ mbox code updates (Nigel Horne) - it fixes some problems on *BSD
systems (see mailing lists archives for the details)
+ enable core dumping (Nigel Horne) [ with --enable-debug ]
-) freshclam:
+ applied http-proxy patch from http://bugs.debian.org/clamav (by
Martin Lesser <admin-debian@bettercom.de>)
+ when configured with --disable-cache, freshclam forces 'no-cache'
option in proxy servers (patch by Ant La Porte <ant@dvere.net>)
-) HPUX (10.20/11.0 tested) support (thanks to Joe Oaks <joe.oaks@hp.com>)
-) fixed support for SCO Unix and BeOS (Nigel Horne)
-) support/mboxscan: new version with SpamAssassin support (Nigel Horne)
-) re-included TrashScan 0.08 (by Trashware <trashware@gmx.de>) - the security
issue has been fixed.
-) included "Installing qmail-scanner, Clam Antivirus and SpamAssassin under
FreeBSD" how-to by Paul Hoadley and Eric Parsonage
0.51
----
OAV database is up to date ! There was a problem with signature parsing,
because some hex strings were upper case. Anyway, I still recommend you
freshclam for a database updating.
-) support for the genuine OAV database
-) limited memory usage (at the cost of speed, increase CL_MIN_LENGTH in
libclamav/clamav.h to make it faster, it's safe to set it on 3-4 for
the OAV database)
-) fixed compile problem on TurboLinux 6.5 (probably others, too), the bug
was reported by Henk Kuipers <henk@opensourcesolutions.nl>.
-) clamd: fixed THREXIT (thanks to Piotr Gackiewicz <gacek@intertele.pl>)
-) clamd: fixed serious bug with thread argument type
-) clamscan: mbox: don't scan empty attachments (Nigel Horne)
-) configure: --with-db1, --with-db2 (suggested by Magnus Ekdahl)
0.50
----
Here it is...
Clam AntiVirus 0.50 contains an anti-virus library - libclamav, a fully
multi-threaded daemon clamd(1) and a quite long list of changes. The
documentation was rewritten and you _should_ review it. By courtesy of
NERvOus <nervous@nervous.it> and ElektraPro, there are three mailing lists
available - you can subscribe via www at http://clamav.elektrapro.com/ml.
Please check the manual for more information.
New software:
-) libclamav with RAR, Zip and Gzip support built-in. The library is thread
safe and should be very secure, also. It uses UniquE RAR File
Library by Christian Scheurer and Johannes Winkelmann (RAR 2.0 support only)
and zziplib library by Guido Draheim and Tomi Ollila. Both of them are
included and slightly modified in the clamav sources. You need the zlib
library for the Zip/Gzip support, though. The API is described with
examples in the clamdoc.
-) clamd: a modern anti-virus daemon. It uses configuration file clamav.conf
described in the clamav.conf(5) manual. The program was written with
security as a goal.
-) clamuko: on-access scanning under Linux. It utilizes Dazuko kernel module
(GPL, http://dazuko.org) and is clamd-based.
New features / improvements:
-) enhanced scanner engine (better detection of some complex polymorphic
viruses)
-) clamscan: Nigel Horne <njh@bandsman.co.uk> has added the ability to scan
mail attachments in a filter. For example:
$ clamscan -i --mbox - < /var/spool/mail/john
/tmp/aa6b9fc06bc477ae/setup.exe: Worm/Klez.H FOUND
Nigel is the author of the whole mbox code in clamscan. Currently it only
works in a filter mode, but there are plans to move the code into the
libclamav and allow clamd using it. Please check support/mboxscan, also.
-) clamscan: support for including and excluding multiple patterns with
--include and --exclude (patch by Alejandro Dubrovsky
<s328940@student.uq.edu.au>).
Example: clamscan --include .exe --include .obj --include .scr /mnt/windows
-) clamscan: don't scan /proc files (Linux, st_dev comparing). No more
/proc/kcore related mails :))
-) clamscan: use libclamav's archive support by default (it's enabled by default
and may be disabled with --disable-archive) and switch to the external
unpackers (if specified) in the case of libclamav archive code error.
-) freshclam: proxy support (via $http_proxy variable and --http-proxy).
I started implementing proxy support some time ago, but never finished.
Nigel Horne did the great job and has finished the proxy support !
-) freshclam: --daemon-notify. freshclam will send the RELOAD command to the
daemon after database update (supports both tcp and local sockets, it reads
clamav.conf to determine the socket type).
-) freshclam: support for viruses.db2
Bug fixes:
-) freshclam: log 'Database updated' message (thanks to Jeffrey Moskot
<jef@math.miami.edu> for the bug report). It now prints a number
of signatures in a database, also.
-) clamscan: fixed compile problem on Solaris 8 and some other systems -
#include <signal.h> lack in others.c (thanks Mike Loewen
<mloewen@sturgeon.cac.psu.edu> for the bug report)
Documentation:
-) included Japanese documentation by Masaki Ogawa <proc@mac.com>
-) updated Spanish "Sendmail + Amavis + ClamAv - Como" by Erick I. Lopez
Carreon <elopezc@technitrade.com>
-) rewritten clamdoc, included clamdoc-html, removed PostScript version (.ps)
-) Clam-Mutant ;) logo update by Michal Hajduczenia <michalis@mat.uni.torun.pl>
-) new man pages: clamd(1), clamav.conf(5); others updated
!!!
Please don't use the oav-update script with this version. It doesn't
update viruses.db2 and supports OpenAntiVirus.org site only (the last
update of the OAV database was 1 July !). Nicholas Chua <nicholas@ncmbox.net>
has generated over 200 new signatures, ClamAV's database is also frequently
updated (expecially when new wild virus/worm appears, eg. W32/BugBear.A).
This software is still in developement (new software == new bugs), however
clamscan should be very stable. You shouldn't use clamd/clamuko (well, clamd is
stable, clamuko isn't) on production systems, yet. Please wait for 0.51 at
least ;). ClamAV 0.50 was tested on Linux and Solaris and should work fine.
There is a problem with clamd on FreeBSD (tested on my FreeBSD 5.0-CURRENT) -
the daemon crashes with Zip/Gzip files (disabling ScanArchive should help).
Enjoy !
--
Tomasz Kojm
October 5, 2002
0.24
----
-) fixed threads deadlock in a critical error situation (bug found by David
Sanchez <dsanchez@veloxia.com>)
-) fixed sigtool bug (negative seeking)
-) fixed potential clamscan segfault in the case of memory allocation error
-) unpacker execution error is no longer treated as critical - a few programs
(eg. Qmail-Scanner, TrashScan) have clamscan command hardcoded with all
archive options turned on. Now, if unpacker can't be executed, raw file is
scanned and scan process is continued.
-) reverted to pthread.h detection
-) TrashScan 0.07 (Trashware <trashware@gmx.net>)
-) --exclude (regular expressions are not supported !)
[ex: clamscan --exclude="/proc/kcore" /], but please use it with care.
-) included html documentation
IMPORTANT NOTE:
~~~~~~~~~~~~~~~
You will probably have a problem with a default Qmail-Scanner (1.13 or newer)
installation. You need to increase qmail-smtpd softlimit or disable it. You
can force clamscan to use only half of the memory which it uses by default, too.
Please change the following line in the clamscan/matcher.h file:
#define MIN_LENGTH 5
to:
#define MIN_LENGTH 3
and recompile the program. Unhappily, scanning may be a little slower in some
cases, but it shouldn't be significant. Then you can safely set the qmail
softlimit to 8 MB. I want to thank Doug Monroe <doug@planetconnect.com> for
his contribution in the problem analysis.
---
New ClamAV version is in a heavy development. It has currently built-in
support for RAR, Zip, Gzip and tar. The daemon will support only built-in
compression/archive support. Snapshot will be available for a few days.
0.23
----
-) fixed compile problem on FreeBSD (thanks to Wieslaw Glod <wkg@x2.pl> and
Ken McKittrick <klmac@usadatanet.com>)
-) clamscan reads all .db files from data directory, so you can put your
own databases there and they won't be overwrited by the updaters. viruses.db
is still the main database file (if --database isn't used).
-) --deb (debian binary packages scanning) by Magnus Ekdahl <magnus@debian.org>
-) --remove option, but be careful with it !
-) new clam logo ;) (GPL) by Michal Hajduczenia <michalis@mat.uni.torun.pl>.
-) TrashScan 0.06 (by Trashware <trashware@gmx.net>) - a script for scanning
mail with procmail. I recommend it. (support/trashscan)
-) documentation updates
0.30 release will contain a daemon and an anti-virus library (with simple API),
so you can use it directly in your projects. I want to build in zip and rar
support, also.
There are binary packages for AIX available. Please check the documentation.
0.22
----
This release fixes bug with scanning archives in unaccessible directories with
*superuser* priviledges (after dropping priviledges scanner wasn't able to
access the archive, although the same archive was accessible), thanks
for Sergei Pronin <sp@finndesign.fi> for the problem description. Now all
archives unaccessible directly by the clamav user are copied (with a respect to
--max-space) to the temporary directory. All old filesystem tricks were removed.
