Need help getting clamav working

Bob Brennan rbrennan96 at gmail.com
Fri Apr 15 13:33:11 UTC 2005


<snipped resolved info>

> > * added INPUT_MAIL_FILTER(`clamav',`S=local:/var/run/clamav-milter/clamav.sock,F=,T=S:4m;R:4m')dnl
> > to sendmail.mc
> 
> Let me ask: where exactly did you add this milter line?

at the very bottom

> The order matters in sendmail.mc.

I thought that but did not know where to add it. However it seems to
work there since the answers to your next questions are all "yes"

> If you grep your sendmail.cf file you must find a line
> 
> Xclamav, S=local:/var/run/clamav-milter/clamav.sock, F=T, T=S:4m;R:4m

Yes, it is there. The only difference is "F=". From the documentation
this appears to be correct. I will probably change it to F=T since I
have a very low volume mailserver.

    * F=T - temporarily fail the connection if the milter is unavailable
      (down, too busy, etc.). This leads to mail delays as people cannot
      deliver to you, but periodic retries should happen (initiated from the
      sender's end), and when the milter is again available, it should be fine.
    * F=  - accept the mail anyway, even if the milter is unavailable
      and continue with normal mail handling. A virus may be accepted, but your
      mail is still flowing. You do have up to date anti virus running on the
      desktop don't you? Keep a close watch on your logs.

> Be sure about the correct path for the socket file! Is it really
> "/var/run/clamav-milter"?

Yes, I saw that and corrected it from the start. I'm getting to be an
older newbie ;-)

> I think common installs use
> "/var/run/clamav/". So does the RPM from
> http://crash.fce.vutbr.cz/crash-hat/.
> 
> > * m4 the .mc file and restarted sendmail
> > * chkconfig --level 2345 clamav-milter on
> > * chkconfig --level 2345 clamd.milter on
> 
> There is no such service "clamd.milter". clamd is no milter, there is
> just one and that is called "clamav-milter".

service clamd start did not work

> > * service clamav-milter start - [OK]
> > * service clamd.milter start - [OK]
> 
> Did you write that from mind? It should only be "clamd" (see above).

I got it from "service --status-all" which listed those 2 as the only
clamav services and not running.

> > * verified all settings above took effect
> >
> > I let that sit overnight and had no log reports so I forwarded an
> > email with attached virus.zip nasty to myself, it was delivered to me
> > normally and there is no clamav log file or header info indicating it
> > was scanned like spamassassin adds.

correction - clean emails have:
X-Virus-Scanned: clamd / ClamAV version 0.71, clamav-milter version 0.71
X-Virus-Status: Clean
in the header but a known-viral email sent to myself does not have
these headers and is delivered (or was it possibly returned to me?)
It's possibly wrong testing me-virusing-me?

> When starting Sendmail, observe the maillog and messages syslog file.

All normal messages in the maillog after restart but curiously the
milter seems to be working!(?) with "Milter add: header:
X-Virus-Status: Clean". So the problem now seems to be that it does
not add header info to a known viral email and is the database being
updated without freshclam?

> When starting the clamav services (clamd, freshclam, clamav-milter)
> observe the messages log and their log files below /var/log.

"service clamav-milter start" is the only one that works, there does
not appear to be any "service freshclam", no /etc/freshclam.anything
and no /var/log/freshclam. In fact "locate freshclam" returns nothing.

> > The question(s):
> > * clamav doesn't appear to be doing anything to emails, including
> > virus-laden ones, what am I missing?
> 
> I suspect misconfiguration (see above comments).

and missing packages it appears? Note that I've done this same
procedure on 3 separate machines and got identical results.

> > * there are lots of references to "freshclam" to automatically update
> > but "yum install freshclam" doesn't work and I can't find anything by
> > that name installed on my system. How to ensure proper updating?
> 
> freshclam is part of the clamav RPM. It is a service: service freshclam
> start. But before you use it please adjust its configuration file
> /etc/freshclam.conf. Most important for the "DatabaseMirror" line.

There is no /etc/freshclam.conf. There is a file /var/log/clamd.milter
that has this:
+++ Started at Thu Apr 14 21:27:06 2005
Log file size limited to 1048576 bytes.
Running as user clamilt (UID 102, GID 104)
Reading databases from /var/lib/clamav
Protecting against 21611 viruses.
Unix socket file /var/run/clamd.milter/clamd.sock
Setting connection queue length to 15
Archive: Archived file size limit set to 10485760 bytes.
Archive: Recursion level limit set to 5.
Archive: Files limit set to 1000.
Archive: Compression ratio limit set to 200.
Archive support enabled.
RAR support disabled.
Mail files support enabled.
OLE2 support enabled.
Self checking every 3600 seconds.
No stats for Database check - forcing reload
Reading databases from /var/lib/clamav
Database correctly reloaded (21611 viruses)
SelfCheck: Database status OK.
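
The two checks discussed in this message (what the `F=` flag on the `Xclamav` line does when the milter is down, and whether the socket path sendmail points at really exists) can be run against a `sendmail.cf` in one pass. This is an added example, not part of the original post or of any ClamAV/sendmail package; the function name `milter_audit` is hypothetical, the sample lines are constructed, and `F=R` (reject) is sendmail's third documented setting alongside the two quoted above.

```shell
#!/bin/sh
# Added example: list each milter defined in a sendmail.cf with its
# failure policy and whether its local socket is present.

milter_audit() {
    # $1 = path to a sendmail.cf; prints "name|policy|socket|state" per X line
    grep '^X' "$1" | while IFS= read -r line; do
        name=$(printf '%s\n' "$line" | sed -e 's/^X//' -e 's/[ ,].*//')
        sock=$(printf '%s\n' "$line" | sed -n 's/.*, *S=\([^,]*\).*/\1/p')
        flag=$(printf '%s\n' "$line" | sed -n 's/.*, *F=\([^,]*\).*/\1/p' | tr -d ' ')
        case "$flag" in
            T)  policy="tempfail" ;;       # F=T: sender is asked to retry later
            R)  policy="reject" ;;         # F=R: connection is rejected
            "") policy="fail-open" ;;      # F= or no F: mail accepted unscanned
            *)  policy="unknown:$flag" ;;
        esac
        case "$sock" in
            local:*|unix:*)
                path=${sock#*:}            # strip the "local:" / "unix:" prefix
                if [ -S "$path" ]; then state="socket-present"
                else state="socket-missing"; fi ;;
            *)  state="not-a-local-socket" ;;  # e.g. inet:port@host
        esac
        printf '%s|%s|%s|%s\n' "$name" "$policy" "$sock" "$state"
    done
}

# Constructed sample: the line as this message describes it (empty F=).
demo_cf=$(mktemp)
cat > "$demo_cf" <<'EOF'
Xclamav, S=local:/var/run/clamav-milter/clamav.sock, F=, T=S:4m;R:4m
EOF
milter_audit "$demo_cf"
rm -f "$demo_cf"
```

A `fail-open` policy combined with `socket-missing` means sendmail is accepting mail without any scan taking place; on a live system, point the function at `/etc/mail/sendmail.cf`.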




More information about the fedora-list mailing list