Installation and configuration of ClamAV
Printed on 29.12.2016 07:50.
Basics

Checking the e-mail as well as its attachments is handled by the free antivirus toolkit ClamAV for Unix, a virus scanner released under the GNU GPL. It was designed specifically for scanning e-mail on mail gateways, but can equally be used to check HTTP data streams or to scan file systems. The package provides a number of tools: a flexible and scalable multi-threaded daemon, a command-line scanner and a sophisticated program for automatic updates over the Internet. The heart of the package is an antivirus engine in the form of a shared library.

The most important features of ClamAV are:
- command-line scanner
- fast multi-threaded daemon with support for on-access scanning
- sophisticated database update program with support for scripted updates and digital signatures
- virus scanner library written in C
- on-access scanning
- virus database updated several times a day (see the homepage for the total number of signatures)
- built-in support for various archive formats such as Zip, RAR, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others
- built-in support for almost all mail file formats
- built-in support for ELF executables and Portable Executable files compressed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others
Linux - Wissensdatenbank - https://dokuwiki.nausch.org/
Last update: 22.11.2013 12:35.
centos:mail_c6:spam_4 https://dokuwiki.nausch.org/doku.php/centos:mail_c6:spam_4
ClamAV is mainly used together with Postfix and AMaViS. The installation and configuration of the virus scanner environment (ClamAV on CentOS 6.x) is described in detail on this page.

Below we deal with the installation and configuration of ClamAV in a mail server environment.

Installation

For installing clamav and its associated packages we best use the rpmforge repository; the installation itself is done with the help of yum.

# yum install clamd clamav clamav-db -y

Program info

What the individual packages brought with them during installation is shown by a look at each installed rpm.
clamav

# rpm -qil clamav
Name        : clamav                       Relocations: (not relocatable)
Version     : 0.97.4                            Vendor: Dag Apt Repository, http://dag.wieers.com/apt/
Release     : 1.el6.rf                      Build Date: Thu 15 Mar 2012 08:04:38 AM CET
Install Date: Sun 10 Jun 2012 11:38:35 PM CEST      Build Host: lisse.hasselt.wieers.com
Group       : Applications/System           Source RPM: clamav-0.97.4-1.el6.rf.src.rpm
Size        : 6113818                          License: GPL
Signature   : DSA/SHA1, Thu 15 Mar 2012 03:28:39 PM CET, Key ID a20e52146b8d79e6
Packager    : Dag Wieers <[email protected]>
URL         : http://www.clamav.net/
Summary     : Anti-virus software
Description :
Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose of
this software is the integration with mail servers (attachment scanning).
The package provides a flexible and scalable multi-threaded daemon, a
command line scanner, and a tool for automatic updating via Internet.
The programs are based on a shared library distributed with the Clam
AntiVirus package, which you can use with your own software. Most
importantly, the virus database is kept up to date
/etc/freshclam.conf
/usr/bin/clambc
/usr/bin/clamscan
/usr/bin/freshclam
/usr/bin/sigtool
/usr/lib64/libclamav.so
/usr/lib64/libclamav.so.6
/usr/lib64/libclamav.so.6.1.13
/usr/lib64/libclamunrar.so
/usr/lib64/libclamunrar.so.6
/usr/lib64/libclamunrar.so.6.1.13
/usr/lib64/libclamunrar_iface.so
/usr/lib64/libclamunrar_iface.so.6
/usr/lib64/libclamunrar_iface.so.6.1.13
/usr/share/doc/clamav-0.97.4
/usr/share/doc/clamav-0.97.4/AUTHORS
/usr/share/doc/clamav-0.97.4/BUGS
/usr/share/doc/clamav-0.97.4/COPYING
/usr/share/doc/clamav-0.97.4/ChangeLog
/usr/share/doc/clamav-0.97.4/FAQ
/usr/share/doc/clamav-0.97.4/INSTALL
/usr/share/doc/clamav-0.97.4/NEWS
/usr/share/doc/clamav-0.97.4/README
/usr/share/doc/clamav-0.97.4/clamav-mirror-howto.pdf
/usr/share/doc/clamav-0.97.4/clamdoc.pdf
/usr/share/doc/clamav-0.97.4/freshclam.conf
/usr/share/doc/clamav-0.97.4/phishsigs_howto.pdf
/usr/share/doc/clamav-0.97.4/signatures.pdf
/usr/share/man/man1/clambc.1.gz
/usr/share/man/man1/clamscan.1.gz
/usr/share/man/man1/freshclam.1.gz
/usr/share/man/man1/sigtool.1.gz
/usr/share/man/man5/freshclam.conf.5.gz
clamav-db

# rpm -qil clamav-db
Name        : clamav-db                    Relocations: (not relocatable)
Version     : 0.97.4                            Vendor: Dag Apt Repository, http://dag.wieers.com/apt/
Release     : 1.el6.rf                      Build Date: Thu 15 Mar 2012 08:04:38 AM CET
Install Date: Sun 10 Jun 2012 11:38:34 PM CEST      Build Host: lisse.hasselt.wieers.com
Group       : Applications/Databases        Source RPM: clamav-0.97.4-1.el6.rf.src.rpm
Size        : 33616088                         License: GPL
Signature   : DSA/SHA1, Thu 15 Mar 2012 03:28:43 PM CET, Key ID a20e52146b8d79e6
Packager    : Dag Wieers <[email protected]>
URL         : http://www.clamav.net/
Summary     : Virus database for clamav
Description :
The actual virus database for clamav
/etc/cron.daily/freshclam
/etc/logrotate.d/freshclam
/var/clamav
/var/clamav/daily.cvd
/var/clamav/main.cvd
/var/log/clamav
/var/log/clamav/freshclam.log
clamd

# rpm -qil clamd
Name        : clamd                        Relocations: (not relocatable)
Version     : 0.97.4                            Vendor: Dag Apt Repository, http://dag.wieers.com/apt/
Release     : 1.el6.rf                      Build Date: Thu 15 Mar 2012 08:04:38 AM CET
Install Date: Sun 10 Jun 2012 11:38:37 PM CEST      Build Host: lisse.hasselt.wieers.com
Group       : System Environment/Daemons    Source RPM: clamav-0.97.4-1.el6.rf.src.rpm
Size        : 602939                           License: GPL
Signature   : DSA/SHA1, Thu 15 Mar 2012 03:28:41 PM CET, Key ID a20e52146b8d79e6
Packager    : Dag Wieers <[email protected]>
URL         : http://www.clamav.net/
Summary     : The Clam AntiVirus Daemon
Description :
The Clam AntiVirus Daemon
/etc/clamd.conf
/etc/logrotate.d/clamav
/etc/rc.d/init.d/clamd
/usr/bin/clamconf
/usr/bin/clamdscan
/usr/bin/clamdtop
/usr/sbin/clamd
/usr/share/doc/clamd-0.97.4
/usr/share/doc/clamd-0.97.4/clamd.conf
/usr/share/man/man1/clambc.1.gz
/usr/share/man/man1/clamconf.1.gz
/usr/share/man/man1/clamdscan.1.gz
/usr/share/man/man1/clamdtop.1.gz
/usr/share/man/man5/clamd.conf.5.gz
/usr/share/man/man8/clamd.8.gz
/var/clamav
/var/log/clamav
/var/log/clamav/clamd.log
/var/run/clamav
Configuration

clamd

The configuration file /etc/clamd.conf shipped with the package already fits our purpose, so no special adjustments are required: clamd listens on a local Unix socket and additionally on TCP port 3310 bound to 127.0.0.1 only, and drops its privileges to the user clamav. Note that LocalSocketMode and LocalSocketGroup remain commented out, so, as the comment in the file itself states, the Unix socket is world accessible; if other local users on the host should not be able to submit scans, set those two options.

/etc/clamd.conf
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##

# Comment or remove the line below.
#Example

# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamav/clamd.log

# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default: 1M
LogFileMaxSize

# Log time with each message.
# Default: no
LogTime yes

# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes

# Use system logger (can work together with LogFile).
# Default: no
LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

# Enable verbose logging.
# Default: no
#LogVerbose yes

# Log additional information about the infected file, such as its
# size and hash, together with the virus name.
#ExtendedDetectionInfo yes

# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile /var/run/clamav/clamd.pid

# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
TemporaryDirectory /var/tmp

# Path to the database directory.
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/clamav

# Only load the official signatures published by the ClamAV project.
# Default: no
#OfficialDatabaseOnly no

# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.

# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /var/run/clamav/clamd.sock

# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
#LocalSocketGroup virusgroup

# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
#LocalSocketMode 660

# Remove stale socket after unclean shutdown.
# Default: yes
FixStaleSocket yes

# TCP port address.
# Default: no
TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.
# Default: 200
MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
#StreamMaxLength 10M

# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000

# Maximum number of threads running at the same time.
# Default: 10
MaxThreads 50

# Waiting for data from a client socket will timeout after this time (seconds).
# Default: 120
ReadTimeout 300

# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 5
#CommandReadTimeout 5

# This option specifies how long to wait (in miliseconds) if the send buffer is full.
# Keep this value low to prevent clamd hanging
#
# Default: 500
#SendBufTimeout 200

# Maximum number of queued items (including those being processed by MaxThreads threads)
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file descriptors,
# the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
#
# Default: 100
#MaxQueue 200

# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60

# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
#ExcludePath ^/proc/
#ExcludePath ^/sys/

# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20

# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes

# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes

# Scan files and directories on other filesystems.
# Default: yes
#CrossFilesystems yes

# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600

# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clamav

# Initialize supplementary group access (clamd must be started by root).
# Default: no
AllowSupplementaryGroups yes

# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes

# Don't fork into background.
# Default: no
#Foreground yes

# Enable debug messages in libclamav.
# Default: no
#Debug yes

# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes

# Detect Possibly Unwanted Applications.
# Default: no
#DetectPUA yes

# Exclude a specific PUA category. This directive can be used multiple times.
# See http://www.clamav.net/support/pua for the complete list of PUA
# categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool

# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
#IncludePUA Spy
#IncludePUA Scanner
#IncludePUA RAT

# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to provide accurate detection. This option
# controls the algorithmic detection.
# Default: yes
#AlgorithmicDetection yes


##
## Executable files
##

# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option allows
# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite. If you turn off this option, the original files will still be
# scanned, but without additional processing.
# Default: yes
ScanPE yes

# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanELF yes

# With this option clamav will try to detect broken executables (both PE and
# ELF) and mark them as Broken.Executable.
# Default: no
DetectBrokenExecutables yes


##
## Documents
##

# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanOLE2 yes

# With this option enabled OLE2 files with VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#OLE2BlockMacros no

# This option enables scanning within PDF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanPDF yes


##
## Mail files
##

# Enable internal e-mail scanner.
# If you turn off this option, the original files will still be scanned, but
# without parsing individual messages/attachments.
# Default: yes
ScanMail yes

# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
# WARNING: This option may open your system to a DoS attack.
#          Never use it on loaded servers.
# Default: no
#ScanPartialMessages yes

# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes

# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes

# Always block SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockSSLMismatch no

# Always block cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockCloak no

# Allow heuristic match to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes


##
## Data Loss Prevention (DLP)
##

# Enable the DLP module
# Default: No
#StructuredDataDetection yes

# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5

# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal yes

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes


##
## HTML
##

# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
#ScanHTML yes


##
## Archives
##

# ClamAV can scan within archives and compressed files.
# If you turn off this option, the original files will still be scanned, but
# without unpacking and additional processing.
# Default: yes
ScanArchive yes

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
ArchiveBlockEncrypted no


##
## Limits
##

# The options below protect your system against Denial of Service attacks
# using archive bombs.

# This option sets the maximum amount of data to be scanned for each input file.
# Archives and other containers are recursively extracted and scanned up to this
# value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
#MaxScanSize 150M

# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
#MaxFileSize 30M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: setting this limit too high may result in severe damage to the system.
# Default: 16
#MaxRecursion 10

# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000


##
## Clamuko settings
##

# Enable Clamuko. Dazuko must be configured and running. Clamuko supports
# both Dazuko (/dev/dazuko) and DazukoFS (/dev/dazukofs.ctrl). DazukoFS
# is the preferred option. For more information please visit www.dazuko.org
# Default: no
#ClamukoScanOnAccess yes

# The number of scanner threads that will be started (DazukoFS only).
# Having multiple scanner threads allows Clamuko to serve multiple
# processes simultaneously. This is particularly beneficial on SMP machines.
# Default: 3
#ClamukoScannerCount 3

# Don't scan files larger than ClamukoMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#ClamukoMaxFileSize 10M

# Set access mask for Clamuko (Dazuko only).
# Default: no
#ClamukoScanOnOpen yes
#ClamukoScanOnClose yes
#ClamukoScanOnExec yes

# Set the include paths (all files inside them will be scanned). You can have
# multiple ClamukoIncludePath directives but each directory must be added
# in a seperate line. (Dazuko only)
# Default: disabled
#ClamukoIncludePath /home
#ClamukoIncludePath /students

# Set the exclude paths. All subdirectories are also excluded. (Dazuko only)
# Default: disabled
#ClamukoExcludePath /home/bofh

# With this option you can whitelist specific UIDs. Processes with these UIDs
# will be able to access all files.
# This option can be used multiple times (one per line).
# Default: disabled
#ClamukoExcludeUID 0

# With this option enabled ClamAV will load bytecode from the database.
# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
# Default: yes
#Bytecode yes

# Set bytecode security level.
# Possible values:
#       None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
#         This value is only available if clamav was built with --enable-debug!
#       TrustSigned - trust bytecode loaded from signed .c[lv]d files,
#                insert runtime safety checks for bytecode loaded from other sources
#       Paranoid - don't trust any bytecode, insert runtime checks for all
# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
#
# Default: TrustSigned
#BytecodeSecurity TrustSigned

# Set bytecode timeout in miliseconds.
#
# Default: 5000
# BytecodeTimeout 1000
If you want to see the entire configuration without the many comment lines, a handy egrep prints just the active directives.

# egrep -v '(^.*#|^$)' /etc/clamd.conf
LogFile /var/log/clamav/clamd.log
LogFileMaxSize
LogTime yes
LogSyslog yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/clamav
LocalSocket /var/run/clamav/clamd.sock
FixStaleSocket yes
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User clamav
AllowSupplementaryGroups yes
ScanPE yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
ScanMail yes
ScanArchive yes
ArchiveBlockEncrypted no
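The list of active directives above is exactly what an exposure review of clamd needs: who can reach the daemon (TCPSocket/TCPAddr, LocalSocket/LocalSocketMode), whether it drops privileges (User), and whether the archive-bomb limits are still in force. The following Python script is an added example, not code from the original page or from the ClamAV project: it parses clamd.conf directives in the simple "Name value" form clamd.conf(5) uses and reports findings based only on what the file sets. The sample configuration embedded in it is the egrep output from above; the finding texts and helper names are this example's own.

```python
"""Added example (not from the original page or from ClamAV): audit the
active directives of a clamd.conf for network exposure, socket permissions,
privilege drop and disabled archive-bomb limits."""
import sys

# Constructed sample: the active directives from the egrep output above.
PAGE_CLAMD_CONF = """\
LogFile /var/log/clamav/clamd.log
LogFileMaxSize
LogTime yes
LogSyslog yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/clamav
LocalSocket /var/run/clamav/clamd.sock
FixStaleSocket yes
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User clamav
AllowSupplementaryGroups yes
ScanPE yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
ScanMail yes
ScanArchive yes
ArchiveBlockEncrypted no
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Limits where clamd.conf(5) says "Value of 0 disables the limit".
ZERO_DISABLES = ("MaxScanSize", "MaxFileSize", "MaxFiles")


def parse_clamd_conf(text):
    """Return {directive_lowercased: [values...]}, ignoring comments and blank
    lines. A directive without a value (LogFileMaxSize above) is kept with an
    empty string so that its presence is still visible."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def audit_clamd_conf(text):
    """List of findings (strings) about who can talk to clamd and how far it
    will go when unpacking; an empty list means nothing to report."""
    conf = parse_clamd_conf(text)
    findings = []

    if "tcpsocket" in conf:
        addrs = conf.get("tcpaddr", [])
        if not addrs:
            findings.append("TCPSocket set without TCPAddr: clamd binds INADDR_ANY")
        else:
            outside = [a for a in addrs if a not in LOOPBACK]
            if outside:
                findings.append("TCPAddr %s is not loopback: clamd is reachable from the network"
                                % ", ".join(outside))

    # The file's own comment: without LocalSocketMode the socket is world accessible.
    if "localsocket" in conf and "localsocketmode" not in conf:
        findings.append("LocalSocketMode unset: Unix socket is world accessible")

    if "user" not in conf:
        findings.append("User unset: clamd keeps root privileges")

    for name in ZERO_DISABLES:
        if "0" in conf.get(name.lower(), []):
            findings.append("%s 0: archive-bomb limit disabled" % name)

    partial = conf.get("scanpartialmessages", [])
    if partial and partial[-1].lower() in ("yes", "true", "1"):
        findings.append("ScanPartialMessages yes: DoS risk on loaded servers")

    return findings


if __name__ == "__main__":
    # Usage: clamd_audit.py [/etc/clamd.conf]; without a path the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PAGE_CLAMD_CONF
    for finding in audit_clamd_conf(text) or ["no findings"]:
        print(finding)
```

Run against the page's configuration it reports only the world-accessible Unix socket; the TCP listener passes because TCPAddr pins it to 127.0.0.1. A configuration that sets TCPSocket without TCPAddr, or MaxScanSize 0, is flagged accordingly.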
In the configuration file of our AMaViS daemon we find the following configuration note for integrating and using ClamAV.

# ### http://www.clamav.net/
# ['ClamAV-clamd',
#   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
#   qr/\bOK$/m, qr/\bFOUND$/m,
#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
# # NOTE: run clamd under the same user as amavisd, or run it under its own
# #   uid such as clamav, add user clamav to the amavis group, and then add
# #   AllowSupplementaryGroups to clamd.conf;
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# #   this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
So we briefly check whether the user clamav is already a member of the group amavis.

# grep amavis /etc/group
amavis:x:494:

The group amavis has the GID 494 and no supplementary members listed after the last colon. A look into /etc/passwd shows which user has 494 as its primary group (the grep simply matches every line containing 494, which here is just this one).

# grep 494 /etc/passwd
amavis:x:497:494:Amavis email scan user:/var/amavis:/bin/sh

So this is "only" the user amavis itself. We therefore add the user clamav to the group amavis.

# usermod -a -G amavis clamav

A second look shows that, as stated in the notes in /etc/amavisd.conf, the user clamav is now a member of the group amavis. The new membership only applies to processes started afterwards, so a clamd that is already running has to be restarted for AllowSupplementaryGroups to pick it up.

# grep amavis /etc/group
amavis:x:494:clamav
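The amavisd.conf entry above hands clamd a path with CONTSCAN, which is exactly why clamd must be able to read amavis's files and why the group membership just set up matters. The alternative command, INSTREAM, pushes the bytes over the socket and needs no file-system access at all, which makes it a good end-to-end test of the socket itself. The following Python client is an added example, not code from the original page, from ClamAV or from amavisd-new: it builds both commands, parses replies with the same regular expressions the amavisd.conf entry uses, and can send the EICAR test string to a running clamd. The socket path is taken from LocalSocket above; the helper names are this example's own.

```python
"""Added example (not from the original page, ClamAV or amavisd-new): a
minimal clamd socket client for CONTSCAN and INSTREAM with amavis-style
reply parsing. Needs a running clamd only for ask_clamd(); the framing and
parsing functions work offline."""
import re
import socket
import struct

CLAMD_SOCKET = "/var/run/clamav/clamd.sock"   # must match LocalSocket in clamd.conf
# Standard EICAR test string: every scanner reports it and it executes nothing.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# The three patterns from the amavisd.conf scanner entry, in Python form.
OK_RE = re.compile(r"\bOK$", re.M)
FOUND_RE = re.compile(r"\bFOUND$", re.M)
NAME_RE = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M)


def contscan_command(path):
    """The bytes amavisd sends for its "CONTSCAN {}\\n" template: clamd then
    opens the path itself, so it needs read access to amavis's tmp tree."""
    return b"CONTSCAN " + path.encode() + b"\n"


def instream_frames(data, chunk_size=8192):
    """zINSTREAM: NUL-terminated command, then chunks prefixed with a 4-byte
    big-endian length, ended by a zero-length chunk."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out.append(struct.pack(">I", len(chunk)) + chunk)
    out.append(struct.pack(">I", 0))
    return b"".join(out)


def parse_reply(reply):
    """Classify a clamd reply the way amavisd does: ('FOUND', signature),
    ('OK', None) or ('ERROR', raw text). Multi-line CONTSCAN replies count as
    FOUND if any line is a hit."""
    text = reply.decode("utf-8", errors="replace").rstrip("\0\n")
    if FOUND_RE.search(text):
        m = NAME_RE.search(text)
        return ("FOUND", m.group(1) if m else None)
    if OK_RE.search(text):
        return ("OK", None)
    return ("ERROR", text)


def ask_clamd(payload, sock_path=CLAMD_SOCKET, timeout=300):
    """Send raw command bytes over the Unix socket and return the full reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(payload)
        chunks = []
        while True:
            part = s.recv(4096)
            if not part:
                break
            chunks.append(part)
    return b"".join(chunks)


if __name__ == "__main__":
    import sys
    # INSTREAM needs no file access: a reply of ('FOUND', 'Eicar-Test-Signature')
    # proves the socket and the signature database work.
    print("INSTREAM EICAR:", parse_reply(ask_clamd(instream_frames(EICAR))))
    # CONTSCAN on a path exercises clamd's read permissions on that path.
    for path in sys.argv[1:]:
        print("CONTSCAN", path, parse_reply(ask_clamd(contscan_command(path))))
```

Run the CONTSCAN branch as the amavis user (for example with `sudo -u amavis`) on a directory under $MYHOME/tmp: an ERROR reply that mentions a failed stat or permission denied points at the socket or group setup rather than at the scanner, while the INSTREAM branch keeps working regardless of file permissions.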
freshclamd

To keep ClamAV supplied with up-to-date virus information at all times, the program freshclam from the package clamav is at our service.

In the default setup freshclam updates the virus pattern database once a day, via the script in /etc/cron.daily. If required, we can adapt the update cycle to our needs and, for example, check every hour whether new pattern files are available, download them to our machine and merge them into the local database. Two mechanisms are available for this: the crontab and the daemon mode. Both variants could be used side by side on the system, though one of them is sufficient; both options are briefly described below.

Using crontab

The first and simple variant is to move the update script, which is currently and by default located under /etc/cron.daily with the name freshclam, to /etc/cron.hourly/. The update script contains the following parameters and calls:
#!/bin/sh
### A simple update script for the clamav virus database.
### This could as well be replaced by a SysV script.

### fix log file if needed
LOG_FILE="/var/log/clamav/freshclam.log"
if [ ! -f "$LOG_FILE" ]; then
    touch "$LOG_FILE"
    chmod 644 "$LOG_FILE"
    chown clamav.clamav "$LOG_FILE"
fi

/usr/bin/freshclam \
    --quiet \
    --datadir="/var/clamav" \
    --log="$LOG_FILE" \
    --daemon-notify="/etc/clamd.conf"

So, if required, we move the script to /etc/cron.hourly/.

# mv /etc/cron.daily/freshclam /etc/cron.hourly/
Using daemon mode

The second option mentioned above for updating the virus pattern database is to use the freshclam daemon, which runs in the background and regularly queries the pattern servers.

Start script

Since no suitable SysV init script was shipped with our installation, we create our own start script.

# vim /etc/init.d/freshclamd

freshclamd
#!/bin/sh
#
# freshclamd     Init Script to start/stop the freshclamd.
#
# chkconfig: - 62 38
# description: freshclam is an update daemon for Clam AV database.
#
# processname: freshclamd
# config: /etc/freshclam.conf
# pidfile: /var/run/clamav/freshclam.pid

# Source function library
. /etc/init.d/functions

# Get network config
. /etc/sysconfig/network

test -f /etc/freshclam.conf || exit

RETVAL=0
DATA_DIR="/var/clamav"
CLAMD_CONF_FILE="/etc/clamd.conf"
LOG_FILE="/var/log/clamav/freshclam.log"

if [ ! -f "$LOG_FILE" ]; then
    touch "$LOG_FILE"
    chmod 644 "$LOG_FILE"
    chown clamav.clamav "$LOG_FILE"
fi

start() {
    echo -n $"Starting freshclam: "
    # Start me up!
    #        --log="$LOG_FILE" \
    #        --log-verbose \
    daemon /usr/bin/freshclam -d -p /var/run/clamav/freshclam.pid \
        -c 48 \
        --quiet \
        --datadir="$DATA_DIR" \
        --daemon-notify="$CLAMD_CONF_FILE"
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/freshclam
    return $RETVAL
}

stop() {
    echo -n $"Stopping freshclam: "
    killproc freshclam
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/run/clamav/freshclam.pid /var/lock/subsys/freshclam
    return $RETVAL
}

restart() {
    stop
    start
}

reload() {
    echo -n $"Reloading DB: "
    killproc freshclam -ALRM
    RETVAL=$?
    echo
    return $RETVAL
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status freshclam
    ;;
  restart)
    restart
    ;;
  condrestart)
    [ -f /var/lock/subsys/freshclam ] && restart || :
    ;;
  reload)
    reload
    ;;
  *)
    echo $"Usage: $0 {start|stop|status|restart|condrestart|reload}"
    exit 1
esac

exit $?

Then we adjust the file permissions:

# chmod +x /etc/init.d/freshclamd
Configuration

We now adjust the update interval in the configuration file /etc/freshclam.conf to our liking. Note that the start script above also passes -c 48 on the command line; keep the two values consistent.

# vim /etc/freshclam.conf
...
# Number of database checks per day.
# Default: 12 (every two hours)
# Django 2009-05-17: half-hourly check of the virus pattern database
Checks 48
...
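Whichever update mechanism is used, the question that matters operationally is whether the local database actually keeps up with what the ClamAV project publishes. The following Python script is an added example, not code from the original page or from ClamAV: it reads the header of a local database file (/var/clamav/main.cvd, daily.cvd, or the daily.cld freshclam writes after incremental updates) and compares its version with the version freshclam itself looks up in the current.cvd.clamav.net DNS TXT record. The header layout is what sigtool --info prints for such a file (ClamAV-VDB:<build time>:<version>:<signatures>:<functionality level>:<MD5>:<digital signature>:<builder>:<stime>); the TXT field positions are the ones freshclam reads and are stated here as this example's assumption. The sample header and record values are invented for the example.

```python
"""Added example (not from the original page or from ClamAV): parse the
512-byte header of a .cvd/.cld database file and compare its version with
the published version from the current.cvd.clamav.net TXT record."""
from datetime import datetime, timezone

CVD_HEADER_LEN = 512
CVD_TIME_FORMAT = "%d %b %Y %H-%M %z"   # ':' is the field separator, hence HH-MM

# Constructed samples: versions and sizes are plausible but invented; the MD5
# and signature fields are placeholders and verify nothing.
SAMPLE_DAILY = (b"ClamAV-VDB:21 Nov 2013 11-28 +0000:18041:2836239:64:"
                b"0123456789abcdef0123456789abcdef:placeholder-dsig:neo:1385033280"
                ).ljust(CVD_HEADER_LEN, b"\0")
SAMPLE_MAIN = (b"ClamAV-VDB:17 Sep 2012 15-22 +0000:55:2424225:60:"
               b"fedcba9876543210fedcba9876543210:placeholder-dsig:neo:1347895320"
               ).ljust(CVD_HEADER_LEN, b"\0")
# Constructed TXT record in the shape `dig +short TXT current.cvd.clamav.net` prints.
SAMPLE_TXT = '"0.97.8:55:18043:1385050000:60:63:16080:239"'


def parse_cvd_header(header):
    """Parse the fixed-size header shared by .cvd and .cld files."""
    fields = header[:CVD_HEADER_LEN].rstrip(b"\0 ").decode("ascii").split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 8:
        raise ValueError("not a ClamAV database header")
    return {
        "build_time": datetime.strptime(fields[1], CVD_TIME_FORMAT),
        "version": int(fields[2]),
        "sigs": int(fields[3]),
        "flevel": int(fields[4]),   # engine functionality level this DB needs
        "md5": fields[5],
        "dsig": fields[6],
        "builder": fields[7],
    }


def read_cvd_header(path):
    """Header of an on-disk database, e.g. /var/clamav/daily.cvd."""
    with open(path, "rb") as fh:
        return parse_cvd_header(fh.read(CVD_HEADER_LEN))


def parse_current_txt(txt):
    """Field positions as freshclam reads the record (assumption of this
    example): 0 clamav release, 1 main, 2 daily, 3 record time,
    5 functionality level, 6 safebrowsing, 7 bytecode."""
    f = txt.strip().strip('"').split(":")
    return {"main": int(f[1]), "daily": int(f[2]),
            "flevel": int(f[5]), "bytecode": int(f[7])}


def database_age(header, now=None):
    """How long ago the signature build recorded in this header was made."""
    now = now or datetime.now(timezone.utc)
    return now - header["build_time"]


def versions_behind(local, published):
    """local: {"main": header, "daily": header}; published: parse_current_txt().
    A positive number means freshclam has not caught up (or is not running)."""
    return {name: published[name] - hdr["version"] for name, hdr in local.items()}


if __name__ == "__main__":
    import sys
    # Usage: cvdcheck.py '<TXT record>' /var/clamav/main.cvd /var/clamav/daily.cld
    txt = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_TXT
    local = {}
    for path in sys.argv[2:]:
        local["main" if "main." in path else "daily"] = read_cvd_header(path)
    if not local:
        local = {"main": parse_cvd_header(SAMPLE_MAIN),
                 "daily": parse_cvd_header(SAMPLE_DAILY)}
    for name, lag in versions_behind(local, parse_current_txt(txt)).items():
        print("%s: version %d, %d behind, built %s ago"
              % (name, local[name]["version"], lag, database_age(local[name])))
```

The same fields can be cross-checked by hand with `sigtool --info /var/clamav/daily.cvd` and `dig +short TXT current.cvd.clamav.net`; a daily database that stays several versions behind the record for longer than a couple of Checks intervals means the update mechanism, not the signatures, needs attention.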
amavisd

The configuration of our AV scanner clamav is done via its frontend AMaViS. So we edit the file amavisd.conf.

# vim /etc/amavisd.conf

We adapt the path settings to our environment:

$MYHOME = '/var/amavis';             # a convenient default for other settings, -H
$TEMPBASE = "$MYHOME/tmp";           # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE;            # environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = "/var/virusmails";

Likewise:

$db_home      = "$MYHOME/db";        # dir for bdb nanny/cache/snmp databases, -D
$helpers_home = "$MYHOME/var";       # working directory for SpamAssassin, -S
$lock_file    = "$MYHOME/var/amavisd.lock";   # -L
$pid_file     = "$MYHOME/var/amavisd.pid";    # -P
$unix_socketname = "$MYHOME/amavisd.sock";    # amavisd-release or amavis-milter

For the first program start we turn the log level up to 3; later, in production, we can lower it to 2. This way we get valuable and sufficient hints during the initial phase if something does not run as planned.

$log_level = 3;   # verbosity 0..5, -d

Since we want to deal with neither viruses, nor spam, nor unwanted attachments, we instruct AMaViS to have these messages rejected directly by the mail server.

$final_virus_destiny  = D_REJECT;
$final_banned_destiny = D_REJECT;
$final_spam_destiny   = D_REJECT;

Since we want to use ClamAV primarily in its daemonised variant (clamd) and only as a fallback as a backup scanner, we enable the corresponding configuration lines shortly after the line @av_scanners = (.

Important: the socket path must match the LocalSocket setting in the /etc/clamd.conf described above!
# ### http://www.clamav.net/
# Django : 2012-05-21
# ClamAV activated in the daemonized variant
# default: unset
# ['ClamAV-clamd',
#   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
#   qr/\bOK$/m, qr/\bFOUND$/m,
#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
  qr/\bOK$/m, qr/\bFOUND$/m,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
# # NOTE: run clamd under the same user as amavisd, or run it under its own
# #   uid such as clamav, add user clamav to the amavis group, and then add
# #   AllowSupplementaryGroups to clamd.conf;
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# #   this entry; when running chrooted one may prefer socket "$MYHOME/clamd".
So that the mail log file is not later cluttered with countless messages such as No primary av scanner: and No secondary av scanner: for scan engines we have not installed, we deactivate those engines in the configuration file of our AMaViS daemon.
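Before the first start it is worth checking that clamd's LocalSocket really is the socket named in the ['ClamAV-clamd', ...] entry, and it helps to know how that entry interprets clamd's answers. The following Python script is an added example, not code from this wiki page or from amavisd-new: its three regular expressions are the qr// patterns of the entry above rewritten for Python's re module, while the function names (classify_reply, parse_local_socket, check_socket_consistency, contscan), the clamd.conf excerpt and the sample replies are constructed for this example.

```python
"""Check the ClamAV-clamd entry's socket and reply handling (added example).

Not part of the wiki page or of amavisd-new. The three regular expressions
are the Perl qr// patterns from the ['ClamAV-clamd', ...] entry, rewritten
for Python's re module; everything else (function names, the clamd.conf
excerpt, the sample replies) is constructed for this example.
"""
import re
import socket
from typing import Optional, Tuple

# amavisd's three patterns: "clean" marker, "infected" marker, name extractor.
CLEAN_RE = re.compile(r"\bOK$", re.M)
FOUND_RE = re.compile(r"\bFOUND$", re.M)
NAME_RE = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M)


def classify_reply(reply: str) -> Tuple[str, Optional[str]]:
    """Classify one CONTSCAN reply as ('clean'|'infected'|'error', name).

    FOUND is tested first: a multi-file CONTSCAN reply may contain OK lines
    for clean parts next to the FOUND line that makes the whole mail infected.
    The (?!Infected Archive) lookahead skips a line whose "name" is only
    "Infected Archive", so a concrete signature name on another line is used.
    """
    if FOUND_RE.search(reply):
        m = NAME_RE.search(reply)
        return "infected", (m.group(1) if m else None)
    if CLEAN_RE.search(reply):
        return "clean", None
    return "error", None  # neither marker, e.g. clamd could not read the path


def parse_local_socket(clamd_conf_text: str) -> Optional[str]:
    """Return the path from the first active LocalSocket line, or None."""
    for raw in clamd_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "LocalSocket":
            return value.strip()
    return None


def check_socket_consistency(clamd_conf_text: str, amavisd_socket: str) -> bool:
    """True when clamd's LocalSocket is the socket named in the amavisd entry."""
    return parse_local_socket(clamd_conf_text) == amavisd_socket


def contscan(path: str, sock_path: str = "/var/run/clamav/clamd.sock") -> Tuple[str, Optional[str]]:
    """Send the CONTSCAN command the amavisd entry sends and classify the reply.

    Needs a running clamd; not exercised by the offline checks below.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(f"CONTSCAN {path}\n".encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_reply(b"".join(chunks).decode(errors="replace"))


# Constructed clamd.conf excerpt and constructed replies (not captured output).
CLAMD_CONF_SAMPLE = """# constructed clamd.conf excerpt
#LocalSocket /var/run/clamav/clamd
LocalSocket /var/run/clamav/clamd.sock
AllowSupplementaryGroups yes
"""
PART = "/var/amavis/tmp/amavis-20130101T120000-12345/parts"
REPLY_CLEAN = f"{PART}/p001: OK\n"
REPLY_INFECTED = f"{PART}/p001: OK\n{PART}/p002: Eicar-Test-Signature FOUND\n"
REPLY_ARCHIVE = f"{PART}/p003: Infected Archive FOUND\n{PART}/p003: Eicar-Test-Signature FOUND\n"
REPLY_ERROR = f"{PART}/p004: lstat() failed: No such file or directory. ERROR\n"

if __name__ == "__main__":
    for reply in (REPLY_CLEAN, REPLY_INFECTED, REPLY_ARCHIVE, REPLY_ERROR):
        print(classify_reply(reply))
    print(check_socket_consistency(CLAMD_CONF_SAMPLE, "/var/run/clamav/clamd.sock"))
```

Run it against your own /etc/clamd.conf by passing its contents to check_socket_consistency(); a False result is exactly the mismatch that later shows up in the mail log as a scanner that cannot be reached.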
The complete AMaViS configuration therefore now reads as follows.
# less /etc/amavisd.conf
/etc/amavisd.conf
use strict;

# a minimalistic configuration file for amavisd-new with all necessary settings
#
#   see amavisd.conf-default for a list of all variables with their defaults;
#   see amavisd.conf-sample for a traditional-style commented file;
#   for more details see documentation in INSTALL, README_FILES/*
#   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html

# COMMONLY ADJUSTED SETTINGS:

# @bypass_virus_checks_maps = (1);  # controls running of anti-virus code
# @bypass_spam_checks_maps  = (1);  # controls running of anti-spam code
# $bypass_decode_parts = 1;         # controls running of decoders&dearchivers

$max_servers = 2;            # num of pre-forked children (2..30 is common), -m
$daemon_user  = "amavis";    # (no default;  customary: vscan or amavis), -u
$daemon_group = "amavis";    # (no default;  customary: vscan or amavis), -g
# Django : 2012-05-21
# default: $mydomain = 'example.com';
$mydomain = 'nausch.org';    # a convenient default for other settings

# Django : 2012-06-25 replace "by localhost" in the header lines with ""
# default: unset
$localhost_name = "";

# Django : 2012-05-21
# default: unset
$MYHOME = '/var/amavis';     # a convenient default for other settings, -H
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = "/var/virusmails";
# $quarantine_subdir_levels = 1;  # add level of subdirs to disperse quarantine
# $release_format = 'resend';     # 'attach', 'plain', 'resend'
# $report_format  = 'arf';        # 'attach', 'plain', 'resend', 'arf'

# $daemon_chroot_dir = $MYHOME;   # chroot directory or undef, -R

$db_home   = "$MYHOME/db";   # dir for bdb nanny/cache/snmp databases, -D
# Django : 2012-05-21
# default: unset
$helpers_home = "$MYHOME/var";  # working directory for SpamAssassin, -S
# Django : 2012-05-21
# default: unset
$lock_file = "$MYHOME/var/amavisd.lock";  # -L
# Django : 2012-05-21
# default: unset
$pid_file  = "$MYHOME/var/amavisd.pid";   # -P
#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually

# Django : 2012-05-21
# default: $log_level = 0;
$log_level = 3;              # verbosity 0..5, -d
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_facility = 'mail';   # Syslog facility as a string
                             # e.g.: mail, daemon, user, local0, ... local7
$syslog_priority = 'debug';  # Syslog base (minimal) priority as a string,
                             # choose from: emerg, alert, crit, err, warning, notice, info, debug

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
$nanny_details_level = 2;    # nanny verbosity: 1: traditional, 2: detailed
$enable_dkim_verification = 1;  # enable DKIM signatures verification
$enable_dkim_signing = 1;    # load DKIM signing code, keys defined by dkim_key

@local_domains_maps = ( [".$mydomain"] );  # list of all local domains

# Django : 2012-05-21
# @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
#                   10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
@mynetworks = qw( 127.../8 10.../24 );

$unix_socketname = "$MYHOME/amavisd.sock";  # amavisd-release or amavis-milter
                             # option(s) -p overrides $inet_socket_port and $unix_socketname

$inet_socket_port = 10024;   # listen on this local TCP port(s)
# $inet_socket_port = [10024,10026];  # listen on multiple TCP ports

# Django : 2012-05-21
# default: unset   # listening only on localhost
$inet_socket_bind = '*';     # listen on this port 10024 on all network-interfaces

# Django : 2012-05-21
# default: @inet_acl = qw( 127.0.0.1 ::1 );
@inet_acl = qw( 127...1 10...80/32 );  # access allowed from this hosts

$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
};
# it is up to MTA to re-route mail from authenticated roaming users or
# from internal hosts to a dedicated TCP port (such as 10026) for filtering
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps  => ["virusalert\@$mydomain"],
  warnbadhsender   => 1,
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};

$interface_policy{'SOCK'} = 'AM.PDP-SOCK';  # only applies with $unix_socketname

# Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c
# (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'):
$policy_bank{'AM.PDP-SOCK'} = {
  protocol => 'AM.PDP',
  auth_required_release => 0,  # do not require secret_id for amavisd-release
};

$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
# Django : 2012-05-21
# default: $sa_tag2_level_deflt = 6.2;
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
# Django : 2012-05-21
# default: $sa_kill_level_deflt = 6.9;
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
$penpals_bonus_score = 8;    # (no effect without a @storage_sql_dsn database)
$penpals_threshold_high = $sa_kill_level_deflt;  # don't waste time on hi spam
$bounce_killer_score = 100;  # spam score points to add for joe-jobbed bounces

$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?

# @lookup_sql_dsn =
#   ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
#     ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
#     ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
# @storage_sql_dsn = @lookup_sql_dsn;  # none, same, or separate database

# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
#   defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)

$virus_admin               = "virusalert\@$mydomain";  # notifications recip.

$mailfrom_notify_admin     = "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_recip     = "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef

@addr_extension_virus_maps      = ('virus');
@addr_extension_banned_maps     = ('banned');
@addr_extension_spam_maps       = ('spam');
@addr_extension_bad_header_maps = ('badh');
# $recipient_delimiter = '+';  # undef disables address extensions altogether
# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
# $dspam = 'dspam';
$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not enforced)

$sa_spam_subject_tag = '***SPAM*** ';
$defang_virus  = 1;  # MIME-wrap passed infected mail
$defang_banned = 1;  # MIME-wrap passed mail containing banned name
# for defanging bad headers only turn on certain minor contents categories:
$defang_by_ccat{+CC_BADH.",3"} = 1;  # NUL or CR character in header
$defang_by_ccat{+CC_BADH.",5"} = 1;  # header line longer than 998 characters
$defang_by_ccat{+CC_BADH.",6"} = 1;  # header field syntax error

# OTHER MORE COMMON SETTINGS (defaults may suffice):

# Django : 2010-05-21
# default: unset
$myhostname = 'amavis.dmz.nausch.org';  # must be a fully-qualified domain name!

# Django : 2010-05-21
# default: # $notify_method  = 'smtp:[127.0.0.1]:10025';
$notify_method  = 'smtp:[mail.dmz.nausch.org]:10025';
# Django : 2010-05-21
# default: # $forward_method = 'smtp:[127.0.0.1]:10025';
$forward_method = 'smtp:[mail.dmz.nausch.org]:10025';  # set to undef with milter!

# Django : 2012-05-21
# default: unset
$final_virus_destiny      = D_DISCARD;
# Django : 2012-05-21
# default: unset
$final_banned_destiny     = D_BOUNCE;
# Django : 2012-05-21
# default: unset
$final_spam_destiny       = D_BOUNCE;
# $final_bad_header_destiny = D_PASS;
# $bad_header_quarantine_method = undef;

# $os_fingerprint_method = 'p0f:*:2345';  # to query p0f-analyzer.pl

## hierarchy by which a final setting is chosen:
##   policy bank (based on port or IP address) -> *_by_ccat
##   *_by_ccat (based on mail contents) -> *_maps
##   *_maps (based on recipient address) -> final configuration value
# SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all)
# $warnbadhsender,
# $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps)
#
# @bypass_virus_checks_maps, @bypass_spam_checks_maps,
# @bypass_banned_checks_maps, @bypass_header_checks_maps,
#
# @virus_lovers_maps, @spam_lovers_maps,
# @banned_files_lovers_maps, @bad_header_lovers_maps,
#
# @blacklist_sender_maps, @score_sender_maps,
#
# $clean_quarantine_method, $virus_quarantine_to, $banned_quarantine_to,
# $bad_header_quarantine_to, $spam_quarantine_to,
#
# $defang_bad_header, $defang_undecipherable, $defang_spam

# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS

@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$',   # retain full original message for virus checking
  qr'^MAIL-UNDECIPHERABLE$',  # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data',     # don't trust Archive::Zip
));

# for $banned_namepath_re (a new-style of banned table) see amavisd.conf-sample

$banned_filename_re = new_RE(

### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
  qr'^\.(exe-ms|dll)$',                  # banned file(1) types, rudimentary
# qr'^\.(exe|lha|cab|dll)$',             # banned file(1) types

### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
# [ qr'^\.(gz|bz2)$'         => 0 ],  # allow any in gzip or bzip2
  [ qr'^\.(rpm|cpio|tar)$'   => 0 ],  # allow any in Unix-type archives
  qr'.\.(pif|scr)$'i,                  # banned extensions - rudimentary
# qr'^\.zip$',                         # block zip type

### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within these archives

  qr'^application/x-msdownload$'i,    # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

# qr'^message/partial$'i,             # rfc2046 MIME type
# qr'^message/external-body$'i,       # rfc2046 MIME type

# qr'^(application/x-msmetafile|image/x-wmf)$'i,  # Windows Metafile MIME type
# qr'^\.wmf$',                        # Windows Metafile file(1) type

  # block certain double extensions in filenames
  qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,

# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i,  # Class ID CLSID, strict
# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i,  # Class ID extension CLSID, loose

  qr'.\.(exe|vbs|pif|scr|cpl)$'i,             # banned extension - basic
# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
#        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
#        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
#        wmf|wsc|wsf|wsh)$'ix,                # banned ext - long
# qr'.\.(ani|cur|ico)$'i,   # banned cursors and icons filename
# qr'^\.ani$',              # banned animated cursor file(1) type

# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm
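Whether an attachment is blocked by this table is easiest to see by trying the active entries against a few names. The following Python script is an added example, not code from this wiki page or from amavisd-new: its patterns are the uncommented entries of the table above rewritten from Perl qr'' to Python re, while the matching model (each name of a part is looked up, the first matching entry decides for that name, an entry with => 0 allows) is a simplification of amavisd's lookup, and the sample attachments and function names are constructed for the example.

```python
"""Try the active $banned_filename_re entries against sample attachments.

Added example, not code from the wiki page or from amavisd-new. The patterns
are the uncommented entries of the table above, rewritten from Perl qr'' to
Python re. The matching model (each name of a part is looked up, the first
matching entry decides for that name, an entry with => 0 allows) is a
simplification of amavisd's lookup; the sample attachments are constructed.
"""
import re
from typing import List, Optional, Tuple

# Table order matters: the first matching entry decides for a given name.
BANNED_TABLE: List[Tuple[re.Pattern, bool]] = [
    (re.compile(r"^\.(exe-ms|dll)$"), True),                  # file(1) types
    (re.compile(r"^\.(rpm|cpio|tar)$"), False),               # => 0: allow Unix archives
    (re.compile(r".\.(pif|scr)$", re.I), True),               # rudimentary extensions
    (re.compile(r"^application/x-msdownload$", re.I), True),  # MIME types
    (re.compile(r"^application/x-msdos-program$", re.I), True),
    (re.compile(r"^application/hta$", re.I), True),
    # double extensions such as "photo.jpg.bat"; cid: content-ids are exempt
    (re.compile(r"^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*"
                r"(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$", re.I), True),
    (re.compile(r".\.(exe|vbs|pif|scr|cpl)$", re.I), True),   # basic extensions
]


def first_match(name: str) -> Optional[Tuple[str, bool]]:
    """Return (pattern, banned) of the first table entry matching one name."""
    for pat, banned in BANNED_TABLE:
        if pat.search(name):
            return pat.pattern, banned
    return None


def is_banned(file_type: str, mime_type: str, filename: str) -> bool:
    """Decide for one part from its file(1) type, MIME type and declared name.

    amavisd prefixes the file(1) short type with a dot (".exe-ms", ".tar"),
    so the first two table entries only ever match that name.
    """
    for name in (file_type, mime_type, filename):
        hit = first_match(name)
        if hit is not None and hit[1]:
            return True
    return False


# Constructed attachments: (file(1) type, MIME type, declared file name).
SAMPLES = [
    (".exe-ms", "application/x-msdownload", "setup.exe"),
    (".tar", "application/x-tar", "backup.tar"),
    (".asc", "text/plain", "photo.jpg.bat"),
    (".asc", "text/plain", "README.txt"),
    (".asc", "application/pdf", "Invoice.PDF.SCR"),
]


def banned_names(samples=SAMPLES) -> List[str]:
    """File names of the sample parts the table would ban."""
    return [fn for ft, mt, fn in samples if is_banned(ft, mt, fn)]


if __name__ == "__main__":
    for ft, mt, fn in SAMPLES:
        print(f"{fn:20} {'BANNED' if is_banned(ft, mt, fn) else 'passed':7} {first_match(fn)}")
```

Note that "photo.jpg.bat" is caught only by the double-extension entry (bat is not in the basic list), and that "Invoice.PDF.SCR" is caught case-insensitively because of the i modifier on the Perl pattern.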
# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING

@score_sender_maps = ({ # a by-recipient hash lookup table,
                        # results from all matching recipient tables are summed

# ## per-recipient personal tables  (NOTE: positive: black, negative: white)
# '[email protected]'  => [{'[email protected]' => 10.0}],
# '[email protected]'  => [{'.ebay.com'         => -3.0}],
# '[email protected]'  => [{'[email protected]' => -7.0,
#                           '.cleargreen.com'   => -5.0}],

  ## site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost

   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
   ),

#  read_hash("/var/amavis/sender_scores_sitewide"),

   { # a hash-type lookup table (associative array)
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -3.0,
     'securityfocus.com'                        => -3.0,
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -3.0,
     'spamassassin.apache.org'                  => -3.0,
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -3.0,
     '[email protected]'                        => -5.0,
     '[email protected]'                        => -3.0,
     'returns.groups.yahoo.com'                 => -3.0,
     '[email protected]'                        => -3.0,
     lc('[email protected]')                    => -3.0,
     lc('[email protected]')                    => -5.0,

     # soft-blacklisting (positive score)
     '[email protected]'                        =>  3.0,
     '.example.net'                             =>  1.0,

   },
  ],  # end of site-wide tables
});
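How the site-wide tables turn an envelope sender into a score boost, and how that boost interacts with the $sa_kill_level_deflt of 6.31 set above, is shown by the following Python script. It is an added example, not code from this wiki page or from amavisd-new: the three regexp entries are taken from the table above, the hash entries are constructed, and the key order tried for the hash lookup (full address, localpart@, domain, parent domains with a leading dot, then '.') is modelled on amavisd's documented lookup convention without handling address extensions; the function names are this example's own.

```python
"""Reproduce the site-wide @score_sender_maps lookup from the table above.

Added example, not code from the wiki page or from amavisd-new. The '.'
recipient entry holds a regexp table (first match wins) followed by a hash
table; the first table that yields a value supplies the score boost. Three
regexp entries are taken from the page; the hash entries are constructed,
and the hash key order is modelled on amavisd's documented lookup convention
(address extensions are not handled here).
"""
import re
from typing import Dict, List, Optional, Tuple

SA_KILL_LEVEL = 6.31  # $sa_kill_level_deflt from the configuration above

# Regexp table from the page, in table order; the first match decides.
REGEX_TABLE: List[Tuple[re.Pattern, float]] = [
    (re.compile(r"^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@", re.I), 5.0),
    (re.compile(r"^(greatcasino|investments|lose_weight_today|market\.alert)@", re.I), 5.0),
    (re.compile(r"^(inkjetplanet|marketopt|MakeMoney)\d*@", re.I), 5.0),
]

# Constructed hash table: negative = soft-whitelist, positive = soft-blacklist.
HASH_TABLE: Dict[str, float] = {
    "securityfocus.com": -3.0,
    "spamassassin.apache.org": -3.0,
    "newsletter@example.org": 3.0,
    ".example.net": 1.0,
}


def hash_lookup_keys(address: str) -> List[str]:
    """Keys tried, in order, for one envelope sender address."""
    local, _, domain = address.lower().rpartition("@")
    keys = [f"{local}@{domain}", f"{local}@", domain]
    labels = domain.split(".")
    keys += ["." + ".".join(labels[i:]) for i in range(len(labels))]
    keys.append(".")
    return keys


def regex_score(address: str) -> Optional[float]:
    """Value of the first regexp entry matching the address, if any."""
    for pat, score in REGEX_TABLE:
        if pat.search(address):
            return score
    return None


def hash_score(address: str) -> Optional[float]:
    """Value of the most specific hash key present for the address, if any."""
    for key in hash_lookup_keys(address):
        if key in HASH_TABLE:
            return HASH_TABLE[key]
    return None


def sender_score(address: str) -> float:
    """Score boost for a sender: the first table in the list with an answer."""
    for table in (regex_score, hash_score):
        boost = table(address)
        if boost is not None:
            return boost
    return 0.0


def would_be_killed(sa_score: float, address: str) -> bool:
    """True when SpamAssassin score plus sender boost reaches the kill level."""
    return sa_score + sender_score(address) >= SA_KILL_LEVEL


if __name__ == "__main__":
    for sender in ("Offers@bulk.example.com", "bugtraq@securityfocus.com",
                   "noreply@mail.example.net", "alice@example.org"):
        print(f"{sender:28} boost {sender_score(sender):+.1f}")
```

With the kill level at 6.31, a +5.0 soft-blacklist boost means a message needs only a little over 1.3 SpamAssassin points to be blocked, while the -3.0 entries for security mailing lists keep their announcements from being tagged on borderline scores.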
@decoders = (
  ['mail', \&do_mime_decode],
  ['asc',  \&do_ascii],
  ['uue',  \&do_ascii],
  ['hqx',  \&do_ascii],
  ['ync',  \&do_ascii],
  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],
  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],
  ['gz',   \&do_uncompress, 'gzip -d'],
  ['gz',   \&do_gunzip],
  ['bz2',  \&do_uncompress, 'bzip2 -d'],
  ['lzo',  \&do_uncompress, 'lzop -d'],
  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],
  ['cpio', \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['tar',  \&do_pax_cpio,   ['pax','gcpio','cpio'] ],
  ['deb',  \&do_ar,         'ar'],
# ['a',    \&do_ar,         'ar'],  # unpacking .a seems an overkill
  ['zip',  \&do_unzip],
  ['7z',   \&do_7zip,       ['7zr','7za','7z'] ],
  ['rar',  \&do_unrar,      ['rar','unrar'] ],
  ['arj',  \&do_unarj,      ['arj','unarj'] ],
  ['arc',  \&do_arc,        ['nomarch','arc'] ],
  ['zoo',  \&do_zoo,        ['zoo','unzoo'] ],
  ['lha',  \&do_lha,        'lha'],
# ['doc',  \&do_ole,        'ripole'],
  ['cab',  \&do_cabextract, 'cabextract'],
  ['tnef', \&do_tnef_ext,   'tnef'],
  ['tnef', \&do_tnef],
# ['sit',  \&do_unstuff,    'unstuff'],  # broken/unsafe decoder
  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],
);
@av_scanners = (

# ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/)
# ['Sophie',
#   \&ask_daemon, ["{}/\n", '/var/run/sophie'],
#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/m,
#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],

# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
# ['Sophos SAVI', \&sophos_savi ],

# ### http://www.clamav.net/
# Django : 2012-05-21
# ClamAV activated in the daemonized variant
# default: unset
# ['ClamAV-clamd',
#   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
#   qr/\bOK$/m, qr/\bFOUND$/m,
#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
  qr/\bOK$/m, qr/\bFOUND$/m,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
# # NOTE: run clamd under the same user as amavisd, or run it under its own
# #   uid such as clamav, add user clamav to the amavis group, and then add
# #   AllowSupplementaryGroups to clamd.conf;
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# #   this entry; when running chrooted one may prefer socket "$MYHOME/clamd".

# ### http://www.clamav.net/ and CPAN  (memory-hungry! clamd is preferred)
# # note that Mail::ClamAV requires perl to be build with threading!
# ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/m ],

# ### http://www.openantivirus.org/
# ['OpenAntiVirus ScannerDaemon (OAV)',
#   \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],
#   qr/^OK/m, qr/^FOUND: /m, qr/^FOUND: (.+)/m ],

# ### http://www.vanja.com/tools/trophie/
# ['Trophie',
#   \&ask_daemon, ["{}/\n", '/var/run/trophie'],
#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/m,
#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],

# ### http://www.grisoft.com/
# ['AVG Anti-Virus',
#   \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'],
#   qr/^200/m, qr/^403/m, qr/^403 .*?: ([^\r\n]+)/m ],

# ### http://www.f-prot.com/
# ['F-Prot fpscand',  # F-PROT Antivirus for BSD/Linux/Solaris, version 6
#   \&ask_daemon,
#   ["SCAN FILE {}/*\n", '127.0.0.1:10200'],
#   qr/^(0|8|64) /m,
#   qr/^([1235679]|1[01345]) |<[^>:]*(?i)(infected|suspicious|unwanted)/m,
#   qr/(?i)<[^>:]*(?:infected|suspicious|unwanted)[^>:]*: ([^>]*)>/m ],

# ### http://www.f-prot.com/
# ['F-Prot f-protd',  # old version
#   \&ask_daemon,
#   ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
#     ['127.0.0.1:10200', '127.0.0.1:10201', '127.0.0.1:10202',
#      '127.0.0.1:10203', '127.0.0.1:10204'] ],
#   qr/(?i)<summary[^>]*>clean<\/summary>/m,
#   qr/(?i)<summary[^>]*>infected<\/summary>/m,
#   qr/(?i)<name>(.+)<\/name>/m ],

# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/
# ['DrWebD', \&ask_daemon,   # DrWebD 4.31 or later
#   [pack('N',1).              # DRWEBD_SCAN_CMD
#    pack('N',0x00280001).     # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES
#    pack('N',                 # path length
#      length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")).
#    '{}/*'.                   # path
#    pack('N',0).              # content size
#    pack('N',0),
#    '/var/drweb/run/drwebd.sock',
#  # '/var/amavis/var/run/drwebd.sock',   # suitable for chroot
#  # '/usr/local/drweb/run/drwebd.sock',  # FreeBSD drweb ports default
#  # '127.0.0.1:3000',                    # or over an inet socket
#   ],
#   qr/\A\x00[\x10\x11][\x00\x10]\x00/sm,              # IS_CLEAN,EVAL_KEY; SKIPPED
#   qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/sm,#  KNOWN_V,UNKNOWN_V,V._MODIF
#   qr/\A.{12}(?:infected with )?([^\x00]+)\x00/sm,
# ],
# # NOTE: If using amavis-milter, change length to:
# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx").

# Django : 2012-05-21
# entry deactivated
# ### http://www.kaspersky.com/  (kav4mailservers)
# ['KasperskyLab AVP - aveclient',
#   ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
#    '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
#   '-p /var/run/aveserver -s {}/*',
#   [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m,
#   qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m,
# ],
# # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious,
# # corrupted or protected archives are to be handled

# Django : 2012-05-21
# entry deactivated
# ### http://www.kaspersky.com/
# ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
#   '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],    # any use for -A -K ?
#   qr/infected: (.+)/m,
#   sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
#   sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
# ],

# Django : 2012-05-21
# entry deactivated
# ### The kavdaemon and AVPDaemonClient have been removed from Kaspersky
# ### products and replaced by aveserver and aveclient
# ['KasperskyLab AVPDaemonClient',
#   [ '/opt/AVP/kavdaemon',       'kavdaemon',
#     '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
#     '/opt/AVP/AvpTeamDream',    'AvpTeamDream',
#     '/opt/AVP/avpdc', 'avpdc' ],
#   "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ],
#   # change the startup-script in /etc/init.d/kavd to:
#   #   DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
#   #   (or perhaps:   DPARMS="-I0 -Y -* /var/amavis" )
#   # adjusting /var/amavis above to match your $TEMPBASE.
#   # The '-f=/var/amavis' is needed if not running it as root, so it
#   # can find, read, and write its pid file, etc., see 'man kavdaemon'.
#   # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
#   # directory $TEMPBASE specifies) in the 'Names=' section.
#   # cd /opt/AVP/DaemonClients; configure; cd Sample; make
#   # cp AvpDaemonClient /opt/AVP/
#   # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"
# Django : 2012-05-21
# entry deactivated
# ### http://www.centralcommand.com/
# ['CentralCommand Vexira (new) vascan',
#   ['vascan','/usr/lib/Vexira/vascan'],
#   "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
#   "--log=/var/log/vascan.log {}",
#   [0,3], [1,2,5],
#   qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\
#     ( [^\]\s']+ )\ \.\.\.\ /m ],
#   # Adjust the path of the binary and the virus database as needed.
#   # 'vascan' does not allow to have the temp directory to be the same as
#   # the quarantine directory, and the quarantine option can not be disabled.
#   # If $QUARANTINEDIR is not used, then another directory must be specified
#   # to appease 'vascan'. Move status 3 to the second list if password
#   # protected files are to be considered infected.

# Django : 2012-05-21
# entry deactivated
# ### http://www.avira.com/
# ### Avira AntiVir (formerly H+BEDV) or (old) CentralCommand Vexira Antivirus
# ['Avira AntiVir', ['antivir','vexira'],
#   '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m,
#   qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
#        (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ],
#   # NOTE: if you only have a demo version, remove -z and add 214, as in:
#   #  '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,

# Django : 2012-05-21
# entry deactivated
# ### http://www.commandsoftware.com/
# ['Command AntiVirus for Linux', 'csav',
#   '-all -archive -packed {}', [50], [51,52,53],
#   qr/Infection: (.+)/m ],

# Django : 2012-05-21
# entry deactivated
# ### http://www.symantec.com/
# ['Symantec CarrierScan via Symantec CommandLineScanner',
#   'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
#   qr/^Files Infected:\s+0$/m, qr/^Infected\b/m,
#   qr/^(?:Info|Virus Name):\s+(.+)/m ],
# Django : 2012-05-21
# entry deactivated
# ### http://www.symantec.com/
# ['Symantec AntiVirus Scan Engine',
#   'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details verbose {}',
#   [0], qr/^Infected\b/m,
#   qr/^(?:Info|Virus Name):\s+(.+)/m ],
#   # NOTE: check options and patterns to see which entry better applies

# ### http://www.f-secure.com/products/anti-virus/  version 4.65
# ['F-Secure Antivirus for Linux servers',
#   ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
#   '--delete=no --disinf=no --rename=no --archive=yes --auto=yes '.
#   '--dumb=yes --list=no --mime=yes {}', [0], [3,6,8],
#   qr/(?:infection|Infected|Suspected): (.+)/m ],

# Django : 2012-05-21
# entry deactivated
# ### http://www.f-secure.com/products/anti-virus/  version 5.52
# ['F-Secure Antivirus for Linux servers',
#   ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
#   '--virus-action1=report --archive=yes --auto=yes '.
#   '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8],
#   qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],
#   # NOTE: internal archive handling may be switched off by '-archive=no'
#   #   to prevent fsav from exiting with status 9 on broken archives

# ### http://www.avast.com/
# ['avast! Antivirus daemon',
#   \&ask_daemon,  # greets with 220, terminate with QUIT
#   ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'],
#   qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t([^[ \t\015\012]+)/m ],

# ### http://www.avast.com/
# ['avast! Antivirus - Client/Server Version', 'avastlite',
#   '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1],
#   qr/\t\[L\]\t([^[ \t\015\012]+)/m ],

# Django : 2012-05-21
# entry deactivated
# ['CAI InoculateIT', 'inocucmd',  # retired product
#   '-sec -nex {}', [0], [100],
#   qr/was infected by virus (.+)/m ],
#   # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html

# Django : 2012-05-21
# entry deactivated
# ### http://www3.ca.com/Solutions/Product.asp?ID=156  (ex InoculateIT)
# ['CAI eTrust Antivirus', 'etrust-wrapper',
#   '-arc -nex -spm h {}', [0], [101],
#   qr/is infected by virus: (.+)/m ],
#   # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
#   #   see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783

# Django : 2012-05-21
# entry deactivated
# ### http://mks.com.pl/english.html
# ['MkS_Vir for Linux (beta)', ['mks32','mks'],
#   '-s {}/*', [0], [1,2],
#   qr/--[ \t]*(.+)/m ],

# Django : 2012-05-21
# entry deactivated
# ### http://mks.com.pl/english.html
# ['MkS_Vir daemon', 'mksscan',
#   '-s -q {}', [0], [1..7],
#   qr/^... (\S+)/m ],

# ### http://www.nod32.com/,  version v2.52 (old)
# ['ESET NOD32 for Linux Mail servers',
#   ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
#   '--subdir --files -z --sfx --rtp --adware --unsafe --pattern -heur '.
#   '-w -a --action-on-infected=accept --action-on-uncleanable=accept '.
#   '--action-on-notscanned=accept {}',
#   [0,3], [1,2], qr/virus="([^"]+)"/m ],

# ### http://www.eset.com/, version v2.7 (old)
# ['ESET NOD32 Linux Mail Server - command line interface',
#   ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
#   '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/m ],

# ### http://www.eset.com/, version 2.71.12
# ['ESET Software ESETS Command Line Interface',
#   ['/usr/bin/esets_cli', 'esets_cli'],
#   '--subdir {}', [0], [1,2,3], qr/virus="([^"]+)"/m ],

# Django : 2012-05-21
# entry deactivated
# ### http://www.eset.com/, version 3.0
# ['ESET Software ESETS Command Line Interface',
#   ['/usr/bin/esets_cli', 'esets_cli'],
#   '--subdir {}', [0], [1,2,3],
#   qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ],
# Django : 2012-05-21
# entry deactivated
# ## http://www.nod32.com/,  NOD32LFS version 2.5 and above
# ['ESET NOD32 for Linux File servers',
#   ['/opt/eset/nod32/sbin/nod32','nod32'],
#   '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
#   '-w -a --action=1 -b {}',
#   [0], [1,10], qr/^object=.*, virus="(.*?)",/m ],

# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31
# ['ESET Software NOD32 Client/Server (NOD32SS)',
#   \&ask_daemon2,    # greets with 200, persistent, terminate with QUIT
#   ["SCAN {}/*\r\n", '127.0.0.1:8448' ],
#   qr/^200 File OK/m, qr/^201 /m, qr/^201 (.+)/m ],

# Django : 2012-05-21
# entry deactivated
# ### http://www.norman.com/products_nvc.shtml
# ['Norman Virus Control v5 / Linux', 'nvcc',
#   '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
#   qr/(?i).* virus in .* -> \'(.+)\'/m ],

# Django : 2012-05-21
# entry deactivated
# ### http://www.pandasoftware.com/
# ['Panda CommandLineSecure 9 for Linux',
#   ['/opt/pavcl/usr/bin/pavcl','pavcl'],
#   '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
#   qr/Number of files infected[ .]*: 0+(?!\d)/m,
#   qr/Number of files infected[ .]*: 0*[1-9]/m,
#   qr/Found virus :\s*(\S+)/m ],
# # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr'
# # before starting amavisd - the bases are then loaded only once at startup.
# # To reload bases in a signature update script:
# #   /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr
# # Please review other options of pavcl, for example:
# #  -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies

# ### http://www.pandasoftware.com/
# ['Panda Antivirus for Linux', ['pavcl'],
#   '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}',
#   [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0],
#   qr/Found virus :\s*(\S+)/m ],
# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
# Check your RAV license terms before fiddling with the following two lines!
# ['GeCAD RAV AntiVirus 8', 'ravav',
#   '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/m ],
# # NOTE: the command line switches changed with scan engine 8.5 !
# # (btw, assigning stdin to /dev/null causes RAV to fail)

# Django : 2012-05-21
# entry deactivated
# ### http://www.nai.com/
# ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
#   '--secure -rv --mime --summary --noboot - {}', [0], [13],
#   qr/(?x) Found (?:
#       \ the\ (.+)\ (?:virus|trojan) |
#       \ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
#       :\ (.+)\ NOT\ a\ virus)/m,
# # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
# # sub {delete $ENV{LD_PRELOAD}},
# ],
# # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
# #   anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
# #   and then clear it when finished to avoid confusing anything else.
# # NOTE2: to treat encrypted files as viruses replace the [13] with:
# #  qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/

# Django : 2012-05-21
# entry deactivated
# ### http://www.virusbuster.hu/en/
# ['VirusBuster', ['vbuster', 'vbengcl'],
#   "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
#   qr/: '(.*)' - Virus/m ],
# # VirusBuster Ltd. does not support the daemon version for the workstation
# # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
# # binaries, some parameters AND return codes have changed (from 3 to 1).
# # See also the new Vexira entry 'vascan' which is possibly related.

# ### http://www.virusbuster.hu/en/
# ['VirusBuster (Client + Daemon)', 'vbengd',
#   '-f -log scandir {}', [0], [3],
#   qr/Virus found = (.*);/m ],
# # HINT: for an infected file it always returns 3,
# # although the man-page tells a different story

# Django : 2012-05-21
# entry deactivated
# ### http://www.cyber.com/
# ['CyberSoft VFind', 'vfind',
#   '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m,
# # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
# ],

# Django : 2012-05-21
# entry deactivated
# ### http://www.avast.com/
# ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
#   '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^
\t\n\[\]]+)/m ],
# Django : 2012-05-21
# Eintrag deaktiviert
# ### http://www.ikarus-software.com/
# ['Ikarus AntiVirus for Linux', 'ikarus',
#
'{}', [0], [40], qr/Signature (.+) found/m ],
# Django : 2012-05-21
# Eintrag deaktiviert
# ### http://www.bitdefender.com/
# ['BitDefender', 'bdscan', # new version
#
'--action=ignore --no-list {}', qr/^Infected
files\s*:\s*0+(?!\d)/m,
#
qr/^(?:Infected files|Identified viruses|Suspect
files)\s*:\s*0*[1-9]/m,
#
qr/(?:suspected|infected)\s*:\s*(.*)(?:\033|$)/m ],
# Django : 2012-05-21
# Eintrag deaktiviert
# ### http://www.bitdefender.com/
# ['BitDefender', 'bdc', # old version
#
'--arc --mail {}', qr/^Infected files *:0+(?!\d)/m,
#
qr/^(?:Infected files|Identified viruses|Suspect files)
*:0*[1-9]/m,
#
qr/(?:suspected|infected): (.*)(?:\033|$)/m ],
# # consider also: --all --nowarn --alev=15 --flev=15. The --all
argument may
# # not apply to your version of bdc, check documentation and see 'bdc
--help'
# Django : 2012-05-21
# Eintrag deaktiviert
# ### ArcaVir for Linux and Unix http://www.arcabit.pl/
# ['ArcaVir for Linux', ['arcacmd','arcacmd.static'],
Linux - Wissensdatenbank - https://dokuwiki.nausch.org/
Last update: 22.11.2013 12:35.
#
#
centos:mail_c6:spam_4 https://dokuwiki.nausch.org/doku.php/centos:mail_c6:spam_4
'-v 1 -summary 0 -s {}', [0], [1,2],
qr/(?:VIR|WIR):[ \t]*(.+)/m ],
# ### a generic SMTP-client interface to a SMTP-based virus scanner
# ['av_smtp', \&ask_av_smtp,
#
['{}', 'smtp:[127.0.0.1]:5525', 'dummy@localhost'],
#
qr/^2/, qr/^5/, qr/^\s*(.*?)\s*$/m ],
# ['File::Scan', sub {Amavis::AV::ask_av(sub{
#
use File::Scan; my($fn)=@_;
#
my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0);
#
my($vname) = $f->scan($fn);
#
$f->error ? (2,"Error: ".$f->error)
#
: ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @_) },
#
["{}/*"], [0], [1], qr/^(.*) FOUND$/m ],
# ### fully-fledged checker for JPEG marker segments of invalid length
# ['check-jpeg',
#
sub { use JpegTester ();
Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) },
#
["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/m ],
# # NOTE: place file JpegTester.pm somewhere where Perl can find it,
# #
for example in /usr/local/lib/perl5/site_perl
);
@av_scanners_backup = (
### http://www.clamav.net/
- backs up clamd or Mail::ClamAV
['ClamAV-clamscan', 'clamscan',
"--stdout --no-summary -r --tempdir=$TEMPBASE {}",
[], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
# Django : 2012-05-21
# Eintrag deaktiviert
# ### http://www.f-prot.com/
- backs up F-Prot Daemon, V6
# ['F-PROT Antivirus for UNIX', ['fpscan'],
#
'--report --mount --adware {}', # consider: --applications -s 4 u 3 -z 10
#
[0,8,64], [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3],
#
qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ],
# Django : 2012-05-21
# Eintrag deaktiviert
# ### http://www.f-prot.com/
- backs up F-Prot Daemon (old)
# ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
#
'-dumb -archive -packed {}', [0,8], [3,6],
# or: [0], [3,6,8],
#
qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m
],
https://dokuwiki.nausch.org/
Printed on 29.12.2016 07:50.
29.12.2016 07:50.
43/55
Installation und Konfiguration von ClamAV
# Django : 2012-05-21
# Eintrag deaktiviert
# ### http://www.trendmicro.com/
- backs up Trophie
# ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
#
'-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ],
# Django : 2012-05-21
# Eintrag deaktiviert
# ### http://www.sald.com/, http://drweb.imshop.de/
- backs up
DrWebD
# ['drweb - DrWeb Antivirus', # security LHA hole in Dr.Web 4.33 and
earlier
#
['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
#
'-path={} -al -go -ot -cn -upn -ok-',
#
[0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ],
# Django : 2012-05-21
# Eintrag deaktiviert
#
### http://www.kaspersky.com/
#
['Kaspersky Antivirus v5.5',
#
['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
#
'/opt/kav/5.5/kav4unix/bin/kavscanner',
#
'/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
#
'-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
#
qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m,
##
sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
##
sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
#
],
# Commented out because the name 'sweep' clashes with Debian and
FreeBSD
# package/port of an audio editor. Make sure the correct 'sweep' is
found
# in the path when enabling.
#
# ### http://www.sophos.com/
- backs up Sophie or SAVI-Perl
# ['Sophos Anti Virus (sweep)', 'sweep',
#
'-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.
#
'--no-reset-atime {}',
#
[0,2], qr/Virus .*? found/m,
#
qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m,
# ],
# # other options to consider: -idedir=/usr/local/sav
# Always succeeds and considers mail clean.
# Potentially useful when all other scanners fail and it is desirable
# to let mail continue to flow with no virus checking (when
uncommented).
# ['always-clean', sub {0}],
);
Linux - Wissensdatenbank - https://dokuwiki.nausch.org/
Last update: 22.11.2013 12:35.
1;
centos:mail_c6:spam_4 https://dokuwiki.nausch.org/doku.php/centos:mail_c6:spam_4
# insure a defined return value
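The following Python example is added here and is not code from this page or from amavisd. It transcribes the ClamAV-clamscan backup entry above (and the standard amavisd.conf ClamAV-clamd entry, assumed to match the primary scanner configured earlier on this page) into data, applies the clean / infected / virus-name fields to constructed scanner output the way amavisd's result evaluation does, and shows the fall-back from the primary list to the backup list that the two arrays exist for; the paths in the sample output are taken from the maillog excerpt further down.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple, Union

CLEAN, INFECTED, ERROR = "clean", "infected", "error"

# An indicator is either a list of exit codes or a regex applied to the output.
Indicator = Union[Sequence[int], re.Pattern]


@dataclass(frozen=True)
class ScannerEntry:
    """The fields of one @av_scanners entry that decide a scan's outcome."""
    name: str
    clean: Indicator        # exit codes or output regex meaning "clean"
    infected: Indicator     # exit codes or output regex meaning "infected"
    virus_name: re.Pattern  # captures the malware name from the output


# Transcribed from the ClamAV-clamscan entry of @av_scanners_backup above.
CLAMSCAN = ScannerEntry(
    "ClamAV-clamscan",
    clean=[0],
    infected=re.compile(r":.*\sFOUND$", re.M),
    virus_name=re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M),
)

# The standard amavisd.conf ClamAV-clamd entry (assumed to match the primary
# scanner configured earlier on this page); same virus-name regex.
CLAMD = ScannerEntry(
    "ClamAV-clamd",
    clean=re.compile(r"\bOK$", re.M),
    infected=re.compile(r"\bFOUND$", re.M),
    virus_name=re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M),
)


def _hit(indicator: Indicator, exit_code: int, output: str) -> bool:
    if isinstance(indicator, re.Pattern):
        return indicator.search(output) is not None
    return exit_code in indicator


def evaluate(entry: ScannerEntry, exit_code: int, output: str) -> Tuple[str, List[str]]:
    """Decide clean / infected / error for one scanner run.

    Order matters: an "infected" indicator wins over a "clean" exit code, and a
    run that matches neither is an error, never silently clean.
    """
    if _hit(entry.infected, exit_code, output):
        names = sorted({m.group(1) for m in entry.virus_name.finditer(output)})
        return INFECTED, names or ["UNKNOWN"]
    if _hit(entry.clean, exit_code, output):
        return CLEAN, []
    return ERROR, []


RunFn = Callable[[ScannerEntry], Tuple[int, str]]


def scan_with_fallback(primary: Sequence[ScannerEntry], backup: Sequence[ScannerEntry],
                       run: RunFn) -> Dict[str, Tuple[str, List[str]]]:
    """All primary scanners are consulted; the backup list is tried in order,
    stopping at the first usable result, only when every primary scanner failed
    (my reading of how amavisd treats @av_scanners and @av_scanners_backup)."""
    results: Dict[str, Tuple[str, List[str]]] = {}
    for entry in primary:
        outcome = evaluate(entry, *run(entry))
        if outcome[0] != ERROR:
            results[entry.name] = outcome
    if not results:
        for entry in backup:
            outcome = evaluate(entry, *run(entry))
            if outcome[0] != ERROR:
                results[entry.name] = outcome
                break
    return results


# Constructed sample outputs; the paths mirror the maillog excerpt on this page.
PARTS = "/var/amavis/tmp/amavis-20120611T142736-19055/parts"
INFECTED_OUTPUT = (f"{PARTS}/p001: OK\n"
                   f"{PARTS}/p004: Eicar-Test-Signature FOUND\n"
                   f"{PARTS}/p005: Eicar-Test-Signature FOUND\n")
CLEAN_OUTPUT = f"{PARTS}/p001: OK\n{PARTS}/p002: OK\n"
BROKEN_OUTPUT = "ERROR: Can't connect to clamd through /var/run/clamav/clamd.sock\n"


def demo_fallback() -> Dict[str, Tuple[str, List[str]]]:
    """clamd unreachable (error), so the clamscan backup delivers the verdict."""
    def run(entry: ScannerEntry) -> Tuple[int, str]:
        if entry is CLAMD:
            return 2, BROKEN_OUTPUT   # constructed: daemon socket not reachable
        return 1, INFECTED_OUTPUT     # clamscan exits 1 on a hit
    return scan_with_fallback([CLAMD], [CLAMSCAN], run)


if __name__ == "__main__":
    print(evaluate(CLAMSCAN, 1, INFECTED_OUTPUT))
    print(demo_fallback())
```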
First program start
clamd
Now we start our ClamAV daemon for the first time.
# service clamd start
Starting Clam AntiVirus Daemon:                            [  OK  ]
The start is logged accordingly in the log file /var/log/clamav/clamd.log.
# less /var/log/clamav/clamd.log
Mon Jun 11 12:08:26 2012 -> +++ Started at Mon Jun 11 12:08:26 2012
Mon Jun 11 12:08:26 2012 -> clamd daemon 0.97.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Mon Jun 11 12:08:26 2012 -> Running as user clamav (UID 496, GID 493)
Mon Jun 11 12:08:26 2012 -> Log file size limited to -1 bytes.
Mon Jun 11 12:08:26 2012 -> Reading databases from /var/clamav
Mon Jun 11 12:08:26 2012 -> Not loading PUA signatures.
Mon Jun 11 12:08:26 2012 -> Bytecode: Security mode set to "TrustSigned".
Mon Jun 11 12:08:30 2012 -> Loaded 1256207 signatures.
Mon Jun 11 12:08:30 2012 -> TCP: Bound to address 127.0.0.1 on port 3310
Mon Jun 11 12:08:30 2012 -> TCP: Setting connection queue length to 30
Mon Jun 11 12:08:30 2012 -> LOCAL: Unix socket file /var/run/clamav/clamd.sock
Mon Jun 11 12:08:30 2012 -> LOCAL: Setting connection queue length to 30
Mon Jun 11 12:08:30 2012 -> Limits: Global size limit set to 104857600 bytes.
Mon Jun 11 12:08:30 2012 -> Limits: File size limit set to 26214400 bytes.
Mon Jun 11 12:08:30 2012 -> Limits: Recursion level limit set to 16.
Mon Jun 11 12:08:30 2012 -> Limits: Files limit set to 10000.
Mon Jun 11 12:08:30 2012 -> Archive support enabled.
Mon Jun 11 12:08:30 2012 -> Algorithmic detection enabled.
Mon Jun 11 12:08:30 2012 -> Portable Executable support enabled.
Mon Jun 11 12:08:30 2012 -> ELF support enabled.
Mon Jun 11 12:08:30 2012 -> Detection of broken executables enabled.
Mon Jun 11 12:08:30 2012 -> Mail files support enabled.
Mon Jun 11 12:08:30 2012 -> OLE2 support enabled.
Mon Jun 11 12:08:30 2012 -> PDF support enabled.
Mon Jun 11 12:08:30 2012 -> HTML support enabled.
Mon Jun 11 12:08:30 2012 -> Self checking every 600 seconds.
Mon Jun 11 12:08:39 2012 -> Pid file removed.
freshclamd
We start our update mechanism, the freshclam daemon, as usual with:
# service freshclamd start
Starting freshclam:                                        [  OK  ]
The program call is documented accordingly in the log file /var/log/clamav/freshclam.log:
# less /var/log/clamav/freshclam.log
freshclam daemon 0.97.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
ClamAV update process started at Mon Jun 11 12:32:48 2012
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
Downloading daily-15026.cdiff [100%]
Downloading daily-15027.cdiff [100%]
daily.cld updated (version: 15027, sigs: 217122, f-level: 63, builder: ccordes)
bytecode.cvd is up to date (version: 185, sigs: 39, f-level: 63, builder: neo)
Database updated (1261548 signatures) from db.de.clamav.net (IP: 212.1.60.18)
WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.sock
The message WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.sock is of course correct, since the ClamAV daemon clamd has not been started yet.
So we now start the ClamAV daemon once more.
# service clamd start
Starting Clam AntiVirus Daemon:                            [  OK  ]
Now we restart our freshclam daemon once and then check its log file.
# service freshclamd restart
Stopping freshclam:                                        [  OK  ]
Starting freshclam:                                        [  OK  ]
A look into the log file of the freshclam daemon now shows no such error message any more!
# less /var/log/clamav/freshclam.log
freshclam daemon 0.97.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
ClamAV update process started at Mon Jun 11 12:39:25 2012
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
daily.cld is up to date (version: 15027, sigs: 217122, f-level: 63, builder: ccordes)
bytecode.cvd is up to date (version: 185, sigs: 39, f-level: 63, builder: neo)
amavisd
To activate the configuration changes on the AMaViS front end, we now restart the daemon once.
# service amavisd restart
Shutting down Mail Virus Scanner (amavisd):                [  OK  ]
Starting Mail Virus Scanner (amavisd):                     [  OK  ]
The start is logged accordingly in the mail log file.
Jun 11 13:21:43 vml000060 amavis[18664]: logging initialized, log level 3, syslog: amavis.mail
Jun 11 13:21:43 vml000060 amavis[18664]: starting. /usr/sbin/amavisd at amavis.dmz.nausch.org amavisd-new-2.6.6 (20110518), Unicode aware, LANG="en_US.UTF-8"
Jun 11 13:21:43 vml000060 amavis[18664]: user=497, EUID: 497 (497); group=, EGID: 494 494 (494 494)
Jun 11 13:21:43 vml000060 amavis[18664]: Perl version 5.010001
Jun 11 13:21:43 vml000060 amavis[18664]: SpamControl: scanner SpamAssassin, module Amavis::SpamControl::SpamAssassin
Jun 11 13:21:44 vml000060 amavis[18664]: INFO: SA version: 3.3.1, 3.003001, no optional modules: Net::CIDR::Lite Sys::Hostname::Long Razor2::Client::Agent IP::Country::Fast Image::Info Image::Info::GIF Image::Info::JPEG Image::Info::PNG Image::Info::TIFF Mail::SPF Mail::SPF::Server Mail::SPF::Request Mail::SPF::Mech Mail::SPF::Mech::A Mail::SPF::Mech::PTR Mail::SPF::Mech::All Mail::SPF::Mech::Exists Mail::SPF::Mech::IP4 Mail::SPF::Mech::IP6 Mail::SPF::Mech::Include Mail::SPF::Mech::MX Mail::SPF::Mod Mail::SPF::Mod::Exp Mail::SPF::Mod::Redirect Mail::SPF::SenderIPAddrMech Mail::SPF::v1::Record Mail::SPF::v2::Record Error
Jun 11 13:21:44 vml000060 amavis[18664]: SpamControl: init_pre_chroot on SpamAssassin done
Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: Process Backgrounded
Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: 2012/06/11-13:21:44 Amavis (type Net::Server::PreForkSimple) starting! pid(18665)
Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: Using default listen value of 128
Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: Binding to UNIX socket file /var/amavis/amavisd.sock using SOCK_STREAM
Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: Binding to TCP port 10024 on host *
Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: Group Not Defined. Defaulting to EGID '494 494'
Jun 11 13:21:44 vml000060 amavis[18665]: Net::Server: User Not Defined. Defaulting to EUID '497'
Jun 11 13:21:44 vml000060 amavis[18665]: config files read: /etc/amavisd.conf
Jun 11 13:21:44 vml000060 amavis[18665]: Module Amavis::Conf        2.209
Jun 11 13:21:44 vml000060 amavis[18665]: Module Archive::Zip        1.30
Jun 11 13:21:44 vml000060 amavis[18665]: Module BerkeleyDB          0.43
Jun 11 13:21:44 vml000060 amavis[18665]: Module Compress::Zlib      2.02
Jun 11 13:21:44 vml000060 amavis[18665]: Module Convert::TNEF       0.17
Jun 11 13:21:44 vml000060 amavis[18665]: Module Convert::UUlib      1.34
Jun 11 13:21:44 vml000060 amavis[18665]: Module Crypt::OpenSSL::RSA 0.25
Jun 11 13:21:44 vml000060 amavis[18665]: Module DB_File             1.82
Jun 11 13:21:44 vml000060 amavis[18665]: Module Digest::MD5         2.39
Jun 11 13:21:44 vml000060 amavis[18665]: Module Digest::SHA         5.47
Jun 11 13:21:44 vml000060 amavis[18665]: Module IO::Socket::INET6   2.56
Jun 11 13:21:44 vml000060 amavis[18665]: Module MIME::Entity        5.427
Jun 11 13:21:44 vml000060 amavis[18665]: Module MIME::Parser        5.427
Jun 11 13:21:44 vml000060 amavis[18665]: Module MIME::Tools         5.427
Jun 11 13:21:44 vml000060 amavis[18665]: Module Mail::DKIM::Signer  0.37
Jun 11 13:21:44 vml000060 amavis[18665]: Module Mail::DKIM::Verifier 0.37
Jun 11 13:21:44 vml000060 amavis[18665]: Module Mail::Header        2.04
Jun 11 13:21:44 vml000060 amavis[18665]: Module Mail::Internet      2.04
Jun 11 13:21:44 vml000060 amavis[18665]: Module Mail::SpamAssassin  3.003001
Jun 11 13:21:44 vml000060 amavis[18665]: Module Net::DNS            0.65
Jun 11 13:21:44 vml000060 amavis[18665]: Module Net::Server         0.99
Jun 11 13:21:44 vml000060 amavis[18665]: Module NetAddr::IP         4.027
Jun 11 13:21:44 vml000060 amavis[18665]: Module Socket6             0.23
Jun 11 13:21:44 vml000060 amavis[18665]: Module Time::HiRes         1.9721
Jun 11 13:21:44 vml000060 amavis[18665]: Module URI                 1.40
Jun 11 13:21:44 vml000060 amavis[18665]: Module Unix::Syslog        1.1
Jun 11 13:21:44 vml000060 amavis[18665]: Amavis::DB code      loaded
Jun 11 13:21:44 vml000060 amavis[18665]: Amavis::Cache code   loaded
Jun 11 13:21:44 vml000060 amavis[18665]: SQL base code        NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: SQL::Log code        NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: SQL::Quarantine      NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: Lookup::SQL code     NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: Lookup::LDAP code    NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: AM.PDP-in proto code loaded
Jun 11 13:21:44 vml000060 amavis[18665]: SMTP-in proto code   loaded
Jun 11 13:21:44 vml000060 amavis[18665]: Courier proto code   NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: SMTP-out proto code  loaded
Jun 11 13:21:44 vml000060 amavis[18665]: Pipe-out proto code  NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: BSMTP-out proto code NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: Local-out proto code loaded
Jun 11 13:21:44 vml000060 amavis[18665]: OS_Fingerprint code  NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: ANTI-VIRUS code      loaded
Jun 11 13:21:44 vml000060 amavis[18665]: ANTI-SPAM code       loaded
Jun 11 13:21:44 vml000060 amavis[18665]: ANTI-SPAM-EXT code   NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: ANTI-SPAM-C code     NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: ANTI-SPAM-SA code    loaded
Jun 11 13:21:44 vml000060 amavis[18665]: Unpackers code       loaded
Jun 11 13:21:44 vml000060 amavis[18665]: DKIM code            loaded
Jun 11 13:21:44 vml000060 amavis[18665]: Tools code           NOT loaded
Jun 11 13:21:44 vml000060 amavis[18665]: Found $file at /usr/bin/file
Jun 11 13:21:44 vml000060 amavis[18665]: Found $altermime at /usr/bin/altermime
Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .mail
Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .asc
Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .uue
Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .hqx
Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .ync
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .F at /usr/bin/unfreeze
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .Z at /usr/bin/uncompress
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .gz at /usr/bin/gzip -d
Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .gz (backup, not used)
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .bz2 at /usr/bin/bzip2 -d
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .lzo at /usr/bin/lzop -d
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .rpm at /usr/bin/rpm2cpio
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .cpio at /bin/cpio
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .tar at /bin/cpio
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .deb at /usr/bin/ar
Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .zip
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .7z at /usr/bin/7za
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .rar at /usr/bin/unrar
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .arj at /usr/bin/arj
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .arc at /usr/bin/nomarch
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .zoo at /usr/bin/zoo
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .lha at /usr/bin/lha
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .cab at /usr/bin/cabextract
Jun 11 13:21:44 vml000060 amavis[18665]: No decoder for .tnef tried: tnef
Jun 11 13:21:44 vml000060 amavis[18665]: Internal decoder for .tnef
Jun 11 13:21:44 vml000060 amavis[18665]: Found decoder for .exe at /usr/bin/unrar; /usr/bin/lha; /usr/bin/arj
Jun 11 13:21:44 vml000060 amavis[18665]: Using primary internal av scanner code for ClamAV-clamd
Jun 11 13:21:44 vml000060 amavis[18665]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Jun 11 13:21:44 vml000060 amavis[18665]: Creating db in /var/amavis/db/; BerkeleyDB 0.43, libdb 4.7
Jun 11 13:21:44 vml000060 amavis[18665]: initializing Mail::SpamAssassin
Jun 11 13:21:44 vml000060 amavis[18665]: SpamAssassin debug facilities: info
Jun 11 13:21:46 vml000060 amavis[18665]: SpamAssassin lo
aded plugins: AutoLearnThreshold, Bayes, BodyEval, Check, DKIM, DNSEval, FreeMail, HTMLEval, HTTPSMismatch, Hashcash, HeaderEval, ImageInfo, MIMEEval, MIMEHeader, Pyzor, Razor2, RelayEval, ReplaceTags, SPF, SpamCop, URIDNSBL, URIDetail, URIEval, VBounce, WLBLEval, WhiteListSubject
Jun 11 13:21:46 vml000060 amavis[18665]: SpamControl: init_pre_fork on SpamAssassin done
Jun 11 13:21:46 vml000060 amavis[18665]: extra modules loaded after daemonizing/chrooting: Mail/SpamAssassin/Plugin/FreeMail.pm
Jun 11 13:21:46 vml000060 amavis[18679]: TIMING [total 10 ms] - bdb-open: 10 (100%)100, rundown: 0 (0%)100
Jun 11 13:21:46 vml000060 amavis[18680]: TIMING [total 9 ms] - bdb-open: 9 (100%)100, rundown: 0 (0%)100
Starting the services automatically at system boot
clamd
So that our clamav daemon is started automatically at boot time, we carry out the following configuration steps.
# chkconfig clamd on
Afterwards we verify our change:
# chkconfig --list | grep clamd
clamd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
freshclamd
So that our freshclamd is also started automatically at boot time, we carry out the following configuration steps.
# chkconfig freshclamd on
Afterwards we verify our change:
# chkconfig --list | grep freshclamd
freshclamd      0:off   1:off   2:on    3:on    4:on    5:on    6:off
amavisd
No change at all is needed for our front end AMaViS, since we already made the necessary configuration during the basic configuration of amavisd-new.
Test (eicar)
For testing we send an e-mail to a recipient and simply attach an EICAR test virus to the e-mail.
The attempt naturally fails miserably, and the submitting mail client is promptly told the reason why the message could not be accepted.
An error occurred while sending mail.
The mail server responded: 5.7.0 Reject, id=19056-05 - INFECTED: Eicar-Test-Signature.
Please check the message and try again.
In the mail log of our AMaViS host, the unsuccessful attempt to deliver the e-mail with the EICAR test pattern in the attachment is logged accordingly.
# less /var/log/maillog
Jun 11 16:48:12 vml000060 amavis[19055]: (19055-05) process_request: fileno sock=11, STDIN=0, STDOUT=1
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) ESMTP:[10.0.0.60]:10024 /var/amavis/tmp/amavis-20120611T142736-19055: <[email protected]> -> <[email protected]> SIZE=1043 Received: from mx1.nausch.org ([10.0.0.80]) by localhost (amavis.dmz.nausch.org [10.0.0.60]) (amavisd-new, port 10024) with ESMTP for <[email protected]>; Mon, 11 Jun 2012 16:48:12 +0200 (CEST)
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp connection cache, dt: 1153.6, state: 0
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) body hash: d87eeb64bae8fd89341d4f6332e5263e
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) Checking: Cn1wWSZI30ms [192.168.10.45] <[email protected]> -> <[email protected]>
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) 2822.From: <[email protected]>
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) p003 1 Content-Type: multipart/mixed
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) p001 1/1 Content-Type: text/plain, size: 5 B, name:
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) p002 1/2 Content-Type: application/zip, size: 184 B, name: eicar_com.zip
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) inspect_dsn: not a bounce
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) Checking for banned types and filenames
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) collect banned table[0]: [email protected], tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x3be71a0)
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) p.path [email protected]: "P=p003,L=1,M=multipart/mixed | P=p001,L=1/1,M=text/plain,T=asc"
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) p.path [email protected]: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/zip,T=zip,N=eicar_com.zip | P=p004,L=1/2/1,T=asc,N=eicar.com"
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) presenting full original message to scanners as /var/amavis/tmp/amavis-20120611T142736-19055/parts/p005
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) ask_av Using (ClamAV-clamd): CONTSCAN /var/amavis/tmp/amavis-20120611T142736-19055/parts\n
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) ClamAV-clamd: Connecting to socket /var/run/clamav/clamd.sock
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) ClamAV-clamd: Sending CONTSCAN /var/amavis/tmp/amavis-20120611T142736-19055/parts\n to UNIX socket /var/run/clamav/clamd.sock
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) run_av (ClamAV-clamd): /var/amavis/tmp/amavis-20120611T142736-19055/parts INFECTED: Eicar-Test-Signature, Eicar-Test-Signature
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) virus_scan: (Eicar-Test-Signature), detected by 1 scanners: ClamAV-clamd
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) Virus Eicar-Test-Signature matches (constant:1), sender addr ignored
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) blocking contents category is (9) for [email protected]
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) do_notify_and_quar: ccat=Virus (9,0) ("9":Virus, "1":Clean, "0":CatchAll) ccat_block=(9), qar_mth=
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp session: setting up a new session
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp creating socket by IO::Socket::INET6 to [mail.dmz.nausch.org]:10025
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp resp to greeting: 220 mx1.nausch.org ESMTP Postfix
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp cmd> EHLO localhost
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp resp to EHLO: 250 mx1.nausch.org\nPIPELINING\nSIZE 52428800\nETRN\nSTARTTLS\nXFORWARD NAME ADDR PROTO HELO SOURCE PORT\nENHANCEDSTATUSCODES\n8BITMIME\nDSN
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) AUTH not needed, user='', MTA offers ''
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp cmd> MAIL FROM:<[email protected]> [email protected]
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp cmd> RCPT TO:<[email protected]>
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp cmd> DATA
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp resp to MAIL (pip): 250 2.1.0 Ok
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp resp to RCPT (pip) (<[email protected]>): 250 2.1.5 Ok
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp resp to DATA: 354 End data with <CR><LF>.<CR><LF>
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp cmd> QUIT
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) smtp resp to data-dot (<[email protected]>): 250 2.0.0 Ok: queued as 36EE653
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) Amavis::Out::SMTP::Session close, disconnecting
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) SEND via SMTP: <[email protected]> -> <[email protected]>,[email protected] 250 2.0.0 from MTA([mail.dmz.nausch.org]:10025): 250 2.0.0 Ok: queued as 36EE653
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) Blocked INFECTED (Eicar-Test-Signature), [192.168.10.45] [192.168.10.45] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: Cn1wWSZI30ms, Hits: -, size: 1317, 274 ms
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) sending SMTP response: "554 5.7.0 Reject, id=19055-06 - INFECTED: Eicar-Test-Signature"
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) TIMING [total 279 ms] - SMTP greeting: 4 (2%)2, SMTP EHLO: 1 (0%)2, SMTP pre-MAIL: 1 (0%)2, SMTP pre-DATA-flush: 7 (2%)5, SMTP DATA: 37 (13%)18, check_init: 1 (0%)18, digest_hdr: 2 (1%)19, digest_body_dkim: 1 (0%)19, gen_mail_id: 1 (0%)19, mime_decode: 16 (6%)25, get-file-type2: 17 (6%)31, decompose_part: 2 (1%)32, decompose_part: 6 (2%)34, get-file-type1: 13 (5%)39, decompose_part: 1 (0%)39, parts_decode: 0 (0%)39, check_header: 2 (1%)40, AV-scan-1: 26 (9%)49, read_snmp_variables: 1 (1%)50, best_try_originator: 2 (1%)51, update_cache: 2 (1%)51, decide_mail_destiny: 3 (1%)52, fwd-connect: 52 (19%)71, fwd-mail-pip: 14 (5%)76, fwd-rcpt-pip: 1 (0%)76, fwd-data-chkpnt: 0 (0%)76, write-header: 1 (0%)77, fwd-data-contents: 3 (1%)78, fwd-end-chkpnt: 50 (18%)95, prepare-dsn: 1 (0%)96, main_log_entry: 7 (2%)98, update_snmp: 2 (1%)99, SMTP pre-response: 0 (0%)99, SMTP response: 1 (0%)99, unlink-3-files: 1 (0%)100, rundown: 1 (0%)100
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) load: 0 %, total idle 8420.239 s, busy 16.845 s
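As an added example (not from this page or from amavisd), a Python parser for amavisd maillog lines of the kind shown above: it groups the lines by task id and extracts the verdict, the malware name and the SMTP response, which is the information a monitoring rule would alert on. The log sample is constructed in the page's format, with placeholder addresses and Message-IDs, and includes a second, clean task to show that tasks are kept apart.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of the maillog excerpt above (same task id and
# mail_id as the page's EICAR test; addresses and Message-IDs are placeholders).
SAMPLE_MAILLOG = """\
Jun 11 16:40:01 vml000060 amavis[19055]: (19055-05) Checking: AbCdEfGh1234 [192.168.10.45] <sender@example.org> -> <recipient@example.org>
Jun 11 16:40:01 vml000060 amavis[19055]: (19055-05) p001 1 Content-Type: text/plain, size: 12 B, name:
Jun 11 16:40:01 vml000060 amavis[19055]: (19055-05) Passed CLEAN, [192.168.10.45] [192.168.10.45] <sender@example.org> -> <recipient@example.org>, Message-ID: <clean-0001@example.org>, mail_id: AbCdEfGh1234, Hits: -0.5, size: 900, queued_as: 12345AB, 120 ms
Jun 11 16:40:01 vml000060 amavis[19055]: (19055-05) sending SMTP response: "250 2.0.0 Ok: queued as 12345AB"
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) Checking: Cn1wWSZI30ms [192.168.10.45] <sender@example.org> -> <recipient@example.org>
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) p002 1/2 Content-Type: application/zip, size: 184 B, name: eicar_com.zip
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) run_av (ClamAV-clamd): /var/amavis/tmp/amavis-20120611T142736-19055/parts INFECTED: Eicar-Test-Signature, Eicar-Test-Signature
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) virus_scan: (Eicar-Test-Signature), detected by 1 scanners: ClamAV-clamd
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) Blocked INFECTED (Eicar-Test-Signature), [192.168.10.45] [192.168.10.45] <sender@example.org> -> <recipient@example.org>, Message-ID: <virus-0002@example.org>, mail_id: Cn1wWSZI30ms, Hits: -, size: 1317, 274 ms
Jun 11 16:48:13 vml000060 amavis[19055]: (19055-06) sending SMTP response: "554 5.7.0 Reject, id=19055-06 - INFECTED: Eicar-Test-Signature"
"""

# syslog prefix (timestamp, host, amavis[pid]) followed by amavisd's "(task-id) message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) amavis\[\d+\]: "
    r"\((?P<task>\d+-\d+)\) (?P<msg>.*)$")
CHECKING_RE = re.compile(
    r"^Checking: (?P<mail_id>\S+) \[(?P<ip>[^\]]+)\] <(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>")
PART_RE = re.compile(r"^p\d+ \S+ Content-Type: (?P<ctype>[^,]+), size: \d+ B, name: ?(?P<name>.*)$")
SCANNER_RE = re.compile(r"^virus_scan: \(.*\), detected by \d+ scanners: (?P<scanners>.*)$")
VERDICT_RE = re.compile(r"^(?P<verdict>Passed|Blocked) (?P<ccat>[A-Z-]+)(?: \((?P<detail>[^)]*)\))?")
RESPONSE_RE = re.compile(r'^sending SMTP response: "(?P<code>\d{3}) (?P<rest>.*)"$')


def summarize(log_text: str) -> Dict[str, dict]:
    """Fold the per-line amavisd chatter into one record per task id."""
    tasks: Dict[str, dict] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an amavisd line in the expected format
        rec = tasks.setdefault(m["task"], {"attachments": [], "scanners": []})
        msg = m["msg"]
        if c := CHECKING_RE.match(msg):
            rec.update(ts=m["ts"], mail_id=c["mail_id"], client_ip=c["ip"],
                       sender=c["sender"], recipient=c["rcpt"])
        elif p := PART_RE.match(msg):
            if p["name"]:  # unnamed parts (message bodies) are not attachments
                rec["attachments"].append((p["name"], p["ctype"]))
        elif s := SCANNER_RE.match(msg):
            rec["scanners"] = s["scanners"].split(", ")
        elif v := VERDICT_RE.match(msg):
            rec.update(verdict=v["verdict"], ccat=v["ccat"], detail=v["detail"])
        elif r := RESPONSE_RE.match(msg):
            rec["smtp_code"] = r["code"]
    return tasks


def blocked_events(tasks: Dict[str, dict]) -> List[Tuple[str, str, str, str]]:
    """(task, mail_id, client ip, malware name) for every blocked message: the
    tuple a SIEM rule or a per-client alert threshold would key on."""
    return [(task, rec.get("mail_id", "?"), rec.get("client_ip", "?"),
             rec.get("detail") or rec.get("ccat", "?"))
            for task, rec in sorted(tasks.items()) if rec.get("verdict") == "Blocked"]


if __name__ == "__main__":
    for event in blocked_events(summarize(SAMPLE_MAILLOG)):
        print("BLOCKED", *event)
```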
The postmaster [email protected] is also sent a notification message pointing out that someone has tried to deliver a virus.
From: "Content-filter at amavis.dmz.nausch.org" <[email protected]>
Date: Mon, 11 Jun 2012 16:48:12 +0200 (CEST)
Subject: VIRUS (Eicar-Test-Signature) in mail FROM [192.168.10.45]
<[email protected]>
To: <[email protected]>
Message-ID: <[email protected]>
This is a multi-part message in MIME format...
------------=_1339426093-19055-1
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
A virus was found: Eicar-Test-Signature
Scanner detecting a virus: ClamAV-clamd
Content type: Virus
Internal reference code for the message is 19055-06/Cn1wWSZI30ms
First upstream SMTP client IP address: [192.168.10.45]
According to a 'Received:' trace, the message apparently originated at:
[192.168.10.45], pml010051.nausch.org unknown [192.168.10.45] using TLSv1
with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits) No client certificate
requested
Return-Path: <[email protected]>
From: Django <[email protected]>
Message-ID: <[email protected]>
Subject: TesteMail mit Eicar-Testfile im Anhang
Not quarantined.
Notification to sender will not be mailed.
The message WAS NOT relayed to:
<[email protected]>:
554 5.7.0 Reject, id=19055-06 - INFECTED: Eicar-Test-Signature
Virus scanner output:
p004: Eicar-Test-Signature FOUND
p005: Eicar-Test-Signature FOUND
------------=_1339426093-19055-1
Content-Type: text/rfc822-headers; name="header"
Content-Disposition: inline; filename="header"
Content-Transfer-Encoding: 7bit
Content-Description: Message header section
Return-Path: <[email protected]>
Received: from pml010051.nausch.org (unknown [192.168.10.45])
(using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
(No client certificate requested)
by mx1.nausch.org (Postfix) with ESMTPS
for <[email protected]>; Mon, 11 Jun 2012 16:48:12 +0200 (CEST)
Message-ID: <[email protected]>
Date: Mon, 11 Jun 2012 16:48:13 +0200
From: Django <[email protected]>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:11.0) Gecko/20120329
Thunderbird/11.0.1
MIME-Version: 1.0
To: [email protected]
Subject: TesteMail mit Eicar-Testfile im Anhang
Content-Type: multipart/mixed;
boundary="------------010707070506040503040902"
If required, this notification can be switched off. The following values in amavisd.conf are relevant for this.
$virus_admin               = "virusalert\@$mydomain";  # notifications recip.
$mailfrom_notify_admin     = "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_recip     = "virusalert\@$mydomain";  # notifications sender
Optimisation / RAM disk for AMaViS
Since under corresponding traffic the accesses to the hard disk have an unfavourable effect on performance, we create a RAM disk for the virus scanner. There ClamAV can then unpack the attachments of the messages, store them and check them for malicious code.
So that we can set the access rights on the RAM disk correctly (after all, not everyone should be able to read the contents of the e-mails), we first determine the gid and uid.
# grep amavis /etc/group
amavis:x:494:clamav
# grep amavis /etc/passwd
amavis:x:497:494:Amavis email scan user:/var/amavis:/bin/sh
For our purposes we create a 250 MB RAM disk:
# vim /etc/fstab
# RAM disk for ClamAV
/dev/shm                /var/amavis/tmp         tmpfs   defaults,size=250m,mode=750,uid=497,gid=494 0 0
Then we mount our new volume with
# mount /var/amavis/tmp
Depending on the load, the data is now stored in our working directory
# df -h -t tmpfs
Filesystem            Size  Used Avail Use% Mounted on
/dev/shm              250M     0  250M   0% /var/amavis/tmp
Links
Back to the chapter >>Mail server installation under CentOS 6<<
Back to >>Projects and topic chapters<<
Back to the start page
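An added Python example (not the page's own code) that derives the fstab entry from the uid/gid lookups above and checks the point of mode=750: the clamav account that clamd runs as must still be able to read the unpacked mail parts, while unrelated local users must not. The passwd and group lines are constructed copies of the values shown on this page (amavis 497:494 with clamav as group member, clamav UID 496 / GID 493 from the clamd log).

```python
from typing import Dict, List, Tuple

# Constructed copies of the relevant /etc/passwd and /etc/group lines, using the
# values shown on this page.
PASSWD = """\
amavis:x:497:494:Amavis email scan user:/var/amavis:/bin/sh
clamav:x:496:493:Clam Anti Virus Checker:/var/lib/clamav:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
"""
GROUP = """\
amavis:x:494:clamav
clamav:x:493:
users:x:100:
"""


def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """name -> (uid, primary gid)"""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, gid, *_ = line.split(":")
            users[name] = (int(uid), int(gid))
    return users


def parse_group(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """name -> (gid, supplementary members)"""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, gid, members = line.split(":", 3)
            groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def fstab_entry(mountpoint: str, size: str, uid: int, gid: int, mode: str = "750") -> str:
    """tmpfs line in the form used on this page; mode 750 gives 'other' nothing."""
    return f"/dev/shm {mountpoint} tmpfs defaults,size={size},mode={mode},uid={uid},gid={gid} 0 0"


def _can_enter_and_read(passwd, groups, user: str, owner_uid: int, owner_gid: int, mode: int) -> bool:
    """Does `user` get r+x (needed to list and read files in a directory) on a
    directory owned by owner_uid:owner_gid with these permission bits?"""
    uid, primary_gid = passwd[user]
    in_group = primary_gid == owner_gid or any(
        gid == owner_gid and user in members for gid, members in groups.values())
    if uid == owner_uid:
        bits = (mode >> 6) & 0o7
    elif in_group:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bits & 0o5 == 0o5


def check_ramdisk(entry: str, passwd_text: str, group_text: str,
                  scanner_user: str = "clamav") -> Tuple[bool, str]:
    """Validate a tmpfs fstab line: the scanner account (clamd runs as clamav) must
    be able to read the unpacked mail parts, every other account must be locked out."""
    passwd, groups = parse_passwd(passwd_text), parse_group(group_text)
    fields = entry.split()
    if len(fields) < 4 or fields[2] != "tmpfs":
        return False, "not a tmpfs entry"
    opts = dict(o.split("=", 1) if "=" in o else (o, "") for o in fields[3].split(","))
    try:
        uid, gid, mode = int(opts["uid"]), int(opts["gid"]), int(opts["mode"], 8)
    except (KeyError, ValueError):
        return False, "uid=, gid= and mode= must all be set"
    if mode & 0o007:
        return False, f"mode {mode:o} grants access to every local user"
    if not _can_enter_and_read(passwd, groups, scanner_user, uid, gid, mode):
        return False, f"{scanner_user} cannot read {fields[1]}: scans would fail"
    return True, "ok"


if __name__ == "__main__":
    users = parse_passwd(PASSWD)
    line = fstab_entry("/var/amavis/tmp", "250m", *users["amavis"])
    print(line)
    print(check_ramdisk(line, PASSWD, GROUP))
```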
1)
GNU General Public License
From:
https://dokuwiki.nausch.org/ - Linux - Wissensdatenbank
Permanent link:
https://dokuwiki.nausch.org/doku.php/centos:mail_c6:spam_4
Last update: 22.11.2013 12:35.