Other fixes / improvements:
-) better error handling, new error codes
-) improved -i (--infected) option
-) removed --strange-unzip option
-) removed eicar test files and logos from the documentation due to the GPL
(thanks for Magnus Ekdahl <magnus@debian.org>), ClamAV-Test-Signature is
used instead
-) removed Qmail-Scanner patch, ClamAV is supported by Q-S 1.13 (thanks guys!)
-) code cleanups
0.21 Release
------------
It fixes following problems:
-) database downloading in freshclam/0.20
-) malformed amavis-perl patch from 0.20
-) clamscan problems with some unzip versions, please try --strange-unzip
option
ClamAV 0.21 source package contains initial support for NetBSD
(thanks to Marc Baudoin <babafou@babafou.eu.org>, Jean-Edouard BABIN
<Jeb@jeb.com.fr>), better support for Mac OS X (Masaki Ogawa <proc@mac.com>),
and clamdoc documentation corrected by Dennis Leeuw <dleeuw@made-it.com>.
0.20 Release
------------
The most important change in this release is a new, linear pattern matching
algorithm. You will find more informations about it in clamscan/matcher.c -
in the sources and in clamdoc. Summary (since 0.15):
New features:
-) fast pattern matching algorithm
-) sigtool utility, check `man sigtool` and clamdoc
-) Linux: threads autodetection on various architectures
(Magnus Ekdahl <magnus@debian.org>)
-) -i, --infected: clamscan prints only infected files
-) 'Data scanned' in summary, size in megabytes with 16 Kb precision
-) configure: --with-dbdir sets the database location
-) support/sigmake shell script by Dennis Leeuw <leeuw@stone-it.com>
-) Spanish "Sendmail+Amavis+ClamAv installation how-to" by
Erick I. Lopez Carreon <elopezc@technitrade.com>
Updates:
-) "Debian GNU/Linux Mail Server v. 0.2.0" by Dennis Leeuw <leeuw@stone-it.com>
-) qmail-scanner patch from Kazuhiko <kazuhiko@fdiary.net>
-) general documentation cleanups / updates
-) freshclam / Internet database location
Fixes:
-) threads autodetection on not-x86 Linux systems
-) gcc 3.x support (David Ford <david+cert@blue-labs.org>)
-) data type fix on Mac OS X (Peter N Lewis <peter@stairways.com.au>)
-) removed -w, --whole-file, now clamscan scans whole files by default
-w is still supported by internal getopt(), because it is used in
various patches
-) removed --one-virus, still supported by getopt(); removed 'Found viruses'
from summary, clamscan stops file scanning after first virus
-) fixed old problem with scanning stdin
-) removed amavisd-patch - strange problems have been reported
OpenAntiVirus Update is a great tool written by Matthew A. Grant
<grantma@anathoth.gen.nz> and it will be the primary updater for ClamAV
in the near future. In contrast to freshclam it has proxy support and many
specific features. Please check clamdoc for more informations and how to
obtain it.
0.15 Notes
----------
This version contains minor bugfixes only, such as:
-) multiple fixes in freshclam (it has problems, when one of the
hosts wasn't accessible), there were logic flaws in the code
-) fixed problem with password protected archives (unpackers were waiting
for password)
New features:
-) OpenBSD support (thanks to Kamil Andrusz <wizz@mniam.net>)
-) added support for amavisd, qmail-scanner (see ./support)
There were no major bugs and I was very busy, that's why new version is
released just today. In the next 2 months, clamav development will be much
faster. Here are some of my plans:
~ 0.20 : New pattern-matching algorithm
~ 0.30 : clamlib; clamscan and the daemon based on it
There is a new homepage:
http://clamav.elektrapro.com
Thanks to ElektraPro.com for sponsoring this site (it's very fast).
Thanks to NERvOus <nervous@nervous.it>.
If you are interested in current development versions, please check
snapshots link.
Resource usage limits in 0.14
-----------------------------
Two new features: --max-files, --max-space have been implemented. If you have
enabled one of this options, clamscan monitors resource usage (number of
created files and used space) and stops extractor when it has exceeded
the limit. You should use these options to protect your machine against
Denial of Service attacks. In the near future --max-levels (limit for
recursive archives extracting) and --max-time (spent on checking/extracting
files) will be implemented.
FreeBSD: AMaViS compile problems
--------------------------------
Please check FAQ.
!!! Strange signatures in VirusSignatures-2002.04.15.10.51.zip !!!
------------------------------------------------------------------
Last version of signatures was ~90 kb, this version is ~474 kb.
But I don't understand, why some signatures are mega-huge. When I decoded
them, they looked like regular files. In CA they were removed from the
database and I probably add them later, in normal sizes.
Installation :
--------------
Please view documentation in ./docs. There are several formats - pdf, ps
and plain latex, if you want to compile it yourself.
You need GNU make (on Solaris you should have gmake).
It was tested only with gcc 2.9x compilers.
clamav-server
# cat /usr/share/doc/clamav-server-0.98.4/README
To create individual clamd-instance take the following files and modify/copy them in the suggested way: clamd.conf: * set LocalSocket (or better: TCPSocket) and User to suitable values; avoid PidFile unless it is required by system monitoring or something else. Logging through syslog is usually better than an individual Logfile. * place this file into /etc/clamd.d with an unique service-name; e.g. as /etc/clamd.d/<SERVICE>.conf When using TCPSocket, create iptables rules which are limiting the access by source and/or by using '-m owner'. When LogFile feature is wanted, it must be writable for the assigned User. Recommended way to reach this, is to: * make it owned by the User's *group* * assign at least 0620 (u+rw,g+w) permissions A suitable command might be | # touch <logfile> | # chgrp <user> <logfile> | # chmod 0620 <logfile> | # restorecon <logfile> NEVER use 'clamav' as the user since he can modify the database. This is the user who is running the application; e.g. for mimedefang (http://www.roaringpenguin.com/mimedefang), the user might be 'defang'.Theoretically, distinct users could be used, but it must be made sure that the application-user can write into the socket-file, and that the clamd-user can access the files asked by the application to be checked. clamd.logrotate: (only when LogFile feature is used) * set the correct value for the logfile * place it into /etc/logrotate.d clamd@<SERVICE>.service: (systemd instance) * instance of clamd@.service Additionally, when using LocalSocket instead of TCPSocket, the directory for the socket file must be created. For tmpfiles based systems, you might want to create a file /usr/lib/tmpfiles.d/clamd.<SERVICE>.conf with a content of | d /var/run/clamd.<SERVICE> <MODE> <USER> <GROUP> Adjust <MODE> (0710 should suffice for most cases) and <USER> + <GROUP> so that the socket can be accessed by clamd and by the applications using clamd. Make sure that the socket is not world accessible; else, DOS attacks or worse are trivial. [Disclaimer: this file and the script/configfiles are not part of the official clamav package. Please send complaints and comments to mailto:enrico.scholz@informatik.tu-chemnitz.de!]
Konfiguration
clamav-update
Damit ClamAV stets mit den aktuellen Vireninformationen versorgen wird, steht und das Programm freshclam aus dem Paket clamav-update zu Diensten.
In der Standardkonfiguration sorgt freshclam dafür, dass alle 3 Stunden ein Update der Virenpattern-Datenbank vorgenommen wird. Bei Bedarf können wir den Updatezyklus unseren Erfordernissen anpassen und so z.B. alle Stunde überprüfen lassen ob neue Patternfiles vorhanden sind und diese dann auf unseren Rechner herunterzuladen und in die lokale Datenbank einfließen zu lassen.
Als erstes aktivieren wir die mitgelieferte Konfigurationsdatei /etc/freshclam.conf, in dem wir den Eintrag Example deaktivieren.
# vim /etc/freshclam.conf
- /etc/freshclam.conf
## ## Example config file for freshclam ## Please read the freshclam.conf(5) manual before editing this file. ## # Comment or remove the line below. # Django : 2014-11-15 # default: Example #Example ...
Somit beschränkt sich diese Konfigurationsdatei lediglich auf zwei Zeilen.
# egrep -v '(^.*#|^$)' /etc/freshclam.conf
LogSyslog yes DatabaseMirror database.clamav.net
Die komplette Konfigurationsdatei lautet somit.
