SV: Good solution for antivirus


SV: Good solution for antivirus

K F
Ok, it looks like there is a clamav-milter available in the EPEL, that seems to be the simplest solution.

So I've installed clamav-milter-systemd clamav-scanner-systemd

I've corrected the config for clamd:

cp /usr/share/doc/clamav-server-0.98.4/clamd.conf /etc/clamd.d/clamd.conf
LogSyslog yes
DatabaseDirectory /var/lib/clamav
TCPSocket 3310
TCPAddr 127.0.0.1
User clamscan
AllowSupplementaryGroups yes

I then corrected the milter config

vi /etc/mail/clamav-milter.conf
# Example
MilterSocket inet:8894
User clamilt
AllowSupplementaryGroups yes
ClamdSocket tcp:127.0.0.1:3310
LogSyslog yes
OnClean Accept
OnInfected Reject
OnFail Defer

As it seems to be Postfix 2.10, that part should be OK; now I just need to find out how to test it before activating it in Postfix?

On Thursday 30 November 2017 at 14:16, K F <[hidden email]> wrote:


Hi All

Ok, got the postfix/dovecot solution up and running, and it's performing nicely. It's a definite upgrade from the Windows 2003+SMTP server solution that was there before; performance is not comparable, and management with postfixadmin is just simply nice. Again, thank you very much to everybody that helped with that.

I would like to add a solution for antivirus, we have Symantec corporatewise, but compiling the SEP on CentOS doesn't really work well, so I was thinking about going with ClamAV.

Now the integration to postfix is the question, I JUST need the antivirus, not spam filtering or anything like that, so I guess something like Amavis-new is overkill.

But what else is good, and maintained out there, and easy to keep updated?

Best regards
Kenneth



Re: SV: Good solution for antivirus

lists@lazygranch.com
FWIW, I've had amavisd-new "stall", for lack of a better description. Some describe it as locking up. I decided to pull it since I can't always get to a PC to get it going again. My problem is not unique as others have posted complaints on serverfault and similar websites. 

I look forward to your progress and hope you write a summary. 

Regarding testing, amavisd-new is tested with a message that triggers clamav. It is like a test virus. 

https://serverfault.com/questions/484082/how-should-i-test-clam-anti-virus

Sent: November 30, 2017 6:04 AM
Reply-to: [hidden email]
Subject: SV: Good solution for antivirus




Re: SV: Good solution for antivirus

Dominic Raferd
On 30 November 2017 at 16:28, Gary <[hidden email]> wrote:
>
> FWIW
> ...
>
> From: [hidden email]
> Ok, it looks like there is a clamav-milter available in the EPEL, that seems to be the simplest solution.
> So I've installed clamav-milter-systemd clamav-scanner-systemd

If you use clamav you should add the Sanesecurity
(http://sanesecurity.com/) signatures - in my experience these are
responsible for all clamav's real-world virus trapping. See the readme
at https://github.com/extremeshok/clamav-unofficial-sigs/tree/dev.

SV: SV: Good solution for antivirus

K F
Hi Guys

I think I got it working. I just tried sending the EICAR line to a mailbox, and got this message:

Dec  1 13:57:52 bounce postfix/cleanup[21255]: B17C5403B316: milter-reject: END-OF-MESSAGE from sonic306-19.consmr.mail.ir2.yahoo.com[77.238.176.205]: 5.7.1 Command rejected; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<sonic306-19.consmr.mail.ir2.yahoo.com>

WEEEHEEE


So it's a CentOS 7 with Postfix 2.10, and now also ClamAV as a milter.
First off, install the product:
yum install clamav-milter-systemd clamav-scanner-systemd clamav-update

Create a config file by


cp /usr/share/doc/clamav-server-0.98.4/clamd.conf /etc/clamd.d/clamd.conf

Edit the config file, adding a # in front of Example, and change the rest of the lines to reflect these:

# Example
LogSyslog yes
DatabaseDirectory /var/lib/clamav
TCPSocket 3310
TCPAddr 127.0.0.1
User clamscan
AllowSupplementaryGroups yes

Start and enable the service with
systemctl restart [hidden email]
systemctl enable [hidden email]

Edit the clamav-milter config, again with the # in front of Example:

# Example
MilterSocket inet:8894
User clamilt
AllowSupplementaryGroups yes
ClamdSocket tcp:127.0.0.1:3310
LogSyslog yes
OnClean Accept
OnInfected Reject
OnFail Defer

SELinux needs to be configured for the port

semanage port -a -t milter_port_t -p tcp 8894

(of course, that is not necessary if you disable SELinux entirely)

The milter needs a restart and enable as well
systemctl restart clamav-milter
systemctl enable clamav-milter

In postfix main.cfg, I've added the line
smtpd_milters = inet:127.0.0.1:8894

In Freshclam /etc/sysconfig/freshclam, comment the line out

# FRESHCLAM_DELAY=disabled-warn # REMOVE ME

In /etc/freshclam.conf comment the Example line

# Example

Then run the

freshclam

to have all the sigs updated

That's it.
To test it I emailed an EICAR line to an account and in the /var/log/maillog it shows a 'milter-reject' (tail -f /var/log/maillog | grep milter-reject)

Now I just have to look into adding the sanesecurity sigs as well.

Best regards
Kenneth




SV: SV: Good solution for antivirus

K F
Btw, we're using PRTG to monitor how the system fares; so far I can monitor most things, but how about ClamAV? Anybody that has an idea on how to monitor the milter?



Re: SV: Good solution for antivirus

Dominic Raferd
On 1 December 2017 at 13:54, K F <[hidden email]> wrote:
> Btw. we're using PRTG to monitor how the system fares, so far I can monitor
> most things, but how about ClamAV? Anybody that has an idea on how monitor
> the milter?

You can check clamav's log file(s) thus:
grep -a "clamd.*FOUND$" /path/to/logfile
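As an added example (not code from anyone in this thread), the following script turns Kenneth's EICAR test and Dominic's grep into something a monitoring sensor can call: it parses Postfix "milter-reject" lines from /var/log/maillog, counts clamd "FOUND" lines per signature, and probes clamd over the TCPSocket/TCPAddr from the clamd.conf above. The log lines embedded in it are constructed samples in those formats; host names, IPs and addresses are placeholders.

```python
import re
import socket

# Constructed sample lines (not from the thread) in the formats the thread shows:
# Postfix milter-reject entries in /var/log/maillog and clamd "... FOUND" entries.
SAMPLE_MAILLOG = """\
Dec  1 13:57:52 bounce postfix/cleanup[21255]: B17C5403B316: milter-reject: END-OF-MESSAGE from mx.example.test[192.0.2.10]: 5.7.1 Command rejected; from=<a@example.test> to=<b@example.test> proto=ESMTP helo=<mx.example.test>
Dec  1 13:58:01 bounce postfix/smtpd[21260]: connect from mx.example.test[192.0.2.10]
Dec  1 14:02:17 bounce postfix/cleanup[21255]: C2A9F403B317: milter-reject: END-OF-MESSAGE from relay.example.test[198.51.100.7]: 5.7.1 Command rejected; from=<c@example.test> to=<b@example.test> proto=ESMTP helo=<relay.example.test>
"""
SAMPLE_CLAMD_LOG = """\
Fri Dec  1 13:57:52 2017 -> instream(127.0.0.1@43210): Eicar-Test-Signature FOUND
Fri Dec  1 13:58:30 2017 -> SelfCheck: Database status OK.
Fri Dec  1 14:02:17 2017 -> instream(127.0.0.1@43222): Eicar-Test-Signature FOUND
"""

MILTER_REJECT = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-F]+): milter-reject: "
    r"(?P<stage>\S+) from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: (?P<reply>[^;]+);"
)
CLAMD_FOUND = re.compile(r"(?P<sig>\S+) FOUND$")

def milter_rejects(log_text):
    """One dict per milter-reject line: queue id, stage, client host/IP, SMTP reply."""
    hits = (MILTER_REJECT.search(line) for line in log_text.splitlines())
    return [m.groupdict() for m in hits if m]

def found_signatures(log_text):
    """Detections per signature name, the same rows grep -a 'FOUND$' would print."""
    counts = {}
    for line in log_text.splitlines():
        m = CLAMD_FOUND.search(line)
        if m:
            counts[m["sig"]] = counts.get(m["sig"], 0) + 1
    return counts

def clamd_ping(host="127.0.0.1", port=3310, timeout=5.0):
    """Liveness probe for a PRTG-style sensor: clamd answers 'zPING\\0' with PONG."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"zPING\0")
            return sock.recv(16).rstrip(b"\0\n") == b"PONG"
    except OSError:  # refused, timed out, or clamd down: report as not alive
        return False

if __name__ == "__main__":
    print("clamd reachable:", clamd_ping())
    for r in milter_rejects(SAMPLE_MAILLOG):
        print(r["qid"], r["host"], r["ip"], r["reply"])
    print(found_signatures(SAMPLE_CLAMD_LOG))
```

For a real sensor, feed the two functions the actual log files and alert when clamd_ping() goes false or the FOUND count stops changing after a test message.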