Difference between revisions of "ClamAV"
(Add Sanesecurity databases) |
(Introduction) |
||
| Line 1: | Line 1: | ||
| + | ClamAV is a cross-platform antivirus. While it is generic and can scan files in many situations, in this guide we will only configure it to scan emails. Using an antivirus on a mail server serve two goals: | ||
| + | * You wouldn't like you or someone else getting a virus that transited trough your mail server | ||
| + | * The huge majority of emails containing viruses is actually spam. This makes a great complement to [[Spamassassin]]. | ||
| + | |||
| + | == Prerequisite == | ||
| + | This article is part of the [[Emails#Complete|emails]] series. It is assumed that you already covered [[Exim]]. | ||
| + | |||
== Install == | == Install == | ||
<syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
| − | + | $ sudo apt install clamav clamdscan clamav-daemon | |
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 10: | Line 17: | ||
Fortunately Sanesecurity provide for free some [http://sanesecurity.com/usage/signatures/ hourly updated databases] that will detect them. Getting them on your system is as simple as<syntaxhighlight lang="console"> | Fortunately Sanesecurity provide for free some [http://sanesecurity.com/usage/signatures/ hourly updated databases] that will detect them. Getting them on your system is as simple as<syntaxhighlight lang="console"> | ||
| − | + | $ sudo apt install clamav-unofficial-sigs | |
</syntaxhighlight>As the version in Debian is quite [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785130 outdated], it tries by default to download some files that [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783228 don't] [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831607 exist] anymore. This is fixed by creating file <code>/etc/clamav-unofficial-sigs.conf.d/local.conf</code><syntaxhighlight lang="sh"> | </syntaxhighlight>As the version in Debian is quite [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785130 outdated], it tries by default to download some files that [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783228 don't] [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831607 exist] anymore. This is fixed by creating file <code>/etc/clamav-unofficial-sigs.conf.d/local.conf</code><syntaxhighlight lang="sh"> | ||
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783228 | # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783228 | ||
| Line 20: | Line 27: | ||
== Integrate with Exim == | == Integrate with Exim == | ||
| − | |||
| − | |||
=== Permissions === | === Permissions === | ||
The ClamAV daemon is running under user <code>clamav</code>. We need to get this user access to the mail spool for the scan to be possible.<syntaxhighlight lang="console"> | The ClamAV daemon is running under user <code>clamav</code>. We need to get this user access to the mail spool for the scan to be possible.<syntaxhighlight lang="console"> | ||
| − | + | $ sudo usermod -a -G Debian-exim clamav | |
| − | + | $ sudo systemctl restart clamav-daemon.service | |
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 37: | Line 42: | ||
av_scanner = clamd:/var/run/clamav/clamd.ctl | av_scanner = clamd:/var/run/clamav/clamd.ctl | ||
</syntaxhighlight>Finally restart Exim<syntaxhighlight lang="console"> | </syntaxhighlight>Finally restart Exim<syntaxhighlight lang="console"> | ||
| − | + | $ sudo systemctl restart exim4.service | |
</syntaxhighlight> | </syntaxhighlight> | ||
=== Test === | === Test === | ||
| − | Testing anti-virus software is commonly done using [http://www.eicar.org/83-0-Anti-Malware-Testfile.html EICAR anti malware testfile]. Although this file is not a virus, it will be recognised by all major anti-virus programs. This | + | Testing anti-virus software is commonly done using [http://www.eicar.org/83-0-Anti-Malware-Testfile.html EICAR anti malware testfile]. Although this file is not a virus, it will be recognised by all major anti-virus programs. This allows you to test them without risking infecting yourself. |
To get the file, simply create a file with the following content<syntaxhighlight lang="text"> | To get the file, simply create a file with the following content<syntaxhighlight lang="text"> | ||
Revision as of 15:18, 2 April 2017
ClamAV is a cross-platform antivirus. While it is generic and can scan files in many situations, in this guide we will only configure it to scan emails. Using an antivirus on a mail server serve two goals:
- You wouldn't like you or someone else getting a virus that transited trough your mail server
- The huge majority of emails containing viruses is actually spam. This makes a great complement to Spamassassin.
Prerequisite
This article is part of the emails series. It is assumed that you already covered Exim.
Install
$ sudo apt install clamav clamdscan clamav-daemon
Configure
clamav-unofficial-sigs
The default signatures of ClamAV are quite useless against the rapidly changing zip attachments you find in spam.
Fortunately Sanesecurity provide for free some hourly updated databases that will detect them. Getting them on your system is as simple as
$ sudo apt install clamav-unofficial-sigs
As the version in Debian is quite outdated, it tries by default to download some files that don't exist anymore. This is fixed by creating file /etc/clamav-unofficial-sigs.conf.d/local.conf
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783228
si_dbs=""
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831607
mbl_dbs=""
Integrate with Exim
Permissions
The ClamAV daemon is running under user clamav. We need to get this user access to the mail spool for the scan to be possible.
$ sudo usermod -a -G Debian-exim clamav
$ sudo systemctl restart clamav-daemon.service
Exim setup
Create file /etc/exim4/local-acl with the following content
deny
malware = *
message = This message was detected as possible malware ($malware_name).
and append the following lines to /etc/exim4/conf.d/main/00_local_settings
CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/local-acl
av_scanner = clamd:/var/run/clamav/clamd.ctl
Finally restart Exim
$ sudo systemctl restart exim4.service
Test
Testing anti-virus software is commonly done using EICAR anti malware testfile. Although this file is not a virus, it will be recognised by all major anti-virus programs. This allows you to test them without risking infecting yourself.
To get the file, simply create a file with the following content
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
You can then email this file to yourself. It must be blocked by Exim.
Check the content of /var/log/exim4/rejectlog and /var/log/exim4/paniclog for any issue.
