Clam AntiVirus: User Manual

Contents

1. • VERSION: Print the version information.
• RELOAD: Reload the databases.
• QUIT: Perform a clean exit.
• SCAN file/directory: Scan a file or directory (recursively) with archive support. A full path is required.
• RAWSCAN file/directory: Scan a file or directory (recursively) with archive support disabled. A full path is required.
• CONTSCAN file/directory: Scan a file or directory (recursively) with archive support enabled and continue scanning even when a virus was found. A full path is required.
• STREAM: Scan stream. On this command clamd will return "PORT number" and you can connect to that port and send the data to scan.

Internal threads (except clamuko) ignore all external signals. The main thread handles the SIGTERM and SIGINT signals and performs a proper exit when one of them is caught.

3.2 Clamuko

Clamuko is a special thread in clamd that performs on-access scanning under Linux. It was implemented as a thread in clamd because of the Dazuko implementation: the client (clamuko) / server (clamd) model is currently not supported by Dazuko. There are some benefits from the current implementation: clamuko shares the database with clamd and it is updated with the RELOAD command. You must obey the following principles when using clamuko:
• Always stop the daemon cleanly, with the QUIT command or the SIGTERM signal. Otherwise you can lose access to the protected files until the system is restarted.
• Never protect the
2.
    Found signature end at 11916
    11919 moving backward
    11917 moving backward
    The scanner was executed 46 times
    Signature length is 50 so length of hex string should be 100
    Saving signature in testfile.sig file

4 Compatible software

The following software supports ClamAV. It's specified which elements are supported (please note that if the program doesn't support clamd you can use clamdscan instead of clamscan).

4.1 clamav-milter

Location: included in clamav package
Supports: clamd

clamav-milter by Nigel Horne is a very fast email scanner designed for sendmail. It's entirely written in C and uses ClamAV's internal mail scanner (also written by Nigel).

Installation: You need libmilter development files. Configure ClamAV with

    ./configure --enable-milter

and recompile. The program will be installed in /usr/local/sbin/clamav-milter. The following instructions were adopted from Nigel's INSTALL file. Add to /etc/mail/sendmail.mc:

    INPUT_MAIL_FILTER(`clmilter', `S=local:/var/run/clmilter.sock, F=, T=S:4m;R:4m')dnl
    define(`confINPUT_MAIL_FILTERS', `clmilter')

Check entries in clamav.conf of the form:

    LocalSocket /var/run/clamd.sock
    ScanMail
    SaveStreamToDisk

Start clamav-milter:

    /usr/local/sbin/clamav-milter -blo /var/run/clmilter.sock

and restart sendmail.

4.2 mod_clamav

Location: http software oth
3.
    /usr/local/bin/freshclam --quiet -l /var/log/clam-update.log

It will check for a new database daily at 8 am. You may need to set up proxy support on your system. You should set the environment variable http_proxy, e.g.:

    export http_proxy="my.proxy.server:8080"

There are also the --http-proxy and --proxy-user options available.

2.9 FreshClam: Mirrors and mirrors.txt

The main server is clamav.elektrapro.com and there are the following mirrors available:
• clamav.ozforces.com: database mirror (updated manually)
• clamav.essentkabel.com: full mirror of the main site (updated automatically)
• clamav.linux-sxs.org: database mirror (rsync from ozforces)

In the database directory you will find the mirrors.txt file, which freshclam reads each time it tries to download the new database. It uses the first server from the file and switches to another one (and remembers that position for some time) when the previous one is not available. You can modify that file if you find some mirror faster; however, this is not recommended.

3 Usage

3.1 Clam daemon

clamd is a fully multi-threaded daemon based on libclamav. It's able to work in one of the two modes, using:
• Unix (local) sockets
• TCP sockets

The daemon is configured by the clamav.conf file. You will find a description of all the options in the clamav.conf(5) manual. clamd recognizes the following commands:
• PING: Check server's state. It should reply with "PONG".
4. There's an elegant way to print libclamav's error codes:

    char *cl_perror(int clerror);

cl_perror() returns a (statically allocated) string describing the clerror code:

    if(ret) {
        printf("cl_loaddbdir() error: %s\n", cl_perror(ret));
        exit(1);
    }

When the database is loaded, you must create the proper trie with:

    void cl_buildtrie(struct cl_node *root);

In our example:

    cl_buildtrie(root);

OK, now you can scan a buffer, descriptor or file with:

    int cl_scanbuff(const char *buffer, unsigned int length,
                    char **virname, const struct cl_node *root);

    int cl_scandesc(int desc, char **virname, unsigned long int *scanned,
                    const struct cl_node *root, const struct cl_limits *limits,
                    int options);

    int cl_scanfile(const char *filename, char **virname,
                    unsigned long int *scanned, const struct cl_node *root,
                    const struct cl_limits *limits, int options);

