Sorry, I should have posted the clamd.monitor used at my shop. The one from http://www.cmpublishers.com/oss/ checks the TCP banner, complains if the socket isn't answered or if you're running an outdated clamd (the latter a nice feature which is not in the one I've been using).
However, the clamd monitor attached to this message goes through the steps to actually submit a piece of email for virus scanning, and uses the EICAR "fake virus" to test whether clamd is actually going through the message. That goes a bit deeper into the internals and might turn up problems that a simple socket open/close wouldn't. We use a similar monitor for SpamAssassin that uses the corresponding "fake spam signature" to test whether spamd is checking messages - if anyone's interested, let me know.

-- Ed
#!/usr/local/bin/perl5.6.1
# clamd.monitor - make sure clamd recognizes the EICAR test virus
# Written by Jed Davis. Released to public (license is GPL) courtesy of
# PANIX Public Access Networks, http://www.panix.com

require 5.006;
use strict;
use Getopt::Std;
use ClamAV::Client;
use IO::String;

my $usage = "clamd.monitor [-d] [-p port] [-t timeout] host [host...]\n";
our ($opt_t, $opt_p, $opt_d);
getopts("p:t:d") || die $usage;
my $tcpport = $opt_p || 9001;   # clamd TCP port
my $timeout = $opt_t || 30;     # per-host timeout in seconds
my $debugp  = $opt_d;

# Standard "test" virus - broken up into two lines to avoid triggering
# anti-virus systems (cough, cough)
# The start of this literal is mangled in this copy of the message;
# it has to be the standard EICAR test string for the check to work.
my $virus = 'x5o...@ap[4\pzx54(P^)7CC)7}$EICAR-STANDARD-'
          . 'ANTIVIRUS-TEST-FILE!$H+H*';

my (@failures);
for my $host (@ARGV) {
    my $result = undef;
    eval {
        # Install the handler before arming the timer
        $SIG{ALRM} = sub { die "Timeout ($timeout seconds)\n" };
        alarm $timeout;
        my $scanner = ClamAV::Client->new(
            socket_host => $host,
            socket_port => $tcpport);
        # scan_stream returns the signature name, or undef if nothing was found
        $result = $scanner->scan_stream(IO::String->new($virus));
        print STDERR "DEBUG: $host: $result\n" if $debugp;
    };
    alarm 0;    # cancel the pending alarm so it cannot fire after the check
    if ($@) {
        chomp $@;
        $@ =~ s/^(Could not establish socket connection), tried UNIX domain and TCP sockets at .*/$1/;
        push @failures, [$host, "Exception: $@"];
    } elsif (!$result) {
        push @failures, [$host, "Responded, but failed to recognize test virus"];
    } elsif ($result ne "Eicar-Test-Signature") {
        push @failures, [$host, "Unexpected response: $result"];
    }
}

# mon convention: first line is the summary (failed hosts), then the details
print join(" ", map { $$_[0] } @failures) . "\n";
print join("", map { "$$_[0]: $$_[1]\n" } @failures);
exit ($#failures >= 0);     # exit status 1 if any host failed
_______________________________________________
mon mailing list
mon@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/mon
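
The same end-to-end check at the wire level, as an added example that is not part of the original message or of ClamAV::Client: it frames a payload for clamd's INSTREAM command and sorts the reply into the three failure cases the posted monitor reports. The function names are illustrative, and it assumes a clamd that accepts INSTREAM and reports the signature name used in the post; the test payload is supplied by the caller.

```python
import socket
import struct

EXPECTED = "Eicar-Test-Signature"  # name the posted monitor compares against (assumed unchanged)

def build_instream(payload: bytes, chunk_size: int = 4096) -> bytes:
    """Frame payload for clamd's INSTREAM command (null-delimited 'z' form)."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(payload), chunk_size):
        chunk = payload[i:i + chunk_size]
        # Each chunk is prefixed with its length as a 4-byte big-endian integer
        out.append(struct.pack("!I", len(chunk)) + chunk)
    out.append(struct.pack("!I", 0))  # zero-length chunk ends the stream
    return b"".join(out)

def classify_reply(reply: bytes, expected: str = EXPECTED):
    """Map a raw clamd reply to (ok, detail), mirroring the monitor's failure cases."""
    text = reply.rstrip(b"\0\n").decode("ascii", "replace")
    body = text.split(": ", 1)[1] if ": " in text else text
    if body.endswith(" FOUND"):
        name = body[:-len(" FOUND")]
        if name == expected:
            return True, name
        return False, f"Unexpected response: {name}"
    if body == "OK":
        # clamd answered but did not flag the test payload
        return False, "Responded, but failed to recognize test virus"
    return False, f"Exception: {text}"

def check_host(host, port, payload, timeout=30.0):
    """Send payload to one clamd; connection errors and timeouts become failures."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_instream(payload))
            reply = b""
            while not reply.endswith(b"\0"):
                data = s.recv(4096)
                if not data:
                    break
                reply += data
    except OSError as exc:  # refused connection, unreachable host, timeout
        return False, f"Exception: {exc}"
    return classify_reply(reply)
```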