Hi, I have a problem with ClamAV on ISPConfig. ClamAV uses up 99.9% CPU, so I am considering switching to clamd/clamdscan. My question is: how do I disable clamscan and enable clamd on ISPConfig? Sorry for my poor English. Best regards
To enable clamd instead of clamav, you must first install the clamd daemon of your linux distribution. Then edit the file /home/admispconfig/ispconfig/tools/clamav/bin/clamassassin and reconfigure clamassassin to use clamd of your linux distribution instead of clamav that comes with ISPconfig.
I found this solution on the web: I modified antivirus.rc.master. Maybe it helps some users. Now I have a fresh ClamAV version.

Code:
# Rules for running ClamAV
CLAMSCAN=/usr/bin/clamdscan
VIRUSTARGET=/dev/null

:0
* > 10000
* multipart
{
  # Okay, large multipart message run through clamscan
  VIRUS=`$CLAMSCAN --mbox --disable-summary --stdout -`

  :0 Di
  * VIRUS ?? FOUND
  $VIRUSTARGET
}
I still recommend modifying the clamassassin script instead of modifying the antivirus.rc.master. Your solution might work for you, but be aware that e.g. the --mbox option is not supported anymore in the latest clamav versions.
After doing this on a Debian 3.1, mail is being scanned by clamd, and deleted if it contains a virus (tried with eicar), but the warning mail is not sent to "antivirus admin", nor to the sender. Is it necessary to change something more to make warning mails work? Thank you very much.
Which clamd / clamav version do you have installed? You need a 0.90.x version for the clamassassin script that is used in ISPConfig.
I have installed 0.90.3 from debian-volatile:

Code:
dpkg --get-selections |grep clam |awk {'print $1'}|while read pkg
> do
> apt-cache policy $pkg
> done
clamav-base:
  Installed: 0.90.3-0volatile1
  Candidate: 0.90.3-0volatile1
  Version Table:
 *** 0.90.3-0volatile1 0
        500 http://volatile.debian.org sarge/volatile/main Packages
        100 /var/lib/dpkg/status
     0.90.2-1~bpo.1 0
          1 http://www.backports.org sarge-backports/main Packages
     0.84-2.sarge.16 0
        500 http://security.debian.org sarge/updates/main Packages
     0.84-2.sarge.15 0
        500 http://ftp.fi.debian.org sarge/main Packages
clamav-daemon:
  Installed: 0.90.3-0volatile1
  Candidate: 0.90.3-0volatile1
  Version Table:
 *** 0.90.3-0volatile1 0
        500 http://volatile.debian.org sarge/volatile/main Packages
        100 /var/lib/dpkg/status
     0.90.2-1~bpo.1 0
          1 http://www.backports.org sarge-backports/main Packages
     0.84-2.sarge.16 0
        500 http://security.debian.org sarge/updates/main Packages
     0.84-2.sarge.15 0
        500 http://ftp.fi.debian.org sarge/main Packages
clamav-freshclam:
  Installed: 0.90.3-0volatile1
  Candidate: 0.90.3-0volatile1
  Version Table:
 *** 0.90.3-0volatile1 0
        500 http://volatile.debian.org sarge/volatile/main Packages
        100 /var/lib/dpkg/status
     0.90.2-1~bpo.1 0
          1 http://www.backports.org sarge-backports/main Packages
     0.84-2.sarge.16 0
        500 http://security.debian.org sarge/updates/main Packages
     0.84-2.sarge.15 0
        500 http://ftp.fi.debian.org sarge/main Packages
libclamav2:
  Installed: 0.90.3-0volatile1
  Candidate: 0.90.3-0volatile1
  Version Table:
 *** 0.90.3-0volatile1 0
        500 http://volatile.debian.org sarge/volatile/main Packages
        100 /var/lib/dpkg/status
     0.90.2-1~bpo.1 0
          1 http://www.backports.org sarge-backports/main Packages
What exactly did you use? The modification I recommended as described here: http://www.howtoforge.com/forums/showthread.php?t=13385&highlight=clamassassin or the modification from andypl in this thread? If you just modified the antivirus.rc.master as described in this thread, you will not have notification emails, as this is only supported when you use the clamassassin script.
I've used the modification you recommend:

Code:
# grep "CLAMSCAN=" /home/admispconfig/ispconfig/tools/clamav/bin/clamassassin
#CLAMSCAN=/home/admispconfig/ispconfig/tools/clamav/bin/clamscan
CLAMSCAN=/usr/bin/clamdscan
SHORTCLAMSCAN=`${ECHO} ${CLAMSCAN} | ${SED} -e "s/.*\///"`

Code:
# grep "ScanMail" /etc/clamav/clamd.conf
ScanMail true

Code:
# grep "NotifyClamd" /etc/clamav/freshclam.conf
NotifyClamd /etc/clamav/clamd.conf

Code:
# grep "NotifyClamd" /home/admispconfig/ispconfig/tools/clamav/etc/freshclam.conf
#NotifyClamd
#NotifyClamd /config/file/path
NotifyClamd /etc/clamav/clamd.conf

I haven't changed anything more...
The changes look ok. Then I have no idea why the notifications do not work. Have you checked the mail.log that really no email was sent by the clamassassin script?
I can't see mail sent in mail.log, and I can't see *where* mail is sent inside clamassassin. If a virus is detected, headers are rewritten, and the "bailiferr" function is called:

Code:
else
  # If the result is 1, then a virus was detected
  if [ ${RESULT} = 1 ]
  then
    # Chop off the tempfile name off the virus message
    # This is a bit complex because there may be multiple status lines
    REASON=`${SED} -e 's/[^:]*: //' -e '/ FOUND$/!d' \
      -e 's/ FOUND$/ FOUND /' < ${LOGTMP} | ${SED} -n -e 'H;${x;s/\n//g;p;}'`
    # Extract the subject so it can be modified if SUBJECTHEAD is set
    # Note that some versions of formail will add a leading space to the
    # subject line, so we strip off one leading space if present.
    SUBJECT=`${FORMAIL} -c -x "Subject:" < ${MSGTMP} | ${SED} -e "s/^ //"`
    # Spit out the message with the headers showing it is infected and how
    ${FORMAIL} -f -I "Subject: ${SUBJECTHEAD}${SUBJECT}" \
      -I "X-Virus-Status: Yes" -I "X-Virus-Report: ${REASON}" \
      -I "X-Virus-Checker-Version: ${VERSION}" < ${MSGTMP}
    bailiferr $?
  else

That function deletes the message but no mail is sent:

Code:
bail() {
  ${RM} -f ${MSGTMP} ${LOGTMP}
  exit ${1}
}

# Routine to bail if error code is passed
bailiferr() {
  if [ ${1} != 0 ]
  then
    bail ${1}
  fi
}

Am I not seeing something? Where is mail sent inside the spamassassin script? Thank you!
If clamd saves so much CPU, why isn't it the default option in the ISPConfig package? Also, why is it needed to install the distro's specific clamd? I see a clamdscan binary inside ISPConfig... Please enlighten us.
Well, as I'm not developing ISPconfig I can't really tell you... I guess it's simpler to provide the clamscan package with ISPconfig so that you'll have a working environment from the start. You could always tweak the settings to your liking (one thing I like a lot about ISPconfig). Setting up a daemon (clamd) requires some privileges - maybe that is why ISPconfig gets delivered with its own package. ...but: I'm only guessing, let's see what a developer has to say
Hi, This change has been made on a system I have, but the individual user .antivirus.rc files still have this in them:

Code:
:0fw
| /home/admispconfig/ispconfig/tools/clamav/bin/clamassassin

:0:
* ^X-Virus-Status: Yes
/dev/null

Should this line also be changed to point to clamd for all users or is this now ignored since the main config file has been changed? Thanks
OK, thanks Till. How can I verify that incoming emails are being scanned, then? I ask because we were getting errors in the X-AntiVirus header prior to switching to clamd, but now we get no anti virus headers at all. I'm not sure if the anti virus header only shows up in emails with positive virus signatures in them or if it should show up in all emails when scanned. Any guidance would be helpful. Thanks, Jon
Send yourself an email where you attached the eicar test virus: http://www.eicar.org/anti_virus_test_file.htm
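
One way to check the result of such a test, as an added example that is not part of any post in this thread: it reads one saved message and reports the X-Virus-* headers that the clamassassin excerpt quoted earlier writes with formail. The function names and both sample messages are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect the X-Virus-* headers of one message on stdin.
# Only the header block is read, so the same text in a body is ignored.

# Print the unfolded value of header $1, or nothing if it is absent.
header_value() {
    awk -v want="$1" '
        function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
        BEGIN { want = tolower(want) ":" }
        /^\r?$/  { exit }                                  # end of headers
        /^[ \t]/ { if (cur) val = val " " trim($0); next } # folded line
        {
            if (cur) exit                                  # next header
            if (tolower(substr($0, 1, length(want))) == want) {
                cur = 1
                val = trim(substr($0, length(want) + 1))
            }
        }
        END { if (cur) print trim(val) }'
}

# Classify a message: infected (with report), tagged (other value), untagged.
scan_verdict() {
    msg=$(cat)
    status=$(printf '%s\n' "$msg" | header_value X-Virus-Status)
    case "$status" in
        Yes) printf 'infected: %s\n' \
                 "$(printf '%s\n' "$msg" | header_value X-Virus-Report)" ;;
        "")  echo "untagged" ;;
        *)   printf 'tagged: %s\n' "$status" ;;
    esac
}

# Constructed sample: headers as the formail call in the excerpt would set them.
sample_tagged() {
    printf '%s\n' 'From: sender@example.org' 'Subject: test' \
        'X-Virus-Status: Yes' 'X-Virus-Report:' ' Eicar-Test-Signature FOUND' \
        'X-Virus-Checker-Version: constructed-sample' '' 'body text'
}

# Constructed sample: the header text appears only in the body.
sample_body_only() {
    printf '%s\n' 'From: sender@example.org' 'Subject: test' '' \
        'X-Virus-Status: Yes'
}

if [ $# -gt 0 ]; then scan_verdict < "$1"; fi
```

Because the per-user recipe quoted above delivers mail tagged X-Virus-Status: Yes to /dev/null, the verdict is easiest to see by piping a saved test message through the clamassassin filter by hand and feeding its output to scan_verdict.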