Clamav
About ClamAV
From: Clamav.net
ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats. It is the de facto standard for mail gateway scanning. It provides a high performance mutli-threaded scanning daemon, command line utilities for on demand file scanning, and an intelligent tool for automatic signature updates. The core ClamAV library provides numerous file format detection mechanisms, file unpacking support, archive support, and multiple signature languages for detecting threats. The core ClamAV library is utilized in Immunet 3.0, powered by ClamAV, which is a fast, fully featured Desktop AV solution for Windows.
In Qmailtoaster, ClamAV works side-by-side with SpamAssassin under Simscan to make sure all incoming email is free of virus and spam.
Disable / Enable
You can disable (and enable it again) ClamAV per domain or server-wide, make sure you know what you are doing and have a strong reason.
Per Domain
If you have multiple domains, and you want to disable ClamAV feature just for 1 domain you can do it like this:
1. Edit file /var/qmail/control/simcontrol
vi /var/qmail/control/simcontrol
2. Look for line that contains domain you want to disable ClamAV (something like this):
pala.bo-tak.info:clam=yes,spam=yes,spam_hits=11.5,attach=.bat:.chm:.cmd:.com:.dll:.dot:.email:.exe:.hlp:.hta:.inf:.msi:.pif:.reg:.scr:.url:.vbs
3. Change clam=yes into clam=no, so the line look like this:
pala.bo-tak.info:clam=yes,spam=yes,spam_hits=11.5,attach=.bat:.chm:.cmd:.com:.dll:.dot:.email:.exe:.hlp:.hta:.inf:.msi:.pif:.reg:.scr:.url:.vbs
4. Save the file and quit
5. Compile simcontrol file to make rule active
service qmail cdb
To enable ClamAV feature again just follow the steps above but on step 3 change clam=no into clam=yes
Server Wide
Temporary
If you want to stop clamav service temporarily (for whatever reason) here's how: NOTE: clamav service will not be available until you start it manually or server restarted.
If you have QmailToaster Plus tool installed:
1. Stop clamd
qmail-clam stop
2. Check clamd status
qmail-clam stat
3. Start clamd
qmail-clam start
If you do not have QmailToaster Plus installed:
1. Stop clamd
svc -d /var/qmail/supervise/clamd /var/qmail/supervise/clamd/log
2. Check clamd status
svstat /var/qmail/supervise/clamd svstat /var/qmail/supervise/clamd/log
3. Start clamd
svc -u /var/qmail/supervise/clamd /var/qmail/supervise/clamd/log
Forever
If you have another Email-Scanning-Proxy device before your qmailtoaster box you may want to disable ClamAV scanning to save memory. Here's how:
1. Touch down file on clamav service.
touch /var/qmail/supervise/clamd/down touch /var/qmail/supervise/clamd/log/down
2. Stop qmail.
service qmail stop
3. Stop existing freshclam process.
service freshclam stop
4. Remove freshclam from running automatically when server starts.
chkconfig freshclam off
5. Make sure all qmail service has stopped, if not kill the running PID.
service qmail stat
6. Start qmail service again.
service qmail start
Update
Definition update
By default if freshclam service is running it will update clamav definition automatically. But if you want to make sure you have the latest definition you can run this command:
freshclam ClamAV update process started at Wed Mar 23 11:41:16 2011 main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven) Downloading daily-12882.cdiff [100%] Downloading daily-12883.cdiff [100%] daily.cld updated (version: 12883, sigs: 76664, f-level: 60, builder: ccordes) bytecode.cld is up to date (version: 142, sigs: 40, f-level: 60, builder: acab) Database updated (922918 signatures) from db.id.clamav.net (IP: 62.75.137.14)
Engine update
ClamAV team will release new version periodically. If they release new version, QMT team will release new clamav-toaster as soon as possible. Here's how to update your clamav engine version:
If you have QmailToaster Plus tool installed you can run qtp-newmodel but this tool not just only updating your clamav engine but also other *-toaster packages if new version available.
qtp-newmodel
If you do not have QmailToaster Plus or you only want to update clamav version only, do these steps:
1. Stop qmail service
service qmail stop
2. Remove existing clamav package
rpm -e --nodeps clamav-toaster
3. Download new clamav-toaster source package from Qmailtoaster Mirros
wget http://mirrors.qmailtoaster.net/clamav-toaster-0.97.0-1.3.41.src.rpm
4. Rebuild new clamav-toaster source package, replace $DISTRO with your OS Name and version. Detail $DISTRO can be see at install-script on Qmailtoaster Distro
rpmbuild --rebuild --with $DISTRO clamav-toaster-newpkg.src.rpm rpmbuild --rebuild --with $cnt4064 clamav-toaster-newpkg.src.rpm
5. Install clamav-toaster binary RPM
rpm -Uvh clamav-toaster-new.rpm rpm -Uvh /usr/src/redhat/RPMS/x86_64/clamav-toaster-0.97.0-1.3.41.x86_64.rpm
6. Compile qmail cdb and start.
service qmail cdb service qmail start
Additional definition
There are additional clamav definitions to help your server minimize incoming spam. Those definitions are provided by:
The easiest way to install additional clamav definitions is by invoking command
qtp-install-sanesecurity
if you have installed QmailToaster Plus. Details about qtp-install-sanesecurity can be found at QTP site
If you do not have QmailToaster Plus, consult directly to each definition providers.
Log Monitoring
If you have QmailToaster Plus you can run: Check with qmlog manual for other options:
qmlog -f clamd
If you do not have QTP then you can run:
tail -f /var/log/qmail/clamd/current | tai64nlocal grep pdf /var/log/qmail/clamd/current | tai64nlocal | more grep -v OK /var/log/qmail/clamd/current | tai64nlocal | more