Inhaltsverzeichnis

Virenschutz mit ClamAV

Als Viren-Scanner und -Killer verwenden wir clamav.

Installation

Wir installieren uns hierzu den entsprechenden daemon via yum.

yum install clamd clamav clamav-db

Info

Was uns die einzelnen Pakete liefern, entnehmen wir den jeweiligen rpm's.

yum info clamd

Name   : clamd
...
Summary: The Clam AntiVirus Daemon
Description:
The Clam AntiVirus Daemon
yum info clamav


Name   : clamav
...
Summary: Anti-virus software
Description:
Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose of
this software is the integration with mail servers (attachment scanning).
The package provides a flexible and scalable multi-threaded daemon, a
command line scanner, and a tool for automatic updating via Internet.

The programs are based on a shared library distributed with the Clam
AntiVirus package, which you can use with your own software. Most
importantly, the virus database is kept up to date
yum info clamav-db

Name   : clamav-db
...
Summary: Virus database for clamav
Description:
The actual virus database for clamav

Programmpfade und -inhalte

Über die einzelnen Dateien und Pfade der installierten Programme, informieren wir uns mittels:

rpm -ql clamd

/etc/clamd.conf
/etc/logrotate.d/clamav
/etc/rc.d/init.d/clamd
/usr/bin/clamconf
/usr/bin/clamdscan
/usr/sbin/clamd
/usr/share/doc/clamd-0.94.1
/usr/share/doc/clamd-0.94.1/clamd.conf
/usr/share/doc/clamd-0.94.1/clamdwatch
/usr/share/doc/clamd-0.94.1/clamdwatch/clamdwatch.tar.gz
/usr/share/man/man1/clamconf.1.gz
/usr/share/man/man1/clamdscan.1.gz
/usr/share/man/man5/clamd.conf.5.gz
/usr/share/man/man8/clamd.8.gz
/var/clamav
/var/log/clamav
/var/run/clamav
rpm -ql clamav

/etc/freshclam.conf
/usr/bin/clamscan
/usr/bin/freshclam
/usr/bin/sigtool
/usr/lib/libclamav.so.5
/usr/lib/libclamav.so.5.0.3
/usr/lib/libclamunrar.so.5
/usr/lib/libclamunrar.so.5.0.3
/usr/lib/libclamunrar_iface.so.5
/usr/lib/libclamunrar_iface.so.5.0.3
/usr/share/doc/clamav-0.94.1
/usr/share/doc/clamav-0.94.1/AUTHORS
/usr/share/doc/clamav-0.94.1/BUGS
/usr/share/doc/clamav-0.94.1/COPYING
/usr/share/doc/clamav-0.94.1/ChangeLog
/usr/share/doc/clamav-0.94.1/FAQ
/usr/share/doc/clamav-0.94.1/INSTALL
/usr/share/doc/clamav-0.94.1/NEWS
/usr/share/doc/clamav-0.94.1/README
/usr/share/doc/clamav-0.94.1/clamav-mirror-howto.pdf
/usr/share/doc/clamav-0.94.1/clamdoc.pdf
/usr/share/doc/clamav-0.94.1/freshclam.conf
/usr/share/doc/clamav-0.94.1/phishsigs_howto.pdf
/usr/share/doc/clamav-0.94.1/signatures.pdf
/usr/share/doc/clamav-0.94.1/test
/usr/share/doc/clamav-0.94.1/test/.split
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-aspack.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-aspack.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-fsg.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-fsg.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-mew.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-mew.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-nsis.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-nsis.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-pespin.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-pespin.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-petite.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-petite.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-upack.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-upack.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-upx.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-upx.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-v2.raraa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-v2.rarab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-v3.raraa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-v3.rarab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-wwpack.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-wwpack.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.arjaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.arjab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.bz2.zipaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.bz2.zipab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.cabaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.cabab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.chmaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.chmab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.d64.zipaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.d64.zipab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ea05.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ea05.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ea06.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ea06.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.binhexaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.binhexab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.bz2aa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.bz2ab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.htmlaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.htmlab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.mbox.base64aa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.mbox.base64ab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.mbox.uuaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.mbox.uuab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.rtfaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.rtfab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.szddaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.szddab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.impl.zipaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.impl.zipab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.mailaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.mailab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ole.docaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ole.docab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.pdfaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.pdfab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.pptaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.pptab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.sisaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.sisab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.tar.gzaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.tar.gzab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.tnefaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.tnefab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.zipaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.zipab
/usr/share/doc/clamav-0.94.1/test/Makefile
/usr/share/doc/clamav-0.94.1/test/Makefile.am
/usr/share/doc/clamav-0.94.1/test/Makefile.in
/usr/share/doc/clamav-0.94.1/test/README
/usr/share/doc/clamav-0.94.1/test/clam-aspack.exe
/usr/share/doc/clamav-0.94.1/test/clam-fsg.exe
/usr/share/doc/clamav-0.94.1/test/clam-mew.exe
/usr/share/doc/clamav-0.94.1/test/clam-nsis.exe
/usr/share/doc/clamav-0.94.1/test/clam-pespin.exe
/usr/share/doc/clamav-0.94.1/test/clam-petite.exe
/usr/share/doc/clamav-0.94.1/test/clam-upack.exe
/usr/share/doc/clamav-0.94.1/test/clam-upx.exe
/usr/share/doc/clamav-0.94.1/test/clam-v2.rar
/usr/share/doc/clamav-0.94.1/test/clam-v3.rar
/usr/share/doc/clamav-0.94.1/test/clam-wwpack.exe
/usr/share/doc/clamav-0.94.1/test/clam.arj
/usr/share/doc/clamav-0.94.1/test/clam.bz2.zip
/usr/share/doc/clamav-0.94.1/test/clam.cab
/usr/share/doc/clamav-0.94.1/test/clam.chm
/usr/share/doc/clamav-0.94.1/test/clam.d64.zip
/usr/share/doc/clamav-0.94.1/test/clam.ea05.exe
/usr/share/doc/clamav-0.94.1/test/clam.ea06.exe
/usr/share/doc/clamav-0.94.1/test/clam.exe
/usr/share/doc/clamav-0.94.1/test/clam.exe.binhex
/usr/share/doc/clamav-0.94.1/test/clam.exe.bz2
/usr/share/doc/clamav-0.94.1/test/clam.exe.html
/usr/share/doc/clamav-0.94.1/test/clam.exe.mbox.base64
/usr/share/doc/clamav-0.94.1/test/clam.exe.mbox.uu
/usr/share/doc/clamav-0.94.1/test/clam.exe.rtf
/usr/share/doc/clamav-0.94.1/test/clam.exe.szdd
/usr/share/doc/clamav-0.94.1/test/clam.impl.zip
/usr/share/doc/clamav-0.94.1/test/clam.mail
/usr/share/doc/clamav-0.94.1/test/clam.ole.doc
/usr/share/doc/clamav-0.94.1/test/clam.pdf
/usr/share/doc/clamav-0.94.1/test/clam.ppt
/usr/share/doc/clamav-0.94.1/test/clam.sis
/usr/share/doc/clamav-0.94.1/test/clam.tar.gz
/usr/share/doc/clamav-0.94.1/test/clam.tnef
/usr/share/doc/clamav-0.94.1/test/clam.zip
/usr/share/man/man1/clamscan.1.gz
/usr/share/man/man1/freshclam.1.gz
/usr/share/man/man1/sigtool.1.gz
/usr/share/man/man5/freshclam.conf.5.gz
rpm -ql clamav-db
/etc/cron.daily/freshclam
/etc/logrotate.d/freshclam
/var/clamav
/var/clamav/daily.cvd
/var/clamav/main.cvd
/var/log/clamav

