anomy-list

Re: Calling ClamAV

From: tickticker (137086@xyz.molar.is)
Date: Tue 18 Jan 2005 - 03:10:57 GMT


    Of course, this is assuming he has Procmail installed (I have the exact same
    setup, just no procmail).

    I adjusted the advosys script to call CLAMSCAN and scan the whole email. This
    leaves a blank email if positive; if the email is blank, I drop it. If it's
    not, it gets passed through anomy for further filtering. (It's not that I
    don't trust clamav, I don't trust any antivirus system 100%.) And believe it
    or not, it's FAST.

    It's simple, clean (one script with options for piping to a directory for
    further review if need be) and is easily handling an average of 25k to 45k
    emails a day for 3k users on a server that also gets over 3 million web hits
    a month. And it's just a dual 1GHz with 2 gigs of RAM and a sucky drive
    system. We are in the middle of separating out the web services to 4
    load-balanced web servers, an email server, and an AV/SpamAssassin server.
    Not due to slowness mind you, but to bring the OS up to date, and we were
    running out of drive space.

    I have 11 instances of spamd running at all times, and four have less than 10
    seconds of CPU time in the last month:

      8:59pm up 33 days, 4:43, 2 users, load average: 0.37, 0.45, 0.82
    143 processes: 141 sleeping, 1 running, 1 zombie, 0 stopped
    CPU0 states: 2.0% user, 4.0% system, 0.0% nice, 93.0% idle
    CPU1 states: 0.0% user, 0.0% system, 0.0% nice, 100.0% idle
    Mem: 2064828K av, 1806196K used, 258632K free, 0K shrd, 204368K buff
    Swap: 2040212K av, 77424K used, 1962788K free 1134668K cached

      PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
     1137 filter 9 0 22800 1372 448 S 0.0 0.0 0:07 spamd
    25285 filter 9 0 30660 25M 1712 S 0.0 1.2 1:39 spamd
     8759 filter 9 0 31424 25M 1772 S 0.0 1.2 0:49 spamd
    12278 filter 9 0 30228 24M 1784 S 0.0 1.2 0:34 spamd
    16183 filter 9 0 32492 26M 1784 S 0.0 1.3 0:29 spamd
    20004 filter 9 0 34624 29M 1784 S 0.0 1.4 0:22 spamd
    20158 filter 9 0 28972 23M 1792 S 0.0 1.1 0:15 spamd
    21057 filter 9 0 30052 24M 1792 S 0.0 1.2 0:14 spamd
    22470 filter 9 0 27036 21M 1776 S 0.0 1.0 0:07 spamd
    22570 filter 9 0 27976 22M 1760 S 0.0 1.1 0:06 spamd
    23002 filter 9 0 27364 21M 1764 S 0.0 1.0 0:05 spamd

    with an uptime of 33 days

    It should be simple to set up. Here's a snippet of my filter.sh:

    # Exit codes from <sysexits.h>
    EX_TEMPFAIL=75
    EX_UNAVAILABLE=69

    # Work in the inspection directory; a temporary failure makes the MTA retry.
    cd "$INSPECT_DIR" || { echo "$INSPECT_DIR does not exist"; exit $EX_TEMPFAIL; }

    # Clean up when done or when aborting.
    trap "rm -f out.$$" 0 1 2 3 15

    # Pipe message through SA to a temp file:
    cat | $SPAMC -f -d localhost -p 783 -u filter > out.$$

    # Are there at least $SPAMLIMIT stars in the X-Spam-Level header?
    if $EGREP -q "^X-Spam-Level: \*{$SPAMLIMIT,}" < out.$$
    then
            # Option 1: Move high scoring messages to sideline dir so a human can
            # look at them later:
            # mv out.$$ $SIDELINE_DIR
            # Option 2: Divert to an alternate e-mail address:
            # (Comment out the above, then uncomment next line to use this option)
            # $SENDMAIL 137176@xyz.molar.is < out.$$
            # Option 3: Delete the message
            rm -f out.$$
    else
            # Run through clamav and dump to a directory for further review?
            #$CLAMSCAN -v --mbox --unzip=/usr/bin/unzip --move=/tmp/quarentine -l /var/log/avmail < out.$$
            # Run through clamav and delete (default)
            $CLAMSCAN -v --mbox --unzip=/usr/bin/unzip --remove -l /var/log/avmail < out.$$
    fi

    And you can probably set up a better removal tool. In fact I'm embarrassed to
    show it, as I have the scripting prowess of a speedbump; any offers for a
    clean solution to removing the empty emails in a line or two would be HIGHLY
    appreciated.

    Anthony

    On Monday 17 January 2005 05:21 pm, you wrote:
    > # rpm -qa | grep clam
    > clamav-0.70-1
    >
    > file_list_6_scanner = 0:2:3:/usr/local/anomy/bin/clamavd.sh %FILENAME
    > file_list_6_policy = accept:save:drop:drop
    > file_list_6 = (?i)(.*\@.*\.com)$
    >
    > /usr/local/anomy/bin/clamavd.sh
    > #!/bin/sh
    >
    > # Script for the Sanitizer (procmail filter)
    > # Using ClamAV
    > # Version: 1.02, Xavier Roche/Serianet
    > # Usage: /etc/procmail/clamavd.sh <filename>
    > # Returns: "CLEAN : OK" | "VIRUS : <information>" | "ERROR"
    > # Exitcode: 0=OK 2=SUSPICIOUS 3=VIRUS
    > # This script is under GPL
    >
    > ###############################################################################
    > # Instructions (copied from e-mail from Xavier by Bjarni):
    > #
    > # I tested various AV systems (avp, f-prot..) and attached to this mail
    > # a simple script which recognizes the four most used av scanners on
    > # linux systems (the script can be freely used and spread, of course).
    > #
    > # The use is simple: check_for_virus <filename>
    > # which will return 0 (OK), 2 (warning), or 3 (danger)
    > #
    > # For example, I use the main policy:
    > #
    > # file_list_1_scanner = 0:2:3:/etc/procmail/check_for_virus %FILENAME
    > # file_list_1_policy = unknown:mangle:save:save
    > # file_list_1 = (?i).*
    > #
    >
    > logger -p mail.notice "check $1"
    >
    > if test -n "$1"; then
    >   if test -f "$1"; then
    >
    >     RET=0
    >
    >     # ClamAV (Clam AntiVirus)
    >     if test -x /usr/bin/clamdscan; then
    >       STATUS=
    >       /usr/bin/clamdscan --quiet "$1"
    >       RETURNCODE=$?
    >       if test $RETURNCODE -eq 1; then
    >         STATUS="virus found"
    >         RET=3
    >       fi
    >       if test -n "$STATUS"; then
    >         INFO=`/usr/bin/clamdscan --disable-summary --stdout "$1"|cut -f2 -d' '`
    >         logger -i -p mail.notice "virus check for $1: VIRUS FOUND!! - $INFO"
    >         echo "VIRUS : $INFO"
    >       else
    >         logger -i -p mail.notice "virus check for $1: ok"
    >         echo "CLEAN : OK"
    >       fi
    >     fi
    >     exit $RET
    >
    >   fi
    > fi
    > echo "ERROR"
    > exit 0
    >
    >
    > ________________________________
    >
    > From: Alan Munday [mailto:137213@xyz.molar.is]
    > Sent: Mon 1/17/2005 2:35 PM
    > To: 137125@xyz.molar.is
    > Subject: [anomy-list]: Calling ClamAV
    >
    >
    >
    > I'm looking to add ClamAV to my system (RH9) where I have Anomy configured
    > with Postfix pretty much as per the Advosys document.
    >
    > Having done some searching I thought the easiest way to add clamav to the
    > system is to use the RPMs produced by Dag Wieers. I'm assuming that I
    > would only need to install the clamav-db and clamav RPMs (at least initially).
    >
    > While I found a couple of references to calling clamav from Anomy they were
    > not clear to me. One required editing the sanitizer.pl which I would like
    > to clarify as a requirement so I can remember this at upgrade time.
    >
    > Anyhow, does anyone have any clear advice on the set-up of Anomy to call
    > clamav please?
    >
    > Thanks
    >
    > Alan
    >
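    The two decisions Anthony's filter.sh makes, the X-Spam-Level star check and the drop of the blank message that clamscan --remove leaves behind (the "line or two" he asks for), written here as an added example for this archive page; it is not code from the post, the Advosys script or the Anomy project. The function names, the SPAMLIMIT default of 5 and the sample messages are constructed assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Assumed: message files are
# plain RFC 822 text, SPAMLIMIT is the star threshold (default 5 here).
SPAMLIMIT=${SPAMLIMIT:-5}

# Return 0 when the X-Spam-Level header carries at least $2 stars,
# the same test filter.sh does with $EGREP.
spam_level_exceeds() {
    grep -Eq "^X-Spam-Level: \*{$2,}" "$1"
}

# Return 0 when nothing usable is left in the file: zero bytes, or only
# whitespace. This is the "blank email if positive" case after clamscan.
message_is_empty() {
    [ ! -s "$1" ] || ! grep -q '[^[:space:]]' "$1"
}

# Verdict for one scanned message: spam threshold first (as in filter.sh),
# then the empty-message drop, otherwise hand it on to anomy.
filter_verdict() {
    if spam_level_exceeds "$1" "$SPAMLIMIT"; then
        echo drop-spam
    elif message_is_empty "$1"; then
        echo drop-empty
    else
        echo pass
    fi
}

# Constructed sample messages (not real mail) in a scratch directory;
# prints the directory name so callers can clean it up.
make_samples() {
    dir=$(mktemp -d) || return 1
    printf 'From: a@example.invalid\nX-Spam-Level: ***\nSubject: hi\n\nhello\n' > "$dir/ham"
    printf 'From: b@example.invalid\nX-Spam-Level: ********\nSubject: buy\n\nspam\n' > "$dir/spam"
    : > "$dir/blank"                 # what clamscan --remove leaves behind
    printf '\n\n' > "$dir/whitespace" # blank apart from line endings
    echo "$dir"
}

# Stand-alone demo: one verdict per sample, then remove the scratch dir.
demo() {
    d=$(make_samples) || return 1
    for f in ham spam blank whitespace; do
        printf '%-10s %s\n' "$f" "$(filter_verdict "$d/$f")"
    done
    rm -rf "$d"
}
demo
```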



    hosted by molar.is