Red Hat ClamAV amavisd-new

HOWTO install and configure ClamAV (clamd) on a Red Hat or Fedora system running amavisd-new.

Absolutely no warranty. Use entirely at your own risk.

Thankfully, Dag Wieers at http://dag.wieers.com/packages/clamav/ has the packages we need. Here I illustrate installing version 0.87 on a RH9 i386 box. Modify the six lines below as needed for the current version of ClamAV, your version of OS and your architecture. We need to download and install 'clamav-db', 'clamav' and 'clamd' (in that order). Hopefully, you will not have any problems with dependencies.


cd /usr/local/src


wget http://dag.wieers.com/packages/clamav/clamav-db-0.88.3-1.rh9.rf.i386.rpm

wget http://dag.wieers.com/packages/clamav/clamav-0.88.3-1.rh9.rf.i386.rpm
     
wget http://dag.wieers.com/packages/clamav/clamd-0.88.3-1.rh9.rf.i386.rpm

If you have a previous version of ClamAV on your system, you will first need to remove it (in reverse order of installation), for example:


rpm -e clamd-0.88.2

rpm -e clamav-0.88.2

rpm -e clamav-db-0.88.2

The system will save copies of your config files. You may choose to use the old clamd.conf, or reconfigure the new one (preferred). Remember to add the clamav user to the amavisd user's group as described below. Now you can install (and configure) the new version:


rpm -Uvh clamav-db-0.88.3-1.rh9.rf.i386.rpm

rpm -Uvh clamav-0.88.3-1.rh9.rf.i386.rpm

rpm -Uvh clamd-0.88.3-1.rh9.rf.i386.rpm

We may want to make a couple of modifications to the supplied clamd.conf:

If you would like to use the default TCPSocket method of communication, then you do not necessarily need to make changes to the supplied clamd.conf. The default in our Dag Wieers clamd.conf is 'TCPSocket 3310' and 'TCPAddr 127.0.0.1'. Simply skip to the next section.

If you would like to use the LocalSocket method, then:
vi /etc/clamd.conf
Uncomment 'LocalSocket /var/run/clamav/clamd.sock'
Comment out 'TCPSocket 3310'

Save and exit. Here we use LocalSocket instead of TCPSocket. These settings cannot be used together.

One key to getting clamd and amavisd-new to work with each other is to add the user 'clamav' to the 'amavis' (or 'vscan') group. Doing so magically resolves file permission issues (one cause of the the dreaded "Can't connect to UNIX socket" or "Can't connect to INET socket"). The following instructions assume your amavisd-new group is called 'amavis':

Let's add the 'clamav' user to the 'amavis' group; modify if your group is 'vscan' or some other name:

gpasswd -a clamav amavis

You can test your efforts by issuing the command: groups clamav

Now we need to prepare amavisd-new to use clamd. The other key to getting the two programs to work together is to insure the value after 'CONTSCAN' in amavisd.conf is the same as the 'LocalSocket' (or TCPSocket) setting in clamd.conf. In our case this would be '/var/run/clamav/clamd.sock' which is the file that the two programs use to talk to each other (the Unix socket). If using TCPSocket / TCPAddr, the value would be '127.0.0.1:3310'.

vi /etc/amavisd.conf

To enable virus scanning, comment out: @bypass_virus_checks_acl = qw( . );

You may need to uncomment the ClamAV section:

  ['Clam Antivirus-clamd',
     \&ask_daemon, ["CONTSCAN {}\n", '/var/amavis/clamd'],
     qr/\bOK$/, qr/\bFOUND$/,
     qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

If you choose to use LocalSocket as opposed to TCPSocket:
Notice the value after CONTSCAN in this example above is currently '/var/amavis/clamd'
Edit this to reflect what our LocalSocket is set to, which in our case is:
'/var/run/clamav/clamd.sock'

If you choose to use TCPSocket instead of LocalSocket, edit the value after CONTSCAN like so:

  ['Clam Antivirus-clamd',
     \&ask_daemon, ["CONTSCAN {}\n", '127.0.0.1:3310'],
     qr/\bOK$/, qr/\bFOUND$/,
     qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

You should take a look at these items in amavisd.conf and modify them to meet your needs (my personal settings are shown):

$final_virus_destiny      = D_DISCARD;

$virus_admin = "postmaster\@$mydomain";

$virus_quarantine_to = "virii\@$mydomain";

# I created a new mailbox to accommodate this.

$mailfrom_notify_admin     = "postmaster\@$mydomain";

$mailfrom_notify_recip     = "postmaster\@$mydomain";

$mailfrom_notify_spamadmin = "postmaster\@$mydomain";

$hdrfrom_notify_sender = "amavisd-new <postmaster\@$mydomain>";

Before proceeding, obtain the eicar test virus from http://www.eicar.com/anti_virus_test_file.htm and prepare your email client to send an email containing the "virus" through the system. I suggest downloading eicar.com.txt, renaming it to eicar.txt and then attaching it to the email.

Start clamd using the command:
clamd

Run freshclam using the command:
freshclam

Stop amavisd-new:
amavisd stop

Start up amavisd-new in debug mode:
amavisd debug

Now test the system by sending the email containing the eicar test virus through the system. You should see:
Clam Antivirus-clamd: Connecting to socket
and:
INFECTED (Eicar-Test-Signature)

If all goes well, stop debug mode with [Ctrl]+c and restart amavisd-new:
amavisd start

The RPMs I installed only update the database once each day (/etc/cron.daily/freshclam), If this is the case for you I suggest adding a new file to /etc/cron.d that runs freshclam once each hour. We will call the file 'freshclam'.

vi /etc/cron.d/freshclam

And insert the following:
MM * * * * clamav [ -x /usr/bin/freshclam ] && /usr/bin/freshclam --quiet

Replace MM with a number between 1 and 59. It is best not to use the digit "0"

I suggest you check the health of your new ClamAV installation by reading /var/log/clamav/clamd.log and /var/log/clamav/freshclam.log. It is a good idea to insure the daily freshclam cron job and the hourly freshclam cron job do not run at exactly the same time.

mr88talent at yahoo dot com
5/23/2005