# vim /etc/freshclam.conf
- /etc/freshclam.conf
## ## Example config file for freshclam ## Please read the freshclam.conf(5) manual before editing this file. ## # Comment or remove the line below. # Django : 2014-11-15 # default: Example #Example # Path to the database directory. # WARNING: It must match clamd.conf's directive! # Default: hardcoded (depends on installation options) #DatabaseDirectory /var/lib/clamav # Path to the log file (make sure it has proper permissions) # Default: disabled #UpdateLogFile /var/log/freshclam.log # Maximum size of the log file. # Value of 0 disables the limit. # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). # in bytes just don't use modifiers. If LogFileMaxSize is enabled, # log rotation (the LogRotate option) will always be enabled. # Default: 1M #LogFileMaxSize 2M # Log time with each message. # Default: no #LogTime yes # Enable verbose logging. # Default: no #LogVerbose yes # Use system logger (can work together with UpdateLogFile). # Default: no LogSyslog yes # Specify the type of syslog messages - please refer to 'man syslog' # for facility names. # Default: LOG_LOCAL6 #LogFacility LOG_MAIL # Enable log rotation. Always enabled when LogFileMaxSize is enabled. # Default: no #LogRotate yes # This option allows you to save the process identifier of the daemon # Default: disabled #PidFile /var/run/freshclam.pid # By default when started freshclam drops privileges and switches to the # "clamav" user. This directive allows you to change the database owner. # Default: clamav (may depend on installation options) #DatabaseOwner clamupdate # Initialize supplementary group access (freshclam must be started by root). # Default: no #AllowSupplementaryGroups yes # Use DNS to verify virus database version. Freshclam uses DNS TXT records # to verify database and software versions. With this directive you can change # the database verification domain. # WARNING: Do not touch it unless you're configuring freshclam to use your # own database verification domain. # Default: current.cvd.clamav.net #DNSDatabaseInfo current.cvd.clamav.net # Uncomment the following line and replace XY with your country # code. See http://www.iana.org/cctld/cctld-whois.htm for the full list. # You can use db.XY.ipv6.clamav.net for IPv6 connections. #DatabaseMirror db.XY.clamav.net # database.clamav.net is a round-robin record which points to our most # reliable mirrors. It's used as a fall back in case db.XY.clamav.net is # not working. DO NOT TOUCH the following line unless you know what you # are doing. DatabaseMirror database.clamav.net # How many attempts to make before giving up. # Default: 3 (per mirror) #MaxAttempts 5 # With this option you can control scripted updates. It's highly recommended # to keep it enabled. # Default: yes #ScriptedUpdates yes # By default freshclam will keep the local databases (.cld) uncompressed to # make their handling faster. With this option you can enable the compression; # the change will take effect with the next database update. # Default: no #CompressLocalDatabase no # With this option you can provide custom sources (http:// or file://) for # database files. This option can be used multiple times. # Default: no custom URLs #DatabaseCustomURL http://myserver.com/mysigs.ndb #DatabaseCustomURL file:///mnt/nfs/local.hdb # This option allows you to easily point freshclam to private mirrors. # If PrivateMirror is set, freshclam does not attempt to use DNS # to determine whether its databases are out-of-date, instead it will # use the If-Modified-Since request or directly check the headers of the # remote database files. For each database, freshclam first attempts # to download the CLD file. If that fails, it tries to download the # CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo # and ScriptedUpdates. It can be used multiple times to provide # fall-back mirrors. # Default: disabled #PrivateMirror mirror1.mynetwork.com #PrivateMirror mirror2.mynetwork.com # Number of database checks per day. # Default: 12 (every two hours) #Checks 24 # Proxy settings # Default: disabled #HTTPProxyServer myproxy.com #HTTPProxyPort 1234 #HTTPProxyUsername myusername #HTTPProxyPassword mypass # If your servers are behind a firewall/proxy which applies User-Agent # filtering you can use this option to force the use of a different # User-Agent header. # Default: clamav/version_number #HTTPUserAgent SomeUserAgentIdString # Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for # multi-homed systems. # Default: Use OS'es default outgoing IP address. #LocalIPAddress aaa.bbb.ccc.ddd # Send the RELOAD command to clamd. # Default: no #NotifyClamd /path/to/clamd.conf # Run command after successful database update. # Default: disabled #OnUpdateExecute command # Run command when database update process fails. # Default: disabled #OnErrorExecute command # Run command when freshclam reports outdated version. # In the command string %v will be replaced by the new version number. # Default: disabled #OnOutdatedExecute command # Don't fork into background. # Default: no #Foreground yes # Enable debug messages in libclamav. # Default: no #Debug yes # Timeout in seconds when connecting to database server. # Default: 30 #ConnectTimeout 60 # Timeout in seconds when reading from database server. # Default: 30 #ReceiveTimeout 60 # With this option enabled, freshclam will attempt to load new # databases into memory to make sure they are properly handled # by libclamav before replacing the old ones. # Default: yes #TestDatabases yes # When enabled freshclam will submit statistics to the ClamAV Project about # the latest virus detections in your environment. The ClamAV maintainers # will then use this data to determine what types of malware are the most # detected in the field and in what geographic area they are. # Freshclam will connect to clamd in order to get recent statistics. # Default: no #SubmitDetectionStats /path/to/clamd.conf # Country of origin of malware/detection statistics (for statistical # purposes only). The statistics collector at ClamAV.net will look up # your IP address to determine the geographical origin of the malware # reported by your installation. If this installation is mainly used to # scan data which comes from a different location, please enable this # option and enter a two-letter code (see http://www.iana.org/domains/root/db/) # of the country of origin. # Default: disabled #DetectionStatsCountry country-code # This option enables support for our "Personal Statistics" service. # When this option is enabled, the information on malware detected by # your clamd installation is made available to you through our website. # To get your HostID, log on http://www.stats.clamav.net and add a new # host to your host list. Once you have the HostID, uncomment this option # and paste the HostID here. As soon as your freshclam starts submitting # information to our stats collecting service, you will be able to view # the statistics of this clamd installation by logging into # http://www.stats.clamav.net with the same credentials you used to # generate the HostID. For more information refer to: # http://www.clamav.net/support/faq/faq-cctts/ # This feature requires SubmitDetectionStats to be enabled. # Default: disabled #DetectionStatsHostID unique-id # This option enables support for Google Safe Browsing. When activated for # the first time, freshclam will download a new database file (safebrowsing.cvd) # which will be automatically loaded by clamd and clamscan during the next # reload, provided that the heuristic phishing detection is turned on. This # database includes information about websites that may be phishing sites or # possible sources of malware. When using this option, it's mandatory to run # freshclam at least every 30 minutes. # Freshclam uses the ClamAV's mirror infrastructure to distribute the # database and its updates but all the contents are provided under Google's # terms of use. See http://www.google.com/transparencyreport/safebrowsing # and https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-safebrowsing.md # for more information. # Default: disabled #SafeBrowsing yes # This option enables downloading of bytecode.cvd, which includes additional # detection mechanisms and improvements to the ClamAV engine. # Default: enabled #Bytecode yes # Download an additional 3rd party signature database distributed through # the ClamAV mirrors. Here you can find a list of available databases: # http://www.clamav.net/download/cvd/3rdparty # This option can be used multiple times. #ExtraDatabase dbname1 #ExtraDatabase dbname2
Der Pattern-Update erfolgt mit Hilfe der Datei clamav-update im Verzeichnis /etc/cron.d.
# vim /etc/cron.d/clamav-update
- /etc/cron.d/clamav-update
## Adjust this line... MAILTO=root ## It is ok to execute it as root; freshclam drops privileges and becomes ## user 'clamupdate' as soon as possible # Django : 2014-11-15 # default: alle 3 Stunden # 0 */3 * * * root /usr/share/clamav/freshclam-sleep 0 */3 * * * root /usr/share/clamav/freshclam-sleep
Damit nun alle drei Stunden der Update auch wirklich stattfinden kann, muss noch der Eintrag am Ende der Datei /etc/sysconfig/freshclam deaktiviert oder gelöscht werden.
# vim /etc/sysconfig/freshclam
- /etc/sysconfig/freshclam
## When changing the periodicity of freshclam runs in the crontab, ## this value must be adjusted also. Its value is the timespan between ## two subsequent freshclam runs in minutes. E.g. for the default ## ## | 0 */3 * * * ... ## ## crontab line, the value is 180 (minutes). # FRESHCLAM_MOD= ## A predefined value for the delay in seconds. By default, the value is ## calculated by the 'hostid' program. This predefined value guarantees ## constant timespans of 3 hours between two subsequent freshclam runs. ## ## This option accepts two special values: ## 'disabled-warn' ... disables the automatic freshclam update and ## gives out a warning ## 'disabled' ... disables the automatic freshclam silently # FRESHCLAM_DELAY= ### !!!!! REMOVE ME !!!!!! ### REMOVE ME: By default, the freshclam update is disabled to avoid ### REMOVE ME: network access without prior activation # # Django : 2014-11-15 # default: FRESHCLAM_DELAY=disabled-warn # REMOVE ME
clamav-server
Für die Konfiguration des ClamAV-Servers sind im RPM-Paket neben der Dokumentation auch Beispiele zur Konfiguration enthalten, die wir heranziehen werden.
Als erstes kopieren wir die Datei /usr/share/doc/clamav-server-0.98.4/clamd.sysconfig in das Verzeichnis /etc/sysconfig.
# cp /usr/share/doc/clamav-server*/clamd.sysconfig /etc/sysconfig/clamd.amavisd
Die Konfigurationsdatei passen wir nun an unsere Installation an, in dem wir für unser AMaViS-Frontend die Variablen <SERVICE> mit dem Wert amavisd
befüllen und die beiden Konfigurationszeilen aktivieren.
