Re: Adding ClamAV

From: Chris (
Date: Sat 22 May 2004 - 18:41:05 GMT


    On Sat, 2004-05-22 at 11:16, Josh Berry wrote:
    > I never was able to get ClamAV working either. The below configuration
    > deletes every single attachment on my system whether it has a virus or
    > not.

    I've had ClamAV running for almost a year now; it works great with Anomy.

    I went about it by adding support for ClamAV to the script
    "check_for_virus". That makes things easier. I have a patch, which is
    available here:

    Note: The patch uses the ClamAV daemon. Look at the bottom of the
    message for the reason why.

    For my filters, first I have it quarantine exe's, pif's, scr's, etc. The
    second rule sets a few allowed data types such as gif, jpeg, etc. The
    third rule scans files that have legitimate uses but can carry viruses,
    such as doc, xls, zip, etc. If something scans positive it gets
    quarantined. Anything that doesn't meet the above gets passed through
    ClamAV and gets quarantined if infected. Here's my config:

    # quarantine attachments that are not safe
    file_list_1 = (?i)(winmail.dat)|
    file_list_1 += (\.(exe|com|vb[se]|dll|ocx|cmd|bat|pif|lnk|hlp
    file_list_1 += |ms[ip]|reg|sct|inf|asd|cab|sh[sb]|scr|cpl|chm
    file_list_1 += |ws[fhc]|hta|vcd|vcf|eml|nws))$
    file_list_1_policy = save
    file_list_1_scanner = 0

    # allow certain file types through
    file_list_2 = (?i)\.(gif|jpe?g|pn[mg]|x[pb]m|dvi|e?ps
    file_list_2 += |p(df|cx)|bmp
    file_list_2 += |mp[32]|wav|au|ram?
    file_list_2 += |avi|mov|mpe?g
    file_list_2 += |t(xt|ex)|csv|l(og|yx)|sql|jtmpl
    file_list_2 += |[ch](pp|\+\+)?|s|inc|asm|pa(tch|s)|java|php\d?
    file_list_2 += |[ja]sp
    file_list_2 += |patch|diff
    file_list_2 += |can|pos|ux|reg|kbf|xal|\d+)(\.g?z|\.bz\d?)*$
    file_list_2_policy = accept
    file_list_2_scanner = 0

    # scan potentially dangerous files for viruses and quarantine
    # if infected
    file_list_3 = (?i)\.(xls|d(at|oc)|p(pt|l)|rtf|html
    file_list_3 += |class|swf|upd|wp\d?|m?db
    file_list_3 += |z(ip|oo)|ar[cj]|lha|[tr]ar|pdf|rpm|deb|slp|tgz
    file_list_3 += )(\.g?z|\.bz\d?)*$
    file_list_3_policy = accept:accept:save:save
    file_list_3_scanner = 0:2:3:/opt/anomy/bin/check_for_virus %FILENAME

    # scan everything else and quarantine if infected
    file_list_4 = (?i)(.*)
    file_list_4_policy = defang:defang:save:save
    file_list_4_scanner = 0:2:3:/opt/anomy/bin/check_for_virus %FILENAME

    This is why I use ClamAV's daemon. The first is the standalone scanner
    and the second is the daemon scanner.

    $ time clamscan --disable-summary att-data.doc.exe-40ad317a.ZA
    att-data.doc.exe-40ad317a.ZA: Worm.SomeFool.P FOUND

    real 0m2.661s
    user 0m2.450s
    sys 0m0.200s

    $ time clamdscan --disable-summary att-data.doc.exe-40ad317a.ZA
    att-data.doc.exe-40ad317a.ZA: Worm.SomeFool.P FOUND

    real 0m0.013s
    user 0m0.000s
    sys 0m0.010s
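To see what the rule ordering above actually does to a given attachment name, here is an added Python script (not part of the original post or of Anomy) that parses the four `file_list_N` rules exactly as posted, applies them first-match-wins, and selects a policy from the scanner's exit code. It assumes Anomy's `scanner = clean:unknown:virus:command` layout maps onto the first three slots of a four-part policy (with the fourth slot for a scanner failure); that reading of the config format is an assumption, not confirmed by the post. The `fake_check_for_virus` function is a constructed stand-in for `/opt/anomy/bin/check_for_virus` so the script runs offline; it performs no scanning.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Copy of the four "file_list_N" rules from the post, in Anomy's config syntax
# ("+=" continues the previous value). Embedded here so the script runs
# without an Anomy installation.
CONFIG = r"""
file_list_1 = (?i)(winmail.dat)|
file_list_1 += (\.(exe|com|vb[se]|dll|ocx|cmd|bat|pif|lnk|hlp
file_list_1 += |ms[ip]|reg|sct|inf|asd|cab|sh[sb]|scr|cpl|chm
file_list_1 += |ws[fhc]|hta|vcd|vcf|eml|nws))$
file_list_1_policy = save
file_list_1_scanner = 0
file_list_2 = (?i)\.(gif|jpe?g|pn[mg]|x[pb]m|dvi|e?ps
file_list_2 += |p(df|cx)|bmp
file_list_2 += |mp[32]|wav|au|ram?
file_list_2 += |avi|mov|mpe?g
file_list_2 += |t(xt|ex)|csv|l(og|yx)|sql|jtmpl
file_list_2 += |[ch](pp|\+\+)?|s|inc|asm|pa(tch|s)|java|php\d?
file_list_2 += |[ja]sp
file_list_2 += |patch|diff
file_list_2 += |can|pos|ux|reg|kbf|xal|\d+)(\.g?z|\.bz\d?)*$
file_list_2_policy = accept
file_list_2_scanner = 0
file_list_3 = (?i)\.(xls|d(at|oc)|p(pt|l)|rtf|html
file_list_3 += |class|swf|upd|wp\d?|m?db
file_list_3 += |z(ip|oo)|ar[cj]|lha|[tr]ar|pdf|rpm|deb|slp|tgz
file_list_3 += )(\.g?z|\.bz\d?)*$
file_list_3_policy = accept:accept:save:save
file_list_3_scanner = 0:2:3:/opt/anomy/bin/check_for_virus %FILENAME
file_list_4 = (?i)(.*)
file_list_4_policy = defang:defang:save:save
file_list_4_scanner = 0:2:3:/opt/anomy/bin/check_for_virus %FILENAME
"""

@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    policies: List[str]                            # 1 entry, or clean:unknown:virus:error
    scanner: Optional[Tuple[set, set, set, str]]   # exit-code sets + command, or None

LINE = re.compile(r"^(file_list_\d+)(_policy|_scanner)?\s*(\+?=)\s*(.*)$")

def _scanner(value: str):
    """'0' disables scanning; otherwise 'clean:unknown:virus:command'.
    Assumption: the three exit-code lists select policy slots 0, 1 and 2."""
    if value.strip() == "0":
        return None
    clean, unknown, virus, command = value.split(":", 3)
    codes = lambda s: {int(c) for c in s.split(",") if c}
    return codes(clean), codes(unknown), codes(virus), command.strip()

def parse_config(text: str) -> List[Rule]:
    """Collect '=' and '+=' lines per key, then build rules in numeric order."""
    raw = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised config line: {line}")
        key, op, value = m.group(1) + (m.group(2) or ""), m.group(3), m.group(4)
        raw[key] = (raw.get(key, "") if op == "+=" else "") + value
    names = sorted((k for k in raw if re.fullmatch(r"file_list_\d+", k)),
                   key=lambda k: int(k.rsplit("_", 1)[1]))
    return [Rule(n, re.compile(raw[n]), raw[n + "_policy"].split(":"),
                 _scanner(raw[n + "_scanner"])) for n in names]

def classify(filename: str, rules: List[Rule],
             run_scanner: Callable[[str], int]) -> Tuple[str, str]:
    """First matching rule wins, which is why rule order matters in the post.
    Returns (rule name, policy applied)."""
    for rule in rules:
        if not rule.pattern.search(filename):
            continue
        if rule.scanner is None:
            return rule.name, rule.policies[0]
        clean, unknown, virus, command = rule.scanner
        code = run_scanner(command.replace("%FILENAME", filename))
        slot = 0 if code in clean else 1 if code in unknown else 2 if code in virus else 3
        return rule.name, rule.policies[min(slot, len(rule.policies) - 1)]
    raise LookupError("no file_list rule matched " + filename)

def fake_check_for_virus(command: str) -> int:
    """Constructed stand-in for /opt/anomy/bin/check_for_virus: no scanning is
    done; returns 3 (virus) if the file name contains 'infected', else 0."""
    return 3 if "infected" in command.lower() else 0

if __name__ == "__main__":
    rules = parse_config(CONFIG)
    for name in ["att-data.doc.exe", "photo.jpg.exe", "report.doc",
                 "infected-report.doc", "archive.zip.gz", "setup.exe.gz", "unknown.bin"]:
        print(f"{name:22} -> {classify(name, rules, fake_check_for_virus)}")
```

Two things the script makes visible that the prose does not: `photo.jpg.exe` is quarantined by rule 1 before the "allowed types" rule ever sees it, because the dangerous-extension rule comes first; and `setup.exe.gz` is not caught by rule 1 at all, since only rules 2 and 3 carry the optional `(\.g?z|\.bz\d?)*` compression suffix, so a compressed executable falls through to the catch-all rule 4 and is only quarantined if the scanner flags it.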

