DOCUMENTATION
Non-Debian documentation has been removed (i.e. how to install on UnixXXX
etc.). The original documentation is still available in the source
package. Download the source using the command 'apt-get source clamav'.
CONFIGURATION
There are several changes made to the default configuration provided by
upstream. Both the autogenerated configuration files and the ones
shipped under examples/ have been edited to provide FHS compliant paths
for things like logfiles, pidfiles, and sockets. The autogenerated
configuration files additionally contain some non-default values, as I
feel the upstream defaults do not provide the 'out of the box'
arrangement most suited to the average user.
In particular, I believe the following choices are more suited to most
default configurations than the upstream defaults:
FixStaleSocket
    This removes a socket file left over from a previous clamd that had
    an unclean shutdown. This allows for easier restarting.
LogFileMaxSize
    Setting this to 0 disables truncation of the logfile. As the default
    Debian configuration uses logrotate, this is not an issue except on
    severely disk constrained systems.
DetectBrokenExecutables
    This will pick up many viral fragments that are likely not harmful
    in and of themselves, but may cause end users to worry that they
    received something their A/V scanner identifies.
ArchiveBlockMax
    This makes the assumption that if you are setting the various
    Archive* options, you would rather block than pass through if one of
    those conditions is met.
All ClamAV configuration files (in other words, all files under /etc/)
are handled by ucf, as they are dynamically generated. If you want
to affect ucf's behavior with regard to conffile handling, please see
/etc/ucf.conf or ucf(1).
CLAMAV-DAEMON
CONFIG FILE HANDLING
Configuration handling for clamav-daemon has debconf support. During
install the default values stored in debconf-template are used to
create a configuration file. Due to the complexity of configuring the
daemon no questions are asked during install. If you want to change this
configuration you have two options:
1. 'point-and-click' re-configuration using debconf
   The vast majority of options can be accessed by running
   'dpkg-reconfigure clamav-base'
   Clamav-daemon's configuration is quite complex. However its full
   complexity shouldn't be felt by users since the majority of the
   questions already have sensible defaults.
2. The package also handles manual editing of its configuration file,
   /etc/clamav/clamd.conf, gracefully.
While it's possible to mix debconf and manual editing, it isn't
recommended, since it can lead to confusing results. Debconf attempts to
respect any changes you have done manually in /etc/clamav/clamd.conf.
Every care has been taken to make sure your changes are preserved over
upgrade, but if you are going to manage your conf file manually, please
take a moment and run dpkg-reconfigure clamav-base, and answer no to
debconf management.
Just running dpkg-reconfigure clamav-base won't reset
/etc/clamav/clamd.conf to a debconf generated configuration
file. If you want to discard all your manual changes just run 'ucf -p
/etc/clamav/clamd.conf;dpkg-reconfigure clamav-base'
WARNINGS
The ScanMail option has stabilized somewhat over previous releases, and
is now enabled by default. However, this is where the bulk of libclamav's
bugs lie. This is largely due to the arms race nature of trying to keep
up with virus writers' interesting ideas about MIME, and certain MUAs'
willingness to go along with those ideas. Caveat emptor, you have been
warned.
As of version 0.71-1, clamd will no longer run as root by default. This
decision was made due to the fact that it is still pre-1.0 software, and
there are still many bugs to be worked out. This decision can be
overridden by editing /etc/clamav/clamd.conf, and changing User to the
value desired. This decision will help isolate your system from any
flaws in clamd (see http://bugs.debian.org/247574 for an example of a
problem caused by clamd following symlinks in an archive), but will mean
some compromises in functionality.
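The two points raised above, which account clamd drops to and how it is reached, can be checked mechanically. The following shell script is an added example, not part of this README or the Debian clamav packaging. It reads a clamd.conf and reports whether clamd would still run as root and whether it listens on a TCP socket instead of a Unix socket. User, LocalSocket and TCPSocket are the real clamd.conf keywords; the configurations fed to it in testing are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the Debian clamav packaging: audit a clamd.conf
# for the account clamd drops to and the kind of socket it listens on.

# conf_value FILE KEYWORD
# Print the value of the last uncommented KEYWORD line. clamd.conf is one
# "Keyword value" pair per line and '#' starts a comment, so comparing the
# first field against the keyword skips commented-out lines.
conf_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# audit_clamd_conf FILE
# Return 0 when clamd drops privileges to a non-root account and listens
# on a Unix socket; otherwise print each finding and return 1.
audit_clamd_conf() {
    conf=$1
    problems=0

    user=$(conf_value "$conf" User)
    case "$user" in
        "")   echo "WARN: no User directive; clamd keeps the privileges it was started with"
              problems=$((problems + 1)) ;;
        root) echo "WARN: User root; flaws in clamd are not isolated from the rest of the system"
              problems=$((problems + 1)) ;;
        *)    echo "OK:   clamd drops to user '$user'" ;;
    esac

    if [ -n "$(conf_value "$conf" TCPSocket)" ]; then
        echo "WARN: TCPSocket set; filesystem permissions no longer protect the control socket"
        problems=$((problems + 1))
    elif [ -n "$(conf_value "$conf" LocalSocket)" ]; then
        echo "OK:   listening on Unix socket $(conf_value "$conf" LocalSocket)"
    else
        echo "WARN: neither LocalSocket nor TCPSocket set"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Usage: sh audit-clamd.sh /etc/clamav/clamd.conf
if [ "$#" -gt 0 ]; then
    audit_clamd_conf "$1"
fi
```

Because only the last uncommented occurrence of a keyword counts, the script sees the same effective value clamd does when a directive appears twice.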
MTA INTEGRATION
SENDMAIL
So long as sendmail can write to clamav-milter's socket, the rest
of the communication is handled between the milter and clamd, and
permissions are not a problem. apt-get install clamav-milter, and
follow the instructions in /usr/share/doc/clamav-milter/README.Debian.
EXIM4
Exim4 users will want to either run clamd as User Debian-exim, so clamd
has read and write permissions on the scan/ directory, or (better)
add clamav to group Debian-exim and add AllowSupplementaryGroups
to clamd.conf. You may also need to ensure the scan/ directory is
group writable (on Debian systems, this is /var/spool/exim4/scan).
To enable clamav in the Debian exim4 packages, add
    av_scanner = clamd:/var/run/clamav/clamd.ctl
(or if you've chosen tcp sockets)
    av_scanner = clamd:127.0.0.1 3310
to the main configuration settings (a new file under
/etc/exim4/conf.d/main/ if split config is being used).
Then add the following to your data time ACL:
    deny message = This message contains a virus: ($malware_name) please scan your system.
         demime = *
         malware = *
(The data ACL is defined in /etc/exim4/conf.d/acl/40_exim4-config_check_data
by default if split config is being used.)
AMAVIS
Amavis variants can achieve the same functionality by adding the clamav
user to the amavis group.
POSTFIX
Recent versions of postfix have support for milters. This allows clamav-milter to
be used reasonably well with postfix, although group permissions on the actual
socket remain a problem. See /usr/share/doc/clamav-milter/INSTALL.gz for some
details. A solution for the frequent "I have to change the init script to make sure
postfix can communicate with the socket" problem is making the directory for the socket
setgid. So: uncomment "USE_POSTFIX=yes" in /etc/default/clamav-milter, choose the
appropriate socket option, then:
    mkdir -p /var/spool/postfix/clamav/
    chown clamav:postfix /var/spool/postfix/clamav/
    chmod g+s /var/spool/postfix/clamav/
    ls -l /var/spool/postfix/clamav/
    srwxrwxr-x 1 clamav postfix 0 2006-12-15 03:37 clamav-milter
Another option is to use a TCP socket for milter <-> postfix communication. For this
option, you can use the syntax:
SOCKET=inet:12000@127.0.0.1 (port@host, in case it's not clear)
in /etc/default/clamav-milter. This has the disadvantage that you lose filesystem
permission-based protections on the socket, so use with some caution.
I am not as familiar with other MTAs, but the same principles apply:
clamav needs read and write access to the directory where messages are
unpacked (as is the case with amavis and exim4), and the MTA needs
read/write permissions to clamav's socket file, if it is run listening
on a unix socket rather than a network socket.
ERRATA
For those who use clamav-daemon primarily for system scans (although
since clamd detects largely MS viruses, the utility of doing this on
a regular basis is somewhat limited in most Linux-only environments),
there is probably no alternative but to run clamd as User root or
use clamscan (see below). If you are doing this, I highly suggest
running it listening on a Unix socket, and restricting read/write
permissions to it to prevent unauthorized access. In these
circumstances, running clamscan instead is probably safer as the
overhead of per-instance database loading is vastly outweighed by the
length of the scan, and it eliminates running a daemon as root.
As of 0.75-1, there is support for running both clamd and clamav-milter
under daemon. Just install daemon, and add Foreground to clamd.conf.
Beware that this affects both clamd and clamav-milter; it is not
either/or.
Note also that the clamd package contains an empty directory,
/etc/clamav/virusevent.d/. Admins and other packagers are encouraged to
use this directory to store scripts that should be executed after a virus
is detected. To enable the feature, you will have to add:
    VirusEvent /bin/run-parts --lsbsysinit /etc/clamav/virusevent.d/
to /etc/clamav/clamd.conf.
CLAMSCAN
It has the same flaws as clamav-daemon when it comes to handling mbox
attachments (the code with the bugs is in the library). The consequences of
such bugs are less severe in clamscan since it is completely restarted on
each invocation, whereas clamd may be taken down by the same bug. If you do
a high number of scans (for example, a separate scan for each received
email), then clamd may better suit your needs. If you are doing full
system scans, then there is no noticeable performance benefit to the daemon,
and you can easily substitute clamscan, and eliminate the need to run clamd
as root.
CLAMAV-FRESHCLAM
Clam Antivirus doesn't support the oav-database anymore. The freshclam
auto updating setup is much simpler than the oav counterpart.
The clamav-freshclam package includes virus databases, but these
are only used if fresh ones cannot be downloaded directly from the
database servers, or if you do not have them already in place (e.g.,
from the clamav-data package).
If you don't have Internet access you should install the clamav-data
package, which contains a static database. You can even (re)create
a clamav-data package yourself from an Internet connected computer
using the clamav-getfiles package. Note that this feature will likely
be phased out in the future - freshclam already verifies digital
signatures on the databases, and it may refuse to load an unsigned one.
Hopefully at that point, though, there will be a better mechanism to
self-sign databases, and feed the correct signature to freshclam.
Note also that the freshclam package contains the empty directories
/etc/clamav/onupdateexecute.d and /etc/clamav/onerrorexecute.d.
Admins and other packagers are encouraged to use these directories to store
scripts that should be executed after an update or an error. To enable
the feature, you will have to add to /etc/clamav/freshclam.conf:
    OnUpdateExecute /bin/run-parts --lsbsysinit /etc/clamav/onupdateexecute.d/
    OnErrorExecute /bin/run-parts --lsbsysinit /etc/clamav/onerrorexecute.d/
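The run-parts hook directories for clamd (virusevent.d, described in the ERRATA section) and for freshclam (onupdateexecute.d and onerrorexecute.d above) all take the same kind of content: an executable script with no arguments. What follows is an added example of a virusevent.d script, not part of this README or the Debian clamav packaging. It assumes that clamd exports the detection details to the VirusEvent command as the environment variables CLAM_VIRUSEVENT_VIRUSNAME and CLAM_VIRUSEVENT_FILENAME (newer clamd versions do; the ones this README was written for may only substitute %v into the command line), and it strips control characters before logging, since the file name originates from whatever fed the sample to clamd. The virus and file names in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the Debian clamav packaging: a script for
# /etc/clamav/virusevent.d/, run by the VirusEvent run-parts line.
# Assumption: clamd exports the detection to the environment as
# CLAM_VIRUSEVENT_VIRUSNAME and CLAM_VIRUSEVENT_FILENAME; run-parts itself
# passes no arguments.

# format_virus_event VIRUSNAME FILENAME
# Build a single log line. The file name comes from whatever fed clamd (an
# MTA spool path, a user-chosen attachment name), so control characters are
# removed before logging to keep a crafted name from forging extra entries.
format_virus_event() {
    virus=$(printf '%s' "$1" | tr -cd '[:print:]')
    file=$(printf '%s' "$2" | tr -cd '[:print:]')
    printf 'clamd VirusEvent: %s detected in %s' "${virus:-unknown}" "${file:-unknown}"
}

# Only act when invoked by clamd; sourcing the file with the variables unset
# (for example while testing) does nothing.
if [ -n "$CLAM_VIRUSEVENT_VIRUSNAME" ]; then
    format_virus_event "$CLAM_VIRUSEVENT_VIRUSNAME" "$CLAM_VIRUSEVENT_FILENAME" \
        | logger -t clamd-virusevent -p mail.warning
fi
```

Install it as, for example, /etc/clamav/virusevent.d/log-virus with mode 0755; with --lsbsysinit, run-parts ignores names that do not fit its naming rules, so a file called log-virus.sh would silently never run. The same layout works for the freshclam directories, except that no event details are exported there.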
APPARMOR PROFILES
If your system uses apparmor, please note that the shipped enforcing profile
works with the default installation, and changes in your configuration may
require changes to the installed apparmor profile. Please see
https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this
software.