All the functions save a virus name address under the virname pointer. virname points to the name in the trie structure, thus it can't be released directly. cl_scandesc and cl_scanfile can increase the scanned value in CL_COUNT_PRECISION units. They also support archive limits:

    struct cl_limits {
        int maxreclevel;
        int maxfiles;
        long int maxfilesize;
    };

The last argument configures the scan engine. Currently it supports CL_ARCHIVE (enables archive scanning), CL_RAW (disables archive scanning) and CL_MAIL (enables mbox and Maildir scanning). The functions return 0
5. Authors

Nigel Horne <njh at bandsman co uk> is an active ClamAV developer responsible for the mbox code in libclamav and clamav-milter. I take care most of these things are working. If you have some questions feel free to mail us.

Tomasz Kojm <zolw at konarski edu pl>

References

[1] Cormen, Leiserson, Rivest: Introduction to Algorithms, Chapter 34, MIT Press.
[2] http://www-sr.informatik.uni-tuebingen.de/~buehler/AC/AC.html: Aho-Corasick algorithm description.
6. FreeBSD testing, hdd donation
• Chris van Meerendonk <cvm at castel nl>: virus samples, clamav.essentkabel.com mirror
• Arkadiusz Miskiewicz <misiek at pld org pl>: Polish(ed) Linux Distribution (http://www.pld.org.pl) rpm package maintainer, fixes and ideas
• Doug Monroe <doug at planetconnect com>: Qmail-Scanner problem analysis
• Hendrik Muhs <Hendrik Muhs at student uni magdeburg de>: pattern matcher optimization
• Luca NERvOus Gibelli <nervous at nervous it>: ElektraPro.com administrator
• Wojciech Noworyta <wnow at konarski edu pl>: bug report (buffer overflow in clamscan's help under Windows)
• Joe Oaks <joe oaks at hp com>: HPUX support
• Washington Odhiambo <wash at wananchi com>: extensive mbox code testing, bug reports
• Masaki Ogawa <proc at mac com>: Mac OS X support, Japanese documentation
• Martijn van Oosterhout <kleptog at svana org>: code analysis and suggestions
• OpenAntiVirus.org Team: virus database
• Eric Parsonage <eric at eparsonage com>: "Installing qmail-scanner, Clam Antivirus and SpamAssassin under FreeBSD" how-to
• Oliver Paukstadt <pstadt at stud fh heilbronn de>: bug report (crash with strange Zip archives)
• Kristof Petr <Kristof P at fce vutbr cz>: bug report: socket descriptors leak in clamd, file descriptors leak in clamd, clam
7. security. Dangerous operations in clamscan (such as extracting, temporary file creation, unlink operations) are executed with clamav privileges. But there are no programs without bugs. This is a young project and everything is possible. In some places it uses the snprintf() function; in some older systems' C libraries, however, the buffer length in this function isn't checked. This example shows that you should check your system first. Never set SUID/SGID bits on Clam AntiVirus executables. If the SUID bit is set and clamscan is owned by root, every file on the system may be modified with the --log option. Normal users may use clamscan to scan their files; other files shouldn't interest them. Clam AntiVirus Daemon was written with security in mind: it doesn't allow external unpackers (it uses only libclamav unarchivers) and contains some additional protections.

7.2 Scan engine

New versions of Clam AntiVirus use a mutation of the Aho-Corasick pattern matching algorithm. This algorithm uses a finite state pattern matching automaton [1]. The algorithm itself is a generalization of the Knuth-Morris-Pratt algorithm. Please look at matcher.h for data type definitions. The automaton is represented by the trie. A trie is a rooted tree with some specific properties [2]. Each node of the trie represents some state of the automaton. In the implementation, the node is defined as follows:

    struct node {
        int islast;
        struct patt *list;
        int maxpatlen;
8. to --database.
51: Wrong number of threads was passed to --threads. It must be a natural number (> 0).
52: Not supported file type. Scanner supports regular files, directories and symlinks.
53: Can't open directory.
54: Can't open file.
55: Error reading file. Probably the medium you are reading is broken.
56: Can't stat input file or directory. The file/directory you want to scan doesn't exist.
57: Can't get absolute pathname of current working directory. Your current pathname is longer than 200 characters. When clamscan is started without an input file/directory it scans the current directory. For some reasons it needs absolute pathnames; the buffer is hardcoded to 200 characters and that should be sufficient.
58: I/O error. Please check the filesystem.
59: Can't get information about current user (running clamscan).
60: Can't get information about user clamav. User clamav (default unprivileged user) doesn't exist in /etc/passwd.
Only in one-file mode (in recursive mode those errors are ignored).
61: Can't fork. Can't create new process, please check your limits.
63: Can't create temporary file or directory. Please check permissions.
64: Can't write to temporary directory. Please specify another one.
70: Can't allocate and clear memory. This is a critical error, please check your system.
71: Can't allocate memory. Look above.

