Antivirus Scanning Setup

05-13-2004, 04:44 PM
I successfully got virus scanning of email set up and working for a client on a VPS. Here are the basics of what I'm using and what I had to do to get it working in the VPS.

Antivirus Software:
CLAMAV 0.70 is the antivirus scanner. It's pretty popular and used on a lot of servers. Its virus signature database is actively maintained and updated often (hourly/daily). Get the current tarball at http://www.clamav.net. The documentation is good and will get you going.

If you have the gnu compiler collection installed you have most of what you need for ClamAV already installed on the VPS. The two exceptions are libmilter and libgmp. Libmilter is part of Sendmail and is not compiled into the version that Westhost supports. ClamAV can use the Sendmail milter interface to scan emails while Sendmail is processing them. Libgmp is an arbitrary precision math package that is used by freshclam, a component of ClamAV to verify virus signature database digital signatures.
This is important so I compiled and installed gmp. Download from http://swox.com/gmp. The only complication is that you can't write to /usr/local/lib. So I created '/usr/local/ulib' and used the --libdir directive of 'configure' to ensure the makefiles were set up correctly. Once gmp is compiled and the libraries are installed in /usr/local/ulib you need to add an environment variable to ensure ld can find the new libraries. Add 'EXPORT LD_LIB_DIR=/usr/local/ulib' to your /.bashrc. Be sure to 'source /.bashrc' to reread the variables.

Now that gmp is installed you can build ClamAV.
ClamAV calls for creating its own group and user. You can do this by editing /etc/passwd, /etc/shadow, and /etc/group (I couldn't find any tools to do this. No need for a full user through the site manager). However, I believe the user account is only needed by the Clamd daemon and then only if you were installing as root. The solution I describe here does not use the daemon.
Again, you want ClamAV libraries installed in your /usr/local/ulib directory so use --libdir on the 'configure' command line. You will need the ld environment variables set up right so libgmp is found and linked to.
Once the build is successful and installed, run the tests. Clamscan and freshclam are the programs you will use.

Freshclam is the tool that will check ClamAV database mirrors for updates and download them. You configure /etc/freshclam.conf per the installation instructions. While you can run freshclam as a daemon, you would have to integrate it into the startup scripts to ensure it gets run when the VPS restarts. I opted to run it via cron. Run 'editcron -e' and add the cron entry 'XX * * * * /usr/local/bin/freshclam' substituting any minute in the hour for 'XX'. This will check for updates hourly.

Email Scanner:
Assuming ClamAV is working, it's time to start scanning email. For this I chose Clamassassin. This is a program that works similarly to Spamassassin. Using procmail recipes you send email through Clamassassin, which calls ClamAV to scan the file. If a virus signature is found, Clamassassin adds headers to the email that indicate the virus status and virus name. Procmail can then inspect the headers for the virus status and take action. The Clamassassin README explains this well.

Get Clamassassin at http://drivel.com/clamassassin/. Clamassassin needs formail (already installed) and mktemp for its processing. Mktemp is not installed so you have to get it at http://www.mktemp.org/mktemp/. Build and install this in the normal way. This does not install libraries so no special configure directives are needed (that I remember).
Clamassassin is just a script so just copy it to /usr/local/bin so that it is available on the PATH.

The procmail recipe is straightforward and documented in the Clamassassin README.

What I did was set up an email account called 'Virus' that procmail dumps virus email to, for review online using neomail. So far the results are great and I expect to start dumping the emails to /dev/null in the near future. So far, no non-virus emails have been flagged with a virus.

Thanks to all, especially Jalal and FZ, for the information here on Sendmail, Spamassassin, and procmail. After finally digesting most of the information this installation went pretty smoothly.

I know the instructions above are not detailed. I will type up and add more step-by-step instructions soon. I will also try to provide a tarball of the installation as Jalal has done with some tools. In the meantime, if you try this and get stuck be sure to ask questions here.

Good luck!
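The routing step the post describes (Clamassassin tags the message, procmail files anything flagged into the 'Virus' mailbox), as an added example that is not part of the original post or of Clamassassin itself. It assumes the header names X-Virus-Status and X-Virus-Report from the Clamassassin README, uses constructed sample messages, and shows the one detail that matters for a mailbox filter: only the header block is inspected, so a body that merely quotes the header cannot trigger the rule.

```shell
#!/bin/sh
# Added example, not from the thread: emulates the procmail routing the post
# describes. Header names X-Virus-Status / X-Virus-Report are the ones
# Clamassassin's README documents (assumption; verify against your copy).
#
# Equivalent ~/.procmailrc recipes (reference only, same shape as the README):
#   :0fw
#   | /usr/local/bin/clamassassin
#
#   :0:
#   * ^X-Virus-Status: Yes
#   Virus

route_mail() {
    # Reads one message on stdin and prints the target mailbox. Only the
    # header block (before the first empty line) is inspected, case-
    # insensitively, which is how procmail matches '* ^X-Virus-Status: Yes'
    # by default; a body line quoting that header must not trigger it.
    awk '
        /^$/ { exit }
        tolower($0) ~ /^x-virus-status:[ \t]*yes/ { hit = 1; exit }
        END { print (hit ? "Virus" : "INBOX") }
    '
}

virus_report() {
    # Prints the X-Virus-Report value (what you look at first when reviewing
    # the Virus mailbox), or nothing if the header is absent.
    awk '
        /^$/ { exit }
        tolower($0) ~ /^x-virus-report:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }
    '
}

# Constructed sample messages (not real mail; signature name is made up).
CLEAN_MSG='From: alice@example.com
Subject: status report
X-Virus-Scanned: clamassassin with clamscan
X-Virus-Status: No

The body quotes a header, which must be ignored:
X-Virus-Status: Yes'

FLAGGED_MSG='From: bob@example.com
Subject: invoice
X-Virus-Scanned: clamassassin with clamscan
X-Virus-Status: Yes
X-Virus-Report: Example.Test.Signature FOUND

attachment goes here'

printf '%s\n' "$CLEAN_MSG"   | route_mail   # INBOX
printf '%s\n' "$FLAGGED_MSG" | route_mail   # Virus
```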


05-13-2004, 09:28 PM

I'm really glad you got it working. And thanks a million for posting such a wonderfully detailed and helpful guide on getting it working - I know of lots of people that will really find this helpful. Should I start to receive viral mail again, I know this thread will be the first one I come running back to :lol:

Thanks again.

05-14-2004, 02:15 AM
Kalin, this is great. Look forward to the detailed instructions (although these are pretty good). I'll mention them on my site (or add them to it if that's OK???)


05-14-2004, 10:35 AM
Feel free to add or mention these instructions on your site. Glad to contribute to your excellent content. When I get something else written up I'll let you know.

Do you have a simple way to build a tarball of an installation from the root directory without grabbing all the extra stuff in common directories? I assume you have to specify each file or special directory individually.

Thanks all for the kind comments.

-- Kalin

05-14-2004, 11:06 AM
Hi Kalin

Depends on how complex the file setup is.

If it's simple (a couple of directories) then:

tar czf /mypackage.tgz /usr/local/ulib /usr/local/bin/someav /etc/someavrc

would do.
Otherwise I list the files/directories in a text file and then use:

tar czf /mypackage.tgz --files-from=file-list.txt