Konfiguration

clamd

Die Konfigurationsdatei des ClamAV-Daemons /etc/clamd.conf passen wir unseren Gegebenheiten entsprechend an. Wichtig sind dabei insbesonders die drei Paramter:

In Summe ergibt sich also folgende Gesamtkonfiguration:

egrep -v '(^.*#|^$)' /etc/clamd.conf 

LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime yes
LogSyslog yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/clamav
LocalSocket /tmp/clamd.socket
FixStaleSocket yes
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User clamav
AllowSupplementaryGroups yes
ScanPE yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
ScanMail yes
ScanArchive yes
ArchiveBlockEncrypted no

Wie in der /etc/amavisd.conf vermerkt

# # NOTE: run clamd under the same user as amavisd, or run it under its own
# #   uid such as clamav, add user clamav to the amavis group, and then add
# # AllowSupplementaryGroups to clamd.conf;

erweitern wir die Gruppe amavis um den User clamav.

vim /etc/group

amavis:x:106:clamav

amavisd

Die Konfiguration unseres Virenkillers clamav erfolgt über dessen frontend AMaViS. Wir bearbeiten also die Datei amavisd.conf.

 vim /etc/amavisd.conf

Die Pfadangaben passen wir unseren Gegebenheiten an:

 $MYHOME = '/var/amavis';                    # a convenient default for other settings, -H
 $TEMPBASE = "$MYHOME/tmp";                  # working directory, needs to exist, -T
 $ENV{TMPDIR} = $TEMPBASE;                   # environment variable TMPDIR, used by SA, etc.
 $QUARANTINEDIR = "/var/virusmails";

Ebenso:

 $db_home   = "$MYHOME/db";                  # dir for bdb nanny/cache/snmp databases, -D
 $helpers_home = "$MYHOME/var";              # working directory for SpamAssassin, -S
 $lock_file = "$MYHOME/var/amavisd.lock";    # -L
 $pid_file  = "$MYHOME/var/amavisd.pid";     # -P
 $unix_socketname = "$MYHOME/amavisd.sock";  # amavisd-release or amavis-milter

Für den ersten Programmstart drehen wir den Loglevel auf den Wert 3, den wir im späteren Produktivbetrieb dann auf 2 herabsetzen können. Somit erhalten wir in der Anfangsphase wertvolle und ausreichende Hinweise, falls etwas nicht wie geplant laufen sollte.

 $log_level = 3;                             # verbosity 0..5, -d

Da wir uns weder mit Viren, noch mit Spam oder den unerwünschten Dateianhängen herumschlagen wollen, weisen wir AMaViS an, diese Nachrichten über den Mailserver direkt ablehnt.

 $final_virus_destiny      = D_REJECT;
 $final_banned_destiny     = D_REJECT;
 $final_spam_destiny       = D_REJECT;

Da wir AMaViS in erster Linie in der dämonisierten Variante und als Fallback als Backup-Scanner verwenden wollen, aktivieren wir die entsprechenden Konfigurationszeilen kurz nach der Zeile @av_scanners = (. Die Pfadangaben des Socket müssen zu den Angaben in der vorweg beschriebenen /etc/clamd.conf passen!

