Hello all,
I am running a CentOS 4.5 perfect install and I decided to switch to clamd instead of clamscan to save CPU but mainly to eliminate the clamav* files in my /tmp folder which rapidly filled my users' mailbox quota (many similar threads exist in this forum for this issue with no solution).
Instead of downloading clamd from custom CentOS repos using yum, I've chosen to use the ISPConfig's built in clamd binary (which I find logical so as to stay current with ISPConfig's future settings/modifications). My problem is that although the configuration seems to work fine and I do have logs in /etc/var/clamd.log, when I send a sample virus file the whole message is deleted, never reaches the mailbox and it is not logged in clamd.log as a successful virus identification. So here are my questions:
1) Is this really the default behaviour to completely delete the message and not only the attachment?
2) Can I change this behaviour? I would like to have only the attachment deleted and report to the user that this message contained a virus attachment which was removed (maybe by changing the subject, adding X-headers or in message body).
3) Is it normal not to have a notification in clamd.log? I would like to have that.
Here are my settings (comments stripped):
/home/admispconfig/ispconfig/tools/clamav/etc/freshclam.conf
Code:
UpdateLogFile /var/log/freshclam.log
LogFacility LOG_MAIL
DatabaseMirror database.clamav.net
NotifyClamd /home/admispconfig/ispconfig/tools/clamav/etc/clamd.conf
OnUpdateExecute 'chmod -R 755 /home/admispconfig/ispconfig/tools/clamav/share/clamav'
/home/admispconfig/ispconfig/tools/clamav/etc/clamd.conf
Code:
LogFile /var/log/clamd.log
LogTime yes
LocalSocket /home/admispconfig/ispconfig/temp/clamd
MaxDirectoryRecursion 15
User admispconfig
ScanMail 1
ScanArchive 1
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ClamukoScanOnOpen 1
ClamukoScanOnClose 1
ClamukoScanOnExec 1
ClamukoIncludePath /home
ClamukoMaxFileSize 1M
/home/admispconfig/ispconfig/tools/clamav/bin/clamassassin
Code:
TMPPATH=/tmp
SUBJECTHEAD=""
FORMAIL=/usr/bin/formail
CLAMSCAN=/home/admispconfig/ispconfig/tools/clamav/bin/clamdscan
CLAMSCANOPT="--no-summary --stdout"
ADDSCANNERFLAG=1
SIGTOOL=/home/admispconfig/ispconfig/tools/clamav/bin/sigtool
SIGLOC=/home/admispconfig/ispconfig/tools/clamav/share/clamav
SIGVERSFLAG=0
MKTEMP=/bin/mktemp
RM=/bin/rm
CAT=/bin/cat
SED=/bin/sed
ECHO=/bin/echo
/root/ispconfig/isp/conf/antivirus.rc.master
Code:
:0fw
| /home/admispconfig/ispconfig/tools/clamav/bin/clamassassin
:0:
* ^X-Virus-Status: Yes
/dev/null
Log files are in place with proper permissions:
Code:
-rw-r--r-- 1 admispconfig admispconfig 15K Oct 29 21:57 /var/log/clamd.log
-rw-r--r-- 1 admispconfig admispconfig 1.9K Oct 29 21:36 /var/log/freshclam.log
Here is a sample from clamd.log:
Code:
Mon Oct 29 21:57:36 2007 -> --- Stopped at Mon Oct 29 21:57:36 2007
Mon Oct 29 21:57:36 2007 -> +++ Started at Mon Oct 29 21:57:36 2007
Mon Oct 29 21:57:36 2007 -> clamd daemon 0.91.2 (OS: linux-gnu, ARCH: i386, CPU: i686)
Mon Oct 29 21:57:36 2007 -> Running as user admispconfig (UID 501, GID 501)
Mon Oct 29 21:57:36 2007 -> Log file size limited to 1048576 bytes.
Mon Oct 29 21:57:36 2007 -> Reading databases from /home/admispconfig/ispconfig/tools/clamav/share/clamav
Mon Oct 29 21:57:36 2007 -> Not loading PUA signatures.
Mon Oct 29 21:57:39 2007 -> Loaded 162928 signatures.
Mon Oct 29 21:57:39 2007 -> Unix socket file /home/admispconfig/ispconfig/temp/clamd
Mon Oct 29 21:57:39 2007 -> Setting connection queue length to 15
Mon Oct 29 21:57:39 2007 -> Archive: Archived file size limit set to 10485760 bytes.
Mon Oct 29 21:57:39 2007 -> Archive: Recursion level limit set to 5.
Mon Oct 29 21:57:39 2007 -> Archive: Files limit set to 1000.
Mon Oct 29 21:57:39 2007 -> Archive: Compression ratio limit set to 250.
Mon Oct 29 21:57:39 2007 -> Archive support enabled.
Mon Oct 29 21:57:39 2007 -> Algorithmic detection enabled.
Mon Oct 29 21:57:39 2007 -> Portable Executable support enabled.
Mon Oct 29 21:57:39 2007 -> ELF support enabled.
Mon Oct 29 21:57:39 2007 -> Mail files support enabled.
Mon Oct 29 21:57:39 2007 -> Mail: Recursion level limit set to 64.
Mon Oct 29 21:57:39 2007 -> OLE2 support enabled.
Mon Oct 29 21:57:39 2007 -> PDF support disabled.
Mon Oct 29 21:57:39 2007 -> HTML support enabled.
Mon Oct 29 21:57:39 2007 -> Self checking every 1800 seconds.
In the above log there should be a line reporting the virus that was sent and found.
Also I have some mailchk files in /tmp that I don't know what they are...
Code:
-rw------- 1 ena.tld_info web43 0 Oct 29 19:01 mailchk.N28529
-rw------- 1 ena.tld_info web43 0 Oct 29 21:48 mailchk.TwD898
-rw------- 1 ena.tld_info web43 0 Oct 29 21:48 mailchk.VEm893
-rw------- 1 ena.tld_info web43 0 Oct 29 21:48 mailchk.ZHC900
clamd is running properly:
Code:
[root@nemesis /tmp]# ps auxw|grep clamd
501 1195 0.4 3.0 35604 31368 ? Ss 21:57 0:02 /home/admispconfig/ispconfig/tools/clamav/sbin/clamd
Thank you in advance for your remarks,
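The `:0:` recipe in antivirus.rc.master delivers every message carrying `X-Virus-Status: Yes` to /dev/null, so the whole mail is discarded by procmail, not by clamd. As an added example (not from the original post or from ISPConfig), the filter below shows one way to take the place of that `/dev/null` action: it keeps the text parts, removes the other parts, tags the subject and prepends a notice; the subject tag and the sample message are assumptions.

```python
# Added example (not from the original post): a filter for the procmail recipe
# above. If clamassassin set 'X-Virus-Status: Yes', strip non-text parts, tag
# the subject and prepend a notice instead of discarding the whole mail.
import sys
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed sample (no real malware): text body + binary attachment, flagged.
SAMPLE = """\
From: sender@example.com
Subject: invoice
X-Virus-Status: Yes
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached.
--b1
Content-Type: application/octet-stream; name="invoice.exe"

AAAA
--b1--
"""

def sanitize(raw):
    msg = message_from_string(raw)
    if msg.get("X-Virus-Status", "").strip().lower() != "yes":
        return raw, []                       # clean mail passes untouched
    kept, removed = [], []
    for part in msg.walk():
        if part.is_multipart(): continue     # containers carry no payload
        if part.get_content_maintype() == "text" and not part.get_filename():
            kept.append(part)
        else:
            removed.append(part.get_filename() or part.get_content_type())
    if not removed:                          # the text body itself was flagged
        removed, kept = [p.get_content_type() for p in kept], []
    out = MIMEMultipart("mixed")
    for name, value in msg.items():          # keep routing and scanner headers
        if name.lower() not in ("content-type", "mime-version", "subject"):
            out[name] = value
    out["Subject"] = "[VIRUS REMOVED] " + msg.get("Subject", "")  # assumed tag
    out.attach(MIMEText("The virus scanner removed: %s\n" % ", ".join(removed)))
    for part in kept:
        out.attach(part)
    return out.as_string(), removed

if __name__ == "__main__":                   # procmail pipes the mail to stdin
    sys.stdout.write(sanitize(sys.stdin.read())[0])
```

Used as a procmail filter (`:0fw` piping to this script on the `^X-Virus-Status: Yes` condition), the cleaned message continues to normal delivery instead of being dropped.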