7 Technicals

7.1 Security

Clam AntiVirus cares about
9.
        struct node *next[NUM_CHILDS], *trans[NUM_CHILDS], *fail;
    };

To be continued...

8 Credits

In alphabetical order:
• AIX PDSLIB, University of California at Los Angeles (http://aixpdslib.seas.ucla.edu): binary packages for AIX
• Kamil Andrusz <wizz at mniam net>: OpenBSD support patch
• Jean Edouard BABIN <Jeb at jeb com fr>: NetBSD support, made his NetBSD box available to me
• Marc Baudoin <babafou at babafou eu org>: NetBSD testing
• Hilko Bengen <bengen at vdst ka inka de>: support for Clam AntiVirus in his AMaViS - Next Generation
• Patrick Bihan Faou <patrick at mindstep com>: support for --with-user/group in the configure script
• Eric I Lopez Carreon <elopezc at technitrade com>: Spanish "Sendmail AMaViS ClamAV Installation" how-to
• Nicholas Chua <nicholas at ncmbox net>: big database updates
• Damien Curtain <damien at pagefault orqg>: fix for the --remove option in clamscan (it didn't work with internal archivers), implementation of the --move option in clamscan, mirroring support in freshclam
• Krisztian Czako <slapic at linux co hu>: virus signatures
• Diego d'Ambra <da softcom dk>: virus samples
• Alejandro Dubrovsky <s328940 at student uq edu au>: patch for including and excluding multiple patterns
• Magnus Ekdahl <magnus at debian org>: D
10. CL_CLEAN when no virus is found, CL_VIRUS when a virus is found, and another value on failure.

    struct cl_limits limits;
    char *virname;

    /* maximal number of files in archive */
    limits.maxfiles = 100;
    /* maximal archived file size: 10 Mb */
    limits.maxfilesize = 10 * 1048576;
    /* maximal recursion level */
    limits.maxreclevel = 8;

    if((ret = cl_scanfile("/home/zolw/test", &virname, NULL, root,
                          &limits, CL_ARCHIVE)) == CL_VIRUS) {
        printf("Detected %s virus.\n", virname);
    } else {
        printf("No virus detected.\n");
        if(ret != CL_CLEAN)
            printf("Error: %s\n", cl_perror(ret));
    }

When you don't need to scan more files, the trie should be released with:

    void cl_freetrie(struct cl_node *root);

You will find some examples in the clamav sources. Each program using libclamav must be linked against it:

    gcc -Wall ex1.c -o ex1 -lclamav

Enjoy!

6 Problem solving

6.1 Return codes

Return codes are very useful, especially in system scripts. You may check the return code from clamscan by running the following command (directly after the scanner exits):

    echo $?

Here is a list of return codes from clamscan:
0: No virus was found.
1: Virus(es) detected.
40: Unknown option was passed to clamscan. Please check clamscan --help or the manual page for available options.
50: Problem with initialization of virus database. Probably it doesn't exist in the default place or wrong file was passed
11. Clam AntiVirus: User Manual, version 0.60, Tomasz Kojm

Contents

1 Introduction
    1.1 Features
    1.2 Mailing lists
    1.3 Virus submitting
2 Installation
    2.1 Requirements
    2.2 Supported platforms
    2.3 Actual versions
    2.4 Binary packages
    2.5 Installation
    2.6 Configuration
    2.7 Testing
    2.8 FreshClam: Setting up auto-updating
    2.9 FreshClam: Mirrors and mirrors.txt
3 Usage
    3.1 Clam daemon
    3.2 Clamuko
    3.3 Archives and compressed files
    3.4 Output format
    3.5 Signature Tool
4 Compatible software
    4.1 clamav-milter
    4.2 mod_clamav
    4.3 TrashScan
    4.4 AMaViS - Next Generation
    4.5 amavisd-new
    4.6 Qmail-Scanner
    4.7 Sagator
    4.8 ClamdMail
    4.9 BlackHole
    4.10 MailScanner
    4.11 MIMEDefang
12.
    add -g clamav -s /bin/false -c "Clam AntiVirus" clamav