# vim /etc/sysconfig/clamd.amavisd
- /etc/sysconfig/clamd.amavisd
# Django : 2014-11-15 # default: #CLAMD_CONFIGFILE=/etc/clamd.d/<SERVICE>.conf # #CLAMD_SOCKET=/var/run/clamd.<SERVICE>/clamd.sock CLAMD_CONFIGFILE=/etc/clamd.d/amavisd.conf CLAMD_SOCKET=/var/run/clamd.amavisd/clamd.sock #CLAMD_OPTIONS=
Die verweiste Konfigurationsdatei /etc/clamd.d/amavisd.conf können wir ohne Änderungen übernehmen, da dort alle Werte passen.
# less /etc/clamd.d/amavisd.conf
# Use system logger. LogSyslog yes # Specify the type of syslog messages - please refer to 'man syslog' # for facility names. LogFacility LOG_MAIL # This option allows you to save a process identifier of the listening # daemon (main thread). PidFile /var/run/clamd.amavisd/clamd.pid # Remove stale socket after unclean shutdown. # Default: disabled FixStaleSocket yes # Run as a selected user (clamd must be started by root). User amavis # Path to a local socket file the daemon will listen on. LocalSocket /var/run/clamd.amavisd/clamd.sock
Bei systemd-tmpfiles werden für temporäre Dateien und Verzeichnisse unter anderem im Verzeichnis /var/run/ angelegt. Damit für unseren Service der UNix-Dateisocket im richtigen Verzeichnis mit den zugehörigen Berechtigungen gesetzt werden kann, benötigen wir im Verzeichnis /etc/tmpfiles.d/ eine zugehörige Konfigurationsdatei. Diese legen wir nun an.
# vim /etc/tmpfiles.d/clamd.amavisd.conf
# Django : 2014-11-15 Socketverzeichnis im tmpfile based System anlegen d /var/run/clamd.amavisd 0710 amavis amavis -
Bevor wir unseren ClamAV-Daemon starten können müssen wir noch kurz die zugehörige systemd-Konfigurationsdatei /usr/lib/systemd/system/clamd@.service anpassen.
ACHTUNG
Keinenfalls die Datei direkt im Verzeichnis /usr/lib/systemd/system/ bearbeiten! Bei einem Update des zugehörigen Paketes wpürden die Änderungen wieder überschrieben!
Wir kopieren also das systemc-startscript nach /etc/systemd/system/ und bearbeiten dort eine lokale Kopie vom Original. Dadurch sind wir dann auch update-fest!
# cp /usr/lib/systemd/system/clamd@.service /etc/systemd/system/
# vim /etc/systemd/system/clamd@.service
- /etc/systemd/system/clamd@.service
[Unit] Description = clamd scanner (%i) daemon After = syslog.target nss-lookup.target network.target [Service] Type = simple ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --nofork=yes Restart = on-failure PrivateTmp = true # Django : 2014-11-15 [Install] WantedBy=multi-user.target
Anschließend führen wir einen Reload des systemctl-Daemon aus.
# systemctl daemon-reload
amavisd
Die ClamAV spezifischen Konfigurationsoptionen befinden sich in mehreren Sectionen. So finden sich die Angaben zu den Packprogrammen in der Section PFADANGABEN DER LOKALEN INSTALLATION
... # Utilities mit denen amavis Archive auspackt @decoders = ( ['mail', \&do_mime_decode], ['F', \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ], ['Z', \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ], ['gz', \&do_uncompress, 'gzip -d'], ['gz', \&do_gunzip], ['bz2', \&do_uncompress, 'bzip2 -d'], ['xz', \&do_uncompress, ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ], ['lzma', \&do_uncompress, ['lzmadec', 'xz -dc --format=lzma', 'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ], ['lrz', \&do_uncompress, ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ], ['lzo', \&do_uncompress, 'lzop -d'], ['rpm', \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ], [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ], ['deb', \&do_ar, 'ar'], ['rar', \&do_unrar, ['unrar', 'rar'] ], ['arj', \&do_unarj, ['unarj', 'arj'] ], ['arc', \&do_arc, ['nomarch', 'arc'] ], ['zoo', \&do_zoo, ['zoo', 'unzoo'] ], ['cab', \&do_cabextract, 'cabextract'], ['tnef', \&do_tnef], [['zip','kmz'], \&do_7zip, ['7za', '7z'] ], [['zip','kmz'], \&do_unzip], ['7z', \&do_7zip, ['7zr', '7za', '7z'] ], [[qw(7z zip gz bz2 Z tar)], \&do_7zip, ['7za', '7z'] ], [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], \&do_7zip, '7z' ], ['exe', \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ], ); # eMails wird komplett dem Virenscanner zugestellt. Dem Inhalt von Archiven # wird grundsätzlich nicht vertraut. @keep_decoded_original_maps = (new_RE( qr'^MAIL$', qr'^MAIL-UNDECIPHERABLE$', qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)', )); ...
In der Section VIRUS POLICY finden sich die Definitionen zum Virenscanner ClamAV.
################################################################################ ## VIRUS POLICY # # Check aktivieren? # @bypass_virus_checks_maps = (1); # In Quarantäne? $virus_quarantine_to = undef; # Admin benachrichtigen? $virus_admin = undef; # Empfänger benachrichtigen? $warnvirusrecip = 1; # Recipient-Adresse bei Release erweitern? @addr_extension_virus_maps = ('virus'); # eMail bei Release wrappen? $defang_virus = 1; # Wollen wir Content transportieren? $final_virus_destiny = D_REJECT; @av_scanners = ( ### http://www.clamav.net/ ['ClamAV-clamd', \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.sock"], qr/\bOK$/m, qr/\bFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], ); @av_scanners_backup = ();
Programmstart
freshclam
Der Update der Virensignatur-Datenbank läuft bereits automatisch über den cron-job. Im Syslog finden wir dazu die entsprechenden Transferversuche und -erfolge.
# less /var/log/maillog
Nov 18 15:48:33 vml000067 freshclam[10698]: ClamAV update process started at Tue Nov 18 15:48:33 2014 Nov 18 15:48:33 vml000067 freshclam[10698]: main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo) Nov 18 15:48:34 vml000067 freshclam[10698]: getfile: daily-19121.cdiff not found on remote server (IP: 144.76.28.11) Nov 18 15:48:34 vml000067 freshclam[10698]: getpatch: Can't download daily-19121.cdiff from database.clamav.net Nov 18 15:48:34 vml000067 freshclam[10698]: getfile: daily-19121.cdiff not found on remote server (IP: 213.174.32.130) Nov 18 15:48:34 vml000067 freshclam[10698]: getpatch: Can't download daily-19121.cdiff from database.clamav.net Nov 18 15:48:34 vml000067 freshclam[10698]: getfile: daily-19121.cdiff not found on remote server (IP: 176.9.115.53) Nov 18 15:48:34 vml000067 freshclam[10698]: getpatch: Can't download daily-19121.cdiff from database.clamav.net Nov 18 15:48:34 vml000067 freshclam[10698]: Incremental update failed, trying to download daily.cvd Nov 18 15:49:36 vml000067 freshclam[10698]: Downloading daily.cvd [100%] Nov 18 15:49:41 vml000067 freshclam[10698]: daily.cvd updated (version: 19647, sigs: 1264737, f-level: 63, builder: neo) Nov 18 15:49:42 vml000067 freshclam[10698]: Downloading bytecode.cvd [100%] Nov 18 15:49:42 vml000067 freshclam[10698]: bytecode.cvd updated (version: 242, sigs: 46, f-level: 63, builder: dgoddard) Nov 18 15:49:46 vml000067 freshclam[10698]: Database updated (3689008 signatures) from database.clamav.net (IP: 193.27.49.165)
erster Start von clamd
Den ClamAV-Daemon, den wir speziell f+r AMaViS konfiguriert haben, starten wir mit folgendem Aufruf.
# systemctl start clamd@amavisd
Fragen wir nun den Serverstatus ab, erhalten wir detailierte Angaben zum laufenden Daemon.
# systemctl status clamd@amavisd
clamd@amavisd.service - clamd scanner (amavisd) daemon Loaded: loaded (/usr/lib/systemd/system/clamd@.service; enabled) Active: active (running) since Thu 2014-11-20 21:39:50 CET; 18s ago Main PID: 3054 (clamd) CGroup: /system.slice/system-clamd.slice/clamd@amavisd.service └─3054 /usr/sbin/clamd -c /etc/clamd.d/amavisd.conf --nofork=yes Nov 20 21:40:02 vml000067.dmz.nausch.org clamd[3054]: Algorithmic detection enabled. Nov 20 21:40:02 vml000067.dmz.nausch.org clamd[3054]: Portable Executable support enabled. Nov 20 21:40:02 vml000067.dmz.nausch.org clamd[3054]: ELF support enabled. Nov 20 21:40:02 vml000067.dmz.nausch.org clamd[3054]: Mail files support enabled. Nov 20 21:40:02 vml000067.dmz.nausch.org clamd[3054]: OLE2 support enabled. Nov 20 21:40:02 vml000067.dmz.nausch.org clamd[3054]: PDF support enabled. Nov 20 21:40:02 vml000067.dmz.nausch.org clamd[3054]: SWF support enabled. Nov 20 21:40:02 vml000067.dmz.nausch.org clamd[3054]: HTML support enabled. Nov 20 21:40:02 vml000067.dmz.nausch.org clamd[3054]: Self checking every 600 seconds. Nov 20 21:40:02 vml000067.dmz.nausch.org clamd[3054]: Self checking every 600 seconds.
