TestingProcedures

Introduction

This page lists some procedures for testing the various applications that use and depend on ClamAV anti-virus software. These procedures are in somewhat rough shape: they are meant to minimally configure a particular package for testing and shouldn't be used as a production guide.

This page is part of the MOTU/Clamav update/backport effort.

NOTES:

  • testing shouldn't be done on a production machine (obviously)
  • it's always a good idea to purge (remove --purge) the packages and start from scratch when testing/retesting

amavisd-new

  • install amavis and postfix (configure it as Internet site)

# sudo apt-get install amavisd-new postfix
  • edit /etc/amavis/conf.d/15-content_filter_mode and uncomment:

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl,
   \$bypass_virus_checks_re);
  • edit /etc/amavis/conf.d/15-av_scanners, make sure clamd is configured as primary, clamscan as backup scanner, comment the rest out to be sure

  • also make sure that the clamd socket path in that entry points to the correct socket file

 ['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
   qr/\bOK$/m, qr/\bFOUND$/m,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
  • edit /etc/amavis/conf.d/50-user, add a valid hostname:

$myhostname = "example.com";
  • edit /etc/postfix/master.cf add:

smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
  • also add the following two lines immediately below the "pickup" transport service (lines need to start with a whitespace/tab!)

        -o content_filter=
        -o receive_override_options=no_header_body_checks
  • edit /etc/postfix/main.cf add the following line to the end:

content_filter = smtp-amavis:[127.0.0.1]:10024
  • add clamav user to the amavis group:

# sudo usermod -a -G amavis clamav
  • verify that /etc/clamav/clamd.conf has:

AllowSupplementaryGroups true
  • (re)start everything that's changed:

# sudo /etc/init.d/postfix restart 
# sudo /etc/init.d/clamav-daemon restart
# sudo /etc/init.d/amavis start
  • send a message through with a virus attachment, check /var/log/mail.log for something similar to:

Sep 30 22:53:57 utest-lls32 amavis[7207]: (07207-01) Blocked INFECTED (Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68)), LOCAL [172.16.21.1] [172.16.21.1] <gimre@example.com> -> <gimre@example.com>, quarantine: 1/virus-1-BWG7Fdyonr, Message-ID: <20100930195357.45CD419F8B9@voy>, mail_id: 1-BWG7Fdyonr, Hits: -, size: 1409, 181 ms
  • stop clamav-daemon to test backup scanner (which should be clamscan), send an email and check the logs:

Sep 30 22:57:11 utest-lls32 amavis[7206]: (07206-01) (!)ClamAV-clamd: Can't connect to UNIX socket /var/run/clamav/clamd.ctl: 2, retrying (2)
Sep 30 22:57:17 utest-lls32 amavis[7206]: (07206-01) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl (Can't connect to UNIX socket /var/run/clamav/clamd.ctl: No such file or directory) at (eval 115) line 373.\n
Sep 30 22:57:17 utest-lls32 amavis[7206]: (07206-01) (!!)WARN: all primary virus scanners failed, considering backups
Sep 30 22:57:22 utest-lls32 amavis[7206]: (07206-01) Blocked INFECTED (Eicar-Test-Signature), LOCAL [172.16.21.1] [172.16.21.1] <gimre@example.com> -> <gimre@example.com>, quarantine: 2/virus-2PXuTWKdFjk6, Message-ID: <20100930195710.0498619F8B9@voy>, mail_id: 2PXuTWKdFjk6, Hits: -, size: 1409, 11889 ms
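The two log excerpts above are what a successful amavis test looks like with the primary scanner and with the clamscan backup. As an added example (not part of the original page), the Python 3 script below reads such a mail.log, groups the amavis lines by task id and checks that each test message was blocked with the expected signature name and through the expected scanner path; the sample log embedded in it is constructed after the lines above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample of /var/log/mail.log, modelled on the amavis lines above:
# task 07207-01 was caught by the primary scanner (clamd), task 07206-01 fell
# back to the clamscan backup after clamd was stopped, task 07208-01 is clean.
SAMPLE_LOG = """\
Sep 30 22:53:57 utest-lls32 amavis[7207]: (07207-01) Blocked INFECTED (Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68)), LOCAL [172.16.21.1] [172.16.21.1] <gimre@example.com> -> <gimre@example.com>, quarantine: 1/virus-1-BWG7Fdyonr, Message-ID: <20100930195357.45CD419F8B9@voy>, mail_id: 1-BWG7Fdyonr, Hits: -, size: 1409, 181 ms
Sep 30 22:57:11 utest-lls32 amavis[7206]: (07206-01) (!)ClamAV-clamd: Can't connect to UNIX socket /var/run/clamav/clamd.ctl: 2, retrying (2)
Sep 30 22:57:17 utest-lls32 amavis[7206]: (07206-01) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl
Sep 30 22:57:17 utest-lls32 amavis[7206]: (07206-01) (!!)WARN: all primary virus scanners failed, considering backups
Sep 30 22:57:22 utest-lls32 amavis[7206]: (07206-01) Blocked INFECTED (Eicar-Test-Signature), LOCAL [172.16.21.1] [172.16.21.1] <gimre@example.com> -> <gimre@example.com>, quarantine: 2/virus-2PXuTWKdFjk6, Message-ID: <20100930195710.0498619F8B9@voy>, mail_id: 2PXuTWKdFjk6, Hits: -, size: 1409, 11889 ms
Sep 30 23:01:05 utest-lls32 amavis[7208]: (07208-01) Passed CLEAN, LOCAL [172.16.21.1] [172.16.21.1] <gimre@example.com> -> <gimre@example.com>, Message-ID: <20100930200105.0000019F8B9@voy>, mail_id: 3-CONSTRUCTED, Hits: -, size: 812, 95 ms
Sep 30 23:01:05 utest-lls32 postfix/qmgr[7001]: 0123456789AB: removed
"""

AMAVIS_LINE = re.compile(r"amavis\[\d+\]: \((?P<task>\d+-\d+)\) (?P<msg>.*)$")
BLOCKED = re.compile(r"^Blocked INFECTED \((?P<virus>[^(),]+)")
SCANNER_FAILED = re.compile(r"^\(!\)(?P<scanner>\S+) av-scanner FAILED")
FALLBACK = re.compile(r"^\(!!\)WARN: all primary virus scanners failed")
SCAN_MS = re.compile(r", (?P<ms>\d+) ms$")


@dataclass
class TaskResult:
    task: str
    blocked: bool = False
    virus: str = ""
    used_backup: bool = False
    failed_scanners: List[str] = field(default_factory=list)
    scan_ms: int = -1


def summarize_amavis_log(text: str) -> Dict[str, TaskResult]:
    """Group amavis lines by task id and record what happened to each message."""
    results: Dict[str, TaskResult] = {}
    for line in text.splitlines():
        m = AMAVIS_LINE.search(line)
        if not m:
            continue  # postfix, clamd or other non-amavis line
        task, msg = m.group("task"), m.group("msg")
        r = results.setdefault(task, TaskResult(task))
        b = BLOCKED.match(msg)
        if b:
            r.blocked = True
            r.virus = b.group("virus")  # name without the (md5:size) suffix
        f = SCANNER_FAILED.match(msg)
        if f:
            r.failed_scanners.append(f.group("scanner"))
        if FALLBACK.match(msg):
            r.used_backup = True
        t = SCAN_MS.search(msg)
        if t:
            r.scan_ms = int(t.group("ms"))
    return results


def check_task(r: TaskResult, expect_backup: bool) -> List[str]:
    """Compare one task with what the test step expects; an empty list means OK."""
    problems = []
    if not r.blocked:
        problems.append("message was not blocked")
    elif not r.virus.startswith("Eicar-Test-Signature"):
        problems.append("unexpected detection name: " + r.virus)
    if r.used_backup and not expect_backup:
        problems.append("backup scanner used (primary scanners failed: %s)"
                        % ", ".join(r.failed_scanners))
    if expect_backup and not r.used_backup:
        problems.append("primary scanner handled the message; backup path not exercised")
    return problems


if __name__ == "__main__":
    import sys
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for task, r in summarize_amavis_log(log).items():
        print(task, "blocked" if r.blocked else "passed", r.virus or "-",
              "backup" if r.used_backup else "primary", r.scan_ms, "ms")
```

Run it with the path to a real mail.log as the first argument; the much larger scan time of the backup task (11889 ms vs 181 ms) is itself a useful tell that clamscan, not clamd, did the work.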

avscan

  • sudo apt-get install avscan
  • /usr/bin/avscan
  • Scan a file.

clamassassin

  • install clamassassin and procmail (also postfix and clamav-daemon)

# sudo apt-get install postfix procmail clamassassin clamav-daemon
  • configure postfix as Internet site

  • in /etc/postfix/main.cf change the MDA (mail delivery agent) to procmail (just append the following line then restart postfix)

mailbox_command = /usr/bin/procmail
  • create a test user and put a .procmailrc file in its home directory:

# useradd -m testuser
# touch /home/testuser/.procmailrc
# chown testuser:testuser /home/testuser/.procmailrc
  • copy-paste the following code in .procmailrc to enable clamassassin:

##########
MAILDIR=$HOME/Maildir

:0fw
| /usr/bin/clamassassin

:0:
* ^X-Virus-Status: Yes
.virus/
##########
  • create the user's Maildir:

# cd /home/testuser
# mkdir -p Maildir/new Maildir/cur Maildir/tmp
# mkdir -p Maildir/.virus/new Maildir/.virus/cur Maildir/.virus/tmp
# chown -R testuser:testuser Maildir/
  • make sure clamd is running and the virus databases are up-to-date (in /var/lib/clamav)
  • get the test virus file from http://eicar.org/85-0-Download.html, and send a mail to testuser

  • the mail should be delivered in the .virus/new subfolder in /home/testuser/Maildir

  • open the mail and look for similar lines in the header:

X-Virus-Report: Eicar-Test-Signature FOUND 
X-Virus-Checker-Version: clamassassin 1.2.4 with clamscan / ClamAV 0.97.2/13453/Thu Aug 18 07:34:24 2011

Clamassassin can be configured to use clamdscan/clamav-daemon for scanning email which is preferred over clamscan as it is much faster.

  • edit /etc/default/clamassassin and change the scanner

CLAMSCAN=clamdscan
  • make sure clamd is running and using a local (Unix) socket and not TCP socket (in /etc/clamav/clamd.conf)

  • after sending the email with the virus, look at the header, now it should say 'clamdscan':

X-Virus-Report: Eicar-Test-Signature FOUND 
X-Virus-Checker-Version: clamassassin 1.2.4 with clamdscan / ClamAV 0.97.2/13453/Thu Aug 18 07:34:24 2011

clamcour

  • sudo apt-get install courier-mta
  • sudo apt-get install clamcour
  • Edit /etc/courier/smtpaccess/default and change:

192.168.0     allow,RELAYCLIENT
  • Configure a valid DNS domain.
  • Configure a Postfix on another host to send the messages. Using Mutt won't work.
  • Edit /etc/courier/locals and add the domain.
  • Edit /etc/courier/defaultdomain and set it to host.domain.org
  • sudo makesmtpaccess
  • sudo makehosteddomains
  • sudo /etc/init.d/courier-mta restart
    • You should now be able to send a message through courier
  • sudo filterctl start clamcour
  • Send a virus through the system and it should be logged to /var/log/mail.log.

clamfs

  • install clamfs

# sudo apt-get install clamfs
  • create a temporary folder to be the mountpoint for /tmp (default is /clamfs/tmp)

# mkdir -p /clamfs/tmp
  • get eicar.com file from http://eicar.org/85-0-Download.html, copy it to /tmp

  • run clamfs with the example conf from the package (make sure clamav-daemon is running)
    • this will mount /tmp to /clamfs/tmp (check with mount)

# cp /usr/share/doc/clamfs/clamfs-sample.xml.gz /root
# gunzip /root/clamfs-sample.xml.gz
# clamfs /root/clamfs-sample.xml
22:28:59 (clamfs.cxx:963) ClamFS v1.0.1
22:28:59 (clamfs.cxx:964) Copyright (c) 2007,2008 Krzysztof Burghardt <krzysztof@burghardt.pl>
22:28:59 (clamfs.cxx:965) http://clamfs.sourceforge.net/
22:28:59 (clamfs.cxx:1050) chdir to our 'root' (/tmp)
22:28:59 (clamfs.cxx:1091) ScanCache initialized, 16384 entries will be kept for 10800000 ms max.
22:28:59 (clamfs.cxx:1102) Statistics module initialized
22:28:59 (rlog.cxx:84) logs goes to syslog
# mount | grep clamfs
clamfs on /clamfs/tmp type fuse.clamfs (rw,nosuid,nodev,allow_other,default_permissions)
  • try to read /clamfs/tmp/eicar.com, should get 'operation not permitted' message

  • check syslog for clamfs message:

Aug 18 22:31:13 utest-nns32 clamfs: (root:16714) (root:0) /eicar.com: forced anti-virus scan because extension blacklisted
Aug 18 22:31:13 utest-nns32 clamfs: (cat:16714) (root:0) /tmp/eicar.com: Eicar-Test-Signature FOUND

clamsmtp

  • install clamsmtp and postfix

# sudo apt-get install clamsmtp postfix
  • edit /etc/postfix/master.cf and add:

scan      unix  -       -       n       -       16      smtp
        -o smtp_send_xforward_command=yes
        -o smtp_enforce_tls=no

127.0.0.1:10025 inet  n -       n       -       16      smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks_style=host
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8

NOTE: the stock clamsmtpd in Ubuntu listens on port 10026 and forwards scanned mail to port 10025, which is where postfix should listen (check /etc/clamsmtpd.conf); the guide above does it the other way around

  • edit /etc/postfix/main.cf, append the following line to it

content_filter = scan:[127.0.0.1]:10026
  • sudo /etc/init.d/postfix restart
  • sudo /etc/init.d/clamsmtp restart
  • send a mail through the system with a virus attachment
  • should see the message being rejected and the virus name in /var/log/mail.log

Aug 18 22:44:10 utest-nns32 postfix/smtp[18073]: 51301149F4: to=<gimre@utest-nns32.narancs.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.12, delays=0.07/0/0.04/0, dsn=2.0.0, status=sent (250 Virus Detected; Discarded Email)
Aug 18 22:44:10 utest-nns32 postfix/qmgr[18065]: 51301149F4: removed
Aug 18 22:44:10 utest-nns32 clamsmtpd: 100000: from=gimre@utest-nns32.narancs.net, to=gimre@utest-nns32.narancs.net, status=VIRUS:Eicar-Test-Signature

clamtk

  • install clamtk

# sudo apt-get install clamtk

dansguardian

  • install dansguardian and squid proxy:

# sudo apt-get install dansguardian squid
  • to enable dansguardian, edit /etc/dansguardian/dansguardian.conf, comment out "UNCONFIGURED" at the beginning of the file

  • set up squid to listen on 127.0.0.1:3128, for this edit /etc/squid/squid.conf, search for http_port and change it to:

http_port 127.0.0.1:3128

Depending on which part of clamav you are testing, you need to enable a content scanner in /etc/dansguardian/dansguardian.conf

  • for testing libclamav, uncomment the following:

#contentscanner = '/etc/dansguardian/contentscanners/clamav.conf'
  • for testing clamdscan/clamav-daemon, uncomment:

#contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'

NOTE: there are some extra steps to be taken when using clamdscan:

  • clamav-daemon needs to be installed and running (obviously)
  • the clamav user needs to be in dansguardian group for clamd to be able to scan dansguardian's temporary files, this can be achieved with the following commands:

# usermod -a -G dansguardian clamav
# /etc/init.d/clamav-daemon restart
  • restart squid and (re)start dansguardian:

# sudo /etc/init.d/squid restart
# sudo /etc/init.d/dansguardian start
  • set your browser to use dansguardian as a proxy server (on port 8080), then try to download a test virus file, like one of these: http://eicar.org/85-0-Download.html

  • it should get blocked with a warning and there should be an entry in /var/log/dansguardian/access.log similar to this:

2011.8.17 21:43:34 - 172.16.21.1 http://eicar.org/download/eicar.com.txt *INFECTED* *DENIED* Virus or bad content detected. Eicar-Test-Signature GET 68 0 Content scanning 1 403 application/octet-stream   -

dspam

  • sudo apt-get install dspam
  • Download dspamit shell script from dspamit_wrapper
  • Save it in /usr/local/bin/dspamit
  • sudo chmod 755 /usr/local/bin/dspamit
  • Edit /etc/dspam/dspam.conf uncomment and change:

TrustedDeliveryAgent "/usr/sbin/sendmail"


ClamAVPort      3310
ClamAVHost      127.0.0.1
ClamAVResponse accept

Opt out
  • Edit /etc/clamav/clamd.conf add:

TCPSocket 3310
TCPAddr 127.0.0.1
  • sudo /etc/init.d/clamav-daemon restart
  • Edit /etc/postfix/master.cf add:

smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=dspam:
dspam     unix  -       n       n       -       10      pipe
  flags=Rhqu user=dspam argv=/usr/local/bin/dspamit ${sender} ${recipient}
  • Edit /etc/postfix/main.cf add:

dspam_destination_recipient_limit = 1
  • Edit /etc/default/dspam change no to yes:

START=yes
  • sudo /etc/init.d/postfix restart
  • Send a virus through; it shouldn't come through, and it should be logged to /var/log/clamav/clamav.log

exim4

  • install and configure exim4 (select 'Split configuration')

# sudo apt-get install exim4-daemon-heavy
# sudo dpkg-reconfigure exim4-config
  • should be able to send mail at this point
  • edit /etc/exim4/conf.d/main/02_exim4-config_options, enable:

av_scanner = clamd:/var/run/clamav/clamd.ctl
  • create new file /etc/exim4/conf.d/main/00_localmacros, add:

CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/local_acl
  • create new file /etc/exim4/local_acl and add the following:

# Reject messages that have serious MIME errors.
# This calls the demime condition again, but it
# will return cached results.
deny message = Serious MIME defect detected ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
#
# Reject file extensions used by worms.
#
deny message = This domain has a policy of not accepting certain types \
               of attachments in mail as they may contain a virus.  \
               \
               This mail has a file with a .$found_extension attachment and \
               is not accepted. \
               \
               If you have a legitimate need to send this attachment, send it \
               in a compressed archive, and it will then be forwarded to the \
               recipient.
demime = vbs:bat:pif:scr
.ifdef TEERGRUBE
   delay = TEERGRUBE
.endif
# Reject messages containing malware.
deny message = This message contains a virus ($malware_name) and has been rejected
malware = *
  • restart exim

# sudo update-exim4.conf
# sudo /etc/init.d/exim4 restart
  • you may need to add clamav user to debian-exim group (on Natty at least)

# usermod -a -G Debian-exim clamav
# sudo /etc/init.d/clamav-daemon restart
  • send a virus through the system and you should see a rejection message from ClamAV in /var/log/exim4/mainlog

2011-08-19 00:14:08 1Qu9ui-0005bU-4s H=voy (voy.localdomain) [172.16.21.1] F=<gimre@localhost> rejected after DATA: This message contains a virus (Eicar-Test-Signature) and has been rejected

gurlchecker

  • sudo apt-get install gurlchecker
  • Execute /usr/bin/gurlchecker
  • Enable Virii scanning in Security section.
  • Check a site with a virus.
  • Should see virus name on console.

havp

  • install havp

# sudo apt-get install havp
  • havp listens only on localhost by default, you may need to change that in /etc/havp/havp.config

    • comment out the line:

BIND_ADDRESS 127.0.0.1
  • don't forget to restart havp
  • change browser connection settings to use proxy on port 8080 (havp default) and clear browser cache
  • browse to a page with a virus (e.g. http://eicar.org/85-0-Download.html), and try downloading a file

  • page should be blocked by havp and the virus should be logged to /var/log/havp/access.log:

17/08/2011 21:58:25 172.16.21.1 GET 200 http://eicar.org/download/eicar.com.txt 314+68 VIRUS ClamAV: Eicar-Test-Signature

NOTE: havp uses libclamav by default but it can be configured to use clamd for scanning, you might want to test that

  • change /etc/havp/havp.config to use clamd and not libclamav:

ENABLECLAMLIB false
ENABLECLAMD true
CLAMDSOCKET /var/run/clamav/clamd.ctl
  • clamav-daemon needs to be installed and running (obviously)
  • the clamav user needs to be in havp group for clamd to be able to scan havp's temporary files, this can be achieved with the following commands:

# usermod -a -G havp clamav
# /etc/init.d/clamav-daemon restart
  • logfile should reflect that scanning was performed using clamd:

17/08/2011 22:09:13 172.16.21.1 GET 200 http://eicar.org/download/eicar.com.txt 314+68 VIRUS Clamd: Eicar-Test-Signature

klamav

  • install klamav (you will need a running graphical environment for this)

# sudo apt-get install klamav

NOTE: by default, /var/lib/clamav is used as the database folder which cannot be updated by a normal user. To test with latest signatures you can change the database directory to /home/<user>/.klamav/database in the 'Update' tab.

kmail

  • install postfix + dovecot (for POP3), clamav-daemon and kmail

# sudo apt-get install postfix dovecot-pop3d clamav-daemon kmail
  • start kmail, configure a local POP3 email account, make sure it works
  • in the menu go to Tools / Anti-Virus Wizard...

  • clamd should appear in the list, select it, click Next

  • select the first two options (Check messages using the anti-virus tool and Move to selected folder)

  • select Local Folders/trash and click Finish

  • go to Settings / Configure Filters... and check that the antivirus filters got added (there should be two, one for scanning and marking the email in the header, the other one to move the email if virus found)

  • send a test email with virus attached to the account, then Check Mail and see the message moved automatically to the trash folder

libclamav-client-perl

# sudo apt-get install libclamav-client-perl
  • create a new file (say /tmp/test.pl), copy-paste the following perl code:

#!/usr/bin/perl
###################################
#
# libclamav-client-perl test script
#
###################################
use strict;
use warnings;
use ClamAV::Client;

# connect to clamd through its UNIX socket
# (Ubuntu default socket path)
my $scanner = ClamAV::Client->new(
    socket_name     => '/var/run/clamav/clamd.ctl'
);

# check that clamd is running and answering
die("ClamAV daemon not alive\n")
    if not defined($scanner) or not $scanner->ping();

# print clamav version information
my $version = $scanner->version;
print "$version\n";

# scan a file (clamd opens it itself, so the clamav user needs read access);
# $result is the virus name if one was found, undef otherwise
my ($path, $result) = $scanner->scan_path('/tmp/eicar.com');
if (defined($result)) {
    print "Virus found in $path: $result\n";
}
else {
    print "No virus found.\n";
}
###################################
#
# test script end
#
###################################
  • running the script should produce the following output:

root@utest-nns32:/tmp# perl /tmp/test.pl 
ClamAV 0.97.2/13454/Thu Aug 18 18:32:54 2011
Virus found in /tmp/eicar.com: Eicar-Test-Signature

mailscanner

  • sudo apt-get install mailscanner
  • Edit /etc/postfix/main.cf add:

header_checks = regexp:/etc/postfix/header_checks
  • Create /etc/postfix/header_checks add:

/^Received:/ HOLD
  • Edit /etc/MailScanner/MailScanner.conf change:

Run As User = postfix
Run As Group = postfix
 
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix

Virus Scanners = clamav

  • give the postfix user ownership of the MailScanner directories:

sudo chown -R postfix:postfix /var/spool/MailScanner/
sudo chown -R postfix:postfix /var/lib/MailScanner/
sudo chown -R postfix:postfix /var/run/MailScanner/
sudo chown -R postfix:postfix /var/lock/subsys/MailScanner/
  • Edit /etc/default/mailscanner uncomment:

run_mailscanner=1
  • sudo /etc/init.d/mailscanner restart
  • sudo /etc/init.d/postfix restart
  • Send a message through with a virus attached should see it logged to /var/log/mail.log.

mediawiki

  • sudo apt-get install apache2 libapache2-mod-php5 mysql-server
  • sudo apt-get install mediawiki clamav
  • configure MySQL to listen on IP Address:
  • edit /etc/mysql/my.cnf:

bind-address     = 192.168.0.10
  • create a database for the wiki and give access rights to wikiuser
    • mysql -u root

create database wikidb;
grant all on wikidb.* to wikiuser@'192.168.0.10' identified by 'password';
  • configure Apache:
    • sudo cp /etc/mediawiki/apache.conf /etc/apache2/sites-available/mediawiki.conf
    • sudo a2ensite mediawiki.conf
    • sudo /etc/init.d/apache2 reload
  • setup the wiki using a browser pointed to http://server/mediawiki to make sure it works

  • edit /etc/mediawiki/LocalSettings.php and enable file uploads, by searching for and uncommenting the following line:

#$wgEnableUploads       = true;
  • edit /etc/mediawiki/LocalSettings.php and add the following to the end, enabling scanning uploaded zip files with clamav:

$wgAntivirus = 'clamav';
$wgFileExtensions[] = 'zip';

  • upload a zip file containing the test virus through the wiki; the upload should be refused with a warning like:

Upload warning
The file contains a virus! Details: Eicar-Test-Signature FOUND

mimedefang

  • install mimedefang and sendmail

# sudo apt-get install mimedefang sendmail
  • edit /etc/mail/sendmail.mc, change:

DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp, Addr=172.18.100.50')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission, Addr=172.18.100.50')dnl
INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:5m;R:5m')dnl
  • run sendmailconfig, then add clamav to the defang and smmsp groups and defang to the clamav group:

# sudo sendmailconfig
# usermod -a -G defang,smmsp clamav
# usermod -a -G clamav defang
  • edit /etc/mail/mimedefang-filter add the following to the top:

# For clamav.
$Features{'Virus:CLAMD'} = 1;
$ClamdSock  = "/var/run/clamav/clamd.ctl";
  • restart everything:

# mimedefang.pl -test
# sudo /etc/init.d/clamav-daemon restart
# sudo /etc/init.d/mimedefang restart
  • send virus through the system and it should be logged to /var/log/mail.log

Aug 19 02:04:31 utest-nns32 mimedefang.pl[4544]: MDLOG,p7IN4UXO005515,virus,Eicar-Test-Signature,172.16.21.1,<gergelyimre@gmail.com>,<gimre@utest-nns32.narancs.net>,[TESTMAIL] eicar test mail
Aug 19 02:04:31 utest-nns32 mimedefang.pl[4544]: Discarding because of virus Eicar-Test-Signature
Aug 19 02:04:31 utest-nns32 mimedefang.pl[4544]: filter: p7IN4UXO005515:  discard=1
Aug 19 02:04:31 utest-nns32 mimedefang[4543]: p7IN4UXO005515: Discarding because filter instructed us to
Aug 19 02:04:31 utest-nns32 sm-mta[5515]: p7IN4UXO005515: Milter: data, discard
Aug 19 02:04:31 utest-nns32 sm-mta[5515]: p7IN4UXO005515: discarded

nautilus-clamscan

Nautilus-clamscan is a Nautilus extension for scanning files for viruses easily by right-clicking on them. See https://launchpad.net/nautilus-clamscan for more information.

# sudo apt-get install nautilus-clamscan
  • logout/login for the extension to get loaded
  • download a testfile from http://eicar.org/85-0-Download.html to the Desktop

  • right-click on the file and select Scan for viruses...

  • a File manager popup should appear with scanning progress bar, saying that it found 1 infected file

p3scan

  • install dovecot, clamav-daemon and p3scan

# sudo apt-get install dovecot-pop3d clamav-daemon p3scan
  • enable plain POP3 protocol in dovecot (/etc/dovecot/dovecot.conf):

protocols = pop3 imap imaps
  • add the clamav user to p3scan group:

# usermod -a -G p3scan clamav
# id clamav
uid=110(clamav) gid=110(clamav) groups=110(clamav),114(p3scan)
  • configure clamav-daemon to listen on TCP port 3310 (/etc/clamav/clamd.conf)

TCPSocket 3310
TCPAddr 127.0.0.1

NOTE: p3scan uses clamav-daemon either by calling clamdscan or communicating with clamd directly through TCP socket

  • edit /etc/p3scan/p3scan.conf and set the following options:

(for scanning with clamdscan)

scanner = /usr/bin/clamdscan --no-summary
virusregexp = .*: (.*) FOUND

(for scanning directly with clamd through TCP socket)

scannertype = clamd
scanner = 127.0.0.1:3310
virusregexp = .*: (.*) FOUND
  • IMPORTANT! restart everything that changed

# sudo /etc/init.d/clamav-daemon restart
# sudo /etc/init.d/dovecot restart
# sudo /etc/init.d/p3scan restart
  • redirect the POP3 port 110 to 8110 (p3scan default) using iptables:

# sudo iptables -t nat -A PREROUTING -p tcp --dport pop3 -j REDIRECT --to 8110
  • send an email with virus attachment through the system then try opening the mail using POP3

# telnet utest-nns32 110
Trying 172.16.21.183...
Connected to utest-nns32.narancs.net.
Escape character is '^]'.
+OK Dovecot ready.
user gimre
+OK
pass *****
+OK Logged in.
retr 1
+OK P3Scan'ing...
  • should get an email body stating something like:

This message body was generated automatically from P3Scan, which runs on
utest-nns32.(none) for scanning all incoming email.

It replaces the body of a message sent to you that contained a VIRUS!
[...]
  • p3scan should then quarantine the message in /var/spool/p3scan

  • if the above step is not working and p3scan crashes, make sure that clamav-daemon is running and it's in the p3scan group

php5-clamav

Install php5-clamav package (only available since Lucid, replaces php{4,5}-clamavlib)

  • sudo apt-get install php5-clamav
  • sudo /etc/init.d/apache2 restart

Create a test script:

  • vi /var/www/vir.php

<?php

print cl_info()."<br/>";
$virname = '';
$file = '/tmp/eicar_com.zip';

$ret = cl_scanfile($file,$virname); 
print "<br/>"; 
if ($ret) {
  print "Virus found in $file: $virname .<br/>";
}
else {
  print "No virus found in $file.<br/>";
}
?>

Browse to the script, should see virus details if a virus is found.

For more details see /usr/share/doc/php5-clamav/README.Debian included with the package.

php5-clamavlib

  • sudo apt-get install php5-clamavlib
  • sudo /etc/init.d/apache2 restart

Create a test script:

<?php 

print cl_info()."<br/>"; 
$ret = cl_scanfile('/path/to/virus_file'); 
print "<br/>"; 

print $ret; 
print "<br/>"; 
print "<br/>"; 

echo cl_info() . "<br>"; 

$file = "/path/to/virus_file"; 
cl_scanfile_ex($file, CL_SCAN_STDOPT, $virus, $retcode);
if ($retcode == CL_VIRUS) 
    echo $file . " returns: " . cl_pretcode($retcode) . " virus name: " . $virus . "<br>"; 
else 
    echo $file . " returns: " . cl_pretcode($retcode) . "<br>"; 

?>
  • Place the script under the web root.
  • Browse to the script, should see virus details if a virus is scanned.
  • If php5-clamavlib is broken it usually causes an Apache error and it won't start with PHP enabled.

php4-clamavlib

  • sudo apt-get install php4-clamavlib
  • Edit /etc/php4/apache2/php.ini remove -e from the extension statement:

extension=clamav.so
  • sudo /etc/init.d/apache2 restart
  • Create a test script:

<?php 

print cl_info()."<br/>"; 
$ret = cl_scanfile('/path/to/virus_file'); 
print "<br/>"; 

print $ret; 
print "<br/>"; 
print "<br/>"; 

echo cl_info() . "<br>"; 

$file = "/path/to/virus_file"; 
cl_scanfile_ex($file, CL_SCAN_STDOPT, $virus, $retcode);
if ($retcode == CL_VIRUS) 
    echo $file . " returns: " . cl_pretcode($retcode) . " virus name: " . $virus . "<br>"; 
else 
    echo $file . " returns: " . cl_pretcode($retcode) . "<br>"; 

?>
  • Place the script under the web root.
  • Browse to the script, should see virus details if a virus is scanned.
  • If php4-clamavlib is broken it usually causes an Apache error and it won't start with PHP enabled.

Note: php4-clamavlib is not available on newer Ubuntu releases. See php5-clamavlib above or php-clamav (it supports ClamAV 0.95.x).

pyclamd

  • make sure the test file /tmp/eicar.com is readable by clamd:

# chmod 0666 /tmp/eicar.com
  • fire up python and copy-paste the commands below (the lines starting with >>>)

# python
Python 2.7.1+ (r271:86832, Apr 11 2011, 18:05:24) 
[GCC 4.5.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pyclamd
>>> pyclamd.init_unix_socket(filename='/var/run/clamav/clamd.ctl')
>>> print pyclamd.version()
ClamAV 0.97.2/13455/Thu Aug 18 23:04:32 2011
>>> ret = pyclamd.scan_file('/tmp/eicar.com')
>>> print ret
{'/tmp/eicar.com': 'Eicar-Test-Signature'}
>>> ret = pyclamd.scan_stream(open('/tmp/eicar.com').read())
>>> print ret
{'stream': 'Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68)'}
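The pyclamd session above and the amavis 'ClamAV-clamd' entry earlier on this page both talk to clamd over its UNIX socket. The Python 3 client below is an added example (not part of the original page, nor pyclamd's or amavis's code) showing that protocol directly: PING/VERSION, CONTSCAN (clamd opens the file itself, which is why the group-membership steps on this page matter) and INSTREAM (the client pushes the bytes, as scan_stream does). The reply classifier uses the three regular expressions from the amavis entry; the socket path is the Ubuntu default assumed throughout this page.

```python
import re
import socket
import struct
from typing import Optional, Tuple

# Ubuntu default socket path, the one used throughout this page (assumption).
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"
CHUNK = 4096

# The three patterns from the amavis 'ClamAV-clamd' av_scanners entry above.
OK_RE = re.compile(r"\bOK$", re.M)
FOUND_RE = re.compile(r"\bFOUND$", re.M)
NAME_RE = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M)


def parse_scan_reply(reply: str) -> Tuple[str, Optional[str]]:
    """Classify a clamd scan reply (one or more '<path>: <verdict>' lines).

    Returns ("infected", name), ("clean", None) or ("error", raw_reply).
    An ERROR line (typically clamd cannot read the file, which is what the
    group-membership steps on this page fix) is never reported as clean.
    """
    reply = reply.strip("\0\n")
    if FOUND_RE.search(reply):
        m = NAME_RE.search(reply)
        return "infected", (m.group(1) if m else reply)
    lines = reply.splitlines()
    if lines and all(OK_RE.search(line) for line in lines):
        return "clean", None
    return "error", reply


def instream_frames(data: bytes, chunk: int = CHUNK) -> bytes:
    """Frame data for INSTREAM: 'zINSTREAM\\0', then <u32 big-endian length><bytes>
    chunks, terminated by a zero-length chunk. Pure function, testable offline."""
    frames = [b"zINSTREAM\0"]
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        frames.append(struct.pack(">I", len(piece)) + piece)
    frames.append(struct.pack(">I", 0))
    return b"".join(frames)


def _talk(payload: bytes, socket_path: str) -> str:
    """Open the UNIX socket, send one z-delimited command, read until clamd closes."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(60)
        s.connect(socket_path)
        s.sendall(payload)
        buf = b""
        while True:
            part = s.recv(CHUNK)
            if not part:
                break
            buf += part
    return buf.decode("utf-8", "replace")


def ping(socket_path: str = CLAMD_SOCKET) -> bool:
    return _talk(b"zPING\0", socket_path).strip("\0\n") == "PONG"


def version(socket_path: str = CLAMD_SOCKET) -> str:
    # e.g. "ClamAV 0.97.2/13455/Thu Aug 18 23:04:32 2011", as in the pyclamd session
    return _talk(b"zVERSION\0", socket_path).strip("\0\n")


def scan_path(path: str, socket_path: str = CLAMD_SOCKET) -> Tuple[str, Optional[str]]:
    """CONTSCAN: clamd opens the file itself, so the clamav user needs read access."""
    return parse_scan_reply(_talk(b"zCONTSCAN " + path.encode() + b"\0", socket_path))


def scan_bytes(data: bytes, socket_path: str = CLAMD_SOCKET) -> Tuple[str, Optional[str]]:
    """INSTREAM: the client pushes the bytes, so file permissions do not matter."""
    return parse_scan_reply(_talk(instream_frames(data), socket_path))


if __name__ == "__main__":
    import sys
    print(version())
    for p in sys.argv[1:]:
        with open(p, "rb") as fh:
            print(p, scan_path(p), scan_bytes(fh.read()))
```

Comparing scan_path and scan_bytes on the same file is a quick way to tell a permissions problem (CONTSCAN returns "error", INSTREAM returns "infected") from a signature problem (both return "clean").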

python-clamav

  • install python-clamav package:

# sudo apt-get install python-clamav
  • create a python test script, say in /tmp/test.py with the following content:

###################################
#
# pyClamav test script
#
###################################
import pyclamav

# Print the number of signatures.
print(pyclamav.get_numsig())

# Print the ClamAV version and the pyClamav version.
print(pyclamav.get_version())
print(pyclamav.version())

# Scan the test file; the result is a (found, name) tuple.
scan_file = pyclamav.scanfile('/tmp/eicar.com.txt')
print(scan_file)
###################################
#
# end of test script
#
###################################

NOTE: download a test file from http://eicar.org/85-0-Download.html and change the path in the script to that file (e.g. /tmp/eicar.com.txt)

  • execute the script, you should see version and virus information printed to console

# cd /tmp
# python ./test.py
1021013
('0.97.2', 13450, 1313597786)
0.4.1
(1, 'Eicar-Test-Signature')

qpsmtpd

  • install qpsmtpd and postfix

# sudo apt-get install qpsmtpd postfix
  • reconfigure qpsmtpd

# sudo dpkg-reconfigure qpsmtpd
  • answer the following:
    • Enable qpsmtpd startup at boot time: Yes

    • Addresses on which to listen for incoming SMTP connections: 172.18.100.50 (remove 127.0.0.1!)

    • Queueing method for accepted mail: Postfix

    • Destination domain(s) to accept mail for (blank for none): some_test_domain localhost.localdomain localhost

  • configure postfix to listen on localhost only (/etc/postfix/main.cf), then restart postfix:

inet_interfaces = 127.0.0.1

NOTE: qpsmtpd can use either clamscan or clamdscan for scanning incoming emails, configure /etc/qpsmtpd/plugins accordingly

(for testing with clamscan)

virus/clamav clamscan_path=/usr/bin/clamscan action=reject max_size=209715 tmp_dir=/tmp/qpsmtpd.clam

(for testing with clamdscan)

virus/clamdscan clamd_socket /var/run/clamav/clamd.ctl deny_viruses yes
  • add clamav to qpsmtpd group and fix permissions on qpsmtpd spool (only needed for testing with clamdscan):

# usermod -a -G qpsmtpd clamav
# chmod g+u /var/spool/qpsmtpd
  • restart qpsmtpd
  • send an email with virus attachment through and it should be logged in /var/log/qpsmtpd/qpsmtpd.log

Thu Aug 18 12:12:32 2011 utest-nns32[16174]: Virus found: Eicar-Test-Signature
Thu Aug 18 12:12:32 2011 utest-nns32[16174]: 552 Virus found: Eicar-Test-Signature

MOTU/Clamav/TestingProcedures (last edited 2011-10-07 19:53:02 by cemc)