HowtoForge Forums > ISPConfig 2 > Installation/Configuration
#1  erebus, 29th October 2007, 21:08
Successfully switching to clamd but... no logs!

Hello all,

I am running a CentOS 4.5 perfect install and I decided to switch to clamd instead of clamscan to save CPU but mainly to eliminate the clamav* files in my /tmp folder which rapidly filled my users' mailbox quota (many similar threads exist in this forum for this issue with no solution).

Instead of downloading clamd from custom CentOS repos using yum, I've chosen to use ISPConfig's built-in clamd binary (which I find logical so as to stay current with ISPConfig's future settings/modifications). My problem is that although the configuration seems to work fine and I do have logs in /etc/var/clamd.log, when I send a sample virus file the whole message is deleted, never reaches the mailbox and is not logged in clamd.log as a successful virus identification. So here are my questions:

1) Is this really the default behaviour to completely delete the message and not only the attachment?

2) Can I change this behaviour? I would like to have only the attachment deleted and report to the user that this message contained a virus attachment which was removed (maybe by changing the subject, adding X-headers or in message body).

3) Is it normal not to have a notification in clamd.log? I would like to have that.

Here are my settings (comments stripped):

/home/admispconfig/ispconfig/tools/clamav/etc/freshclam.conf
Code:
UpdateLogFile /var/log/freshclam.log
LogFacility LOG_MAIL
DatabaseMirror database.clamav.net
NotifyClamd /home/admispconfig/ispconfig/tools/clamav/etc/clamd.conf
OnUpdateExecute 'chmod -R 755 /home/admispconfig/ispconfig/tools/clamav/share/clamav'

/home/admispconfig/ispconfig/tools/clamav/etc/clamd.conf
Code:
LogFile /var/log/clamd.log
LogTime yes
LocalSocket /home/admispconfig/ispconfig/temp/clamd
MaxDirectoryRecursion 15
User admispconfig
ScanMail 1
ScanArchive 1
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ClamukoScanOnOpen 1
ClamukoScanOnClose 1
ClamukoScanOnExec 1
ClamukoIncludePath /home
ClamukoMaxFileSize 1M

/home/admispconfig/ispconfig/tools/clamav/bin/clamassassin
Code:
TMPPATH=/tmp
SUBJECTHEAD=""
FORMAIL=/usr/bin/formail
CLAMSCAN=/home/admispconfig/ispconfig/tools/clamav/bin/clamdscan
CLAMSCANOPT="--no-summary --stdout"
ADDSCANNERFLAG=1
SIGTOOL=/home/admispconfig/ispconfig/tools/clamav/bin/sigtool
SIGLOC=/home/admispconfig/ispconfig/tools/clamav/share/clamav
SIGVERSFLAG=0
MKTEMP=/bin/mktemp
RM=/bin/rm
CAT=/bin/cat
SED=/bin/sed
ECHO=/bin/echo

/root/ispconfig/isp/conf/antivirus.rc.master
Code:
:0fw
| /home/admispconfig/ispconfig/tools/clamav/bin/clamassassin

:0:
* ^X-Virus-Status: Yes
/dev/null

Log files are in place with proper permissions:
Code:
-rw-r--r--  1 admispconfig admispconfig 15K Oct 29 21:57 /var/log/clamd.log
-rw-r--r--  1 admispconfig admispconfig 1.9K Oct 29 21:36 /var/log/freshclam.log

Here is a sample from clamd.log:
Code:
Mon Oct 29 21:57:36 2007 -> --- Stopped at Mon Oct 29 21:57:36 2007
Mon Oct 29 21:57:36 2007 -> +++ Started at Mon Oct 29 21:57:36 2007
Mon Oct 29 21:57:36 2007 -> clamd daemon 0.91.2 (OS: linux-gnu, ARCH: i386, CPU: i686)
Mon Oct 29 21:57:36 2007 -> Running as user admispconfig (UID 501, GID 501)
Mon Oct 29 21:57:36 2007 -> Log file size limited to 1048576 bytes.
Mon Oct 29 21:57:36 2007 -> Reading databases from /home/admispconfig/ispconfig/tools/clamav/share/clamav
Mon Oct 29 21:57:36 2007 -> Not loading PUA signatures.
Mon Oct 29 21:57:39 2007 -> Loaded 162928 signatures.
Mon Oct 29 21:57:39 2007 -> Unix socket file /home/admispconfig/ispconfig/temp/clamd
Mon Oct 29 21:57:39 2007 -> Setting connection queue length to 15
Mon Oct 29 21:57:39 2007 -> Archive: Archived file size limit set to 10485760 bytes.
Mon Oct 29 21:57:39 2007 -> Archive: Recursion level limit set to 5.
Mon Oct 29 21:57:39 2007 -> Archive: Files limit set to 1000.
Mon Oct 29 21:57:39 2007 -> Archive: Compression ratio limit set to 250.
Mon Oct 29 21:57:39 2007 -> Archive support enabled.
Mon Oct 29 21:57:39 2007 -> Algorithmic detection enabled.
Mon Oct 29 21:57:39 2007 -> Portable Executable support enabled.
Mon Oct 29 21:57:39 2007 -> ELF support enabled.
Mon Oct 29 21:57:39 2007 -> Mail files support enabled.
Mon Oct 29 21:57:39 2007 -> Mail: Recursion level limit set to 64.
Mon Oct 29 21:57:39 2007 -> OLE2 support enabled.
Mon Oct 29 21:57:39 2007 -> PDF support disabled.
Mon Oct 29 21:57:39 2007 -> HTML support enabled.
Mon Oct 29 21:57:39 2007 -> Self checking every 1800 seconds.

The above log should contain a line reporting the virus I sent.


Also I have some mailchk files in /tmp that I don't know what they are...
Code:
-rw-------   1 ena.tld_info web43           0 Oct 29 19:01 mailchk.N28529
-rw-------   1 ena.tld_info web43           0 Oct 29 21:48 mailchk.TwD898
-rw-------   1 ena.tld_info web43           0 Oct 29 21:48 mailchk.VEm893
-rw-------   1 ena.tld_info web43           0 Oct 29 21:48 mailchk.ZHC900

clamd is running properly:
Code:
[root@nemesis /tmp]# ps auxw|grep clamd
501       1195  0.4  3.0 35604 31368 ?       Ss   21:57   0:02 /home/admispconfig/ispconfig/tools/clamav/sbin/clamd

Thank you in advance for your remarks.

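A way to separate "clamd does not detect" from "clamassassin/procmail swallows the result", as an added example that is not part of the thread, ISPConfig or ClamAV: talk to the daemon directly on the LocalSocket path from the clamd.conf above (assumed unchanged) and read its reply. The SCAN command (a file path clamd reads itself) exists in the 0.91 daemon shown in the thread; the INSTREAM command (the message body sent over the socket, the way current clamdscan works) was added in ClamAV 0.95. The "stream 1688:" form quoted later in the thread is the older STREAM session's subject and parses the same way. The EICAR test string is the standard harmless antivirus test file, assembled from two parts so the script itself does not contain the literal signature.

```python
"""Check clamd detection directly over its Unix socket.

Added example for this thread, not ISPConfig's or ClamAV's own code.
Assumes the LocalSocket path from the clamd.conf posted above.
"""
import socket
import struct

# LocalSocket from the clamd.conf in the thread (assumption: unchanged)
CLAMD_SOCKET = "/home/admispconfig/ispconfig/temp/clamd"

# Standard EICAR antivirus test string, built from two parts so that this
# file itself does not contain the literal signature.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def instream_frames(data: bytes, chunk_size: int = 2048) -> bytes:
    """Encode data in clamd's INSTREAM wire format (ClamAV 0.95 and later):
    the null-terminated command 'zINSTREAM', then chunks of a 4-byte big-endian
    length followed by that many bytes, ended by a zero-length chunk."""
    out = bytearray(b"zINSTREAM\x00")
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)  # zero length terminates the stream
    return bytes(out)


def parse_reply(reply: bytes):
    """Parse a clamd reply such as b'stream: Eicar-Test-Signature FOUND\\0' or
    b'/path/file: OK\\0'. Returns (status, detail): status is 'FOUND', 'OK' or
    'ERROR'; detail is the signature name for FOUND, otherwise the reply text."""
    text = reply.rstrip(b"\x00\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        subject_and_sig = text[: -len(" FOUND")]
        signature = subject_and_sig.rsplit(": ", 1)[-1]
        return "FOUND", signature
    if text.endswith(" OK"):
        return "OK", text
    return "ERROR", text


def _exchange(payload: bytes, sock_path: str, timeout: float) -> bytes:
    """Send one command to clamd and read its null-terminated reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(sock_path)
        sock.sendall(payload)
        reply = b""
        while not reply.endswith(b"\x00"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return reply


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET, timeout: float = 60.0):
    """Scan an in-memory buffer with INSTREAM (clamd 0.95 and later)."""
    return parse_reply(_exchange(instream_frames(data), sock_path, timeout))


def scan_path(path: str, sock_path: str = CLAMD_SOCKET, timeout: float = 60.0):
    """Scan a file with SCAN, which the 0.91 daemon in the thread also supports.
    clamd runs as 'User admispconfig', so that account must be able to read the file."""
    return parse_reply(_exchange(b"zSCAN " + path.encode() + b"\x00", sock_path, timeout))


if __name__ == "__main__":
    print("INSTREAM:", scan_bytes(EICAR))
```

If the daemon answers FOUND here but clamd.log stays silent, the logging side is the problem; if it answers OK, the signature database or the daemon is, and the procmail rule sending X-Virus-Status: Yes mail to /dev/null never had anything to act on.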
#2  till (Super Moderator), 30th October 2007, 12:06

1) Yes.
2) Most likely you will have to modify the clamassassin scripts for this.
3) Logging is not enabled by default, but you might be able to do some kind of logging in the clamassassin script or in the clamd configuration.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3  erebus, 30th October 2007, 18:58

Hello till, thank you for the reply.

Maybe you have misunderstood something in my post. Let me explain.

I have followed the procedure explained here. The goal was to use the clamd build provided in the ISPConfig package.

However here it is clear that apart from hacking the clamassassin script, clamd should report viruses found in clamd.log by default:

Quote:
stream 1688: Eicar-Test-Signature FOUND
This is what is not happening to me (no matter how many example mails with eicar I send), which is very weird. That is exactly my problem.

Also something that makes me think that logging is not working as expected is another hack I did using this info. I have patched the master settings for both spamassassin and antivirus, and updated all users' files using the MySQL command I found in this forum somewhere (by you I think). I've checked that the local files are identical to the example. Although I have reports in maillog for the spam mails (as expected after the hack), there are no reports for the viruses either in maillog or in clamd.log.

I think there is nothing more that I can change in my clamd.conf so as to enable logging (please check my clamd.conf in the first post).

So can you please enlighten me on this?

Thank you.
#4  erebus, 31st October 2007, 20:26

Anyone please?
#5  erebus, 1st November 2007, 09:02

For the record, problem solved without touching anything.

Code:
[root@nemesis /home/erebus]# cat /var/log/clamd.log | grep FOUND
Tue Oct 30 13:59:45 2007 -> stream 2008: Worm.SomeFool.Gen-2 FOUND
Wed Oct 31 11:08:09 2007 -> stream 1228: Worm.SomeFool.P FOUND
Wed Oct 31 12:00:55 2007 -> stream 1675: Worm.SomeFool.P FOUND
Wed Oct 31 14:20:50 2007 -> stream 1298: Exploit.HTML.IFrame FOUND
Wed Oct 31 14:55:03 2007 -> stream 1920: Worm.SomeFool.P FOUND
Wed Oct 31 15:11:40 2007 -> stream 1616: Exploit.HTML.IFrame FOUND
Thu Nov  1 09:18:55 2007 -> stream 1655: Worm.SomeFool.AA-2 FOUND
It seems clamd has its own timing for when it starts reporting viruses to the log. I have read about it elsewhere but didn't pay enough notice then.

Thank you all for your help; I hope this post helps others in the future.
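A small log reader that goes further than the grep above, added here as an example and not part of the thread, ClamAV or ISPConfig: it parses clamd.log lines into timestamp and message, restarts its count at every "+++ Started at" so that hits from an earlier daemon run cannot mask a fresh run that is silent (the situation in post #1), records how many signatures the run loaded, and totals detections per signature. The sample input is built from the lines quoted in this thread (the startup lines from post #1 and the FOUND lines from post #5).

```python
"""Summarise clamd.log detections for the current daemon run.

Added example for this thread, not ClamAV's or ISPConfig's code. The sample
lines below are the ones quoted in the thread (startup lines from post #1,
FOUND lines from post #5).
"""
import re
from collections import Counter
from datetime import datetime

# Every clamd.log line is "<ctime timestamp> -> <message>"; the day is space-padded.
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) -> (?P<msg>.*)$")
# A detection is "<subject>: <signature> FOUND"; subject is a path (SCAN) or "stream <n>".
FOUND_RE = re.compile(r"^(?P<subject>.+?): (?P<sig>\S+) FOUND$")

SAMPLE_LOG = """\
Mon Oct 29 21:57:36 2007 -> --- Stopped at Mon Oct 29 21:57:36 2007
Mon Oct 29 21:57:36 2007 -> +++ Started at Mon Oct 29 21:57:36 2007
Mon Oct 29 21:57:36 2007 -> clamd daemon 0.91.2 (OS: linux-gnu, ARCH: i386, CPU: i686)
Mon Oct 29 21:57:39 2007 -> Loaded 162928 signatures.
Tue Oct 30 13:59:45 2007 -> stream 2008: Worm.SomeFool.Gen-2 FOUND
Wed Oct 31 11:08:09 2007 -> stream 1228: Worm.SomeFool.P FOUND
Wed Oct 31 12:00:55 2007 -> stream 1675: Worm.SomeFool.P FOUND
Wed Oct 31 14:20:50 2007 -> stream 1298: Exploit.HTML.IFrame FOUND
Wed Oct 31 14:55:03 2007 -> stream 1920: Worm.SomeFool.P FOUND
Wed Oct 31 15:11:40 2007 -> stream 1616: Exploit.HTML.IFrame FOUND
Thu Nov  1 09:18:55 2007 -> stream 1655: Worm.SomeFool.AA-2 FOUND
"""


def parse_line(line):
    """Split one log line into (datetime, message); None for lines that do not fit."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None  # truncated or foreign line: skip rather than guess
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["msg"]


def summarize(lines):
    """Return (started_at, signatures_loaded, detections, per_signature) for the
    most recent daemon run. detections is a list of (timestamp, subject, signature)
    and is reset at each '+++ Started at' line."""
    started_at = None
    sigs_loaded = None
    detections = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, msg = rec
        if msg.startswith("+++ Started at"):
            started_at, sigs_loaded, detections = ts, None, []
            continue
        loaded = re.match(r"Loaded (\d+) signatures", msg)
        if loaded:
            sigs_loaded = int(loaded.group(1))
            continue
        hit = FOUND_RE.match(msg)
        if hit:
            detections.append((ts, hit["subject"], hit["sig"]))
    return started_at, sigs_loaded, detections, Counter(sig for _, _, sig in detections)


if __name__ == "__main__":
    started, loaded, hits, counts = summarize(SAMPLE_LOG.splitlines())
    print(f"daemon started {started}, {loaded} signatures loaded, {len(hits)} detections")
    for sig, n in counts.most_common():
        print(f"{n:4d}  {sig}")
```

Run against the real file with `summarize(open("/var/log/clamd.log"))`; a run whose `sigs_loaded` is None or whose detection list stays empty while test mail is being sent points at the daemon rather than at the procmail rule.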