Im Syslog finden wir naturlich auch Informationen zum erfolgreichen Start des Daemon.
# less /var/log/messages
Nov 20 21:39:50 vml000067 systemd: Starting clamd scanner (amavisd) daemon... Nov 20 21:39:50 vml000067 systemd: Started clamd scanner (amavisd) daemon. Nov 20 21:40:02 vml000067 clamd: Limits: Global size limit set to 104857600 bytes. Nov 20 21:40:02 vml000067 clamd: Limits: File size limit set to 26214400 bytes. Nov 20 21:40:02 vml000067 clamd: Limits: Recursion level limit set to 16. Nov 20 21:40:02 vml000067 clamd: Limits: Files limit set to 10000. Nov 20 21:40:02 vml000067 clamd: Limits: MaxEmbeddedPE limit set to 10485760 bytes. Nov 20 21:40:02 vml000067 clamd: Limits: MaxHTMLNormalize limit set to 10485760 bytes. Nov 20 21:40:02 vml000067 clamd: Limits: MaxHTMLNoTags limit set to 2097152 bytes. Nov 20 21:40:02 vml000067 clamd: Limits: MaxScriptNormalize limit set to 5242880 bytes. Nov 20 21:40:02 vml000067 clamd: Limits: MaxZipTypeRcg limit set to 1048576 bytes. Nov 20 21:40:02 vml000067 clamd: Limits: MaxPartitions limit set to 50. Nov 20 21:40:02 vml000067 clamd: Limits: MaxIconsPE limit set to 100. Nov 20 21:40:02 vml000067 clamd: Archive support enabled. Nov 20 21:40:02 vml000067 clamd: Algorithmic detection enabled. Nov 20 21:40:02 vml000067 clamd: Portable Executable support enabled. Nov 20 21:40:02 vml000067 clamd: ELF support enabled. Nov 20 21:40:02 vml000067 clamd: Mail files support enabled. Nov 20 21:40:02 vml000067 clamd: OLE2 support enabled. Nov 20 21:40:02 vml000067 clamd: PDF support enabled. Nov 20 21:40:02 vml000067 clamd: SWF support enabled. Nov 20 21:40:02 vml000067 clamd: HTML support enabled. Nov 20 21:40:02 vml000067 clamd: Self checking every 600 seconds.
automatischer Start des clamd
Damit nun unser AMaViS-Server beim Booten automatisch gestartet wird, nehmen wir noch folgende Konfigurationsschritte vor.
# systemctl enable clamd@amavisd
ln -s '/usr/lib/systemd/system/clamd@.service' '/etc/systemd/system/multi-user.target.wants/clamd@amavisd.service'
Wollen wir überprüfen ob der Dienst automatisch startet, verwenden wir folgenden Aufruf.
# systemctl is-enabled clamd@amavisd
enabled
Die Rückmeldung enabled zeigt an, dass der Dienst automatisch startet; ein disabled zeigt entsprechend an, dass der Dienst nicht automatisch startet.
Test
Haben wir die Konfiguration unseres AMaViS fertiggestellt, können wir uns auch daransetzen unsere ClamAV-Installation zu überprüfen.
HAM
Als erstes wollen wir ein beliebiges ZIP-Archiv per eMail verschicken. In diesem Beispiel nehmen wir einfach ein Lied/ZIP-Archiv der Ebersberger Liedersammlung. Dieses laden wir erst einmal auf unseren Rechner.
# curl -O http://ebersberger-liedersammlung.de/lib/exe/fetch.php/lieder/in_dulci_jubilo.zip
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 717k 100 717k 0 0 2007k 0 --:--:-- --:--:-- --:--:-- 2004k
Anschließend generieren wir mit Hilfe von swaks eine eMail und packen dazu das ZIP-File in den Anhang.
# swaks --to django@nausch.org --from michael@nausch.org --attach - --server 10.0.0.87 --suppress-data </root/in_dulci_jubilo.zip --header "Subject: Ebersberger Liedersammlung: In dulci jubilo"
=== Trying 10.0.0.87:25... === Connected to 10.0.0.87. <- 220 mx01.nausch.org ESMTP Postfix -> EHLO vml000087.dmz.nausch.org <- 250-mx01.nausch.org <- 250-PIPELINING <- 250-SIZE 52428800 <- 250-ETRN <- 250-STARTTLS <- 250-ENHANCEDSTATUSCODES <- 250-8BITMIME <- 250 DSN -> MAIL FROM:<michael@nausch.org> <- 250 2.1.0 Ok -> RCPT TO:<django@nausch.org> <- 250 2.1.5 Ok -> DATA <- 354 End data with <CR><LF>.<CR><LF> -> 12914 lines sent <- 250 2.0.0 Ok: queued as 20560C00088 -> QUIT <- 221 2.0.0 Bye === Connection closed with remote host.
Im Maillog des MTA2) finden wir die einträge der erfolgreichen Zustellung.
# less /var/log/maillog
Nov 20 22:37:43 vml000087 postfix/smtpd[12103]: connect from vml000087.dmz.nausch.org[10.0.0.87]
Nov 20 22:37:43 vml000087 postfix/smtpd[12103]: 20560C00088: client=vml000087.dmz.nausch.org[10.0.0.87]
Nov 20 22:37:43 vml000087 postfix/cleanup[12108]: 20560C00088: message-id=<20141120213743.20560C00088@mx01.nausch.org>
Nov 20 22:37:44 vml000087 postfix/qmgr[8701]: 20560C00088: from=<michael@nausch.org>, size=1006405, nrcpt=1 (queue active)
Nov 20 22:37:44 vml000087 postfix/smtpd[12103]: disconnect from vml000087.dmz.nausch.org[10.0.0.87]
Nov 20 22:37:44 vml000087 postfix/lmtp[12109]: 20560C00088: to=<django@nausch.org>, relay=10.0.0.77[10.0.0.77]:24, delay=1.4, delays=0.93/0.02/0.05/0.37, dsn=2.0.0, status=sent (250 2.0.0 <django@nausch.org> KmGbByhfblQOXQAArK2B9Q Saved)
Nov 20 22:37:44 vml000087 postfix/qmgr[8701]: 20560C00088: removed
Auf Seiten unseres AS/AV3)-Hosts wird die Prüfung im Maillog dokumentiert.
