Jonas Genannt - virus

Clamav daemon on etch - long startup time

nospam@example.com (Jonas Genannt) — Thu, 15 Nov 2007 21:51:13 +0100

If you are running clamav daemon on debian etch, and your clamav daemon takes up to 3-4 minutes to create the unix socket and the pid file, don't despair it's an clamav bug.

While you are running clamav with amavis this bug can be very annoying:

amavis[22480]: (21470-02) (!!) ClamAV-clamd av-scanner FAILED: Too many retries to talk to /var/run/clamav/clamd.ctl (Can't connect to UNIX socket

If you strace your clamv on the startup time you get many of these messages:

read(10, "n.Downloader-14249\n29184:5d2a569"..., 4096) = 4096
read(10, "15872:15a82a8cbbb437f9249c944391"..., 4096) = 4096
read(10, "a6288c61679d87f00:Trojan.Bancos-"..., 4096) = 4096
read(10, "db2a:Trojan.IRCBot-1189\n24576:5e"..., 4096) = 4096

The clamav version is debian etch is 0.90.1.
The bug is fixed in version 0.91rc2. So you could use the backports.org packages (0.91.2).

Debian Volatile Service

nospam@example.com (Jonas Genannt) — Fri, 19 May 2006 02:18:03 +0200

Relating to that Virus Scanning entry I think Debian Volatile is better for an up-to-date ClamAV than Backports.org.

Debian Volatile is made for packages that change very often, and you need the current upstream package on a server. Like an up-to-date virus scanning engine.

So simple and this line to your sources.list and run after that an apt-get update.

deb http://ftp2.de.debian.org/debian-volatile sarge/volatile main

BTW: Volatile Mirror List

Now you can install your clamav normally with an apt-get install clamav.

Postfix with Amavis-new for virus scanning

nospam@example.com (Jonas Genannt) — Thu, 09 Feb 2006 14:41:27 +0100

Here is a short HowTo for configure Postfix to use Amavis with ClamAV for virus scanning!

First you should install ClamAV from backports.org, when you using the ClamAV from stable/sarge you have an old searching engine that maybe have some problems to recognize new viruses with the new files from ClamAV-freshclam.

First add this line to your /etc/apt/sources.list:

deb http://www.backports.org/debian sarge-backports main

Now that is very important to create a /etc/apt/preferences file:

Package: *
Pin: release a=sarge-backports
Pin-Priority: 200

With this entry you deactivate all packages from backports.org this is important because we will only install ClamAV from backports.

Save the file and run an apt-get update to receive the packagefiles from backports.org.

Now install clamav with:
apt-get install -t sarge-backports clamav clamav-freshclam

The -t sarge-backports is necessary, because apt will now install the package from backports.org!

Now install amavis-new:
apt-get install amavis-new

Edit your /etc/postfix/main.cf and add this for amavis:

###E-Mail filter:
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings

Edit your /etc/postfix/master.cf and add this for amavis:

amavis unix - - - - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n - - - - smtpd -o content_filter=
-o local_recipient_maps= -o relay_recipient_maps=
-o smtpd_restriction_classes= -o smtpd_client_restrictions=
-o smtpd_helo_restrictions= -o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_bin_address=127.0.0.1

Now you have to add clamav user to the amavis system group and add the clamav user to the amavis system group in your /etc/group!
Because clamav user must read files in the amavis directory and the amvis user must read files in the clamav directory.
After the modification /etc/group should look like:

clamav:x:107:amavis
amavis:x:108:clamav

After this modification you have to restart all services!
(postfix, clamav-daemon, clamav-freshclam, amvis)

Than you have to edit the /etc/amavis/amavisd.conf:
It's very big so I only list the changes:

line 66: $mydomain = 'localhost';

->>change to your hostname

line 429: $warnvirussender = 0;

->> no mail to virussender. because often the from emailaddres is faked!

line 442: $warnvirusrecip = 1;

->> the recipient gets an email that he has received an virus email

line 476: $virus_admin = undef;

->> postmaster gets no notification

Safe the configuration file and restart your amavid!

Now try to send an email and than try to send a virus from

If the repicient gets an email about “VIRUS ( EICAR.Test) IN MAIL TO YOU” all works fine.

If not, check the /var/log/mail.log and try to resolv the error!