
Postfix Mailing List Archive

From: Martijn (linux@applica.nl)
Date: Fri Dec 31 2004 - 07:05:31 EST


Hello,

I have trouble getting amavisd-new to work with postfix/clamav.

I have Suse 9.1 installed with the latest (orig. Suse) updates.
fetchmail 6.2.5-45
postfix 2.0.1920040312-11
amavisd 20030616p9-0 is running as user vscan
clamd 0.80.22 is running as user vscan
cyrus 2.2.3-83.19

I changed in main.cf the parameter mailbox_transport = lmtp:unix:public/lmtp to use cyrus imap.

When I look at mail.info I see these problems:

** Problem 1:
Dec 31 10:51:39 newserver postfix/smtp[6031]: connect to localhost[::1]: Connection refused (port 10024)

Dec 31 10:51:39 newserver amavis[5701]: (05701-01) ESMTP::10024 /var/spool/amavis/tmp/amavis-20041231T105139-05701: <test@fake.net> -> <test@fake.net> Received: SIZE=738 BODY=8BITMIME from newserver.fake.net ([127.0.0.1]) by localhost (newserver [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 05701-01 for <test@fake.net>; Fri, 31 Dec 2004 10:51:39 +0100 (CET)
Dec 31 10:51:39 newserver amavis[5701]: (05701-01) Checking: <me@fake.net> -> <test@fake.net>

** Problem 2:
Dec 31 10:51:39 newserver amavis[5701]: (05701-01) Clam Antivirus-clamd: Can't connect to UNIX socket /var/lib/clamav/clamd-socket: No such file or directory, retrying (1)

Dec 31 10:51:40 newserver amavis[5701]: (05701-01) Clam Antivirus-clamd: Can't connect to UNIX socket /var/lib/clamav/clamd-socket: No such file or directory, retrying (2)
Dec 31 10:51:46 newserver amavis[5701]: (05701-01) Clam Antivirus-clamd av-scanner FAILED: Too many retries to talk to /var/lib/clamav/clamd-socket (Can't connect to UNIX socket /var/lib/clamav/clamd-socket: No such file or directory) at (eval 51) line 180.
Dec 31 10:51:46 newserver amavis[5701]: (05701-01) WARN: all primary virus scanners failed, considering backups
Dec 31 10:51:47 newserver amavis[5701]: (05701-01) spam_scan: hits=1.043 tests=NO_REAL_NAME,PRIORITY_NO_NAME

1) My first question: is this setting content_filter=vscan: in main.cf correct?

This is the default Suse setting. Googling around I see often that people have to change it to something like smtp:[127.0.0.1]:10024, but I'm not sure how it works since I have very little experience with Linux.

2) The second question is what path/file to use in the clamav.conf?
Is this correct: "/var/lib/clamav/clamd-socket"?

# ### http://www.clamav.net/
['Clam Antivirus-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/lib/clamav/clamd-socket"],
   qr/\bOK$/, qr/\bFOUND$/,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# # NOTE: run clamd under the same user as amavisd; match the socket
# # name (LocalSocket) in clamav.conf to the socket name in this entry
# # When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],

It would be great to get some pointers.
Thanks in advance
Martijn

I enclosed this info below:
- main.cf
- master.cf
- amavisd.conf
- clamav.conf
- rcamavis start output
- the output I get when I receive an email

To keep this post a bit smaller I removed all #comment lines.

=================================================================================
* main.cf
=================================================================================

soft_bounce = yes
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
unknown_local_recipient_reject_code = 450
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail

newaliases_path = /usr/bin/newaliases

mailq_path = /usr/bin/mailq

setgid_group = maildrop

manpage_directory = /usr/share/man

sample_directory = /usr/share/doc/packages/postfix/samples

readme_directory = /usr/share/doc/packages/postfix/README_FILES
mail_spool_directory = /var/mail
canonical_maps = hash:/etc/postfix/canonical
virtual_maps = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = newserver.fake.net
mydestination = $myhostname, localhost.$mydomain, $mydomain
defer_transports =
disable_dns_lookups = no
relayhost = smtp.direct-adsl.nl
mailbox_command =
mailbox_transport = lmtp:unix:public/lmtp
smtpd_sender_restrictions = hash:/etc/postfix/access
strict_rfc821_envelopes = no
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
smtp_use_tls = no
alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
message_size_limit = 30240000
hash_queue_depth = 2
notify_classes = resource, software, bounce
myorigin = $mydomain
virtual_alias_maps = hash:/etc/postfix/virtual
mydomain = fake.net
smtpd_error_sleep_time = 5s
smtpd_hard_error_limit = 100
content_filter = vscan:

=================================================================================
* master.cf
=================================================================================

smtp inet n - n - 2 smtpd -o content_filter=smtp:[localhost]:10024
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
localhost:10025 inet n - n - - smtpd -o content_filter=
maildrop unix - n n - - pipe
   flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus unix - n n - - pipe
   user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe
   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
   flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
vscan unix - n n - 10 pipe
   user=vscan argv=/usr/sbin/amavis ${sender} ${recipient}
procmail unix - n n - - pipe
   flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}

=================================================================================
* amavisd.conf:
=================================================================================

use strict;

$MYHOME = '/var/spool/amavis';

$mydomain = 'fake.net';

$myhostname = 'newserver'; # fqdn of this host, default by uname(3)

$daemon_user = 'vscan';
$daemon_group = 'vscan';

$TEMPBASE = "$MYHOME/tmp"; # prefer to keep home dir /var/amavis clean?

$pid_file= "$MYHOME/amavisd.pid"; # (default is "$MYHOME/amavisd.pid")

$ENV{TMPDIR} = $TEMPBASE; # wise to set TMPDIR, but not obligatory

$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail
$notify_method = $forward_method; # where to submit notifications

$max_servers = 2; # number of pre-forked children (default 2)
$max_requests = 10; # retire a child after that many accepts (default 10)

$child_timeout=5*60; # abort child if it does not complete each task in n sec
                       # (default: 8*60 seconds)

@local_domains_acl = ( ".$mydomain" ); # $mydomain and its subdomains

                                  # (does not apply to sendmail/milter)
                                  # (default is true)

$unix_socketname = "$MYHOME/amavisd.sock"; # amavis helper protocol socket
                                   # (default is undef, i.e. disabled)
                                   # (usual setting is $MYHOME/amavisd.sock)

$inet_socket_port = 10024; # accept SMTP on this local TCP port
                                   # (default is undef, i.e. disabled)

                                   # (default is '127.0.0.1')
@inet_acl = qw( 127.0.0.1 ); # allow SMTP access only from localhost IP
                                   # (default is qw( 127.0.0.1 ) )

$DO_SYSLOG=1;
$SYSLOG_LEVEL='mail.info';

$LOGFILE="$MYHOME/amavis.log";

$log_level=2;

$log_templ = '[? %#V |[? %#F |[?%#D|Not-Delivered|Passed]|BANNED name/type (%F)]|INFECTED (%V)], #
<%o> -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m, Hits: %c';

$final_virus_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
$final_banned_destiny = D_BOUNCE; # (defaults to D_BOUNCE)
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested

$viruses_that_fake_sender_re = new_RE(
   qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
   qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
   qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
   qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
   qr'@mm|@MM', # mass mailing viruses as labeled by f-prot and uvscan
   qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc
   [qr'^(EICAR|Joke\.|Junk\.)'i => 0],
   [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
   [qr/.*/ => 1], # true by default (remove or comment-out if undesired)
);

$virus_admin = "virusalert\@$mydomain";

$mailfrom_notify_admin = "virusalert\@$mydomain";
$mailfrom_notify_recip = "virusalert\@$mydomain";
$mailfrom_notify_spamadmin = "spam.police\@$mydomain";

$mailfrom_to_quarantine = ''; # override sender address with null return path

$QUARANTINEDIR = '/var/spool/amavis/virusmails';

$virus_quarantine_to = 'virus-quarantine'; # traditional local quarantine

$spam_quarantine_to = undef;

$X_HEADER_TAG = 'X-Virus-Scanned'; # (default: undef)
$X_HEADER_LINE = "by amavisd-new at $mydomain";

$undecipherable_subject_tag = '***UNCHECKED*** '; # undef disables it

$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone
                                        # (defaults to false)
$remove_existing_spam_headers = 1; # remove existing spam headers if
                                # spam scanning is enabled (default)

$keep_decoded_original_re = new_RE(
   qr'^MAIL-UNDECIPHERABLE$', # retain full mail if it contains undecipherables
   qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
);

$banned_filename_re = new_RE(
    qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i, # double extension
    qr'^\.exe$'i, # banned file(1) types
    qr'^application/x-msdownload$'i, # banned MIME types
    qr'^application/x-msdos-program$'i,
);

$sql_select_white_black_list = undef; # undef disables SQL white/blacklisting

$recipient_delimiter = '+'; # (default is '+')

$localpart_is_case_sensitive = 0; # (default is false)

$blacklist_sender_re = new_RE(
     qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
     qr'^(investments|lose_weight_today|market.alert|money2you|MyGreenCard)@'i,
     qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,
     qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
     qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
     qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
);

map { $whitelist_sender{lc($_)}=1 } (qw(
   nobody@cert.org
   owner-alert@iss.net
   slashdot@slashdot.org
   bugtraq@securityfocus.com
   NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
   security-alerts@linuxsecurity.com
   amavis-user-admin@lists.sourceforge.net
   notification-return@lists.sophos.com
   mailman-announce-admin@python.org
   owner-postfix-users@postfix.org
   owner-postfix-announce@postfix.org
   owner-sendmail-announce@Lists.Sendmail.ORG
   owner-technews@postel.ACM.ORG
   lvs-users-admin@LinuxVirtualServer.org
   ietf-123-owner@loki.ietf.org
   cvs-commits-list-admin@gnome.org
   rt-users-admin@lists.fsck.com
   clp-request@comp.nus.edu.sg
   surveys-errors@lists.nua.ie
   emailNews@genomeweb.com
   owner-textbreakingnews@CNNIMAIL12.CNN.COM
   yahoo-dev-null@yahoo-inc.com
   returns.groups.yahoo.com
));

$smtpd_recipient_limit=1000;

$MAXLEVELS=14;

$MAXFILES=1500;

$MIN_EXPANSION_QUOTA=100*1024;
$MAX_EXPANSION_QUOTA=300*1024*1024;
$MIN_EXPANSION_FACTOR=5;
$MAX_EXPANSION_FACTOR=500;

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';

$file = 'file'; # file(1) utility; use 3.41 or later to avoid vulnerability

$gzip = 'gzip';
$bzip2 = 'bzip2';
$lzop = 'lzop';
$uncompress = ['uncompress', 'gzip -d', 'zcat'];
$unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
$arc = ['nomarch', 'arc'];
$unarj = ['arj', 'unarj']; # both can extract, arj is recommended
$unrar = ['rar', 'unrar']; # both can extract, same options
$zoo = 'zoo';
$lha = 'lha';
$cpio = ['gcpio','cpio']; # gcpio is a GNU cpio on OpenBSD, which supports
                             # the options needed; the rest of us use cpio

$sa_local_tests_only = 1; # (default: false)

$sa_timeout = 30; # timeout in seconds for a call to SpamAssassin
                            # (default is 30 seconds, undef disables it)
$sa_mail_body_size_limit = 150*1024; # don't waste time on SA if mail is larger
                            # (less than 1% of spam is > 64k)
                            # default: undef, no limitations

$sa_tag_level_deflt = 3.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5.0;
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
                            # at or above that level: bounce/reject/drop,
                            # quarantine, and adding mail address extension

$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent,
                             # effectively turning D_BOUNCE into D_DISCARD;
                             # undef disables this feature and is a default;

@av_scanners = (

['Clam Antivirus-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/lib/clamav/clamd-socket"],
   qr/\bOK$/, qr/\bFOUND$/,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

   ['KasperskyLab AVP - aveclient',
     ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
      '/opt/kav/bin/aveclient','aveclient'],
     '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/,
     qr/(?:INFECTED|SUSPICION) (.+)/,
   ],

   ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
     '-* -P -B -Y -O- {}', [0,8,16,24], [2,3,4,5,6, 18,19,20,21,22],
     qr/infected: (.+)/,
     sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
     sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
   ],

   ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
   ### products and replaced by aveserver and aveclient
   ['KasperskyLab AVPDaemonClient',
     [ '/opt/AVP/kavdaemon', 'kavdaemon',
       '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
       '/opt/AVP/AvpTeamDream', 'AvpTeamDream',
       '/opt/AVP/avpdc', 'avpdc' ],
     "-f=$TEMPBASE {}", [0,8,16,24], [2,3,4,5,6, 18,19,20,21,22],
     qr/infected: ([^\r\n]+)/ ],
     # change the startup-script in /etc/init.d/kavd to:
     # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
     # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" )
     # adjusting /var/amavis above to match your $TEMPBASE.
     # The '-f=/var/amavis' is needed if not running it as root, so it
     # can find, read, and write its pid file, etc., see 'man kavdaemon'.
     # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
     # directory $TEMPBASE specifies) in the 'Names=' section.
     # cd /opt/AVP/DaemonClients; configure; cd Sample; make
     # cp AvpDaemonClient /opt/AVP/
     # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"

   ### http://www.hbedv.com/ or http://www.centralcommand.com/
   ['H+BEDV AntiVir or CentralCommand Vexira Antivirus',
     ['antivir','vexira'],
     '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
     qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
          (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
     # NOTE: if you only have a demo version, remove -z and add 214, as in:
     # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,

   ### http://www.commandsoftware.com/
   ['Command AntiVirus for Linux', 'csav',
     '-all -archive -packed {}', [50], [51,52,53],
     qr/Infection: (.+)/ ],

   ### http://www.symantec.com/
   ['Symantec CarrierScan via Symantec CommandLineScanner',
     'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
     qr/^Files Infected:\s+0$/, qr/^Infected\b/,
     qr/^(?:Info|Virus Name):\s+(.+)/ ],

   ### http://www.symantec.com/
   ['Symantec AntiVirus Scan Engine',
     'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
     [0], qr/^Infected\b/,
     qr/^(?:Info|Virus Name):\s+(.+)/ ],
     # NOTE: check options and patterns to see which entry better applies

   ### http://www.sald.com/, http://drweb.imshop.de/
   ['drweb - DrWeb Antivirus',
     ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
     '-path={} -al -go -ot -cn -upn -ok-',
     [0,32], [1,33], qr' infected (?:with|by)(?: virus)? (.*)$'],

   ### http://www.f-secure.com/products/anti-virus/
   ['F-Secure Antivirus', 'fsav',
    '--dumb --mime --archive {}', [0], [3,8],
    qr/(?:infection|Infected|Suspected): (.+)/ ],

   ['CAI InoculateIT', 'inocucmd',
     '-sec -nex {}', [0], [100],
     qr/was infected by virus (.+)/ ],

   ['MkS_Vir for Linux (beta)', ['mks32','mks'],
     '-s {}/*', [0], [1,2],
     qr/--[ \t]*(.+)/ ],

   ['MkS_Vir daemon',
     'mksscan', '-s -q {}', [0], [1..7],
     qr/^... (\S+)/ ],

   ### http://www.nod32.com/
   ['ESET Software NOD32', 'nod32',
     '-all -subdir+ {}', [0], [1,2],
     qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ],

   ### http://www.nod32.com/
   ['ESET Software NOD32 - Client/Server Version', 'nod32cli',
     '-a -r -d recurse --heur standard {}', [0], [10,11],
     qr/^\S+\s+infected:\s+(.+)/ ],

   ### http://www.norman.com/products_nvc.shtml
   ['Norman Virus Control v5 / Linux', 'nvccmd',
     '-c -l:0 -s -u {}', [0], [1],
     qr/(?i).* virus in .* -> \'(.+)\'/ ],

   ### http://www.pandasoftware.com/
   ['Panda Antivirus for Linux', ['pavcl'],
     '-aut -aex -heu -cmp -nbr -nor -nso -eng {}',
     qr/Number of files infected[ .]*: 0(?!\d)/,
     qr/Number of files infected[ .]*: 0*[1-9]/,
     qr/Found virus :\s*(\S+)/ ],

   ### http://www.nai.com/
   ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
     '--secure -rv --mime --summary --noboot - {}', [0], [13],
     qr/(?x) Found (?:
         \ the\ (.+)\ (?:virus|trojan) |
         \ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
         :\ (.+)\ NOT\ a\ virus)/,
   # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
   # sub {delete $ENV{LD_PRELOAD}},
   ],
   # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
   # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
   # and then clear it when finished to avoid confusing anything else.
   # NOTE2: to treat encrypted files as viruses replace the [13] with:
   # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/

   ### http://www.virusbuster.hu/en/
   ['VirusBuster', ['vbuster', 'vbengcl'],
     # VirusBuster Ltd. does not support the daemon version for the workstation
     # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
     # binaries, some parameters AND return codes (from 3 to 1) changed.
     "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
     qr/: '(.*)' - Virus/ ],

   ### http://www.cyber.com/
   ['CyberSoft VFind', 'vfind',
     '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,
   # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
   ],

   ### http://www.ikarus-software.com/
   ['Ikarus AntiVirus for Linux', 'ikarus',
     '{}', [0], [40], qr/Signature (.+) found/ ],

   ### http://www.bitdefender.com/
   ['BitDefender', 'bdc',
     '--all --arc --mail {}', qr/^Infected files *:0(?!\d)/,
     qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
     qr/(?:suspected|infected): (.*)$/ ],

);

@av_scanners_backup = (

   ### http://www.clamav.net/
   ['Clam Antivirus - clamscan', 'clamscan',
     '--stdout --no-summary -r {}', [0], [1],
     qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

   ### http://www.f-prot.com/
   ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
     '-dumb -archive -packed {}', [0,8], [3,6],
     qr/Infection: (.+)/ ],

   ### http://www.trendmicro.com/
   ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
     '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],

   ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'],
     '-i1 -xp {}', [0,10,15], [5,20,21,25],
     qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ ,
     sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
     sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
   ],

);

1; # insure a defined return

=================================================================================
* clamav.conf
=================================================================================

LogFile /var/log/clamav/clamd.log

LogFileMaxSize 2M

LogSyslog

LogFacility LOG_MAIL

PidFile /var/lib/clamav/clamd.pid

TemporaryDirectory /tmp

FixStaleSocket

TCPSocket 3310

TCPAddr 127.0.0.1

User vscan
Foreground

=================================================================================
* rcamavis start shows this output:
=================================================================================

Dec 31 09:05:22 newserver amavis[2858]: starting. amavisd at newserver.fake.net amavisd-new-20030616-p9, Unicode aware
Dec 31 09:05:22 newserver amavis[2858]: Perl version 5.008003
Dec 31 09:05:22 newserver amavis[2858]: Module Amavis::Conf 1.15
Dec 31 09:05:22 newserver amavis[2858]: Module Archive::Tar 1.10
Dec 31 09:05:22 newserver amavis[2858]: Module Archive::Zip 1.14
Dec 31 09:05:22 newserver amavis[2858]: Module Compress::Zlib 1.33
Dec 31 09:05:22 newserver amavis[2858]: Module Convert::TNEF 0.17
Dec 31 09:05:22 newserver amavis[2858]: Module Convert::UUlib 1.0
Dec 31 09:05:22 newserver amavis[2858]: Module DB_File 1.808
Dec 31 09:05:22 newserver amavis[2858]: Module MIME::Entity 5.404
Dec 31 09:05:22 newserver amavis[2858]: Module MIME::Parser 5.406
Dec 31 09:05:22 newserver amavis[2858]: Module MIME::Tools 5.411
Dec 31 09:05:22 newserver amavis[2858]: Module Mail::Header 1.60
Dec 31 09:05:22 newserver amavis[2858]: Module Mail::Internet 1.60
Dec 31 09:05:22 newserver amavis[2858]: Module Mail::SpamAssassin 2.64
Dec 31 09:05:22 newserver amavis[2858]: Module Net::Cmd 2.24
Dec 31 09:05:22 newserver amavis[2858]: Module Net::DNS 0.46
Dec 31 09:05:22 newserver amavis[2858]: Module Net::SMTP 2.26
Dec 31 09:05:22 newserver amavis[2858]: Module Net::Server 0.87
Dec 31 09:05:22 newserver amavis[2858]: Module Time::HiRes 1.52
Dec 31 09:05:22 newserver amavis[2858]: Module Unix::Syslog 0.100
Dec 31 09:05:22 newserver amavis[2858]: Found myself: /usr/sbin/amavisd -c /etc/amavisd.conf
Dec 31 09:05:22 newserver amavis[2858]: Lookup::SQL code NOT loaded
Dec 31 09:05:22 newserver amavis[2858]: Lookup::LDAP code NOT loaded
Dec 31 09:05:22 newserver amavis[2858]: AMCL-in protocol code loaded
Dec 31 09:05:22 newserver amavis[2858]: SMTP-in protocol code loaded
Dec 31 09:05:22 newserver amavis[2858]: ANTI-VIRUS code loaded
Dec 31 09:05:22 newserver amavis[2858]: ANTI-SPAM code loaded
Dec 31 09:05:22 newserver amavis[3578]: Net::Server: Process Backgrounded
Dec 31 09:05:22 newserver amavis[3578]: Net::Server: 2004/12/31-09:05:22 Amavis (type Net::Server::PreForkSimple) starting! pid(3578)
Dec 31 09:05:23 newserver amavis[3578]: Net::Server: Binding to UNIX socket file /var/spool/amavis/amavisd.sock using SOCK_STREAM
Dec 31 09:05:23 newserver amavis[3578]: Net::Server: Binding to TCP port 10024 on host 127.0.0.1
Dec 31 09:05:23 newserver amavis[3578]: Net::Server: Setting gid to "101 101"
Dec 31 09:05:23 newserver amavis[3578]: Net::Server: Setting uid to "65"
Dec 31 09:05:23 newserver amavis[3578]: Found $file at /usr/bin/file
Dec 31 09:05:23 newserver amavis[3578]: Found $arc at /usr/bin/arc
Dec 31 09:05:23 newserver amavis[3578]: Found $gzip at /usr/bin/gzip
Dec 31 09:05:23 newserver amavis[3578]: Found $bzip2 at /usr/bin/bzip2
Dec 31 09:05:23 newserver amavis[3578]: No $lzop, not using it
Dec 31 09:05:23 newserver amavis[3578]: Found $lha at /usr/bin/lha
Dec 31 09:05:23 newserver amavis[3578]: Found $unarj at /usr/bin/unarj
Dec 31 09:05:23 newserver amavis[3578]: Found $uncompress at /usr/bin/uncompress
Dec 31 09:05:23 newserver amavis[3578]: No $unfreeze, not using it
Dec 31 09:05:23 newserver amavis[3578]: Found $unrar at /usr/bin/unrar
Dec 31 09:05:23 newserver amavis[3578]: Found $zoo at /usr/bin/zoo
Dec 31 09:05:23 newserver amavis[3578]: Found $cpio at /usr/bin/cpio
Dec 31 09:05:23 newserver amavis[3578]: Using internal av scanner code for (primary) Clam Antivirus-clamd
Dec 31 09:05:23 newserver amavis[3578]: Found secondary av scanner Clam Antivirus - clamscan at /usr/bin/clamscan
Dec 31 09:05:23 newserver amavis[3578]: SpamControl: initializing Mail::SpamAssassin
Dec 31 09:05:24 newserver spamd[3546]: server started on port 783/tcp (running version 2.64)
Dec 31 09:05:24 newserver amavis[3578]: SpamControl: done
Dec 31 09:05:26 newserver postfix/postfix-script: starting the Postfix mail system
Dec 31 09:05:26 newserver postfix/master[3747]: daemon started -- version 2.0.19-20040312
Dec 31 09:05:30 newserver freshclam[3935]: Daemon started.
Dec 31 09:05:30 newserver freshclam[3947]: freshclam daemon 0.80 (OS: linux-gnu, ARCH: i386, CPU: i686)
Dec 31 09:05:30 newserver freshclam[3947]: ClamAV update process started at Fri Dec 31 09:05:30 2004
Dec 31 09:05:30 newserver freshclam[3947]: ERROR: Can't query current.cvd.clamav.net
Dec 31 09:05:30 newserver clamd[3934]: Daemon started.
Dec 31 09:05:30 newserver clamd[3934]: clamd daemon 0.80 (OS: linux-gnu, ARCH: i386, CPU: i686)
Dec 31 09:05:30 newserver clamd[3934]: Log file size limited to 2097152 bytes.
Dec 31 09:05:30 newserver clamd[3934]: Running as user vscan (UID 65, GID 101)
Dec 31 09:05:30 newserver clamd[3934]: Reading databases from /var/lib/clamav
Dec 31 09:05:30 newserver freshclam[3947]: main.cvd is up to date (version: 28, sigs: 26630, f-level: 3, builder: tomek)
Dec 31 09:05:30 newserver freshclam[3947]: ERROR: Can't query current.cvd.clamav.net
Dec 31 09:05:30 newserver freshclam[3947]: daily.cvd is up to date (version: 646, sigs: 2329, f-level: 3, builder: tkojm)
Dec 31 09:05:30 newserver freshclam[3947]: --------------------------------------
Dec 31 09:05:31 newserver clamd[3934]: Protecting against 28959 viruses.
Dec 31 09:05:31 newserver clamd[3934]: Bound to address 127.0.0.1 on port 3310
Dec 31 09:05:31 newserver clamd[3934]: Setting connection queue length to 15
Dec 31 09:05:31 newserver clamd[3934]: Archive: Archived file size limit set to 10485760 bytes.
Dec 31 09:05:31 newserver clamd[3934]: Archive: Recursion level limit set to 5.
Dec 31 09:05:31 newserver clamd[3934]: Archive: Files limit set to 1000.
Dec 31 09:05:31 newserver clamd[3934]: Archive: Compression ratio limit set to 250.
Dec 31 09:05:31 newserver clamd[3934]: Archive support enabled.
Dec 31 09:05:31 newserver clamd[3934]: Archive: RAR support disabled.
Dec 31 09:05:31 newserver clamd[3934]: Portable Executable support enabled.
Dec 31 09:05:31 newserver clamd[3934]: Mail files support enabled.
Dec 31 09:05:31 newserver clamd[3934]: OLE2 support enabled.
Dec 31 09:05:31 newserver clamd[3934]: HTML support enabled.
Dec 31 09:05:31 newserver clamd[3934]: Self checking every 1800 seconds.

=================================================================================
* receiving an email shows this output:
=================================================================================

Dec 31 09:55:16 newserver postfix/smtpd[4595]: connect from localhost[127.0.0.1]
Dec 31 09:55:16 newserver postfix/smtpd[4595]: 4E53DF23C: client=localhost[127.0.0.1]
Dec 31 09:55:16 newserver postfix/cleanup[4598]: 4E53DF23C: message-id=<1404.192.168.0.14.1104483316.squirrel@192.168.0.1>
Dec 31 09:55:16 newserver postfix/smtpd[4595]: disconnect from localhost[127.0.0.1]
Dec 31 09:55:16 newserver postfix/qmgr[3806]: 4E53DF23C: from=<test@fake.net>, size=737, nrcpt=1 (queue active)
Dec 31 09:55:16 newserver postfix/smtp[4599]: connect to localhost[::1]: Connection refused (port 10024)
Dec 31 09:55:16 newserver amavis[4583]: (04583-01) ESMTP::10024 /var/spool/amavis/tmp/amavis-20041231T095516-04583: <test@fake.net> -> <test@fake.net> Received: SIZE=737 BODY=8BITMIME from newserver.fake.net ([127.0.0.1]) by localhost (newserver.fake.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 04583-01 for <test@fake.net>; Fri, 31 Dec 2004 09:55:16 +0100 (CET)
Dec 31 09:55:16 newserver amavis[4583]: (04583-01) Checking: <test@fake.net> -> <test@fake.net>
Dec 31 09:55:16 newserver amavis[4583]: (04583-01) Clam Antivirus-clamd: Can't connect to UNIX socket /var/lib/clamav/clamd-socket: No such file or directory, retrying (1)
Dec 31 09:55:17 newserver amavis[4583]: (04583-01) Clam Antivirus-clamd: Can't connect to UNIX socket /var/lib/clamav/clamd-socket: No such file or directory, retrying (2)
Dec 31 09:55:23 newserver amavis[4583]: (04583-01) Clam Antivirus-clamd av-scanner FAILED: Too many retries to talk to /var/lib/clamav/clamd-socket (Can't connect to UNIX socket /var/lib/clamav/clamd-socket: No such file or directory) at (eval 51) line 180.
Dec 31 09:55:23 newserver amavis[4583]: (04583-01) WARN: all primary virus scanners failed, considering backups
Dec 31 09:55:24 newserver amavis[4583]: (04583-01) spam_scan: hits=1.043 tests=NO_REAL_NAME,PRIORITY_NO_NAME
Dec 31 09:55:24 newserver amavis[4583]: (04583-01) FWD via SMTP: [127.0.0.1]:10025 <test@fake.net> -> <test@fake.net>
Dec 31 09:55:24 newserver postfix/smtpd[4602]: connect from localhost[127.0.0.1]
Dec 31 09:55:24 newserver postfix/smtpd[4602]: 2B81015EAD: client=localhost[127.0.0.1]
Dec 31 09:55:24 newserver postfix/cleanup[4598]: 2B81015EAD: message-id=<1404.192.168.0.14.1104483316.squirrel@192.168.0.1>
Dec 31 09:55:24 newserver postfix/smtpd[4602]: disconnect from localhost[127.0.0.1]
Dec 31 09:55:24 newserver amavis[4583]: (04583-01) Passed, <test@fake.net> -> <test@fake.net>, Message-ID: <1404.192.168.0.14.1104483316.squirrel@192.168.0.1>, Hits: 1.043
Dec 31 09:55:24 newserver amavis[4583]: (04583-01) TIMING [total 7816 ms] - SMTP EHLO: 3 (0%), SMTP pre-MAIL: 0 (0%), mkdir tempdir: 0 (0%), create email.txt: 1 (0%), SMTP pre-DATA-flush: 4 (0%), SMTP DATA: 37 (0%), body hash: 1 (0%), mkdir parts: 1 (0%), mime_decode: 15 (0%), get-file-type: 186 (2%), decompose_part: 2 (0%), parts: 0 (0%), AV-scan-1: 7006 (90%), AV-scan-2: 426 (5%), SA msg read: 2 (0%), SA parse: 2 (0%), SA check: 50 (1%), fwd-connect: 18 (0%), fwd-mail-from: 1 (0%), fwd-rcpt-to: 4 (0%), write-header: 4 (0%), fwd-data: 0 (0%), fwd-data-end: 50 (1%), fwd-rundown: 2 (0%), unlink-1-files: 5 (0%), rundown: 1 (0%)
Dec 31 09:55:24 newserver postfix/qmgr[3806]: 2B81015EAD: from=<test@fake.net>, size=1235, nrcpt=1 (queue active)
Dec 31 09:55:24 newserver postfix/smtp[4599]: 4E53DF23C: to=<test@fake.net>, relay=localhost[127.0.0.1], delay=8, status=sent (250 2.6.0 Ok, id=04583-01, from MTA: 250 Ok: queued as 2B81015EAD)
Dec 31 09:55:24 newserver postfix/qmgr[3806]: 4E53DF23C: removed
Dec 31 09:55:24 newserver postfix/lmtp[4604]: 2B81015EAD: to=<test@fake.net>, relay=public/lmtp[public/lmtp], delay=0, status=sent (250 2.1.5 Ok)
Dec 31 09:55:24 newserver postfix/qmgr[3806]: 2B81015EAD: removed
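The second question in the post comes down to whether the socket named in the amavisd.conf clamd entry is one that clamd actually opens: the posted clamav.conf has TCPSocket 3310 on 127.0.0.1 and no LocalSocket line, which is what the "No such file or directory" retries reflect, and the amavisd.conf comment itself says to match LocalSocket to that entry. The script below is an added example, not amavisd-new or ClamAV code, that parses both files and reports whether they agree; the sample configs are constructed from the posted values, and treating a colon-free target as a socket path is an assumption about ask_daemon.

```python
"""Cross-check how clamd listens (clamd.conf) against the endpoint the
amavisd-new 'Clam Antivirus-clamd' entry dials.  Added example, not part
of amavisd-new or ClamAV; sample configs are constructed from the post."""
import re

# Constructed from the posted clamav.conf: TCP only, no LocalSocket line.
CLAMD_CONF = """\
LogFile /var/log/clamav/clamd.log
PidFile /var/lib/clamav/clamd.pid
FixStaleSocket
TCPSocket 3310
TCPAddr 127.0.0.1
User vscan
"""

# Constructed from the posted amavisd.conf scanner entry (Perl source).
AMAVISD_CONF = """\
@av_scanners = (
['Clam Antivirus-clamd',
   \\&ask_daemon, ["CONTSCAN {}\\n", "/var/lib/clamav/clamd-socket"],
   qr/\\bOK$/, qr/\\bFOUND$/,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);
"""

# Matches: ['<name containing clamd>', \&ask_daemon, ["<query>", "<target>"]
SCANNER_RE = re.compile(
    r"""\[\s*'([^']*clamd[^']*)'\s*,\s*\\&ask_daemon\s*,\s*
        \[\s*"[^"]*"\s*,\s*"([^"]+)"\s*\]""", re.I | re.X)


def clamd_endpoints(conf):
    """Endpoints clamd will offer: ('unix', path) and/or ('tcp', addr, port).
    A missing TCPAddr means clamd binds every interface, shown as '*'."""
    opts = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ''
    eps = set()
    if opts.get('LocalSocket'):
        eps.add(('unix', opts['LocalSocket']))
    if opts.get('TCPSocket'):
        eps.add(('tcp', opts.get('TCPAddr') or '*', int(opts['TCPSocket'])))
    return eps


def amavisd_clamd_target(conf):
    """Endpoint amavisd will dial: ('unix', path) or ('tcp', host, port), or
    None when no ask_daemon clamd entry exists.  Assumption: a target without
    a colon is a socket path (it may still be an unexpanded $MYHOME/clamd)."""
    m = SCANNER_RE.search(conf)
    if not m:
        return None
    target = m.group(2)
    if ':' not in target:
        return ('unix', target)
    host, _, port = target.rpartition(':')
    return ('tcp', host or '127.0.0.1', int(port))


def describe(eps):
    """Human-readable list of clamd endpoints."""
    names = [e[1] if e[0] == 'unix' else '%s:%d' % (e[1], e[2]) for e in eps]
    return ', '.join(sorted(names)) or 'nothing'


def check(clamd_conf, amavisd_conf):
    """Return (ok, message); ok is True when amavisd dials an endpoint
    that clamd really opens, so the scanner cannot silently fail over."""
    offered = clamd_endpoints(clamd_conf)
    wanted = amavisd_clamd_target(amavisd_conf)
    if wanted is None:
        return False, 'amavisd.conf has no clamd entry using ask_daemon'
    if wanted[0] == 'unix':
        if wanted in offered:
            return True, 'clamd provides LocalSocket %s' % wanted[1]
        return False, ('amavisd dials UNIX socket %s, but clamd.conf has no '
                       'matching LocalSocket line; clamd offers: %s'
                       % (wanted[1], describe(offered)))
    _, host, port = wanted
    for ep in offered:
        if ep[0] == 'tcp' and ep[2] == port and ep[1] in ('*', host):
            return True, 'clamd listens on %s:%d' % (host, port)
    return False, ('amavisd dials %s:%d, but clamd offers: %s'
                   % (host, port, describe(offered)))


if __name__ == '__main__':
    ok, msg = check(CLAMD_CONF, AMAVISD_CONF)
    print('OK' if ok else 'MISMATCH', '-', msg)
```

On the posted configs it reports a mismatch; adding a LocalSocket line for /var/lib/clamav/clamd-socket to clamav.conf (both daemons already run as vscan) makes the check pass.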
