Sun Java System Messaging Server 6.3 Administration Guide

14.6 Using ClamAV

Messaging server supports the use of the popular and freely available third-party virus scanner ClamAV for the detection of virus- and Trojan horse- infected messages. Virus signatures used by ClamAV to detect newly created viruses can be automatically updated using the freshclam utility provided with the ClamAV software package.

Further information on ClamAV can be found at the ClamAV website.

14.6.1 ClamAV/Messaging Server Theory of Operations

ClamAV integration in Messaging Server makes use of the clamd daemon that is provided as part of the ClamAV package. clamd is a multi-threaded process that listens on a socket for requests to process messages. After processing the message, it sends back a response and closes the connection. The client portion, clamdscan from the ClamAV installation, is not used. This function is done by a shared library called, which is part of Messaging Server. is loaded the same way as the Brightmail SDK is loaded.

14.6.2 ClamAV Requirements and Usage Considerations

ClamAV can run on a separate system of its own, on the same system as the Messaging Server in a single system deployment, or on the same system as the MTA in a two-tier deployment. If Local Mail Transfer Protocol (LMTP) is used between the MTA and the message store, the filtering must be invoked from the MTA. It cannot be invoked from the message store. When SMTP is used between the MTA and the message store, it can be invoked from either one.

If you want to use a farm of servers running ClamAV, use a load balancer front of them. The MTA is configured with only one address for the ClamAV server.

Other considerations.

14.6.3 Deploying ClamAV

Perform the following steps to deploy ClamAV:

ProcedureTo Jettison Virus– or Trojan Horse– Infected Email Using ClamAV

The following example jettisons all messages found to contain a virus or Trojan horse detected by ClamAV. The verdict string is not used.

  1. Create the ClamAV configuration file.

    The name and location of this file is specified in Step 2. A good name is clamav.opt. This file contains the following lines:

    # more /opt/SUNWmsgsr/config/clamav.opt
    ! ClamAV Settings

    debug=1 turns on debugging in the ClamAV library.

    host and port specify the name of the system where clamd is running and the port on which clamd listens for incoming requests.

    mode=1 specifies that the ClamAV plug-in return the ClamAV result string as the verdict when a virus infected email is detected.

  2. Modify the option.dat file.

    Add the following lines to the option.dat file:

    ! ClamAV settings 
    spamfilter2_string_action=data:,require ["jettison"]; jettison;

    spamfilter2_config_file specifies the ClamAV configuration file.

    spamfilter2_library specifies the ClamAV shared library.

    spamfilter2_string_action specifies the Sieve action to take for a virus infected email.

  3. Specify the messages to be filtered.

    To filter all messages coming into the local message store, change the imta.cnf file by adding the destinationspamfilterXoptin virus keywords on the ims-ms channel:

    ! ims-ms 
    ims-ms defragment subdirs 20 notices 1 7 14 21 28 backoff "pt5m" "pt10m"
    "pt30m" "pt1h" "pt2h" "pt4h" maxjobs 4 pool IMS_POOL fileinto 
    $U+$S@$D destinationspamfilter2optin virus 
  4. Recompile the configuration and restart the server.

    Only the MTA needs to be restarted. You do not need to execute stop-msg.

     # imsimta cnbuild
    # imsimta restart
  5. Start the clamd daemon.

14.6.4 Testing ClamAV

To test ClamAV, first set debug=1 in the clamav.opt file. (You do not have to turn on the channel-specific master_debug or slave_debug in the imta.cnf.) Then send a file attachment to a test user which contains the EICAR virus string ( This string is designed to trigger virus scanners to recognize an email as virus-infected without having an actual virus attached:


Review the test logs. The msg-svr-base/data/log/tcp_local_slave.log* file should have lines similar to these:

10:39:00.85: ClamAV callout debugging enabled; 
config /opt/SUNWmsgsr/config/clamav.opt
10:39:00.85: IP address specified 
10:39:00.85: Port 3310 selected 
10:39:00.85: Mode 1 selected 
10:39:00.85: Field "Virus-Test: " selected 
10:39:00.85: Verdict "" selected 
10:39:00.85: Initializing ClamAV message context
10:39:00.85: Creating socket to connect to clamd server 
10:39:00.85: Binding clamd socket 
10:39:00.85: Connecting to clamd server 
10:39:00.85: Sending ClamAV STREAM request 
10:39:00.85: Retrieving ClamAV STREAM response 
10:39:00.85: STREAM response: PORT 2003 
10:39:00.85: Creating socket to connect to clamd server data port 
10:39:00.85: Binding clamd data socket 
10:39:00.85: Connecting to clamd server data port 
10:39:00.85: Sending ClamAV the message 
10:39:00.85: Closing ClamAV data connection 
10:39:00.85: Reading ClamAV result 
10:39:00.87: Result line: stream: Eicar-Test-Signature FOUND 
10:39:00.87: Scan result: Message is infected 
10:39:00.87: Verdict line: Virus-Test: True ; Eicar-Test-Signature 
10:39:00.87: Closing connection to ClamAV 
10:39:00.87: Mode 1 verdict of Virus-Test: True ; Eicar-Test-Signature 
10:39:00.87: Mode 1 verdict of Virus-Test: True ; Eicar-Test-Signature
10:39:00.87: Freeing ClamAV message context  

If your log file does not contain lines similar to these, or if clamd is not running, the following error message is returned in your SMTP dialog after the last period (.) is sent to the SMTP server:

452 4.4.5 Error writing message temporaries - Error 
connecting to ClamAV server

14.6.5 ClamAV Options

The ClamAV option file is a typical messaging server-style option file consisting of lines of the form option=value. The one required option is HOST. It must be set to the name of the system where clamd is running. This option must be set even if clamd is running on the local host.

Further additional options are available for this options file are shown below.

Table 14–7 ClamAV Options





Enables or disables debug output from the ClamAV interface module. (Debug output from clamd itself is controlled by options on the clamd command line.) The larger the value, the more debugging output will be produced. 0 produces no output. 1 provides basic debugging. 2 adds logging of TCP traffic from clamd.


Specifies the ClamAV result string prefix. ClamAV result strings generally look something like one of the following:  

Virus-Test: False 
Virus-Test: True ; Worm.Mydoom.I

The FIELD option provides the means for changing the Virus-Test part of the result. Note that the ": " will also be removed if an empty FIELD value is specified.



Due to the nature of the clamdscan/clamd interface the ClamAV plugin has to buffer the message in memory before sending to ClamAV. The size of the memory buffer is controlled by this option. It defaults to 1,048,576 characters. Messages longer than this will be truncated and not sent in their entirety to ClamAV. In order to ensure that every message is scanned fully, this value should reflect the maximum message size the MTA will accept. Reducing this value may help to speed up virus scanning times, but may let through viruses undetected.



Controls the translation of ClamAV results to verdict information. Four different modes are available: 

0 - Return the verdict string specified by the VERDICT option if the message is found to contain a virus; return a default verdict if it does not. A null verdict is returned if the VERDICT option is empty or unspecified.

1 - Return the ClamAV result as a verdict if the message is found to contain a virus; return a default verdict if not.  

2 - Return a ClamAV result string as the verdict unconditionally; no default or null verdict is ever returned and the VERDICT option is never used.

3 - Return the ClamAV result as a verdict if the message is found to contain a virus; return the verdict string specified by the VERDICT option if it is not.


Specifies the port clamd is running on.



Specifies the name of an intermediate SOCKS server. If this option is specified the clamd connection is made through the specified SOCKS server and not directly.



Specifies the port the intermediate SOCKS server is running on. 



Specifies the verdict string used in modes 0 and 3.