# less /var/log/maillog
Nov 20 22:37:43 vml000067 amavis[3310]: loaded policy bank "AM.PDP-SOCK" Nov 20 22:37:43 vml000067 amavis[3310]: process_request: fileno sock=13, STDIN=0, STDOUT=1 Nov 20 22:37:43 vml000067 amavis[3310]: policy protocol: request=AM.PDP Nov 20 22:37:43 vml000067 amavis[3310]: policy protocol: queue_id=20560C00088 Nov 20 22:37:43 vml000067 amavis[3310]: policy protocol: sender=<michael@nausch.org> Nov 20 22:37:43 vml000067 amavis[3310]: policy protocol: recipient=<django@nausch.org> Nov 20 22:37:43 vml000067 amavis[3310]: policy protocol: tempdir=/var/spool/amavisd/afXXXXtVLyxI Nov 20 22:37:43 vml000067 amavis[3310]: policy protocol: tempdir_removed_by=client Nov 20 22:37:43 vml000067 amavis[3310]: policy protocol: mail_file=/var/spool/amavisd/afXXXXtVLyxI/email.txt Nov 20 22:37:43 vml000067 amavis[3310]: policy protocol: delivery_care_of=client Nov 20 22:37:43 vml000067 amavis[3310]: policy protocol: client_address=10.0.0.87 Nov 20 22:37:43 vml000067 amavis[3310]: policy protocol: client_name=vml000087.dmz.nausch.org Nov 20 22:37:43 vml000067 amavis[3310]: policy protocol: helo_name=vml000087.dmz.nausch.org Nov 20 22:37:43 vml000067 amavis[3310]: policy protocol: policy_bank=mx01.nausch.org Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) Request: AM.PDP /var/spool/amavisd/afXXXXtVLyxI: <michael@nausch.org> -> <django@nausch.org> Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) loaded policy bank "MYNETS" over "AM.PDP-SOCK" Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) body hash: 5bf56bd1955c4a16ec95bddecda96bb7 Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) ip_trace: 10.0.0.87 Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) Checking: tlAv90BU3Ydw AM.PDP-SOCK/MYNETS [10.0.0.87] <michael@nausch.org> -> <django@nausch.org> Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) 2822.From: <michael@nausch.org> Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) p003 1 Content-Type: multipart/mixed Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) p001 1/1 Content-Type: text/plain, size: 22 B, name: Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) p002 1/2 Content-Type: application/octet-stream, size: 734822 B, name: Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) inspect_dsn: not a bounce Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) Checking for banned types and filenames Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) skipping banned check: all recipients bypass banned checks Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) presenting full original message to scanners as /var/spool/amavisd/afXXXXtVLyxI/parts/p008 Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) run_av Using (ClamAV-clamd): (code) CONTSCAN /var/spool/amavisd/afXXXXtVLyxI/parts\n Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) ClamAV-clamd: Connecting to socket /var/run/clamd.amavisd/clamd.sock Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) new socket by IO::Socket::UNIX to /var/run/clamd.amavisd/clamd.sock, timeout 10 Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) ClamAV-clamd: Sending CONTSCAN /var/spool/amavisd/afXXXXtVLyxI/parts\n to socket /var/run/clamd.amavisd/clamd.sock Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) rw_loop read: got eof Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) run_av (ClamAV-clamd): CLEAN Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) run_av (ClamAV-clamd) result: clean Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) truncating a message passed to SA at 410151 bytes, orig 1006367 Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) calling SA parse (0), SA vers 3.3.2, 3.003002, data as GLOB, recips_ind [0], user: "amavis" Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) spam_scan: score=-1.01 autolearn=ham tests=[ALL_TRUSTED=-1,T_RP_MATCHES_RCVD=-0.01] recips=0 Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) do_notify_and_quar: ccat=CleanTag (1,1) ("1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(), qar_mth= Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) delivery method is 1, recips: django@nausch.org Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) spam-tag, <michael@nausch.org> -> <django@nausch.org>, No, score=-1.01 tagged_above=-1000 required=6.31 tests=[ALL_TRUSTED=-1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) dkim: candidate originators: From:<michael@nausch.org> Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) dkim: not signing, empty signing domain, From: <michael@nausch.org> Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) DSN: sender is credible (orig), SA: -1.010, <michael@nausch.org> Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) status counters: InMsgsStatus{Accepted,AcceptedInternal,AcceptedOriginating} Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) Passed CLEAN {AcceptedInternal}, AM.PDP-SOCK/MYNETS LOCAL [10.0.0.87] <michael@nausch.org> -> <django@nausch.org>, Queue-ID: 20560C00088, Message-ID: <20141120213743.20560C00088@mx01.nausch.org>, mail_id: tlAv90BU3Ydw, Hits: -1.01, size: 1006367, 772 ms Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) TIMING-SA total 477 ms - parse: 19 (4.1%), extract_message_metadata: 24 (5.1%), get_uri_detail_list: 0.44 (0.1%), tests_pri_-1000: 6 (1.2%), tests_pri_-950: 1.60 (0.3%), tests_pri_-900: 1.17 (0.2%), tests_pri_-400: 0.95 (0.2%), tests_pri_0: 353 (74.0%), check_dkim_adsp: 16 (3.4%), check_spf: 0.37 (0.1%), check_razor2: 260 (54.5%), check_pyzor: 0.24 (0.1%), tests_pri_500: 3 (0.7%), learn: 53 (11.0%), get_report: 0.92 (0.2%) Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) mail checking ended: version_server=2\nlog_id=03310-01\nsetreply=250 2.5.0 Ok,%20id=03310-01,%20continue%20delivery\ninsheader=0 X-Spam-Status No,%20score=-1.01%20tagged_above=-1000%20required=6.31%0a%09tests=[ALL_TRUSTED=-1,%20T_RP_MATCHES_RCVD=-0.01]%20autolearn=ham\ninsheader=0 X-Spam-Level \ninsheader=0 X-Spam-Score -1.01\ninsheader=0 X-Spam-Flag NO\nreturn_value=continue\nexit_code=0 Nov 20 22:37:43 vml000067 amavis[3310]: (03310-01) size: 1006367, TIMING [total 778 ms] - got data: 0.0 (0%)0, check_init: 3.4 (0%)0, digest_hdr: 1.4 (0%)1, digest_body_dkim: 9 (1%)2, collect_info: 1.7 (0%)2, mkdir parts: 1.4 (0%)2, mime_decode: 47 (6%)8, get-file-type2: 17 (2%)10, ren4-unl0-files4: 46 (6%)16, decompose_part: 0.4 (0%)16, get-file-type4: 28 (4%)20, parts_decode: 0.3 (0%)20, check_header: 0.4 (0%)20, AV-scan-1: 124 (16%)36, spam-wb-list: 0.5 (0%)36, SA parse: 22 (3%)39, SA check: 451 (58%)97, decide_mail_destiny: 8 (1%)98, notif-quar: 0.5 (0%)98, prepare-dsn: 4.0 (1%)98, report: 1.4 (0%)99, main_log_entry: 5 (1%)99, update_snmp: 1.5 (0%)99, rundown: 4.0 (1%)100 Nov 20 22:37:44 vml000067 amavis[3310]: (03310-01) extra modules loaded: unicore/lib/Gc/Nd.pl Nov 20 22:37:44 vml000067 amavis[3310]: (03310-01) load: 100 %, total idle 0.000 s, busy 0.804 s
In der Inbox unseres MUA4)s POP3/IMAP-Servers finden wir auch die zugestellte Nachricht.
Return-Path: <michael@nausch.org>
Delivered-To: django@nausch.org
Received: from mx01.nausch.org ([10.0.0.87])
by imap.nausch.org (Dovecot) with LMTP id KmGbByhfblQOXQAArK2B9Q
for <django@nausch.org>; Thu, 20 Nov 2014 22:37:44 +0100
X-Spam-Flag: NO
X-Spam-Score: -1.01
X-Spam-Level:
X-Spam-Status: No, score=-1.01 tagged_above=-1000 required=6.31
tests=[ALL_TRUSTED=-1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from vml000087.dmz.nausch.org (vml000087.dmz.nausch.org [10.0.0.87])
by mx01.nausch.org (Postfix) with ESMTP id 20560C00088
for <django@nausch.org>; Thu, 20 Nov 2014 22:37:43 +0100 (CET)
Date: Thu, 20 Nov 2014 22:37:43 +0100
To: django@nausch.org
From: michael@nausch.org
Subject: Ebersberger Liedersammlung: In dulci jubilo
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_MIME_BOUNDARY_000_12110"
Message-Id: <20141120213743.20560C00088@mx01.nausch.org>
------=_MIME_BOUNDARY_000_12110
Content-Type: text/plain
This is a test mailing
------=_MIME_BOUNDARY_000_12110
Content-Type: application/octet-stream
Content-Disposition: attachment
Content-Transfer-Encoding: BASE64
UEsDBBQDAAAIAFNyDUN6/Zsb2QYAAKUSAAASAAAAaW5fZHVsY2lfanViaWxvLmx5rVdZDtMwEP0m
pxiCECBB2coq9lXsiFVClZCTTBKDYwfbYQdxB36R+OEMfPHXm3ASnh1CCoWwiEpNE2f8Znsz426m
M5IdO7pqPOtMCe/pSWcLJrbOs1KeHhtNV2ReC1Z0VXQur5PNdMloLx76w9T0b07o+GZmbEVbr5+/
Tm2XKZnveMjPaNfTPXsPzk8fnB/aRkmyeAxkCcx0z2z3/tmuNFnULAq29CIh8tIrpqOUXtBUdCqX
9KDLpDIprX+i7bR8l7GFaitLT4DpPaEn0hb0nLW3kq2nCk76535G0OG67JsaSjds2DDAPWHp2fK4
...
...
G9kGAAClEgAAEgAAAAAAAAAAACCAtIEAAAAAaW5fZHVsY2lfanViaWxvLmx5UEsBAj8DFAMAAAgA
U3INQ1XNopkpAgAA7QcAABQAAAAAAAAAAAAggLSBCQcAAGluX2R1bGNpX2p1Ymlsby5taWRpUEsB
Aj8DFAMAAAgAU3INQzZ3dvYIwgkAgAAKABMAAAAAAAAAAAAggLSBZAkAAGluX2R1bGNpX2p1Ymls
by5tcDNQSwECPwMUAwAACABTcg1DPURRdX5pAQAQDgIAEwAAAAAAAAAAACCAtIGdywkAaW5fZHVs
Y2lfanViaWxvLnBkZlBLBQYAAAAABAAEAAQBAABMNQsAAAA=
------=_MIME_BOUNDARY_000_12110--
Virus-Mail
Beim nächsten Test versuchen wir eine eMail mit einem Virus im Anhang an einen Benutzer zu schicken. Hierzu greifen wir auf ein Testsignatur-Datei der EUROPEAN EXPERT GROUP FOR IT-SECURITY zurück. Als erstes laden wir uns eine Testsignaturdatei auf unseren Rechner.
