The Community Forums


What anti-virus solutions?

Discussion in 'General Discussion' started by ozzi4648, Oct 13, 2002.

  1. ozzi4648

    ozzi4648 Guest

    I had to laugh when I saw the anti-virus solutions built into Exim, if you can call it that. Really, what are they thinking? We have Mailscanner running on all our boxes using RAV with the latest db updated on a daily basis. Our servers catch hundreds of viruses across 22 boxes on a daily basis. This is really what we are aiming to do with our Cpanel box. Anyone interested in a HOWTO? Give me a while and let me see what I can whip up. ;)
     
  2. haze

    haze Well-Known Member

    A How-to would be great.
     
  3. jdatwood

    jdatwood Active Member

    I for one think something like this NEEDS to be done!
     
  4. Vital

    Vital Active Member

    Undoubtedly this is interesting! As an alternative, I'm experimenting with Kaspersky AntiVirus Protection; let's see if this thing will work with exim.
     
  5. NEMON

    NEMON Registered

    Most antivirus software for Linux is way too expensive.

    For free, open-source antivirus software, I suggest grabbing a copy from

    http://freshmeat.net/redir/clamav/29355/url_tgz/clamav-0.51.tar.gz

    Once you are done downloading that, do the following steps:

    groupadd clamav
    useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav

    tar zxpvf clamav-0.51.tar.gz
    cd clamav-0.51
    ./configure
    make
    make install

    Everything should go smoothly, and ClamAV will be installed in

    /usr/local/bin/

    To update your virus definitions, issue the following command:

    freshclam

    Autoupdate Virus Def

    touch /var/log/clam-update.log
    chmod 644 /var/log/clam-update.log
    chown clamav /var/log/clam-update.log

    freshclam -d -c 2 -l /var/log/clam-update.log

    It will check for a new database 2 times a day. Please add this line to your startup scripts. The other way is to use the cron daemon. You have to add a similar line to the crontab of root or clamav:

    0 8 * * * /usr/local/bin/freshclam --quiet -l /var/log/clam-update.log

    Now that you are done installing the ClamAV scanner, the next step is to grab a copy of the AMaViS mail scanner for incoming and outgoing email:

    http://www.amavis.org/dist/perl/amavis-perl-11.tar.gz

    tar zxpvf amavis-perl-11.tar.gz
    # clamav-x.yz is the ClamAV source directory unpacked above (clamav-0.51)
    cp clamav-x.yz/support/amavis/clamavis.patch amavis-perl-11
    cd amavis-perl-11
    patch -p1 < clamavis.patch
    # reset all timestamps so make does not try to regenerate configure
    find . -exec touch -t 01010000 {} \;

    ./configure
    make
    make install

    Once you issue the make install command it will ask you to install a few pieces of software on your server. Don't worry, nothing will get messed up on your server, as I am using the above virus scanner on my server.

    If you are missing any software:

    Decompressors and Decoders

    -uudecode
    -compress
    -gunzip
    -unzip
    -unarj
    -unrar
    -xbin
    -LHArc
    -bunzip2
    -zoo
    -arc
    -freeze
    -tnef

    You might need to get
    zoo
    arc
    tnef
    freeze

    because that's what AMaViS asked me to install. You can grab copies of those from

    http://www.rpmfind.net and search for the above software, but make sure you download the one that matches your server version; for example, if you are running RH 7.2 then you have to get the zoo package for RH 7.2 i386.

    Install them on your server using

    rpm -Uvh zoo.rpm

    Issue the above command for all the missing software on your server. Now you are done with that part too.

    Next Step

    Perl Modules :-

    perl -MCPAN -e shell

    install Unix::Syslog
    install Convert::UUlib
    install Convert::TNEF
    install Compress::Zlib
    install Archive::Tar
    install Archive::Zip
    install G/GB/GBARR/MailTools-1.15.tar.gz
    install MIME::Tools
    install Bundle::libnet

    Once you are done with the above, the final step is to install the AMaViS software. Issue the following commands; if you don't get any file-missing errors, it means you are done installing it.

    cd amavis-perl-11
    ./configure
    make
    make install

    That's all for this part.

    pico /etc/mail/sendmail.mc

    dnl
    dnl Change Mlocal to use AMaViS-Perl
    define(`LOCAL_MAILER_PATH', `/usr/sbin/amavis')dnl
    define(`LOCAL_MAILER_ARGS', CONCAT(`amavis $f $u /usr/bin/',
    LOCAL_MAILER_ARGS))dnl
    dnl please set the path to your procmail accordingly!
    dnl the following works only with sendmail 8.10.x or above
    MODIFY_MAILER_FLAGS(`LOCAL', `-m')dnl

    m4 /etc/mail/sendmail.mc > /etc/sendmail.cf

    That should be it...

    To run clamd you need to remove the # from clamd.conf, somewhere in /usr/local/share.

    This was done on a sendmail server, with no Exim, but I think it should be the same thing.

    I also sent the same thing to bdraco a day ago.
     
  6. ozzi4648

    ozzi4648 Guest

    Originally posted by NEMON:
    > Most antivirus software for Linux is way too expensive.

    Mailscanner is free, much better than Amavis, and I can get a RAV anti-virus license for less than $30.00 per server. ;)
     
  7. ecoutez

    ecoutez Well-Known Member

    AMaViS-NG is a better choice

    If you're going the AMaViS route, the -NG version is a better choice. It integrates fairly easily as well.

    I had promised to get some docs together, but this is still somewhat incomplete. Here's what I do have though...

    Start by downloading amavis-ng:
    http://sourceforge.net/projects/amavis

    Relevant README included in the tarball:
    doc/README.exim-perl

    AntiVirus Scanner - my personal preference is uvscan:
    McAfee Download:
    McAfee VirusScan Command Line Scanner for... Linux (4.16)
    http://www.mcafeeb2b.com/naicommon/buy-try/try/products-evals.asp
    register and download vlnx416e.tar.Z


    Now we need to update the DAT file and install the program to do so via cron
    uvupdate:
    http://main.psi.com.br/~julio/uvscan/
    read and follow uvupdate INSTALL file - select experimental or not
    Add symbolic link from /etc/cron.daily/uvupdate to your installed uvupdate program

    edit /etc/exim.conf:
    edit out # message_filter = /etc/antivirus.exim
    insert...
    message_filter = /etc/exim/amavis.filter
    message_filter_user = mail
    message_filter_group = mail
    deliver_load_max = 3
    queue_only_load = 4

    I elected to also edit this value:
    deliver_queue_load_max = 5


    copy /root/src/amavis-ng/amavis-ng-0.1.3.1/doc/exim/exim.filter to /etc/exim/amavis.filter

    insert line at top of /etc/exim.pl:
    do '/usr/share/amavis/amavis-filter.pl';

    perl -MCPAN -e shell
    install File::MMagic
    install Config::IniFiles
    install MIME::Tools     (mine was up-to-date)
    install Convert::TNEF
    install Convert::UUlib
    install Compress::Zlib  (MINE WAS UP-TO-DATE)
    install Archive::Tar    (was up to date)


    Also may be desired (no guarantee that these are the latest though...)
    * unrar ftp://speakeasy.rpmfind.net/linux/contrib/libc6/i386/unrar-3.0-1.i386.rpm
    * zoo http://ftp.task.gda.pl/linux/RPMS/redhat/libc6/contribs/i386/zoo-2.10-7.i386.html
    * arc ftp://speakeasy.rpmfind.net/linux/contrib/libc6/i386/arc-5.21e-6.i386.rpm
    * lha http://www.redhat.com/swr/i386/lha-1.14i-4.i386.html
    * unarj http://www.redhat.com/swr/i386/unarj-2.43-10.i386.html


    Then install amavis-ng:
    make && make install


    cp /root/src/amavis-ng/amavis-ng-0.1.3.1/etc/amavis.conf /etc/

    edit /etc/amavis.conf with your fav. editor:
    - enable EximPerl (line 11) and at least one scanner (I use NAI) -- FSP is FILE::Scan Perl module (free and installed)
    - enable extractor modules which are installed
    - select headers
    - unpack directory - I use /tmp/amavis/ chmod 755, chown mail.mail

    In the [notify] section, I recommend not selecting a local domain at all. This appears to work best in my testing:
    ;; local domain = .*example\.com

    - set admin mail addresses to/from
    - check path for virusscan program and external compression programs

    - /etc/amavis.conf file must be in /etc/amavis/ ... I added a symbolic link to take care of this. It may work with amavis.conf only in /etc/amavis/ but I have not had a chance to test that.

    The only problem with this is if/when CPanel updates Exim. In the past, the exim.conf would be overwritten, but the past few updates seem to have preserved the config file. :) However, you also need to ensure that the first line of your exim.pl doesn't get wiped out. chattr could help here.

    - Jason
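    Whichever integration you pick (NEMON's AMaViS + ClamAV as the sendmail local mailer, or the amavis-ng Exim filter described in this post), the step both write-ups leave out is proving the scanner is actually in the delivery path. The usual check is to mail yourself the EICAR test file and then look for the message in the maillog and the quarantine. The following is an added example, not code from either post or from AMaViS; it builds such a message with Python's standard library, checks that the attachment round-trips unchanged, and, when run directly, submits it to the local MTA. The example.com addresses, localhost:25, the scanner-test.invalid Message-ID domain and the eicar.com filename are assumptions for illustration.

```python
"""Build an EICAR test message to confirm a mail virus scanner really fires.

Added example; the scanner integration itself (AMaViS, amavis-ng, ...) is
whatever the posts above installed.  Run it, then look for the printed
Message-ID in the maillog and in the quarantine directory.
"""
import hashlib
import smtplib
from email import message_from_bytes, utils
from email.message import EmailMessage
from email.policy import default as default_policy

# The 68-byte EICAR test string, assembled from two halves so that this source
# file is not itself flagged by an on-access scanner.
EICAR_TEST_STRING = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
# Published SHA-256 of the EICAR file; guards against a typo in the constant.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes():
    """Return the EICAR test file, refusing to continue if the constant is corrupt."""
    data = EICAR_TEST_STRING.encode("ascii")
    if hashlib.sha256(data).hexdigest() != EICAR_SHA256:
        raise ValueError("EICAR constant does not match its published SHA-256")
    return data


def build_test_message(sender, recipient, payload=None, filename="eicar.com"):
    """Build a MIME message carrying `payload` (default: EICAR) as an attachment."""
    if payload is None:
        payload = eicar_bytes()
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Virus scanner test (EICAR)"
    # Assumed domain; a fixed Message-ID lets you grep the maillog afterwards.
    msg["Message-ID"] = utils.make_msgid(domain="scanner-test.invalid")
    msg.set_content(
        "This message carries the EICAR test file as an attachment.\n"
        "If it reaches the mailbox unchanged, the scanner is not in the delivery path.\n"
    )
    # Bytes content is base64-encoded by default, so it survives transport intact.
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg


def attachments(raw):
    """Parse raw RFC 822 bytes and return [(filename, decoded_bytes), ...]."""
    msg = message_from_bytes(raw, policy=default_policy)
    return [(part.get_filename(), part.get_payload(decode=True))
            for part in msg.iter_attachments()]


def carries_eicar(raw):
    """True if any attachment of the raw message hashes to the EICAR test file."""
    return any(hashlib.sha256(data).hexdigest() == EICAR_SHA256
               for _, data in attachments(raw))


def send_test(msg, host="localhost", port=25):
    """Submit the message to the local MTA; returns its Message-ID for log correlation."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.send_message(msg)
    return msg["Message-ID"]


if __name__ == "__main__":
    # Addresses are assumptions; use a mailbox you can read on the scanned host.
    test = build_test_message("postmaster@example.com", "scanner-test@example.com")
    if not carries_eicar(test.as_bytes()):
        raise SystemExit("attachment did not round-trip; not sending")
    print("sent", send_test(test))
```

    If the scanner is wired in correctly the message never reaches the mailbox: it is quarantined and the maillog shows a detection against the Exim or sendmail queue ID. If it arrives intact, the filter or local-mailer change is not being applied, which is exactly the failure mode the exim.conf / exim.pl overwrite warning in this post is about.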
     
  8. bdraco

    bdraco Guest

    http://layer1.cpanel.net/exim+virusscan.tar.gz

    If you use this, exim should keep the config between updates
     
  9. macian

    macian Member

    mailscanner

    Originally posted by ozzi4648:
    > I had to laugh when I saw the anti-virus solutions built into Exim, if you can call it that. Really, what are they thinking? We have Mailscanner running on all our boxes using RAV with the latest db updated on a daily basis. Our servers catch hundreds of viruses across 22 boxes on a daily basis. This is really what we are aiming to do with our Cpanel box. Anyone interested in a HOWTO? Give me a while and let me see what I can whip up. ;)

    yeah... I would definitely be interested in setting something like that up on my server... a quick howto would be great...
     
  10. ozzi4648

    ozzi4648 Guest

    Originally posted by macian:
    > Originally posted by ozzi4648:
    > > I had to laugh when I saw the anti-virus solutions built into Exim, if you can call it that. Really, what are they thinking? We have Mailscanner running on all our boxes using RAV with the latest db updated on a daily basis. Our servers catch hundreds of viruses across 22 boxes on a daily basis. This is really what we are aiming to do with our Cpanel box. Anyone interested in a HOWTO? Give me a while and let me see what I can whip up. ;)
    >
    > yeah... I would definitely be interested in setting something like that up on my server... a quick howto would be great...

    Still working on this. When it's working correctly I will post a howto. All I have to say is it's harder to implement with Exim than with Sendmail.
     
  11. bdraco

    bdraco Guest

    wget http://layer1.cpanel.net/exim+virusscan.tar.gz
    tar xfzv exim+virusscan.tar.gz
    cd exim+virusscan
    sh install
     
  12. ozzi4648

    ozzi4648 Guest

    Originally posted by bdraco:
    > wget http://layer1.cpanel.net/exim+virusscan.tar.gz
    > tar xfzv exim+virusscan.tar.gz
    > cd exim+virusscan
    > sh install

    No thanks! Mailscanner is a much better solution and it runs on 22 of our other servers, catching hundreds of infected emails daily! Our virus signature db's are updated daily on all our servers and we are using RAV, not some generic catch-me-if-you-can solution.
    Thanks for your suggestion.
     
  13. moronhead

    moronhead Well-Known Member

    Originally posted by ozzi4648:
    > Originally posted by bdraco:
    > > wget http://layer1.cpanel.net/exim+virusscan.tar.gz
    > > tar xfzv exim+virusscan.tar.gz
    > > cd exim+virusscan
    > > sh install
    >
    > No thanks! Mailscanner is a much better solution and it runs on 22 of our other servers, catching hundreds of infected emails daily! Our virus signature db's are updated daily on all our servers and we are using RAV, not some generic catch-me-if-you-can solution.
    > Thanks for your suggestion.

    I believe Nick was replying to a comment made by ecoutez about exim.conf. You must be so preoccupied with your own "best" solution that you obviously don't bother either paying attention to or reading other members' posts.

    Well, you can keep paying for your scanner; that's your choice. I can't see anything wrong with the step-by-step solutions recommended by nemon and ecoutez, where you pay zilch and you'd still get equally reasonable results!
     
  14. hkewell

    hkewell Well-Known Member

    How do I update the virus db?

    What is the command, or is there an autoupdate?
     
  15. haze

    haze Well-Known Member

    Nick you bloody legend! :)
     
  16. ozzi4648

    ozzi4648 Guest

    I have completed the integration of Mailscanner+Rav Anti-virus+Exim on our Cpanel server, working great. Already had many many viruses caught. Here is one.

    The following e-mail messages were found to have viruses in them:

    Sender: <sevenweb@korea.com>
    IP address: 61.254.68.111
    Recipient: fdgfh@cvf.net
    Subject: (광고) 홈페이지제작 쇼핑몰제작 한국인터넷뱅크  [Korean, mis-encoded in the original: "(Advertisement) Website design, shopping-mall design, Korea Internet Bank"]
    MessageID: 182Zfo-0002ES-00
    Report: Possible Microsoft security vulnerability attack

    --
    MailScanner
    Email Virus Scanner

    and another

    The following e-mail messages were found to have viruses in them:

    Sender: <mail@clubweekend.co.kr>
    IP address: 218.234.58.180
    Recipient: fdgfh@cvf.net
    Subject: (광고)여러분을 백양 단풍축제에 초대합니다.(Commercial)  [Korean, mis-encoded in the original: "(Advertisement) We invite you to the Baegyang maple festival."]
    MessageID: 182Zex-0002Db-00
    Report: Possible Microsoft security vulnerability attack

    --
    MailScanner
    Email Virus Scanner

    Here is what you will see in your /var/log/maillog when a virus is detected.

    Oct 18 09:07:40 srv08 mailscanner[5991]: Scanning 1 messages, 12566 bytes
    Oct 18 09:07:42 srv08 mailscanner[5991]: Detected Microsoft-specific exploits in 182Zex-0002Db-00
    Oct 18 09:07:43 srv08 mailscanner[5991]: Found 1 viruses in messages 182Zex-0002Db-00
    Oct 18 09:07:43 srv08 mailscanner[5991]: Scanned 1 messages, 12566 bytes in 0 seconds
    Oct 18 09:07:43 srv08 mailscanner[5991]: Saved entire message to /var/spool/MailScanner/quarantine/20021018/182Zex-0002Db-0$
    Oct 18 09:07:43 srv08 mailscanner[5991]: Notified root@srv08.primenet.cc about 1 infections
    Oct 18 09:07:44 srv08 mailscanner[5991]: Scanning 1 messages, 921 bytes
    Oct 18 09:07:45 srv08 mailscanner[5991]: Scanned 1 messages, 921 bytes in 0 seconds
    Oct 18 09:08:30 srv08 mailscanner[5991]: Scanning 1 messages, 10595 bytes
    Oct 18 09:08:34 srv08 mailscanner[5991]: Detected Microsoft-specific exploits in 182Zfo-0002ES-00
    Oct 18 09:08:34 srv08 mailscanner[5991]: Found 1 viruses in messages 182Zfo-0002ES-00
    Oct 18 09:08:34 srv08 mailscanner[5991]: Scanned 1 messages, 10595 bytes in 0 seconds
    Oct 18 09:08:34 srv08 mailscanner[5991]: Saved entire message to /var/spool/MailScanner/quarantine/20021018/182Zfo-0002ES-0$
    Oct 18 09:08:34 srv08 mailscanner[5991]: Notified root@srv08.primenet.cc about 1 infections
    Oct 18 09:08:35 srv08 mailscanner[5991]: Scanning 1 messages, 907 bytes
    Oct 18 09:08:36 srv08 mailscanner[5991]: Scanned 1 messages, 907 bytes in 0 seconds

    There are documents on the net trying to explain how to integrate Mailscanner with Exim, but as usual they DON'T work, or there is some vital piece of information missing from them, and of course the author of Mailscanner is of very little help.

    I will post my HOWTO as soon as i have time to write it up.

    For those who are in a hurry and wish integration, please contact us for more information.
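    The maillog excerpt above shows how MailScanner reports a detection: one scanner process (the PID in brackets) logs a batch as Scanning / Detected / Found / Scanned / Saved / Notified, and only the Exim message ID ties the Detected and Found lines to the Saved quarantine path that follows them. The following is an added example, not code from the post or from MailScanner, that correlates those lines into one record per quarantined message, which is what you want when reviewing the quarantine directory or shipping verdicts to a central log. The sample lines are the ones quoted above, including the two quarantine paths that are truncated there; the regexes, the per-PID bookkeeping and the record layout are mine and assume the 2002-era log format shown.

```python
"""Correlate MailScanner syslog lines into one verdict per quarantined message.

Added example (not MailScanner code).  The only handles MailScanner gives us
are the scanner PID and the Exim message ID, so the parser tracks, per PID,
which message the most recent Detected/Found line named and attaches the
Saved/Notified lines that follow to that message.  A new Scanning line starts
a fresh batch and forgets the previous message.
"""
import re
from collections import OrderedDict

# Sample lines copied from the maillog excerpt in the post above (the two
# "Saved entire message" paths are truncated there as well).
SAMPLE_LOG = """\
Oct 18 09:07:40 srv08 mailscanner[5991]: Scanning 1 messages, 12566 bytes
Oct 18 09:07:42 srv08 mailscanner[5991]: Detected Microsoft-specific exploits in 182Zex-0002Db-00
Oct 18 09:07:43 srv08 mailscanner[5991]: Found 1 viruses in messages 182Zex-0002Db-00
Oct 18 09:07:43 srv08 mailscanner[5991]: Scanned 1 messages, 12566 bytes in 0 seconds
Oct 18 09:07:43 srv08 mailscanner[5991]: Saved entire message to /var/spool/MailScanner/quarantine/20021018/182Zex-0002Db-0$
Oct 18 09:07:43 srv08 mailscanner[5991]: Notified root@srv08.primenet.cc about 1 infections
Oct 18 09:07:44 srv08 mailscanner[5991]: Scanning 1 messages, 921 bytes
Oct 18 09:07:45 srv08 mailscanner[5991]: Scanned 1 messages, 921 bytes in 0 seconds
Oct 18 09:08:30 srv08 mailscanner[5991]: Scanning 1 messages, 10595 bytes
Oct 18 09:08:34 srv08 mailscanner[5991]: Detected Microsoft-specific exploits in 182Zfo-0002ES-00
Oct 18 09:08:34 srv08 mailscanner[5991]: Found 1 viruses in messages 182Zfo-0002ES-00
Oct 18 09:08:34 srv08 mailscanner[5991]: Scanned 1 messages, 10595 bytes in 0 seconds
Oct 18 09:08:34 srv08 mailscanner[5991]: Saved entire message to /var/spool/MailScanner/quarantine/20021018/182Zfo-0002ES-0$
Oct 18 09:08:34 srv08 mailscanner[5991]: Notified root@srv08.primenet.cc about 1 infections
Oct 18 09:08:35 srv08 mailscanner[5991]: Scanning 1 messages, 907 bytes
Oct 18 09:08:36 srv08 mailscanner[5991]: Scanned 1 messages, 907 bytes in 0 seconds
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"mailscanner\[(?P<pid>\d+)\]: (?P<text>.*)$"
)
SCANNING_RE = re.compile(r"^Scanning \d+ messages, \d+ bytes$")
DETECTED_RE = re.compile(r"^Detected (?P<what>.+) in (?P<id>\S+)$")
FOUND_RE = re.compile(r"^Found (?P<n>\d+) viruses in messages (?P<ids>.+)$")
SAVED_RE = re.compile(r"^Saved entire message to (?P<path>\S+)$")
NOTIFIED_RE = re.compile(r"^Notified (?P<who>\S+) about \d+ infections$")


def _new_verdict(ts, host):
    return {"time": ts, "host": host, "report": None, "count": 0,
            "quarantine": None, "notified": None}


def parse_mailscanner_log(text):
    """Return an OrderedDict: Exim message ID -> verdict dict, in log order."""
    verdicts = OrderedDict()
    current = {}  # pid -> message ID named by the last Detected/Found line in that batch
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a mailscanner line (other maillog traffic)
        pid, body = m.group("pid"), m.group("text")
        if SCANNING_RE.match(body):
            current.pop(pid, None)  # new batch: forget the previous message
            continue
        d = DETECTED_RE.match(body)
        if d:
            v = verdicts.setdefault(d.group("id"), _new_verdict(m.group("ts"), m.group("host")))
            v["report"] = d.group("what")
            current[pid] = d.group("id")
            continue
        f = FOUND_RE.match(body)
        if f:
            for mid in f.group("ids").split():
                v = verdicts.setdefault(mid, _new_verdict(m.group("ts"), m.group("host")))
                v["count"] = int(f.group("n"))
                current[pid] = mid
            continue
        s = SAVED_RE.match(body)
        if s and pid in current:
            verdicts[current[pid]]["quarantine"] = s.group("path")
            continue
        n = NOTIFIED_RE.match(body)
        if n and pid in current:
            verdicts[current[pid]]["notified"] = n.group("who")
    return verdicts


def summarize(verdicts):
    """One line per quarantined message, in the style of the notification mail."""
    return ["%s: %s (%d) -> %s" % (mid, v["report"], v["count"], v["quarantine"])
            for mid, v in verdicts.items()]


if __name__ == "__main__":
    for line in summarize(parse_mailscanner_log(SAMPLE_LOG)):
        print(line)
```

    Batches with no Detected line (the 921- and 907-byte messages in the sample) produce no record, and a Saved line is only attached to a message that the same PID flagged in the current batch, so quarantine paths are never credited to the wrong message when several scanner children log to the same file.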
     
  17. ozzi4648

    ozzi4648 Guest

    Originally posted by moronhead:
    > Originally posted by ozzi4648:
    > > Originally posted by bdraco:
    > > > wget http://layer1.cpanel.net/exim+virusscan.tar.gz
    > > > tar xfzv exim+virusscan.tar.gz
    > > > cd exim+virusscan
    > > > sh install
    > >
    > > No thanks! Mailscanner is a much better solution and it runs on 22 of our other servers, catching hundreds of infected emails daily! Our virus signature db's are updated daily on all our servers and we are using RAV, not some generic catch-me-if-you-can solution.
    > > Thanks for your suggestion.
    >
    > I believe Nick was replying to a comment made by ecoutez about exim.conf. You must be so preoccupied with your own "best" solution that you obviously don't bother either paying attention to or reading other members' posts.
    >
    > Well, you can keep paying for your scanner; that's your choice. I can't see anything wrong with the step-by-step solutions recommended by nemon and ecoutez, where you pay zilch and you'd still get equally reasonable results!

    Your message was simply not worth a reply!
     
  18. moronhead

    moronhead Well-Known Member

    Originally posted by ozzi4648:
    > Your message was simply not worth a reply!

    I just stated the facts.

    I wasn't expecting a reply!
     
  19. dandanfireman

    dandanfireman Well-Known Member
    PartnerNOC

    Hey Nick. I got this when installing:

    Writing /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/AMAVIS/.packlist
    # Install Exim filter script
    install -D -m644 amavis-filter \
    /usr/bin/../share/amavis/amavis-filter
    # Install magic cookie file
    install -D -m644 magic.mime \
    /usr/bin/../share/amavis/magic.mime
    # Install AMaViS main script
    install -D -m755 amavis /usr/bin/amavis
    install -D -m4755 -omail -gmail qmail-queue.amavis \
    /usr/bin/../sbin/qmail-queue.amavis
    install -D -m755 amavis-milter/amavis-milter \
    /usr/bin/../sbin/amavis-milter
    install: cannot stat `amavis-milter/amavis-milter': No such file or directory
    make: *** [pure_install] Error 1
    `amavis.conf' -> `/etc/amavis/amavis.conf'
    `antivirus.clam.exim' -> `/etc/antivirus.clam.exim'
    exim (pid 19703 16993 10259) is running...
     
  20. Omar

    Omar Well-Known Member

    I'm still slightly confused as to what is included in that file:

    Is it an updated version of Exim + virus-scanner, or just a virus scanner add-on?

    What's the difference between this new virus scanner and the one that Exim is using already on cpanel servers?

    Thanks

    - Omar
     