anomy-list

Re: Calling ClamAV

From: Joerg Mertin (137440@xyz.molar.is)
Date: Tue 18 Jan 2005 - 10:46:04 GMT


    well - as I have users not having physical accounts on my machine - but
    rather have an entry in LDAP on my system - that is a no-go situation for
    me.

    Just testing a setup - where I'm sending the same stream of data through
    anomy_filter.sh to try to put clamav X-Antivirus: Header into the mail -
    _without_ the use of temporary files I dump the E-Mail into.

    If I manage to get it to work reliably - I'll post a little description.
    Might take one or 2 more weeks (as I'm travelling around at the moment).

    Cheers

    Joerg

    <quote who="tickticker">
    >
    > Of course, this is assuming he has Procmail installed (I have the exact
    > same setup, just no procmail).
    >
    > I adjusted the advosys script to call CLAMSCAN and scan the whole email.
    > This leaves a blank email if positive; if the email is blank, I drop it.
    > If it's not, it gets passed through anomy for further filtering. (It's
    > not that I don't trust clamav, I don't trust any antivirus system 100%.)
    > And believe it or not, it's FAST.
    >
    > It's simple, clean (one script with options for piping to a directory
    > for further review if need be) and easily is handling an avg of 25k to
    > 45k emails a day for 3k users on a server that also gets over 3 million
    > web hits a month. And it's just a dual 1GHz with 2 gigs ram and a sucky
    > drive system. We are in the middle of separating out the web services
    > to 4 load balanced web servers, an email server, and an AV/Spamassassin
    > server. Not due to slowness mind you, but to bring the OS up to date
    > and we were running out of drive space.
    >
    > I have 11 instances of spamd running at all times, and four have less
    > than 10 seconds of CPU time in the last month:
    >
    > 8:59pm up 33 days, 4:43, 2 users, load average: 0.37, 0.45, 0.82
    > 143 processes: 141 sleeping, 1 running, 1 zombie, 0 stopped
    > CPU0 states: 2.0% user, 4.0% system, 0.0% nice, 93.0% idle
    > CPU1 states: 0.0% user, 0.0% system, 0.0% nice, 100.0% idle
    > Mem: 2064828K av, 1806196K used, 258632K free, 0K shrd, 204368K buff
    > Swap: 2040212K av, 77424K used, 1962788K free 1134668K cached
    >
    > PID   USER   PRI NI  SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
    > 1137  filter   9  0 22800 1372  448 S     0.0  0.0 0:07 spamd
    > 25285 filter   9  0 30660  25M 1712 S     0.0  1.2 1:39 spamd
    > 8759  filter   9  0 31424  25M 1772 S     0.0  1.2 0:49 spamd
    > 12278 filter   9  0 30228  24M 1784 S     0.0  1.2 0:34 spamd
    > 16183 filter   9  0 32492  26M 1784 S     0.0  1.3 0:29 spamd
    > 20004 filter   9  0 34624  29M 1784 S     0.0  1.4 0:22 spamd
    > 20158 filter   9  0 28972  23M 1792 S     0.0  1.1 0:15 spamd
    > 21057 filter   9  0 30052  24M 1792 S     0.0  1.2 0:14 spamd
    > 22470 filter   9  0 27036  21M 1776 S     0.0  1.0 0:07 spamd
    > 22570 filter   9  0 27976  22M 1760 S     0.0  1.1 0:06 spamd
    > 23002 filter   9  0 27364  21M 1764 S     0.0  1.0 0:05 spamd
    >
    > with an uptime of 33 days
    >
    > It should be simple to set up; here's a snippet of my filter.sh:
    >
    > # Exit codes from <sysexits.h>
    > EX_TEMPFAIL=75
    > EX_UNAVAILABLE=69
    >
    > cd "$INSPECT_DIR" || { echo "$INSPECT_DIR does not exist"; exit $EX_TEMPFAIL; }
    >
    > # Clean up when done or when aborting.
    > trap "rm -f out.$$" 0 1 2 3 15
    >
    > # Pipe message through SA to a temp file:
    > cat | $SPAMC -f -d localhost -p 783 -u filter > out.$$
    >
    > # Are there more than $SPAMLIMIT stars in X-Spam-Level header? :
    > if $EGREP -q "^X-Spam-Level: \*{$SPAMLIMIT,}" < out.$$
    > then
    >     # Option 1: Move high scoring messages to sideline dir so a human
    >     # can look at them later:
    >     # mv out.$$ $SIDELINE_DIR
    >     # Option 2: Divert to an alternate e-mail address:
    >     # (Comment out the above, then uncomment next line to use this option)
    >     # $SENDMAIL 137518@xyz.molar.is < out.$$
    >     # Option 3: Delete the message
    >     rm -f out.$$
    > else
    >     # run through clamav and dump to a directory for further review?
    >     #$CLAMSCAN -v --mbox --unzip=/usr/bin/unzip --move=/tmp/quarentine -l /var/log/avmail < out.$$
    >     # run through clamav and delete (default)
    >     $CLAMSCAN -v --mbox --unzip=/usr/bin/unzip --remove -l /var/log/avmail < out.$$
    > fi   # end of the X-Spam-Level check
    >
    >
    > And you can probably set up a better removal tool, in fact I'm
    > embarrassed to show it, as I have the scripting prowess of a speedbump.
    > Any offers for a clean solution to removing the empty emails in a line
    > or two would be HIGHLY appreciated.
    >
    > Anthony
    >
    > On Monday 17 January 2005 05:21 pm, you wrote:
    >> # rpm -qa | grep clam
    >> clamav-0.70-1
    >>
    >> file_list_6_scanner = 0:2:3:/usr/local/anomy/bin/clamavd.sh %FILENAME
    >> file_list_6_policy = accept:save:drop:drop
    >> file_list_6 = (?i)(.*\@.*\.com)$
    >>
    >> /usr/local/anomy/bin/clamavd.sh
    >> #!/bin/sh
    >>
    >> # Script for the Sanitizer (procmail filter)
    >> # Using ClamAV
    >> # Version: 1.02, Xavier Roche/Serianet
    >> # Usage: /etc/procmail/clamavd.sh <filename>
    >> # Returns: "CLEAN : OK" | "VIRUS : <information>" | "ERROR"
    >> # Exitcode: 0=OK 2=SUSPICIOUS 3=VIRUS
    >> # This script is under GPL
    >>
    >> #############################################################################
    >> # Instructions (copied from e-mail from Xavier by Bjarni):
    >> #
    >> # I tested various AV systems (avp, f-prot..) and attached to this mail
    >> # a simple script which recognizes the four most used av scanners on
    >> # linux systems (the script can be freely used and spread, of course).
    >> #
    >> # The use is simple: check_for_virus <filename>
    >> # which will return 0 (OK), 2 (warning), or 3 (danger)
    >> #
    >> # For example, I use the main policy:
    >> #
    >> # file_list_1_scanner = 0:2:3:/etc/procmail/check_for_virus %FILENAME
    >> # file_list_1_policy = unknown:mangle:save:save
    >> # file_list_1 = (?i).*
    >> #
    >>
    >> logger -p mail.notice "check $1"
    >>
    >> if test -n "$1"; then
    >>     if test -f "$1"; then
    >>
    >>         RET=0
    >>
    >>         # ClamAV (Clam AntiVirus)
    >>         if test -x /usr/bin/clamdscan; then
    >>             STATUS=
    >>             /usr/bin/clamdscan --quiet "$1"
    >>             RETURNCODE=$?
    >>             if test $RETURNCODE -eq 1; then
    >>                 STATUS="virus found"
    >>                 RET=3
    >>             fi
    >>             if test -n "$STATUS"; then
    >>                 INFO=`/usr/bin/clamdscan --disable-summary --stdout "$1" | cut -f2 -d' '`
    >>                 logger -i -p mail.notice "virus check for $1: VIRUS FOUND!! - $INFO"
    >>                 echo "VIRUS : $INFO"
    >>             else
    >>                 logger -i -p mail.notice "virus check for $1: ok"
    >>                 echo "CLEAN : OK"
    >>             fi
    >>         fi
    >>         exit $RET
    >>
    >>     fi
    >> fi
    >> echo "ERROR"
    >> exit 0
    >>
    >>
    >> ________________________________
    >>
    >> From: Alan Munday [mailto:137555@xyz.molar.is]
    >> Sent: Mon 1/17/2005 2:35 PM
    >> To: 137606@xyz.molar.is
    >> Subject: [anomy-list]: Calling ClamAV
    >>
    >> I'm looking to add ClamAV to my system (RH9) where I have Anomy
    >> configured with Postfix pretty much as per the Advosys document.
    >>
    >> Having done some searching I thought the easiest way to add clamav to
    >> the system is to use the rpms produced by Dag Wieers. I'm assuming that
    >> I would only need to install the clamav-db and clamav rpms (at least
    >> initially).
    >>
    >> While I found a couple of references to calling clamav from Anomy they
    >> were not clear to me. One required editing the sanitizer.pl which I
    >> would like to clarify as a requirement so I can remember this at
    >> upgrade time.
    >>
    >> Anyhow, does anyone have any clear advice on the set-up of Anomy to
    >> call clamav please?
    >>
    >> Thanks
    >>
    >> Alan
    >>
    >> Attachments:
    >> http://mailtools.anomy.net/archives/anomy-list//b6/41/ec5638/01.unnamed.html

    -- 
    ------------------------------------------------------------------------
    | Joerg Mertin              :  137440@xyz.molar.is                (Home)|
    | in Forchheim/Germany      :  137657@xyz.molar.is                  (Alt1)|
    | Stardust's LiNUX System   :                                          |
    | Web: http://www.solsys.org                                           |
    ------------------------------------------------------------------------
    PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
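A fail-closed variant of the scanner wrapper quoted in the thread, as an added example that is neither Xavier's clamavd.sh nor Anomy's own code. It keeps the 0:2:3 exit convention the quoted file_list_6_scanner line relies on, but maps a clamdscan error (exit 2), an empty argument or an unreadable file to 2 instead of reporting CLEAN; fake_clamdscan and the CONSTRUCTED-TEST-SIGNATURE marker are constructed stand-ins so the script runs without clamd.

```shell
#!/bin/sh
# Added example, not Xavier's clamavd.sh or Anomy's code: a scanner wrapper for
#   file_list_N_scanner = 0:2:3:<this script> %FILENAME
# (exit 0 -> first policy, 2 -> second, 3 -> third). Unlike the quoted script,
# a clamdscan error (exit 2), an empty argument or an unreadable file return 2,
# never "CLEAN : OK"/0, so a stopped clamd fails closed instead of accepting.
# clamdscan exit codes: 0 = no virus, 1 = virus found, 2 = error.

CLAMDSCAN="${CLAMDSCAN:-/usr/bin/clamdscan}"   # overridable for the stub below

check_for_virus() {
    f="$1"
    if [ -z "$f" ] || [ ! -r "$f" ]; then
        echo "ERROR : cannot read '$f'"; return 2
    fi
    "$CLAMDSCAN" --quiet "$f" >/dev/null 2>&1; rc=$?
    case "$rc" in
        0) echo "CLEAN : OK"; return 0 ;;
        1) # second pass without --quiet prints "<file>: <Name> FOUND"
           info=$("$CLAMDSCAN" --disable-summary --stdout "$f" 2>/dev/null | cut -f2 -d' ')
           echo "VIRUS : $info"; return 3 ;;
        *) echo "ERROR : clamdscan exit $rc"; return 2 ;;
    esac
}

# Constructed stand-in for clamdscan (hypothetical, runs offline): a file is
# "infected" when it contains the marker CONSTRUCTED-TEST-SIGNATURE.
fake_clamdscan() {
    quiet=0; t=""
    for a in "$@"; do case "$a" in --quiet) quiet=1 ;; --*) ;; *) t="$a" ;; esac; done
    if grep -q 'CONSTRUCTED-TEST-SIGNATURE' "$t" 2>/dev/null; then
        [ "$quiet" -eq 1 ] || echo "$t: Constructed.Test.Signature FOUND"
        return 1
    fi
    [ "$quiet" -eq 1 ] || echo "$t: OK"
    return 0
}

# "--demo" walks three constructed messages through the stub; any other
# argument is scanned with the real clamdscan, exactly as Anomy would call it.
case "${1:-}" in
    --demo) CLAMDSCAN=fake_clamdscan; d=$(mktemp -d)
            printf 'Subject: a\n\nhello\n' > "$d/clean.eml"
            printf 'Subject: b\n\nCONSTRUCTED-TEST-SIGNATURE\n' > "$d/bad.eml"
            for m in "$d/clean.eml" "$d/bad.eml" "$d/none.eml"; do
                check_for_virus "$m"; echo "  -> exit $?"
            done; rm -rf "$d" ;;
    ?*)     check_for_virus "$1" ;;
esac
```

Run `sh clamav-wrapper.sh --demo` to see the three outcomes; install it under the path named in file_list_N_scanner to use it with the real clamdscan.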
    


