Hi, I just finished installing by the guide Perfect Server ISPConfig 3 + CentOS 5.4. Everything works fine, but I got this error or warning in my maillog:

Apr 12 16:31:58 mail postfix/smtpd[4208]: warning: 216.25.162.201: address not listed for hostname worldcom.co.cr
Apr 12 16:31:58 mail postfix/smtpd[4208]: connect from unknown[216.25.162.201]
Apr 12 16:31:58 mail postfix/smtpd[4208]: EF40414D02F1: client=unknown[216.25.162.201]
Apr 12 16:31:59 mail postfix/cleanup[4220]: EF40414D02F1: message-id=<[email protected]>
Apr 12 16:31:59 mail postfix/qmgr[2752]: EF40414D02F1: from=<[email protected]>, size=710, nrcpt=1 (queue active)
Apr 12 16:31:59 mail postfix/smtpd[4208]: disconnect from unknown[216.25.162.201]
Apr 12 16:31:59 mail amavis[2824]: (02824-03) (!!)WARN: all primary virus scanners failed, considering backups
Apr 12 16:32:05 mail pop3d: Connection, ip=[::ffff:209.213.178.252]
Apr 12 16:32:05 mail pop3d: LOGIN, [email protected], ip=[::ffff:209.213.178.252], port=[59525]
Apr 12 16:32:05 mail pop3d: LOGOUT, [email protected], ip=[::ffff:209.213.178.252], port=[59525], top=0, retr=0, rcvd=28, sent=157, time=0
Apr 12 16:32:05 mail postfix/smtpd[4259]: connect from unknown[127.0.0.1]
Apr 12 22:32:05 mail postfix/smtpd[4259]: 7A37714D0305: client=unknown[127.0.0.1]
Apr 12 16:32:05 mail postfix/cleanup[4220]: 7A37714D0305: message-id=<[email protected]>
Apr 12 16:32:05 mail postfix/qmgr[2752]: 7A37714D0305: from=<[email protected]>, size=1185, nrcpt=1 (queue active)
Apr 12 22:32:05 mail postfix/smtpd[4259]: disconnect from unknown[127.0.0.1]
Apr 12 16:32:05 mail amavis[2824]: (02824-03) Passed CLEAN, [216.25.162.201] [216.25.162.201] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: jTv3ukslSNdd, Hits: 1.272, size: 710, queued_as: 7A37714D0305, 6494 ms
Apr 12 16:32:05 mail postfix/smtp[4221]: EF40414D02F1: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=6.6, delays=0.06/0.01/0/6.5, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=02824-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7A37714D0305)
Apr 12 16:32:05 mail postfix/qmgr[2752]: EF40414D02F1: removed
Apr 12 16:32:05 mail postfix/pipe[4262]: 7A37714D0305: to=<[email protected]>, relay=maildrop, delay=0.05, delays=0.02/0.01/0/0.02, dsn=2.0.0, status=sent (delivered via maildrop service)
Apr 12 16:32:05 mail postfix/qmgr[2752]: 7A37714D0305: removed

Please advise.
Jorge
Thanks Till, but still the same. It was started, so I stopped it and restarted it, but I get the same msg:

Apr 13 16:40:57 mail postfix/smtpd[4676]: C2E9914D04F9: client=unknown[65.183.7.27]
Apr 13 16:40:58 mail postfix/cleanup[4687]: A23C114D04D3: message-id=<[email protected]>
Apr 13 16:40:58 mail postfix/qmgr[2752]: A23C114D04D3: from=<[email protected]>, size=2494, nrcpt=1 (queue active)
Apr 13 16:40:58 mail amavis[1536]: (01536-09) (!!)WARN: all primary virus scanners failed, considering backups
Apr 13 16:40:58 mail postfix/smtpd[4678]: NOQUEUE: reject: RCPT from unknown[65.183.7.27]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in virtual mailbox table; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<agis-group.co.il>
Apr 13 16:40:59 mail postfix/smtpd[4677]: disconnect from unknown[65.183.7.27]
Thanks Falko, the settings are the ones set by default in the installation (Perfect CentOS 5.4 ISPConfig). Everything works fine, I only got that error msg. Thanks again for the help.
-Jorge

[root@mail etc]# cat clamd.conf
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##

# Comment or remove the line below.
#Example

# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamav/clamd.log

# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default: 1M
LogFileMaxSize 0

# Log time with each message.
# Default: no
LogTime yes

# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes

# Use system logger (can work together with LogFile).
# Default: no
LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

# Enable verbose logging.
# Default: no
#LogVerbose yes

# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile /var/run/clamav/clamd.pid

# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
TemporaryDirectory /var/tmp

# Path to the database directory.
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/clamav

# Only load the official signatures published by the ClamAV project.
# Default: no
#OfficialDatabaseOnly no

# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.

# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
#LocalSocket /tmp/clamd.socket

# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
#LocalSocketGroup virusgroup

# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
#LocalSocketMode 660

# Remove stale socket after unclean shutdown.
# Default: yes
FixStaleSocket yes

# TCP port address.
# Default: no
TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.
# Default: 15
MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
#StreamMaxLength 10M

# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000

# Maximum number of threads running at the same time.
# Default: 10
MaxThreads 50

# Waiting for data from a client socket will timeout after this time (seconds).
# Value of 0 disables the timeout.
# Default: 120
ReadTimeout 300

# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 5
#CommandReadTimeout 5

# This option specifies how long to wait (in miliseconds) if the send buffer is full.
# Keep this value low to prevent clamd hanging
#
# Default: 500
#SendBufTimeout 200

# Maximum number of queued items (including those being processed by MaxThreads threads)
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file descriptors,
# the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
#
# Default: 100
#MaxQueue 200

# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60

# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
#ExcludePath ^/proc/
#ExcludePath ^/sys/

# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20

# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes

# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes

# Scan files and directories on other filesystems.
# Default: yes
#CrossFilesystems yes

# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600

# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clamav

# Initialize supplementary group access (clamd must be started by root).
# Default: no
AllowSupplementaryGroups yes

# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes

# Don't fork into background.
# Default: no
#Foreground yes

# Enable debug messages in libclamav.
# Default: no
#Debug yes

# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes

# Detect Possibly Unwanted Applications.
# Default: no
#DetectPUA yes

# Exclude a specific PUA category. This directive can be used multiple times.
# See http://www.clamav.net/support/pua for the complete list of PUA
# categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool

# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
#IncludePUA Spy
#IncludePUA Scanner
#IncludePUA RAT

# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to provide accurate detection. This option
# controls the algorithmic detection.
# Default: yes
#AlgorithmicDetection yes

##
## Executable files
##

# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option allows
# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite.
# Default: yes
ScanPE yes

# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# Default: yes
ScanELF yes

# With this option clamav will try to detect broken executables (both PE and
# ELF) and mark them as Broken.Executable.
# Default: no
DetectBrokenExecutables yes

##
## Documents
##

# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# Default: yes
ScanOLE2 yes

# This option enables scanning within PDF files.
# Default: yes
#ScanPDF yes

##
## Mail files
##

# Enable internal e-mail scanner.
# Default: yes
ScanMail yes

# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: no
#ScanPartialMessages yes

# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes

# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes

# Always block SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockSSLMismatch no

# Always block cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockCloak no

# Allow heuristic match to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes

##
## Data Loss Prevention (DLP)
##

# Enable the DLP module
# Default: No
#StructuredDataDetection yes

# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5

# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal yes

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes

##
## HTML
##

# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
#ScanHTML yes

##
## Archives
##

# ClamAV can scan within archives and compressed files.
# Default: yes
ScanArchive yes

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
ArchiveBlockEncrypted no

##
## Limits
##

# The options below protect your system against Denial of Service attacks
# using archive bombs.

# This option sets the maximum amount of data to be scanned for each input file.
# Archives and other containers are recursively extracted and scanned up to this
# value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
#MaxScanSize 150M

# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
#MaxFileSize 30M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Value of 0 disables the limit.
# Default: 16
#MaxRecursion 10

# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000

##
## Clamuko settings
##

# Enable Clamuko. Dazuko must be configured and running. Clamuko supports
# both Dazuko (/dev/dazuko) and DazukoFS (/dev/dazukofs.ctrl). DazukoFS
# is the preferred option. For more information please visit www.dazuko.org
# Default: no
#ClamukoScanOnAccess yes

# The number of scanner threads that will be started (DazukoFS only).
# Having multiple scanner threads allows Clamuko to serve multiple
# processes simultaneously. This is particularly beneficial on SMP machines.
# Default: 3
#ClamukoScannerCount 3

# Don't scan files larger than ClamukoMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#ClamukoMaxFileSize 10M

# Set access mask for Clamuko (Dazuko only).
# Default: no
#ClamukoScanOnOpen yes
#ClamukoScanOnClose yes
#ClamukoScanOnExec yes

# Set the include paths (all files inside them will be scanned). You can have
# multiple ClamukoIncludePath directives but each directory must be added
# in a seperate line. (Dazuko only)
# Default: disabled
#ClamukoIncludePath /home
#ClamukoIncludePath /students

# Set the exclude paths. All subdirectories are also excluded. (Dazuko only)
# Default: disabled
#ClamukoExcludePath /home/bofh

# With this option enabled ClamAV will load bytecode from the database.
# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
# Default: yes
#Bytecode yes

# Set bytecode security level.
# Possible values:
# None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
# This value is only available if clamav was built with --enable-debug!
# TrustSigned - trust bytecode loaded from signed .c[lv]d files,
# insert runtime safety checks for bytecode loaded from other sources
# Paranoid - don't trust any bytecode, insert runtime checks for all
# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
#
# Default: TrustSigned
#BytecodeSecurity TrustSigned

# Set bytecode timeout in miliseconds.
#
# Default: 60000
# BytecodeTimeout 60000

[root@mail etc]#
@av_scanners = (

# ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/)
# ['Sophie',
#   \&ask_daemon, ["{}/\n", '/var/run/sophie'],
#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],

# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
# ['Sophos SAVI', \&sophos_savi ],

# ### http://www.clamav.net/
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/spool/amavisd/clamd.sock"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# # NOTE: run clamd under the same user as amavisd, or run it under its own
# # uid such as clamav, add user clamav to the amavis group, and then add
# # AllowSupplementaryGroups to clamd.conf;
# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# # this entry; when running chrooted one may prefer socket "$MYHOME/clamd".

# ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred)
# # note that Mail::ClamAV requires perl to be build with threading!
# ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/],

# ### http://www.openantivirus.org/
# ['OpenAntiVirus ScannerDaemon (OAV)',
#   \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],
#   qr/^OK/, qr/^FOUND: /, qr/^FOUND: (.+)/ ],

# ### http://www.vanja.com/tools/trophie/
# ['Trophie',
#   \&ask_daemon, ["{}/\n", '/var/run/trophie'],
#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],

# ### http://www.grisoft.com/
# ['AVG Anti-Virus',
#   \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'],
#   qr/^200/, qr/^403/, qr/^403 .*?: ([^\r\n]+)/ ],

# ### http://www.f-prot.com/
# ['FRISK F-Prot Daemon',
#   \&ask_daemon,
#   ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
#     ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202',
#      '127.0.0.1:10203','127.0.0.1:10204'] ],
#   qr/(?i)<summary[^>]*>clean<\/summary>/,
#   qr/(?i)<summary[^>]*>infected<\/summary>/,
#   qr/(?i)<name>(.+)<\/name>/ ],

# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/
# ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later
#   [pack('N',1). # DRWEBD_SCAN_CMD
#    pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES
#    pack('N', # path length
#      length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")).
#    '{}/*'. # path
#    pack('N',0). # content size
#    pack('N',0),
#    '/var/drweb/run/drwebd.sock',
# # '/var/amavis/var/run/drwebd.sock', # suitable for chroot
# # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default
# # '127.0.0.1:3000', # or over an inet socket
#   ],
#   qr/\A\x00[\x10\x11][\x00\x10]\x00/s, # IS_CLEAN,EVAL_KEY; SKIPPED
#   qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/s, # KNOWN_V,UNKNOWN_V,V._MODIF
#   qr/\A.{12}(?:infected with )?([^\x00]+)\x00/s,
# ],
# # NOTE: If using amavis-milter, change length to:
# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx").
  ### http://www.kaspersky.com/ (kav4mailservers)
  ['KasperskyLab AVP - aveclient',
    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
     '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
    '-p /var/run/aveserver -s {}/*',
    [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/,
    qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/,
  ],
  # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious,
  # currupted or protected archives are to be handled

  ### http://www.kaspersky.com/
  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
    '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ?
    qr/infected: (.+)/,
    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],

  ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
  ### products and replaced by aveserver and aveclient
  ['KasperskyLab AVPDaemonClient',
    [ '/opt/AVP/kavdaemon', 'kavdaemon',
      '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
      '/opt/AVP/AvpTeamDream', 'AvpTeamDream',
      '/opt/AVP/avpdc', 'avpdc' ],
    "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ],
    # change the startup-script in /etc/init.d/kavd to:
    # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
    # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" )
    # adjusting /var/amavis above to match your $TEMPBASE.
    # The '-f=/var/amavis' is needed if not running it as root, so it
    # can find, read, and write its pid file, etc., see 'man kavdaemon'.
    # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
    # directory $TEMPBASE specifies) in the 'Names=' section.
    # cd /opt/AVP/DaemonClients; configure; cd Sample; make
    # cp AvpDaemonClient /opt/AVP/
    # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"

  ### http://www.centralcommand.com/
  ['CentralCommand Vexira (new) vascan',
    ['vascan','/usr/lib/Vexira/vascan'],
    "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
    "--log=/var/log/vascan.log {}",
    [0,3], [1,2,5],
    qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ / ],
    # Adjust the path of the binary and the virus database as needed.
    # 'vascan' does not allow to have the temp directory to be the same as
    # the quarantine directory, and the quarantine option can not be disabled.
    # If $QUARANTINEDIR is not used, then another directory must be specified
    # to appease 'vascan'. Move status 3 to the second list if password
    # protected files are to be considered infected.

  ### http://www.avira.com/
  ### Avira AntiVir (formerly H+BEDV) or (old) CentralCommand Vexira Antivirus
  ['Avira AntiVir', ['antivir','vexira'],
    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
    # NOTE: if you only have a demo version, remove -z and add 214, as in:
    # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,

  ### http://www.commandsoftware.com/
  ['Command AntiVirus for Linux', 'csav',
    '-all -archive -packed {}', [50], [51,52,53], qr/Infection: (.+)/ ],

  ### http://www.symantec.com/
  ['Symantec CarrierScan via Symantec CommandLineScanner',
    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
    qr/^Files Infected:\s+0$/, qr/^Infected\b/,
    qr/^(?:Info|Virus Name):\s+(.+)/ ],

  ### http://www.symantec.com/
  ['Symantec AntiVirus Scan Engine',
    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
    [0], qr/^Infected\b/,
    qr/^(?:Info|Virus Name):\s+(.+)/ ],
    # NOTE: check options and patterns to see which entry better applies

# ### http://www.f-secure.com/products/anti-virus/ version 4.65
# ['F-Secure Antivirus for Linux servers',
#   ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
#   '--delete=no --disinf=no --rename=no --archive=yes --auto=yes '.
#   '--dumb=yes --list=no --mime=yes {}', [0], [3,6,8],
#   qr/(?:infection|Infected|Suspected): (.+)/ ],

  ### http://www.f-secure.com/products/anti-virus/ version 5.52
  ['F-Secure Antivirus for Linux servers',
    ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
    '--virus-action1=report --archive=yes --auto=yes '.
    '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8],
    qr/(?:infection|Infected|Suspected|Riskware): (.+)/ ],
    # NOTE: internal archive handling may be switched off by '--archive=no'
    # to prevent fsav from exiting with status 9 on broken archives

# ### http://www.avast.com/
# ['avast! Antivirus daemon',
#   \&ask_daemon, # greets with 220, terminate with QUIT
#   ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'],
#   qr/\t\[\+\]/, qr/\t\[L\]\t/, qr/\t\[L\]\t([^[ \t\015\012]+)/ ],

# ### http://www.avast.com/
# ['avast! Antivirus - Client/Server Version', 'avastlite',
#   '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1],
#   qr/\t\[L\]\t([^[ \t\015\012]+)/ ],

  ['CAI InoculateIT', 'inocucmd', # retired product
    '-sec -nex {}', [0], [100],
    qr/was infected by virus (.+)/ ],
  # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html

  ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT)
  ['CAI eTrust Antivirus', 'etrust-wrapper',
    '-arc -nex -spm h {}', [0], [101],
    qr/is infected by virus: (.+)/ ],
    # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
    # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783

  ### http://mks.com.pl/english.html
  ['MkS_Vir for Linux (beta)', ['mks32','mks'],
    '-s {}/*', [0], [1,2],
    qr/--[ \t]*(.+)/ ],

  ### http://mks.com.pl/english.html
  ['MkS_Vir daemon', 'mksscan',
    '-s -q {}', [0], [1..7],
    qr/^... (\S+)/ ],

# ### http://www.nod32.com/, version v2.52 and above
# ['ESET NOD32 for Linux Mail servers',
#   ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
#   '--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '.
#   '-w -a --action-on-infected=accept --action-on-uncleanable=accept '.
#   '--action-on-notscanned=accept {}',
#   [0,3], [1,2], qr/virus="([^"]+)"/ ],

  ### http://www.eset.com/, version v2.7
  ['ESET NOD32 Linux Mail Server - command line interface',
    ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
    '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/ ],

  ## http://www.nod32.com/, NOD32LFS version 2.5 and above
  ['ESET NOD32 for Linux File servers',
    ['/opt/eset/nod32/sbin/nod32','nod32'],
    '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
    '-w -a --action=1 -b {}',
    [0], [1,10], qr/^object=.*, virus="(.*?)",/ ],

# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31
# ['ESET Software NOD32 Client/Server (NOD32SS)',
#   \&ask_daemon2, # greets with 200, persistent, terminate with QUIT
#   ["SCAN {}/*\r\n", '127.0.0.1:8448' ],
#   qr/^200 File OK/, qr/^201 /, qr/^201 (.+)/ ],

  ### http://www.norman.com/products_nvc.shtml
  ['Norman Virus Control v5 / Linux', 'nvcc',
    '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
    qr/(?i).* virus in .* -> \'(.+)\'/ ],

  ### http://www.pandasoftware.com/
  ['Panda CommandLineSecure 9 for Linux',
    ['/opt/pavcl/usr/bin/pavcl','pavcl'],
    '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
    qr/Number of files infected[ .]*: 0+(?!\d)/,
    qr/Number of files infected[ .]*: 0*[1-9]/,
    qr/Found virus :\s*(\S+)/ ],
  # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr'
  # before starting amavisd - the bases are then loaded only once at startup.
  # To reload bases in a signature update script:
  # /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr
  # Please review other options of pavcl, for example:
  # -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies

# ### http://www.pandasoftware.com/
# ['Panda Antivirus for Linux', ['pavcl'],
#   '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}',
#   [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0],
#   qr/Found virus :\s*(\S+)/ ],

# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
# Check your RAV license terms before fiddling with the following two lines!
# ['GeCAD RAV AntiVirus 8', 'ravav',
#   '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/ ],
# # NOTE: the command line switches changed with scan engine 8.5 !
# # (btw, assigning stdin to /dev/null causes RAV to fail)

  ### http://www.nai.com/
  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
    '--secure -rv --mime --summary --noboot - {}', [0], [13],
    qr/(?x) Found (?:
        \ the\ (.+)\ (?:virus|trojan) |
        \ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
        :\ (.+)\ NOT\ a\ virus)/,
  # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
  # sub {delete $ENV{LD_PRELOAD}},
  ],
  # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
  # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
  # and then clear it when finished to avoid confusing anything else.
  # NOTE2: to treat encrypted files as viruses replace the [13] with:
  # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/

  ### http://www.virusbuster.hu/en/
  ['VirusBuster', ['vbuster', 'vbengcl'],
    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
    qr/: '(.*)' - Virus/ ],
  # VirusBuster Ltd. does not support the daemon version for the workstation
  # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
  # binaries, some parameters AND return codes have changed (from 3 to 1).
  # See also the new Vexira entry 'vascan' which is possibly related.

# ### http://www.virusbuster.hu/en/
# ['VirusBuster (Client + Daemon)', 'vbengd',
#   '-f -log scandir {}', [0], [3],
#   qr/Virus found = (.*);/ ],
# # HINT: for an infected file it always returns 3,
# # although the man-page tells a different story

  ### http://www.cyber.com/
  ['CyberSoft VFind', 'vfind',
    '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,
  # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
  ],

  ### http://www.avast.com/
  ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
    '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/ ],

  ### http://www.ikarus-software.com/
  ['Ikarus AntiVirus for Linux', 'ikarus',
    '{}', [0], [40], qr/Signature (.+) found/ ],

  ### http://www.bitdefender.com/
  ['BitDefender', 'bdc',
    '--arc --mail {}', qr/^Infected files *:0+(?!\d)/,
    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
    qr/(?:suspected|infected): (.*)(?:\033|$)/ ],
  # consider also: --all --nowarn --alev=15 --flev=15. The --all argument may
  # not apply to your version of bdc, check documentation and see 'bdc --help'

  ### ArcaVir for Linux and Unix http://www.arcabit.pl/
  ['ArcaVir for Linux', ['arcacmd','arcacmd.static'],
    '-v 1 -summary 0 -s {}', [0], [1,2],
    qr/(?:VIR|WIR):[ \t]*(.+)/ ],

# ['File::Scan', sub {Amavis::AV::ask_av(sub{
#   use File::Scan; my($fn)=@_;
#   my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0);
#   my($vname) = $f->scan($fn);
#   $f->error ? (2,"Error: ".$f->error)
#   : ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @_) },
#   ["{}/*"], [0], [1], qr/^(.*) FOUND$/ ],

# ### fully-fledged checker for JPEG marker segments of invalid length
# ['check-jpeg',
#   sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) },
#   ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/ ],
# # NOTE: place file JpegTester.pm somewhere where Perl can find it,
# # for example in /usr/local/lib/perl5/site_perl

);

@av_scanners_backup = (

  ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
  ['ClamAV-clamscan', 'clamscan',
    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
    [0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

  ### http://www.f-prot.com/ - backs up F-Prot Daemon
  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
    '-dumb -archive -packed {}', [0,8], [3,6], # or: [0], [3,6,8],
    qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/ ],

  ### http://www.trendmicro.com/ - backs up Trophie
  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
    '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],

  ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD
  ['drweb - DrWeb Antivirus', # security LHA hole in Dr.Web 4.33 and earlier
    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
    '-path={} -al -go -ot -cn -upn -ok-',
    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'],

  ### http://www.kaspersky.com/
  ['Kaspersky Antivirus v5.5',
    ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
     '/opt/kav/5.5/kav4unix/bin/kavscanner',
     '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
    '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
    qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/ ,
  # sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
  # sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],

# Commented out because the name 'sweep' clashes with Debian and FreeBSD
# package/port of an audio editor. Make sure the correct 'sweep' is found
# in the path when enabling.
# # ### http://www.sophos.com/ - backs up Sophie or SAVI-Perl # ['Sophos Anti Virus (sweep)', 'sweep', # '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '. # '--no-reset-atime {}', # [0,2], qr/Virus .*? found/, # qr/^>>> Virus(?: fragment)? '?(.*?)'? found/, # ], # # other options to consider: -idedir=/usr/local/sav # always succeeds (uncomment to consider mail clean if all other scanners fail) # ['always-clean', sub {0}], ); @bypass_virus_checks_maps = ( \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); @bypass_spam_checks_maps = ( \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); # # Database connection settings # @lookup_sql_dsn = ( ['DBI:mysql:database=dbispconfig;host=127.0.0.1;port=3306', 'ispconfig', '5c322862f383237c59362b1dfc95399a'] ); # @storage_sql_dsn = @lookup_sql_dsn; # none, same, or separate database #$sql_select_policy = 'SELECT "Y" as local FROM mail_domain WHERE CONCAT("@",domain) IN (%k)'; # $banned_files_quarantine_method = 'sql'; # $spam_quarantine_method = 'sql'; # # SQL Select statements # $sql_select_policy = 'SELECT *,spamfilter_users.id'. ' FROM spamfilter_users LEFT JOIN spamfilter_policy ON spamfilter_users.policy_id=spamfilter_policy.id'. ' WHERE spamfilter_users.email IN (%k) ORDER BY spamfilter_users.priority DESC'; $sql_select_white_black_list = 'SELECT wb FROM spamfilter_wblist'. ' WHERE (spamfilter_wblist.rid=?) AND (spamfilter_wblist.email IN (%k))' . ' ORDER BY spamfilter_wblist.priority DESC'; # # Quarantine settings # $final_virus_destiny = D_BOUNCE; $final_spam_destiny = D_DISCARD; $final_banned_destiny = D_BOUNCE; $final_bad_header_destiny = D_PASS; # # Disable spam and virus notifications for the admin user. # Can be overridden by the policies in mysql # $virus_admin = undef; $spam_admin = undef; # # Enable Logging # $DO_SYSLOG = 1; $LOGFILE = "/var/log/amavis.log"; # (defaults to empty, no log) $log_level = 5; # (defaults to 0) 1; # insure a defined return
What are the outputs of

Code:
ls -l /var/spool/amavisd/clamd.sock

and

Code:
updatedb
locate clamd.sock

?
[root@mail ~]# ls -l /var/spool/amavisd/clamd.sock
ls: /var/spool/amavisd/clamd.sock: No such file or directory
[root@mail ~]# find / -name clamd.sock

If I try to find clamd.sock, it is not on my system.

[root@mail ~]# find / -name clamd.*
/usr/share/doc/clamd-0.96/clamd.conf
/usr/share/man/man5/clamd.conf.5.gz
/usr/share/man/man8/clamd.8.gz
/var/log/clamav/clamd.log
/var/run/clamav/clamd.pid
/etc/clamd.conf
[root@mail ~]#

Thanks for the help.
Hi Falko, yes it is started

[root@mail log]# service clamd status
clamd (pid 4208) is running...
[root@mail log]#

Apr 19 08:21:41 mail pop3d: Connection, ip=[::ffff:216.25.164.14]
Apr 19 08:21:41 mail pop3d: LOGIN, [email protected], ip=[::ffff:216.25.164.14], port=[52643]
Apr 19 08:21:41 mail pop3d: LOGOUT, [email protected], ip=[::ffff:216.25.164.14], port=[52643], top=0, retr=0, rcvd=12, sent=39, time=0
Apr 19 08:21:45 mail postfix/smtpd[30676]: connect from unknown[58.64.87.129]
Apr 19 08:21:47 mail postfix/smtpd[30676]: 17F3414D0F3B: client=unknown[58.64.87.129]
Apr 19 08:21:49 mail postfix/cleanup[31121]: 17F3414D0F3B: message-id=<[email protected]>
Apr 19 08:21:49 mail postfix/qmgr[2752]: 17F3414D0F3B: from=<[email protected]>, size=9548, nrcpt=1 (queue active)
Apr 19 08:21:49 mail amavis[29659]: (29659-10) (!!)WARN: all primary virus scanners failed, considering backups
Apr 19 08:21:50 mail postfix/smtpd[30676]: disconnect from unknown[58.64.87.129]
Apr 19 08:21:57 mail amavis[29659]: (29659-10) Blocked SPAM, [58.64.87.129] [58.64.87.129] <[email protected]> -> <[email protected]>, quarantine: spam-EsmTDthKJ3B1.gz, Message-ID: <[email protected]>, mail_id: EsmTDthKJ3B1, Hits: 14.809, size: 9533, 8196 ms
Apr 19 14:21:57 mail postfix/smtp[31122]: 17F3414D0F3B: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=11, delays=3/0/0/8.2, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=29659-10, DISCARD(bounce.suppressed))
Apr 19 08:21:57 mail postfix/qmgr[2752]: 17F3414D0F3B: removed
Apr 19 08:22:12 mail postfix/smtpd[30676]: connect from localhost[127.0.0.1]
Apr 19 08:22:12 mail postfix/smtpd[30676]: lost connection after CONNECT from localhost[127.0.0.1]
Apr 19 08:22:12 mail postfix/smtpd[30676]: disconnect from localhost[127.0.0.1]
Apr 19 08:22:15 mail pop3d: Connection, ip=[::ffff:216.25.164.14]
Apr 19 08:22:15 mail pop3d: LOGIN, [email protected], ip=[::ffff:216.25.164.14], port=[52670]
Apr 19 08:22:15 mail pop3d: LOGOUT, [email protected], ip=[::ffff:216.25.164.14], port=[52670], top=0, retr=0, rcvd=12, sent=39, time=0
Apr 19 08:22:15 mail pop3d: Connection, ip=[::ffff:216.25.164.14]
Apr 19 08:22:15 mail pop3d: LOGIN, [email protected], ip=[::ffff:216.25.164.14], port=[52673]
Apr 19 08:22:15 mail pop3d: LOGOUT, [email protected], ip=[::ffff:216.25.164.14], port=[52673], top=0, retr=0, rcvd=12, sent=39, time=0
Apr 19 08:22:15 mail postfix/smtpd[30676]: warning: 189.107.105.233: hostname 189107105233.user.veloxzone.com.br verification failed: Name or service not known
Apr 19 08:22:15 mail postfix/smtpd[30676]: connect from unknown[189.107.105.233]
Apr 19 08:22:16 mail postfix/smtpd[30676]: 1443814D0F3B: client=unknown[189.107.105.233]
Apr 19 08:22:17 mail postfix/cleanup[31121]: 1443814D0F3B: message-id=<[email protected]>
Apr 19 08:22:17 mail postfix/qmgr[2752]: 1443814D0F3B: from=<[email protected]>, size=8718, nrcpt=1 (queue active)
Apr 19 08:22:17 mail amavis[31208]: (31208-01) (!!)WARN: all primary virus scanners failed, considering backups
Apr 19 08:22:17 mail postfix/smtpd[30676]: disconnect from unknown[189.107.105.233]
Apr 19 08:22:19 mail pop3d: Connection, ip=[::ffff:209.213.178.252]
Apr 19 08:22:19 mail pop3d: Connection, ip=[::ffff:209.213.178.252]
Apr 19 08:22:19 mail pop3d: LOGIN, [email protected], ip=[::ffff:209.213.178.252], port=[57800]
Apr 19 08:22:19 mail pop3d: LOGIN, [email protected], ip=[::ffff:209.213.178.252], port=[57801]
Apr 19 08:22:19 mail pop3d: LOGOUT, [email protected], ip=[::ffff:209.213.178.252], port=[57800], top=0, retr=0, rcvd=18, sent=69, time=0
Apr 19 08:22:19 mail pop3d: LOGOUT, [email protected], ip=[::ffff:209.213.178.252], port=[57801], top=0, retr=0, rcvd=28, sent=91, time=0
Apr 19 08:22:20 mail pop3d: Connection, ip=[::ffff:216.25.164.14]
Apr 19 08:22:20 mail pop3d: Connection, ip=[::ffff:216.25.164.14]
Apr 19 08:22:20 mail pop3d: LOGIN, [email protected], ip=[::ffff:216.25.164.14], port=[52682]
Apr 19 08:22:20 mail pop3d: LOGIN, [email protected], ip=[::ffff:216.25.164.14], port=[52683]
Hi Falko, I can see I have a /etc/amavisd directory and inside it I have the amavisd.conf, and I have another amavisd.conf in /etc. So what I just did was copy the one from the amavisd directory to /etc and restart the services. Now I'm getting this:

Apr 19 08:44:09 mail amavis[32101]: (32101-03) lookup [banned_namepath_re] => undef, "P=p003\tL=1\tM=multipart/alternative\nP=p002\tL=1/2\tM=text/html\tT=html" does not match
Apr 19 08:44:09 mail amavis[32101]: (32101-03) p.path [email protected]: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
Apr 19 08:44:09 mail amavis[32101]: (32101-03) banned check: any=0, all=N (1)
Apr 19 08:44:09 mail amavis[32101]: (32101-03) lookup_re("MAIL"), no matches
Apr 19 08:44:09 mail amavis[32101]: (32101-03) lookup [keep_decoded_original] => undef, "MAIL" does not match
Apr 19 08:44:09 mail amavis[32101]: (32101-03) Calling virus scanners, 2 files to scan in /var/spool/amavisd/tmp/amavis-20100419T083943-32101/parts
Apr 19 08:44:09 mail amavis[32101]: (32101-03) run_av (ClamAV-clamd): query template(1,1): CONTSCAN {}\n
Apr 19 08:44:09 mail amavis[32101]: (32101-03) prolong_timer run_av: timer set to 480 s
Apr 19 08:44:09 mail amavis[32101]: (32101-03) prolong_timer run_av: timer set to 384 s
Apr 19 08:44:09 mail amavis[32101]: (32101-03) ask_av Using (ClamAV-clamd): CONTSCAN /var/spool/amavisd/tmp/amavis-20100419T083943-32101/parts\n
Apr 19 08:44:09 mail amavis[32101]: (32101-03) ask_daemon_internal: timer set to 10 s (was 384 s)
Apr 19 08:44:09 mail amavis[32101]: (32101-03) ClamAV-clamd: Sending CONTSCAN /var/spool/amavisd/tmp/amavis-20100419T083943-32101/parts\n to UNIX socket /var/spool/amavisd/clamd.sock
Apr 19 08:44:09 mail amavis[32101]: (32101-03) prolong_timer ask_daemon_internal: timer set to 384 s
Apr 19 08:44:09 mail amavis[32101]: (32101-03) ClamAV-clamd: Can't send to socket /var/spool/amavisd/clamd.sock: Transport endpoint is not connected, retrying (1)
Apr 19 08:44:09 mail amavis[32101]: (32101-03) ClamAV-clamd: sleeping for 1 s
Apr 19 08:44:09 mail postfix/smtpd[32171]: disconnect from unknown[93.86.145.251]
Apr 19 08:44:10 mail amavis[32101]: (32101-03) ask_daemon_internal: timer set to 10 s (was 384 s)
Apr 19 08:44:10 mail amavis[32101]: (32101-03) ClamAV-clamd: Connecting to socket /var/spool/amavisd/clamd.sock, retry #1
Apr 19 08:44:10 mail amavis[32101]: (32101-03) creating socket by IO::Socket::UNIX to /var/spool/amavisd/clamd.sock
Apr 19 08:44:10 mail amavis[32101]: (32101-03) prolong_timer ask_daemon_internal: timer set to 383 s
Apr 19 08:44:10 mail amavis[32101]: (32101-03) (!)ClamAV-clamd: Can't connect to UNIX socket /var/spool/amavisd/clamd.sock: No such file or directory, retrying (2)

Thanks
I think I finally got it. Reading on Google I got the answer to this error. In amavisd.conf I changed the daemon to var/run/clamav/clamd.ctl:

# ### http://www.clamav.net/
['ClamAV-clamd',
#\&ask_daemon, ["CONTSCAN {}\n", "/var/spool/amavisd/clamd.sock"],
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],

and in clamd.conf I changed the daemon to var/run/clamav/clamd.ctl:

# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
#LocalSocket /tmp/clamd.socket
LocalSocket /var/run/clamav/clamd.ctl

Now look at my log:

Apr 19 09:34:54 mail amavis[3073]: (03073-01) lookup_re("MAIL"), no matches
Apr 19 09:34:54 mail amavis[3073]: (03073-01) lookup [keep_decoded_original] => undef, "MAIL" does not match
Apr 19 09:34:54 mail amavis[3073]: (03073-01) Calling virus scanners, 2 files to scan in /var/spool/amavisd/tmp/amavis-20100419T093454-03073/parts
Apr 19 09:34:54 mail amavis[3073]: (03073-01) run_av (ClamAV-clamd): query template(1,1): CONTSCAN {}\n
Apr 19 09:34:54 mail amavis[3073]: (03073-01) prolong_timer run_av: timer set to 480 s
Apr 19 09:34:54 mail amavis[3073]: (03073-01) prolong_timer run_av: timer set to 384 s
Apr 19 09:34:54 mail amavis[3073]: (03073-01) ask_av Using (ClamAV-clamd): CONTSCAN /var/spool/amavisd/tmp/amavis-20100419T093454-03073/parts\n
Apr 19 09:34:54 mail amavis[3073]: (03073-01) ask_daemon_internal: timer set to 10 s (was 384 s)
Apr 19 09:34:54 mail amavis[3073]: (03073-01) ClamAV-clamd: Connecting to socket /var/run/clamav/clamd.ctl
Apr 19 09:34:54 mail amavis[3073]: (03073-01) creating socket by IO::Socket::UNIX to /var/run/clamav/clamd.ctl
Apr 19 09:34:54 mail amavis[3073]: (03073-01) ClamAV-clamd: Sending CONTSCAN /var/spool/amavisd/tmp/amavis-20100419T093454-03073/parts\n to UNIX socket /var/run/clamav/clamd.ctl
Apr 19 09:34:54 mail amavis[3073]: (03073-01) prolong_timer ask_daemon_internal: timer set to 307 s
Apr 19 09:34:55 mail amavis[3073]: (03073-01) prolong_timer ask_daemon_internal: timer set to 383 s
Apr 19 09:34:55 mail amavis[3073]: (03073-01) prolong_timer ask_av: timer set to 479 s
Apr 19 09:34:55 mail amavis[3073]: (03073-01) ask_av (ClamAV-clamd) result: /var/spool/amavisd/tmp/amavis-20100419T093454-03073/parts: OK\n
Apr 19 09:34:55 mail amavis[3073]: (03073-01) run_av (ClamAV-clamd): CLEAN
Apr 19 09:34:55 mail amavis[3073]: (03073-01) run_av (ClamAV-clamd) result: clean
Apr 19 09:34:55 mail amavis[3073]: (03073-01) wbl: checking sender <[email protected]>
Apr 19 09:34:55

Thanks for the help. I will monitor my log to see what happens.
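The fix in this thread comes down to amavisd and clamd agreeing on one UNIX socket path. As an added example (not code from the thread, ISPConfig or amavisd), the Python check below extracts the active path from each config, compares them and sends clamd's PING command; the function names and the embedded config samples are constructed for illustration.

```python
import re, socket

# Constructed samples modelled on the fragments posted in this thread.
AMAVISD_CONF = r'''
['ClamAV-clamd',
#\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
  \&ask_daemon, ["CONTSCAN {}\n", "/var/spool/amavisd/clamd.sock"],
'''
CLAMD_CONF = '''
#LocalSocket /tmp/clamd.socket
LocalSocket /var/run/clamav/clamd.ctl
'''

def first_match(pattern, conf):
    """First capture group of pattern on a non-comment line, or None."""
    for line in conf.splitlines():
        line = line.strip()
        m = None if line.startswith("#") else re.search(pattern, line)
        if m:
            return m.group(1)
    return None

def amavis_clamd_socket(conf):
    """Socket path amavisd passes to ask_daemon for the clamd scanner."""
    return first_match(r'ask_daemon\s*,\s*\[\s*"CONTSCAN[^"]*"\s*,\s*"([^"]+)"', conf)

def clamd_local_socket(conf):
    """Socket path clamd listens on (LocalSocket in clamd.conf)."""
    return first_match(r'^LocalSocket\s+(\S+)', conf)

def ping_clamd(path, timeout=5):
    """True if a clamd answers PONG to PING on the UNIX socket at path."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(path)
            s.sendall(b"PING\n")
            return s.recv(16).strip() == b"PONG"
    except OSError:
        return False

def diagnose(amavis_conf, clamd_conf):
    """Return 'missing', 'mismatch', 'unreachable' or 'ok'."""
    a, c = amavis_clamd_socket(amavis_conf), clamd_local_socket(clamd_conf)
    if a is None or c is None:
        return "missing"
    if a != c:
        return "mismatch"
    return "ok" if ping_clamd(a) else "unreachable"
```

On a live server, pass `diagnose()` the contents of /etc/amavisd.conf and /etc/clamd.conf, and run it as the account amavisd runs under so that the socket's permissions are exercised as well.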