Activating ClamAV


saavik
Posts: 24
Joined: Wed Aug 22, 2007 1:56 am
Location: NRW/Germany

Activating ClamAV

Postby saavik » Mon Jun 16, 2008 7:19 am

Hello!

We have been using Scalix for a while now for testing and are so impressed that we would like to get the first users working with it.

But stop, first of all we need to activate a virus engine.

We would like to use ClamAV.

Question:

What steps are to be taken?

1. Create an ALL-ROUTES.VIR

What would be the correct directory? Every piece of documentation says something different! Is scalix2:/var/opt/scalix/s2/s/rules the correct directory?

2. The file would look like this:
# cat ALL-ROUTES.VIR
VIRUS-UNCLEANED=1 ACTION=REJECT NDN-INFO=!ndninfo.txt
VIRUS-UNCLEANED=0 VIRUS-FOUND=1 ACTION=ALLOW NOTIFY="A virus was"


3. cp examples/general/omvscan.map ./rules/
Is that all?

4. omvscan.cfg
Where must this file be and what should it look like?

schmoe90
Scalix
Posts: 900
Joined: Mon May 07, 2007 11:51 am

Postby schmoe90 » Mon Jun 16, 2008 12:09 pm

1. Create an ALL-ROUTES.VIR

What would be the correct directory? Every piece of documentation says something different! Is scalix2:/var/opt/scalix/s2/s/rules the correct directory?


From the setup and configuration guide:
To do this, create a text file in the directory /var/opt/scalix/<nn>/s/rules called ALL-ROUTES.VIR, which controls virus protection on the Scalix server.


Where are you seeing anything different?

3. cp examples/general/omvscan.map ./rules/


From the setup and configuration guide:
1 Enable the script in the scan file by copying the omvscan.map file from
/opt/scalix/examples/general to /var/opt/scalix/<nn>/s/rules, where it becomes
active. For example
cp /opt/scalix/examples/general/omvscan.map /var/opt/scalix/<nn>/s/rules
where nn varies with Scalix installation.
2 Change to the directory using the cd command and make sure the file is owned by root
and has permissions set to 555. For example
cd /var/opt/scalix/<nn>/s/rules
chown root omvscan.map
chmod 555 omvscan.map


4. omvscan.cfg
Where must this file be and what should it look like?


From the setup and configuration guide:
1 Modify the /var/opt/scalix/<nn>/s/sys/omvscan.cfg file, changing the permissions
beforehand.


That should already have the correct settings for ClamAV.
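The three steps schmoe90 quotes from the guide (copy omvscan.map, make it root-owned with mode 555, create ALL-ROUTES.VIR in the rules directory) as a small POSIX shell script. This is an added example, not code from the Scalix guide or from either poster: the examples and rules directories are passed as parameters so it can be run against a scratch directory, the production paths /opt/scalix/examples/general and /var/opt/scalix/<nn>/s/rules are assumed from the quoted guide, and the NOTIFY text in the rule file is a constructed placeholder. The mode check reads the permission string from ls -l rather than stat(1) so it behaves the same on GNU and BSD userlands.

```shell
#!/bin/sh
# Added example (not from the Scalix guide or the thread): install the scan map
# and the virus rule file, then verify the permissions the guide asks for.
# Production paths (assumed from the guide): EXAMPLES_DIR=/opt/scalix/examples/general,
# RULES_DIR=/var/opt/scalix/<nn>/s/rules.

# Write ALL-ROUTES.VIR with the two rules used throughout the thread.
# The NOTIFY text is a constructed placeholder.
write_vir_rules() {
    rules_dir="$1"
    cat > "$rules_dir/ALL-ROUTES.VIR" <<'EOF'
VIRUS-UNCLEANED=1 ACTION=REJECT NDN-INFO=!ndninfo.txt
VIRUS-UNCLEANED=0 VIRUS-FOUND=1 ACTION=ALLOW NOTIFY="A virus was found in your message and was cleaned."
EOF
}

# Copy omvscan.map into the rules directory and set mode 555.
# The map is executed by the Service Router, so it must not be writable by the
# scalix user; ownership is handed to root only when we actually are root so
# the function stays usable (and testable) from an unprivileged account.
install_scan_map() {
    examples_dir="$1"; rules_dir="$2"
    rm -f "$rules_dir/omvscan.map"
    cp "$examples_dir/omvscan.map" "$rules_dir/omvscan.map" || return 1
    chmod 555 "$rules_dir/omvscan.map" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown root "$rules_dir/omvscan.map" || return 1
    fi
    return 0
}

# Exit 0 when omvscan.map in $1 has mode r-xr-xr-x (555), else 1.
scan_map_mode_ok() {
    mode=$(ls -l "$1/omvscan.map" | cut -c1-10)
    [ "$mode" = "-r-xr-xr-x" ]
}

# Print the number of active rules (non-comment, non-empty lines) in ALL-ROUTES.VIR.
count_vir_rules() {
    grep -v '^#' "$1/ALL-ROUTES.VIR" | grep -c .
}
```

Usage on a real system: `install_scan_map /opt/scalix/examples/general /var/opt/scalix/<nn>/s/rules && scan_map_mode_ok /var/opt/scalix/<nn>/s/rules`, then `write_vir_rules` with the same rules directory; a rule count other than the two you expect usually means a stray edit or a wrapped line in the file.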

saavik
Posts: 24
Joined: Wed Aug 22, 2007 1:56 am
Location: NRW/Germany

Postby saavik » Wed Jun 18, 2008 6:37 am

Well, it does not work.

In the meantime we upgraded to Scalix 11.4.0.11344, but the virus scan still does not work.

As I am still not sure whether I RTFM the right way, I will just post what I did:

1. Created files
:/var/opt/scalix/s2/s/rules # l
total 52
drwxrwx--- 2 scalix scalix 4096 Jun 17 14:44 ./
drwxrwxr-x 52 scalix scalix 4096 Oct 23 2007 ../
-rw-r--r-- 1 root root 285 Jun 12 10:33 ALL-ROUTES
-rw-r--r-- 1 root root 120 Oct 24 2007 ALL-ROUTES.VIR
-r-xr-xr-x 1 root root 35809 Jun 17 11:56 omvscan.map*


# cat ALL-ROUTES
#
# DO NOT EDIT OR CHANGE THIS FILE
# THIS FILE IS DYNAMICALLY GENERATED
# CHANGING THE ORDER OR THE SETTINGS BELOW
# CAN RESULT IN UNDESIRABLE BEHAVIOUR
# -- UberManager
#
OMLIMIT-EXCEEDED=120 ACTION=REJECT
OMLIMIT-EXCEEDED=80 ACTION=ALLOW NOTIFY="Bitte E-Mail Postfach aufräumen."


# cat ALL-ROUTES.VIR
VIRUS-UNCLEANED=1 ACTION=REJECT NDN-INFO=!ndninfo.txt
VIRUS-UNCLEANED=0 VIRUS-FOUND=1 ACTION=ALLOW NOTIFY="A virus was"


I just copied the omvscan.map.

For testing I use http://www.heise.de/security/dienste/em ... mail=eicar, where you can send an EICAR test mail to yourself.

Why does this mail still reach me?

It seems to me as if I have an access rights problem:
# omoff -s sr
scalix2:/var/opt/scalix/s2/s/sys # omon -s sr
scalix2:/var/opt/scalix/s2/s/sys # omshowlog

ERROR Service Router(Service Router) 06.18.08 15:00:36
[OM 5181] Reply timed out or invalid - Mapper protocol problem.
Command sent: <none - expect greeting reply>
Reply received: 503 "ClamAV" cannot scan Scalix-owned file Access denied. ERROR


The access rights seem to be right:
passwd
scalix:x:100:101:Scalix User:/var/opt/scalix:/bin/true
vscan:x:65:101:Vscan account:/var/spool/amavis:/bin/false


group
scalix:!:101:
vscan:!:102:scalix

schmoe90
Scalix
Posts: 900
Joined: Mon May 07, 2007 11:51 am

Postby schmoe90 » Wed Jun 18, 2008 1:02 pm

Check the scalix user and group:


# grep scalix /etc/passwd
scalix:x:100:101:Scalix User:/var/opt/scalix:/bin/true

# grep scalix /etc/group
scalix:x:101:

saavik
Posts: 24
Joined: Wed Aug 22, 2007 1:56 am
Location: NRW/Germany

Postby saavik » Thu Jun 19, 2008 1:33 am

scalix2:~ # grep scalix /etc/passwd
scalix:x:100:101:Scalix User:/var/opt/scalix:/bin/true
scalix2:~ # grep scalix /etc/group
scalix:!:101:

saavik
Posts: 24
Joined: Wed Aug 22, 2007 1:56 am
Location: NRW/Germany

Postby saavik » Thu Jun 19, 2008 5:45 am

So, I just rebooted the PC and it all worked perfectly... nearly.

Isn't there a possibility to send the recipient an email if an email with a virus has been rejected?
My ALL-ROUTES.VIR:


# cat ALL-ROUTES.VIR
VIRUS-UNCLEANED=1 ACTION=REJECT NDN-INFO=!ndninfo.txt
#VIRUS-UNCLEANED=1 ACTION=ALLOW NOTIFY="In der E-Mail wurde ein Virus gefunden !! GEFAHR!!"
VIRUS-UNCLEANED=0 VIRUS-FOUND=1 ACTION=ALLOW NOTIFY="In der E-Mail wurde ein Virus gefunden und entfernt."
scalix2:/var/opt/scalix/s2/s/rules #

schmoe90
Scalix
Posts: 900
Joined: Mon May 07, 2007 11:51 am

Postby schmoe90 » Thu Jun 19, 2008 1:46 pm

VIRUS-UNCLEANED=1 ACTION=REJECT NDN-INFO=!ndninfo.txt

This rejects a message with a virus that can't be cleaned.

VIRUS-UNCLEANED=0 VIRUS-FOUND=1 ACTION=ALLOW NOTIFY="In der E-Mail wurde ein Virus gefunden und entfernt."

This allows a message with a cleaned virus to pass through with a notification.

Now, if you want to alert an end user that there's a virus that can't be cleaned, you'd have to ALLOW that message through, even with the uncleaned virus, and that's not a good idea.

You could, however, try the FILTER_TYPES_OF_ATT setting, but that assumes that we've encoded the attachment as a virus, rather than a Word document or suchlike.

saavik
Posts: 24
Joined: Wed Aug 22, 2007 1:56 am
Location: NRW/Germany

Postby saavik » Fri Jun 20, 2008 3:32 am

Isn't there a possibility to get a notification?

toni31
Posts: 52
Joined: Thu Jan 24, 2008 10:13 am

Postby toni31 » Fri Jun 20, 2008 8:51 am

I'm also interested in a solution.
@scalix: please correct your configuration guide and give better examples. Notifying the sender doesn't make any sense.

The use of a quarantine would be helpful, where you can find the infected file and, when it's proven to be OK, release it.

But I really need a notification of antivirus activities that both the user and the admin receive. I don't really trust clamd, but MailScanner is too heavy for our Scalix VM.

Please don't mind, saavik, I hope it's in your interest too :wink:

saavik
Posts: 24
Joined: Wed Aug 22, 2007 1:56 am
Location: NRW/Germany

Postby saavik » Tue Jun 24, 2008 6:57 am

Absolutely!

It's nice that I am not the only one who would like that "action"!

toni31
Posts: 52
Joined: Thu Jan 24, 2008 10:13 am

Postby toni31 » Fri Jun 27, 2008 10:38 am

No one providing some best practices?

mschrijn

Postby mschrijn » Fri Jul 18, 2008 9:56 pm

Hi All,

I've got a similar problem (CentOS 5.2, 11.4.0.4501), and I've tried all the proposed options, but it is still not working.
When I increase the log level in /var/opt/scalix/ml/s/sys/omvscan.cfg I see the following:
2008-07-19 04:32:23:PID=16164:############## /var/opt/scalix/ml/s/tmp/omvscan_cfg.16164
2008-07-19 04:32:23:PID=16164:OMAV_LOGFILE=$(omrealpath '~/logs/omvscan.log')
2008-07-19 04:32:23:PID=16164:OMAV_LOGLEVEL=3
2008-07-19 04:32:23:PID=16164:CLAMAV_ENGINE=/usr/local/bin/clamdscan
2008-07-19 04:32:23:PID=16164:CLAMAV_SCAN_OPTIONS='--stdout'
2008-07-19 04:32:23:PID=16164:CLAMAV_CLEAN_OPTIONS='--stdout'
2008-07-19 04:32:23:PID=16164:CLAMAV_LOGPGX=$(omrealpath '~/tmp/clamav.log')
2008-07-19 04:32:23:PID=16164:CLAMAV_USE_LOCKING=no
2008-07-19 04:32:23:PID=16164:CLAMAV_LOCK_FILE=clamav.lock
2008-07-19 04:32:23:PID=16164:############## /var/opt/scalix/ml/s/tmp/omvscan_cfg.16164
2008-07-19 04:32:23:PID=16164:/usr/local/bin/clamdscan --stdout /tmp/clamav_test.16164 > /var/opt/scalix/ml/s/tmp/clamav.log.16164
2008-07-19 04:32:23:PID=16164:[Reply]:503 "ClamAV" cannot scan Scalix-owned file2008-07-19 04:32:23:PID=16164:[Reply]:


Here are the high-level steps taken:

Clamav anti-virus software installation

1. Download the latest Clamav anti-virus software tar-ball from www.clamav.org
2. Optionally: binary ftp the tar-ball to the mailserver.
3. Store the Clamav anti-virus tar-ball in the /tmp filesystem
4. Log in to the mailserver as user root.
5. Change directory to /tmp with: cd /tmp
6. Extract the tar-ball with (e.g.): tar -zxvf clamav-0.93.3.tar.gz
7. Change directory to the extraction directory: cd clamav-0.93.3
8. Create a unix group with: groupadd clamav
9. Create a unix user with: useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
10. Configure the Clamav software with: ./configure --sysconfdir=/etc
11. Compile the Clamav software with: make
12. Install the Clamav software with: su -c "make install"
13. Edit the file: /etc/clamd.conf
Remark: c=comment line, s=set value.
c: Example
s: LogFile /var/log/clamd.log
s: LogTime yes
s: LogSyslog yes
s: LogFacility LOG_MAIL
s: LogVerbose yes
s: PidFile /var/run/clamd/clamd.pid
s: DatabaseDirectory /var/lib/clamav
s: LocalSocket /var/run/clamd/clamd.sock
s: FixStaleSocket yes
s: User clamav
s: AllowSupplementaryGroups yes
s: ScanOLE2 yes
s: ScanMail yes
s: PhishingSignatures yes
s: PhishingScanURLs yes
s: ScanHTML yes
s: ScanArchive yes
14. Create the database directory /var/lib/clamav with: mkdir /var/lib/clamav
15. Change ownership of the directory with: chown clamav:clamav /var/lib/clamav
16. Change permissions on the directory with: chmod 755 /var/lib/clamav
17. Create the socket directory /var/run/clamd with: mkdir /var/run/clamd
18. Change ownership of the directory with: chown clamav:clamav /var/run/clamd
19. Change permissions on the directory with: chmod 700 /var/run/clamd
20. Edit the file: /etc/freshclam.conf
Remark: c=comment line, s=set value, v=verify value.
c: Example
s: DatabaseDirectory /var/lib/clamav
s: UpdateLogFile /var/log/freshclam.log
s: LogTime yes
s: LogVerbose yes
s: LogSyslog yes
s: LogFacility LOG_MAIL
s: DatabaseOwner clamav
s (first entry): DatabaseMirror db.NL.clamav.net
v (second entry): DatabaseMirror database.clamav.net
s: ScriptedUpdates yes
21. Create the freshclam logfile with: touch /var/log/clamd.log
22. Change ownership of the freshclam logfile with: chown clamav /var/log/clamd.log
23. Change permissions on the freshclam logfile: chmod 600 /var/log/clamd.log
24. Create the freshclam logfile with: touch /var/log/freshclam.log
25. Change ownership of the freshclam logfile with: chown clamav /var/log/freshclam.log
26. Change permissions on the freshclam logfile: chmod 600 /var/log/freshclam.log
27. Test the Clamav anti-virus software with: clamscan -r -l scan.txt /tmp/clamav-0.93.3
It should find some files in /tmp/clamav-0.93.3/test
28. Edit the crontab with: crontab -e
29. Add the following line to the crontab: 17 * * * * /usr/local/bin/freshclam --quiet
30. Create the file /etc/rc.d/init.d/clamd:
.......
1. chmod 755 clamd
2. chkconfig --add clamd
3. chkconfig --levels 345 clamd on
4. Modify the file /etc/group by adding the clamav user to the scalix group using:
usermod -G scalix clamav
5. service clamd start
Scalix – Clamav anti-virus integration configuration
1. Create an anti-virus rule file in /var/opt/scalix/ml/s/rules (where ml is the instance name) with the name ALL-ROUTES.VIR and content:
VIRUS-UNCLEANED=1 ACTION=REJECT NDN-INFO=!ndninfo.txt
VIRUS-UNCLEANED=0 VIRUS-FOUND=1 ACTION=ALLOW NOTIFY="A virus was found in your message. It was successfully cleaned and sent to the recipient. We recommend that you install or update your virus protection software and scan your computer for viruses."
2. Create a non-delivery-notification file in /var/opt/scalix/ml/s/rules (where ml is the instance name) with the name ndninfo.txt and content:
Text = A virus was detected in your message and could not be cleaned, therefore it was not delivered. We highly recommend that you install or update your virus protection software.
3. Create a scan file which provides the necessary information for the anti-virus software to scan all messages sent to Scalix users with (where ml is the instance name), and make sure the file permissions are set properly:
cp /opt/scalix/examples/general/omvscan.map /var/opt/scalix/ml/s/rules
cd /var/opt/scalix/ml/s/rules
chown root omvscan.map
chmod 555 omvscan.map
4. Modify the file /var/opt/scalix/ml/s/sys/omvscan.cfg (where ml is the instance name):
CLAMAV_ENGINE=/usr/local/bin/clamdscan


What am I missing? I have been looking for it for 8 hours already, reading and testing.
:oops:
Any help is appreciated!

toni31
Posts: 52
Joined: Thu Jan 24, 2008 10:13 am

Postby toni31 » Mon Jul 21, 2008 6:26 am

Try user vscan in your clamd.conf instead of clamav.

mschrijn

Solution

Postby mschrijn » Mon Jul 21, 2008 12:39 pm

Hi Toni,

Thanks for your reply, but I found a solution.
The security on the /var/run/spamd directory was too tight, as both clamav and scalix seem to need this directory.
So changing the permissions from 700 to 770 and changing the ownership from clamav:clamav to clamav:scalix solved the problem.

It is still necessary to have clamav in the same group as scalix by modifying the /etc/group file.
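The two conditions mschrijn's fix depends on, as a pair of shell checks you can run before restarting the Service Router: the socket directory must be group-owned by the scalix group with mode 770 (group access for both daemons, nothing for anyone else), and the clamav user must be a supplementary member of that group. This is an added example, not code from the thread or from the ClamAV or Scalix projects. The directory path (/var/run/clamd, taken from the install steps above), the user and group names, and the group file are all parameters so the checks can be exercised against a constructed group file and a scratch directory; the group file layout assumed is the standard `name:password:gid:member,member` format.

```shell
#!/bin/sh
# Added example (not from the thread or from Scalix/ClamAV): verify the two
# access conditions behind the '503 "ClamAV" cannot scan Scalix-owned file
# Access denied' reply. Assumed production values: directory /var/run/clamd,
# user clamav, group scalix, group file /etc/group.

# Exit 0 when user $1 is listed as a supplementary member of group $2 in the
# group file $3 (default /etc/group). Only the member list is consulted: clamd
# runs as "User clamav", so the scalix group reaches it via this list alone.
user_in_group() {
    awk -F: -v g="$2" -v u="$1" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { if (found) exit 0; exit 1 }' "${3:-/etc/group}"
}

# Exit 0 when directory $1 has mode rwxrwx--- (770) and numeric gid $2.
# 770 rather than 777 on purpose: both daemons need the socket, but no other
# account on the host should be able to create entries in that directory.
# ls -n gives numeric ids, so the check does not depend on name resolution;
# the trailing "*" in the pattern tolerates an ACL/SELinux marker after the mode.
socket_dir_ok() {
    dir="$1"; gid="$2"
    set -- $(ls -ldn "$dir")
    case "$1" in
        drwxrwx---*) ;;
        *) return 1 ;;
    esac
    [ "$4" = "$gid" ]
}

# Run both checks; exit 0 when all pass, 1 for a bad directory, 2 for a
# missing group membership, with a short reason on stderr.
check_clamav_scalix_access() {
    dir="$1"; gid="$2"; user="$3"; group="$4"; group_file="$5"
    socket_dir_ok "$dir" "$gid" || {
        echo "$dir is not mode 770 with gid $gid" >&2; return 1; }
    user_in_group "$user" "$group" "$group_file" || {
        echo "$user is not a supplementary member of $group in $group_file" >&2; return 2; }
    return 0
}
```

On the live server the call would be `check_clamav_scalix_access /var/run/clamd "$(getent group scalix | cut -d: -f3)" clamav scalix /etc/group`; a group change only takes effect for clamd after it is restarted, which is why saavik's reboot "fixed" the same symptom earlier in the thread.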

