Ebroch at 18:54, 19 October 2024

2024-10-19T18:54:06Z

← Older revision		Revision as of 12:54, 19 October 2024
Line 1:		Line 1:
	[[Configuration#~~clamav~~\|Back]]<br>		[[Configuration#Clamav\|Back]]<br>
	== About ClamAV ==		== About ClamAV ==

Ebroch at 16:09, 19 October 2024

2024-10-19T16:09:55Z

← Older revision		Revision as of 10:09, 19 October 2024
Line 1:		Line 1:
			[[Configuration#clamav\|Back]]<br>
	== About ClamAV ==		== About ClamAV ==

Ebroch: Created page with "== About ClamAV == From: [http://www.clamav.net Clamav.net] ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats. It is the de facto standard for mail gateway scanning. It provides a high performance mutli-threaded scanning daemon, command line utilities for on demand file scanning, and an intelligent tool for automatic signature updates. The core ClamAV library provides numerous file format detect..."

2024-03-16T16:10:26Z

Created page with "== About ClamAV == From: [http://www.clamav.net Clamav.net] ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats. It is the de facto standard for mail gateway scanning. It provides a high performance mutli-threaded scanning daemon, command line utilities for on demand file scanning, and an intelligent tool for automatic signature updates. The core ClamAV library provides numerous file format detect..."

New page

== About ClamAV ==

From: [http://www.clamav.net Clamav.net]

ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats. It is the de facto standard for mail gateway scanning. It provides a high performance mutli-threaded scanning daemon, command line utilities for on demand file scanning, and an intelligent tool for automatic signature updates. The core ClamAV library provides numerous file format detection mechanisms, file unpacking support, archive support, and multiple signature languages for detecting threats. The core ClamAV library is utilized in Immunet 3.0, powered by ClamAV, which is a fast, fully featured Desktop AV solution for Windows.

In Qmailtoaster, ClamAV works side-by-side with SpamAssassin under Simscan to make sure all incoming email is free of virus and spam.

== Disable / Enable ==

You can disable (and enable it again) ClamAV per domain or server-wide, make sure you know what you are doing and have a strong reason.

=== Per Domain ===

If you have multiple domains, and you want to disable ClamAV feature just for 1 domain you can do it like this:

1. Edit file /var/qmail/control/simcontrol
vi /var/qmail/control/simcontrol
2. Look for line that contains domain you want to disable ClamAV (something like this):
pala.bo-tak.info:clam=yes,spam=yes,spam_hits=11.5,attach=.bat:.chm:.cmd:.com:.dll:.dot:.email:.exe:.hlp:.hta:.inf:.msi:.pif:.reg:.scr:.url:.vbs
3. Change clam=yes into clam=no, so the line look like this:
pala.bo-tak.info:clam=yes,spam=yes,spam_hits=11.5,attach=.bat:.chm:.cmd:.com:.dll:.dot:.email:.exe:.hlp:.hta:.inf:.msi:.pif:.reg:.scr:.url:.vbs
4. Save the file and quit

5. Compile simcontrol file to make rule active
service qmail cdb

To enable ClamAV feature again just follow the steps above but on step 3 change clam=no into clam=yes

=== Server Wide===
==== Temporary ====
If you want to stop clamav service temporarily (for whatever reason) here's how:
NOTE: clamav service will not be available until you start it manually or server restarted.

If you have [http://qtp.qmailtoaster.com/ QmailToaster Plus tool] installed:

1. Stop clamd
qmail-clam stop
2. Check clamd status
qmail-clam stat
3. Start clamd
qmail-clam start

If you do not have QmailToaster Plus installed:

1. Stop clamd
svc -d /var/qmail/supervise/clamd /var/qmail/supervise/clamd/log
2. Check clamd status
svstat /var/qmail/supervise/clamd
svstat /var/qmail/supervise/clamd/log
3. Start clamd
svc -u /var/qmail/supervise/clamd /var/qmail/supervise/clamd/log

==== Forever ====
If you have another Email-Scanning-Proxy device before your qmailtoaster box you may want to disable ClamAV scanning to save memory. Here's how:

