Virus protection with ClamAV
As our virus scanner and virus killer we use clamav.
Installation
For this we install the corresponding daemon via yum.
yum install clamd clamav clamav-db
Info
What each of the packages provides can be read from the respective RPMs.
yum info clamd
Name       : clamd
...
Summary    : The Clam AntiVirus Daemon
Description: The Clam AntiVirus Daemon

yum info clamav
Name       : clamav
...
Summary    : Anti-virus software
Description: Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose of
this software is the integration with mail servers (attachment scanning). The package
provides a flexible and scalable multi-threaded daemon, a command line scanner, and a
tool for automatic updating via Internet. The programs are based on a shared library
distributed with the Clam AntiVirus package, which you can use with your own software.
Most importantly, the virus database is kept up to date

yum info clamav-db
Name       : clamav-db
...
Summary    : Virus database for clamav
Description: The actual virus database for clamav
Program paths and contents
We find out which files and paths the installed packages contain by means of:
rpm -ql clamd
/etc/clamd.conf
/etc/logrotate.d/clamav
/etc/rc.d/init.d/clamd
/usr/bin/clamconf
/usr/bin/clamdscan
/usr/sbin/clamd
/usr/share/doc/clamd-0.94.1
/usr/share/doc/clamd-0.94.1/clamd.conf
/usr/share/doc/clamd-0.94.1/clamdwatch
/usr/share/doc/clamd-0.94.1/clamdwatch/clamdwatch.tar.gz
/usr/share/man/man1/clamconf.1.gz
/usr/share/man/man1/clamdscan.1.gz
/usr/share/man/man5/clamd.conf.5.gz
/usr/share/man/man8/clamd.8.gz
/var/clamav
/var/log/clamav
/var/run/clamav
rpm -ql clamav
/etc/freshclam.conf
/usr/bin/clamscan
/usr/bin/freshclam
/usr/bin/sigtool
/usr/lib/libclamav.so.5
/usr/lib/libclamav.so.5.0.3
/usr/lib/libclamunrar.so.5
/usr/lib/libclamunrar.so.5.0.3
/usr/lib/libclamunrar_iface.so.5
/usr/lib/libclamunrar_iface.so.5.0.3
/usr/share/doc/clamav-0.94.1
/usr/share/doc/clamav-0.94.1/AUTHORS
/usr/share/doc/clamav-0.94.1/BUGS
/usr/share/doc/clamav-0.94.1/COPYING
/usr/share/doc/clamav-0.94.1/ChangeLog
/usr/share/doc/clamav-0.94.1/FAQ
/usr/share/doc/clamav-0.94.1/INSTALL
/usr/share/doc/clamav-0.94.1/NEWS
/usr/share/doc/clamav-0.94.1/README
/usr/share/doc/clamav-0.94.1/clamav-mirror-howto.pdf
/usr/share/doc/clamav-0.94.1/clamdoc.pdf
/usr/share/doc/clamav-0.94.1/freshclam.conf
/usr/share/doc/clamav-0.94.1/phishsigs_howto.pdf
/usr/share/doc/clamav-0.94.1/signatures.pdf
/usr/share/doc/clamav-0.94.1/test
/usr/share/doc/clamav-0.94.1/test/.split
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-aspack.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-aspack.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-fsg.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-fsg.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-mew.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-mew.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-nsis.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-nsis.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-pespin.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-pespin.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-petite.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-petite.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-upack.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-upack.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-upx.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-upx.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-v2.raraa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-v2.rarab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-v3.raraa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-v3.rarab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-wwpack.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam-wwpack.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.arjaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.arjab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.bz2.zipaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.bz2.zipab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.cabaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.cabab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.chmaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.chmab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.d64.zipaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.d64.zipab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ea05.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ea05.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ea06.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ea06.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.binhexaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.binhexab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.bz2aa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.bz2ab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.htmlaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.htmlab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.mbox.base64aa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.mbox.base64ab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.mbox.uuaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.mbox.uuab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.rtfaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.rtfab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.szddaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exe.szddab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exeaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.exeab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.impl.zipaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.impl.zipab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.mailaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.mailab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ole.docaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.ole.docab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.pdfaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.pdfab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.pptaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.pptab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.sisaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.sisab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.tar.gzaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.tar.gzab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.tnefaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.tnefab
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.zipaa
/usr/share/doc/clamav-0.94.1/test/.split/split.clam.zipab
/usr/share/doc/clamav-0.94.1/test/Makefile
/usr/share/doc/clamav-0.94.1/test/Makefile.am
/usr/share/doc/clamav-0.94.1/test/Makefile.in
/usr/share/doc/clamav-0.94.1/test/README
/usr/share/doc/clamav-0.94.1/test/clam-aspack.exe
/usr/share/doc/clamav-0.94.1/test/clam-fsg.exe
/usr/share/doc/clamav-0.94.1/test/clam-mew.exe
/usr/share/doc/clamav-0.94.1/test/clam-nsis.exe
/usr/share/doc/clamav-0.94.1/test/clam-pespin.exe
/usr/share/doc/clamav-0.94.1/test/clam-petite.exe
/usr/share/doc/clamav-0.94.1/test/clam-upack.exe
/usr/share/doc/clamav-0.94.1/test/clam-upx.exe
/usr/share/doc/clamav-0.94.1/test/clam-v2.rar
/usr/share/doc/clamav-0.94.1/test/clam-v3.rar
/usr/share/doc/clamav-0.94.1/test/clam-wwpack.exe
/usr/share/doc/clamav-0.94.1/test/clam.arj
/usr/share/doc/clamav-0.94.1/test/clam.bz2.zip
/usr/share/doc/clamav-0.94.1/test/clam.cab
/usr/share/doc/clamav-0.94.1/test/clam.chm
/usr/share/doc/clamav-0.94.1/test/clam.d64.zip
/usr/share/doc/clamav-0.94.1/test/clam.ea05.exe
/usr/share/doc/clamav-0.94.1/test/clam.ea06.exe
/usr/share/doc/clamav-0.94.1/test/clam.exe
/usr/share/doc/clamav-0.94.1/test/clam.exe.binhex
/usr/share/doc/clamav-0.94.1/test/clam.exe.bz2
/usr/share/doc/clamav-0.94.1/test/clam.exe.html
/usr/share/doc/clamav-0.94.1/test/clam.exe.mbox.base64
/usr/share/doc/clamav-0.94.1/test/clam.exe.mbox.uu
/usr/share/doc/clamav-0.94.1/test/clam.exe.rtf
/usr/share/doc/clamav-0.94.1/test/clam.exe.szdd
/usr/share/doc/clamav-0.94.1/test/clam.impl.zip
/usr/share/doc/clamav-0.94.1/test/clam.mail
/usr/share/doc/clamav-0.94.1/test/clam.ole.doc
/usr/share/doc/clamav-0.94.1/test/clam.pdf
/usr/share/doc/clamav-0.94.1/test/clam.ppt
/usr/share/doc/clamav-0.94.1/test/clam.sis
/usr/share/doc/clamav-0.94.1/test/clam.tar.gz
/usr/share/doc/clamav-0.94.1/test/clam.tnef
/usr/share/doc/clamav-0.94.1/test/clam.zip
/usr/share/man/man1/clamscan.1.gz
/usr/share/man/man1/freshclam.1.gz
/usr/share/man/man1/sigtool.1.gz
/usr/share/man/man5/freshclam.conf.5.gz
rpm -ql clamav-db
/etc/cron.daily/freshclam
/etc/logrotate.d/freshclam
/var/clamav
/var/clamav/daily.cvd
/var/clamav/main.cvd
/var/log/clamav
Configuration
clamd
We adapt the configuration file of the ClamAV daemon, /etc/clamd.conf, to our environment. Particularly important are these three parameters:
- User clamav
- AllowSupplementaryGroups yes
- LocalSocket /tmp/clamd.socket
In total this gives the following overall configuration:
egrep -v '(^.*#|^$)' /etc/clamd.conf
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime yes
LogSyslog yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/clamav
LocalSocket /tmp/clamd.socket
FixStaleSocket yes
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User clamav
AllowSupplementaryGroups yes
ScanPE yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
ScanMail yes
ScanArchive yes
ArchiveBlockEncrypted no
As noted in /etc/amavisd.conf
# # NOTE: run clamd under the same user as amavisd, or run it under its own
# #   uid such as clamav, add user clamav to the amavis group, and then add
# #   AllowSupplementaryGroups to clamd.conf;
we add the user clamav to the group amavis.
vim /etc/group
amavis:x:106:clamav
amavisd
Our virus killer clamav is configured through its frontend AMaViS. So we edit the file amavisd.conf.
vim /etc/amavisd.conf
We adapt the path settings to our environment:
$MYHOME = '/var/amavis';   # a convenient default for other settings, -H
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = "/var/virusmails";
Likewise:
$db_home   = "$MYHOME/db";     # dir for bdb nanny/cache/snmp databases, -D
$helpers_home = "$MYHOME/var"; # working directory for SpamAssassin, -S
$lock_file = "$MYHOME/var/amavisd.lock";  # -L
$pid_file  = "$MYHOME/var/amavisd.pid";   # -P
$unix_socketname = "$MYHOME/amavisd.sock";  # amavisd-release or amavis-milter
For the first start we turn the log level up to 3; in later production use we can lower it to 2. This way we get valuable and sufficient hints during the initial phase if something does not run as planned.
$log_level = 3; # verbosity 0..5, -d
Since we want to deal neither with viruses nor with spam or unwanted attachments, we instruct AMaViS to have such messages rejected directly by the mail server.
$final_virus_destiny  = D_REJECT;
$final_banned_destiny = D_REJECT;
$final_spam_destiny   = D_REJECT;
Since we want to use ClamAV primarily in its daemonized variant (clamd) and only as a fallback via the backup scanner, we activate the corresponding configuration lines shortly after the line @av_scanners = (. The socket path must match the settings in the /etc/clamd.conf described above!
# ### http://www.clamav.net/
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# # NOTE: run clamd under the same user as amavisd, or run it under its own
# #   uid such as clamav, add user clamav to the amavis group, and then add
# #   AllowSupplementaryGroups to clamd.conf;
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# #   this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
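The two NOTE lines above and the group edit earlier on this page tie three files together: clamd's LocalSocket, the socket path in the ClamAV-clamd entry, and the membership of the clamd user in amavisd's group (plus AllowSupplementaryGroups). If any of them drifts, clamd either cannot be reached or cannot read amavisd's unpacked mail parts, and every message falls back to the slower clamscan path. The following Python script is an added example, not code from this page, ClamAV or amavisd. The three file contents embedded in it are constructed to mirror the settings shown here, and the regular expressions that pick values out of amavisd.conf are my own simplification: they handle the single-line forms shown on this page, not arbitrary Perl.

```python
import re

# Constructed sample inputs modelled on the settings shown on this page;
# in production, pass the contents of /etc/clamd.conf, /etc/amavisd.conf
# and /etc/group instead.
CLAMD_CONF = """\
LogFile /var/log/clamav/clamd.log
LocalSocket /tmp/clamd.socket
User clamav
AllowSupplementaryGroups yes
"""

AMAVISD_CONF = r"""
$daemon_user  = "amavis";     # (no default;  customary: vscan or amavis), -u
$daemon_group = "amavis";     # (no default;  customary: vscan or amavis), -g
@av_scanners = (
  ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"],
    qr/\bOK$/m, qr/\bFOUND$/m,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
);
"""

ETC_GROUP = """\
amavis:x:106:clamav
clamav:x:107:
"""


def parse_clamd_conf(text):
    """clamd.conf is 'Option value' per line; '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts[key] = value.strip()
    return opts


def amavisd_scalar(text, name):
    """Value of a simple $name = "..." / '...' assignment (hypothetical helper)."""
    m = re.search(r"\$" + re.escape(name) + r"""\s*=\s*["']([^"']*)["']""", text)
    return m.group(1) if m else None


def amavisd_clamd_socket(text):
    """Socket path from the ["CONTSCAN {}\\n", "<path>"] argument of the clamd entry."""
    m = re.search(r'\["CONTSCAN \{\}\\n",\s*"([^"]+)"\]', text)
    return m.group(1) if m else None


def group_members(text, group):
    """Supplementary members of a group from /etc/group-style text."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == group:
            return [m for m in fields[3].split(",") if m]
    return []


def check_integration(clamd_conf, amavisd_conf, etc_group):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    clamd = parse_clamd_conf(clamd_conf)

    # 1. amavisd must talk to the socket clamd actually creates.
    socket = amavisd_clamd_socket(amavisd_conf)
    if socket is None:
        findings.append("amavisd.conf: no ClamAV-clamd entry with a socket path")
    elif clamd.get("LocalSocket") != socket:
        findings.append("socket mismatch: clamd LocalSocket=%s, amavisd uses %s"
                        % (clamd.get("LocalSocket"), socket))

    # 2. clamd must be able to read amavisd's temporary files: either it runs
    #    as the amavisd user, or its user is in amavisd's group *and* clamd is
    #    told to pick up supplementary groups.
    user = clamd.get("User")
    daemon_user = amavisd_scalar(amavisd_conf, "daemon_user")
    daemon_group = amavisd_scalar(amavisd_conf, "daemon_group")
    if user is None:
        findings.append("clamd.conf: no User directive, clamd keeps the uid it was started with")
    elif user != daemon_user:
        if user not in group_members(etc_group, daemon_group):
            findings.append("user %s is not a member of group %s" % (user, daemon_group))
        if clamd.get("AllowSupplementaryGroups", "no").lower() != "yes":
            findings.append("clamd.conf: AllowSupplementaryGroups must be yes "
                            "for the group membership to take effect")
    return findings


if __name__ == "__main__":
    result = check_integration(CLAMD_CONF, AMAVISD_CONF, ETC_GROUP)
    for line in result or ["OK: clamd and amavisd settings agree"]:
        print(line)
```

Run against the constructed inputs the script reports no findings; swapping the socket path in either file, or dropping clamav from the amavis group line, produces one finding per broken link, which is the state you want to detect before the first production message arrives.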
The complete AMaViS configuration then reads:
# egrep -v '(^#|^$)' /etc/amavisd.conf
use strict;
$max_servers = 5;            # num of pre-forked children (2..30 is common), -m
$daemon_user  = "amavis";     # (no default;  customary: vscan or amavis), -u
$daemon_group = "amavis";     # (no default;  customary: vscan or amavis), -g
$myhostname = 'amavis.nausch.org';  # hostname
$mydomain = 'nausch.org';   # a convenient default for other settings
$MYHOME = '/var/amavis';   # a convenient default for other settings, -H
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = "/var/virusmails";
$db_home   = "$MYHOME/db";     # dir for bdb nanny/cache/snmp databases, -D
$helpers_home = "$MYHOME/var"; # working directory for SpamAssassin, -S
$lock_file = "$MYHOME/var/amavisd.lock";  # -L
$pid_file  = "$MYHOME/var/amavisd.pid";   # -P
$log_level = 3;              # verbosity 0..5, -d
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_facility = 'mail';   # Syslog facility as a string
           # e.g.: mail, daemon, user, local0, ... local7
$syslog_priority = 'debug';  # Syslog base (minimal) priority as a string,
           # choose from: emerg, alert, crit, err, warning, notice, info, debug
$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
$nanny_details_level = 2;    # nanny verbosity: 1: traditional, 2: detailed
$enable_dkim_verification = 1;  # enable DKIM signatures verification
$enable_dkim_signing = 1;    # load DKIM signing code, keys defined by dkim_key
@local_domains_maps = ( [".$mydomain"] );  # list of all local domains
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
                  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
$unix_socketname = "$MYHOME/amavisd.sock";  # amavisd-release or amavis-milter
                   # option(s) -p overrides $inet_socket_port and $unix_socketname
$inet_socket_port = 10024;   # listen on this local TCP port(s)
$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
};
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps  => ["virusalert\@$mydomain"],
  warnbadhsender   => 1,
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};
$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname
$policy_bank{'AM.PDP-SOCK'} = {
  protocol => 'AM.PDP',
  auth_required_release => 0,  # do not require secret_id for amavisd-release
};
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
$penpals_bonus_score = 8;    # (no effect without a @storage_sql_dsn database)
$penpals_threshold_high = $sa_kill_level_deflt;  # don't waste time on hi spam
$bounce_killer_score = 100;  # spam score points to add for joe-jobbed bounces
$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?
$virus_admin               = "virusalert\@$mydomain";  # notifications recip.
$mailfrom_notify_admin     = "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_recip     = "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef
@addr_extension_virus_maps      = ('virus');
@addr_extension_banned_maps     = ('banned');
@addr_extension_spam_maps       = ('spam');
@addr_extension_bad_header_maps = ('badh');
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not enforced)
$sa_spam_subject_tag = '***SPAM*** ';
$defang_virus  = 1;  # MIME-wrap passed infected mail
$defang_banned = 1;  # MIME-wrap passed mail containing banned name
$defang_by_ccat{+CC_BADH.",3"} = 1;  # NUL or CR character in header
$defang_by_ccat{+CC_BADH.",5"} = 1;  # header line longer than 998 characters
$defang_by_ccat{+CC_BADH.",6"} = 1;  # header field syntax error
$final_virus_destiny      = D_REJECT;
$final_banned_destiny     = D_REJECT;
$final_spam_destiny       = D_REJECT;
$virus_quarantine_to      = undef;
$banned_quarantine_to     = undef;
$spam_quarantine_to       = undef;
$bad_header_quarantine_to = undef;
@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$',   # retain full original message for virus checking
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));
$banned_filename_re = new_RE(
  qr'^\.(exe-ms|dll)$',                  # banned file(1) types, rudimentary
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
  qr'.\.(pif|scr)$'i,                    # banned extensions - rudimentary
  qr'^application/x-msdownload$'i,       # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,
  # block certain double extensions in filenames
  qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
  qr'.\.(exe|vbs|pif|scr|cpl)$'i,        # banned extension - basic
);
@score_sender_maps = ({ # a by-recipient hash lookup table,
                        # results from all matching recipient tables are summed
  ## site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost
   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
   ),
   { # a hash-type lookup table (associative array)
    'nobody@cert.org'                        => -3.0,
    'cert-advisory@us-cert.gov'              => -3.0,
    'owner-alert@iss.net'                    => -3.0,
    'slashdot@slashdot.org'                  => -3.0,
    'securityfocus.com'                      => -3.0,
    'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
    'security-alerts@linuxsecurity.com'      => -3.0,
    'mailman-announce-admin@python.org'      => -3.0,
    'amavis-user-admin@lists.sourceforge.net'=> -3.0,
    'amavis-user-bounces@lists.sourceforge.net' => -3.0,
    'spamassassin.apache.org'                => -3.0,
    'notification-return@lists.sophos.com'   => -3.0,
    'owner-postfix-users@postfix.org'        => -3.0,
    'owner-postfix-announce@postfix.org'     => -3.0,
    'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
    'sendmail-announce-request@lists.sendmail.org' => -3.0,
    'donotreply@sendmail.org'                => -3.0,
    'ca+envelope@sendmail.org'               => -3.0,
    'noreply@freshmeat.net'                  => -3.0,
    'owner-technews@postel.acm.org'          => -3.0,
    'ietf-123-owner@loki.ietf.org'           => -3.0,
    'cvs-commits-list-admin@gnome.org'       => -3.0,
    'rt-users-admin@lists.fsck.com'          => -3.0,
    'clp-request@comp.nus.edu.sg'            => -3.0,
    'surveys-errors@lists.nua.ie'            => -3.0,
    'emailnews@genomeweb.com'                => -5.0,
    'yahoo-dev-null@yahoo-inc.com'           => -3.0,
    'returns.groups.yahoo.com'               => -3.0,
    'clusternews@linuxnetworx.com'           => -3.0,
    lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
    lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
    # soft-blacklisting (positive score)
    'sender@example.net'                     =>  3.0,
    '.example.net'                           =>  1.0,
   },
  ],  # end of site-wide tables
});
@decoders = (
  ['mail', \&do_mime_decode],
  ['asc',  \&do_ascii],
  ['uue',  \&do_ascii],
  ['hqx',  \&do_ascii],
  ['ync',  \&do_ascii],
  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
  ['gz',   \&do_uncompress, 'gzip -d'],
  ['gz',   \&do_gunzip],
  ['bz2',  \&do_uncompress, 'bzip2 -d'],
  ['lzo',  \&do_uncompress, 'lzop -d'],
  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
  ['cpio', \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['tar',  \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['deb',  \&do_ar,         'ar'],
  ['zip',  \&do_unzip],
  ['7z',   \&do_7zip,       ['7zr','7za','7z'] ],
  ['rar',  \&do_unrar,      ['rar','unrar'] ],
  ['arj',  \&do_unarj,      ['arj','unarj'] ],
  ['arc',  \&do_arc,        ['nomarch','arc'] ],
  ['zoo',  \&do_zoo,        ['zoo','unzoo'] ],
  ['lha',  \&do_lha,        'lha'],
  ['cab',  \&do_cabextract, 'cabextract'],
  ['tnef', \&do_tnef_ext,   'tnef'],
  ['tnef', \&do_tnef],
  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);
@av_scanners = (
  ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"],
    qr/\bOK$/m, qr/\bFOUND$/m,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
  ### http://www.kaspersky.com/  (kav4mailservers)
  ['KasperskyLab AVP - aveclient',
    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
     '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
    '-p /var/run/aveserver -s {}/*',
    [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m,
    qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m,
  ],
  # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious,
  # currupted or protected archives are to be handled
  ### http://www.kaspersky.com/
  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
    '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],  # any use for -A -K ?
    qr/infected: (.+)/m,
    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],
  ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
  ### products and replaced by aveserver and aveclient
  ['KasperskyLab AVPDaemonClient',
    [ '/opt/AVP/kavdaemon',       'kavdaemon',
      '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
      '/opt/AVP/AvpTeamDream',    'AvpTeamDream',
      '/opt/AVP/avpdc',           'avpdc' ],
    "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ],
  # change the startup-script in /etc/init.d/kavd to:
  #   DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
  #   (or perhaps:   DPARMS="-I0 -Y -* /var/amavis" )
  # adjusting /var/amavis above to match your $TEMPBASE.
  # The '-f=/var/amavis' is needed if not running it as root, so it
  # can find, read, and write its pid file, etc., see 'man kavdaemon'.
  # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
  # directory $TEMPBASE specifies) in the 'Names=' section.
  # cd /opt/AVP/DaemonClients; configure; cd Sample; make
  # cp AvpDaemonClient /opt/AVP/
  # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"
  ### http://www.centralcommand.com/
  ['CentralCommand Vexira (new) vascan',['vascan','/usr/lib/Vexira/vascan'],
    "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
    "--log=/var/log/vascan.log {}",
    [0,3], [1,2,5],
    qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ],
  # Adjust the path of the binary and the virus database as needed.
  # 'vascan' does not allow to have the temp directory to be the same as
  # the quarantine directory, and the quarantine option can not be disabled.
  # If $QUARANTINEDIR is not used, then another directory must be specified
  # to appease 'vascan'. Move status 3 to the second list if password
  # protected files are to be considered infected.
  ### http://www.avira.com/
  ### Avira AntiVir (formerly H+BEDV) or (old) CentralCommand Vexira Antivirus
  ['Avira AntiVir', ['antivir','vexira'],
    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m,
    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ],
  # NOTE: if you only have a demo version, remove -z and add 214, as in:
  #  '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,
  ### http://www.commandsoftware.com/
  ['Command AntiVirus for Linux', 'csav',
    '-all -archive -packed {}', [50], [51,52,53],
    qr/Infection: (.+)/m ],
  ### http://www.symantec.com/
  ['Symantec CarrierScan via Symantec CommandLineScanner',
    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
    qr/^Files Infected:\s+0$/m, qr/^Infected\b/m,
    qr/^(?:Info|Virus Name):\s+(.+)/m ],
  ### http://www.symantec.com/
  ['Symantec AntiVirus Scan Engine',
    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
    [0], qr/^Infected\b/m,
    qr/^(?:Info|Virus Name):\s+(.+)/m ],
  # NOTE: check options and patterns to see which entry better applies
  ### http://www.f-secure.com/products/anti-virus/  version 5.52
  ['F-Secure Antivirus for Linux servers',
    ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
    '--virus-action1=report --archive=yes --auto=yes '.
    '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8],
    qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],
  # NOTE: internal archive handling may be switched off by '--archive=no'
  #   to prevent fsav from exiting with status 9 on broken archives
  ['CAI InoculateIT', 'inocucmd',  # retired product
    '-sec -nex {}', [0], [100],
    qr/was infected by virus (.+)/m ],
  # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html
  ### http://www3.ca.com/Solutions/Product.asp?ID=156  (ex InoculateIT)
  ['CAI eTrust Antivirus', 'etrust-wrapper',
    '-arc -nex -spm h {}', [0], [101],
    qr/is infected by virus: (.+)/m ],
  # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
  # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783
  ### http://mks.com.pl/english.html
  ['MkS_Vir for Linux (beta)', ['mks32','mks'],
    '-s {}/*', [0], [1,2],
    qr/--[ \t]*(.+)/m ],
  ### http://mks.com.pl/english.html
  ['MkS_Vir daemon', 'mksscan',
    '-s -q {}', [0], [1..7],
    qr/^... (\S+)/m ],
  ### http://www.eset.com/, version 3.0
  ['ESET Software ESETS Command Line Interface',
    ['/usr/bin/esets_cli', 'esets_cli'],
    '--subdir {}', [0], [1,2,3],
    qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ],
  ## http://www.nod32.com/,  NOD32LFS version 2.5 and above
  ['ESET NOD32 for Linux File servers',
    ['/opt/eset/nod32/sbin/nod32','nod32'],
    '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
    '-w -a --action=1 -b {}', [0], [1,10],
    qr/^object=.*, virus="(.*?)",/m ],
  ### http://www.norman.com/products_nvc.shtml
  ['Norman Virus Control v5 / Linux', 'nvcc',
    '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
    qr/(?i).* virus in .* -> \'(.+)\'/m ],
  ### http://www.pandasoftware.com/
  ['Panda CommandLineSecure 9 for Linux',
    ['/opt/pavcl/usr/bin/pavcl','pavcl'],
    '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
    qr/Number of files infected[ .]*: 0+(?!\d)/m,
    qr/Number of files infected[ .]*: 0*[1-9]/m,
    qr/Found virus :\s*(\S+)/m ],
  # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr'
  # before starting amavisd - the bases are then loaded only once at startup.
  # To reload bases in a signature update script:
  #   /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr
  # Please review other options of pavcl, for example:
  #  -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies
  ### http://www.nai.com/
  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
    '--secure -rv --mime --summary --noboot - {}', [0], [13],
    qr/(?x) Found (?:
        \ the\ (.+)\ (?:virus|trojan) |
        \ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
        :\ (.+)\ NOT\ a\ virus)/m,
  # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
  # sub {delete $ENV{LD_PRELOAD}},
  ],
  # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
  # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
  # and then clear it when finished to avoid confusing anything else.
  # NOTE2: to treat encrypted files as viruses replace the [13] with:
  #  qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/
  ### http://www.virusbuster.hu/en/
  ['VirusBuster', ['vbuster', 'vbengcl'],
    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
    qr/: '(.*)' - Virus/m ],
  # VirusBuster Ltd. does not support the daemon version for the workstation
  # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
  # binaries, some parameters AND return codes have changed (from 3 to 1).
  # See also the new Vexira entry 'vascan' which is possibly related.
  ### http://www.cyber.com/
  ['CyberSoft VFind', 'vfind',
    '--vexit {}/*', [0], [23],
    qr/##==>>>> VIRUS ID: CVDL (.+)/m,
  # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
  ],
  ### http://www.avast.com/
  ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
    '-a -i -n -t=A {}', [0], [1],
    qr/\binfected by:\s+([^ \t\n\[\]]+)/m ],
  ### http://www.ikarus-software.com/
  ['Ikarus AntiVirus for Linux', 'ikarus',
    '{}', [0], [40],
    qr/Signature (.+) found/m ],
  ### http://www.bitdefender.com/
  ['BitDefender', 'bdscan',  # new version
    '--action=ignore --no-list {}',
    qr/^Infected files\s*:\s*0+(?!\d)/m,
    qr/^(?:Infected files|Identified viruses|Suspect files)\s*:\s*0*[1-9]/m,
    qr/(?:suspected|infected)\s*:\s*(.*)(?:\033|$)/m ],
  ### http://www.bitdefender.com/
  ['BitDefender', 'bdc',  # old version
    '--arc --mail {}',
    qr/^Infected files *:0+(?!\d)/m,
    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m,
    qr/(?:suspected|infected): (.*)(?:\033|$)/m ],
  # consider also: --all --nowarn --alev=15 --flev=15.  The --all argument may
  # not apply to your version of bdc, check documentation and see 'bdc --help'
  ### ArcaVir for Linux and Unix http://www.arcabit.pl/
  ['ArcaVir for Linux', ['arcacmd','arcacmd.static'],
    '-v 1 -summary 0 -s {}', [0], [1,2],
    qr/(?:VIR|WIR):[ \t]*(.+)/m ],
);
@av_scanners_backup = (
  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
  ['ClamAV-clamscan', 'clamscan',
    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
    [0], qr/:.*\sFOUND$/m,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
  ### http://www.f-prot.com/   - backs up F-Prot Daemon, V6
  ['F-PROT Antivirus for UNIX', ['fpscan'],
    '--report --mount --adware {}',  # consider: --applications -s 4 -u 3 -z 10
    [0,8,64], [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3],
    qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ],
  ### http://www.f-prot.com/   - backs up F-Prot Daemon (old)
  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
    '-dumb -archive -packed {}', [0,8], [3,6],  # or: [0], [3,6,8],
    qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ],
  ### http://www.trendmicro.com/   - backs up Trophie
  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
    '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ],
  ### http://www.sald.com/, http://drweb.imshop.de/   - backs up DrWebD
  ['drweb - DrWeb Antivirus',  # security LHA hole in Dr.Web 4.33 and earlier
    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
    '-path={} -al -go -ot -cn -upn -ok-',
    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ],
  ### http://www.kaspersky.com/
  ['Kaspersky Antivirus v5.5',
    ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
     '/opt/kav/5.5/kav4unix/bin/kavscanner',
     '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
    '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
    qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m,
  ],
);
1;  # insure a defined return value
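The ClamAV-clamd entry in @av_scanners and the ClamAV-clamscan entry in @av_scanners_backup both hand amavisd three regular expressions: a "clean" marker, an "infected" marker and a virus-name extractor with a lookahead that skips the generic "Infected Archive" verdict. The following Python function is an added example, not code from this page or from amavisd; it applies exactly those three patterns to the text clamd returns for a CONTSCAN request (one line per scanned file) so that the verdict amavisd will reach can be seen on sample input. The replies embedded below are constructed, and the order of the checks (FOUND before OK) is my choice, chosen because a multi-file reply that contains both must count as infected.

```python
import re

# The three patterns are the ones the ClamAV-clamd entry in @av_scanners hands
# to ask_daemon: "clean" marker, "infected" marker, and the virus-name extractor.
CLEAN_RE = re.compile(r"\bOK$", re.MULTILINE)
INFECTED_RE = re.compile(r"\bFOUND$", re.MULTILINE)
NAME_RE = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.MULTILINE)


def classify_clamd_reply(reply):
    """Interpret the text clamd returns for CONTSCAN (one line per scanned file).

    Returns (verdict, names): verdict is 'infected', 'clean' or 'error';
    names lists the extracted virus names for an infected verdict.
    Checking FOUND before OK is a deliberate choice (see lead-in): a
    multi-file reply that contains both must count as infected.
    """
    if INFECTED_RE.search(reply):
        return "infected", NAME_RE.findall(reply)
    if CLEAN_RE.search(reply):
        return "clean", []
    # Anything else (e.g. "... lstat() failed. ERROR", or an empty reply when
    # the socket was unreachable) is neither verdict; amavisd then falls back
    # to @av_scanners_backup.
    return "error", []


# Constructed replies in the line format clamd uses; the paths are hypothetical.
REPLY_CLEAN = "/var/amavis/tmp/amavis-20081120T212043-27959/parts: OK\n"
REPLY_INFECTED = (
    "/var/amavis/tmp/amavis-20081120T212043-27959/parts/p001: OK\n"
    "/var/amavis/tmp/amavis-20081120T212043-27959/parts/p002: Eicar-Test-Signature FOUND\n"
    "/var/amavis/tmp/amavis-20081120T212043-27959/parts/p003.zip: Infected Archive FOUND\n"
)
REPLY_ERROR = "/var/amavis/tmp/amavis-20081120T212043-27959/parts: lstat() failed. ERROR\n"

if __name__ == "__main__":
    for label, reply in (("clean", REPLY_CLEAN), ("infected", REPLY_INFECTED),
                         ("error", REPLY_ERROR)):
        print(label, "->", classify_clamd_reply(reply))
```

Note what the lookahead does on the constructed infected reply: the archive line still makes the verdict "infected", but only Eicar-Test-Signature is reported as a name, which is the string that ends up in amavisd's log and notifications. The "error" branch is the case an operator should watch for in /var/log/maillog after the restart described further down: a wrong socket path or missing group membership shows up there, not as a clean scan.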
Starting the programs
clamd
Now it is time to start our ClamAV daemon for the first time.
# service clamd start
Starting Clam AntiVirus Daemon: LibClamAV Warning: ************************************************** LibClamAV Warning: *** The virus database is older than 7 days! *** LibClamAV Warning: *** Please update it as soon as possible. *** LibClamAV Warning: ************************************************** [ OK ]
So we first have to update our virus database; for this we use the freshclam program from the clamav package. For now we stop our daemon again and continue with the installation and configuration in the following steps.
# service clamd stop
Stopping Clam AntiVirus Daemon: [ OK ]
amavisd
To activate the configuration changes to /etc/amavisd.conf described above, we now restart our A Mail Virus Scanner (amavisd).
# service amavisd restart
Mail Virus Scanner (amavisd) beenden: [ OK ]
Mail Virus Scanner (amavisd) starten: [ OK ]
Mail Virus Scanner (amavisd) starten: [ OK ]
The successful restart is recorded accordingly in the mail log /var/log/maillog:
Nov 20 22:52:07 nss amavis[27959]: (27959-10) TempDir removal: empty tempdir is being removed: /var/amavis/tmp/amavis-20081120T212043-27959
Nov 20 22:52:07 nss amavis[27960]: (27960-09) TempDir removal: empty tempdir is being removed: /var/amavis/tmp/amavis-20081120T211933-27960
Nov 20 22:52:07 nss amavis[27957]: Net::Server: 2008/11/20-22:52:07 Server closing!
Nov 20 22:52:09 nss amavis[29613]: logging initialized, log level 3, syslog: amavis.mail
Nov 20 22:52:09 nss amavis[29613]: starting. /usr/sbin/amavisd at amavis.nausch.org amavisd-new-2.5.4 (20080312), Unicode aware, LANG="de_DE.UTF-8"
Nov 20 22:52:09 nss amavis[29613]: user=103, EUID: 103 (103); group=, EGID: 106 106 (106 106)
Nov 20 22:52:09 nss amavis[29613]: Perl version 5.008008
Nov 20 22:52:09 nss amavis[29613]: INFO: SA version: 3.2.4, 3.002004, no optional modules: Net::CIDR::Lite Sys::Hostname::Long Mail::SpamAssassin::BayesStore::PgSQL Encode::Detect Mail::SpamAssassin::Plugin::DKIM Razor2::Client::Agent IP::Country::Fast Mail::DKIM Mail::DKIM::Verifier Image::Info Image::Info::GIF Image::Info::JPEG Image::Info::PNG Image::Info::TIFF Mail::SPF Mail::SPF::Server Mail::SPF::Request Mail::SPF::Mech Mail::SPF::Mech::A Mail::SPF::Mech::PTR Mail::SPF::Mech::All Mail::SPF::Mech::Exists Mail::SPF::Mech::IP4 Mail::SPF::Mech::IP6 Mail::SPF::Mech::Include Mail::SPF::Mech::MX Mail::SPF::Mod Mail::SPF::Mod::Exp Mail::SPF::Mod::Redirect Mail::SPF::SenderIPAddrMech Mail::SPF::v1::Record Mail::SPF::v2::Record NetAddr::IP NetAddr::IP::Util auto::NetAddr::IP::Util::inet_n2dx auto::NetAddr::IP::Util::ipv6_n2d Mail::SPF::Query Crypt::OpenSSL::RSA auto::Crypt::OpenSSL::RSA::new_public_key auto::Crypt::OpenSSL::RSA::new_key_from_parameters auto::Crypt::OpenSSL::RSA::get_key_parameters auto::Crypt::OpenSSL::RSA::import_random_seed Digest::SHA Error
Nov 20 22:52:09 nss amavis[29613]: SpamControl: init_pre_chroot done
Nov 20 22:52:09 nss amavis[29614]: Net::Server: Process Backgrounded
Nov 20 22:52:09 nss amavis[29614]: Net::Server: 2008/11/20-22:52:09 Amavis (type Net::Server::PreForkSimple) starting! pid(29614)
Nov 20 22:52:09 nss amavis[29614]: Net::Server: Binding to UNIX socket file /var/amavis/amavisd.sock using SOCK_STREAM
Nov 20 22:52:09 nss amavis[29614]: Net::Server: Binding to TCP port 10024 on host 127.0.0.1
Nov 20 22:52:09 nss amavis[29614]: Net::Server: Group Not Defined. Defaulting to EGID '106 106'
Nov 20 22:52:09 nss amavis[29614]: Net::Server: User Not Defined. Defaulting to EUID '103'
Nov 20 22:52:09 nss amavis[29614]: config files read: /etc/amavisd.conf
Nov 20 22:52:09 nss amavis[29614]: Module Amavis::Conf 2.094
Nov 20 22:52:09 nss amavis[29614]: Module Archive::Zip 1.16
Nov 20 22:52:09 nss amavis[29614]: Module BerkeleyDB 0.36
Nov 20 22:52:09 nss amavis[29614]: Module Compress::Zlib 1.42
Nov 20 22:52:09 nss amavis[29614]: Module Convert::TNEF 0.17
Nov 20 22:52:09 nss amavis[29614]: Module Convert::UUlib 1.051
Nov 20 22:52:09 nss amavis[29614]: Module DBD::mysql 4.008
Nov 20 22:52:09 nss amavis[29614]: Module DBI 1.52
Nov 20 22:52:09 nss amavis[29614]: Module DB_File 1.814
Nov 20 22:52:09 nss amavis[29614]: Module Digest::MD5 2.36
Nov 20 22:52:09 nss amavis[29614]: Module Digest::SHA1 2.11
Nov 20 22:52:09 nss amavis[29614]: Module IO::Socket::INET6 2.51
Nov 20 22:52:09 nss amavis[29614]: Module MIME::Entity 5.420
Nov 20 22:52:09 nss amavis[29614]: Module MIME::Parser 5.420
Nov 20 22:52:09 nss amavis[29614]: Module MIME::Tools 5.420
Nov 20 22:52:09 nss amavis[29614]: Module Mail::Header 1.77
Nov 20 22:52:09 nss amavis[29614]: Module Mail::Internet 1.77
Nov 20 22:52:09 nss amavis[29614]: Module Mail::SpamAssassin 3.002004
Nov 20 22:52:09 nss amavis[29614]: Module Net::DNS 0.59
Nov 20 22:52:09 nss amavis[29614]: Module Net::Server 0.97
Nov 20 22:52:09 nss amavis[29614]: Module Time::HiRes 1.86
Nov 20 22:52:09 nss amavis[29614]: Module URI 1.35
Nov 20 22:52:09 nss amavis[29614]: Module Unix::Syslog 1.0
Nov 20 22:52:09 nss amavis[29614]: Amavis::DB code loaded
Nov 20 22:52:09 nss amavis[29614]: Amavis::Cache code loaded
Nov 20 22:52:09 nss amavis[29614]: SQL base code NOT loaded
Nov 20 22:52:09 nss amavis[29614]: SQL::Log code NOT loaded
Nov 20 22:52:09 nss amavis[29614]: SQL::Quarantine NOT loaded
Nov 20 22:52:09 nss amavis[29614]: Lookup::SQL code NOT loaded
Nov 20 22:52:09 nss amavis[29614]: Lookup::LDAP code NOT loaded
Nov 20 22:52:09 nss amavis[29614]: AM.PDP-in proto code loaded
Nov 20 22:52:09 nss amavis[29614]: SMTP-in proto code loaded
Nov 20 22:52:09 nss amavis[29614]: Courier proto code NOT loaded
Nov 20 22:52:09 nss amavis[29614]: SMTP-out proto code loaded
Nov 20 22:52:09 nss amavis[29614]: Pipe-out proto code NOT loaded
Nov 20 22:52:09 nss amavis[29614]: BSMTP-out proto code NOT loaded
Nov 20 22:52:09 nss amavis[29614]: Local-out proto code loaded
Nov 20 22:52:09 nss amavis[29614]: OS_Fingerprint code NOT loaded
Nov 20 22:52:09 nss amavis[29614]: ANTI-VIRUS code loaded
Nov 20 22:52:09 nss amavis[29614]: ANTI-SPAM code loaded
Nov 20 22:52:09 nss amavis[29614]: ANTI-SPAM-SA code loaded
Nov 20 22:52:09 nss amavis[29614]: Unpackers code loaded
Nov 20 22:52:09 nss amavis[29614]: Found $file at /usr/bin/file
Nov 20 22:52:09 nss amavis[29614]: No $dspam, not using it
Nov 20 22:52:09 nss amavis[29614]: No $altermime, not using it
Nov 20 22:52:09 nss amavis[29614]: Internal decoder for .mail
Nov 20 22:52:09 nss amavis[29614]: Internal decoder for .asc
Nov 20 22:52:09 nss amavis[29614]: Internal decoder for .uue
Nov 20 22:52:09 nss amavis[29614]: Internal decoder for .hqx
Nov 20 22:52:09 nss amavis[29614]: Internal decoder for .ync
Nov 20 22:52:09 nss amavis[29614]: Found decoder for .F at /usr/bin/unfreeze
Nov 20 22:52:09 nss amavis[29614]: Found decoder for .Z at /usr/bin/uncompress
Nov 20 22:52:09 nss amavis[29614]: Found decoder for .gz at /usr/bin/gzip -d
Nov 20 22:52:09 nss amavis[29614]: Internal decoder for .gz (backup, not used)
Nov 20 22:52:09 nss amavis[29614]: Found decoder for .bz2 at /usr/bin/bzip2 -d
Nov 20 22:52:09 nss amavis[29614]: Found decoder for .lzo at /usr/bin/lzop -d
Nov 20 22:52:09 nss amavis[29614]: Found decoder for .rpm at /usr/bin/rpm2cpio
Nov 20 22:52:09 nss amavis[29614]: Found decoder for .cpio at /usr/bin/pax
Nov 20 22:52:09 nss amavis[29614]: Found decoder for .tar at /usr/bin/pax
Nov 20 22:52:09 nss amavis[29614]: Found decoder for .deb at /usr/bin/ar
Nov 20 22:52:09 nss amavis[29614]: Internal decoder for .zip
Nov 20 22:52:09 nss amavis[29614]: No decoder for .7z tried: 7zr, 7za, 7z
Nov 20 22:52:09 nss amavis[29614]: Found decoder for .rar at /usr/bin/unrar
Nov 20 22:52:09 nss amavis[29614]: Found decoder for .arj at /usr/bin/arj
Nov 20 22:52:09 nss amavis[29614]: Found decoder for .arc at /usr/bin/nomarch
Nov 20 22:52:09 nss amavis[29614]: Found decoder for .zoo at /usr/bin/zoo
Nov 20 22:52:09 nss amavis[29614]: Found decoder for .lha at /usr/bin/lha
Nov 20 22:52:09 nss amavis[29614]: Found decoder for .cab at /usr/bin/cabextract
Nov 20 22:52:09 nss amavis[29614]: No decoder for .tnef tried: tnef
Nov 20 22:52:09 nss amavis[29614]: Internal decoder for .tnef
Nov 20 22:52:09 nss amavis[29614]: Found decoder for .exe at /usr/bin/unrar; /usr/bin/lha; /usr/bin/arj
Nov 20 22:52:09 nss amavis[29614]: Using primary internal av scanner code for ClamAV-clamd
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: KasperskyLab AVP - aveclient
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: KasperskyLab AntiViral Toolkit Pro (AVP)
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: KasperskyLab AVPDaemonClient
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: CentralCommand Vexira (new) vascan
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: Avira AntiVir
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: Command AntiVirus for Linux
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: Symantec CarrierScan via Symantec CommandLineScanner
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: Symantec AntiVirus Scan Engine
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: F-Secure Antivirus for Linux servers
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: CAI InoculateIT
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: CAI eTrust Antivirus
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: MkS_Vir for Linux (beta)
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: MkS_Vir daemon
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: ESET NOD32 Linux Mail Server - command line interface
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: ESET NOD32 for Linux File servers
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: Norman Virus Control v5 / Linux
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: Panda CommandLineSecure 9 for Linux
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: NAI McAfee AntiVirus (uvscan)
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: VirusBuster
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: CyberSoft VFind
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: avast! Antivirus
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: Ikarus AntiVirus for Linux
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: BitDefender
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: BitDefender
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: ArcaVir for Linux
Nov 20 22:52:09 nss amavis[29614]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Nov 20 22:52:09 nss amavis[29614]: No secondary av scanner: F-PROT Antivirus for UNIX
Nov 20 22:52:09 nss amavis[29614]: No secondary av scanner: FRISK F-Prot Antivirus
Nov 20 22:52:09 nss amavis[29614]: No secondary av scanner: Trend Micro FileScanner
Nov 20 22:52:09 nss amavis[29614]: No secondary av scanner: drweb - DrWeb Antivirus
Nov 20 22:52:09 nss amavis[29614]: No secondary av scanner: Kaspersky Antivirus v5.5
Nov 20 22:52:09 nss amavis[29614]: Creating db in /var/amavis/db/; BerkeleyDB 0.36, libdb 4.3
Nov 20 22:52:09 nss amavis[29614]: SpamControl: initializing Mail::SpamAssassin
Nov 20 22:52:10 nss amavis[29614]: SpamControl: init_pre_fork done
Nov 20 22:52:10 nss amavis[29620]: TIMING [total 5 ms] - bdb-open: 5 (100%)100, rundown: 0 (0%)100
Nov 20 22:52:10 nss amavis[29621]: TIMING [total 5 ms] - bdb-open: 5 (100%)100, rundown: 0 (0%)100
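The lines worth checking after every restart are the "av scanner" entries: they show whether amavisd really picked up clamd as its primary scanner and which of the configured products were not found. The following shell script is an added example, not part of the original page; it parses those entries for the most recent start only, using a shortened, constructed copy of the log above as sample input, and assumes /var/log/maillog as the log path and that an external primary scanner is logged as "Found primary av scanner ... at ..." (the counterpart of the "Found secondary" line shown above).

```shell
#!/bin/sh
# Added example (not from the page): after "service amavisd restart", read the
# amavisd startup entries in the mail log and report which av scanners were
# found. The "Found primary av scanner ... at ..." wording is assumed as the
# counterpart of the "Found secondary ..." line shown on the page.
# Av scanner lines of the most recent amavisd start only: everything before
# the last "starting." entry belongs to an earlier run.
av_scanner_lines() {
    awk '/amavis\[[0-9]+\]: starting\./ { buf = "" }
         /av scanner/ { buf = buf $0 "\n" }
         END { printf "%s", buf }' "$1"
}
# Scanners amavisd will use, one "role: name" per line.
active_scanners() {
    av_scanner_lines "$1" | sed -n \
        -e 's/.*Using primary internal av scanner code for \(.*\)$/primary: \1/p' \
        -e 's/.*Found primary av scanner \(.*\) at .*/primary: \1/p' \
        -e 's/.*Found secondary av scanner \(.*\) at .*/secondary: \1/p'
}
# Configured scanners not found on this host (informational: expected for
# products that are not installed).
missing_scanner_count() {
    av_scanner_lines "$1" | grep -c 'av scanner:'
}
# Succeed only if a primary scanner is active (clamd on this page); otherwise
# the restart did not pick up the intended scanner.
primary_scanner_ok() {
    active_scanners "$1" | grep -q '^primary: '
}
# Constructed sample log (file given in $1): an earlier start without clamd,
# then the restart shown on the page, shortened.
write_sample_log() {
    cat > "$1" <<'EOF'
Nov 20 21:19:30 nss amavis[27957]: starting. /usr/sbin/amavisd at amavis.nausch.org amavisd-new-2.5.4 (20080312)
Nov 20 21:19:30 nss amavis[27957]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Nov 20 22:52:09 nss amavis[29613]: starting. /usr/sbin/amavisd at amavis.nausch.org amavisd-new-2.5.4 (20080312)
Nov 20 22:52:09 nss amavis[29614]: Using primary internal av scanner code for ClamAV-clamd
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: KasperskyLab AVP - aveclient
Nov 20 22:52:09 nss amavis[29614]: No primary av scanner: Avira AntiVir
Nov 20 22:52:09 nss amavis[29614]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Nov 20 22:52:09 nss amavis[29614]: No secondary av scanner: F-PROT Antivirus for UNIX
EOF
}
# Usage: sh check_av.sh [/var/log/maillog]; without an argument the sample is checked.
if [ -n "${1:-}" ]; then log="$1"; else log="$(mktemp)"; write_sample_log "$log"; trap 'rm -f "$log"' EXIT; fi
active_scanners "$log"
echo "configured scanners not found: $(missing_scanner_count "$log")"
primary_scanner_ok "$log" && echo "primary av scanner active" || echo "WARNING: no primary av scanner"
```

Run against the real log with `sh check_av.sh /var/log/maillog`; only the entries after the last "starting." line are evaluated, so an older successful start cannot mask a restart that lost the clamd scanner.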
Automatic start of the services at system boot
clamd
So that our clamav daemon is started automatically at boot, we perform the following configuration step.
chkconfig clamd on
Afterwards we verify our change:
chkconfig --list | grep clamd
clamd 0:Aus 1:Aus 2:Ein 3:Ein 4:Ein 5:Ein 6:Aus
amavisd
We already set up the automatic start in the chapter grundinstallation_von_amavis.