 # ### http://www.clamav.net/
 ['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"],
   qr/\bOK$/, qr/\bFOUND$/,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
 # # NOTE: run clamd under the same user as amavisd, or run it under its own
 # #   uid such as clamav, add user clamav to the amavis group, and then add
 # # AllowSupplementaryGroups to clamd.conf;
 # # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
 # #   this entry; when running chrooted one may prefer socket "$MYHOME/clamd".

Die komplette AMaViS.Konfiguration lautet dann.

# egrep -v '(^#|^$)' /etc/amavisd.conf
amavisd.conf
use strict;
$max_servers = 5;            # num of pre-forked children (2..30 is common), -m
$daemon_user  = "amavis";     # (no default;  customary: vscan or amavis), -u
$daemon_group = "amavis";     # (no default;  customary: vscan or amavis), -g
$myhostname = 'amavis.nausch.org'; # hostname
$mydomain = 'nausch.org';   # a convenient default for other settings
$MYHOME = '/var/amavis';   # a convenient default for other settings, -H
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = "/var/virusmails";
$db_home   = "$MYHOME/db";      # dir for bdb nanny/cache/snmp databases, -D
$helpers_home = "$MYHOME/var";  # working directory for SpamAssassin, -S
$lock_file = "$MYHOME/var/amavisd.lock";  # -L
$pid_file  = "$MYHOME/var/amavisd.pid";   # -P
$log_level = 3;              # verbosity 0..5, -d
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_facility = 'mail';   # Syslog facility as a string
           # e.g.: mail, daemon, user, local0, ... local7
$syslog_priority = 'debug';  # Syslog base (minimal) priority as a string,
           # choose from: emerg, alert, crit, err, warning, notice, info, debug
$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
$nanny_details_level = 2;    # nanny verbosity: 1: traditional, 2: detailed
$enable_dkim_verification = 1;  # enable DKIM signatures verification
$enable_dkim_signing = 1;    # load DKIM signing code, keys defined by dkim_key
@local_domains_maps = ( [".$mydomain"] );  # list of all local domains
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
                  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
$unix_socketname = "$MYHOME/amavisd.sock";  # amavisd-release or amavis-milter
               # option(s) -p overrides $inet_socket_port and $unix_socketname
$inet_socket_port = 10024;   # listen on this local TCP port(s)
$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
};
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps  => ["virusalert\@$mydomain"],
  warnbadhsender   => 1,
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};
$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname
$policy_bank{'AM.PDP-SOCK'} = {
  protocol => 'AM.PDP',
  auth_required_release => 0,  # do not require secret_id for amavisd-release
};
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31;  # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
$penpals_bonus_score = 8;    # (no effect without a @storage_sql_dsn database)
$penpals_threshold_high = $sa_kill_level_deflt;  # don't waste time on hi spam
$bounce_killer_score = 100;  # spam score points to add for joe-jobbed bounces
$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?
$virus_admin               = "virusalert\@$mydomain";  # notifications recip.
$mailfrom_notify_admin     = "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_recip     = "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef
@addr_extension_virus_maps      = ('virus');
@addr_extension_banned_maps     = ('banned');
@addr_extension_spam_maps       = ('spam');
@addr_extension_bad_header_maps = ('badh');
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not enforced)
$sa_spam_subject_tag = '***SPAM*** ';
$defang_virus  = 1;  # MIME-wrap passed infected mail
$defang_banned = 1;  # MIME-wrap passed mail containing banned name
$defang_by_ccat{+CC_BADH.",3"} = 1;  # NUL or CR character in header
$defang_by_ccat{+CC_BADH.",5"} = 1;  # header line longer than 998 characters
$defang_by_ccat{+CC_BADH.",6"} = 1;  # header field syntax error
$final_virus_destiny      = D_REJECT;
$final_banned_destiny     = D_REJECT;
$final_spam_destiny       = D_REJECT;
$virus_quarantine_to = undef;
$banned_quarantine_to = undef;
$spam_quarantine_to = undef;
$bad_header_quarantine_to = undef;
@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$',   # retain full original message for virus checking
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));
$banned_filename_re = new_RE(
  qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
  qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary
  qr'^application/x-msdownload$'i,        # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,
  # block certain double extensions in filenames
  qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
  qr'.\.(exe|vbs|pif|scr|cpl)$'i,             # banned extension - basic
);
@score_sender_maps = ({ # a by-recipient hash lookup table,
                        # results from all matching recipient tables are summed
  ## site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost
   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
   ),
   { # a hash-type lookup table (associative array)
     'nobody@cert.org'                        => -3.0,
     'cert-advisory@us-cert.gov'              => -3.0,
     'owner-alert@iss.net'                    => -3.0,
     'slashdot@slashdot.org'                  => -3.0,
     'securityfocus.com'                      => -3.0,
     'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
     'security-alerts@linuxsecurity.com'      => -3.0,
     'mailman-announce-admin@python.org'      => -3.0,
     'amavis-user-admin@lists.sourceforge.net'=> -3.0,
     'amavis-user-bounces@lists.sourceforge.net' => -3.0,
     'spamassassin.apache.org'                => -3.0,
     'notification-return@lists.sophos.com'   => -3.0,
     'owner-postfix-users@postfix.org'        => -3.0,
     'owner-postfix-announce@postfix.org'     => -3.0,
     'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
     'sendmail-announce-request@lists.sendmail.org' => -3.0,
     'donotreply@sendmail.org'                => -3.0,
