Successfully switching to clamd but... no logs!

Discussion in 'Installation/Configuration' started by erebus, Oct 29, 2007.

  1. erebus

    erebus New Member

    Hello all,

    I am running a CentOS 4.5 perfect install and I decided to switch to clamd instead of clamscan to save CPU but mainly to eliminate the clamav* files in my /tmp folder which rapidly filled my users' mailbox quota (many similar threads exist in this forum for this issue with no solution).

    Instead of downloading clamd from custom CentOS repos using yum, I've chosen to use the ISPConfig's built-in clamd binary (which I find logical so as to stay current with ISPConfig's future settings/modifications). My problem is that although the configuration seems to work fine and I do have logs in /etc/var/clamd.log, when I send a sample virus file the whole message is deleted, never reaches the mailbox and is not logged in clamd.log as a successful virus identification. So here are my questions:

    1) Is this really the default behaviour to completely delete the message and not only the attachment?

    2) Can I change this behaviour? I would like to have only the attachment deleted and report to the user that this message contained a virus attachment which was removed (maybe by changing the subject, adding X-headers or in message body).

    3) Is it normal not to have a notification in clamd.log? I would like to have that.

    Here are my settings (comments stripped):

    /home/admispconfig/ispconfig/tools/clamav/etc/freshclam.conf
    Code:
    UpdateLogFile /var/log/freshclam.log
    LogFacility LOG_MAIL
    DatabaseMirror database.clamav.net
    NotifyClamd /home/admispconfig/ispconfig/tools/clamav/etc/clamd.conf
    OnUpdateExecute 'chmod -R 755 /home/admispconfig/ispconfig/tools/clamav/share/clamav'

    /home/admispconfig/ispconfig/tools/clamav/etc/clamd.conf
    Code:
    LogFile /var/log/clamd.log
    LogTime yes
    LocalSocket /home/admispconfig/ispconfig/temp/clamd
    MaxDirectoryRecursion 15
    User admispconfig
    ScanMail 1
    ScanArchive 1
    ArchiveMaxFileSize 10M
    ArchiveMaxRecursion 5
    ArchiveMaxFiles 1000
    ClamukoScanOnOpen 1
    ClamukoScanOnClose 1
    ClamukoScanOnExec 1
    ClamukoIncludePath /home
    ClamukoMaxFileSize 1M

    /home/admispconfig/ispconfig/tools/clamav/bin/clamassassin
    Code:
    TMPPATH=/tmp
    SUBJECTHEAD=""
    FORMAIL=/usr/bin/formail
    CLAMSCAN=/home/admispconfig/ispconfig/tools/clamav/bin/clamdscan
    CLAMSCANOPT="--no-summary --stdout"
    ADDSCANNERFLAG=1
    SIGTOOL=/home/admispconfig/ispconfig/tools/clamav/bin/sigtool
    SIGLOC=/home/admispconfig/ispconfig/tools/clamav/share/clamav
    SIGVERSFLAG=0
    MKTEMP=/bin/mktemp
    RM=/bin/rm
    CAT=/bin/cat
    SED=/bin/sed
    ECHO=/bin/echo

    /root/ispconfig/isp/conf/antivirus.rc.master
    Code:
    :0fw
    | /home/admispconfig/ispconfig/tools/clamav/bin/clamassassin
    
    :0:
    * ^X-Virus-Status: Yes
    /dev/null

    Log files are in place with proper permissions:
    Code:
    -rw-r--r--  1 admispconfig admispconfig 15K Oct 29 21:57 /var/log/clamd.log
    -rw-r--r--  1 admispconfig admispconfig 1.9K Oct 29 21:36 /var/log/freshclam.log

    Here is a sample from clamd.log:
    Code:
    Mon Oct 29 21:57:36 2007 -> --- Stopped at Mon Oct 29 21:57:36 2007
    Mon Oct 29 21:57:36 2007 -> +++ Started at Mon Oct 29 21:57:36 2007
    Mon Oct 29 21:57:36 2007 -> clamd daemon 0.91.2 (OS: linux-gnu, ARCH: i386, CPU: i686)
    Mon Oct 29 21:57:36 2007 -> Running as user admispconfig (UID 501, GID 501)
    Mon Oct 29 21:57:36 2007 -> Log file size limited to 1048576 bytes.
    Mon Oct 29 21:57:36 2007 -> Reading databases from /home/admispconfig/ispconfig/tools/clamav/share/clamav
    Mon Oct 29 21:57:36 2007 -> Not loading PUA signatures.
    Mon Oct 29 21:57:39 2007 -> Loaded 162928 signatures.
    Mon Oct 29 21:57:39 2007 -> Unix socket file /home/admispconfig/ispconfig/temp/clamd
    Mon Oct 29 21:57:39 2007 -> Setting connection queue length to 15
    Mon Oct 29 21:57:39 2007 -> Archive: Archived file size limit set to 10485760 bytes.
    Mon Oct 29 21:57:39 2007 -> Archive: Recursion level limit set to 5.
    Mon Oct 29 21:57:39 2007 -> Archive: Files limit set to 1000.
    Mon Oct 29 21:57:39 2007 -> Archive: Compression ratio limit set to 250.
    Mon Oct 29 21:57:39 2007 -> Archive support enabled.
    Mon Oct 29 21:57:39 2007 -> Algorithmic detection enabled.
    Mon Oct 29 21:57:39 2007 -> Portable Executable support enabled.
    Mon Oct 29 21:57:39 2007 -> ELF support enabled.
    Mon Oct 29 21:57:39 2007 -> Mail files support enabled.
    Mon Oct 29 21:57:39 2007 -> Mail: Recursion level limit set to 64.
    Mon Oct 29 21:57:39 2007 -> OLE2 support enabled.
    Mon Oct 29 21:57:39 2007 -> PDF support disabled.
    Mon Oct 29 21:57:39 2007 -> HTML support enabled.
    Mon Oct 29 21:57:39 2007 -> Self checking every 1800 seconds.

    In the above log there should be a line reporting that the virus I sent was found.

    Also I have some mailchk files in /tmp that I don't know what they are...
    Code:
    -rw-------   1 ena.tld_info web43           0 Oct 29 19:01 mailchk.N28529
    -rw-------   1 ena.tld_info web43           0 Oct 29 21:48 mailchk.TwD898
    -rw-------   1 ena.tld_info web43           0 Oct 29 21:48 mailchk.VEm893
    -rw-------   1 ena.tld_info web43           0 Oct 29 21:48 mailchk.ZHC900

    clamd is running properly:
    Code:
    [root@nemesis /tmp]# ps auxw|grep clamd
    501       1195  0.4  3.0 35604 31368 ?       Ss   21:57   0:02 /home/admispconfig/ispconfig/tools/clamav/sbin/clamd

    Thank you in advance for your remarks,
     
    Last edited: Oct 29, 2007
  2. till

    till Super Moderator

    1) Yes.
    2) Most likely you will have to modify the clamassassin scripts for this.
    3) Logging is not enabled by default, but you might be able to do some kind of logging in the clamassassin script or in the clamd configuration.
     
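What the "strip the attachment and notify the user" behaviour asked about in question 2 could look like, as an added example that is not ISPConfig's or clamassassin's own code: it assumes clamassassin has already tagged the message with the X-Virus-Status (and X-Virus-Report) headers that antivirus.rc.master matches on, and runs against a constructed sample message instead of real mail.

```python
"""Added example (not ISPConfig's or clamassassin's code): instead of the
antivirus.rc.master recipe that delivers "X-Virus-Status: Yes" mail to
/dev/null, keep the text body, replace each attachment with a notice and
tag the Subject so the recipient learns what was removed."""
from email import message_from_string, policy

TAG = "[VIRUS REMOVED]"

# Constructed sample, as a message might look after clamassassin added its
# X-Virus-* headers. The attachment payload is just base64("not a payload").
SAMPLE = """\
From: sender@example.com
To: user@example.org
Subject: invoice
X-Virus-Status: Yes
X-Virus-Report: Eicar-Test-Signature FOUND
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Please see attached.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

bm90IGEgcGF5bG9hZA==
--b1--
"""

def sanitize_flagged(raw):
    """Return (message, removed_names); untagged messages pass through."""
    msg = message_from_string(raw, policy=policy.default)
    if msg.get("X-Virus-Status", "").strip().lower() != "yes":
        return msg, []
    report = msg.get("X-Virus-Report", "unspecified threat")
    removed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Keep inline text (the body); replace attachments and non-text parts.
        if (part.get_content_disposition() == "attachment"
                or part.get_content_maintype() != "text"):
            name = part.get_filename() or part.get_content_type()
            removed.append(name)
            # set_content() first drops the old Content-* headers, so the
            # replacement becomes a plain inline text part.
            part.set_content(f"[Attachment {name!r} removed: {report}]\n")
    if removed:
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}".strip()
    return msg, removed
```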
  3. erebus

    erebus New Member

    Hello till, thank you for the reply.

    Maybe you have misunderstood something in my post. Let me explain.

    I have followed the procedure explained here. The goal was to use the clamd build provided in the ISPConfig package.

    However here it is clear that apart from hacking the clamassassin script, clamd should report viruses found in clamd.log by default:

    This is what is not happening to me (no matter how many example mails with EICAR I send), which is very weird. That is exactly my problem.

    Also something that makes me think that logging is not working as expected is another hack I did using this info. I have patched the master settings for both spamassassin and antivirus, and updated all users' files using the MySQL command I found in this forum somewhere (by you, I think). I've checked that the local files are identical to the example. Although I have reports in maillog for the spam mails (as expected after the hack), there are no reports for the viruses either in maillog or in clamd.log.

    I think there is nothing more that I can change in my clamd.conf so as to enable logging (please check my clamd.conf in the first post).

    So can you please enlighten me on this?

    Thank you.
     
  4. erebus

    erebus New Member

    Anyone please?
     
  5. erebus

    erebus New Member

    For the record, problem solved without touching anything.

    Code:
    [root@nemesis /home/erebus]# cat /var/log/clamd.log | grep FOUND
    Tue Oct 30 13:59:45 2007 -> stream 2008: Worm.SomeFool.Gen-2 FOUND
    Wed Oct 31 11:08:09 2007 -> stream 1228: Worm.SomeFool.P FOUND
    Wed Oct 31 12:00:55 2007 -> stream 1675: Worm.SomeFool.P FOUND
    Wed Oct 31 14:20:50 2007 -> stream 1298: Exploit.HTML.IFrame FOUND
    Wed Oct 31 14:55:03 2007 -> stream 1920: Worm.SomeFool.P FOUND
    Wed Oct 31 15:11:40 2007 -> stream 1616: Exploit.HTML.IFrame FOUND
    Thu Nov  1 09:18:55 2007 -> stream 1655: Worm.SomeFool.AA-2 FOUND

    It seems clamd takes its own time before it starts reporting viruses to the log. I had read about it elsewhere but didn't pay enough attention then.

    Thank you all for your help; I hope this post helps others in the future.
     
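The FOUND lines above are the ones worth watching once clamd does start logging. As an added example that is not part of the thread, this parses the clamd.log format shown in the excerpts into detection records and counts hits per signature, skipping the start-up and status lines clamd also writes there; the sample log is constructed from lines quoted in this thread.

```python
"""Added example (not part of the thread): parse clamd.log detection lines
of the form "<ctime stamp> -> stream <n>: <signature> FOUND" and count
hits per signature; start-up and status lines are ignored."""
import re
from collections import Counter
from datetime import datetime

# clamd labels data scanned over its socket as "stream <n>" rather than a
# file path; file scans put the path in the same position.
FOUND_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) -> "
    r"(?P<target>stream \d+|\S+): (?P<sig>\S+) FOUND$"
)

# Constructed sample: lines copied from the log excerpts in this thread.
SAMPLE_LOG = """\
Mon Oct 29 21:57:36 2007 -> +++ Started at Mon Oct 29 21:57:36 2007
Mon Oct 29 21:57:39 2007 -> Loaded 162928 signatures.
Mon Oct 29 21:57:39 2007 -> Self checking every 1800 seconds.
Tue Oct 30 13:59:45 2007 -> stream 2008: Worm.SomeFool.Gen-2 FOUND
Wed Oct 31 11:08:09 2007 -> stream 1228: Worm.SomeFool.P FOUND
Wed Oct 31 12:00:55 2007 -> stream 1675: Worm.SomeFool.P FOUND
Wed Oct 31 14:20:50 2007 -> stream 1298: Exploit.HTML.IFrame FOUND
Thu Nov  1 09:18:55 2007 -> stream 1655: Worm.SomeFool.AA-2 FOUND
"""

def parse_detections(text):
    """Return a list of (datetime, target, signature) for every FOUND line."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if not m:
            continue  # start-up, database and self-check lines are not detections
        # ctime-style stamp; the double space in "Nov  1" is accepted by strptime
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        hits.append((ts, m["target"], m["sig"]))
    return hits

def signature_counts(hits):
    """Hits per signature name, e.g. to spot a worm wave in the mail flow."""
    return Counter(sig for _, _, sig in hits)

if __name__ == "__main__":
    for ts, target, sig in parse_detections(SAMPLE_LOG):
        print(ts.isoformat(), target, sig)
    print(signature_counts(parse_detections(SAMPLE_LOG)).most_common())
```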