~yolanda.robla/ubuntu/saucy/clamav/dep-8-tests

DOCUMENTATION
  
  Non-Debian documentation has been removed (i.e. how to install on UnixXXX
  etc.)  The original documentation is still available in the source
  package. Download the source using the command 'apt-get source clamav'.
  
CONFIGURATION
  There are several changes made to the default configuration provided by
  upstream.  Both the autogenerated configuration files and the ones
  shipped under examples/ have been edited to provide FHS compliant paths
  for things like logfiles, pidfiles, and sockets.  The autogenerated
  configuration files additionally contain some non-default values, as I
  feel the upstream defaults do not provide the 'out of the box'
  arrangement most suited to the average user.

  In particular, I believe the following choices are more suited to most
  default configurations than the upstream defaults:
    FixStaleSocket
      This removes a socket file left over from a previous clamd that had
      an unclean shutdown.  This allows for easier restarting.
    LogFileMaxSize
      Setting this to 0 disables truncation of the logfile.  As the default
      Debian configuration uses logrotate, this is not an issue except on
      severely disk constrained systems.
    DetectBrokenExecutables
      This will pick up many viral fragments that are likely not harmful
      in and of themselves, but may cause end users to worry that they
      received something their A/V scanner identifies.
    ArchiveBlockMax
      This makes the assumption that if you are setting the various
      Archive* options, you would rather block than pass through if one of
      those conditions is met.

  All ClamAV configuration files (in other words, all files under /etc/)
  are handled by ucf, as they are dynamically generated.  If you want
  to affect ucf's behavior with regard to conffile handling, please see
  /etc/ucf.conf or ucf(1).

CLAMAV-DAEMON

  CONFIG FILE HANDLING

   Configuration handling for clamav-daemon has debconf support. During
   install the default values stored in debconf-template are used to
   create a configuration file. Due to the complexity of configuring the
   daemon no questions are asked during install. If you want to change this
   configuration you have two options:
   
   1. 'point-and-click' re-configuration using debconf
      The vast majority of options can be accessed by running 
      'dpkg-reconfigure clamav-base' 
   
      Clamav-daemon's configuration is quite complex. However, its full
      complexity shouldn't be felt by users since the majority of the
      questions already have sensible defaults.
   
   2. The package also handles manual editing of its configuration file,
      /etc/clamav/clamd.conf, gracefully.
   
   While it's possible to mix debconf and manual editing, it isn't
   recommended, since it can lead to confusing results. Debconf attempts to
   respect any changes you have done manually in /etc/clamav/clamd.conf.
   Every care has been taken to make sure your changes are preserved over
   upgrade, but if you are going to manage your conf file manually, please
   take a moment and run dpkg-reconfigure clamav-base, and answer no to
   debconf management.
   
   Just running dpkg-reconfigure clamav-base won't reset
   /etc/clamav/clamd.conf to a debconf generated configuration
   file. If you want to discard all your manual changes just run 'ucf -p
   /etc/clamav/clamd.conf;dpkg-reconfigure clamav-base'
   
  WARNINGS 

   The ScanMail option has stabilized somewhat over previous releases, and
   is now enabled by default.  However, this is where the bulk of libclamav's
   bugs lie.  This is largely due to the arms race nature of trying to keep
   up with virus writers' interesting ideas about MIME, and certain MUAs'
   willingness to go along with those ideas.  Caveat emptor, you have been
   warned.
   
   As of version 0.71-1, clamd will no longer run as root by default.  This
   decision was made due to the fact that it is still pre-1.0 software, and
   there are still many bugs to be worked out.  This decision can be
   overridden by editing /etc/clamav/clamd.conf, and changing User to the
   value desired.  This decision will help isolate your system from any
   flaws in clamd (see http://bugs.debian.org/247574 for an example of a
   problem caused by clamd following symlinks in an archive), but will mean
   some compromises in functionality.
   
  MTA INTEGRATION
   
   SENDMAIL

   So long as sendmail can write to clamav-milter's socket, the rest
   of the communication is handled between the milter and clamd, and
   permissions are not a problem.  apt-get install clamav-milter, and
   follow the instructions in /usr/share/doc/clamav-milter/README.Debian.

   EXIM4

   Exim4 users will want to either run clamd as User Debian-exim, so clamd
   has read and write permissions on the scan/ directory, or (better)
   add clamav to group Debian-exim and add AllowSupplementaryGroups
   to clamd.conf.  You may also need to ensure the scan/ directory is
   group writable (on Debian systems, this is /var/spool/exim4/scan).

   To enable clamav in the Debian exim4 packages, add 
   av_scanner = clamd:/var/run/clamav/clamd.ctl
   (or if you've chosen tcp sockets)
   av_scanner = clamd:127.0.0.1 3310
   to the main configuration settings (a new file under 
   /etc/exim4/conf.d/main/ if split config is being used)

   Then add the following to your data time acl:

   deny  message = This message contains a virus: ($malware_name) please scan your system.
         demime = *
         malware = *
   
   (The data acl is defined in /etc/exim4/conf.d/acl/40_exim4-config_check_data 
   by default if split config is being used)
   
   AMAVIS
   
   Amavis variants can achieve the same functionality by adding the clamav
   user to the amavis group.

   POSTFIX

   Recent versions of postfix have support for milters.  This allows
   clamav-milter to be used reasonably well with postfix, although group
   permissions on the actual socket are a problem.  See
   /usr/share/doc/clamav-milter/INSTALL.gz for some details.  A solution for
   the frequent "I have to change the init script to make sure postfix can
   communicate with the socket" problem is making the directory for the
   socket setgid.  So uncomment "USE_POSTFIX=yes" in
   /etc/default/clamav-milter, choose the appropriate socket option, and run:

   mkdir -p /var/spool/postfix/clamav/
   chown clamav:postfix /var/spool/postfix/clamav/
   chmod g+s /var/spool/postfix/clamav/

   The socket then shows up with group postfix:

   ls -l /var/spool/postfix/clamav/
   srwxrwxr-x 1 clamav postfix 0 2006-12-15 03:37 clamav-milter

   Another option is to use a TCP socket for milter <-> postfix communication.  For this 
   option, you can use the syntax:
   SOCKET=inet:12000@127.0.0.1 (port@host, in case it's not clear)
   in /etc/default/clamav-milter.  This has the disadvantage that you lose filesystem 
   permission-based protections on the socket, so use with some caution.

   Other MTAs I am not as familiar with, but the same principles apply -
   clamav needs read and write access to the directory where messages are
   unpacked (as is the case with amavis and exim4), and the MTA needs
   read/write permissions to clamav's socket file, if it is run listening
   to a unix socket rather than a network socket.

  ERRATA
  
   For those who use clamav-daemon primarily for system scans (although
   since clamd detects largely MS viruses, the utility of doing this on
   a regular basis is somewhat limited in most linux-only environments),
   there is probably no alternative but to run clamd as User root or
   use clamscan (see below).  If you are doing this, I highly suggest
   running it listening on a Unix socket, and restricting read/write
   permissions to it to prevent unauthorized access.  In these 
   circumstances, running clamscan instead is probably safer as the 
   overhead of per-instance database loading is vastly outweighed by the 
   length of the scan, and it eliminates running a daemon as root.
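
   One way to check a clamd.conf for the combination this paragraph warns
   about: root privileges plus a socket that other users can reach.  This
   is an added example, not part of the Debian package; the option names
   are from clamd.conf(5), while the finding labels and the sample
   configuration are constructed.

```shell
#!/bin/sh
# Added example, not part of the package.  Flags a clamd.conf that keeps
# root privileges while exposing a socket other users can reach.
# Prints one finding per line; returns 1 when anything was flagged.
audit_clamd_conf() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        { opt[$1] = $2 }                     # "Option value"; last one wins
        END {
            # Assumption: clamd is started by root, so without a User
            # line it does not drop privileges.
            user = ("User" in opt) ? opt["User"] : "root"
            if (user != "root") exit 0
            print "root: clamd keeps root privileges"
            if ("TCPSocket" in opt) {
                addr = ("TCPAddr" in opt) ? opt["TCPAddr"] : "all addresses"
                msg = "root-tcp: port " opt["TCPSocket"] " on " addr
                print msg " has no filesystem permission checks"
            }
            if ("LocalSocket" in opt) {
                # Per clamd.conf(5), an unset LocalSocketMode leaves the
                # socket world accessible; treated here as mode 666.
                mode = ("LocalSocketMode" in opt) ? opt["LocalSocketMode"] : "666"
                if (substr(mode, length(mode), 1) ~ /[2367]/)
                    print "root-socket: " opt["LocalSocket"] " is writable by any user"
            }
            exit 1
        }
    ' "$1"
}

# Constructed sample: a root system-scan setup with a TCP listener.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'User root' 'TCPSocket 3310' > "$sample"
audit_clamd_conf "$sample" || echo "review this configuration before use"
rm -f "$sample"
```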
   
   As of 0.75-1, there is support for running both clamd and clamav-milter 
   under daemon.  Just install daemon, and add Foreground to clamd.conf.  
   Beware that this affects both clamd and clamav-milter; it is not
   either/or.
   
   Note also that the clamd package contains an empty directory
   /etc/clamav/virusevent.d/  Admins and other packagers are encouraged to
   use this directory to store scripts that should be executed after a virus
   is detected.  To enable the feature, you will have to add:
   
   VirusEvent /bin/run-parts --lsbsysinit /etc/clamav/virusevent.d/
   
   to /etc/clamav/clamd.conf
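
   A script that could be dropped into /etc/clamav/virusevent.d/ to record
   each detection in syslog.  This is an added example, not shipped by the
   package: the file name 50log-detection and the log format are
   hypothetical, and the two CLAM_VIRUSEVENT_* variables are the ones
   clamd.conf(5) documents for VirusEvent (check the man page for your
   version).

```shell
#!/bin/sh
# /etc/clamav/virusevent.d/50log-detection  (hypothetical name).  Keep the
# name free of a dot-extension such as ".sh": run-parts --lsbsysinit
# skips file names that do not fit its naming rules.

# The scanned file name is attacker-influenced.  Replace control
# characters, quotes and backslashes so a crafted name cannot forge extra
# log lines or break the key="value" layout, and cap the length.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -c '[:print:]' '?' \
        | tr '"\\' '??' | cut -c1-256
}

# $1 = signature name, $2 = scanned file name
format_event() {
    printf 'clamd detection signature="%s" file="%s"' \
        "$(sanitize "$1")" "$(sanitize "$2")"
}

# Log only when clamd has set the variables; do nothing when the script
# is run by hand.
if [ -n "${CLAM_VIRUSEVENT_VIRUSNAME:-}" ]; then
    logger -t clamav-virusevent -p daemon.warning \
        "$(format_event "$CLAM_VIRUSEVENT_VIRUSNAME" \
                        "${CLAM_VIRUSEVENT_FILENAME:-}")"
fi
```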
   
CLAMSCAN
  
  It has the same flaws as clamav-daemon when it comes to handling mbox
  attachments (the code with the bugs is in the library).  The result of
  such bugs is not as heavy in clamscan, since it is completely restarted
  on each invocation, whereas clamd may be taken down by the same bug.  If
  you do a high number of scans (for example, a separate scan for each
  received email), then clamd may better suit your needs.  If you are doing
  full system scans, then there is no noticeable performance benefit to the
  daemon, and you can easily substitute clamscan, and eliminate the need to
  run clamd as root.
  
  
CLAMAV-FRESHCLAM
  
  Clam Antivirus doesn't support the oav-database anymore. The freshclam 
  auto updating setup is much simpler than the oav counterpart.
  
  The clamav-freshclam package includes virus databases, but these
  are only used if fresh ones cannot be downloaded directly from the
  database servers, or if you do not have them already in place (e.g.,
  from the clamav-data package)
  
  If you don't have Internet access you should install the clamav-data
  package, which contains a static database. You can even (re)create
  a clamav-data package yourself from an Internet connected computer
  using the clamav-getfiles package.  Note that this feature will likely
  be phased out in the future - freshclam already verifies digital
  signatures on the databases, and it may refuse to load an unsigned one.
  Hopefully at that point, though, there will be a better mechanism to
  self-sign databases, and feed the correct signature to freshclam.
  
  Note also that the freshclam package contains the empty directories
  /etc/clamav/onupdateexecute.d and /etc/clamav/onerrorexecute.d.
  Admins and other packagers are encouraged to use these directories to store
  scripts that should be executed after an update or an error.  To enable
  the feature, you will have to add to /etc/clamav/freshclam.conf:
  
  OnUpdateExecute /bin/run-parts --lsbsysinit /etc/clamav/onupdateexecute.d/
  OnErrorExecute /bin/run-parts --lsbsysinit /etc/clamav/onerrorexecute.d/
  
  
APPARMOR PROFILES
  
  If your system uses apparmor, please note that the shipped enforcing profile
  works with the default installation, and changes in your configuration may
  require changes to the installed apparmor profile. Please see
  https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this
  software.