     'ca+envelope@sendmail.org'               => -3.0,
     'noreply@freshmeat.net'                  => -3.0,
     'owner-technews@postel.acm.org'          => -3.0,
     'ietf-123-owner@loki.ietf.org'           => -3.0,
     'cvs-commits-list-admin@gnome.org'       => -3.0,
     'rt-users-admin@lists.fsck.com'          => -3.0,
     'clp-request@comp.nus.edu.sg'            => -3.0,
     'surveys-errors@lists.nua.ie'            => -3.0,
     'emailnews@genomeweb.com'                => -5.0,
     'yahoo-dev-null@yahoo-inc.com'           => -3.0,
     'returns.groups.yahoo.com'               => -3.0,
     'clusternews@linuxnetworx.com'           => -3.0,
     lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
     lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
     # soft-blacklisting (positive score)
     'sender@example.net'                     =>  3.0,
     '.example.net'                           =>  1.0,
   },
  ],  # end of site-wide tables
});
@decoders = (
  ['mail', \&do_mime_decode],
  ['asc',  \&do_ascii],
  ['uue',  \&do_ascii],
  ['hqx',  \&do_ascii],
  ['ync',  \&do_ascii],
  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
  ['gz',   \&do_uncompress,  'gzip -d'],
  ['gz',   \&do_gunzip],
  ['bz2',  \&do_uncompress,  'bzip2 -d'],
  ['lzo',  \&do_uncompress,  'lzop -d'],
  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
  ['cpio', \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['tar',  \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['deb',  \&do_ar,          'ar'],
  ['zip',  \&do_unzip],
  ['7z',   \&do_7zip,       ['7zr','7za','7z'] ],
  ['rar',  \&do_unrar,      ['rar','unrar'] ],
  ['arj',  \&do_unarj,      ['arj','unarj'] ],
  ['arc',  \&do_arc,        ['nomarch','arc'] ],
  ['zoo',  \&do_zoo,        ['zoo','unzoo'] ],
  ['lha',  \&do_lha,         'lha'],
  ['cab',  \&do_cabextract,  'cabextract'],
  ['tnef', \&do_tnef_ext,    'tnef'],
  ['tnef', \&do_tnef],
  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);
@av_scanners = (
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"],
  qr/\bOK$/m, qr/\bFOUND$/m,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
  ### http://www.kaspersky.com/  (kav4mailservers)
  ['KasperskyLab AVP - aveclient',
    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
     '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
    '-p /var/run/aveserver -s {}/*',
    [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m,
    qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m,
  ],
  # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious,
  # currupted or protected archives are to be handled
  ### http://www.kaspersky.com/
  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
    '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],    # any use for -A -K   ?
    qr/infected: (.+)/m,
    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],
  ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
  ### products and replaced by aveserver and aveclient
  ['KasperskyLab AVPDaemonClient',
    [ '/opt/AVP/kavdaemon',       'kavdaemon',
      '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
      '/opt/AVP/AvpTeamDream',    'AvpTeamDream',
      '/opt/AVP/avpdc', 'avpdc' ],
    "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ],
    # change the startup-script in /etc/init.d/kavd to:
    #   DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
    #   (or perhaps:   DPARMS="-I0 -Y -* /var/amavis" )
    # adjusting /var/amavis above to match your $TEMPBASE.
    # The '-f=/var/amavis' is needed if not running it as root, so it
    # can find, read, and write its pid file, etc., see 'man kavdaemon'.
    # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
    #   directory $TEMPBASE specifies) in the 'Names=' section.
    # cd /opt/AVP/DaemonClients; configure; cd Sample; make
    # cp AvpDaemonClient /opt/AVP/
    # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"
  ### http://www.centralcommand.com/
  ['CentralCommand Vexira (new) vascan',
    ['vascan','/usr/lib/Vexira/vascan'],
    "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
    "--log=/var/log/vascan.log {}",
    [0,3], [1,2,5],
    qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ],
    # Adjust the path of the binary and the virus database as needed.
    # 'vascan' does not allow to have the temp directory to be the same as
    # the quarantine directory, and the quarantine option can not be disabled.
    # If $QUARANTINEDIR is not used, then another directory must be specified
    # to appease 'vascan'. Move status 3 to the second list if password
    # protected files are to be considered infected.
  ### http://www.avira.com/
  ### Avira AntiVir (formerly H+BEDV) or (old) CentralCommand Vexira Antivirus
  ['Avira AntiVir', ['antivir','vexira'],
    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m,
    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ],
    # NOTE: if you only have a demo version, remove -z and add 214, as in:
    #  '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,
  ### http://www.commandsoftware.com/
  ['Command AntiVirus for Linux', 'csav',
    '-all -archive -packed {}', [50], [51,52,53],
    qr/Infection: (.+)/m ],
  ### http://www.symantec.com/
  ['Symantec CarrierScan via Symantec CommandLineScanner',
    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
    qr/^Files Infected:\s+0$/m, qr/^Infected\b/m,
    qr/^(?:Info|Virus Name):\s+(.+)/m ],
  ### http://www.symantec.com/
  ['Symantec AntiVirus Scan Engine',
    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
    [0], qr/^Infected\b/m,
    qr/^(?:Info|Virus Name):\s+(.+)/m ],
    # NOTE: check options and patterns to see which entry better applies
  ### http://www.f-secure.com/products/anti-virus/  version 5.52
   ['F-Secure Antivirus for Linux servers',
    ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
    '--virus-action1=report --archive=yes --auto=yes '.
    '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8],
    qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],
    # NOTE: internal archive handling may be switched off by '--archive=no'
    #   to prevent fsav from exiting with status 9 on broken archives
