Sun Java System Messaging Server 6.3 Administration Guide

14.6 Using ClamAV

Messaging Server supports the use of the popular and freely available third-party virus scanner ClamAV for the detection of virus- and Trojan-horse-infected messages. The virus signatures ClamAV uses to detect newly created viruses can be updated automatically with the freshclam utility provided in the ClamAV software package.

Further information on ClamAV can be found at the ClamAV website.

14.6.1 ClamAV/Messaging Server Theory of Operations

ClamAV integration in Messaging Server makes use of the clamd daemon that is provided as part of the ClamAV package. clamd is a multi-threaded process that listens on a socket for requests to process messages. After processing a message, it sends back a response and closes the connection. The client portion of the ClamAV installation, clamdscan, is not used; that role is performed instead by a shared library called libclamav.so, which is part of Messaging Server.

libclamav.so is loaded the same way as the Brightmail SDK is loaded.

14.6.2 ClamAV Requirements and Usage Considerations

ClamAV can run on a separate system of its own, on the same system as the Messaging Server in a single system deployment, or on the same system as the MTA in a two-tier deployment. If Local Mail Transfer Protocol (LMTP) is used between the MTA and the message store, the filtering must be invoked from the MTA. It cannot be invoked from the message store. When SMTP is used between the MTA and the message store, it can be invoked from either one.

If you want to use a farm of servers running ClamAV, put a load balancer in front of them. The MTA is configured with only one address for the ClamAV server.

Other considerations.

14.6.3 Deploying ClamAV

Perform the following steps to deploy ClamAV:

Procedure: To Jettison Virus- or Trojan-Horse-Infected Email Using ClamAV

The following example jettisons all messages found to contain a virus or Trojan horse detected by ClamAV. The verdict string is not used.

  1. Create the ClamAV configuration file.

    The name and location of this file are specified in Step 2. A good name is clamav.opt. This file contains the following lines:


    # more /opt/SUNWmsgsr/config/clamav.opt
    ! ClamAV Settings
    debug=1
    host=127.0.0.1
    port=3310
    mode=1

    debug=1 turns on debugging in the ClamAV library.

    host and port specify the name of the system where clamd is running and the port on which clamd listens for incoming requests.

    mode=1 specifies that the ClamAV plug-in return the ClamAV result string as the verdict when a virus-infected email is detected.

  2. Modify the option.dat file.

    Add the following lines to the option.dat file:


    ! ClamAV settings 
    spamfilter2_config_file=/opt/SUNWmsgsr/config/clamav.opt 
    spamfilter2_library=/opt/SUNWmsgsr/lib/libclamav.so 
    spamfilter2_string_action=data:,require ["jettison"]; jettison;

    spamfilter2_config_file specifies the ClamAV configuration file.

    spamfilter2_library specifies the ClamAV shared library.

    spamfilter2_string_action specifies the Sieve action to take for a virus-infected email.

  3. Specify the messages to be filtered.

    To filter all messages coming into the local message store, change the imta.cnf file by adding the destinationspamfilterXoptin virus keywords (X is the spam filter number, 2 in this example) on the ims-ms channel:


    !
    ! ims-ms 
    ims-ms defragment subdirs 20 notices 1 7 14 21 28 backoff "pt5m" "pt10m"
    "pt30m" "pt1h" "pt2h" "pt4h" maxjobs 4 pool IMS_POOL fileinto 
    $U+$S@$D destinationspamfilter2optin virus 
    ims-ms-daemon

  4. Recompile the configuration and restart the server.

    Only the MTA needs to be restarted. You do not need to execute stop-msg.


    # imsimta cnbuild
    # imsimta restart

  5. Start the clamd daemon.

14.6.4 Testing ClamAV

To test ClamAV, first set debug=1 in the clamav.opt file. (You do not have to turn on the channel-specific master_debug or slave_debug in the imta.cnf.) Then send a test user a file attachment that contains the EICAR test string (http://www.eicar.org/anti_virus_test_file.htm). This string is designed to make virus scanners recognize an email as virus-infected without an actual virus being attached:


X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Review the test logs. The msg-svr-base/data/log/tcp_local_slave.log* file should have lines similar to these:


10:39:00.85: ClamAV callout debugging enabled; 
config /opt/SUNWmsgsr/config/clamav.opt
10:39:00.85: IP address 127.0.0.1 specified 
10:39:00.85: Port 3310 selected 
10:39:00.85: Mode 1 selected 
10:39:00.85: Field "Virus-Test: " selected 
10:39:00.85: Verdict "" selected 
10:39:00.85: Initializing ClamAV message context
 ... 
10:39:00.85: Creating socket to connect to clamd server 
10:39:00.85: Binding clamd socket 
10:39:00.85: Connecting to clamd server 
10:39:00.85: Sending ClamAV STREAM request 
10:39:00.85: Retrieving ClamAV STREAM response 
10:39:00.85: STREAM response: PORT 2003 
10:39:00.85: Creating socket to connect to clamd server data port 
10:39:00.85: Binding clamd data socket 
10:39:00.85: Connecting to clamd server data port 
10:39:00.85: Sending ClamAV the message 
10:39:00.85: Closing ClamAV data connection 
10:39:00.85: Reading ClamAV result 
10:39:00.87: Result line: stream: Eicar-Test-Signature FOUND 
10:39:00.87: Scan result: Message is infected 
10:39:00.87: Verdict line: Virus-Test: True ; Eicar-Test-Signature 
10:39:00.87: Closing connection to ClamAV 
10:39:00.87: Mode 1 verdict of Virus-Test: True ; Eicar-Test-Signature 
10:39:00.87: Mode 1 verdict of Virus-Test: True ; Eicar-Test-Signature
 ... 
10:39:00.87: Freeing ClamAV message context  
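The exchange the log above records (STREAM request, PORT reply, message sent on a second connection, result line read back) as an added example that is not part of the guide or of libclamav.so: a small Python client that performs the same handshake, plus a constructed in-process stand-in for clamd so the example runs offline. The stand-in reports a hit only for a constructed marker token (deliberately not the EICAR string), and the message_buffer_size argument models the MESSAGE_BUFFER_SIZE truncation described in the options table; both are assumptions of this example.

```python
"""Model of the clamd STREAM exchange used by the ClamAV plug-in.

Added example: the fake clamd below is a constructed stand-in for the real
daemon and reports a hit only for a constructed marker token.
"""
import socket
import threading

# Constructed marker the stand-in scanner looks for (deliberately not the EICAR string).
MARKER = b"CONSTRUCTED-TEST-SIGNATURE"
FAKE_RESULT = b"stream: Constructed.Test.Signature FOUND\n"


def recv_line(sock):
    """Read one newline-terminated line and return it without the line ending."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n")


def scan_stream(host, port, message, message_buffer_size=1048576, timeout=5.0):
    """Run the STREAM handshake against clamd and return the result line.

    Mirrors the sequence in the debug log: STREAM -> PORT n -> send the message
    on a second connection -> read 'stream: ... FOUND' or 'stream: OK'.
    Like the plug-in, only the first message_buffer_size bytes are sent, so a
    buffer smaller than the message can hide a signature near its end.
    """
    data = message[:message_buffer_size]
    with socket.create_connection((host, port), timeout=timeout) as ctl:
        ctl.sendall(b"STREAM\n")
        reply = recv_line(ctl)
        if not reply.startswith("PORT "):
            raise RuntimeError(f"unexpected STREAM response: {reply!r}")
        data_port = int(reply.split()[1])
        with socket.create_connection((host, data_port), timeout=timeout) as dat:
            dat.sendall(data)
            dat.shutdown(socket.SHUT_WR)  # EOF tells clamd the message is complete
        return recv_line(ctl)


def is_infected(result_line):
    """clamd marks a detection with a trailing ' FOUND'."""
    return result_line.endswith(" FOUND")


def _serve_one(listener):
    """Handle a single STREAM request the way clamd would (stand-in logic)."""
    conn, _ = listener.accept()
    with conn:
        if recv_line(conn) != "STREAM":
            conn.sendall(b"UNKNOWN COMMAND\n")
            return
        data_listener = socket.socket()
        data_listener.bind(("127.0.0.1", 0))
        data_listener.listen(1)
        conn.sendall(f"PORT {data_listener.getsockname()[1]}\n".encode())
        dconn, _ = data_listener.accept()
        with dconn:
            payload = b""
            while True:
                chunk = dconn.recv(4096)
                if not chunk:
                    break
                payload += chunk
        data_listener.close()
        conn.sendall(FAKE_RESULT if MARKER in payload else b"stream: OK\n")


def start_fake_clamd(requests=1):
    """Start the stand-in daemon on an ephemeral loopback port; returns that port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def run():
        for _ in range(requests):
            _serve_one(listener)
        listener.close()

    threading.Thread(target=run, daemon=True).start()
    return listener.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_clamd(requests=2)
    for body in (b"Subject: hello\r\n\r\nplain text\r\n",            # constructed clean message
                 b"Subject: test\r\n\r\n" + MARKER + b"\r\n"):      # constructed "infected" message
        line = scan_stream("127.0.0.1", port, body)
        print(line, "->", "infected" if is_infected(line) else "clean")
```

Run it stand-alone and the two result lines correspond to the "Result line:" entries in the log; point scan_stream at a real clamd host and port and the same handshake applies. The 452 error in the next paragraph is what the MTA returns when the first create_connection in scan_stream would fail.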

If your log file does not contain lines similar to these, or if clamd is not running, the following error message is returned in your SMTP dialog after the last period (.) is sent to the SMTP server:


452 4.4.5 Error writing message temporaries - Error 
connecting to ClamAV server

14.6.5 ClamAV Options

The ClamAV option file is a typical Messaging Server-style option file consisting of lines of the form option=value. The one required option is HOST. It must be set to the name of the system where clamd is running. This option must be set even if clamd is running on the local host.

The additional options available in this file are shown below.

Table 14–7 ClamAV Options

DEBUG
    Enables or disables debug output from the ClamAV interface module. (Debug output from clamd itself is controlled by options on the clamd command line.) The larger the value, the more debugging output will be produced. 0 produces no output. 1 provides basic debugging. 2 adds logging of TCP traffic from clamd.

FIELD
    Specifies the ClamAV result string prefix. ClamAV result strings generally look something like one of the following:

        Virus-Test: False
        Virus-Test: True ; Worm.Mydoom.I

    The FIELD option provides the means for changing the Virus-Test part of the result. Note that the ": " will also be removed if an empty FIELD value is specified.
    Default: "Virus-Test"

MESSAGE_BUFFER_SIZE
    Due to the nature of the clamdscan/clamd interface, the ClamAV plug-in has to buffer the message in memory before sending it to ClamAV. The size of the memory buffer is controlled by this option. It defaults to 1,048,576 characters. Messages longer than this will be truncated and not sent in their entirety to ClamAV. In order to ensure that every message is scanned fully, this value should reflect the maximum message size the MTA will accept. Reducing this value may help to speed up virus scanning times, but may let viruses through undetected.
    Default: 1048576

MODE
    Controls the translation of ClamAV results to verdict information. Four different modes are available:

    0 - Return the verdict string specified by the VERDICT option if the message is found to contain a virus; return a default verdict if it does not. A null verdict is returned if the VERDICT option is empty or unspecified.

    1 - Return the ClamAV result as a verdict if the message is found to contain a virus; return a default verdict if not.

    2 - Return a ClamAV result string as the verdict unconditionally; no default or null verdict is ever returned and the VERDICT option is never used.

    3 - Return the ClamAV result as a verdict if the message is found to contain a virus; return the verdict string specified by the VERDICT option if it is not.

PORT
    Specifies the port clamd is running on.
    Default: 3310

SOCKS_HOST
    Specifies the name of an intermediate SOCKS server. If this option is specified, the clamd connection is made through the specified SOCKS server and not directly.
    Default: 3310

SOCKS_PORT
    Specifies the port the intermediate SOCKS server is running on.
    Default: 1080

VERDICT
    Specifies the verdict string used in modes 0 and 3.
    Default: ""