ClamAV

From wiki
Revision as of 06:52, 5 August 2016 by Vincent (talk | contribs) (Add Sanesecurity databases)

Install

# apt install clamav clamdscan clamav-daemon

Configure

clamav-unofficial-sigs

The default signatures of ClamAV are quite useless against the rapidly changing zip attachments you find in spam.

Fortunately Sanesecurity provide for free some hourly updated databases that will detect them. Getting them on your system is as simple as

# apt install clamav-unofficial-sigs

As the version in Debian is quite outdated, it tries by default to download some files that don't exist anymore. This is fixed by creating file /etc/clamav-unofficial-sigs.conf.d/local.conf

# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783228
si_dbs=""

# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831607
mbl_dbs=""

Integrate with Exim

You need to have Exim installed for this.

Permissions

The ClamAV daemon is running under user clamav. We need to get this user access to the mail spool for the scan to be possible.

# usermod -a -G Debian-exim clamav
# systemctl restart clamav-daemon.service

Exim setup

Create file /etc/exim4/local-acl with the following content

deny
  malware = *
  message = This message was detected as possible malware ($malware_name).

and append the following lines to /etc/exim4/conf.d/main/00_local_settings

CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/local-acl
av_scanner = clamd:/var/run/clamav/clamd.ctl

Finally restart Exim

# systemctl restart exim4.service

Test

Testing anti-virus software is commonly done using EICAR anti malware testfile. Although this file is not a virus, it will be recognised by all major anti-virus programs. This allow to test them without risking infecting yourself.

To get the file, simply create a file with the following content

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

You can then email this file to yourself. It must be blocked by Exim.

Check the content of /var/log/exim4/rejectlog and /var/log/exim4/paniclog for any issue.