  ['CAI InoculateIT', 'inocucmd',  # retired product
    '-sec -nex {}', [0], [100],
    qr/was infected by virus (.+)/m ],
  # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html
  ### http://www3.ca.com/Solutions/Product.asp?ID=156  (ex InoculateIT)
  ['CAI eTrust Antivirus', 'etrust-wrapper',
    '-arc -nex -spm h {}', [0], [101],
    qr/is infected by virus: (.+)/m ],
    # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
    # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783
  ### http://mks.com.pl/english.html
  ['MkS_Vir for Linux (beta)', ['mks32','mks'],
    '-s {}/*', [0], [1,2],
    qr/--[ \t]*(.+)/m ],
  ### http://mks.com.pl/english.html
  ['MkS_Vir daemon', 'mksscan',
    '-s -q {}', [0], [1..7],
    qr/^... (\S+)/m ],
  ### http://www.eset.com/, version 3.0
  ['ESET Software ESETS Command Line Interface',
    ['/usr/bin/esets_cli', 'esets_cli'],
    '--subdir {}', [0], [1,2,3],
    qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ],
  ## http://www.nod32.com/,  NOD32LFS version 2.5 and above
  ['ESET NOD32 for Linux File servers',
    ['/opt/eset/nod32/sbin/nod32','nod32'],
    '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
    '-w -a --action=1 -b {}',
    [0], [1,10], qr/^object=.*, virus="(.*?)",/m ],
  ### http://www.norman.com/products_nvc.shtml
  ['Norman Virus Control v5 / Linux', 'nvcc',
    '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
    qr/(?i).* virus in .* -> \'(.+)\'/m ],
  ### http://www.pandasoftware.com/
  ['Panda CommandLineSecure 9 for Linux',
    ['/opt/pavcl/usr/bin/pavcl','pavcl'],
    '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
    qr/Number of files infected[ .]*: 0+(?!\d)/m,
    qr/Number of files infected[ .]*: 0*[1-9]/m,
    qr/Found virus :\s*(\S+)/m ],
  # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr'
  # before starting amavisd - the bases are then loaded only once at startup.
  # To reload bases in a signature update script:
  #   /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr
  # Please review other options of pavcl, for example:
  #  -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies
  ### http://www.nai.com/
  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
    '--secure -rv --mime --summary --noboot - {}', [0], [13],
    qr/(?x) Found (?:
        \ the\ (.+)\ (?:virus|trojan)  |
        \ (?:virus|trojan)\ or\ variant\ ([^ ]+)  |
        :\ (.+)\ NOT\ a\ virus)/m,
  # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
  # sub {delete $ENV{LD_PRELOAD}},
  ],
  # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
  # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
  # and then clear it when finished to avoid confusing anything else.
  # NOTE2: to treat encrypted files as viruses replace the [13] with:
  #  qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/
  ### http://www.virusbuster.hu/en/
  ['VirusBuster', ['vbuster', 'vbengcl'],
    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
    qr/: '(.*)' - Virus/m ],
  # VirusBuster Ltd. does not support the daemon version for the workstation
  # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
  # binaries, some parameters AND return codes have changed (from 3 to 1).
  # See also the new Vexira entry 'vascan' which is possibly related.
  ### http://www.cyber.com/
  ['CyberSoft VFind', 'vfind',
    '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m,
  # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
  ],
  ### http://www.avast.com/
  ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
    '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ],
  ### http://www.ikarus-software.com/
  ['Ikarus AntiVirus for Linux', 'ikarus',
    '{}', [0], [40], qr/Signature (.+) found/m ],
  ### http://www.bitdefender.com/
  ['BitDefender', 'bdscan',  # new version
    '--action=ignore --no-list {}', qr/^Infected files\s*:\s*0+(?!\d)/m,
    qr/^(?:Infected files|Identified viruses|Suspect files)\s*:\s*0*[1-9]/m,
    qr/(?:suspected|infected)\s*:\s*(.*)(?:\033|$)/m ],
  ### http://www.bitdefender.com/
  ['BitDefender', 'bdc',  # old version
    '--arc --mail {}', qr/^Infected files *:0+(?!\d)/m,
    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m,
    qr/(?:suspected|infected): (.*)(?:\033|$)/m ],
  # consider also: --all --nowarn --alev=15 --flev=15.  The --all argument may
  # not apply to your version of bdc, check documentation and see 'bdc --help'
  ### ArcaVir for Linux and Unix http://www.arcabit.pl/
  ['ArcaVir for Linux', ['arcacmd','arcacmd.static'],
    '-v 1 -summary 0 -s {}', [0], [1,2],
    qr/(?:VIR|WIR):[ \t]*(.+)/m ],
);
@av_scanners_backup = (
  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
  ['ClamAV-clamscan', 'clamscan',
    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
  ### http://www.f-prot.com/   - backs up F-Prot Daemon, V6
  ['F-PROT Antivirus for UNIX', ['fpscan'],
    '--report --mount --adware {}',  # consider: --applications -s 4 -u 3 -z 10
    [0,8,64],  [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3],
    qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ],
  ### http://www.f-prot.com/   - backs up F-Prot Daemon (old)
  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
    '-dumb -archive -packed {}', [0,8], [3,6],   # or: [0], [3,6,8],
    qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ],
  ### http://www.trendmicro.com/   - backs up Trophie
  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
    '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ],
  ### http://www.sald.com/, http://drweb.imshop.de/   - backs up DrWebD
  ['drweb - DrWeb Antivirus',  # security LHA hole in Dr.Web 4.33 and earlier
    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
    '-path={} -al -go -ot -cn -upn -ok-',
    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ],
   ### http://www.kaspersky.com/
   ['Kaspersky Antivirus v5.5',
     ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
      '/opt/kav/5.5/kav4unix/bin/kavscanner',
      '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
     '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
     qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m,
   ],
);
1;  # insure a defined return value 

