
Mailing List Archive: ClamAV: users

Exim email virus scanning

 

 



david.kentwood at gmail

Jan 17, 2012, 3:28 PM


Hello,

For the virus scan option in Exim with /etc/exim.conf:
av_scanner = clamd:127.0.0.1 3310

What happens if a virus is detected by ClamAV? Does the email get deleted
automatically, or do I have to delete the infected mail manually afterwards?

Thanks,

Dave
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


bdm at fenrir

Jan 17, 2012, 3:39 PM


On Tue, 17 Jan 2012 18:28:29 -0500
David Kentwood <david.kentwood [at] gmail> wrote:

> What happens if a virus is detected by ClamAV? Does the email get deleted
> automatically, or do I have to delete the infected mail manually afterwards?

Normally you would configure Exim to refuse the email if it is shown as
infected, so reject at SMTP time and thus never actually deliver the
email.

--

Brian Morrison

"I am not young enough to know everything"
Oscar Wilde


david.kentwood at gmail

Jan 17, 2012, 6:25 PM


Sorry, I am not experienced with Exim configuration. When you say "reject at
SMTP time", does adding the following to exim.conf suffice?

check_message:
  deny message = This message contains malformed MIME ($demime_reason)
       demime = *
       condition = ${if >{$demime_errorlevel}{2}{1}{0}}
  deny message = This message contains a virus or other harmful content ($malware_name)
       demime = *
       malware = */defer_ok
  deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
       demime = bat:com:pif:prf:scr:vbs
  warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

I got the above from a Directadmin tutorial

thanks again



bdm at fenrir

Jan 18, 2012, 6:14 AM


On Tue, 17 Jan 2012 21:25:40 -0500
David Kentwood <david.kentwood [at] gmail> wrote:

> Sorry, I am not experienced with Exim configuration. When you say "reject at
> SMTP time", does adding the following to exim.conf suffice?

Well it _looks_ OK to me, but Exim configurations are quite individual
though so it might not be absolutely correct for your environment. You
could ask on the Exim users list or do some more Googling to find other
config syntax to reject malware and compare the code with your original
suggestion.

You can then use the EICAR signature as a way to test your setup for
correct function before you make it live.

--

Brian Morrison

"I am not young enough to know everything"
Oscar Wilde


david.kentwood at gmail

Jan 18, 2012, 7:14 AM


Thank you very much!



tlyons at ivenue

Jan 19, 2012, 7:06 AM


On Tue, Jan 17, 2012 at 6:25 PM, David Kentwood
<david.kentwood [at] gmail> wrote:
> Sorry, I am not experienced with Exim configuration. When you say "reject at
> SMTP time", does adding the following to exim.conf suffice?
>
> check_message:
>  deny message = This message contains malformed MIME ($demime_reason)
>  demime = *
>  condition = ${if >{$demime_errorlevel}{2}{1}{0}}
<snip>
> I got the above from a Directadmin tutorial

Here's how I do it in mine. First I set in global setting:

# Path to your clamav unix socket or network socket
av_scanner = clamd:/var/clamav/clamd.sock

Then I put this somewhere early in the data acl:

# Reject viruses
deny message = Contains a virus, malware, or is Phishing: $malware_name
     malware = *

Run 'exim -bV' and make sure that the changes don't generate any
errors. As an example, if I typo one line, it will tell me:

2012-01-19 15:05:35 Exim configuration error in line 86 of /etc/exim/exim.conf:
main option "avi_scanner" unknown

Regards... Todd
--
SOPA: Any attempt to [use legal means to] reverse technological
advances is doomed.  --Leo Leporte
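
An added example, not part of the original thread or any poster's own configuration: the two `malware` forms posted in this thread differ in what happens when clamd cannot be reached, which this fragment shows side by side. The ACL name `acl_check_data` is an assumption; the socket path and message texts are the ones quoted in the posts above.

```conf
# Added illustration (fragment only); acl_check_data is an assumed ACL name.

# --- main configuration section ---
# Scanner address as in the post above (a unix socket; the first post in
# the thread uses the host-and-port form, clamd:127.0.0.1 3310).
av_scanner = clamd:/var/clamav/clamd.sock
# Run the ACL below once the message body has been received (SMTP DATA).
acl_smtp_data = acl_check_data

# --- ACL section ---
begin acl

acl_check_data:

  # Fail closed. On a signature match the message is refused and
  # $malware_name holds the name reported by the scanner. If clamd is
  # down or times out, the condition defers: the sending host gets a
  # temporary error and retries later, so nothing is accepted unscanned.
  deny    message = Contains a virus, malware, or is Phishing: $malware_name
          malware = *

  # Fail open (the form in the tutorial snippet earlier in the thread).
  # A scanner error is treated as "no match", so mail is accepted
  # unscanned for as long as clamd is unavailable. Use one form or the
  # other, not both.
  # deny  message = This message contains a virus or other harmful content ($malware_name)
  #       malware = */defer_ok

  accept
```

After editing, `exim -bV` catches syntax errors as described above, and a message carrying the EICAR test string confirms that the rejection actually fires.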


david.kentwood at gmail

Jan 19, 2012, 8:09 AM


That's a neater solution than what I found. Thanks.

Just wondering, how do you set variables such as $malware_name? Or are the
variables automatically set by Exim or by ClamAV?



tlyons at ivenue

Jan 19, 2012, 1:48 PM


On Thu, Jan 19, 2012 at 8:09 AM, David Kentwood
<david.kentwood [at] gmail> wrote:
> That's a neater solution than what I found. Thanks.
>
> Just wondering, how do you set variables such as $malware_name? Or are the
> variables automatically set by Exim or by ClamAV?

You'll want to read through the docs, chapter 41 if I recall
correctly. Yes, $malware_name is set if the malware matches.

...Todd
--
SOPA: Any attempt to [use legal means to] reverse technological
advances is doomed.  --Leo Leporte