1. Touch down file on clamav service.
touch /var/qmail/supervise/clamd/down
touch /var/qmail/supervise/clamd/log/down
2. Stop qmail.
service qmail stop
3. Stop existing freshclam process.
service freshclam stop
4. Remove freshclam from running automatically when server starts.
chkconfig freshclam off
5. Make sure all qmail service has stopped, if not kill the running PID.
service qmail stat
6. Start qmail service again.
service qmail start

== Update ==
=== Definition update ===

By default if freshclam service is running it will update clamav definition automatically. But if you want to make sure you have the latest definition you can run this command:
freshclam
ClamAV update process started at Wed Mar 23 11:41:16 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
Downloading daily-12882.cdiff [100%]
Downloading daily-12883.cdiff [100%]
daily.cld updated (version: 12883, sigs: 76664, f-level: 60, builder: ccordes)
bytecode.cld is up to date (version: 142, sigs: 40, f-level: 60, builder: acab)
Database updated (922918 signatures) from db.id.clamav.net (IP: 62.75.137.14)

=== Engine update ===

ClamAV team will release new version periodically. If they release new version, QMT team will release new clamav-toaster as soon as possible. Here's how to update your clamav engine version:

If you have [http://qtp.qmailtoaster.com QmailToaster Plus] tool installed you can run [http://qtp.qmailtoaster.comtrac/wiki/qtp-newmodel qtp-newmodel] but this tool not just only updating your clamav engine but also other *-toaster packages if new version available.

qtp-newmodel

If you do not have QmailToaster Plus or you only want to update clamav version only, do these steps:

1. Stop qmail service
service qmail stop
2. Remove existing clamav package
rpm -e --nodeps clamav-toaster
3. Download new clamav-toaster source package from [http://mirrors.qmailtoaster.net/ Qmailtoaster Mirros]
wget http://mirrors.qmailtoaster.net/clamav-toaster-0.97.0-1.3.41.src.rpm
4. Rebuild new clamav-toaster source package, replace $DISTRO with your OS Name and version. Detail $DISTRO can be see at install-script on [http://www.qmailtoaster.net/distro/ Qmailtoaster Distro]
rpmbuild --rebuild --with $DISTRO clamav-toaster-newpkg.src.rpm
rpmbuild --rebuild --with $cnt4064 clamav-toaster-newpkg.src.rpm
5. Install clamav-toaster binary RPM
rpm -Uvh clamav-toaster-new.rpm
rpm -Uvh /usr/src/redhat/RPMS/x86_64/clamav-toaster-0.97.0-1.3.41.x86_64.rpm
6. Compile qmail cdb and start.
service qmail cdb
service qmail start

== Additional definition ==

There are additional clamav definitions to help your server minimize incoming spam. Those definitions are provided by:
* [http://www.sanesecurity.com/clamav/index.htm SaneSecurity]
* [http://msrbl.com/ MSRBL]
* [http://www.securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml SecuriteInfo]
* [http://malwarepatrol.com.br/ MalwarePatrol]
* [http://www.oitc.com/winnow/clamsigs/index.html OITC]
* [http://www.inetmsg.com/pub/ InetMsg]

The easiest way to install additional clamav definitions is by invoking command

qtp-install-sanesecurity

if you have installed [http://qtp.qmailtoaster.com/ QmailToaster Plus]. Details about qtp-install-sanesecurity can be found at [http://qtp.qmailtoaster.com/trac/wiki/Features#qtp-install-sanesecurity QTP site]

If you do not have QmailToaster Plus, consult directly to each definition providers.

== Log Monitoring ==
If you have [http://qtp.qmailtoaster.com/ QmailToaster Plus] you can run:
Check with [http://qtp.qmailtoaster.com/trac/wiki/Features#qmlog qmlog manual] for other options:
qmlog -f clamd

If you do not have QTP then you can run:
tail -f /var/log/qmail/clamd/current | tai64nlocal
grep pdf /var/log/qmail/clamd/current | tai64nlocal | more
grep -v OK /var/log/qmail/clamd/current | tai64nlocal | more

Clamav - Revision history

Ebroch at 18:54, 19 October 2024

Ebroch at 16:09, 19 October 2024