Programmstart

clamd

Nun ist es an der Zeit unseren ClamAV-Daemon das erste mal zu starten.

 # service clamd start
Starting Clam AntiVirus Daemon: LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************
                                                           [  OK  ]

Wir müssen also unser Virendatenbank erst einmal updaten - Hierzu nutzen wir das Programm freshclam aus dem Paket clamav. Wir stoppen nun erst einmal unseren Daemon uns fahren mit der Installation und Konfiguration der weiteren Schritte fort.

 # service clamd stop
 Stopping Clam AntiVirus Daemon:                            [  OK  ]

amavisd

Zum Aktivieren der vorgenannten Konfigurationsänderungen in der /etc/amavisd.conf, führen wir nun einen Restart unseres A MAil Virus Scanners durch.

 # service amavisd restart
 Mail Virus Scanner (amavisd) beenden:                      [  OK  ]
 Mail Virus Scanner (amavisd) starten:                      [  OK  ]
 Mail Virus Scanner (amavisd) starten:                      [  OK  ]

Im Maillog /var/log/maillog wird der erfolgreiche Restart entsprechend vermerkt:

Nov 20 22:52:07 nss amavis[27959]: (27959-10) TempDir removal: empty tempdir is being removed: /var/amavis/tmp/amavis-20081120T212043-27959
Nov 20 22:52:07 nss amavis[27960]: (27960-09) TempDir removal: empty tempdir is being removed: /var/amavis/tmp/amavis-20081120T211933-27960
Nov 20 22:52:07 nss amavis[27957]: Net::Server: 2008/11/20-22:52:07 Server closing!
Nov 20 22:52:09 nss amavis[29613]: logging initialized, log level 3, syslog: amavis.mail
Nov 20 22:52:09 nss amavis[29613]: starting.  /usr/sbin/amavisd at amavis.nausch.org amavisd-new-2.5.4 (20080312), Unicode aware, LANG="de_DE.UTF-8"
Nov 20 22:52:09 nss amavis[29613]: user=103, EUID: 103 (103);  group=, EGID: 106 106 (106 106)
Nov 20 22:52:09 nss amavis[29613]: Perl version               5.008008
Nov 20 22:52:09 nss amavis[29613]: INFO: SA version: 3.2.4, 3.002004, no optional modules: Net::CIDR::Lite Sys::Hostname::Long Mail::SpamAssassin::BayesStore::PgSQL Encode::Detect Mail::SpamAssassin::Plugin::DKIM Razor2::Client::Agent IP::Country::Fast Mail::DKIM Mail::DKIM::Verifier Image::Info Image::Info::GIF Image::Info::JPEG Image::Info::PNG Image::Info::TIFF Mail::SPF Mail::SPF::Server Mail::SPF::Request Mail::SPF::Mech Mail::SPF::Mech::A Mail::SPF::Mech::PTR Mail::SPF::Mech::All Mail::SPF::Mech::Exists Mail::SPF::Mech::IP4 Mail::SPF::Mech::IP6 Mail::SPF::Mech::Include Mail::SPF::Mech::MX Mail::SPF::Mod Mail::SPF::Mod::Exp Mail::SPF::Mod::Redirect Mail::SPF::SenderIPAddrMech Mail::SPF::v1::Record Mail::SPF::v2::Record NetAddr::IP NetAddr::IP::Util auto::NetAddr::IP::Util::inet_n2dx auto::NetAddr::IP::Util::ipv6_n2d Mail::SPF::Query Crypt::OpenSSL::RSA auto::Crypt::OpenSSL::RSA::new_public_key auto::Crypt::OpenSSL::RSA::new_key_from_parameters auto::Crypt::OpenSSL::RSA::get_key_parameters aut...
Nov 20 22:52:09 nss amavis[29613]: ...o::Crypt::OpenSSL::RSA::import_random_seed Digest::SHA Error
Nov 20 22:52:09 nss amavis[29613]: SpamControl: init_pre_chroot done
Nov 20 22:52:09 nss amavis[29614]: Net::Server: Process Backgrounded
Nov 20 22:52:09 nss amavis[29614]: Net::Server: 2008/11/20-22:52:09 Amavis (type Net::Server::PreForkSimple) starting! pid(29614)
Nov 20 22:52:09 nss amavis[29614]: Net::Server: Binding to UNIX socket file /var/amavis/amavisd.sock using SOCK_STREAM
Nov 20 22:52:09 nss amavis[29614]: Net::Server: Binding to TCP port 10024 on host 127.0.0.1
Nov 20 22:52:09 nss amavis[29614]: Net::Server: Group Not Defined.  Defaulting to EGID '106 106'
Nov 20 22:52:09 nss amavis[29614]: Net::Server: User Not Defined.  Defaulting to EUID '103'
Nov 20 22:52:09 nss amavis[29614]: config files read: /etc/amavisd.conf
Nov 20 22:52:09 nss amavis[29614]: Module Amavis::Conf        2.094
Nov 20 22:52:09 nss amavis[29614]: Module Archive::Zip        1.16
Nov 20 22:52:09 nss amavis[29614]: Module BerkeleyDB          0.36
Nov 20 22:52:09 nss amavis[29614]: Module Compress::Zlib      1.42
Nov 20 22:52:09 nss amavis[29614]: Module Convert::TNEF       0.17
