About QmailToaster ClamAV

About ClamAV

From: Clamav.net
ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats. It is the de facto standard for mail gateway scanning. It provides a high performance multi-threaded scanning daemon, command line utilities for on demand file scanning, and an intelligent tool for automatic signature updates. The core ClamAV library provides numerous file format detection mechanisms, file unpacking support, archive support, and multiple signature languages for detecting threats. The core ClamAV library is utilized in Immunet 3.0, powered by ClamAV, which is a fast, fully featured Desktop AV solution for Windows.
In Qmailtoaster, ClamAV works side-by-side with SpamAssassin under Simscan to make sure all incoming email is free of viruses and spam.

Disable / Enable

You can disable ClamAV (and enable it again) per domain or server-wide. Make sure you know what you are doing and have a strong reason before you do so.

Per Domain

If you have multiple domains and you want to disable ClamAV for just one of them, you can do it like this:
1. Edit the file /var/qmail/control/simcontrol
  vi /var/qmail/control/simcontrol
2. Look for the line that contains the domain for which you want to disable ClamAV (it looks something like this):
  pala.bo-tak.info:clam=yes,spam=yes,spam_hits=11.5,attach=.bat:.chm:.cmd:.com:.dll:.dot:.email:.exe:.hlp:.hta:.inf:.msi:.pif:.reg:.scr:.url:.vbs
3. Change clam=yes to clam=no, so the line looks like this:
  pala.bo-tak.info:clam=no,spam=yes,spam_hits=11.5,attach=.bat:.chm:.cmd:.com:.dll:.dot:.email:.exe:.hlp:.hta:.inf:.msi:.pif:.reg:.scr:.url:.vbs
4. Save the file and quit
5. Compile the simcontrol file so the rule takes effect
  service qmail cdb
To enable ClamAV again, follow the steps above, but in step 3 change clam=no back to clam=yes.
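Steps 1 to 4 above can be scripted for one domain. The following is an added example, not a script shipped with QmailToaster: it rewrites only the clam= field of the matching simcontrol line and leaves the other options (spam=, spam_hits=, attach=) untouched. The file path and the line layout are assumptions taken from the example line above; step 5 (service qmail cdb) still has to be run afterwards.

```shell
#!/bin/sh
# Added example (not QmailToaster's own script): switch the clam= flag for one
# domain in simcontrol without disturbing the rest of that domain's options.
# Assumes the line format shown above: "<domain>:opt=val,opt=val,...".
# Usage: set_clam DOMAIN yes|no [SIMCONTROL_FILE]; then run "service qmail cdb".

set_clam() {
  domain=$1
  value=$2
  file=${3:-/var/qmail/control/simcontrol}

  case "$value" in
    yes|no) ;;
    *) echo "set_clam: value must be yes or no" >&2; return 2 ;;
  esac

  # Escape the dots so the domain is matched literally, not as a regex wildcard.
  esc=$(printf '%s' "$domain" | sed 's/[.]/\\./g')

  if ! grep -q "^${esc}:" "$file"; then
    echo "set_clam: no entry for ${domain} in ${file}" >&2
    return 1
  fi

  # Only touch the matching line; clam= is always preceded by ':' or ','.
  tmp=$(mktemp)
  sed "/^${esc}:/ s/\([:,]\)clam=[a-z]*/\1clam=${value}/" "$file" > "$tmp"
  cat "$tmp" > "$file"   # cat keeps the original file's owner and mode
  rm -f "$tmp"
}

# Print the current clam= value for DOMAIN in FILE (empty if no clam= option).
current_clam() {
  esc=$(printf '%s' "$1" | sed 's/[.]/\\./g')
  grep "^${esc}:" "$2" | sed -n 's/.*[:,]clam=\([a-z]*\).*/\1/p'
}
```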

Server Wide

Temporary

If you want to stop the clamav service temporarily (for whatever reason), here's how. NOTE: the clamav service will not be available until you start it manually or the server is restarted.
If you have QmailToaster Plus tool installed:
1. Stop clamd
  qmail-clam stop
2. Check clamd status
  qmail-clam stat
3. Start clamd
  qmail-clam start
If you do not have QmailToaster Plus installed:
1. Stop clamd
  svc -d /var/qmail/supervise/clamd /var/qmail/supervise/clamd/log
2. Check clamd status
  svstat /var/qmail/supervise/clamd
  svstat /var/qmail/supervise/clamd/log
3. Start clamd
  svc -u /var/qmail/supervise/clamd /var/qmail/supervise/clamd/log

Forever

If you have another email-scanning proxy device in front of your qmailtoaster box, you may want to disable ClamAV scanning to save memory. Here's how:
1. Create the down file for the clamav service (and its log service), so supervise does not start them.
  touch /var/qmail/supervise/clamd/down
  touch /var/qmail/supervise/clamd/log/down
2. Stop qmail.
  service qmail stop
3. Stop the existing freshclam process.
  service freshclam stop
4. Remove freshclam from starting automatically when the server boots.
  chkconfig freshclam off
5. Make sure all qmail services have stopped; if not, kill the running PID.
  service qmail stat
6. Start qmail service again.
  service qmail start

Update

Definition update

By default, if the freshclam service is running, it updates the clamav definitions automatically. If you want to make sure you have the latest definitions, run this command (sample output follows):
freshclam
ClamAV update process started at Wed Mar 23 11:41:16 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
Downloading daily-12882.cdiff [100%]
Downloading daily-12883.cdiff [100%]
daily.cld updated (version: 12883, sigs: 76664, f-level: 60, builder: ccordes)
bytecode.cld is up to date (version: 142, sigs: 40, f-level: 60, builder: acab)
Database updated (922918 signatures) from db.id.clamav.net (IP: 62.75.137.14)

Engine update

The ClamAV team releases new versions periodically. When they do, the QMT team releases a new clamav-toaster as soon as possible. Here's how to update your clamav engine version:
If you have the QmailToaster Plus tool installed you can run qtp-newmodel, but note that this tool does not only update your clamav engine; it also updates the other *-toaster packages when new versions are available.
qtp-newmodel
If you do not have QmailToaster Plus, or you only want to update clamav, follow these steps:
1. Stop the qmail service
  service qmail stop
2. Remove the existing clamav package
  rpm -e --nodeps clamav-toaster
3. Download the new clamav-toaster source package from the Qmailtoaster mirrors
  wget http://mirrors.qmailtoaster.net/clamav-toaster-0.97.0-1.3.41.src.rpm
4. Rebuild the new clamav-toaster source package, replacing $DISTRO with your OS name and version. The available $DISTRO values can be seen in the install script on the Qmailtoaster Distro page. For example, with cnt4064:
  rpmbuild --rebuild --with $DISTRO clamav-toaster-newpkg.src.rpm
  rpmbuild --rebuild --with cnt4064 clamav-toaster-0.97.0-1.3.41.src.rpm
5. Install the clamav-toaster binary RPM (the path of the built RPM is printed at the end of the rpmbuild run). For example:
  rpm -Uvh clamav-toaster-new.rpm
  rpm -Uvh /usr/src/redhat/RPMS/x86_64/clamav-toaster-0.97.0-1.3.41.x86_64.rpm
6. Compile the qmail cdb files and start qmail.
  service qmail cdb
  service qmail start

Additional definition

There are additional clamav definitions that help your server minimize incoming spam. Those definitions are provided by:
If you have QmailToaster Plus installed, the easiest way to install the additional clamav definitions is to run:
qtp-install-sanesecurity
Details about qtp-install-sanesecurity can be found at the QTP site.
If you do not have QmailToaster Plus, consult each definition provider directly.

Log Monitoring

If you have QmailToaster Plus you can run the following (check the qmlog manual for other options):
qmlog -f clamd

If you do not have QTP, read the supervise log directly; tai64nlocal converts the log's TAI64N timestamps to local time. For example, to follow the log, to show only lines mentioning pdf, or to show only lines that do not contain OK:
tail -f /var/log/qmail/clamd/current | tai64nlocal
grep pdf /var/log/qmail/clamd/current | tai64nlocal | more
grep -v OK /var/log/qmail/clamd/current | tai64nlocal | more
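The grep -v OK filter above can be turned into a small triage helper. The following is an added example, not from the QmailToaster documentation: it tallies the FOUND lines in the clamd supervise log by signature name and includes a constructed sample log to try it on. The line layout ("<tai64n> <scanned path>: <Signature> FOUND") is an assumption based on clamd's default output when it logs to its supervise log.

```shell
#!/bin/sh
# Added example (not QmailToaster's own): tally detections in the clamd
# supervise log. Assumed line format: "<tai64n> <scanned path>: <Signature> FOUND";
# status lines such as "SelfCheck: Database status OK." are ignored.

# Print "count signature", most frequent signature first.
found_summary() {
  awk '$NF == "FOUND" { hits[$(NF-1)]++ }
       END { for (s in hits) printf "%d %s\n", hits[s], s }' "$1" | sort -rn
}

# Number of detection lines in the log (0 if none).
found_count() {
  grep -c ' FOUND$' "$1" || true
}

# Write a constructed sample log (timestamps and paths are made up) to $1.
write_sample_log() {
  cat > "$1" <<'EOF'
@400000004d89b3a42a3f2b5c SelfCheck: Database status OK.
@400000004d89b3c81b2e9a10 /var/qmail/simscan/1300877512.602398.5540/msg.1300877512.602398.5540: Eicar-Test-Signature FOUND
@400000004d89b3f0305a7b44 /var/qmail/simscan/1300877552.118871.5613/msg.1300877552.118871.5613: Heuristics.Phishing.Email.SpoofedDomain FOUND
@400000004d89b4110c1d2e33 /var/qmail/simscan/1300877585.771231.5702/msg.1300877585.771231.5702: Eicar-Test-Signature FOUND
@400000004d89b43a2b1c0d5e Reading databases from /usr/share/clamav
EOF
}

# Stand-alone demo: write the sample, then summarise it.
log=$(mktemp)
write_sample_log "$log"
echo "detections: $(found_count "$log")"
found_summary "$log"
rm -f "$log"
```

Point found_summary at /var/qmail/log/clamd/current (or the /var/log/qmail path used above) to get the same tally for the live log.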
