Forum - Use of ClamAV 0.97.1 with XWall

Use of ClamAV 0.97.1 with XWall
maga, 13.07.2011

The following example describes the installation of the Win32 version.
Use either the 32-bit or 64-bit version, depending on your target machine.

Download from http://oss.netfarm.it/clamav/

Win32:
clamav-win32-0.97.1.7z
Microsoft.VC80.8.0.50727.6195.CRT.x86.7z
vcredist_x86_6.0.2900.2180.exe

Amd64:
clamav-amd64-0.97.1.7z
Microsoft.VC80.8.0.50727.6195.CRT.amd64.7z
vcredist_x64_6.0.2900.2180.exe

Extract archive clamav-win32-0.97.1.7z to c:\
If your zipper does not support .7z format, download and install 7-zip
from http://www.7-zip.org.

Rename the extracted directory (e.g. clamav-win32-0.97.1) to c:\clamav

Create subdirectories "db", "log" and "tmp" within c:\clamav
md c:\clamav\db
md c:\clamav\log
md c:\clamav\tmp

Extract archive Microsoft.VC80.8.0.50727.6195.CRT.x86.7z to c:\clamav.
Make sure this creates a subdirectory c:\clamav\Microsoft.VC80.CRT
which contains the DLL files.

Install vcredist_x86_6.0.2900.2180.exe on the target machine.

Double-click the file c:\clamav\clamav.reg, which contains:

-------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\ClamAV]
"ConfigDir"="C:\\Clamav"
"DataDir"="C:\\Clamav\\db"
-------------------

Replace the default file c:\clamav\freshclam.conf with the following:

------------------
DatabaseMirror database.clamav.net
DNSDatabaseInfo current.cvd.clamav.net
DatabaseDirectory c:\clamav\db
Checks 12
NotifyClamd c:\clamav\clamd.conf
LogFileMaxSize 20480000
LogTime true
UpdateLogFile c:\clamav\log\freshclam.log
------------------

Open a CMD window to c:\clamav and install the freshclam service:

C:\clamav>freshclam --install
Service FreshClam successfully created

Start the freshclam service

C:\clamav>net start freshclam

Check the db directory for successful download of the signatures

C:\clamav\db>
bytecode.cld
daily.cld
main.cld
mirrors.dat

Ignore the warning in the log, it tells you that clamd is not running yet.

---------------------
Wed Jul 13 10:09:17 2011 -> freshclam daemon 0.97.1 (OS: win32, ARCH: i386, CPU: i386)
Wed Jul 13 10:09:17 2011 -> ClamAV update process started at Wed Jul 13 10:09:17 2011
Wed Jul 13 10:09:17 2011 -> main.cld is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
Wed Jul 13 10:09:19 2011 -> Downloading daily.cvd [100%]
Wed Jul 13 10:09:20 2011 -> daily.cvd updated (version: 13316, sigs: 147409, f-level: 60, builder: guitar)
Wed Jul 13 10:09:20 2011 -> bytecode.cld is up to date (version: 143, sigs: 40, f-level: 60, builder: edwin)
Wed Jul 13 10:09:21 2011 -> Database updated (993663 signatures) from database.clamav.net (IP: 130.59.10.36)
Wed Jul 13 10:09:22 2011 -> ERROR: NotifyClamd: Can't connect to clamd on localhost:3310
---------------------

Replace the default file C:\clamav\clamd.conf with the following:

---------------------
TCPSocket 3310
MaxThreads 2
LogFileMaxSize 20480000
LogTime true
LogFile c:\Clamav\log\clamd.log
DatabaseDirectory c:\clamav\db
TemporaryDirectory c:\clamav\tmp
---------------------

Open a CMD window to c:\clamav and install the clamd service:

C:\clamav>clamd --install
Service ClamD successfully created

Start services.msc

Change both ClamWin... services to Automatic startup and verify they are started:
ClamWin Free Antivirus Scanner Service
ClamWin Free Antivirus Database Updater

Test if clamdscan is working from the CMD prompt:

C:\clamav>clamdscan --version
ClamAV 0.97.1/13316/Wed Jul 13 02:22:12 2011

c:\clamav>clamdscan .
c:\clamav: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.078 sec (0 m 0 s)


XWall Settings for XWall versions from 3.46 and up:

XWall Admin, Options, Virus, On-Demand Scan
Check Enable virus scan on inbound messages
Virus scanner: ClamAV 0.96 with Clamd (clamdscan.exe)
Executable: c:\clamav\clamdscan.exe
Arguments: <FILE> --no-summary

XWall Admin, Options, Virus, On-Access Scan
Uncheck all checkboxes to deactivate any on-access scanning

Click Apply to accept the settings

XWall Admin, Options, Virus, Options
Options: Uncheck Scanner needs to be serialized, all other options can be checked
Action: Inbound message: Discard message
Outbound message: Send a non-delivery report to the sender

Save and exit XWall Admin

Set ClamAV local native mode by adding these lines
to your XWALL.INI file:

---------------------
VirusScannerClamAVNative=True
VirusScannerClamAVHost=localhost
VirusScannerClamAVPort=3310
---------------------
(The entries for VirusScannerClamAVHost and VirusScannerClamAVPort are the default,
which will make them disappear the next time you edit the XWall configuration from the
MBAdmin administration tool. If native mode is temporarily unavailable, XWall tries
falling back to on-demand mode.)
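The chain freshclam -> clamd -> XWall only works when the three configuration files above agree with each other (same DatabaseDirectory, NotifyClamd pointing at clamd.conf, clamd listening on the port XWall connects to, and clamd on the same host since native mode passes file paths). The following is an added example, not part of the post or of XWall/ClamAV, that parses the three fragments and reports mismatches; the sample strings are constructed from the values in this post.

```python
from typing import Dict, List

def parse_clamconf(text: str) -> Dict[str, str]:
    """clamd.conf / freshclam.conf: one "Option value" per line, '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts[key] = value.strip()
    return opts

def parse_ini(text: str) -> Dict[str, str]:
    """XWALL.INI lines of the form Key=Value; section headers and ';' comments are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith((";", "[")) and "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    return opts

def _same_path(a: str, b: str) -> bool:
    # Windows paths: case-insensitive, a trailing backslash does not matter
    return a.rstrip("\\").lower() == b.rstrip("\\").lower()

def check_setup(freshclam: str, clamd: str, xwall_ini: str) -> List[str]:
    """Return the mismatches that would break signature updates or native-mode scanning."""
    f, c, x = parse_clamconf(freshclam), parse_clamconf(clamd), parse_ini(xwall_ini)
    problems = []
    if not _same_path(f.get("DatabaseDirectory", ""), c.get("DatabaseDirectory", "")):
        problems.append("DatabaseDirectory differs: clamd would not load what freshclam downloads")
    if "NotifyClamd" not in f:
        problems.append("freshclam.conf lacks NotifyClamd: clamd is not told to reload after an update")
    if "TCPSocket" not in c:
        problems.append("clamd.conf has no TCPSocket: neither NotifyClamd nor XWall native mode can connect")
    elif x.get("VirusScannerClamAVNative", "").lower() == "true":
        if x.get("VirusScannerClamAVPort", "3310") != c["TCPSocket"]:
            problems.append("VirusScannerClamAVPort does not match clamd TCPSocket")
        if x.get("VirusScannerClamAVHost", "localhost").lower() not in ("localhost", "127.0.0.1"):
            problems.append("native mode sends file paths, so clamd must run on the XWall host")
    return problems

# Constructed samples using the values from the post.
FRESHCLAM_CONF = "DatabaseDirectory c:\\clamav\\db\nNotifyClamd c:\\clamav\\clamd.conf\n"
CLAMD_CONF = "TCPSocket 3310\nDatabaseDirectory c:\\clamav\\db\n"
XWALL_INI = "VirusScannerClamAVNative=True\nVirusScannerClamAVHost=localhost\nVirusScannerClamAVPort=3310\n"
```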


XWall Settings for XWall versions lower than 3.46:

With older XWall versions, you must configure XWall to use ClamAV
in on-demand mode (as native mode is not available yet):

XWall Admin, Options, Virus, On-Demand Scan
Check Enable virus scan on inbound messages
Virus scanner: Custom
Executable: c:\clamav\clamdscan.exe
Arguments: <FILE> --no-summary

XWall Admin, Options, Virus, On-Access Scan
Uncheck all checkboxes to deactivate any on-access scanning

XWall Admin, Options, Virus, Options
Options: Uncheck Scanner needs to be serialized, all other options can be checked
Action: Inbound message: Discard message
Outbound message: Send a non-delivery report to the sender

Save and exit XWall Admin

Edit XWALL.INI to add this line:
VirusScannerExitCode=XxXXXXXXXXXXXXXXXXXXXXXXX
(this tells XWall to treat only error level "1" as virus found, ignoring all other possible errors)


For all versions of XWall:

To use reporting, change Arguments to: <FILE> --no-summary --log=<TEMPFILE>

Download parsereport.zip from http://download.dataenter.co.at/ftp/demk/parsereport.zip
and extract the vbs script to your XWall directory, e.g. c:\xwall

Edit XWALL.INI to add these lines:
VirusPostScanner=C:\Windows\system32\cscript.exe
VirusPostScannerPara=C:\XWALL\ParseReport.vbs <TEMPFILE> <MSGFILE> CLAMAV


Exclude the directories c:\xwall and c:\clamav from your standard
On-Access File Scanner solution.


Verify that your XWall really catches viruses using ClamAV:
Send yourself an EICAR test virus, e.g. from http://tools.declude.com.
Verify that the test virus is caught by your XWall by checking the logfiles.


Log sample for clean mail in on-demand ClamAV mode:
11-07-13 10:58:41 0006: Virus: Scanning attachments...
11-07-13 10:58:41 0006: Executing C:\ClamAV\clamdscan.exe c:\xwall\temp\$TE8av5s --no-summary --log=c:\xwall\temp\$TE8av5x
11-07-13 10:58:41 0006: clamdscan.exe returned no error

Log sample for virus mail in on-demand ClamAV mode:
11-07-13 10:51:10 0010: Virus: Scanning attachments...
11-07-13 10:51:10 0010: Executing C:\ClamAV\clamdscan.exe c:\xwall\temp\$TE8av3m --no-summary --log=c:\xwall\temp\$TE8av3p
11-07-13 10:51:10 0010: clamdscan.exe returned error level 1
11-07-13 10:51:10 0010: Executing C:\WINDOWS\system32\cscript.exe C:\XWALL\ParseReport.vbs c:\xwall\temp\$TE8av3p c:\xwall\temp\$TE8av3q CLAMAV
11-07-13 10:51:11 0010: cscript.exe returned no error
11-07-13 10:51:11 0010: Virus: Scanner reported virus infection for eicar.com (clamAV: Eicar-Test-Signature)

Log sample for clean mail in native ClamAV mode:
11-07-13 10:48:54 0007: Virus: Scanning attachments...
11-07-13 10:48:54 0007: Connection opened with ClamAV at localhost:3310
11-07-13 10:48:54 0007: > SCAN c:\xwall\temp\$TE8aty8
11-07-13 10:48:54 0007: < c:\xwall\temp\$TE8aty8: OK
11-07-13 10:48:54 0007: Connection closed with ClamAV at localhost:3310

Log sample for virus mail in native ClamAV mode:
11-07-13 10:48:14 0006: Virus: Scanning attachments...
11-07-13 10:48:14 0006: Connection opened with ClamAV at localhost:3310
11-07-13 10:48:14 0006: > SCAN c:\xwall\temp\$TE8aty2
11-07-13 10:48:14 0006: < \\?\c:\xwall\temp\$TE8aty2: Eicar-Test-Signature FOUND
11-07-13 10:48:14 0006: Connection closed with ClamAV at localhost:3310
11-07-13 10:48:14 0006: Virus: Scanner reported virus infection for eicar.com (Eicar-Test-Signature)
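Both modes produce the same result line per file ("path: OK", "path: Signature FOUND", "path: message ERROR"): in native mode as the reply to SCAN on TCP 3310, in on-demand mode as the report that clamdscan writes via --log=<TEMPFILE> for ParseReport.vbs. The following is an added example, not code from the post or from XWall/ClamAV, that parses such lines (including the \\?\ path prefix seen in the native-mode log above), reads a report the way ParseReport.vbs does, and performs the native SCAN exchange; the sample report is constructed.

```python
import re
import socket
from typing import List, Optional, Tuple

# One line shape in both XWall modes (the TCP reply to SCAN and each line of the
# clamdscan --log report): "<path>: OK", "<path>: <signature> FOUND" or
# "<path>: <message> ERROR". clamd on Windows may prefix the path with \\?\
# (see the native-mode virus log above), which is stripped here.
_LINE_RE = re.compile(
    r"^(?:\\\\\?\\)?(?P<path>.+?): (?:(?P<detail>.+) )?(?P<verdict>OK|FOUND|ERROR)$")

def parse_clamd_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (path, verdict, detail) for one clamd result line, or None if it is not one."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("verdict"), m.group("detail") or ""

def scan_native(path: str, host: str = "localhost", port: int = 3310) -> Optional[Tuple[str, str, str]]:
    """What XWall's native mode does: send "SCAN <path>" to clamd on TCP 3310 and read
    one reply line. clamd opens the path itself, so it must run on the XWall machine,
    as in the setup above."""
    with socket.create_connection((host, port), timeout=60) as sock:
        sock.sendall(f"SCAN {path}\n".encode("utf-8"))
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = sock.recv(4096)
            if not chunk:  # clamd closed the connection
                break
            buf += chunk
    return parse_clamd_line(buf.decode("utf-8", errors="replace"))

def infections_in_report(report_text: str) -> List[Tuple[str, str]]:
    """The job ParseReport.vbs does in on-demand mode: collect (file, signature) pairs
    from the report clamdscan wrote via --log=<TEMPFILE>; non-result lines are skipped."""
    hits = []
    for line in report_text.splitlines():
        parsed = parse_clamd_line(line)
        if parsed and parsed[1] == "FOUND":
            hits.append((parsed[0], parsed[2]))
    return hits

# Constructed sample report in the per-file format clamdscan writes with --no-summary.
SAMPLE_REPORT = """c:\\xwall\\temp\\$TE8av3m: Eicar-Test-Signature FOUND
c:\\xwall\\temp\\$TE8av3n: OK
"""
```

scan_native only succeeds against a running clamd; the parsing functions work offline on captured lines.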


Check the c:\clamav\log\freshclam.log some hours later to verify
that the updates are working and Clamd is notified properly:

---------------------
Wed Jul 13 11:09:17 2011 -> freshclam daemon 0.97.1 (OS: win32, ARCH: i386, CPU: i386)
Wed Jul 13 11:09:17 2011 -> ClamAV update process started at Wed Jul 13 11:09:17 2011
Wed Jul 13 11:09:17 2011 -> main.cld is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
Wed Jul 13 11:09:19 2011 -> Downloading daily.cvd [100%]
Wed Jul 13 11:09:20 2011 -> daily.cvd updated (version: 13316, sigs: 147409, f-level: 60, builder: guitar)
Wed Jul 13 11:09:20 2011 -> bytecode.cld is up to date (version: 143, sigs: 40, f-level: 60, builder: edwin)
Wed Jul 13 11:09:21 2011 -> Database updated (993663 signatures) from database.clamav.net (IP: 130.59.10.36)
Tue Jul 13 11:09:21 2011 -> Clamd successfully notified about the update.
---------------------
(This can be forced by deleting some or all of the signature files in the db
subdirectory and restarting the freshclam service.)


Just for information, this is what my XWALL.INI entries for AV look like:
ScanInboundMessages=True
VirusScanner=C:\ClamAV\clamdscan.exe
VirusScannerPara=<FILE> --no-summary --log=<TEMPFILE>
VirusScannerTyp=10
VirusScannerExitCode=XxXXXXXXXXXXXXXXXXXXXXXXX
VirusPostScanner=C:\WINDOWS\system32\cscript.exe
VirusPostScannerPara=C:\XWALL\ParseReport.vbs <TEMPFILE> <MSGFILE> CLAMAV
DebugVirusScanner=True
VirusScannerSerialize=False
VirusScannerScanAlways=True
VirusScannerClamAVNative=True
InboundVirusNDRTyp=0


Some "standard" performance data for inbound mail scanning in native ClamAV mode:

clamav-win32-0.97.1.7z
11-07-13 11:14:08 0006: Virus: Scanning attachments...
11-07-13 11:14:08 0006: Connection opened with ClamAV at localhost:3310
11-07-13 11:14:08 0006: > SCAN c:\xwall\temp\$TE8azah
11-07-13 11:14:16 0006: < c:\xwall\temp\$TE8azah: OK
11-07-13 11:14:16 0006: Connection closed with ClamAV at localhost:3310
8 sec

beta_xwall_32.zip (Version 3.47a)
11-07-13 11:16:08 0015: Virus: Scanning attachments...
11-07-13 11:16:08 0015: Connection opened with ClamAV at localhost:3310
11-07-13 11:16:08 0015: > SCAN c:\xwall\temp\$TE8azb4
11-07-13 11:16:09 0015: < c:\xwall\temp\$TE8azb4: OK
11-07-13 11:16:09 0015: Connection closed with ClamAV at localhost:3310
1 sec

mrtg-2.17.2.zip
11-07-13 11:17:33 0006: Virus: Scanning attachments...
11-07-13 11:17:33 0006: Connection opened with ClamAV at localhost:3310
11-07-13 11:17:33 0006: > SCAN c:\xwall\temp\$TE8azbs
11-07-13 11:17:38 0006: < c:\xwall\temp\$TE8azbs: OK
11-07-13 11:17:38 0006: Connection closed with ClamAV at localhost:3310
5 sec


Removal of the ClamAV installation

C:\clamav>net stop freshclam

The ClamWin Free Antivirus Database Updater service was stopped successfully.


C:\clamav>net stop clamd

The ClamWin Free Antivirus Scanner Service service was stopped successfully.


C:\clamav>freshclam --uninstall
Service FreshClam successfully removed

C:\clamav>clamd --uninstall
Service ClamD successfully removed

Services are marked for deletion and will be removed at the next system reboot


Remove the registry entries by importing this .reg file:

-----------------------
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\ClamAV]
-----------------------

Delete directory c:\clamav

Remember to change the XWall settings for AV scanning, too.

Valid Options for clamd.conf: http://linux.die.net/man/5/clamd.conf