Question for Chirpy - Mailscanner/Clamav

[knipper]

Hey Jonathan, (read so many of your posts it seems like I know ya!)

About a month ago I installed mailscanner/clamAV from a forum found elsewhere and never got it to work correctly. I then used the Layer1 install and then I had used your update for mailscanner found here and it worked great.

Well, due to too many undocumented changes from me (Thats what I get for working late night ) and then going from a stable to a current build I broke a bunch of stuff.

SOOoooooo Basically I had to format the disk and start from scratch. (This is not yet a production server!)

Now my question for you... there are so many threads about mailscanner/clamAV I'm no longer sure what to follow.

I'd like to make sure I get the most up-to-date mailscanner, ClamAV, etc. and make sure everything is correct (such as using Clammodule instead of AV.)

I was going to start by installing the layer1 version again, do your upgrade again.... but here's where I get lost....

I want to upgrade to the newest ClamAV, (or clammodule??) and am unsure how to upgrade this.

And... if there are any extra changes needed because of the newer exim fix. (which is why I went to current and broke my setup previously)

I don't need a detailed how-to.... if you could just point me to the correct threads/posts on how to do these things, or post a short list here that would be great.

I'm sure several people would be glad to have a new updated all in one spot resource!

Thanks in advance!

[chirpy]

Hi,

No problem

Here's what I do on new servers:

1. Install layer1 mailscanner

2. Upgrade clamav to the latest version simply by:

wget http://heanet.dl.sourceforge.net/sou...av-0.71.tar.gz
tar -xzf clamav-0.71.tar.gz
cd clamav-0.71
./configure
make
make install

3. Upgrade mailscanner using my HOWTO thread (I keep it up to date)

4. To overcome the problem you probably had before: WHM > Exim Configuration Editor > Switch to Advanced Mode > put the following line in the first textarea:

queue_only_override = false

Then scroll to the bottom and hit Save.

5. For Mail::ClamAV

/scripts/perlinstaller Mail::ClamAV

You might get some errors stating that other required perl modules are missing. Just install those too using:

/scripts/perlinstaller <module>

One example will probably be Inline::C, so just do

/scripts/perlinstaller Inline::C

Keep going until Mail::ClamAV will install

Then modify /usr/mailscanner/etc/MailScanner.conf and change the directive:

Virus Scanners = clamav

to:

Virus Scanners = clamavmodule

The stop and start MailScanner:
killall MailScanner
(check that all the MailScanner processes have died):
/usr/mailscanner/bin/check_mailscanner

tail -f /var/log/maillog to make sure MailScanner comes up OK.

Finally, send yourself the EICAR test virus http://www.eicar.org/anti_virus_test_file.htm and make sure it is detected.

Any problems, click on the link in my signature for a package where we can do all this for you

[knipper]

PERFECT!

That's exactly what I needed. I'll do this later tonight or in the AM.

I'll post and let you (and others) know how it goes.

Thanks again!

[knipper]

Thanks for the updated items. Everything went in with no problems at all.

I was able to install layer1 mailscanner,
Follow your upgrade...
Upgrade ClamAV, etc. You were correct... the only missing perl module was the Inline::C

and I got everything tested with no problems delivering mail, and no virus' coming through.

One question though...

What does this step do exactly?

4. To overcome the problem you probably had before: WHM > Exim Configuration Editor > Switch to Advanced Mode > put the following line in the first textarea:

queue_only_override = false

Then scroll to the bottom and hit Save.

Thanks again.

[chirpy]

That option prevents users who have privilege from overriding the option queue_only, like the root account, when sending emails locally. This is because MailScanner splits the exim functionality in two (one for delivery and one for sending) mail from CRON jobs, for example, can end up being lost if that option is not in place.

Glad it all went OK

[Cash]

Hi, i m newbie.
b4 i read this thread.
I was install the mailscan follow the guide from
http://www.hostinglife.com/security/mailscan.php

May I know after i done the installation, is it only function the scan mail ? it does not delete the virus , right?

after i done the steps follow from
http://www.hostinglife.com/security/mailscan.php ,
which steps i need continue to do to optimize my server mail AV?

thank you.

[chirpy]

Hi,

Well it should be scanning for viruses and removing the actual infected files as the cPanel distribution comes with ClamAV. However you do need to do two things:

1. You need to upgrade MailScanner to the latest version and there is a HOWTO here:
http://forums.cpanel.net/showthread....threadid=21290

2. You need to upgrade to the latest ClamAV and make the changes according to my first post in this thread (note: there's a newer version of ClamAv now - 0.72)

[Cash]

Greeting:

Hi. ^_^

After I install the mailscan. I do receive a lot of "Warning: E-mail viruses detected" emails...

Is it just a remider and the virus has been clean?

Regarding to MailScanner.conf,
If I chamne "Delever Cleaned Messages = No"
is it mean the virus mails will not deliver to user ?
after i change, do i need restart mailscan?

Thank you.

[chirpy]

Yes, Yes and Yes

[arhs]

When I run the ./configure

I get this error at end:


ERROR: User "clamav" (and/or group "clamav") doesn't exist. Please create it. You can omit this check with the --disable-clamav option.

[chirpy]

Do this first:

useradd clamav

[arhs]

Do this first:

useradd clamav

Thanks I just installed the CLAM AV , I haven't installed any of the perl modules, do I need to install them ?

[chirpy]

You will need to install the perl modules if you want to use the much quicker and more efficient clamavmodule. You can do so using the following two lines:

/scripts/perlinstaller Net::CIDR Archive::Zip Compress::Zlib Convert::BinHex Inline::C
/scripts/perlinstaller Mail::ClamAV

You can then modify your MailScanner.conf to use clamavmodule as explained in the previous post.

[ShAwNz]

Hi

Thanks for the information, did it and change the Virus Scanners in MailScanner.conf to clamavmodule. Then i noticed in /usr/mailscanner/etc/virus.scanners.conf has this

clamavmodule /bin/false /tmp


May i know if im doing it correctly ?

[chirpy]

That's fine. Clamavmodule uses aperl module (clearly) so doesn't need the information of other scanners in that file.

A word of caution. There is a bug in Mail::ClamAV v0.12 working with ClamAV 0.80 which the author is working on (i.e. it doesn't work!). I would recommend switching back to just clamav in the meantime. It looks like ClamAV 0.80 is much quicker and resource efficient anyway, so not using the perl module isn't such a hit now.