The above method works on Linux and Solaris; if you don't have groupadd/useradd, please consult your system manual (the section about creating new users and groups). If you are not a system administrator (or won't be using clamscan in superuser mode), you may omit this step with the option --disable-clamav passed to the configure script:

    ./configure --disable-clamav

This disables the test for the clamav user and group; clamscan still requires clamav for superuser mode. Please don't set a password on this account; just make sure it is locked in /etc/passwd or /etc/shadow. It must be a normal unprivileged user. Don't add it to any supplementary groups. After you have created the clamav user/group, extract the archive:

    zcat clamav-x.yz.tar.gz | tar xvf -
    cd clamav-x.yz

Assuming you want the configuration file installed in /etc, configure the package as follows:

    ./configure --sysconfdir=/etc

Currently gcc is required for the compilation. Support for other compilers will be added in the near future.

    make
    su -c "make install"

In the last step the software is installed in the /usr/local directory and the config file in /etc.

WARNING: Never set the SUID/SGID bit on Clam AntiVirus programs.

Cygwin note: If you don't have /etc/passwd you don't need the clamav user/group.

2.6 Configuration

If you are going to use the daemon, you need to c
13. and argument. So the proper way to supply the optional arguments is (for example):

    --unzip=/path/to/unzip

--unzip
    You probably don't need this option because Zip is supported by libclamav. But if libclamav fails to unzip some file it may be useful. clamscan was tested with UnZip 5.41 of 16 April 2000, by Info-ZIP.
--unrar
    Tested with UNRAR 3.00 freeware.
--unace
    It uses options supported by UNACE v1.2 (public version); not tested but should work.
--arj
    Tested with arj 3.10b.
--zoo
    Tested with zoo 2.1.
--lha
    Tested with LHa for Unix V 1.14e.
--jar
    Uses unzip for .jar files. Tested with UnZip 5.41 of 16 April 2000, by Info-ZIP.
--tar
    This option supports non-compressed archives. Tested with GNU tar 1.13.17.
--deb
    This option supports debian binary packages. Tested with GNU ar 2.12.90.0.14. Implies --tgz, but doesn't conflict with --tgz=FULLPATH.
--tgz
    This option supports .tar.gz and .tgz files. You need GNU tar (on a non-Linux system you probably have it as gtar, and if this is in PATH just use --tgz=gtar or supply the full path to this command as an argument).

3.4 Output format

clamd uses a clamscan-compatible (see below) output format:

    zolw@Wierszokleta$ telnet localhost 3310
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    SCAN /home/zolw/infected
    /home/zolw/infected/sobre.com: W32.Magistr.B FOUND
    Connection closed by foreign host.

In SCAN mod
14. directory your mail scanner software uses for attachments unpacking. Access to all infected files will be blocked and the scanner (even clamd) won't be able to detect a virus. Infected mail will be delivered.

You need to enable clamuko in clamav.conf. To protect the directory /home please use the option:

    ClamukoIncludePath /home

To protect the whole system:

    ClamukoIncludePath /
    ClamukoExcludePath /proc
    ClamukoExcludePath /tempdir/of/mail/scanner

You can use clamuko to protect file access on Samba/Netatalk. NFS is not supported (Dazuko doesn't intercept NFS access calls). Another idea: you can build a database containing signatures of the popular exploits; it will protect you against script kiddies.

3.3 Archives and compressed files

Clam AntiVirus depends on LibClamAV. It has built-in support for the following formats:
• Zip
• Gzip
• RAR (2.0 only)

Archive files are detected by checking magic strings. You need the zlib library for the Zip/Gzip support. Zip archives are accessed with the zziplib library by Guido Draheim and Tomi Ollila. RAR support is based on the UniquE RAR File Library by Christian Scheurer and Johannes Winkelmann. Both of them are included (and slightly modified) in the clamav sources. Unrarlib supports RAR 2.0 archives only and, according to Christian, the new format introduced in WinRAR 3.0 won't be supported. The daemon scans archives supported by libclamav only. C
15. e it closes the connection when the first virus is found. In the case of archives the output is exactly the same as with normal files:

    SCAN /home/zolw/Clam/test/test2.zip
    /home/zolw/Clam/test/test2.zip: ClamAV-Test-Signature FOUND

CONTSCAN displays all infected files found. Error messages are printed in the following format:

    SCAN /no/such/file
    /no/such/file: Can't stat the file. ERROR

and they can be easily parsed. clamscan writes all messages (only --help is written to stdout) by default to stderr. In some situations you may want to redirect them to stdout with --stdout. stdout, in contrast to stderr, is buffered; that's why clamscan flushes this buffer after each message to prevent garbage on the output. During scanning it writes something like this:

    /TEST/test: OK
    /TEST/Makefile: OK
    /TEST/getopt.c: OK
    /TEST/virfile: Phantom.1 FOUND

When a virus is found its name is printed between "filename:" and "FOUND". If a virus is found in an archive scanned with an external unpacker, it's noticed with "Infected Archive". "Infected Archives" are not counted as infected files; just the files in them are. Please note the difference with internal unarchiving: because it's realized transparently by libclamav, clamscan doesn't even know the file is an archive.

