Re: [clamav-users] ClamAVPlugin

2021-02-22 Thread Joe Acquisto-j4


> Greetings
> 
> Seems time to address this
> . . .
>>>> 6. What happens if you mail to yourself something containing the
>>>> EICAR test file?  Check all your log files as well as looking
>>>> for mail headers etc.
>>>
>>> That has proven difficult as every place I have an email client out in
>>> the great wilderness, has strict checking and blocks EICAR ...
>> 
>> Can you not simply use your own mail server to send yourself mail??
>> 
> 
> Sending mail via the local postfix host bypasses spamassassin (spamd)
> and clamav (clamd/clamav-milter). 
> 
> It gets passed on virtually untouched.  Currently posted on postfix users
> list hoping for an answer. but maybe some one here knows what might be
> wrong with my postfix config?
> 
>> 
>> 73,
>> Ged.
>> 
> 
> joe a
>

The clamd local scanning was resolved by setting up non_smtpd_milters to
the same socket as smtpd_milters.  Simple, obvious.

/var/log/mail/ showed EICAR detected, but the received (locally sent) email
did not have a flag in the header to show that.  

In any event, I now need to do something with, or to, the "infected" email,
which could be as simple as adding something to the subject line.  However, how to do
that, or if it is even possible, is not obvious to me.

joe a.
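An added check for the symptom described in this post (the mail log shows the detection, but the locally sent message carries no header saying so). This is example code written for this page, not code from the poster or from the ClamAV project. It assumes the X-Virus-Scanned and X-Virus-Status header names quoted later in the thread, assumes clamav-milter writes a status beginning "Infected (...)" when AddHeader is enabled and a signature matches, and the sample messages, addresses and hostname are constructed. The subject-tagging function is a hypothetical downstream step, not a clamav-milter feature.

```python
import email
from email import policy

# Constructed sample messages (not the poster's real mail). The X-Virus-* headers follow the
# shape quoted in the thread; the "Infected (...)" status text is an assumption about what
# clamav-milter writes when AddHeader is on and a signature matches.
SCANNED_CLEAN = """\
From: joe@example.invalid
To: joe@example.invalid
Subject: milter test
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.0 at mailhost.example

harmless body
"""

SCANNED_INFECTED = """\
From: joe@example.invalid
To: joe@example.invalid
Subject: milter test
X-Virus-Status: Infected (Eicar-Signature)
X-Virus-Scanned: clamav-milter 0.103.0 at mailhost.example

body that carried the EICAR test string
"""

# What a locally submitted message looks like when it never passed through the milter at all
NOT_SCANNED = """\
From: joe@example.invalid
To: joe@example.invalid
Subject: milter test

body
"""


def milter_verdict(raw: str) -> dict:
    """Read the clamav-milter headers: was the message scanned, by what, with which result."""
    msg = email.message_from_string(raw, policy=policy.default)
    scanned_by = msg.get("X-Virus-Scanned")
    status = (msg.get("X-Virus-Status") or "").strip()
    return {
        "scanned": scanned_by is not None,
        "scanner": scanned_by,
        "status": status,
        "infected": status.lower().startswith("infected"),
    }


def diagnose(raw: str) -> str:
    """Turn the verdict into the next thing to check, matching the symptoms in the thread."""
    v = milter_verdict(raw)
    if not v["scanned"]:
        return ("no X-Virus-Scanned header: the message did not pass through clamav-milter "
                "(check smtpd_milters / non_smtpd_milters for this submission path, and "
                "AddHeader in clamav-milter.conf)")
    if v["infected"]:
        return f"scanned by {v['scanner']}: {v['status']}"
    return f"scanned by {v['scanner']}: clean"


def tag_subject(raw: str, tag: str = "[VIRUS]") -> str:
    """Prepend a tag to the Subject of a message the milter marked as infected.
    Hypothetical post-milter step (e.g. at delivery time), not something clamav-milter does."""
    if not milter_verdict(raw)["infected"]:
        return raw
    msg = email.message_from_string(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    if not subject.startswith(tag):
        del msg["Subject"]            # __delitem__ is a no-op when the header is absent
        msg["Subject"] = f"{tag} {subject}".strip()
    return msg.as_string()


if __name__ == "__main__":
    for name, raw in (("clean", SCANNED_CLEAN), ("infected", SCANNED_INFECTED),
                      ("unscanned", NOT_SCANNED)):
        print(f"{name}: {diagnose(raw)}")
    print(tag_subject(SCANNED_INFECTED))
```

Run against a message you mailed to yourself, the absence of X-Virus-Scanned is the useful signal: it means that submission path (for a local `sendmail` or `pickup` submission, the one governed by non_smtpd_milters) never reached the milter, so the mail log and the delivered message disagree exactly as described above.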


___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] ClamAVPlugin

2021-02-22 Thread Joe Acquisto-j4
Greetings

Seems time to address this
. . .
>>> 6. What happens if you mail to yourself something containing the
>>> EICAR test file?  Check all your log files as well as looking
>>> for mail headers etc.
>>
>> That has proven difficult as every place I have an email client out in
>> the great wilderness, has strict checking and blocks EICAR ...
> 
> Can you not simply use your own mail server to send yourself mail??
> 

Sending mail via the local postfix host bypasses spamassassin (spamd)
and clamav (clamd/clamav-milter). 

It gets passed on virtually untouched.  Currently posted on postfix users
list hoping for an answer. but maybe some one here knows what might be
wrong with my postfix config?

> 
> 73,
> Ged.
> 

joe a




Re: [clamav-users] ClamAVPlugin

2021-02-22 Thread Joe Acquisto-j4


> Hi there,
> 
> On Mon, 22 Feb 2021, Joe Acquisto-j4 wrote:
> 
>> myhost:~ # cp eicar.txt /etc/
>>
>> then this worked:
>>
>> myhost:~ # clamdscan /etc/eicar.txt
>> /etc/eicar.txt: Eicar-Signature FOUND
> 
> You have clamd working. :)
> 
> So you just need to get clamav-milter to talk to clamd, and Postfix to
> talk to clamav-milter,

Easier said than done.

> and everything will be peachy.  Well, not really
> peachy - then you'll be starting on your assessment of how it performs
> with your particular profile of unwanted mail, which will be different
> from the profiles seen by everyone else.  Feedback will be useful.
> 
> -- 
> 
> 73,
> Ged.
> 

However, in the end it appears it's working.
At least as far as getting an email header line that states:

"X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.0 at auxilary"

In summary, knowing what logs are where, paying attention to
what the messages mean, assuring you have *exactly* the same
path in the appropriate config files, assigning proper rights/ownership
of files, goes a long way toward achieving success.

Thanks for the patience and guidance.

More needs to be done, of course, but this is a boost.

joe a.







Re: [clamav-users] ClamAV not even mentioned in article "The 6 Best Antiviruses for Linux 2021"

2021-02-22 Thread Mark via clamav-users
For the complainers out there: ClamAV is *FREE*.
I have checked into other Linux security apps, and they are roughly $138.

On Fri, Feb 19, 2021 at 12:09 PM Paul Kosinski via clamav-users <
clamav-users@lists.clamav.net> wrote:

> https://www.safetydetectives.com/best-antivirus/linux/
>



Re: [clamav-users] ClamAVPlugin

2021-02-22 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 22 Feb 2021, Joe Acquisto-j4 wrote:


> myhost:~ # cp eicar.txt /etc/
>
> then this worked:
>
> myhost:~ # clamdscan /etc/eicar.txt
> /etc/eicar.txt: Eicar-Signature FOUND


You have clamd working. :)

So you just need to get clamav-milter to talk to clamd, and Postfix to
talk to clamav-milter, and everything will be peachy.  Well, not really
peachy - then you'll be starting on your assessment of how it performs
with your particular profile of unwanted mail, which will be different
from the profiles seen by everyone else.  Feedback will be useful.

--

73,
Ged.



Re: [clamav-users] ClamAVPlugin

2021-02-22 Thread Joe Acquisto-j4
 . . 
>> 3. Can you scan things with the 'clamdscan' command?  Note the 'd' in
>> 'clamdscan'.  Don't use 'clamscan', because that doesn't use clamd.
> 
> myhost:~ # clamdscan eicar.txt
> /root/eicar.txt: lstat() failed: Permission denied. ERROR
> 
>>

Well, an obvious issue: rights.  I had the test file in /root,
which the clamd service could not access (yet?).

After doing this as a quick test

myhost:~ # cp eicar.txt /etc/

then this worked:

myhost:~ # clamdscan /etc/eicar.txt
/etc/eicar.txt: Eicar-Signature FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 0.637 sec (0 m 0 s)
Start Date: 2021:02:21 23:32:56
End Date:   2021:02:21 23:32:57

Tune out tomorrow as more of the same twaddle is likely
to post.

joe a.
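The "lstat() failed: Permission denied" in this post is the daemon's own uid failing to get through a directory on the way to the file, not a scanner fault. As an added example (not code from the poster or from the ClamAV project), the following walks a path the way the kernel evaluates it and reports the first component an unprivileged clamd account cannot pass. The in-memory tree, the uid 1001 and its gid are constructed; against a live system you would drop the stat_fn argument so that os.stat is used.

```python
import os
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple


@dataclass
class StatLike:
    """The three fields of os.stat_result that a permission check needs."""
    st_mode: int
    st_uid: int
    st_gid: int


# Constructed in-memory tree standing in for the poster's box: /root is 0700 (the usual
# default), /etc is world-searchable, and /tmp holds a copy that is not world-readable.
FAKE_TREE: Dict[str, Tuple[int, int, int]] = {
    "/": (0o755, 0, 0),
    "/root": (0o700, 0, 0),
    "/root/eicar.txt": (0o644, 0, 0),
    "/etc": (0o755, 0, 0),
    "/etc/eicar.txt": (0o644, 0, 0),
    "/tmp": (0o1777, 0, 0),
    "/tmp/eicar.txt": (0o600, 0, 0),
}
CLAMAV_UID, CLAMAV_GIDS = 1001, {1001}  # assumed unprivileged clamd account; ids are made up


def fake_stat(path: str) -> StatLike:
    """stat() replacement that answers from FAKE_TREE (raises KeyError for unknown paths)."""
    mode, uid, gid = FAKE_TREE[path]
    return StatLike(mode, uid, gid)


def allowed(st: StatLike, uid: int, gids: Iterable[int], bit: int) -> bool:
    """Pick the owner/group/other bit class the way the kernel does for a non-root uid.
    `bit` is the 'other' bit (4 = read, 1 = search/execute); owner and group are shifted."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & (bit << 6))
    if st.st_gid in gids:
        return bool(st.st_mode & (bit << 3))
    return bool(st.st_mode & bit)


def first_blocked_component(path: str, uid: int, gids: Iterable[int],
                            stat_fn: Callable[[str], StatLike] = os.stat) -> Optional[str]:
    """Every ancestor directory needs the search bit and the file itself needs the read bit.
    Returns the first path element uid cannot get past, or None if the file is reachable."""
    parts = [p for p in path.split("/") if p]
    current = "/"
    for part in parts[:-1]:
        current = os.path.join(current, part)
        if not allowed(stat_fn(current), uid, gids, 1):
            return current
    if not allowed(stat_fn(path), uid, gids, 4):
        return path
    return None


def explain(path: str) -> str:
    """Human-readable result for the constructed tree and the assumed clamd account."""
    blocked = first_blocked_component(path, CLAMAV_UID, CLAMAV_GIDS, fake_stat)
    if blocked is None:
        return f"{path}: reachable by uid {CLAMAV_UID}"
    if blocked == path:
        return f"{path}: file itself is not readable by uid {CLAMAV_UID}"
    return (f"{path}: directory {blocked} is not searchable by uid {CLAMAV_UID} "
            "(lstat on the file fails with EACCES)")


if __name__ == "__main__":
    for p in ("/root/eicar.txt", "/etc/eicar.txt", "/tmp/eicar.txt"):
        print(explain(p))
```

A clamd that does not run as root needs the search bit on every directory above the file and the read bit on the file, which is why the copy in /etc scans while the copy in /root does not, and why a copy in /tmp must also be world-readable, as Ged says in the earlier message. clamdscan's --fdpass and --stream options sidestep this by handing the daemon an open descriptor or the file contents instead of a path.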




Re: [clamav-users] ClamAVPlugin

2021-02-22 Thread Gary R. Schmidt

On 22/02/2021 21:59, G.W. Haywood via clamav-users wrote:
[SNIP]

> If you're going to run your own mail server, ALL this stuff needs to
> be at your fingertips.  If it isn't, you're just going to be getting
> in your own way (and in everyone else's way).
>
>> Also wondering if main.cf (postfix) is the only place I need to add
>> Clamav directives.  master.cf has a spot for Spamassassin as a
>> "filter" and commented out stuff for amavis.
>
> https://www.oreilly.com/library/view/postfix-the-definitive/0596002122/ch04s05.html
>
> Don't forget that I don't use Postfix, so check everything I've said
> is right for your installation.  There may well be little quirks with
> Postfix that I don't know about.  It's all very similar with the MTA
> that I do use (Sendmail) but I can't be quite so sure with Postfix as
> I can with Sendmail.
>
> Fundamentally you need Postfix to know how to talk to clamav-milter,
> clamav-milter to know how to talk to clamd, and the same in the other
> direction; clamd needs to know how to talk to clamav-milter, and the
> milter needs to know how to talk to Postfix.  That's more or less all
> there is to it as far as the communications between the processes is
> concerned, but then you have to configure it all to do what you want
> it to do of course.  I see that you've started on that already with
> things like detecting PUAs.

The canonical information on how to use milters in Postfix is in the
Postfix source tree: README_FILES/MILTER_README.  There's also an HTML
version.

And I would also second the Dent book Ged links to above, if you are
about to start fiddling with Postfix configuration.  It's old, but it's
probably the most complete, and of course, when in doubt look at the
source,  has a lot of resources.


Cheers,
GaryB-)
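The chain Ged describes in the quoted text (Postfix to clamav-milter, clamav-milter to clamd, with the socket on each side agreeing exactly) can be checked mechanically. This added example is not code from the thread's participants, from ClamAV or from Postfix; it parses clamd.conf, clamav-milter.conf and main.cf fragments and reports every place the chain is broken. The configuration samples are constructed to mirror the symptoms in the thread (a ClamdSocket that differs from clamd's LocalSocket, a main.cf that sets only smtpd_milters so locally submitted mail skips the milter, and a TCP listener nothing uses); the Postfix queue_directory default is assumed.

```python
import re
from typing import Dict, List

# Constructed configuration fragments modelled on values quoted in the thread (not the poster's files).
CLAMD_CONF = "LocalSocket /var/run/clamav/clamd-socket\nTCPSocket 3310\nTCPAddr 127.0.0.1\n"
CLAMD_CONF_LOCAL_ONLY = "LocalSocket /var/run/clamav/clamd-socket\n#TCPSocket 3310\n"
MILTER_CONF_BAD = """\
# ClamdSocket names a path clamd is not listening on
MilterSocket unix:/var/run/clamav/clamav-milter.socket
ClamdSocket unix:/var/run/clamav/clamd.sock
"""
MILTER_CONF_GOOD = """\
MilterSocket unix:/var/run/clamav/clamav-milter.socket
ClamdSocket unix:/var/run/clamav/clamd-socket
"""
# Only SMTP-received mail goes through the milter here; local submissions (sendmail/pickup) bypass it
MAIN_CF_BAD = "smtpd_milters = unix:/var/run/clamav/clamav-milter.socket\n"
MAIN_CF_GOOD = MAIN_CF_BAD + "non_smtpd_milters = $smtpd_milters\n"


def parse_clamconf(text: str) -> Dict[str, str]:
    """clamd.conf / clamav-milter.conf use 'Key value' lines; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, *rest = re.split(r"\s+", line, maxsplit=1)
            conf[key] = rest[0].strip('"') if rest else "yes"
    return conf


def parse_main_cf(text: str) -> Dict[str, str]:
    """Postfix main.cf: 'key = value', continuation lines start with whitespace, $name expands."""
    conf, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:          # continuation of the previous parameter
            conf[last] += " " + raw.strip()
        else:
            key, _, value = raw.partition("=")
            last = key.strip()
            conf[last] = value.strip()

    def expand(value: str) -> str:
        return re.sub(r"\$\{?(\w+)\}?", lambda m: expand(conf.get(m.group(1), "")), value)
    return {k: expand(v) for k, v in conf.items()}


def milter_endpoint(spec: str, base: str = "") -> str:
    """Normalise a milter socket spec (clamav-milter or Postfix syntax) to unix:/abs/path or inet:host:port."""
    kind, _, rest = spec.partition(":")
    kind = kind.lower()
    if kind in ("unix", "local"):              # Postfix resolves a relative path under queue_directory
        return "unix:" + (rest if rest.startswith("/") else f"{base}/{rest}")
    if kind == "inet":
        if "@" in rest:                        # clamav-milter writes inet:port@host
            port, host = rest.split("@", 1)
        else:                                  # Postfix writes inet:host:port
            host, _, port = rest.rpartition(":")
        return f"inet:{host or 'localhost'}:{port}"
    return spec


def clamd_reachable(clamd_socket: str, clamd: Dict[str, str]) -> bool:
    """Does clamav-milter's ClamdSocket name a listener that clamd.conf actually opens?"""
    kind, _, rest = clamd_socket.partition(":")
    if kind.lower() in ("unix", "local"):
        return clamd.get("LocalSocket") == rest
    if kind.lower() == "tcp":
        host, _, port = rest.partition(":")
        if clamd.get("TCPSocket") != (port or "3310"):
            return False
        return clamd.get("TCPAddr", "0.0.0.0") in ("0.0.0.0", "::", host)
    return False


def audit(clamd_conf: str, milter_conf: str, main_cf: str) -> List[str]:
    """One finding per inconsistency in the Postfix -> clamav-milter -> clamd chain."""
    clamd, milter, postfix = parse_clamconf(clamd_conf), parse_clamconf(milter_conf), parse_main_cf(main_cf)
    findings = []
    clamd_socket = milter.get("ClamdSocket", "")
    if not clamd_reachable(clamd_socket, clamd):
        findings.append(f"clamav-milter ClamdSocket {clamd_socket!r} matches no listener in clamd.conf")
    milter_socket = milter_endpoint(milter.get("MilterSocket", ""))
    queue_dir = postfix.get("queue_directory", "/var/spool/postfix")  # Postfix default, assumed
    for param in ("smtpd_milters", "non_smtpd_milters"):
        value = postfix.get(param, "")
        if not value:
            findings.append(f"{param} is unset: mail on that path never reaches clamav-milter")
        elif milter_socket not in [milter_endpoint(s, queue_dir) for s in re.split(r"[\s,]+", value) if s]:
            findings.append(f"{param} = {value!r} does not name MilterSocket {milter_socket!r}")
    if "TCPSocket" in clamd and not clamd_socket.lower().startswith("tcp:"):
        findings.append(f"clamd also listens on TCP {clamd.get('TCPAddr', '*')}:{clamd['TCPSocket']} "
                        "which nothing here uses; a spare open port is extra exposure")
    return findings


if __name__ == "__main__":
    print("broken:", audit(CLAMD_CONF, MILTER_CONF_BAD, MAIN_CF_BAD))
    print("fixed: ", audit(CLAMD_CONF_LOCAL_ONLY, MILTER_CONF_GOOD, MAIN_CF_GOOD) or ["no findings"])
```

The "fixed" set is the shape the thread converges on: the milter's ClamdSocket is byte-for-byte the clamd LocalSocket, non_smtpd_milters reuses the smtpd_milters value so the local sendmail/pickup path is scanned too, and the TCP listener stays commented out unless something actually talks to it.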



Re: [clamav-users] ClamAVPlugin

2021-02-22 Thread G.W. Haywood via clamav-users

Hi there,

On Sun, 21 Feb 2021, Joe Acquisto-j4 wrote:


> clamd is running.  I thought I read it does not have to be as
> clamav-milter is capable of running mail scans without.  But I could
> be mistaken.


If you did read that, whoever wrote it is mistaken.  If you imagined
it, please try not to do that because it isn't helpful.  Note that
it's called clamav-milter (I've taken the liberty of correcting your
text) and it's more or less just an interface between an MTA and the
clamd daemon - although it is quite capable, for example it can offer
fault tolerance by handling multiple clamd daemons on multiple servers.

Its configuration and the configuration of the MTA are the first thing
we need to get right - they need to agree with each other, because the
configuration of the MTA tells the MTA how to talk to the milter, and
milter configuration tells the milter how to talk back to the MTA.  So:


> Logging is enabled ...


That's good.


> myhost:~ # clamd zPING
> Sun Feb 21 18:34:45 2021 -> !TCP: Cannot bind to [127.0.0.1]:3310: Address already in use
> Sun Feb 21 18:34:45 2021 -> !LOCAL: Socket file /var/run/clamav/clamd-socket is in use by another process.
> Sun Feb 21 18:34:45 2021 -> *Closing the main socket.


This is confusing.  What you've written there looks like you've given
the result on the screen of a command-line command.  First off that
command line command is nonsense (read the 'man' page for clamd) and
secondly what comes after it is taken from the log.  You need to be
clear about what you're doing.  I was clear in my example PING that I
connected to the daemon by using 'telnet'.  You should do the same, or
(as you discovered later) by piping through something like netcat,
socat, or whatever.  The error message in the log from the clamd which
you tried to start at the command line with your 'clamd zPING' command
is simply the new clamd that you're trying to start trying to open the
port that's configured in clamd.conf and finding that there's already
something using that port.  The something already using that port is
of course the running clamd daemon.  I asked you to talk to the daemon,
not to try to start another one.  You *can* start more clamd daemons,
but they each need to have their own unique communication channel, so
they each would need to have a separate file like clamd.conf - when I
run multiple daemons on the same box I have clamd1.conf, clamd2.conf,
and so on, with each daemon using a different port from the default.
You don't need multiple clamd daemons at this stage.  Probably never.


>> 3. Can you scan things with the 'clamdscan' command?  Note the 'd' in
>> 'clamdscan'.  Don't use 'clamscan', because that doesn't use clamd.


> myhost:~ # clamdscan eicar.txt
> /root/eicar.txt: lstat() failed: Permission denied. ERROR


This is a kind of progress.  Put the eicar.txt file in /tmp instead of
/root, with world read permissions, and try again.


>> 5. Anything interesting in the Postfix logs?  Can you increase the
>> logging verbosity?


> Nothing "new" far as I can tell.


We'll look at the log verbosity later.


>> 6. What happens if you mail to yourself something containing the
>> EICAR test file?  Check all your log files as well as looking
>> for mail headers etc.


> That has proven difficult as every place I have an email client out in
> the great wilderness, has strict checking and blocks EICAR ...


Can you not simply use your own mail server to send yourself mail??


> I've resorted to a site that purports to send EICAR test email
> "as a public service" sort of thing, in the past.


So did you try it?  What happened?


>> 7. Please also let us have the output of
>>
>> clamconf -n


Unfortunately your configuration is rather a mess.


> Config file: clamd.conf
> ---
> ...
> PidFile = "/var/run/clamav/clamd.pid"
> LocalSocket = "/var/run/clamav/clamd-socket"


In passing I note the PID file is under /var/run/.  We'll come back to
that later.  Because clamd is supposed to be talking to clamav-milter,
the local socket above needs to be exactly the same in clamd.conf as
it is in clamav-milter.conf (er, you might say, obviously).  It isn't.


> TCPSocket = "3310"
> TCPAddr = "127.0.0.1"


If everything is on the same machine, all the processes can use local
(Unix-type) sockets to talk to each other.  That means you don't need
TCP sockets, which use a completely different communication technology
(in fact the same TCP/IP which you use for email, browsing etc. etc.).
So the TCPxxx settings might not be needed, but they're useful (they
have already been useful to us) e.g. for testing and investigation.

Anyway (1) you need to tell the different processes consistent things,
so that they aren't talking to a brick wall; (2) just because you have
a process listening on a port, doesn't necessarily mean that you have
to be using that port; and (3) open TCP ports that you aren't using
can be a security issue.  So if you use clamd carelessly, you might be
a bigger threat to your system than the Bad Guys are because