  1. #1
    Member
    Join Date
    Mar 2006
    Posts
    18

    Exclamation [StepByStep] Installing ClamAV antivirus and integrating with Exim and pure-ftpd

    Every good server must have a good antivirus installed. Let's install ClamAV on our machine. Paths to distributions point to the latest versions at the time of writing. If a new version is released, all you need to do is change the numbers in the shell commands.

    SSH to your server

    Step 1. Installing prerequisites.
    Clam uses several system libraries in its work. We need to install them.

    Upgrading gcc compiler
    You may skip this step, but in order to compile safe GMP it is better to have the latest GCC version. You may check current gcc version with gcc -v command

    cd /usr/local
    mkdir gcc
    cd gcc
    wget ftp://mirrors.kernel.org/gnu/gcc/gcc...-4.2.2.tar.bz2
    tar -jxvf gcc-core-4.2.2.tar.bz2
    mkdir obj
    cd obj
    At this point we need to check with what options gcc was compiled at your system before. This can be done using gcc -v. You need to copy all parameters to configure command. Note how we run configure - from obj directory only. Here is an example from my PC
    ../gcc-4.2.2/configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-java-awt=gtk --host=i386-redhat-linux
    make
    make install

    Installing/upgrading zlib
    cd /usr/local
    mkdir zlib
    cd zlib
    wget http://www.zlib.net/zlib-1.2.3.tar.gz
    tar -zxvf zlib-1.2.3.tar.gz
    cd zlib-1.2.3
    ./configure
    make
    make install

    Installing/upgrading bzip2
    cd /usr/local
    mkdir bzip2
    cd bzip2
    wget http://www.bzip.org/1.0.4/bzip2-1.0.4.tar.gz
    tar -zxvf bzip2-1.0.4.tar.gz
    cd bzip2-1.0.4
    make
    make install

    Installing/upgrading GMP
    cd /usr/local
    mkdir gmp
    cd gmp
    wget ftp://ftp.gnu.org/gnu/gmp/gmp-4.2.2.tar.gz
    tar -zxvf gmp-4.2.2.tar.gz
    cd gmp-4.2.2
    ./configure
    make
    make install

    Step 2. Installing ClamAV.
    groupadd clamav
    useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
    cd /usr/local
    mkdir clamav
    cd clamav
    Now wget clamav sources from this page: http://clamav.org/download/sources. Latest ClamAV version at the time of writing is 0.92
    wget http://freshmeat.net/redir/clamav/29...av-0.92.tar.gz
    tar -zxvf clamav-0.92.tar.gz
    cd clamav-0.92
    ./configure
    make
    make install
    Next two lines will make your clam configuration files fall to default settings. You can edit both of them anytime to change settings.
    sed -i 's/Example/#Example/g' /usr/local/etc/freshclam.conf
    sed -i 's/Example/#Example/g' /usr/local/etc/clamd.conf
    freshclam -d
    clamd
    At this point clam is successfully installed

    Step 3. Scheduling everyday updates
    touch /var/log/freshclam.log
    chmod 600 /var/log/freshclam.log
    chown clamav /var/log/freshclam.log
    Let's now make clamd and freshclam start at machine startup
    Locate file rc.local on your server. On CentOS it should be at /etc/rc.d/rc.local. Execute the following commands
    echo /usr/local/bin/freshclam -d >> /etc/rc.d/rc.local
    Additionally let's make clamd start on system startup
    echo /usr/local/bin/clamd >> /etc/rc.d/rc.local

    Step 4. Exim mail daemon integration
    To complete this step you need to have exim at least 4.50 installed on your server. Issue the following command:
    exim -bV
    Check that the version is at least 4.50 and that the string Content_Scanning appears in the output (around the fourth line)
    If all is ok - open WHM and go to Service Configuration -> Exim Configuration Editor -> Advanced editor
    Add the following line to the very first text field:
    Code:
    av_scanner = clamd:/tmp/clamd.socket
    And to the second (after begin acl line):
    Code:
    acl_check_virus:
            deny message   = Message rejected: virus found!
                hosts       = *
                malware     = *
            accept
    Save configuration. WHM will restart Exim and apply your settings.

    Step 4. Integrating with pure-ftpd
    Creating post-upload checking script
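    echo \#\!/bin/sh > /etc/pure-ftpd/upload-av-check.sh
    echo '/usr/local/bin/clamdscan --remove --quiet --no-summary "$1"' >> /etc/pure-ftpd/upload-av-check.sh
    # pure-uploadscript executes the script directly, so it must be executable
    chmod 755 /etc/pure-ftpd/upload-av-check.sh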
    Instructing pure-ftpd to use it at every server startup
    echo /usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/upload-av-check.sh >> /etc/rc.d/rc.local
    Enabling check-on-upload in the pure-ftpd config file. You can grep "CallUpload" /etc/pure-ftpd.conf to ensure everything changed correctly.
    sed -i 's/#CallUploadScript/CallUploadScript/' /etc/pure-ftpd.conf
    Using it now
    /usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/upload-av-check.sh
    Restarting pure-ftpd (this can also be done from WHM of course)
    service pure-ftpd restart
    Last edited by FractalizeR; 01-27-2008 at 09:00 AM.
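
A more verbose variant of the upload hook from post #1, as an added example that is not part of the original thread: it drops `--quiet` and `--remove`, logs every outcome to syslog, and separates clamdscan's exit codes (0 clean, 1 infected, 2 error) so a scan that never ran is visible. The quarantine directory, log tag and function names are assumptions; `UPLOAD_USER` is set by pure-uploadscript.

```shell
#!/bin/sh
# Added example (not from the thread): upload hook for pure-uploadscript.
# pure-uploadscript passes the uploaded file's path as $1.
# Assumed names: QUARANTINE directory, LOG_TAG, scan_upload, log_msg.
SCANNER="${SCANNER:-/usr/local/bin/clamdscan}"   # path used in the post
QUARANTINE="${QUARANTINE:-/var/quarantine/ftp}"  # assumed location
LOG_TAG="upload-av-check"

log_msg() {
    # Write to syslog; fall back to stderr if logger is unavailable.
    logger -t "$LOG_TAG" -- "$*" 2>/dev/null || printf '%s\n' "$*" >&2
}

scan_upload() {
    file="$1"
    user="${UPLOAD_USER:-unknown}"   # set by pure-uploadscript
    if [ ! -f "$file" ]; then
        log_msg "error: not a regular file: $file (user=$user)"
        return 2
    fi
    rc=0
    "$SCANNER" --no-summary "$file" >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0)  log_msg "clean: $file (user=$user)" ;;
        1)  # Infected: move aside instead of deleting, so it can be reviewed.
            mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE" &&
                mv -- "$file" "$QUARANTINE/" &&
                log_msg "INFECTED: $file quarantined (user=$user)" ||
                log_msg "INFECTED: $file could NOT be quarantined (user=$user)"
            ;;
        *)  # 2 = clamdscan error (clamd down, socket or file not readable);
            # 126/127 = scanner not executable or not found.
            log_msg "scan FAILED rc=$rc: $file left unscanned (user=$user)" ;;
    esac
    return "$rc"
}

# Entry point when run by pure-uploadscript.
if [ -n "${1:-}" ]; then
    scan_upload "$1"
fi
```

After uploading a test file over FTP, the syslog lines tagged `upload-av-check` show whether the hook ran at all and, if it did, which of the three outcomes it hit.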

  2. #2
    Member
    Join Date
    May 2006
    Location
    Morocco
    Posts
    158
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    great post .

    anyone has tested clamav with ftp ?

  3. #3
    Member
    Join Date
    Mar 2008
    Posts
    33

    Default FTP hangs...

    After trying to enable the CallUploadScript and restarting FTP, the pure-ftpd task hangs and cannot be restarted... looks like it should work, but enabling that directive hangs ftp. oh well...
    Rob

  4. #4
    Member
    Join Date
    Mar 2006
    Posts
    18

    Default

    Quote Originally Posted by robb3369 View Post
    After trying to enable the CallUploadScript and restarting FTP, the pure-ftpd task hangs and cannot be restarted... looks like it should work, but enabling that directive hangs ftp. oh well...
    Is PureFTPD of latest version?

  5. #5
    Member
    Join Date
    Mar 2008
    Posts
    33

    Default v1.0.21

    According to their website, this is the latest: pure-ftpd v1.0.21
    Rob

  6. #6
    Member mykkal's Avatar
    Join Date
    Feb 2007
    Location
    Atlanta, Georgia, United States
    Posts
    110

    Default Clam antivirus & pure ftp

    Quote Originally Posted by robb3369 View Post
    According to their website, this is the latest: pure-ftpd v1.0.21
    Were you able to get it working with pure FTP?

  7. #7
    Member mykkal's Avatar
    Join Date
    Feb 2007
    Location
    Atlanta, Georgia, United States
    Posts
    110

    Question Integrating Clam Antivirus 0.96 & Exim: How Can We Verify it's working?

    Is the exim integration supposed to add headers to mail as well?

    I have clam .96 and have tried installing the integration but don't notice any changes to my headers.

    I have no idea if incoming or outgoing mail is being scanned.

  8. #8
    Member
    Join Date
    Feb 2008
    Posts
    26

    Default Re: [StepByStep] Installing ClamAV antivirus and integrating with Exim and

    I set CallUploadScript to yes within pure-ftpd.conf, and after running "/usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/upload-av-check.sh", I ran "service pure-ftpd restart".

    Then, although I uploaded the c99_shell.php file (as a test) using FTP client software, no virus was detected and virusscan-file was not run.
    (For virus detection, I am using clamdscan and virusscan-file has described chmod to it.)

    Although all logs are recorded on the messages file in syslog, only the log which uploaded the c99_shell.php file is recorded.

    If clamdscan is run from ssh shell, c99_shell.php will be detected normally.

    Please advise me that CallUploadScript runs normally if you please.

    CENTOS 5.7 x86_64 standard on server
    WHM 11.31.2 (build 10)
    pure-ftpd-1.0.32-1

  9. #9
    Member
    Join Date
    Mar 2006
    Posts
    18

    Default Re: [StepByStep] Installing ClamAV antivirus and integrating with Exim and

    Try to use "eicar" for testing.

  10. #10
    Member
    Join Date
    Feb 2008
    Posts
    26

    Default Re: [StepByStep] Installing ClamAV antivirus and integrating with Exim and

    Then, although I uploaded the eicar test file using FTP client software (FileZilla), no virus was detected!

    If clamdscan is run from ssh command, eicar will be detected normally.

    Please help!