Nov 20 22:52:09 nss amavis[29614]: Module Convert::UUlib      1.051
Nov 20 22:52:09 nss amavis[29614]: Module DBD::mysql          4.008
Nov 20 22:52:09 nss amavis[29614]: Module DBI                 1.52
Nov 20 22:52:09 nss amavis[29614]: Module DB_File             1.814
Nov 20 22:52:09 nss amavis[29614]: Module Digest::MD5         2.36
Nov 20 22:52:09 nss amavis[29614]: Module Digest::SHA1        2.11
Nov 20 22:52:09 nss amavis[29614]: Module IO::Socket::INET6   2.51
Nov 20 22:52:09 nss amavis[29614]: Module MIME::Entity        5.420
Nov 20 22:52:09 nss amavis[29614]: Module MIME::Parser        5.420
Nov 20 22:52:09 nss amavis[29614]: Module MIME::Tools         5.420
Nov 20 22:52:09 nss amavis[29614]: Module Mail::Header        1.77
Nov 20 22:52:09 nss amavis[29614]: Module Mail::Internet      1.77
Nov 20 22:52:09 nss amavis[29614]: Module Mail::SpamAssassin  3.002004
Nov 20 22:52:09 nss amavis[29614]: Module Net::DNS            0.59
Nov 20 22:52:09 nss amavis[29614]: Module Net::Server         0.97
Nov 20 22:52:09 nss amavis[29614]: Module Time::HiRes         1.86
Nov 20 22:52:09 nss amavis[29614]: Module URI                 1.35
Nov 20 22:52:09 nss amavis[29614]: Module Unix::Syslog        1.0
Nov 20 22:52:09 nss amavis[29614]: Amavis::DB code      loaded
Nov 20 22:52:09 nss amavis[29614]: Amavis::Cache code   loaded
Nov 20 22:52:09 nss amavis[29614]: SQL base code        NOT loaded
Nov 20 22:52:09 nss amavis[29614]: SQL::Log code        NOT loaded
Nov 20 22:52:09 nss amavis[29614]: SQL::Quarantine      NOT loaded
Nov 20 22:52:09 nss amavis[29614]: Lookup::SQL code     NOT loaded
Nov 20 22:52:09 nss amavis[29614]: Lookup::LDAP code    NOT loaded
Nov 20 22:52:09 nss amavis[29614]: AM.PDP-in proto code loaded
Nov 20 22:52:09 nss amavis[29614]: SMTP-in proto code   loaded
Nov 20 22:52:09 nss amavis[29614]: Courier proto code   NOT loaded
Nov 20 22:52:09 nss amavis[29614]: SMTP-out proto code  loaded
Nov 20 22:52:09 nss amavis[29614]: Pipe-out proto code  NOT loaded
Nov 20 22:52:09 nss amavis[29614]: BSMTP-out proto code NOT loaded
Nov 20 22:52:09 nss amavis[29614]: Local-out proto code loaded
Nov 20 22:52:09 nss amavis[29614]: OS_Fingerprint code  NOT loaded
Nov 20 22:52:09 nss amavis[29614]: ANTI-VIRUS code      loaded
Nov 20 22:52:09 nss amavis[29614]: ANTI-SPAM code       loaded
Nov 20 22:52:09 nss amavis[29614]: ANTI-SPAM-SA code    loaded
Nov 20 22:52:09 nss amavis[29614]: Unpackers code       loaded
Nov 20 22:52:09 nss amavis[29614]: Found $file            at /usr/bin/file
Nov 20 22:52:09 nss amavis[29614]: No $dspam,             not using it
Nov 20 22:52:09 nss amavis[29614]: No $altermime,         not using it
Nov 20 22:52:09 nss amavis[29614]: Internal decoder for .mail
Nov 20 22:52:09 nss amavis[29614]: Internal decoder for .asc 
Nov 20 22:52:09 nss amavis[29614]: Internal decoder for .uue 
Nov 20 22:52:09 nss amavis[29614]: Internal decoder for .hqx 
Nov 20 22:52:09 nss amavis[29614]: Internal decoder for .ync 
Nov 20 22:52:09 nss amavis[29614]: Found decoder for    .F    at /usr/bin/unfreeze
Nov 20 22:52:09 nss amavis[29614]: Found decoder for    .Z    at /usr/bin/uncompress
Nov 20 22:52:09 nss amavis[29614]: Found decoder for    .gz   at /usr/bin/gzip -d
Nov 20 22:52:09 nss amavis[29614]: Internal decoder for .gz   (backup, not used)
Nov 20 22:52:09 nss amavis[29614]: Found decoder for    .bz2  at /usr/bin/bzip2 -d
Nov 20 22:52:09 nss amavis[29614]: Found decoder for    .lzo  at /usr/bin/lzop -d
Nov 20 22:52:09 nss amavis[29614]: Found decoder for    .rpm  at /usr/bin/rpm2cpio
Nov 20 22:52:09 nss amavis[29614]: Found decoder for    .cpio at /usr/bin/pax
Nov 20 22:52:09 nss amavis[29614]: Found decoder for    .tar  at /usr/bin/pax
Nov 20 22:52:09 nss amavis[29614]: Found decoder for    .deb  at /usr/bin/ar
Nov 20 22:52:09 nss amavis[29614]: Internal decoder for .zip 
Nov 20 22:52:09 nss amavis[29614]: No decoder for       .7z   tried: 7zr, 7za, 7z
Nov 20 22:52:09 nss amavis[29614]: Found decoder for    .rar  at /usr/bin/unrar
Nov 20 22:52:09 nss amavis[29614]: Found decoder for    .arj  at /usr/bin/arj
