Linux

SolutionBase: Stop viruses on a Linux-based e-mail server with ClamAV

Linux is less susceptible to viruses than Windows-based servers and clients, but it isn't immune. You need to take the precautions necessary to prevent viruses from spreading. Clam AntiVirus is an open source antivirus toolkit designed for scanning on mail gateways. Jack Wallen takes an in-depth look into ClamAV.

In a perfect world, you'd be using Linux as your mail server and would be connecting to that mail server with Linux-based clients. In that world, you wouldn't be so worried about viruses coming from e-mail, because Linux is less susceptible to viruses than Windows-based servers and clients. But we do not live in a perfect world, so you need to take the precautions necessary to prevent viruses from spreading.

Clam AntiVirus (ClamAV) is an open source antivirus toolkit designed for scanning on mail gateways. ClamAV is easy to install, easy to configure, and as reliable an AV scanner as any proprietary on the market.

What's in ClamAV?

ClamAV is host to a great number of features:

  • ClamAV is fast-scanning
  • ClamAV supports on-access scanning
  • ClamAV detects over 90,000 threats
  • ClamAV can scan archive files
  • ClamAV supports portable executable files hidden within numerous formats
  • ClamAV supports nearly all mail file formats
  • ClamAV supports special file formats such as HTML, RTF, PDF, TNEF, etc.
  • ClamAV has an advanced database updater

ClamAV will work with most UNIX-based operating systems. If you're using Linux, Solaris, FreeBSD, OpenBSD, or Mac OS X, you're in luck.

Since Sendmail is one of the more popular mail server applications, I'm going to show you how to set ClamAV up to work in conjunction with Sendmail. To do this we are going to have to install another application, clamav-milter.

Getting and installing

The environment I am going to be installing ClamAV on is Fedora 7. I have done a fairly comprehensive installation, so many of the requirements are already met. The requirements for ClamAV include:

  • gmp
  • zlib
  • zlib-devel packages
  • gcc compiler

Once you have met those (each can be found using the yum package installer), you can then download the source for ClamAV.

With the source on your hard drive, open up a console window, su to root, and take care of a couple of preliminary steps. The first thing you need to do is add the clamav group with the command groupadd clamav. The next step is to add the clamav user. You need to add the user into it's own group (with the -g switch), name the users login shell (with the -s switch), and add a shell comment (with the -c switch). To do this issue the command useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav.

Now ClamAV is ready to be installed. To do this issue, again as root, the following commands (from within the unpacked clamav archive):

./configure
make
make install

Once the installation is complete, the software is installed into the /usr/local directory (executables in /usr/local/bin) and the config files into /usr/local/etc.

Configuring ClamAV

Notice that the ClamAV config file is located in /usr/local/etc. The sample config file is there. But if you try to run the clamd command, you will get the following error:

ERROR: Please edit the example config file /usr/local/etc/clamd.conf.
ERROR: Can't open/parse the config file /usr/local/etc/clamd.conf

The first thing you will notice when you open up the clamd.conf file is this line:

# Comment or remove the line below.

Example

Until that line is commented out (or removed), you will continue to get that error and clamd will not start, so remove that line. Now let's poke around the configuration file.

As with most UNIX-based configuration files, the clamd.conf file is set up in sections. The first section is dedicated to logging. You will more than likely want to enable logging until you get ClamAV working to your satisfaction, so uncomment out the line:

LogFile /tmp/clamd.log

The next logging section is for file locking; I would not mess with this section unless you plan on having more than one clamd running. The next logging section is for maximum log file size. The default is 1 M. You can use any size you want, but larger log files can tend to slow machines down due to write times; I would keep it at the 1 M default.

Once you have decided on this section, you can then decide if you want log time associated with each message. The default is no, and that's smart. Unless you are trying to track specific messages down, I wouldn't bother with this configuration, but it is useful when troubleshooting. Here are the final logging configurations:

  • Log clean files: Not necessary but good for debugging.
  • Use system logger: An unnecessary, but helpful secondary logger for the ClamAV system.
  • Specify type of syslog message: See "man syslog".
  • Enable verbose logging: Useful when debugging, but can cause log files to grow rather large.

Now we move on to some global configurations. The first is for saving process identifier (pid) for the daemon. The default is disabled. The next configuration is for the global temporary directory. The default is /tmp. Depending upon your setup, you may want to change this. The next configuration is the path to the database directory. I would leave this as the hardcoded default. There are a few more global configurations, all of which should use the defaults.

It's not until we get to the address configurations that we start seeing the real configurations. Most of these configurations will be dictated by your particular network setup. Fortunately, all of the configurations within are well commented and straightforward. Read through the entire clamd.conf file and you'll see how easy to configure the system is.