3.5 Signature Tool

sigtool automates signature creation. If you have an infected file which isn't detected by ClamAV but it is by ano
16. ebian (http://www.debian.org) package maintainer, fixes and improvements
• Jason Englander <jason at englanders cc>: bug report; clamd recursive scanning of the directories on non-standard file systems; configure script support for id checking; Database maintainer
• Oden Eriksson <oden eriksson at kvikkjokk net>: Mandrake package maintainer
• Edison Figueira Junior <edison at brc com br>: money donation
• David Ford <david cert at blue labs org>: gcc 3.x support fix
• Piotr Gackiewicz <gacek at intertele pl>: bug report (clamd THREXIT bug)
• Nick Gazaloff <nick at sbin org>: socket descriptors leak fix in clamd
• Wieslaw Glod <wkg at x2 pl>: bug report (FreeBSD compile problem in 0.22)
• Matthew A Grant <grantma at anathoth gen nz>: OpenAntiVirus Update script (oav-update)
• Hrvoje Habjanic <hrvoje habjanic at zg hinet hr>: syslog support patch for clamd, virus provider
• Michal Hajduczenia <michalis at mat uni torun pl>: Clam title logo
• Paul Hoadley <paulh at logixsquad net>: "Installing qmail-scanner, Clam AntiVirus and SpamAssassin under FreeBSD" how-to
• Thomas W Holt Jr <twh at cohesive net>: information about ClamAV compiling on Solaris 2.6 and Cobalt MIPS boxes
• Douglas J Hunley <doug at hunley homeip net>: clamav.linux-sxs.org mirror, ideas
• Kurt Huwig <k
17. ello ch modl_clamav
Supports: libclamav, clamd

mod_clamav is an Apache virus scanning filter. It was written and is currently maintained by Andreas Müller. The project is very well documented and the installation is quite easy.

4.3 TrashScan

Location: clamav-sources/support/trashscan
Supports: clamscan

This is a procmail-based scanner from Trashware and it's extremely easy to set up; however, this is for single users only and not as efficient as MTA-based scanners.

4.4 AMaViS - Next Generation

Location: http://sourceforge.net/projects/amavis
Supports: clamscan

AMaViS-ng is a rewritten, more modular version of amavis-perl/amavisd, developed by Hilko Bengen.
Home site
Installation: Please download the newest version (at least 0.1.4). After installation (which is quite easy), please uncomment the following line in amavis.conf:

    virus-scanner = CLAM

and eventually change the path to clamscan in the [CLAM] section:

    [CLAM]
    clamscan = /usr/local/bin/clamscan

4.5 amavisd-new

Location: http://www.ijs.si/software/amavisd
Supports: clamd, clamscan

amavisd-new is a rewritten version of amavis maintained by Mark Martinec.
Installation: clamscan is enabled automatically if the clamscan binary is found at amavisd-new startup time. clamd is activated by uncommenting its entry in the @av_scanners list, file /etc/amavisd.conf.

4.6 Qmail-Scanner

Location: http://qmail-scanner.sf.net
Supports: cla
18. lamscan tries to scan an archive with built-in code, but when it fails it's able to switch to the external unpacker:

Just like the file(1) command.

    clamscan --unrar rarfail.rar
    /home/zolw/Clam/test/rarfail.rar: RAR module failure.
    UNRAR 3.00 freeware    Copyright (c) 1993-2002 Eugene Roshal
    Extracting from /home/zolw/Clam/test/rarfail.rar
    Extracting  test1    OK
    All OK
    /tmp/44694f5b2665d2f4/test1: ClamAV-Test-Signature FOUND
    /home/zolw/Clam/test/rarfail.rar: Infected Archive FOUND

clamscan supports many popular compressors; it uses external programs for each format. If the scanner runs with superuser privileges, unpackers are executed with clamav privileges, which makes the process far more secure. It also makes sure that the clamav user has read access to all scanned compressed files. You should have enabled recursive scanning with the -r option (--recursive) if you want to scan the whole content of the archive (with subdirectories); also all archives in archives will be recursively scanned (just everything). If files in archives are virus free, the archive itself is scanned (just for prevention, it may not be an archive). Please look at the options below; each option has an optional argument: the absolute path to the unpacker. If it can't be found in PATH, please supply it. Because Clam AntiVirus uses the standard GNU options format (the long options with optional arguments), you must remember about the "=" between option
19. • HPUX 11.0
• SCO UNIX
• Mac OS X
• BeOS
• Cobalt MIPS boxes (RAQ1, RAQ2, QUBE2)
• Windows/Cygwin

Some features may not be available with your operating system. If you have run Clam AntiVirus on a system not listed above, please let us know.

