Rob's web

Clam antivirus

Introduction

ClamAV is the de facto open source virus scanner for Linux. Amavis can be linked to many different free and commercial virus scanners, but here ClamAV will be used. ClamAV was designed primarily for scanning e-mail on mail gateways, which is how it is used below. It consists of the scanner itself (clamscan for on-demand scans, and clamd, a daemon that keeps the signature database loaded) and freshclam, the signature update service. By default freshclam checks for updates twelve times a day, every two hours, which should be enough for anyone.

Installing

Installing anti-virus protection:

# dnf install clamav clamd clamav-freshclam
# clamscan --version	// Shows the engine version and the date of the virus database
# freshclam		// Update virus database

Configuration

To begin, edit /etc/clamd.d/scan.conf. Comment out the Example line (as long as it is present, clamd refuses to start) and set the socket that clamdscan and other local programs will use to talk to the daemon:

# vi /etc/clamd.d/scan.conf
#Example
LocalSocket /run/clamd.scan/clamd.sock

Allow clamd to read the whole filesystem under SELinux, then start and enable the scanner daemon and the updater:

# setsebool -P antivirus_can_scan_system 1
# systemctl start clamd@scan clamav-freshclam
# systemctl enable clamd@scan clamav-freshclam

At this point it is worthwhile to check the status of both services:

# systemctl status clamd@scan
.....
# systemctl status clamav-freshclam
.....

Using ClamAV for scanning files

Manual scanning

To scan a directory tree by hand:

# clamscan -r --bell -i /home/

This recursively scans everything under /home/, prints only infected files (-i) and rings the terminal bell (--bell) for each one. Be aware that clamscan loads the complete signature database on every run, so scanning a large tree takes a considerable amount of time, and the entire filesystem much more. For frequent scans, clamdscan hands the files to the running clamd instead, which avoids reloading the database each time.

Automating scans and notifications

Regular scans are essential for maintaining system integrity. You can automate the scanning process with a cron job; for instance, to scan /home/ every Sunday at 04:30, edit root's crontab:

# crontab -u root -e
30 4 * * 0 /usr/bin/clamscan -r -i /home/ >> /var/log/clamav/scan.log

For notification of scan results, wrap the scan in a script that checks the exit status (clamscan exits with 0 when clean, 1 when an infected file was found and 2 on an error) and mails the FOUND lines rather than the whole log.
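A scan-and-alert wrapper for that cron job, as an added example that is not part of the page or of ClamAV. It relies only on clamscan's documented exit status (0 clean, 1 infected, 2 error) and on the summary block clamscan prints at the end of a run; the script path, the log path, the alert address and the use of mail(1) for delivery are assumptions to adapt.

```shell
#!/bin/sh
# Scheduled ClamAV scan that alerts only when something was found or the scan failed.
# Added example for this page; it is not part of ClamAV or the original text.
# Assumptions: clamscan and mail(1) are installed; paths and the address are placeholders.

SCAN_DIR="${SCAN_DIR:-/home}"
LOG="${LOG:-/var/log/clamav/scan.log}"
ALERT_TO="${ALERT_TO:-root}"

# clamscan's documented exit codes: 0 clean, 1 infected file(s) found, 2 error.
status_word() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Pull the count out of clamscan's summary block ("Infected files: N").
# Prints 0 when no summary was written, as happens when the scan was killed.
infected_count() {
    n=$(sed -n 's/^Infected files: *\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    echo "${n:-0}"
}

# Only the "<path>: <signature> FOUND" lines are worth mailing; the rest is noise.
found_lines() {
    grep ' FOUND$' "$1" || true
}

# Subject line built from the exit code and the parsed count.
alert_subject() {
    printf 'ClamAV %s on %s: %s infected file(s) under %s\n' \
        "$(status_word "$1")" "$(uname -n)" "$2" "$SCAN_DIR"
}

run_scan() {
    report=$(mktemp)
    rc=0
    clamscan -r -i "$SCAN_DIR" > "$report" 2>&1 || rc=$?
    cat "$report" >> "$LOG"          # keep the full record for later review
    count=$(infected_count "$report")
    if [ "$rc" -ne 0 ]; then          # infected or engine error: both need a human
        { found_lines "$report"; echo; tail -n 12 "$report"; } \
            | mail -s "$(alert_subject "$rc" "$count")" "$ALERT_TO"
    fi
    rm -f "$report"
    return "$rc"
}

# Run the scan only when invoked as "... run", so the helpers can also be sourced.
if [ "${1:-}" = "run" ]; then
    run_scan
fi
```

Installed as, say, /usr/local/sbin/clamscan-alert.sh, the crontab line becomes 30 4 * * 0 /usr/local/sbin/clamscan-alert.sh run. The script deliberately alerts on exit code 2 as well: a scan that dies on a broken database is not a clean scan, and a cron job that only greps for FOUND would silently report nothing.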

Using ClamAV for scanning e-mails

Introduction Amavis

Amavis is an open-source content filter for electronic mail, implementing mail message transfer, decoding, some processing and checking, and interfacing with external content filters to provide protection against spam and viruses and other malware. It can be considered an interface between a mailer (MTA, Mail Transfer Agent) and one or more content filters.

Amavis behaves as a mail server in itself: it accepts mail, filters it, and sends it on again. For this to work, Postfix has to listen for mail twice. Mail first arrives on the default port 25 and is handed to Amavis, which listens on port 10024. When Amavis is done with a message it re-injects it into Postfix on a different port, 10025. The reason is simple: if the message were offered on port 25 again it would be handed to Amavis again, and so on in an endless loop. The Postfix listener on port 10025 therefore accepts mail only from known hosts such as localhost, and runs no content filter or spam checks on it.

Before installing Amavis, make sure the mail system works without problems in normal use; otherwise you will not be able to tell which layer is broken.

Installing amavis

# dnf install amavisd-new unrar

Basic Configuration

Amavisd offers an enormous number of options and going over all of them would take some time. The configuration file /etc/amavisd/amavisd.conf, however, is well documented and divided into clear sections. Each section will be examined as needed, and only options that are changed are mentioned, to keep the text readable.

Note: The configuration file is actually Perl code. A syntax error, an unbalanced quote or a missing semicolon keeps amavisd from starting, so edit it carefully and check the service status and the log after every change.

For this example amavisd runs on host foo, but it could be any other host: amavisd does not need to run on the same host as Postfix. Also, $mydomain and $myhostname only identify the server itself; they say nothing about which domains amavisd will scan.

Note: Amavis is complex enough that troubleshooting is hard as it is, so change one thing at a time.

The first step is to disable all actual checks and to enable logging. Some default values should also be set:

# cd /etc/amavisd
# vi amavisd.conf
@bypass_virus_checks_maps = (1);  # controls running of anti-virus code
@bypass_spam_checks_maps  = (1);  # controls running of anti-spam code
# $bypass_decode_parts = 1;         # controls running of decoders&dearchivers
 
$mydomain = 'example.com';
$myhostname = 'foo.example.com';
 
$log_level = 5;              # verbosity 0..5, -d

Starting amavis

# systemctl start amavisd
# systemctl enable amavisd

Testing amavis

# telnet localhost 10024
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavis service ready
ehlo localhost
250-[127.0.0.1]
250-VRFY
250-PIPELINING
250-SIZE
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SMTPUTF8
250-DSN
250 XFORWARD NAME ADDR PORT PROTO HELO IDENT SOURCE
.....
quit
221 2.0.0 [127.0.0.1] amavis closing transmission channel
Connection closed by foreign host.
#

Linking amavisd to postfix

With amavisd running in this bare skeletal mode it should just pass mail through, which makes it perfect for testing the postfix -> amavisd -> postfix binding.

First, two entries are added to master.cf: the amavisfeed transport, an SMTP client that hands mail to Amavis on port 10024, and a second smtpd on 127.0.0.1:10025 where Amavis injects the checked mail. Most restrictions on that listener are set to empty, since they have already been applied on port 25 or would otherwise interfere:

# cd /etc/postfix/
# vi master.cf

#
# anti spam & anti virus section
#
amavisfeed      unix  -    -       n       -       2       smtp
 -o smtp_data_done_timeout=1200
 -o smtp_send_xforward_command=yes
 -o disable_dns_lookups=yes
 -o max_use=20

127.0.0.1:10025 inet n     -       y       -       -       smtpd
 -o content_filter=
 -o smtpd_delay_reject=no
 -o smtpd_client_restrictions=permit_mynetworks,reject
 -o smtpd_helo_restrictions=
 -o smtpd_sender_restrictions=
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o smtpd_data_restrictions=reject_unauth_pipelining
 -o smtpd_end_of_data_restrictions=
 -o smtpd_restriction_classes=
 -o mynetworks=127.0.0.0/8
 -o smtpd_error_sleep_time=0
 -o smtpd_soft_error_limit=1001 
 -o smtpd_hard_error_limit=1000
 -o smtpd_client_connection_count_limit=0
 -o smtpd_client_connection_rate_limit=0
 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
 -o local_header_rewrite_clients=

Postfix listens on port 10025 so that Amavis can hand the checked mail back, and the empty content_filter= override on that listener is what prevents the loop.

Also add, as an indented -o line under the smtp, submission and smtps services in master.cf: -o content_filter=amavisfeed:[127.0.0.1]:10024. Putting it on submission and smtps as well means mail sent by authenticated users is scanned too, not just inbound mail.
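How that line sits in master.cf for the three listeners, as an added illustration rather than the page's own configuration. The service lines are the ones already in your master.cf (the column values shown are the usual defaults), and any -o lines you already have under them stay in place; only the content_filter line is new:

```text
# port 25: the only listener the outside world talks to
smtp       inet  n       -       n       -       -       smtpd
  -o content_filter=amavisfeed:[127.0.0.1]:10024
# port 587: authenticated clients
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=amavisfeed:[127.0.0.1]:10024
# port 465: implicit TLS
smtps      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=amavisfeed:[127.0.0.1]:10024
```

The leading whitespace on the -o lines is what makes Postfix read them as a continuation of the service line; without it, -o is read as a new service entry and postfix check complains. After postfix check, postconf -M smtp/inet submission/inet smtps/inet prints each entry together with its -o lines, which is the quickest way to confirm the override attached to the right service.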

# postfix check
# systemctl restart postfix

Testing

Only the second Postfix listener needs checking now; amavisd itself was tested above.

# telnet localhost 10025
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 server5.robkalmeijer.nl ESMTP Postfix (3.5.9)
ehlo localhost
250-server5.robkalmeijer.nl
250-PIPELINING
250-SIZE 4194304
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
quit
221 2.0.0 Bye
Connection closed by foreign host.

Now send a test message through port 25 and check that it is delivered.

In the maillog you should find lines from amavis[xxxxx] for that message, with xxxxx being the process id, followed by a second Postfix queue id for the copy re-injected on port 10025.
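To check that a message really took the postfix -> amavis -> postfix path, and to catch the endless loop described earlier (a re-injected message being handed to Amavis again), here is a log tracer as an added example; it is not code from Amavis, Postfix or the page. It relies on the default Postfix and amavis log formats: Postfix logs the hand-off as relay=127.0.0.1[127.0.0.1]:10024 with "queued as <newid>", and amavis logs its verdict with "Queue-ID: <id>" and, for accepted mail, "queued_as: <newid>". The log path is a placeholder, and the log lines used in the usage below are constructed, not captured from a real server.

```shell
#!/bin/sh
# Trace one message through postfix (port 25) -> amavis (10024) -> postfix (10025)
# by the queue id it received on port 25. Added example for this page, not code from
# Amavis or Postfix. Relies on the default Postfix and amavis log formats; the log
# path is a placeholder.

MAILLOG="${MAILLOG:-/var/log/maillog}"

# Exit codes, so the script can be used from a monitoring check as well.
OK=0; NO_HANDOFF=1; NO_VERDICT=2; BLOCKED=3; NOT_DELIVERED=4; LOOP=5

# All amavis lines for a port-25 queue id (amavis logs it as "Queue-ID: <id>,").
amavis_lines() {   # $1 = log file, $2 = queue id
    grep "amavis\[[0-9]*\]: .*Queue-ID: $2," "$1" || true
}

trace_message() {   # $1 = log file, $2 = queue id of the message as received on port 25
    log=$1; qid=$2

    # 1. Did the port-25 instance hand the message to amavis on 10024?
    handoff=$(grep -c "postfix/smtp\[[0-9]*\]: $qid: .*relay=127\.0\.0\.1\[127\.0\.0\.1\]:10024.*status=sent" "$log" || true)
    [ "${handoff:-0}" -gt 0 ] || { echo "$qid: never relayed to amavis on 10024 (content_filter not active?)"; return $NO_HANDOFF; }

    # 2. What did amavis decide? Verdicts read "Passed CLEAN" or "Blocked INFECTED (name)".
    verdict=$(amavis_lines "$log" "$qid" | sed -n 's/.*amavis\[[0-9]*\]: ([0-9-]*) \([A-Za-z]* [A-Z]*\).*/\1/p' | head -n 1)
    [ -n "$verdict" ] || { echo "$qid: relayed to 10024 but amavis logged no verdict"; return $NO_VERDICT; }

    # 3. Was it re-injected? "queued_as: <newid>" only appears for accepted mail.
    newid=$(amavis_lines "$log" "$qid" | sed -n 's/.*queued_as: \([A-Za-z0-9]*\).*/\1/p' | head -n 1)
    [ -n "$newid" ] || { echo "$qid: $verdict, not re-injected"; return $BLOCKED; }

    # 4. The re-injected copy going to 10024 again is the loop the text warns about.
    loop=$(grep -c "postfix/smtp\[[0-9]*\]: $newid: .*:10024" "$log" || true)
    [ "${loop:-0}" -eq 0 ] || { echo "$qid: $verdict, re-injected as $newid, then sent to amavis AGAIN: loop"; return $LOOP; }

    # 5. Final delivery of the new queue id by any delivery agent.
    delivered=$(grep -Ec "postfix/(local|virtual|lmtp|pipe|smtp)\[[0-9]+\]: $newid: .*status=sent" "$log" || true)
    [ "${delivered:-0}" -gt 0 ] || { echo "$qid: $verdict, re-injected as $newid, no delivery logged"; return $NOT_DELIVERED; }

    echo "$qid: $verdict, re-injected as $newid, delivered"
    return $OK
}

# Usage: trace.sh <queue-id> [logfile]
if [ -n "${1:-}" ]; then
    trace_message "${2:-$MAILLOG}" "$1"
fi
```

Run it with the queue id from the port-25 smtpd line (for instance trace.sh 4ABC123) right after the test message. Exit code 1 means the content_filter override never took effect, 3 means Amavis blocked the message (expected later for a virus test), and 5 means the 10025 listener still has a content_filter and the message is circling.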

When this works you can activate the virus scanner.

Activating virus scanning

# cd /etc/amavisd
# vi amavisd.conf
#@bypass_virus_checks_maps = (1);  # controls running of anti-virus code
@bypass_spam_checks_maps  = (1);  # controls running of anti-spam code
#$bypass_decode_parts = 1;         # controls running of decoders&dearchivers

Send test mail in both directions again between a test address and the mail server and check the maillog for the amavis verdict. To confirm the scanner is actually invoked, send a message containing the EICAR test string and verify in the maillog that amavis blocks it.

Links