# curl -O http://www.eicar.org/download/eicarcom2.zip
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 308 100 308 0 0 1299 0 --:--:-- --:--:-- --:--:-- 1305
Wie auch schon bei unserem vorherigen Test nutzen wir auch hier swaks zum verschicken einer eMail mit der eicar-Testdatei im Anhang.
# swaks --to django@nausch.org --from michael@nausch.org --attach - --server 10.0.0.87 --suppress-data </root/eicarcom2.zip --header "Subject: Eicar Virentestpattern"
=== Trying 10.0.0.87:25... === Connected to 10.0.0.87. <- 220 mx01.nausch.org ESMTP Postfix -> EHLO vml000087.dmz.nausch.org <- 250-mx01.nausch.org <- 250-PIPELINING <- 250-SIZE 52428800 <- 250-ETRN <- 250-STARTTLS <- 250-ENHANCEDSTATUSCODES <- 250-8BITMIME <- 250 DSN -> MAIL FROM:<michael@nausch.org> <- 250 2.1.0 Ok -> RCPT TO:<django@nausch.org> <- 250 2.1.5 Ok -> DATA <- 354 End data with <CR><LF>.<CR><LF> -> 28 lines sent <** 554 5.7.0 Reject, id=03311-01 - INFECTED: Eicar-Test-Signature. Contact your postmaster/admin for technical assistance. He can achieve our postmaster via email: postmaster@nausch.org or via fax: +49 8121 883179. In any case, please provide the following information in your problem report: This error message, time (Nov 20 22:43:10), client (10.0.0.87) and server (mx01.nausch.org). -> QUIT <- 221 2.0.0 Bye === Connection closed with remote host.
Wie wir sehen, wurde die Annahme der eMail vom Mailserver abgelehnt. Der einliefernde Client bekommt auch sofort mit der Fehlermeldung 554 5.7.0 Reject, id=03311-01 - INFECTED: Eicar-Test-Signature. einen Hinweis, warum die Nachricht nicht angenommen wurde.
Im Maillog des MTA5) finden wir die Einträge des Zustellungsversuch.
# less /var/log/maillog
Nov 20 22:43:10 vml000087 postfix/smtpd[12126]: connect from vml000067.dmz.nausch.org[10.0.0.67]
Nov 20 22:43:10 vml000087 postfix/smtpd[12126]: 44A0AC00089: client=vml000067.dmz.nausch.org[10.0.0.67]
Nov 20 22:43:10 vml000087 postfix/cleanup[12127]: 44A0AC00089: message-id=<VRAnQpYwBJBkmi@viruswall.dmz.nausch.org>
Nov 20 22:43:10 vml000087 postfix/qmgr[8701]: 44A0AC00089: from=<postmaster@nausch.org>, size=1211, nrcpt=1 (queue active)
Nov 20 22:43:10 vml000087 postfix/cleanup[12125]: CCB54C00088: milter-reject: END-OF-MESSAGE from vml000087.dmz.nausch.org[10.0.0.87]: 5.7.0 Reject, id=03311-01 - INFECTED: Eicar-Test-Signature; from=<michael@nausch.org> to=<django@nausch.org> proto=ESMTP helo=<vml000087.dmz.nausch.org>
Nov 20 22:43:10 vml000087 postfix/smtpd[12119]: disconnect from vml000087.dmz.nausch.org[10.0.0.87]
Nov 20 22:43:10 vml000087 postfix/lmtp[12128]: 44A0AC00089: to=<django@nausch.org>, relay=10.0.0.77[10.0.0.77]:24, delay=0.62, delays=0.05/0.19/0/0.37, dsn=2.0.0, status=sent (250 2.0.0 <django@nausch.org> YmGbByhfblQOXQAArK2B9Q Saved)
Nov 20 22:43:10 vml000087 postfix/qmgr[8701]: 44A0AC00089: removed
Details zum Scannvorgang und -ergebnis können wir mit der id 03311-01 im Maillog des AS/AV6)-Host herausfinden.
# less /var/log/maillog
Nov 20 22:43:09 vml000067 amavis[3311]: loaded policy bank "AM.PDP-SOCK" Nov 20 22:43:09 vml000067 amavis[3311]: process_request: fileno sock=13, STDIN=0, STDOUT=1 Nov 20 22:43:09 vml000067 amavis[3311]: policy protocol: request=AM.PDP Nov 20 22:43:09 vml000067 amavis[3311]: policy protocol: queue_id=CCB54C00088 Nov 20 22:43:09 vml000067 amavis[3311]: policy protocol: sender=<michael@nausch.org> Nov 20 22:43:09 vml000067 amavis[3311]: policy protocol: recipient=<django@nausch.org> Nov 20 22:43:09 vml000067 amavis[3311]: policy protocol: tempdir=/var/spool/amavisd/afXXXXqKQgyd Nov 20 22:43:09 vml000067 amavis[3311]: policy protocol: tempdir_removed_by=client Nov 20 22:43:09 vml000067 amavis[3311]: policy protocol: mail_file=/var/spool/amavisd/afXXXXqKQgyd/email.txt Nov 20 22:43:09 vml000067 amavis[3311]: policy protocol: delivery_care_of=client Nov 20 22:43:09 vml000067 amavis[3311]: policy protocol: client_address=10.0.0.87 Nov 20 22:43:09 vml000067 amavis[3311]: policy protocol: client_name=vml000087.dmz.nausch.org Nov 20 22:43:09 vml000067 amavis[3311]: policy protocol: helo_name=vml000087.dmz.nausch.org Nov 20 22:43:09 vml000067 amavis[3311]: policy protocol: policy_bank=mx01.nausch.org Nov 20 22:43:09 vml000067 amavis[3311]: (03311-01) Request: AM.PDP /var/spool/amavisd/afXXXXqKQgyd: <michael@nausch.org> -> <django@nausch.org> Nov 20 22:43:09 vml000067 amavis[3311]: (03311-01) loaded policy bank "MYNETS" over "AM.PDP-SOCK" Nov 20 22:43:09 vml000067 amavis[3311]: (03311-01) body hash: 45e745bc84324a9251567c19e367fdfb Nov 20 22:43:09 vml000067 amavis[3311]: (03311-01) ip_trace: 10.0.0.87 Nov 20 22:43:09 vml000067 amavis[3311]: (03311-01) Checking: AnQpYwBJBkmi AM.PDP-SOCK/MYNETS [10.0.0.87] <michael@nausch.org> -> <django@nausch.org> Nov 20 22:43:09 vml000067 amavis[3311]: (03311-01) 2822.From: <michael@nausch.org> Nov 20 22:43:09 vml000067 amavis[3311]: (03311-01) p003 1 Content-Type: multipart/mixed Nov 20 22:43:09 vml000067 amavis[3311]: (03311-01) p001 1/1 Content-Type: text/plain, size: 22 B, name: Nov 20 22:43:09 vml000067 amavis[3311]: (03311-01) p002 1/2 Content-Type: application/octet-stream, size: 308 B, name: Nov 20 22:43:09 vml000067 amavis[3311]: (03311-01) inspect_dsn: not a bounce Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) Checking for banned types and filenames Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) skipping banned check: all recipients bypass banned checks Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) presenting full original message to scanners as /var/spool/amavisd/afXXXXqKQgyd/parts/p006 Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) run_av Using (ClamAV-clamd): (code) CONTSCAN /var/spool/amavisd/afXXXXqKQgyd/parts\n Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) ClamAV-clamd: Connecting to socket /var/run/clamd.amavisd/clamd.sock Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) new socket by IO::Socket::UNIX to /var/run/clamd.amavisd/clamd.sock, timeout 10 Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) ClamAV-clamd: Sending CONTSCAN /var/spool/amavisd/afXXXXqKQgyd/parts\n to socket /var/run/clamd.amavisd/clamd.sock Nov 20 22:43:10 vml000067 clamd[3288]: /var/spool/amavisd/afXXXXqKQgyd/parts/p005: Eicar-Test-Signature FOUND Nov 20 22:43:10 vml000067 clamd[3288]: /var/spool/amavisd/afXXXXqKQgyd/parts/p006: Eicar-Test-Signature FOUND Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) rw_loop read: got eof Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) run_av (ClamAV-clamd): /var/spool/amavisd/afXXXXqKQgyd/parts INFECTED: Eicar-Test-Signature, Eicar-Test-Signature Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) virus_scan: (Eicar-Test-Signature), detected by 1 scanners: ClamAV-clamd Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) Virus Eicar-Test-Signature matches (constant:1), sender addr ignored Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) blocking contents category is (9) for django@nausch.org, final_destiny -3 Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) do_notify_and_quar: ccat=Virus (9,0) ("9":Virus, "1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(9), qar_mth= Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) dkim: candidate originators: From:<postmaster@nausch.org> Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) dkim: not signing, empty signing domain, From: <postmaster@nausch.org> Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) smtp session: setting up a new session Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) new socket using IO::Socket::IP to [10.0.0.87]:10025, timeout 35 Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) smtp greeting: 220 mx01.nausch.org