Nov 20 22:52:09 nss amavis[29614]: Found decoder for    .arc  at /usr/bin/nomarch
Nov 20 22:52:09 nss amavis[29614]: Found decoder for    .zoo  at /usr/bin/zoo
Nov 20 22:52:09 nss amavis[29614]: Found decoder for    .lha  at /usr/bin/lha
Nov 20 22:52:09 nss amavis[29614]: Found decoder for    .cab  at /usr/bin/cabextract
Nov 20 22:52:09 nss amavis[29614]: No decoder for       .tnef tried: tnef
Nov 20 22:52:09 nss amavis[29614]: Internal decoder for .tnef
Nov 20 22:52:09 nss amavis[29614]: Found decoder for    .exe  at /usr/bin/unrar; /usr/bin/lha; /usr/bin/arj
Nov 20 22:52:09 nss amavis[29614]: Using primary internal av scanner code for ClamAV-clamd
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: KasperskyLab AVP - aveclient
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: KasperskyLab AntiViral Toolkit Pro (AVP)
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: KasperskyLab AVPDaemonClient
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: CentralCommand Vexira (new) vascan
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: Avira AntiVir
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: Command AntiVirus for Linux
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: Symantec CarrierScan via Symantec CommandLineScanner
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: Symantec AntiVirus Scan Engine
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: F-Secure Antivirus for Linux servers
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: CAI InoculateIT
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: CAI eTrust Antivirus
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: MkS_Vir for Linux (beta)
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: MkS_Vir daemon
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: ESET NOD32 Linux Mail Server - command line interface
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: ESET NOD32 for Linux File servers
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: Norman Virus Control v5 / Linux
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: Panda CommandLineSecure 9 for Linux
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: NAI McAfee AntiVirus (uvscan)
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: VirusBuster
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: CyberSoft VFind
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: avast! Antivirus
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: Ikarus AntiVirus for Linux
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: BitDefender
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: BitDefender
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: ArcaVir for Linux
Nov 20 22:52:09 nss amavis[29614]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Nov 20 22:52:09 nss amavis[29614]: No secondary av scanner: F-PROT Antivirus for UNIX
Nov 20 22:52:09 nss amavis[29614]: No secondary av scanner: FRISK F-Prot Antivirus
Nov 20 22:52:09 nss amavis[29614]: No secondary av scanner: Trend Micro FileScanner
Nov 20 22:52:09 nss amavis[29614]: No secondary av scanner: drweb - DrWeb Antivirus
Nov 20 22:52:09 nss amavis[29614]: No secondary av scanner: Kaspersky Antivirus v5.5
Nov 20 22:52:09 nss amavis[29614]: Creating db in /var/amavis/db/; BerkeleyDB 0.36, libdb 4.3
Nov 20 22:52:09 nss amavis[29614]: SpamControl: initializing Mail::SpamAssassin
Nov 20 22:52:10 nss amavis[29614]: SpamControl: init_pre_fork done
Nov 20 22:52:10 nss amavis[29620]: TIMING [total 5 ms] - bdb-open: 5 (100%)100, rundown: 0 (0%)100
Nov 20 22:52:10 nss amavis[29621]: TIMING [total 5 ms] - bdb-open: 5 (100%)100, rundown: 0 (0%)100

automatisches Starten der Dienste beim Systemstart

clamd

Damit nun unser clamav-daemon beim Booten automatisch gestartet wird, nehmen wir noch folgende Konfigurationsschritte vor.

chkconfig clamd on

Anschließend überprüfen wir noch unsere Änderung:

 chkconfig --list | grep clamd
 clamd           0:Aus   1:Aus   2:Ein   3:Ein   4:Ein   5:Ein   6:Aus

amavisd

Den automatischen Start haben wir bereits im Kapitel grundinstallation_von_amavis vorgenommen.