Initial run

Before you start running clamd, you are going to need to download the latest virus database. The first thing you will want to do is open up /usr/local/etc/freshclam.conf and comment out the Example line, as you did for clamd.conf. Now run the command freshclam without any switches. You will see a bunch of lines scroll by, like so:

Downloading daily-3597.cdiff [100%]
Downloading daily-3598.cdiff [100%]
Downloading daily-3599.cdiff [100%]
Downloading daily-3600.cdiff [100%]
Downloading daily-3601.cdiff [100%]
Downloading daily-3602.cdiff [100%]
Downloading daily-3603.cdiff [100%]
Downloading daily-3604.cdiff [100%]
Downloading daily-3605.cdiff [100%]
Downloading daily-3606.cdiff [100%]
Downloading daily-3607.cdiff [100%]
Downloading daily-3608.cdiff [100%]
Downloading daily-3609.cdiff [100%]
Downloading daily-3610.cdiff [100%]
Downloading daily-3611.cdiff [100%]
Downloading daily-3612.cdiff [100%]
Downloading daily-3613.cdiff [100%]

These lines indicate that the system is downloading the latest databases. Once you have the latest databases you can run clamd. Of course, you're going to need to set up a system so that you always have the latest antivirus databases. There are two ways you can do this: Via cron or with the freshclam.conf file.

If you decide to go with cron, you will need to add a crontab entry either to root's crontab or to the clamav user's crontab. The cron entry should look something like:

12 * * * *             /usr/local/bin/freshclam --quiet

which will update every hour.

An easier method is to use the freshclam.conf file. Within that file is this section:

# Number of database checks per day.
# Default: 12 (every two hours)
#Checks 24

Uncomment out the Checks 24 line and decide how often you want freshclam to check for updates. Obviously 24 is one every hour. You can do the math from there.

Now let's run clamd. All you have to do is, as root, enter the command clamd to start the ClamAV daemon running.

Let's run a test. I am going have ClamAV run a recursive scan on my entire system. To do this, I am going to run the command:

clamscan -r /

At first, it will seem like nothing is happening. After a moment, however, output will start scrolling:

//tmp/.gdmSIGIUT: OK
//tmp/clamd.log: OK
//tmp/svma7.tmp/svma9.tmp: Empty file
//tmp/svma7.tmp/svmaa.tmp: Empty file
//tmp/svma7.tmp/svma8.tmp: Empty file
//tmp/orbit-root/bonobo-activation-register.lock: Empty file
//tmp/orbit-root/bonobo-activation-server-ior: OK
//tmp/clamav-1cf02dfdfd47c3e36fbc8153145357f1/.dbLock: Empty file
//tmp/clamav-1cf02dfdfd47c3e36fbc8153145357f1/main.db: OK
//tmp/clamav-1cf02dfdfd47c3e36fbc8153145357f1/main.mdb: OK
//tmp/clamav-1cf02dfdfd47c3e36fbc8153145357f1/COPYING: OK
//tmp/clamav-1cf02dfdfd47c3e36fbc8153145357f1/main.fp: OK
//tmp/clamav-1cf02dfdfd47c3e36fbc8153145357f1/main.ndb: OK
//tmp/clamav-1cf02dfdfd47c3e36fbc8153145357f1/main.info: OK
//tmp/clamav-1cf02dfdfd47c3e36fbc8153145357f1/main.zmd: OK
//tmp/clamav-1cf02dfdfd47c3e36fbc8153145357f1/main.hdb: OK

If there are any infected files, you will be notified after the run of the scan.

Running with Sendmail

Now you can make ClamAV working with Sendmail. First, you will need to install clamav-milter. I did this easily by issuing the command yum install clamav-milter as root. There were a number of dependencies to be met, but yum picked them all up.

Setting this system up is very simple. Open up your /etc/mail/sendmail.mc file and add these lines to the bottom of the file:

INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter')

Start clamav-milter with the command /usr/sbin/clamav-milter -lo /var/run/clamav/clmilter.sock. You will notice the difference in paths between clamd and clamav-milter. The reason for this is because I installed clamav-milter via yum (for the purposes of this article) and yum placed the binaries in its usual path.

For consistency, you would probably want to install clamav-milter from source so the binaries are located in the same spot as the clamd binaries. But that is personal choice. Now restart Sendmail with the command /etc/rc.d/init.d/sendmail restart and Sendmail will begin using clamav-milter.

There is another way to start the milter. You can issue the command /etc/rc.d/init.d/clamav-milter start. Discovering that the clamav-milter system has an entry in init.d tells us that we can set it up to start at boot via the Services Configuration Tool. Another difference is that, because of installing with yum, the clamav-milter configuration file is located in /etc/clamd.d/ the file is called milter.conf. The configuration options are very similar to those found in clamd.conf.

You now have a reliable, incredibly cost-effective method of detecting viruses on your mail server. Of course, you could take this one step further and install ClamAV on your Linux-based clients and have clamscan run every night for added protection. Of course,   this won't work for your Windows clients.

Final thoughts

Imagine knowing your mail server is protected from sending out viruses; now, imagine that that protection has come free of charge. That's a pretty good feeling. The Open Source community has created some tools that every admin should employ. ClamAV is one such tool. It's easy to install, fast, reliable, open, and free. You can get daily database updates and won't have to worry about restarting your mail server or seeing the CPU spike each time the system starts a scan. Give ClamAV a try; you'll quite possibly save your network from disaster.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

1 comments
A. G.
A. G.

http://www.clamwin.com/ "Of course,this won't work for your Windows clients." Actually I use it on my mom's computer and both of my laptops. One with WinXP and one with Win98. It's a nice light, not a memory or processor hog, easy to use antivirus. It works great. AG