2.3 Actual versions

Clam AntiVirus can be obtained from http://clamav.elektrapro.com. The site is sponsored by ElektraPro.com.

2.4 Binary packages

There are high quality deb and rpm packages available for Linux. The Debian package is maintained by Magnus Ekdahl and you will find it on debian mirrors (http://www.debian.org). The RPM package is maintained by Arkadiusz Miskiewicz and is distributed with Polish(ed) Linux Distribution (ftp://ftp.pld.org.pl). There is also an RPM package for Mandrake available; it's maintained by Oden Eriksson and can be found on Mandrake mirrors. The binary packages for AIX are available in AIX PDSLIB, UCLA (http://aixpdslib.seas.ucla.edu/packages/clamav.html). The official FreeBSD port is maintained by Masahiro Teramoto. The unofficial port for OpenBSD, maintained by Flin Mueller, is available at http://www.activeintra.net/openbsd/article.php?id=5.

2.5 Installation

Please read the README file in the current version because it probably contains some important release notes. If you are installing Clam AV for the first time, you have to add a new user and group to your system (clamav):

    groupadd clamav
    user
20. mscan

You must increase the softlimit value or wait for daemon support.

4.7 Sagator

Location: http://www.salstar.sk/sagator
Supports: clamscan, clamd, libclamav

This program is an email antivirus/antispam gateway. It is an interface to postfix (or any other smtpd), which runs antivirus and/or spamchecker. Its modular architecture can use any combination of antivirus/spamchecker according to configuration.

4.8 ClamdMail

Location: http://clamdmail.sf.net
Supports: clamd

A mail processing client for ClamAV. Small, fast and easy to install.

4.9 BlackHole

Location: http://www.groovy.org/blackhole.shtml
Supports: clamscan, clamd

BlackHole is an advanced spam/virus filter for Qmail, Postfix, Sendmail, Exim and Courier, written by Chris Kennedy. This tool is for advanced administrators; installation is hard.

4.10 MailScanner

Location: http://www.mailscanner.info
Supports: clamscan

MailScanner scans all e-mail for viruses, spam and attacks against security vulnerabilities. It is not tied to any particular virus scanner, but can be used with any combination of 14 different virus scanners, allowing sites to choose the "best of breed" virus scanner.

4.11 MIMEDefang

Location: http://www.roaringpenguin.com/mimedefang
Supports: clamscan, clamd

This is an efficient mail scanner for Sendmail/milter.

4.12 Exiscan

Location: http://duncanthrax.net/exiscan
Supports: clamscan, clamd e
21. n the source directory recursively:

    clamscan -r -l scan.txt clamav-x.yz

It should find the viruses in the clamav-x.yz/test directory. You may check it in the created log (scan.txt). You will find more about clamscan options in the clamscan(1) manual. To test clamd, first start it and then use clamdscan (you can also connect directly to clamd and run the SCAN command):

    clamdscan -l scan.txt clamav-x.yz

2.8 FreshClam: Setting up auto-updating

The freshclam utility is the default database updater for Clam AntiVirus. It works in two modes:
• interactive: from the command line
• as a daemon: works alone, silently

When started by the superuser it drops the privileges (by default it works as clamav). freshclam downloads the database from the Clam AntiVirus homepage and checks its consistency using the MD5 sum process for Clam AntiVirus. Run freshclam (as root) without any parameters to check whether it is working correctly. If everything is OK, create the log file in /var/log (owned by clamav):

    touch /var/log/clam-update.log
    chmod 600 /var/log/clam-update.log
    chown clamav /var/log/clam-update.log

Now you can run freshclam as a daemon:

    freshclam -d -c 2 -l /var/log/clam-update.log

It will check for a new database 2 times a day. Please add the above line to your startup scripts. The other way is to use the cron daemon. You have to add a similar line to the crontab of root or clamav:

Note: Please run man clamscan.

    0 8
22. onfigure it:

    clamd
    ERROR: Please edit the example config file /etc/clamav.conf.