ESMTP Postfix, dt: 113.3 ms Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) smtp cmd> EHLO localhost Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) smtp resp to EHLO: 250 mx01.nausch.org\nPIPELINING\nSIZE 52428800\nETRN\nSTARTTLS\nAUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nAUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM\nXFORWARD NAME ADDR PROTO HELO SOURCE PORT IDENT\nENHANCEDSTATUSCODES\n8BITMIME\nDSN Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) AUTH not needed, user='', MTA offers 'PLAIN LOGIN DIGEST-MD5 CRAM-MD5 NTLM' Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) smtp cmd> MAIL FROM:<postmaster@nausch.org> ENVID=AM.2T4ZIGYMVawD.20141120T214310Z@viruswall.dmz.nausch.org Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) smtp cmd> RCPT TO:<django@nausch.org> Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) smtp cmd> DATA Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) smtp resp to MAIL (pip): 250 2.1.0 Ok Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) smtp resp to RCPT (pip) (<django@nausch.org>): 250 2.1.5 Ok Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) smtp resp to DATA: 354 End data with <CR><LF>.<CR><LF> Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) smtp resp to data-dot (<django@nausch.org>): 250 2.0.0 Ok: queued as 44A0AC00089, dt: 28.4 ms Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) Amavis::Out::SMTP::Session close, keeping connection Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) 2T4ZIGYMVawD(AnQpYwBJBkmi) SEND from <postmaster@nausch.org> -> <django@nausch.org>, ENVID=AM.2T4ZIGYMVawD.20141120T214310Z@viruswall.dmz.nausch.org 250 2.0.0 from MTA(smtp:[10.0.0.87]:10025): 250 2.0.0 Ok: queued as 44A0AC00089 Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) delivery method is 1, recips: django@nausch.org Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) DSN: sender is credible (orig), SA: 0.000, <michael@nausch.org> Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) status counters: InMsgsStatus{Rejected,RejectedInternal,RejectedOriginating} Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) Blocked INFECTED (Eicar-Test-Signature) {RejectedInternal}, AM.PDP-SOCK/MYNETS LOCAL [10.0.0.87] <michael@nausch.org> -> <django@nausch.org>, Queue-ID: CCB54C00088, Message-ID: <20141120214309.CCB54C00088@mx01.nausch.org>, mail_id: AnQpYwBJBkmi, Hits: -, size: 1222, 470 ms Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) mail checking ended: version_server=2\nlog_id=03311-01\nsetreply=554 5.7.0 Reject,%20id=03311-01%20-%20INFECTED:%20Eicar-Test-Signature\nreturn_value=reject\nexit_code=69 Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) size: 1222, TIMING [total 541 ms] - got data: 0.0 (0%)0, check_init: 7 (1%)1, digest_hdr: 1.9 (0%)2, digest_body_dkim: 0.4 (0%)2, collect_info: 2.8 (1%)2, mkdir parts: 8 (1%)4, mime_decode: 24 (4%)8, get-file-type2: 35 (6%)14, ren1-unl0-files1: 60 (11%)25, decompose_part: 0.9 (0%)26, get-file-type1: 22 (4%)30, ren1-unl0-files1: 38 (7%)37, decompose_part: 0.3 (0%)37, get-file-type1: 13 (2%)39, parts_decode: 0.2 (0%)39, check_header: 0.5 (0%)39, AV-scan-1: 9 (2%)41, read_snmp_variables: 0.7 (0%)41, decide_mail_destiny: 1.7 (0%)41, notif-quar: 0.5 (0%)41, fwd-connect: 132 (24%)66, fwd-mail-pip: 26 (5%)71, fwd-rcpt-pip: 0.5 (0%)71, fwd-data-chkpnt: 0.1 (0%)71, write-header: 0.4 (0%)71, fwd-data-contents: 1.1 (0%)71, fwd-end-chkpnt: 30 (5%)77, prepare-dsn: 1.3 (0%)77, report: 6 (1%)78, main_log_entry: 52 (10%)87, update_snmp: 51 (9%)97, rundown: 17 (3%)100 Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) extra modules loaded: unicore/lib/Gc/Nd.pl Nov 20 22:43:10 vml000067 amavis[3311]: (03311-01) load: 100 %, total idle 0.000 s, busy 0.635 s
Hier suche wir dann nach besagter ID 03311-01 und erfahren den eigentlichen Grund, warum die Annahme der Nachricht verweigert wurde.
Gemäß unseren Einstellungen im AMaViS erhält der Empfänger eine Nachricht, dass versucht wurde ihm eine NAchricht zuzustellen, deren Annahme aber verweigert wurde, da ein Virus erkannt wurde.
Return-Path: <postmaster@nausch.org> Delivered-To: django@nausch.org Received: from mx01.nausch.org ([10.0.0.87]) by imap.nausch.org (Dovecot) with LMTP id YmGbByhfblQOXQAArK2B9Q for <django@nausch.org>; Thu, 20 Nov 2014 22:43:10 +0100 Received: from localhost (vml000067.dmz.nausch.org [10.0.0.67]) by mx01.nausch.org (Postfix) with ESMTP id 44A0AC00089 for <django@nausch.org>; Thu, 20 Nov 2014 22:43:10 +0100 (CET) MIME-Version: 1.0 From: Postmaster <postmaster@nausch.org> Date: Thu, 20 Nov 2014 22:43:09 +0100 (CET) Subject: VIRUS (Eicar-Test-Signature) in mail TO YOU from <michael@nausch.org> To: django@nausch.org Message-ID: <VRAnQpYwBJBkmi@viruswall.dmz.nausch.org> Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 7bit VIRUS ALERT Our content checker found virus: Eicar-Test-Signature in an email to you from probably faked sender: claiming to be: <michael@nausch.org> Content type: Virus Our internal reference code for your message is 03311-01/AnQpYwBJBkmi First upstream SMTP client IP address: [10.0.0.87] vml000087.dmz.nausch.org Received from: 10.0.0.87 Return-Path: <michael@nausch.org> From: michael@nausch.org Message-ID: <20141120214309.CCB54C00088@mx01.nausch.org> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ Subject: Eicar Virentestpattern Not quarantined. Please contact your system administrator for details.
Optimierung / RAM-Disk für AMaViS
Da sich bei entsprechenden Traffic die Zugriffe auf die Harddisk ungünstig auf die Performance auswirkt, legen wir eine RAM-Disk für den Virenscanner an. Dort kann ClamAV dann die Dateianhänge der Nachrichten entpacken, ablegen und auf Schadcode hin überprüfen.
Denn wie lautet die alte Serverkonfiguration? Was ist besser als viel RAM? Ganz einfach: Noch mehr RAM! ;)
Bei der Festlegung, wie groß die RAM-Disk denn sein soll, kann man folgende Formel heranziehen:
RAM-Disk ≈ Anzahl AMaViS-Instanzen * (max. e-Mailgröße + (max. e-Mailgröße * Auspackfaktor))
Diesen theoretischen Wert, wird man aber in den seltensten Fällen einstellen können/dürfen. Zum einen gibt es Budgetgrenzen bei der Anschaffung und natürlich andere limitierende Faktoren, wie z.B. den Netzwerkkartendurchsatz und Wahrscheinlichkeit, wie häufig Nachrichten mit Anhängen zugleich bearbeitet werden müssen.
Bei einigen Installationen hat sich die Faustregel RAM-Disk ≈ Anzahl AMaViS-Instanzen * (1,25 * max. Dateigröße) bestens bewährt. Bei vier Instanzen reicht also eine 250MB große RAM-Disk dicke aus!
Damit wir die Zugriffsrechte auf die Ramdisk richtig setzen können, schließlich soll nicht jedermann die Inhalte der eMails lesen können, ermitteln wird zu erst noch die gid und uid.
# grep amavis /etc/passwd
amavis:x:996:995:User for amavisd-new:/var/spool/amavisd:/sbin/nologin
Die UID lautet also 996 und die GID 995.
Da wir nun die Werte RAM-Disk-Größe, GID und UID haben können wir nun in der Konfigurationsdatei /etc/fstab unsere RAM-Disk definieren.
# vim /etc/fstab
... # Django : 2014-11-21 # RAM-Disk für ClamAV eingerichtet tmpfs /var/spool/amavisd/tmp/ tmpfs defaults,size=250m,mode=750,uid=996,gid=995 0 0
Anschließend mounten wir unser neues Laufwerk mit dem folgenden Aufruf.
# mount /var/spool/amavisd/tmp
Je nach Belastung werden nun in unserem Arbeitsverzeichnis die Daten abgelegt.
# df -h -t tmpfs
Filesystem Size Used Avail Use% Mounted on tmpfs 921M 0 921M 0% /dev/shm tmpfs 921M 8.4M 913M 1% /run tmpfs 921M 0 921M 0% /sys/fs/cgroup /dev/shm 250M 168M 250M 67% /var/spool/amavisd/tmp
Der Scanvorgang unserer Nachrichten wird nun wesentlich schneller ablaufen, als bei den Tests ohne die RAM-Disk!