Clam AntiVirus 0.80 User Manual
Contents
1. • RAWSCAN file/directory: Scan file or directory (recursively) with archive support disabled (a full path is required).
• CONTSCAN file/directory: Scan file or directory (recursively) with archive support enabled and do not stop scanning if virus is found.
• STREAM: Scan stream. clamd will return a new port number you should connect to and send data to scan.
• SESSION, END: Start/end a clamd session. You can do multiple commands per TCP session (WARNING: due to the clamd implementation the RELOAD command will break the session).

and reacts to the special signals:
• SIGTERM: perform a clean exit
• SIGHUP: reopen a log file
• SIGUSR2: reload the database

5.2 Clamdscan

clamdscan is a simple clamd client. In many cases you can use it as a clamscan replacement, but you must remember that:
• it only depends on clamd
• although it accepts the same command line options as clamscan, most of them are ignored because they must be enabled directly in clamd, i.e. clamd.conf
• scanned files must be accessible for clamd
• it can't use external unpackers

5.3 Clamuko

Clamuko is a special thread in clamd that performs on-access scanning under Linux and FreeBSD and shares internal virus database with the daemon. You must follow some important rules when using it:
• Always stop the daemon cleanly, using the SHUTDOWN command or the SIGTERM signal. In other case you can lose an access to protected files until the system is
2. ClamAV User Manual, 2002-2004, Tomasz Kojm.

This document is distributed under the terms of the GNU General Public License v2.

Clam AntiVirus is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

1 Introduction

Clam AntiVirus is an anti-virus toolkit for UNIX, designed for e-mail scanning on mail gateways. It provides a flexible and scalable multi-threaded daemon, a command line scanner, and an advanced tool for automatic database updating via Inte
3. 8.47 Protea AntiVirus Tools
Homepage: http://www.proteatools.com
Supports: clamd
Protea AntiVirus Tools for Lotus Domino scans and cleans automatically attached files and other objects in Domino mail. Clam AntiVirus scanner is used for virus detection. Fully configurable scheduled database scanning offers an additional layer of protection.

8.48 PTSMail Utilities
Homepage: http://www.scanmail-software.com
Supports: clamscan
PTSMail uses clamscan as part of the ptsfilter, a sendmail milter.

8.49 mxGuard for IMail
Homepage: http://www.mxguard.com/postmaster
Supports: clamscan
mxGuard is a spam filter for Ipswitch IMail mail server running on Windows platforms. It also includes free hooks to major anti-virus engines, including ClamAV.

8.50 BeClam
Homepage: http://www.bebits.com/app/3930
Supports: ClamAV
ClamAV for BeOS (0.74).

8.51 clamXav
Homepage: http://www.markallan.co.uk/clamXav
Supports: ClamAV
clamXav is a virus scanner with GUI for Mac OS X.

8.52 Secure Mail Intelligence
Homepage: http://www.m2smi.com
Supports: libclamav
SMI is a server-side e-mail protection solution that combines firewall elements, intrusion detection system, anti-virus and anti-spam modules. SMI can use up to 7 anti-virus scanners, including ClamAV, at the same time and 3 different spam filtering engines. A built-in SMTP engine allows SMI to directly send mail alerts. Other features include: Routin
4. Andy Igoshin ai vsu ru Jay sysop clamav coronastreet net Stephane Jeannenot lt stephane jeannenot wanadoo fr gt Dave Jones lt dave kalkbay co za gt Jesper Juhl juhl dif dk Alex Kah lt alex narfonix com gt Stefan Kaltenbrunner lt mm mailinglist madness at gt Lloyd Kamara 1 kamara imperial ac uk Kazuhiko lt kazuhiko fdiary net gt Tomasz Klim lt tomek euroneto pl gt Robbert Kouprie robbert exx nl Martin Kraft lt martin kraft fal de gt Petr Kristof lt Kristof P fce vutbr cz gt Henk Kuipers henk opensourcesolutions nl Nigel Kukard lt nkukard lbsd net gt Credits e Dr Andrzej Kurpiel lt akurpiel mat uni torun pl gt e Mark Kushinsky lt mark mdspc com gt e Mike Lambert lt lambert 3eol com gt e Thomas Lamy Thomas Lamy in online net e Marty Lee lt marty maui co uk gt e Dennis Leeuw dleeuw made it com e Martin Lesser admin debian bettercom de e Peter N Lewis lt peter stairways com au gt e Matt Leyda lt mfleyda e one com gt e James Lick lt jlick drivel com gt e Mike Loewen mloewen sturgeon cac psu edu e David S Madole lt david madole net gt e Thomas Madsen tm softcom dk e Bill Maidment bill maidment com au e Joe Maimon jmaimon ttec com e Andrey V Malyshev amal krasn ru e Stefan Martig sm officeco ch e Alexander Marx lt mad ml madness at gt e Andreas Marx http www av test org e Chris Masters lt cmasters
6. j chkmail ensmp fr Supports libclamav clamd 8 Third party software 34 j chkmail is a fast written in C filter for sendmail It does spam and dangerous content virus filtering with help of ClamAV The program supports many modes of monitoring and run time controlling and was designed to work on highly loaded servers It s an open source software available for free to registered users for non commercial usage 8 19 qscanq Homepage http budney homeunix net 8080 users budney software qscang index html Supports clamscan qscanq replaces qmail queue It initiates a scan using clamscan or clamdscan on an incoming email and returns the exit status of the scanner or of qmail queue to the caller 8 20 clamavr Homepage http raa ruby lang org list rhtml name clamavr Supports libclamav Ruby binding for ClamAV 8 21 pyclamav Homepage http xael org norman python pyclamav index html Supports libclamav Python binding for ClamAV 8 22 DansGuardian Anti Virus Plugin Homepage http www pcxperience org dgvirus Supports clamscan DG AVP is a GPL add on that takes the Virus Scanning capabilities of MailScanner and integrates them into the content filtering web proxy DansGuardian 8 23 Viralator Homepage http viralator sourceforge net Supports clamscan Viralator is a perl script that virus scans http downloads on a linux server after passing through the squid proxy server 8 Third party software
7. built on Tru64 UNIX V5.0A, AIX (built on AIX Version 5.1), Linux i386 with glibc 2.3 (compiled on Fedora Core 1, works on RH > 8), Win32/Cygwin (compiled on XP). They're available at http://clamav.or.id

3 Installation

3.1 Requirements

The following elements are required to compile ClamAV:
• zlib and zlib-devel packages
• gcc compiler suite (both 2.9x and 3.x are supported)

The following packages are optional but highly recommended:
• bzip2 and bzip2-devel library
• GNU MP 3

It's very important to install the GMP package because it allows freshclam to verify the digital signatures of the virus databases. If freshclam was compiled without GMP support it will display "SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES" on every update. You can download GNU MP at http://www.swox.com/gmp

A note for Solaris/SPARC users: you must set the ABI system variable to 32 (e.g. setenv ABI 32) before running the configuration script of GMP.

3.2 Installing on a shell account

To install ClamAV on a shell account (e.g. on some shared host) you need not create any additional users or groups. Assuming your home directory is /home/gary you should build it as follows:

    $ ./configure --prefix=/home/gary/clamav --disable-clamav
    $ make; make install

To test your installation execute:

    $ ~/clamav/bin/freshclam
    $ ~/clamav/bin/clamscan

The --disable-clamav switch disables testing for the existence of the c
8. e Christian Pelissier lt Christian Pelissier onera fr gt e Rudolph Pereira r pereira isu usyd edu au e Ed Phillips ed UDel Edu e Andreas Piesk Andreas Piesk heise de e Alex Pleiner lt pleiner zeitform de gt e Ant La Porte ant dvere net gt e Christophe Poujol lt Christophe Poujol atosorigin com gt e Sergei Pronin sp finndesign fi e Thomas Quinot thomas cuivre fr eu org e Ed Ravin eravin panix com e Brian A Reiter breiter wolfereiter com e Rupert Roesler Schmidt r roesler schmidt uplink at e David Sanchez dsanchez veloxia com e David Santinoli lt david santinoli com gt e Vijay Sarvepalli lt vssarvep office uncg edu gt e Martin Schitter e Theo Schlossnagle lt jesus omniti com gt e Enrico Scholz lt enrico scholz informatik tu chemnitz de gt e Karina Schwarz lt k schwarz uplink at gt e Scsi lt scsi softland ru gt e Dr Matthew J Seaman lt m seaman infracaninophile co uk gt e Hector M Rulot Segovia lt Hector Rulot uv es gt e Omer Faruk Sen lt ofsen enderunix org gt Credits e Sergey lt a_s_y sama ru gt e Tuomas Silen tuomas silen nodeta fi e Al Smith lt ajs clamav aeschi ch eu org gt e Kevin Spicer lt kevin kevinspicer co uk gt e Ole Stanstrup ole stanstrup dk e Adam Stein adam scan mc xerox com e Steve lt steveb webtribe net gt e Richard Stevenson lt richard endace com gt e Matt Sullivan lt matt sullivan gen nz gt
9. e Dr Zbigniew Szewczak zssz mat uni torun pl e Joe Talbott lt josepht cstone net gt e Gernot Tenchio lt g tenchio telco tech de gt e Masahiro Teramoto lt markun onohara to gt e Ryan Thompson lt clamav sasknow com gt e Michael L Torrie lt torriem chem byu edu gt e Trashware trashware gmx net e Matthew Trent mtrent localaccess com e Daniel Mario Vega lt dv5a dc uba ar gt e Laurent Wacrenier lwa teaser fr e Charlie Watts cewatts brainstorminternet net e Nicklaus Wicker n wicker cnk networks de e David Woakes lt david mitredata co uk gt e Troy Wollenslegel troy intranet org e Dale Woolridge lt dwoolridge drh net gt e Takumi Yamane yamtak b session com 9 Credits 9 3 Youza Youzovic lt youza post cz gt Leonid Zeitlin lt 1z europe com gt ZMan Z x86zman go a way dyndns org Andoni Zubimendi andoni lpsat net Donors We ve received financial support from ActiveIntra net Inc http www activeintra net Advance Healthcare Group http www ahgl com au Anonymous donor from Colorado US Atlas College http www atlascollege nl AWD Online http www awdonline com Bear and Bear Consulting Inc http www bear consulting com Aaron Begley Norman E Brake Jr cedarcreeksoftware com http www cedarcreeksoftware com Thanos Chatziathanassiou Cheahch from Singapore Joe Cooper Steve Donegan http www donegan org Dynamic
10. Authors
• Diego d'Ambra <diego@clamav.net>, Denmark. Role: virus database maintainer
• Jason Englander <jason@clamav.net>, USA. Role: inactive
• Luca Gibelli <luca@clamav.net>, Italy. Role: sysadmin, mirror coordinator
• Nigel Horne <njh@clamav.net>, United Kingdom. Role: coder
• Tomasz Kojm <tkojm@clamav.net>, Poland. Role: project leader, coder, virus database maintainer
• Thomas Lamy <tlamy@clamav.net>, Germany. Role: random hacker
• Thomas Madsen <tmadsen@clamav.net>, Denmark. Role: virus submission management
• Denis De Messemacker <ddm@clamav.net>, Belgium. Role: virus database maintainer
• Tomasz Papszun <tomek@clamav.net>, Poland. Role: virus database maintainer
• Trog <trog@clamav.net>, United Kingdom. Role: coder, virus database maintainer
11. EJ 8 24 ClamAssassin Homepage http drivel com clamassassin Supports clamscan clamassassin is a simple script for virus scanning with clamscan which works similarily to spamassassin It s designed for integration with procmail 8 25 clamscan procfilter Homepage http www virtualblueness net blueness clamscan procfilter Supports clamscan A procmail filter for clamscan to work in conjunction with procmail A new email field X CLAMAV with all the viruses found is generated in the email header 8 26 MyClamMailFilter Homepage http muncul0 w interia pl projects htmlfmyclammailfilter Supports clamscan MyClamMail Filter is an e mail filter for procmail or maildrop When a virus is found it renames attachments and modifies the subject It can also rename potentially danger ous attachments looking at their extensions The software is simple fast and easy to customize 8 27 Gadoyanvirus Homepage http oss mdamt net gadoyanvirus Supports libclamav gadoyanvirus is a yet another virus stopper for qmail It replaces the original qmail queue program It scans incoming messages using the ClamAV anti virus library Sus pected message will be quarantined and optionally a notification message will be sent to the recipients By default gadoyanvirus needs QMAILQUEUE patched qmail instal lation 8 28 OpenProtect Homepage http opencompt com Supports ClamAV via MailScanner OpenProtect is a server
12. Englander lt jason englanders cc gt e Oden Eriksson oeriksson mandrakesoft com e Andy Fiddaman lt af jeamland org gt e Edison Figueira Junior lt edison brc com br gt e David Ford lt david cert blue labs org gt e Brian J France list firehawksystems com e Free Oscar lt freeoscar wp pl gt e Martin Fuxa lt yeti email cz gt e Piotr Gackiewicz gacek intertele pl e Jeremy Garcia lt jeremy linuxquestions org gt e Dean Gaudet lt dean clamav arctic org gt e Michel Gaudet Michel Gaudet ehess fr e Philippe Gay ph gay free fr e Nick Gazaloff lt nick sbin org gt e Luca NERvOus Gibelli lt nervous nervous it gt e Scott Gifford sgifford suspectclass com e Wieslaw Glod wkg x2 pl e Stephen Gran steve lobefin net e Matthew A Grant lt grantma anathoth gen nz gt e Christophe Grenier lt grenier cgsecurity org gt e Marek Gutkowski hobbit core segfault pl e Jason Haar lt Jason Haar trimble co nz gt e Hrvoje Habjanic lt hrvoje habjanic zg hinet hr gt Credits Michal Hajduczenia michalis mat uni torun pl Jean Christophe Heger jcheger acytec com Anders Herbjornsen lt andersh gar no gt Paul Hoadley paulh logixsquad net Robert Hogan lt robert roberthogan net gt Przemyslaw Holowczyc doozer skc com pl Thomas W Holt Jr twh cohesive net James F Hranicky lt jfh cise ufl edu gt Douglas J Hunley lt doug hunley homeip net gt Kurt Huwig kurt iku netz de
13. Network Services Inc http www dyndns org Electric Embers Epublica Bernhard Erdmann David Eriksson http www 2good nu Credits e Explido Software USA Inc http www explido us e David Farrick e Petr Ferschmann http petr ferschmann cz e Andries Filmer http www netexpo nl e The Free Shopping Cart people http www precisionweb net e Jack Fung e Paolo Galeazzi e GANDI http www gandi net e Jeremy Garcia http www linuxquestions org e GBC Internet Service Center GmbH http www gbc net e GCS Tech http www gcstech net e Todd Goodman e Bill Gradwohl http www ycc com e Grain of Salt Consulting e Hosting Metro LLC http www hostingmetro com e IDEAL Software GmbH http www IdealSoftware com e Industry Standard Computers http www ISCnetwork com e Invisik Corporation http www invisik com e Craig Jackson e Jason Judge e Keith http www textpad com e Brad Koehn e Logic Partners Inc http www logicpartners com e Michel Machado http oss digirati com br e Olivier Marechal Credits EJ e Midcoast Internet Solutions e Mimecast http www mimecast com e Kazuhiro Miyaji e Bozidar Mladenovic e Paul Morgan e Tomas Morkus e Michael Nolan http www michaelnolan co uk e Oneworkspace com http www oneworkspace com e Origin Solutions http www originsolutions com au e outermedia GmbH http www outermedi
14. by Reinhard Max.
• FreeBSD: The official FreeBSD port is maintained by Masahiro Teramoto. There are two versions available: clamav and clamav-devel. You can find both of them under /usr/ports/security/
• OpenBSD: The unofficial port for OpenBSD is available at http://www.fatbsd.com/openbsd/clamav
• NetBSD: The official port is available.
• AIX: The binary packages for AIX are available in AIX PDSLIB, UCLA: http://aixpdslib.seas.ucla.edu/packages/clamav.html
• Mac OS X: There's a binary package available at http://clamav.darwinports.com. clamXav (see 8.51), a GUI for ClamAV running on MacOS X, is available at http://www.markallan.co.uk/clamXav
• BeOS: BeClam is a port of ClamAV for the BeOS operating system. It includes a very simple GUI. Get it at http://www.bebits.com/app/3930
• MS Windows (Cygwin): All major features of ClamAV are implemented under Win32 using the Cygwin compatibility layer. You can download a self-installing package at http://www.sosdg.org/clamav-win32/index.php
• MS Windows (Interix): A binary package of ClamAV for Interix is maintained at http://www.interopsystems.com/tools/warehouse.htm
• MS Windows (graphical version): A standalone GUI version is also available. See ClamWin in the Third Party Software section (8.38).

2.3 Daily built snapshots

Thanks to Fajar A. Nugraha you can download daily builds (from daily snapshots) for the following operating systems: SPARC Solaris 8/9, DEC OSF
15. clamd
ERROR: Please edit the example config file /etc/clamd.conf.

This shows the location of the default configuration file. The format and options of this file are fully described in the clamd.conf(5) manual. The config file is well commented and configuration should be straightforward.

4.1.1 On-access scanning

An interesting feature of clamd is on-access scanning based on the Dazuko module, available from http://dazuko.org. It is not required to run clamd; furthermore, you shouldn't run Dazuko on production systems. The special thread in clamd responsible for the communication with Dazuko is called "Clamuko" (due to the funny name of Dazuko) and it's only supported on Linux and FreeBSD. To compile dazuko execute:

    $ tar zxpvf dazuko-a.b.c.tar.gz
    $ cd dazuko-a.b.c
    $ make dazuko
    or
    $ make dazuko-smp (for smp kernels)
    $ su
    # insmod dazuko.o
    # cp dazuko.o /lib/modules/`uname -r`/misc
    # depmod -a

Depending on your Linux distribution you have to add a "dazuko" entry to /etc/modules or run the module during system's startup by adding

    modprobe dazuko

to some startup file. You must also create a new device:

    $ cat /proc/devices | grep dazuko
    254 dazuko
    $ su -c "mknod -m 600 /dev/dazuko c 254 0"

Now configure Clamuko in clamd.conf and read the 5.3 section.

4.2 clamav-milter

Nigel Horne's clamav-milter is a very fast email scanner designed for Sendmail. It's written entirely in C and only depe
16. from having to manually deal with viruses 8 32 wbmclamav Homepage http wbmclamav labs libre entreprise org Supports ClanAV wbmclamav is a webmin module to manage Clam AntiVirus written by Emmanuel Saracco 8 Third party software 8 33 Scan Log Analyzer Homepage http pandaemail sourceforge net av tools Supports ClamAV Scan analyzer allows you to plot and view graphical representation of log data from virus logs of RAV ClamAV and Vexira 8 34 mailgraph Homepage http people ee ethz ch dws software mailgraph Supports clamd mailgraph is a very simple mail statistics RRDtool frontend for Postfix that produces daily weekly monthly and yearly graphs of received sent and bounced rejected mail SMTP traffic 8 35 INSERT Homepage http www inside security de INSERT en html Supports ClamAV INSERT the Inside Security Rescue Toolkit aims to be a multi functional multi purpose disaster recovery and network analysis system It boots from a credit card sized CD ROM and is basically a stripped down version of Knoppix It features good hardware detection fluxbox emelfm links hacked ssh tcpdump nmap chntpwd and much more It provides full read write support for NTFS partitions using captive and the ClamAV virus scanner including the signature database 8 36 Local Area Security Homepage http www localareasecurity com Supports ClamAV Local Area Security Linux is a Live CD distribu
17. insl co uk gt e Fletcher Mattox lt fletcher cs utexas edu gt e Serhiy V Matveyev lt matveyev uatele com gt e Reinhard Max lt max suse de gt e Brian May lt bam debian org gt e Ken McKittrick lt klmac usadatanet com gt Credits e Chris van Meerendonk cvm castel nl e Andrey J Melnikoff temnota kmv ru e Damian Menscher menscher uiuc edu e Arkadiusz Miskiewicz lt misiek pld linux org gt e Mark Mielke lt mark mark mielke cc gt e Jo Mills lt Jonathan Mills frequentis com gt e Dustin Mollo lt dustin mollo sonoma edu gt e Remi Mommsen lt remigius mommsen cern ch gt e Doug Monroe doug planetconnect com e Alex S Moore lt asmoore edge net gt e Dirk Mueller lt mueller kde org gt e Flinn Mueller lt flinn activeintra net gt e Hendrik Muhs lt Hendrik Muhs student uni magdeburg de gt e Farit Nabiullin http program farit ru e Nemosoft Unv nemosoft smcc demon nl e Wojciech Noworyta wnow konarski edu pl e Jorgen Norgaard jnp anneli dk e Fajar A Nugraha lt fajar telkom co id gt e Joe Oaks lt joe oaks hp com gt e Washington Odhiambo wash wananchi com e Masaki Ogawa proc mac com e Phil Oleson oz nixil net e Martijn van Oosterhout lt kleptog svana org gt e OpenAntiVirus Team http www OpenAntiVirus org e Tomasz Papszun tomek lodz tpsa pl Credits e Eric Parsonage lt eric eparsonage com gt e Oliver Paukstadt pstadt stud fh heilbronn de
18. nisms:

    int cl_loaddb(const char *filename, struct cl_node **root, unsigned int *signo);
    int cl_loaddbdir(const char *dirname, struct cl_node **root, unsigned int *signo);
    const char *cl_retdbdir(void);

cl_loaddb() loads selected database while cl_loaddbdir() loads all databases from a dirname directory. cl_retdbdir() returns a default (hardcoded) database directory path. After an initialisation an internal database representation will be saved under root (which must initially point to NULL) and a number of loaded signatures will be added [7] to virnum. You can eventually pass NULL if you don't care about a signature counter. Both cl_loaddb and cl_loaddbdir functions return 0 on success and a non-negative value on failure.

    struct cl_node *root = NULL;
    int ret, signo = 0;

    ret = cl_loaddbdir(cl_retdbdir(), &root, &signo);

[7] Remember to initialize the virus counter variable with 0.

6.3.3 Error handling

Use cl_strerror to convert error codes into human readable messages. The function returns a statically allocated string:

    if(ret) {
        printf("cl_loaddbdir() error: %s\n", cl_strerror(ret));
        exit(1);
    }

6.3.4 Database structure

Now initialise internal transitions with cl_build:

    int cl_build(struct cl_node *root);

In our example:

    if((ret = cl_build(root)))
        printf("cl_build() error: %s\n", cl_strerror(ret));

6.4 Database reloading

The most important thing is to keep the internal
20. restarted.
• Never protect a directory your mail-scanner software uses for attachment unpacking. Access to all infected files will be automatically blocked and the scanner (even clamd) won't be able to detect any virus. In the result all infected mails will be delivered.

For example, to protect a whole system add the following lines to clamd.conf:

    ClamukoScanOnAccess
    ClamukoIncludePath /
    ClamukoExcludePath /proc
    ClamukoExcludePath /temporary/dir/of/your/mail/scanning/software

You can also use clamuko to protect files on Samba/Netatalk but far more better and safe idea is to use the samba-vscan module (see 8.14). NFS is not supported because Dazuko doesn't intercept NFS access calls.

5.4 Output format

5.4.1 clamscan

clamscan by default writes all messages to stderr. Run it with --stdout enabled to redirect them to the standard output. An example of the clamscan output is:

    /tmp/test/removal-tool.exe: Worm.Sober FOUND
    /tmp/test/md5.o: OK
    /tmp/test/blob.c: OK
    /tmp/test/message.c: OK
    /tmp/test/error.hta: VBS.Inor.D FOUND

When a virus is found its name is printed between the "filename:" and "FOUND" strings. In case of archives the scanner depends on libclamav and only prints the first virus found within an archive:

    zolw@localhost:/tmp$ clamscan malware.zip
    malware.zip: Worm.Mydoom.U FOUND

TIP: You can force clamscan to list all infected files in an archive using --no-archive tha
21. Asked Questions

The FAQ section is maintained by Luca Gibelli.

• What does "WARNING: Current functionality level = 1, required = 2" mean?
The functionality level of the database determines which scanner engine version is required to use all of its signatures. If you don't upgrade immediately you will be in big trouble.

• What does "SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES" mean?
The ClamAV package requires the GMP library to verify the digital signature of the virus database. When building ClamAV you need the GMP library and its headers: if you are using Debian just run apt-get install libgmp3-dev; if you are using an RPM based distribution install the gmp-devel package.

• How often is the virus database updated?
The virus database is usually updated many times per week. Check out http://news.gmane.org/gmane.comp.security.virus.clamav.virusdb to see our response times to new threats. The virusdb team tries to keep up with the latest worm in the wild. When a new worm spreads out, often it is less than one hour before we release a database update. You can contribute to make the virusdb updating process more efficient by submitting samples of viruses via our web interface.

• I tried to submit a sample through the web interface, but it said the sample is already recognized by ClamAV. My clamscan tells me it's not. I already updated my database, what's wrong with my setup?
Please run clamscan with the --mbox
23. Konqueror menu.

8.41 QMVC - Qmail Mail and Virus Control
Homepage: http://www.fehcom.de/qmail/qmvc.html
Supports: clamdscan, clamscan
QMVC is an unidirectional mail filter for qmail. It works in conjunction with the "dot-qmail" mechanism for qmail-local and is entirely designed for qmail (no additional patches required).

8.42 FETCAV
Homepage: http://www.thymox.uklinux.net
Supports: clamscan
FETCAV stands for Front End To Clam AntiVirus. It's a GUI interface to ClamAV and requires Xdialog.

8.43 Famuko
Homepage: http://www.campana.vi.it/ottavio/Progetti/Famuko
Supports: libclamav
Famuko is an on-access scanner based on libfam and working in a userspace.

8.44 SoftlabsAV
Homepage: http://antivirus.softlabs.info
Supports: clamscan
Softlabs AntiVirus is a generic anti-virus filter for incoming mail servers on Unix, running as plugin for procmail. In addition it plugs to the Clam AntiVirus scanner (clamscan) if available.

8.45 OdeiaVir
Homepage: http://odeiavir.sourceforge.net
Supports: clamdscan
OdeiaVir is an e-mail filter for qmail or Exim.

8.46 ClamSMTP
Homepage: http://memberwebs.com/nielsen/software/clamsmtp
Supports: clamd
ClamSMTP is an SMTP filter for Postfix and other mail servers that checks for viruses using the ClamAV anti-virus software. It aims to be lightweight, reliable, and simple rather than have a myriad of options. Written in C without major dependencies.
24. a database mirror (9.1). freshclam is an advanced tool: it supports database version verification through DNS, proxy servers (with authentication), digital signatures and various error scenarios.

Quick test: run freshclam (as superuser) with no parameters and check the output. If everything is OK you may create the log file in /var/log (owned by clamav or another user freshclam will be running as, see --user):

    # touch /var/log/clam-update.log
    # chmod 600 /var/log/clam-update.log
    # chown clamav /var/log/clam-update.log

Now you should edit the configuration file (freshclam.conf or clamd.conf if they're merged) and configure the UpdateLogFile directive to point to the created log file. Finally, to run freshclam in the daemon mode, execute:

    # freshclam -d

The other method is to use the cron daemon. You have to add the following line to the crontab of the root or clamav users:

    N * * * *    /usr/local/bin/freshclam --quiet

to check for a new database every hour. N should be a number between 3 and 57 of your choice. Please don't choose any multiple of 10, because there are already too many clients using those time slots.

Proxy settings are only configurable via the configuration file, and freshclam will require strict permissions on the config file when HTTPProxyPassword is enabled.

    HTTPProxyServer myproxyserver.com
    HTTPProxyPort 1234
    HTTPProxyUsername myusername
    HTTPProxyPassword mypass

4.5 Closest m
25. a de e Dan Pelleg e Thodoris Pitikaris e Paul Rantin e Luke Reeves http www neuro tech net e RHX http www rhx it e Roaring Penguin Software Inc http www roaringpenguin com e Luke Rosenthal e School of Engineering University of Pennsylvania http www seas upenn edu e Tim Scoff e Seattle Server http www seattleserver com e Solutions In A Box http www siab com au e Stephane Rault e Fernando Augusto Medeiros Silva http www linuxplace com br e StarBand http www starband com 10 Authors EJ e Synchro Sistemas de Informacao http synchro com br e Sahil Tandon e Brad Tarver e Per Reedtz Thomsen e William Tisdale e Up Time Technology http www uptimetech com e Ulfi e Jeremy Vanderburg http www jeremytech com e Webzone Srl http www webzone it e Nicklaus Wicker e David Williams http kayakero net 9 4 Graphics The authors of the nice ClamAV logo look at the title page and other graphics are Mia Kalenius and Sergei Pronin sp f inndesign fi from Finndesign http www finndesign fi 9 5 OpenAntiVirus Our database includes the virus database about 7000 signatures from http OpenAntiVirus org 10 Authors e aCaB acab clamav net Italy Role virus database maintainer coder e Mike Cathey mike clamav net USA Role co sysadmin e Christoph Cordes ccordes clamav net Germany Role virus database maintainer 10
26. acilities are supported an tivirus antispam regular expressions and file extensions 8 12 Mail ClamAV Homepage http cpan gossamer threads com modules by authors id S SA SABECK Supports libclamav Perl binding for ClamAV 8 Third party software EJ 8 13 File Scan ClamAV Homepage http search cpan org cfaber File Scan ClamAV 1 06 1lib File Scan ClamAV pm Supports clamd Scan files and control clamd directly from Perl 8 14 OpenAntiVirus samba vscan Homepage http www openantivirus org projects phptsamba vscan Supports clamd samba vscan provides on access scanning of Samba shares It supports Samba 2 2 x 3 0 with working virtual file system VFS support 8 15 Sylpheed Claws Homepage http claws sylpheed org Supports libclamav Sylpheed Claws is a bleeding edge branch of Sylpheed a light weight mail user agent for UNIX It can scan attachments in mail received from POP IMAP or a local account and optionally delete the mail or save it to a designated folder 8 16 nclamd Homepage http www kyzo com nclamd Supports libclamav nclamd nclamav milter and nclamdscan are rewritten versions of the original tools and use processes instead of threads and ripMIME instead of the clamav built in MIME decoder 8 17 cgpav Homepage http program farit ru Supports clamd This is a fast written in C CommuniGate Pro anti virus plugin with support for clamd 8 18 chkmail Homepage http
27. aseMirror machine1.mylan

First the database will be downloaded to the local webserver and then the other clients on the network will update their copy of the database from it.

- How can I list the virus signature names contained in the database?
  If you are using a recent version of ClamAV just run: sigtool --list-sigs

- I found an infected file in my HD/floppy/mailbox, but ClamAV doesn't recognize it yet. Can you help me?
  Our virus database is kept up to date with the help of the community. Whenever you find a new virus which is not detected by ClamAV you should submit it on our website (go to www.clamav.net and click on submit sample). The virusdb team will review your submission and update the database if necessary. Before submitting a new sample:
  - check that the value of DatabaseDirectory, in both clamd.conf and freshclam.conf, is the same
  - update your database by running freshclam

- Why is ClamAV calling the XXX virus with another name?
  This usually happens when we add a signature before other AV vendors. No well-known name is available at that moment, so we have to invent one. Renaming the virus after a few days would just confuse people more, so we usually keep on using our name for that virus. The only exception is when a new name is established soon after the signature addition. You can find more info about this in the virus naming page at http://www.clamav.net/cvdinfo.html

- How do I know wh
28. bafou babafou eu org gt e Scott Beck sbeck gossamer threads com e Rolf Eike Beer lt eike mail math uni mannheim de gt e Rene Bellora lt rbellora tecnoaccion com ar gt e Hilko Bengen bengen vdst ka inka de e Patrick Bihan Faou lt patrick mindstep com gt e Martin Blapp lt mb imp ch gt e Dale Blount dale velocity net Credits Oliver Brandmueller lt ob e Gitt NEI Igor Brezac lt igor ipass net gt Mike Brudenell pmb1 york ac uk Brian Bruns bruns 2mbit com Len Budney 1budney pobox com Matt Butt mattb cre8tiv com Christopher X Candreva chris westnet com Eric I Lopez Carreon elopezc technitrade com Andrey Cherezov andrey cherezov koenig su Alex Cherney alex cher id au Tom G Christensen tgc statsbiblioteket dk Nicholas Chua lt nicholas ncmbox net gt Chris Conn cconn abacom com Christoph Cordes lt ib precompiled de gt Ole Craig lt olc cs umass edu gt Eugene Crosser crosser rol ru Damien Curtain lt damien pagefault org gt Krisztian Czako lt slapic linux co hu gt Diego d Ambra lt da softcom dk gt Michael Dankov misha btrc ru David lt djgardner users sourceforge net gt Maxim Dounin mdounin rambler co ru Alejandro Dubrovsky lt s328940 student uq edu au gt Magnus Ekdahl magnus debian org gt Mehmet Ekiz lt ekizm tbmm gov tr gt Credits e Jens Elkner lt elkner linofee org gt e Fred van Engen lt fred wooha org gt e Jason
30. cimen Scanner (http://test-clamav.power-netz.de) and then submit it on our website (http://www.clamav.net/sendvirus.html).

Footnotes: Subscribers are not allowed to post to the mailing list. Installation from a port is recommended.

2 Base package

2.1 Supported platforms
All popular operating systems are supported. Clam AntiVirus was tested on:

- GNU/Linux
- Solaris
- FreeBSD, OpenBSD
- AIX 4.1/4.2/4.3/5.1
- HPUX 11.0
- SCO UNIX
- IRIX 6.5.20f
- Mac OS X
- BeOS
- Cobalt MIPS boxes
- Cygwin
- Windows Services for Unix 3.5 (Interix)

Some features may not be available on your operating system. If you are successfully running Clam AntiVirus on a system not listed above, please let us know.

2.2 Binary packages

- Debian
  The package is maintained by Stephen Gran and Thomas Lamy. ClamAV has been officially included in the Debian distribution starting from the Sarge release. Run apt-cache search clamav to find the names of the packages available for installation. Unofficial packages for Woody and Sarge are available and they are usually more recent than official ones. Add the following lines to your /etc/apt/sources.list:

  for stable/woody (i386):

      deb http://people.debian.org/~sgran/debian woody main
      deb-src http://people.debian.org/~sgran/debian woody main

  for testing/sarge (i386):

      deb http://people.debian.org/~sgran/debian sarge main
      deb-src http://people.debian.org/~sgran/debian sarge main

  Feel free
31. d Zabit for content filtering 9 Credits 9 1 Database mirrors Thanks to the help of many companies and organisations we have a few dozens of very fast and reliable mirrors Moreover our advanced push mirroring mechanism allows database maintainers to update all of them in less than one minute 9 Credits EJ Location clamav man olsztyn pl 213 184 16 3 Olsztyn Robert d Aystetten avmirrorl prod rxgsys com 64 74 124 90 US Graham Wooden avmirror2 prod rxgsys com 207 201 202 73 US Graham Wooden clamav power netz de 212 162 12 159 Dusseldorf Andreas Gietl clamav essentkabel com 195 85 130 84 Netherlands Chris van Meerendonk clamav gossamer threads com 64 69 64 158 Canada Alex Krohn mirrors gossamer threads com clamav catt com 64 18 100 4 US Mike Cathey mirrors catt com S lt fajar telkom co id gt clamav du viaverio com 199 239 233 95 U Scott Wiersdorf clamav sj viaverio com 128 121 60 235 USA Scott Wiersdorf clamavdb heanet ie 193 1 219 100 Ireland Colm MacCarthaigh clamav sonic net 209 204 175 217 U Kelsey Cummings lt kgc sonic net gt clamav inet6 fr 62 210 153 201 France Lionel Bouton 62 210 153 202 lt clamavdb inet6 fr gt A A A A A clamav netopia pt 193 126 14 29 Portugal Miguel Bettencourt Dias lt mbd netopia pt gt 9 Credits ES 15266249132 Bencsath Boldizsar clamav rockriver net 209 94 36 5 Illinois USA Thomas D Harker clamav xmundo net 200 68 106 40 Argentina Cristian Daniel Merz cla
32. e @av_scanners list (file /etc/amavisd.conf).

8.6 Qmail-Scanner
Homepage: http://qmail-scanner.sf.net
Supports: clamscan
Please increase the softlimit value if you are going to use it with clamscan.

8.7 Sagator
Homepage: http://www.salstar.sk/sagator
Supports: clamscan, clamd, libclamav
This program is an email antivirus/antispam gateway. It is an interface to the postfix (or any other smtpd), which runs antivirus and/or spamchecker. Its modular architecture can use any combination of antivirus/spamchecker according to configuration.

8.8 ClamdMail
Homepage: http://clamdmail.sf.net
Supports: clamd
A mail processing client for ClamAV. Small, fast and easy to install.

8.9 MailScanner
Homepage: http://www.mailscanner.info
Supports: clamscan
MailScanner scans all e-mail for viruses, spam and attacks against security vulnerabilities. It is not tied to any particular virus scanner, but can be used with any combination of 14 different virus scanners, allowing sites to choose the "best of breed" virus scanner.

8.10 MIMEDefang
Homepage: http://www.roaringpenguin.com/mimedefang
Supports: clamscan, clamd
This is an efficient mail scanner for Sendmail/milter.

8.11 exiscan
Homepage: http://duncanthrax.net/exiscan-acl
Supports: clamscan, clamd
exiscan is a patch against exim version 4, providing support for content scanning in email messages received by exim. Four different scanning f
33. en database updates are released?
  Subscribe to the clamav-virusdb mailing list.

- How can I scan a file on my hard disk for viruses without installing ClamAV?
  Use the online scanning tool available at http://test-clamav.power-netz.de

- I found a false positive in ClamAV virus database. What shall I do?
  Fill the form at http://www.clamav.net/sendvirus.html. Be sure to select "The file attached is... a false positive".

- How do I verify the integrity of ClamAV sources?
  Using GnuPG (http://www.gnupg.org) you can easily verify the authenticity of your stable release downloads by using the following method.

  Download Tomasz Kojm's key from the clamav.net site:

      $ wget http://www.clamav.net/gpg/tkojm.gpg

  Import the key into your local public keyring:

      $ gpg --import tkojm.gpg

  Download the stable release AND the corresponding .sig file to the same directory:

      $ wget http://prdownloads.sourceforge.net/clamav/clamav-X.XX.tar.gz
      $ wget http://prdownloads.sourceforge.net/clamav/clamav-X.XX.tar.gz.sig

  Verify that the stable release download is signed with the proper key:

      $ gpg --verify clamav-X.XX.tar.gz.sig

  Make sure the resulting output contains the following information:

      Good signature from "Tomasz Kojm <tk@lodz.tpnet.pl>"

- Can ClamAV disinfect files?
  No, it can't. We will add support for disinfecting OLE2 files in one of the next stable releases. There are no plans for disinfec
34. g amp Queuing Module Disclaimer amp Messages Module Updater Module Pol icy CheckModule Mail Storage Module Image Analysis Module Cryptography Series and Mail Analysis SMI runs on Microsoft Windows 98 NT 2k XP 2003 platforms both Professional and Server releases Linux 1586 OpenBSD FreeBSD and Solaris 9 x86 and SPARC and supports almost all SMTP software including Lotus Domino and Microsoft Exchange The daemon part based on libclamav is licensed under the GPL 9 Credits EM 8 53 OpenWebMail modules Homepage http openwebmail com openwebmail Supports clamscan Open WebMail by default can use ClamAV as the external viruscheck module to scan messages fetched from pop3 servers or all incoming messages If a message or its attachments is found to have virus Open WebMail will move the message from INBOX to the VIRUS folder automatically 8 54 simscan Homepage http www inter7 com page simscan Supports clamscan Simscan is a mail filter for qmail designed to block attachments during the SMTP conversation It is open source and only uses open components Very efficent written in C 8 55 Zabit Homepage http www enderunix org zabit Supports clamscan Zabit is a content and attachment filter for Qmail 8 56 qSheff Homepage http www enderunix org qsheff Supports clamdscan clamd The tool allows running anti virus and content filtering software simultaneously Sup ports ClamAV for virus checking an
35. hould release it if you no longer need to scan files:

    void cl_free(struct cl_node *root);

6.4.3 clamav-config
Use clamav-config to check libclamav compilation information.

    zolw@localhost:~$ clamav-config --libs
    -L/usr/local/lib -lz -lbz2 -lgmp -lpthread
    zolw@localhost:~$ clamav-config --cflags
    -I/usr/local/include -g -O2

6.4.4 Example
You will find an example scanner application in the clamav sources (/example). Remember that all programs based on libclamav must be linked against it:

    gcc -Wall ex1.c -o ex1 -lclamav

6.5 CVD format
CVD (ClamAV Virus Database) is a digitally signed tarball file that contains one or more databases. The header is a 512 bytes long string with colon separated fields:

    ClamAV-VDB:build time:version:number of signatures:functionality level required:MD5 checksum:digital signature:builder name:build time (sec)

sigtool --info displays detailed information on CVD files:

    zolw@localhost:/usr/local/share/clamav$ sigtool -i daily.cvd
    Build time: 11 Sep 2004 21-07 +0200
    Version: 487
    # of signatures: 1189
    Functionality level: 2
    Builder: ccordes
    MD5: a3f4f98694229e461f17d2aa254e9a43
    Digital signature: uwJS6dty 9g5SXGEOHhlrXyjZW PGK zqVtWWVL3 tfHEn Al7z6VB21BR2I OitKRYzmVo3ibU7bPCJNgi6fPcWl1PQwvCunwAswvROehrvY 4ks UjUOXo1VwQ1W7186HZmiMUSyAjnF gciOSsOQa9H1i8D5uETIRDzVpoWu id
    Verification OK

Frequently
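The header layout in 6.5 can be checked by hand before a database file is trusted. The following parser is an added example, not code from the ClamAV sources; `CvdHeader`, `parse_cvd_header`, `md5_matches` and `build_sample` are hypothetical names, the sample header is constructed (its field values follow the sigtool output above, with a placeholder signature), and it assumes the MD5 field covers every byte after the 512-byte header, which the manual does not spell out.

```python
import hashlib
import hmac
from dataclasses import dataclass

HEADER_SIZE = 512        # fixed header length given in the manual
MAGIC = "ClamAV-VDB"     # first colon-separated field


@dataclass
class CvdHeader:
    build_time: str
    version: int
    num_sigs: int
    functionality_level: int
    md5: str
    signature: str
    builder: str
    build_time_sec: int


def parse_cvd_header(blob: bytes) -> CvdHeader:
    """Parse the 512-byte header; raise ValueError on anything malformed."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("file shorter than the 512-byte CVD header")
    try:
        text = blob[:HEADER_SIZE].decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("header is not ASCII") from exc
    # The header is padded to 512 bytes; strip the padding before splitting.
    fields = text.rstrip(" \x00\n").split(":")
    if len(fields) != 9 or fields[0] != MAGIC:
        raise ValueError("not a CVD header (wrong magic or field count)")
    _, btime, ver, sigs, flevel, md5, dsig, builder, stime = fields
    md5 = md5.lower()
    if len(md5) != 32 or any(c not in "0123456789abcdef" for c in md5):
        raise ValueError("MD5 field is not 32 hex digits")
    try:
        return CvdHeader(btime, int(ver), int(sigs), int(flevel),
                         md5, dsig, builder, int(stime))
    except ValueError as exc:
        raise ValueError("non-numeric value in a numeric field") from exc


def md5_matches(blob: bytes) -> bool:
    """Compare the header's MD5 field with the digest of the payload.

    Assumption: the checksum covers all bytes that follow the header.
    """
    header = parse_cvd_header(blob)
    actual = hashlib.md5(blob[HEADER_SIZE:]).hexdigest()
    return hmac.compare_digest(actual, header.md5)


def build_sample(body: bytes = b"constructed stand-in for the tarball") -> bytes:
    """Constructed CVD-shaped blob: real layout, fake payload and signature."""
    fields = [MAGIC, "11 Sep 2004 21-07 +0200", "487", "1189", "2",
              hashlib.md5(body).hexdigest(), "PLACEHOLDER-SIGNATURE",
              "ccordes", "1094929620"]
    return ":".join(fields).encode("ascii").ljust(HEADER_SIZE, b" ") + body


if __name__ == "__main__":
    sample = build_sample()
    print(parse_cvd_header(sample))
    print("payload MD5 matches header:", md5_matches(sample))
```

A matching MD5 only shows the payload was not corrupted; whether the file came from the database maintainers depends on the digital signature field, which is what the "Verification OK" line in the sigtool output reports.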
36. instance of the database up to date. You can watch database changes with the cl_stat functions family:

    int cl_statinidir(const char *dirname, struct cl_stat *dbstat);
    int cl_statchkdir(const struct cl_stat *dbstat);
    int cl_statfree(struct cl_stat *dbstat);

Initialization:

    struct cl_stat dbstat;

    memset(&dbstat, 0, sizeof(struct cl_stat));
    cl_statinidir(dbdir, &dbstat);

To check for a change you only need to call cl_statchkdir:

    if(cl_statchkdir(&dbstat) == 1) {
        /* reload the database here */
        cl_statfree(&dbstat);
        cl_statinidir(cl_retdbdir(), &dbstat);
    }

Remember to reinitialize the structure after reload.

6.4.1 Data scan functions
It's possible to scan a buffer, a descriptor, or a file with:

    int cl_scanbuff(const char *buffer, unsigned int length,
        const char **virname, const struct cl_node *root);

    int cl_scandesc(int desc, const char **virname,
        unsigned long int *scanned, const struct cl_node *root,
        const struct cl_limits *limits, unsigned int options);

    int cl_scanfile(const char *filename, const char **virname,
        unsigned long int *scanned, const struct cl_node *root,
        const struct cl_limits *limits, unsigned int options);

All the functions save a virus name under the virname pointer. It points to a field in the internal database structure and must not be released directly. If the scanned pointer is not NULL the functions will increase a value represented by this pointer by a size
37. irrors
The DatabaseMirror directive in the config file specifies the database server freshclam will attempt (up to MaxAttempts times) to download the database from. The default database mirror is database.clamav.net but multiple directives are allowed. In order to download the database from the closest mirror you should configure freshclam to use db.xx.clamav.net where xx represents your country code. For example, if your server is in "Ascension Island" you should add the following lines to freshclam.conf:

    DNSDatabaseInfo current.cvd.clamav.net
    DatabaseMirror db.ac.clamav.net
    DatabaseMirror database.clamav.net

The second entry acts as a fallback in case a connection to the first mirror fails for some reason. The full list of two-letter country codes is available at http://www.iana.org/cctld/cctld-whois.htm

5 Usage

5.1 Clam daemon
clamd is a multi-threaded daemon that uses libclamav to scan files against viruses. It may work in one of the two network modes, listening on a:

- Unix (local) socket
- TCP socket

The daemon is fully configurable via the clamd.conf file (see man 5 clamd.conf). clamd recognizes the following commands:

- PING
  Check daemon state (should reply with "PONG").
- VERSION
  Print program and database versions.
- RELOAD
  Reload databases.
- SHUTDOWN
  Perform a clean exit.
- SCAN file/directory
  Scan file or directory (recursively) with archive support enabled (a full path is required).
38. lamav user and group but clamscan would still require an unprivileged account to work in a superuser mode.

3.3 Adding new system user and group
If you are installing ClamAV for the first time, you have to add a new user and group to your system:

    # groupadd clamav
    # useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav

Consult a system manual if your OS has not groupadd and useradd utilities. The account should be locked in /etc/passwd or /etc/shadow.

Footnote (Cygwin note): If you have not /etc/passwd you can skip this procedure.

3.4 Compilation of base package
Once you have created the clamav user and group, please extract the archive:

    $ zcat clamav-x.yz.tar.gz | tar xvf -
    $ cd clamav-x.yz

Assuming you want to install the configuration files in /etc, configure the package as follows:

    $ ./configure --sysconfdir=/etc

Currently gcc is required to compile ClamAV.

    $ make
    $ su -c "make install"

In the last step the software is installed in the /usr/local directory and the config file goes to /etc.

WARNING: Never enable the SUID or SGID bits in Clam AntiVirus binaries.

3.5 Compilation with clamav-milter enabled
libmilter and its development files are required. To enable clamav-milter, configure ClamAV with:

    $ ./configure --enable-milter

4 Configuration

4.1 clamd
If you are going to use the daemon you have to edit the configuration file (in other case clamd won't run
39. lli lt 1 gibelli oltrelinux com gt clamavdb planetmirror com 203 16 234 78 Australia Jason Andrade clamavdb raimei co jp 219 106 255 66 Japan Araki Musashi Mcd LEM AA OM clamav artcoms ru 80 244 224 247 Russia Syrnikov Alexei IO Ia E O xarch clamav net 129 27 62 129 Austria Reini Urban ee ci O PSP clamav easynet fr 212 180 1 29 France Jean Louis Bergamo mailadmin easynet fr clamav linux it 213 92 8 5 Italy Marco d Itri md linux it 9 Credits ES clamav coldmoon net 204 89 193 10 Chicago Scott J Lopez USA lt scott coldmoon net gt clamav mirrors webpartner dk 195 184 96 15 Denmark Nicolai Gylling lt nsg webpartner dk gt Lasse Brandt 1b webpartner dk clamav kgt org 217 20 122 250 Germany Thomas Koeppe clamav mirror waycom net 195 214 240 53 France Frederic Deletang clamav cryms info 194 29 5 19 Lugano Lorenzo Patocchi od Switzerland Xlorenzo patocchi cryms com 9 2 Contributors mirror etf bg ac yu 147 91 8 58 Belgrade Serbia Ljubisa Radivojevic De Peres ee clamav bridgeband net 63 166 28 8 Montana Mikel Bauer Lal A EU C The following people contributed to our project in some way providing patches bug reports technical support documentation good ideas e Sergey Y Afonin asy kraft s ru e Robert Allerstorfer lt roal anet at gt e Claudio Alonso cfalonso yahoo com e Kamil Andrusz lt wizz mniam net gt e Jean Edouard Babin lt Jeb jeb com fr e Marc Baudoin lt ba
40. mav infotex com 66 139 73 146 Texas USA Matthew Jonkman clamav mirror transip nl 80 69 67 3 The Netherlands Walter Hop clamavdb osj net 218 44 253 75 Japan Masaki Ikeda ee E PR clamav ialfa net 210 22 201 152 People s Republic Alfa Shen BENE EET CN clamavdb ikk sztaki hu 193 225 86 3 Hungary Gabor Kiss o esL PP clamav mirrors nks net 24 73 112 74 Florida USA James Neal pomme clamav kratern se 212 31 160 239 Sweden Emil Ljungdahl clamav dif dk 193 138 115 108 Denmark Jesper Juhl EBENEN clamav dbplc com 217 154 108 81 United Kingdom Simon Pither clamav unet brandeis edu 129 64 99 170 USA Rich Graves clamav iml net 65 77 42 207 Florida US Dmitri Pavlenkov lt dmitri iml com gt clamav elektrotech ker hu 80 95 80 7 Hungary Bodrogi Zsolt lt odin szilank hu gt clamav stockingshq com 212 113 16 74 United Kingdom lt dave stockingshq com gt clamav acnova com 203 81 40 167 Singapore Lennard Seah myself lennardseah com clamdb prolocation net 213 73 255 243 The Netherlands Raymond Dijkxhoorn lt raymond prolocation net gt clamav xyxx com 65 75 154 69 San Francisco Palo Alto Myron Davis clamav walkertek com 38 136 139 7 USA Stephen Walker Io e PS clamav mirror cygnal ca 24 244 193 21 Burlington Rafal Rzeczkowski pe T Mauern leste Leer clamav securityminded net 209 8 40 140 Ashburn USA Thomas Petersen e o IPP clamav island net au 203 28 142 36 Sydney Hugh Blandford clamav iol cz 194 228 2 38 Czech Republic Lenka Sevcikova EB
41. nable it by default but make it optional.

- CL_SCAN_OLE2
  Enables support for Microsoft Office document files.
- CL_SCAN_PE
  This flag enables scanning within Portable Executable files and allows libclamav to unpack UPX, Petite, and FSG compressed executables.
- CL_SCAN_BLOCKBROKEN
  libclamav will try to detect broken executables and mark them as Broken.Executable.
- CL_SCAN_HTML
  This flag enables HTML normalisation (including JScript decryption).

The functions return 0 (CL_CLEAN) if the file is clean, CL_VIRUS when a virus is detected, and another value on failure.

    struct cl_limits limits;
    const char *virname;

    memset(&limits, 0, sizeof(struct cl_limits));
    /* maximal number of files in archive */
    limits.maxfiles = 1000;
    /* maximal archived file size */
    limits.maxfilesize = 10 * 1048576; /* 10 MB */
    /* maximal recursion level */
    limits.maxreclevel = 5;
    /* maximal compression ratio */
    limits.maxratio = 200;
    /* disable memory limit for bzip2 scanner */
    limits.archivememlim = 0;

    if((ret = cl_scanfile("/home/zolw/test", &virname, NULL, root,
        &limits, CL_STDOPT)) == CL_VIRUS) {
        printf("Detected %s virus.\n", virname);
    } else {
        printf("No virus detected.\n");
        if(ret != CL_CLEAN)
            printf("Error: %s\n", cl_strerror(ret));
    }

6.4.2 Memory
Because the internal database uses a few megabytes of memory, you s
42. nds on clamd. You can find detailed installation instructions in the INSTALL file that comes with the clamav-milter sources. Basically, to connect it with Sendmail add the following lines to /etc/mail/sendmail.mc:

    INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clmilter.sock, F=, T=S:4m;R:4m')dnl
    define(`confINPUT_MAIL_FILTERS', `clmilter')

Check entry in clamd.conf of the form:

    LocalSocket /var/run/clamd.sock

Start clamav-milter:

    /usr/local/sbin/clamav-milter -lo /var/run/clmilter.sock

and restart sendmail.

4.3 Testing
Try to scan recursively the source directory:

    $ clamscan -r -l scan.txt clamav-x.yz

It should find some test files in the clamav-x.yz/test directory. The scan result will be saved in the scan.txt log file. To test clamd, start it and use clamdscan (or connect directly to its socket and run the SCAN command instead):

    $ clamdscan -l scan.txt clamav-x.yz

Please note that the scanned files must be accessible by the user running clamd or you get an error.

Footnote: To get more info on clamscan options execute man clamscan.

4.4 Setting up auto-updating
freshclam is the default database updater for Clam AntiVirus. It can work in two modes:

- interactive: from command line, verbosely
- daemon: alone, silently

When started by a superuser it drops privileges and switches to the clamav user. freshclam uses the database.clamav.net round-robin DNS which automatically selects
43. ns you are not allowed to link commercial, close-source applications against it. All software using libclamav must be GPL compliant.

Footnote: You can still use clamd or clamscan instead.

6.2 Features

6.2.1 Archives and compressed files
The library has a built-in support for the following formats:

- Zip
- RAR (2.0)
- Tar
- Gzip
- Bzip2
- MS OLE2
- MS Cabinet Files
- MS CHM (Compiled HTML)
- MS SZDD compression format
- UPX (all versions)
- FSG (1.3, 1.31, 1.33)
- Petite (2.x)

Due to license issues, support for RAR 3.0 archives is currently not available in libclamav (they will cause a "RAR module failure" error message). You can scan them with the help of external unpackers in clamscan, though:

    $ clamscan --unrar clam-error.rar
    /home/zolw/test/clam-error.rar: RAR module failure.
    UNRAR 3.00 freeware Copyright (c) 1993-2002 Eugene Roshal

    Extracting from /home/zolw/test/clam-error.rar
    Extracting clam.exe OK
    All OK
    /tmp/44694f5b2665d2f4/clam.exe: ClamAV-Test-File FOUND
    /home/zolw/test/clam-error.rar: Infected Archive FOUND

6.2.2 Mail files
Advanced mail scanner built into libclamav transparently scans e-mails for infected attachments. All popular UNIX mail formats are supported.

6.3 API

6.3.1 Header file
Every program using libclamav must include the clamav.h header file:

    #include <clamav.h>

6.3.2 Database loading
The following set of functions provides an interface to database initialisation mecha
44. of scanned data in CL_COUNT_PRECISION units. The last two functions also support archive limits required to protect against Denial of Service attacks:

    struct cl_limits {
        int maxreclevel;     /* maximal recursion level */
        int maxfiles;        /* maximal number of files to be
                              * scanned within archive
                              */
        int maxratio;        /* maximal compression ratio */
        short archivememlim; /* limit memory usage for bzip2 (0/1) */
        long int maxfilesize; /* archived files larger than this
                               * value will not be scanned
                               */
    };

The options argument configures the scan engine and supports the following flags (that can be combined using bit operators):

- CL_SCAN_STDOPT
  This is an alias for a recommended set of scan options. You should use it to make your software ready for new features in future versions of libclamav.
- CL_SCAN_RAW
  It does nothing. Please use it (alone) if you don't want to scan any special files.
- CL_SCAN_ARCHIVE
  This flag enables transparent scanning of various archive formats.
- CL_SCAN_BLOCKENCRYPTED
  With this flag the library marks encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
- CL_SCAN_BLOCKMAX
  Mark archives as viruses if maxfiles, maxfilesize, or maxreclevel limit is reached.
- CL_SCAN_MAIL
  It enables support for mail files.
- CL_SCAN_MAILURL
  The mail scanner will download and scan URLs listed in a mail body. This flag should not be used on loaded servers. Due to potential problems please do not e
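To show what the archive limits guard against, the sketch below applies the same four bounds to in-memory Zip files and reports which limit an archive trips, in the spirit of CL_SCAN_BLOCKMAX. It is an added example, not libclamav code: `Limits`, `make_zip` and `limits_hit` are hypothetical names, the defaults are the sample values from the manual's scanning example, the test archives are constructed, only Zip is handled, and counting files across nested archives is a choice made here.

```python
import io
import zipfile
from dataclasses import dataclass


@dataclass
class Limits:
    # Field names follow struct cl_limits; archivememlim (bzip2 only) is omitted.
    maxreclevel: int = 5
    maxfiles: int = 1000
    maxratio: int = 200
    maxfilesize: int = 10 * 1048576  # 10 MB


def make_zip(members, method=zipfile.ZIP_DEFLATED) -> bytes:
    """Build an in-memory Zip from (name, bytes) pairs (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()


def limits_hit(data: bytes, limits: Limits, level: int = 1, seen=None) -> set:
    """Return the names of the limits this archive exceeds (empty set if none).

    Sizes are taken from the central directory first, so an oversized or
    over-compressed member is rejected before any of it is decompressed.
    """
    seen = seen if seen is not None else {"files": 0}
    hits = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            seen["files"] += 1
            if seen["files"] > limits.maxfiles:
                hits.add("maxfiles")
                break
            if info.file_size > limits.maxfilesize:
                hits.add("maxfilesize")
                continue
            if info.compress_size and \
                    info.file_size / info.compress_size >= limits.maxratio:
                hits.add("maxratio")
                continue
            # Bounded read: never pull more than maxfilesize + 1 bytes.
            with zf.open(info) as member:
                body = member.read(limits.maxfilesize + 1)
            if len(body) > limits.maxfilesize:
                hits.add("maxfilesize")
                continue
            if zipfile.is_zipfile(io.BytesIO(body)):
                if level >= limits.maxreclevel:
                    hits.add("maxreclevel")
                    continue
                hits |= limits_hit(body, limits, level + 1, seen)
    return hits


if __name__ == "__main__":
    # 1 MiB of zeros deflates to roughly 1 KiB: a small-scale archive bomb.
    bomb = make_zip([("zeros.bin", b"\0" * 1048576)])
    print("bomb:", limits_hit(bomb, Limits()))
    clean = make_zip([("readme.txt", b"hello")])
    print("clean:", limits_hit(clean, Limits()))
```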
45. option. Also check that freshclam and clamscan are using the same path for storing/reading the database.

- ClamAV crashes/hangs/doesn't compile/doesn't start. Did I find a bug?
  Before reporting a bug, please download the latest CVS code and try to reproduce the bug with it. Chances are the bug you encountered has already been fixed. If you really feel like you found a bug, please send a message to bugs@clamav.net.

- How do I automatically restart clamd when it dies?
  Set up a cronjob which checks that clamd is up and running, every XX minutes. You can find an example script in the contrib/clamdwatch directory. You can also read how to run clamd supervised in the docs/clamd_supervised directory.

- How do I keep my virus database up to date?
  ClamAV comes with freshclam, a tool which periodically checks for new database releases and keeps your database up to date.

- I'm running ClamAV on a lot of clients on my local network. Can I mirror the database locally so that each client doesn't have to download it from your servers?
  Sure, install a proxy server and then configure your freshclam clients to use it (watch for the HTTPProxyServer parameter in man freshclam.conf). Alternatively, you can configure a local webserver on one of your machines (say machine1.mylan) and let freshclam download the *.cvd files from http://database.clamav.net to the webserver's DocumentRoot. Finally, change freshclam.conf on your clients so that it reads: Datab
46. rnet. The package also includes a virus scanner shared library.

1.1 Features

- Licensed under the GNU General Public License, Version 2
- POSIX compliant, portable
- Fast scanning
- Supports on-access scanning (Linux and FreeBSD only)
- Detects over 20000 viruses, worms, and trojans, including Microsoft Office and MacOffice macro viruses
- Scans within archives and compressed files (also protects against archive bombs); built-in support includes:
  - Zip
  - RAR (2.0)
  - Tar
  - Gzip
  - Bzip2
  - MS OLE2
  - MS Cabinet Files
  - MS CHM (Compiled HTML)
  - MS SZDD compression format
- Supports Portable Executable files compressed with:
  - UPX
  - FSG
  - Petite
- Powerful mail scanner
- Advanced database updater with support for digital signatures and DNS based database version queries

1.2 Mailing lists
If you have a trouble installing or using ClamAV, try to ask on our mailing lists. There are four lists available:

- clamav-announce@lists.clamav.net: info about new versions, moderated
- clamav-users@lists.clamav.net: user questions
- clamav-devel@lists.clamav.net: technical discussions
- clamav-virusdb@lists.clamav.net: database update announcements, moderated

You can subscribe and search the mailing list archives at http://www.clamav.net/ml.html

1.3 Virus submitting
If you have got a virus which is not detected by your ClamAV with the latest databases, please check it with the ClamAV Online Spe
47. rs to large ISPs.

8.2 smtp-vilter
Homepage: http://www.etc.msys.ch/software/smtp-vilter
Supports: clamd
smtp-vilter is a high performance content filter for sendmail using the milter API. The software scans e-mail messages for viruses and drops or marks infected messages. ClamAV is the default scanner backend.

8.3 mod_clamav
Homepage: http://software.othello.ch/mod_clamav
Supports: libclamav, clamd
mod_clamav is an Apache virus scanning filter. It was written and is currently maintained by Andreas Muller. The project is very well documented and the installation is quite easy.

8.4 AMaViS - "Next Generation"
Homepage: http://sourceforge.net/projects/amavis
Supports: clamscan
AMaViS-ng is a rewritten, more modular version of amavis-perl/amavisd, developed by Hilko Bengen.
Installation: Please download the newest version (at least 0.1.4). After installation (which is quite easy), please uncomment the following line in amavis.conf:

    virus-scanner = CLAM

and, if it's needed, change the path to clamscan in the [CLAM] section:

    [CLAM]
    clamscan = /usr/local/bin/clamscan

8.5 amavisd-new
Homepage: http://www.ijs.si/software/amavisd
Supports: clamd, clamscan
amavisd-new is a rewritten version of amavis maintained by Mark Martinec.
Installation: clamscan is enabled automatically if the clamscan binary is found at amavisd-new startup time. clamd is activated by uncommenting its entry in th
48. side e-mail protection solution consisting of MailScanner, SpamAssassin, ClamAV with support for Sendmail, Postfix, Exim and qmail. It also consists of a fully automatic installer and uninstaller, which configures everything automatically, including setting up perl modules and virus scanner settings.

8.29 RevolSys SMTP kit for Postfix
Homepage: http://smtp.revolsys.org
Supports: ClamAV via amavisd-new
The RevolSyS SMTP kit for Postfix provides an antispam and antivirus tools installation. It uses amavisd-new, Spamassassin, ClamAV, and Razor. It aims to enhance an already installed mail server running Postfix.

8.30 POP3 Virus Scanner Daemon
Homepage: http://p3scan.sourceforge.net
Supports: clamscan
This is a full transparent proxy server for POP3 clients. It runs on a Linux box with iptables (for port re-direction). It can be used to provide POP3 email scanning from the Internet to any internal network, and is ideal for helping to protect your "Other OS" LAN from harm, especially when used in conjunction with a firewall and other Internet Proxy servers.

8.31 mailman-clamav
Homepage: http://www.tummy.com/Software/mailman-clamav
Supports: clamd
This module includes a Mailman handler for scanning incoming messages through ClamAV. The handler allows Mailman to be configured to hold or discard messages which contain viruses. Particularly useful is the discard option, which prevents list administrators
49. t disables transparent decompressors built into libclamav and external decompressors (unzip, unrar):

zolw@localhost:/tmp$ clamscan --no-archive --unzip malware.zip
Archive:  /tmp/malware.zip
  inflating: test1.exe
  inflating: test2.exe
  inflating: test3.exe
/tmp/clamav-77e7bfdbb2d3872b/test1.exe: Worm.Mydoom.U FOUND
/tmp/clamav-77e7bfdbb2d3872b/test2.exe: Trojan.Taskkill.A FOUND
/tmp/clamav-77e7bfdbb2d3872b/test3.exe: Worm.Nyxem.D FOUND
/tmp/malware.zip: Infected Archive FOUND

5.4.2 clamd
clamd uses a clamscan compatible output format:

zolw@localhost:~$ telnet localhost 3310
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SCAN /home/zolw/test
/home/zolw/test/clam.exe: ClamAV-Test-File FOUND
Connection closed by foreign host.

In the SCAN mode it closes the connection when the first virus is found.

SCAN /home/zolw/test/clam.zip
/home/zolw/test/clam.zip: ClamAV-Test-File FOUND

CONTSCAN continues scanning even if virus was already found. Error messages are printed in the following format:

SCAN /no/such/file
/no/such/file: Can't stat() the file. ERROR

6 LibClamAV
libclamav is a simple and easy way to add a virus protection to your software. The library is thread-safe and transparently recognizes and scans within archives, mail files, MS Office document files, executables and other file formats.

6.1 Licence
libclamav is licensed under the GNU GPL licence. That mea
50. ting other types of files. There are many reasons for it: cleaning viruses from files is virtually pointless these days. It is very seldom that there is anything useful left after cleaning, and even if there is, would you trust it?

• When using clamscan, is there a way to know which message within an mbox is infected?
No, clamscan stops at the first infected message. You can convert the mbox to Maildir format, run clamscan on it, and then convert it back to mbox format. There are many tools available which can convert to and from Maildir format, e.g. formail, mbox2maildir and maildir2mbox.

• I'm running qmail + Qmail-Scanner + ClamAV and get the following error in my mail logs: clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem. What's wrong with it?
Most likely clamd is not running at all, or you are running Qmail-Scanner and clamd under a different uid. If you are running Qmail-Scanner as qscand (default setting) you could put User qscand inside your clamd.conf file and restart clamd. Remember to check that qscand can create clamd.ctl (usually located at /var/run/clamav/clamd.ctl). The same applies to the log file.

• How do I use ClamAV with p3scan?
Add the following lines to your pop3vscan configuration file:
virusregexp = .*: (.*) FOUND
scanner = /usr/bin/clamdscan --no-summary -i
scannertype = basic

• Where can I ask questions about using ClamAV?
Subscribe to our clamav-users mailing list at http w
51. tion with a strong emphasis on security tools and small footprint. It can be used to run ClamAV from a CDROM.

8.37 redWall Firewall
Homepage: http://redwall.sourceforge.net
Supports: ClamAV
redWall is a bootable CD-ROM firewall which focuses on web-based reporting of the firewall's status. It supports virus filtering with amavisd-new and ClamAV.

8.38 ClamWin
Homepage: http://clamwin.sourceforge.net
Supports: clamscan, freshclam
ClamWin provides Graphical User Interface to Clam AntiVirus scanning engine. It allows to select and scan a folder or file, configure settings and update virus databases. It also includes a Windows Taskbar tray icon. ClamWin also features a context menu handler for Windows Explorer which installs Scan into the right-click explorer menu for files and folders. The package comes with an installer built with InnoSetup. Cygwin dlls are included.

8.39 KlamAV
Homepage: http://sourceforge.net/projects/klamav
Supports: ClamAV
ClamAV Anti-Virus protection for the KDE desktop. The features include: on-access scanning, manual scanning, quarantine management, downloading updates, mail scanning (KMail/Evolution), automated installation (ClamAV and Dazuko pre-packaged).

8.40 Clamaktion
Homepage: http://web.tiscali.it/rospolosco/clamaktion
Supports: clamscan
clamaktion is a little utility which allows KDE 3 users to scan files and directories with clamscan from the right click
52. to search for clamav on http://www.apt-get.org too.

• RedHat - Fedora
The packages are maintained by Petr Kristof.
Fedora1: http://crash.fce.vutbr.cz/crash-hat/1/clamav
Fedora2: http://crash.fce.vutbr.cz/crash-hat/2/clamav
Devel snapshots: http://crash.fce.vutbr.cz/crash-hat/testing/2
Please follow the instructions at http://crash.fce.vutbr.cz/yum-repository.html and then run:
yum update clamav
or
up2date -u clamav
Another very good repository is maintained by Dag Wieers: http://dag.wieers.com/packages/clamav

• PLD - Linux Distribution
The RPM packages for the Polish(ed) Linux Distribution are maintained by Arkadiusz Miskiewicz (visit http://www.pld-linux.org).

• Mandrake
A RPM package for Mandrake is available on Mandrake's mirrors, and is maintained by Oden Eriksson. Another set of RPM packages (maintained by Bill Randle) is available at ftp://ftp.neocat.org/pub

• Slackware
Slackware packages (without milter support) are maintained by Jay Scott Raymond. You can find them at http://webpages.charter.net/jay_scott_raymond/linux/slackages
If you need milter-enabled ClamAV, try Peter Kaagman's packages available at http://bilbos-stekkie.com/clamav
Both of them are also available at http://www.linuxpackages.net

• SuSE
SuSE 8.2 and 9.1 RPMs are maintained by Joe Benden. You can download them at http://www.ispservices.com/clamav.html
Official ClamAV packages for SuSE are maintained
53. ww clamav net ml html

• Where can I get the latest CVS snapshot of ClamAV?
Basically, there are two ways:
Run cvs -d :pserver:anonymous@cvs.sourceforge.net:/cvsroot/clamav co clamav-devel
Visit http://www.clamav.net/snapshot

• I'm a MS Windows user. Can I take advantage of ClamAV virus protection?
Yes, you can use ClamWin, a port of ClamAV for win32 systems with a very nice graphic interface. Download it at http://www.clamwin.net

• Where can I find more information about ClamAV?
Please read this documentation. You can also try searching the mailing list archives. If you can't find the answer, you can ask for support on the clamav-users mailing list, but please, before doing it, search the archives. Also, make sure that you don't send HTML-ized email messages and that you don't top-post (these violate the netiquette and lessen your chances of being answered).

• How can I contribute to the ClamAV project?
There are many ways to contribute to the ClamAV project. See the donations page http://www.clamav.net/donate.html for more info.

8 Third party software
There are many projects with support for our scanner. Here is the list of software that was tested and is known to work well.

8.1 IVS Milter
Homepage: http://ivs-milter.lbsd.net
Supports: clamd
IVS Milter is a virus and spam scanning milter. The name stands for Industrial Virus Spam milter. It's designed to be used by anything from home use