Now you know where the configuration file is located. The format and options of this file are fully described in the clamav.conf(5) manual. clamd configuration is rather easy; the config file is well commented. Remember, you must remove the "Example" directive. Another feature of clamd is on-access scanning based on the Dazuko module, available from http://dazuko.org. This is not required to run clamd; furthermore, you shouldn't run Dazuko on production systems. A special thread in clamd responsible for the communication with Dazuko is called "Clamuko" (it's due to the funny name of Dazuko; I don't know what "Clamuko" means). Clamuko is supported on Linux 2.2 and 2.4 only.

Dazuko installation:

    tar zxpvf dazuko-a.b.c.tar.gz
    cd dazuko-a.b.c
    make dazuko
    (or make dazuko-smp for smp kernels)
    su
    insmod dazuko.o
    cp dazuko.o /lib/modules/`uname -r`/misc
    depmod -a

Depending on your Linux distribution you have to add a "dazuko" entry to /etc/modules or the following line:

    modprobe dazuko

to some startup file to load dazuko at boot time. You must also create the /dev/dazuko device:

    cat /proc/devices | grep dazuko
    254 dazuko
    su -c "mknod -m 600 /dev/dazuko c 254 0"

Now you must configure Clamuko in clamav.conf. Please check section 3.2.

2.7 Testing

OK! Let's do some tests. Try to sca
23. scan and libclamav
• Ed Phillips <ed at UDel Edu>: patch for the internal logger in clamd
• Andreas Piesk <Andreas Piesk at heise de>: clamd ScannerDaemonOutputFormat option
• Ant La Porte <ant at dvere net>: proxy support enhancement
• Sergei Pronin <sp at finndesign fi>: bug report (access problems in superuser mode)
• Thomas Quinot <thomas at cuivre fr eu org>: patch for non-default prefix and incoherent database location specification in defaults.h of clamscan and freshclam
• David Sanchez <dsanchez at veloxia com>: bug report (thread deadlocking in a critical error situation)
• Martin Schitter: bug report (libclamav crash on certain zip files)
• Enrico Scholz <enrico scholz at informatik tu chemnitz de>: daemonize enhancements
• Dr Zbigniew Szewczak <zssz at mat uni torun pl>: ideas, suggestions and time spent on discussing some aspects of ClamAV
• Gernot Tenchio <g tenchio at telco tech de>: proxy authorization support in freshclam
• Masahiro Teramoto <markun onohara to>: official FreeBSD port maintainer
• Trashware <trashware at gmx net>: TrashScan
• Troy Wollenslegel <troy at intranet org>: bug report (handling inaccessible directories in archives)
• Andoni Zubimendi <andoni at lpsat net>: fix for segmentation fault in 0.12 (NULL pointer dereference)

9
24. t

That means the subscribers are not allowed to write into the mailing list.

• virusdb@clamav.elektrapro.com: database update information

You can subscribe by sending an empty email to listname-subscribe@clamav.elektrapro.com or via www at http://clamav.elektrapro.com/ml. After subscribing you must reply to a special message sent to your address. Mailing lists are archived at:

    http://archive.elektrapro.com/clamav.elektrapro.com/users
    http://archive.elektrapro.com/clamav.elektrapro.com/devel

1.3 Virus submitting

If you have a virus that is not detected by ClamAV with the latest database, please send it as a normal attachment to virus@clamav.elektrapro.com. If your system doesn't allow you to send infected files, please archive the virus sample into a zip archive with password "virus".

2 Installation

2.1 Requirements

You will need the zlib and zlib-devel packages and the gcc compiler (both 2.9x and 3.x are supported). You can install the bzip2 library and its development files to get bzip2 support, but this is not required.

2.2 Supported platforms

Clam AntiVirus is prepared for installation on the following operating systems/architectures (tested platforms in brackets):
• GNU/Linux 2.2/2.4, all flavours (Intel/SPARC/Alpha/zSeries/S/390)
• Solaris 2.6/7/8/9 (Intel/SPARC)
• FreeBSD 4.5/6/7, 5.0 (Intel/Alpha)
• OpenBSD 3.0/1/2 (Intel)
• AIX 4.1/4.2/4.3/5.1 (RISC 6000)
25. ther anti-virus scanner (working in the console), you can create the signature easily. Example of usage: Create a random file and put the test1 file content into it. We will use clamscan to generate the signature (it's just an example). Scan it with clamscan --stdout testfile; the output is:

    testfile: ClamAV-Test-Signature FOUND

    ----------- SCAN SUMMARY -----------
    Known viruses: 7734
    Scanned directories: 0
    Scanned files: 1
    Data scanned: 0.95 Mb
    Infected files: 1
    I/O buffer size: 131072 bytes
    Time: 0.245 sec (0 m 0 s)

The unique string in this output is "ClamAV-Test-Signature". Run sigtool with the following parameters:

    sigtool -c "clamscan --stdout" -f testfile -s "ClamAV-Test"

The program will concatenate the arguments for -c (command) and -f (file); that's why the scanner's options must be given in the proper order. At the end it will generate a file testfile.sig, which should contain 100 bytes (in our example). It contains the proper signature.

