
Scanning incoming mail for viruses

Posted by Steve on Wed 29 Sep 2004 at 19:13

Viruses are a fact of life nowadays, be they real viruses or worms which require manual intervention on the part of a user to propagate. Unix systems tend to be immune from the viruses themselves, but they still end up with mail queues full of viral messages. Read on to learn how to remove them safely.

There are several virus scanners available for GNU/Linux systems, but ClamAV is the only one which is licensed under the terms of the GNU General Public License.

This is available for Debian systems, either in the official Debian archives, or as a backport for Woody.

When installing the software you'll be prompted for a frequency at which to update your signatures. These must be updated regularly for the scanner to recognise new threats, so choose 'Hourly' when prompted.

Once you've installed the clamav package you will find that you have a binary called clamscan. This is used to scan files for Windows viruses.

Scanning your mail automatically is a simple process if you're using procmail to sort your mail after it is delivered.

Most of the work is writing a small snippet of code to invoke the scanner on incoming messages.

One such script is called clamfilter, and it can be invoked by a procmail recipe as follows:

#
# Scan for Viral emails
#
:0fw
| /usr/local/bin/clamfilter.pl

:0 H:
* X-Virus-Found: yes
$HOME/Mail/virus

This will invoke the script on all incoming mail, and if any of the messages contain a known virus they will be moved into a local folder called virus.

From there you can do as you wish.
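The following is an added, constructed stand-in for the clamfilter script (it is not the clamfilter.pl the article refers to, nor part of ClamAV): a procmail filter that reads one message on stdin, scans it with clamscan, and echoes it back with the X-Virus-Found header the recipe above matches. It assumes clamscan is on the PATH; the command-line options, exit codes and the "stdin: <signature> FOUND" output line are standard clamscan behaviour.

```python
#!/usr/bin/env python3
"""Constructed stand-in for clamfilter.pl: a procmail filter that scans one message
from stdin with clamscan and echoes it back with a virus header added."""
import re
import subprocess
import sys

# clamscan reports each hit as "<file>: <signature> FOUND"; with "-" the file is "stdin"
FOUND_RE = re.compile(r"^(?P<file>.+?): (?P<sig>.+) FOUND$", re.MULTILINE)


def parse_clamscan_output(output: str) -> list[str]:
    """Return the signature names clamscan flagged (empty list when clean)."""
    return [m.group("sig") for m in FOUND_RE.finditer(output)]


def scan(message: bytes, timeout: float = 60.0) -> tuple[str, list[str]]:
    """Run clamscan on the raw message. Exit code 0 = clean, 1 = infected, else error.
    The timeout bounds each filter process so stalled scans cannot pile up."""
    try:
        proc = subprocess.run(["clamscan", "--stdout", "--no-summary", "-"],
                              input=message, capture_output=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return "error", []
    if proc.returncode == 1:
        return "infected", parse_clamscan_output(proc.stdout.decode(errors="replace"))
    return ("clean", []) if proc.returncode == 0 else ("error", [])


def filter_message(message: bytes, scanner=scan) -> bytes:
    """Prepend X-Virus-* headers; X-Virus-Found: yes only when a signature matched."""
    status, sigs = scanner(message)
    headers = []
    if status == "infected":
        headers.append(b"X-Virus-Found: yes")
    headers.append(b"X-Virus-Status: " + (", ".join(sigs) or status).encode())
    # Keep a leading mbox "From " line first so the message still parses as mbox.
    head = b""
    if message.startswith(b"From "):
        head, _, message = message.partition(b"\n")
        head += b"\n"
    return head + b"\n".join(headers) + b"\n" + message


if __name__ == "__main__":
    sys.stdout.buffer.write(filter_message(sys.stdin.buffer.read()))
    sys.exit(0)  # procmail's 'w' flag discards our output on a non-zero exit
```

Unlike the original clamfilter, this version always adds an X-Virus-Status header (clean, error, or the matched signature names), so you can confirm from the headers that each message was actually scanned.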

Re: Scanning incoming mail for viruses
Posted by Anonymous (127.0.xx.xx) on Tue 9 Nov 2004 at 15:36
The name of the Perl script is clamfilter.pl and therefore it should be invoked by
/usr/local/bin/clamfilter.pl


Re: Scanning incoming mail for viruses
Posted by GoodTimes (65.247.xx.xx) on Thu 12 May 2005 at 21:02
another thing to try is to use it as a sendmail milter

the package in the repository is called clamav-milter

the /usr/share/doc/clamav-milter/README.Debian has everything you need to know

of course, you need to be using sendmail...


Re: Scanning incoming mail for viruses
Posted by simms (216.46.xx.xx) on Tue 31 Jan 2006 at 17:26
I just installed procmail + clamav + clamfilter as per Steve's instructions, but I'm not entirely sure that clamfilter is really doing its job ..

I can tell from the log that procmail *does* get invoked for each new message, but when I look at the headers of incoming mail, I see no indication that it was actually scanned for viruses (e.g. X-Virus-Found: no or something).

Is this normal? When using clamfilter, will a special header be added only to detected `viral' mail?
(oh, and clamfilter's source is clearly not meant for clueless Perl newbies like myself -- I get dizzy just looking at it)


Re: Scanning incoming mail for viruses
Posted by Steve (82.41.xx.xx) on Wed 1 Feb 2006 at 20:42

The header is only added to infected mails.

You can see this by running something like:

skx@itchy:/tmp$ echo "test" >> /tmp/t
skx@itchy:/tmp$ echo >> /tmp/t
skx@itchy:/tmp$ cat /tmp/t | perl clamfilter.pl 
test

By contrast the EICAR test virus shows a match:

skx@itchy:/tmp$ echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$ H+H*' > /tmp/t
skx@itchy:/tmp$ echo >> /tmp/t
skx@itchy:/tmp$ cat /tmp/t | perl clamfilter.pl 
X-Virus-Found: yes
X-Virus-Status:
 ------------------------------------------------------------
 Virus Scan Status:
 ------------------------------------------------------------
 stdin: Eicar-Test-Signature FOUND
 
 ----------- SCAN SUMMARY -----------
 Known viruses: 43895
 Engine version: 0.88
 Scanned directories: 0
 Scanned files: 1
 Infected files: 1
 Data scanned: 0.00 MB
 Time: 0.648 sec (0 m 0 s)
 
 ------------------------------------------------------------


Steve


Re: Scanning incoming mail for viruses
Posted by simms (216.13.xx.xx) on Thu 2 Feb 2006 at 13:55
Thanks for the tip.

I ended up realizing that clamfilter was indeed being invoked for each message. Unfortunately this script seems like it needs a bit more work, as after about 18h in operation, it completely fudged up my system. I didn't have the patience to analyze the problem in detail, but it seemed as if my clamfilter processes were stalling ad infinitum, while new ones were being created with every fetchmail/procmail invocation (i.e. every minute in my case). The whole thing created a kind of cumulative memory leak situation, and in the end my server ran out of resources completely and slowed to a crawl. I had to reboot in single-user mode and disable clamfilter to bring the situation back to normal.

That being said, I can't really blame clamfilter for this problem, as it may have been caused by other parts of my setup, or simply because I fetch my mail too often.

Does anyone know of a more reliable / less resource-greedy way of clam-scanning incoming mail? I'm not sure if this would help, but perhaps it would be better if clam could be run as a daemon (like spamd) for this purpose.


Re: Scanning incoming mail for viruses
Posted by Steve (82.41.xx.xx) on Thu 2 Feb 2006 at 14:00

Using clamav directly at SMTP time is probably a better way to go - but that only applies if you're in control of the mailserver.

(It sounds like you're not, if you're fetching mail remotely using fetchmail.)

I used the clamfilter script without problems on my machine for about eight months before upgrading to Exim4 with SMTP-time scanning. So I'm afraid I'm not really familiar with the alternatives.

Steve


Re: Scanning incoming mail for viruses
Posted by simms (216.13.xx.xx) on Thu 2 Feb 2006 at 14:10
Alright, valid points, but just a sec.. isn't fetchmail supposed to deliver mail via my exim4 installation? My understanding of the matter, as per the fetchmail man page, is that it will pass fetched messages on to port 25 on the local machine, thus invoking the normal local delivery system (in my case exim4):
As each message is retrieved fetchmail normally delivers it via SMTP to port 25 on the machine it is running on (localhost), just as though it were being passed in over a normal TCP/IP link. The mail will then be delivered locally via your system's MDA (Mail Delivery Agent, usually sendmail(8) but your system may use a different one such as smail, mmdf, exim, or qmail).
Given the above, do you think that your instructions would be applicable to my situation? If fetchmail truly uses exim4 to make the final delivery to my local inbox, then your exim4-based viral mail rejection setup should work in my case as well, right?


Re: Scanning incoming mail for viruses
Posted by Steve (82.41.xx.xx) on Thu 2 Feb 2006 at 14:17

I thought fetchmail did a local delivery via procmail - but I'm hazy on the details.

If it does invoke exim4 then yes it would seem like the instructions should work. (Hmmm I wonder what it would do to a bounce ..?)

Steve


Re: Scanning incoming mail for viruses
Posted by simms (216.46.xx.xx) on Thu 2 Feb 2006 at 14:54
Alright, I guess we'll be finding out soon :)
I just backed up my exim config, and now I'm trying your daemon-based solution.

I'll certainly post the details later, if I can get this working.


Re: Scanning incoming mail for viruses - a different way
Posted by simms (216.13.xx.xx) on Thu 2 Feb 2006 at 15:33
Alright!
Looks like everything worked.

For posterity's sake, here's a description of my setup:
  • fetchmail running as a daemon, polling remote mailboxes every minute;
    NB: the mda option in my .fetchmailrc is disabled, so that fetchmail's default behaviour -- delivering to the local port 25 listener, i.e. exim4 -- applies.
  • exim4-daemon-heavy and clamav-daemon installed and configured as per Steve's article;
    this also required me to punch in adduser clamav Debian-exim so as to prevent permission issues, and then to restart both exim4 and clamav-daemon;
  • procmail is also invoked during mail processing, as per the default settings of Debian's exim4 packages (no configuration was necessary other than setting up my 'recipes' in ~/.procmailrc).