    Detected at 12103 moving backward
    Detected at 11983 moving backward
    Detected at 11923 moving backward
    Not detected increasing pos 11893 -> 11923
    Detected at 11923 moving backward
    Not detected increasing pos 11908 -> 11923
    Detected at 11923 moving backward
    Not detected increasing pos 11915 -> 11923
    Detected at 11923 moving backward
    Detected a
    Detected a
    Detected at 11916 moving backward
    Starting precise loop
26. 4.12 Exiscan
5 LibClamAV
5.1 API
6 Problem solving
6.1 Return codes
7 Technicals
7.1 Security
7.2 Scan engine
8 Credits
9 Authors

1 Introduction

Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. The virus database is based on the virus database from OpenAntiVirus.org, but contains additional signatures (including signatures for popular polymorphic viruses, too) and is kept up to date.

1.1 Features

- GNU GPL v2 license
- POSIX compliant, portable
- Secure
- Very fast
- Multi-threaded
- User friendly
- On-access scanning (Linux only)
- Detects over 7000 viruses, worms and trojans
- Supports compressed files and archives
- Built-in support for RAR (2.0), Zip, Gzip, Bzip2

1.2 Mailing lists

There are three mailing lists available:

- announce@clamav.elektrapro.com: info about new versions (including debian package releases), moderated
- users@clamav.elektrapro.com: user questions
- devel@clamav.elektrapro.com: developemen
27. urt at iku-netz.de>: smart suggestions (ScannerDaemon, OpenAntiVirus author)
- Dave Jones <dave at kalkbay.co.za>: bug report (problem in option parser)
- Kazuhiko <kazuhiko at fdiary.net>: Qmail-Scanner 0.12 support patch
- Robbert Kouprie <robbert at exx.nl>: patch for unrarlib buffer overflow
- Henk Kuipers <henk at opensourcesolutions.nl>: bug report (0.50 compile problem)
- Nigel Kukard <nkukard at lbsd.net>: virus signatures
- Dr Andrzej Kurpiel <akurpiel at mat.uni.torun.pl>: choice of this project from my list
- Dennis Leeuw <dleeuw at made-it.com>: Debian GNU/Linux Mail Server how-to, corrections of this document
- Free Oscar <freeoscar at wp.pl>: hex2str enhancement
- Martin Lesser <admin-debian at bettercom.de>: patch for the http proxy problem in 0.51
- Peter N Lewis <peter at stairways.com.au>: Mac OS X data type problem bugfix
- Mike Loewen <mloewen at sturgeon.cac.psu.edu>: bug report (clamscan 0.24 compile error on Solaris 8), various Solaris and AIX tips
- Stefan Martig <sm at officeco.ch>: bug report, /proc/cpuinfo problem analysis on Linux Alpha, providing me with access to the Linux Alpha system
- Brian May <bam at debian.org>: bug report (clamd writing to an undefined file)
- Ken McKittrick <klmac at usadatanet.com>: intensive
28. xiscan is a patch against exim version 4, providing support for content scanning in email messages received by exim. Four different scanning facilities are supported: antivirus, antispam, regular expressions, and file extensions.

5 LibClamAV

libclamav may be used to add virus protection to your software. The library is thread safe and automatically recognizes and scans archives. Scanning is very fast; in most cases it won't be noticeable.

5.1 API

Each program using libclamav must include the clamav.h header file:

    #include <clamav.h>

The first step is an engine initialization. There are three functions available:

    int cl_loaddb(const char *filename, struct cl_node **root, int *virnum);
    int cl_loaddbdir(const char *dirname, struct cl_node **root, int *virnum);
    char *cl_retdbdir(void);

cl_loaddb loads one database at a time; cl_loaddbdir loads all .db and .db2 files from the directory dirname. cl_retdbdir returns the hardcoded database directory path. The database will be saved under root and the number of loaded signatures will be added to virnum. The pointer to the tree structure (trie, see 7.2) must initially point to NULL. If you don't want to save the number of signatures loaded, pass NULL as the third argument. The cl_loaddb functions return 0 on success and another value on failure.

    struct cl_node *root = NULL;
    int ret;

    /* load every database from the hardcoded directory; signature count not needed */
    ret = cl_loaddbdir(cl_retdbdir(), &root, NULL);
