CLAMAV

 [mike@Kaitain etc]$ sudo freshclam ClamAV update process started at Mon Sep 19 16:04:22 2005 main.cvd is up to date (version: 34, sigs: 39625, f-level: 5,  builder: tkojm) Downloading daily.cvd [*] daily.cvd updated (version: 1090, sigs: 581, f-level: 6, builder:  ccordes) Database updated (40206 signatures) from db.us.clamav.net (IP:  216.24.174.245) 

It probably cannot be stressed enough that Clamav, even though it runs on Unix systems, scans for viruses that affect any operating system. This can be welcome news for mail server administrators who often must deal with high-volume traffic using low-cost solutions. Consider this scenario, in which Sarah the administrator combines Clamav with the exim (http://www.exim.org) mail server.

Fortunately, exim is designed to interface with an anti-virus scanner. This means that updating the server's configuration file.exim.conf only requires two simple modifications:

 av_scanner = clamd:/var/run/clamd.sock acl_check_data: deny     malware = *          message = This message contains a virus ($malware_name). 

The first line defines the type of anti-virus engine and its interface. In this case, Sarah chose to run clamd locally on the e-mail server. Since exim and clamd are on the same physical system, they can communicate via a socket. This socket is defined in the clamd.conf file under the LocalSocket directive:

 LocalSocket /var/run/clamd.sock 

The acl_check_data entry in the exim.conf file instructs exim how to react when malware is found. In other words, when clamd reports a virus match in an e-mail, then it will block the message (deny it) and report the name of the virus to the logfile. The $malware_name variable is expanded by the name of the virus reported to exim from clamd. This is the only variable related to viruses that can be included in the exim.conf file. However, there are many other variables that might contain useful information. They can be found in the documentation or by examining the expand.c file in the src directory of the exim source tree.

Once the changes have been made to the exim.conf file, then it can be tested . Rather than use a "live" virus, Sarah retries the test viruses that Clamav provides in its test directory. The test files are also compressed in different formats to more fully test the anti-virus capabilities.

 clam-v2.rar   clam-v3.rar   clam.cab   clam.exe   clam.exe.bz2   clam.zip 

There's one catch: How to quickly test an e-mail that contains a malicious binary attachment. Normally, it's a trivial matter to interact with a mail server via a command-line interface like Netcat. In fact, any binary file must first be encoded in a special format before a mail server can accept it. The uuencode utility makes this step easy. Sarah runs the following command to obtain the encoded form of the clam.exe file. (Uuencode takes two arguments; the first one is the name of the file to encode and the second one is the name to call the file in the encoded output.)

 $ uuencode.exe clam.exe clam.exe begin 644 clam.exe M35I0``(````$``\`__\``+@````A````0``:```````````````````````` M``````````````````````$``+MQ$$``,\!04(OS4U-0L"E`,`1FK'GYNC$` M>`VM4/]F<`X?OC$`Z>7_M`G-(;1,S2%B#`H!`G!V%P(>3@P$+]K,$``````` M````````````P!```(`0``````````````````#:$```]!`````````````` M````````````````2T523D5,,S(N1$Q,``!%>&ET4')O8V5S<P!54T52,S(N M1$Q,`$-,04UE<W-A9V5";WA!`.80````````/S\_/U!%``!,`0$`84-A0@`` M````````X`".@0L!`AD`!`````8```````!`$````!```$```````$```!`` M```"```!``````````,`"@```````"`````$`````````@``````$```(``` M```0```0````````$```````````````A!```(`````````````````````` M```````````````````````````````````````````````````````````` M```````````````````````````````````````````````````````````` M````````````6T-,04U!5ET`$````!`````"```!```````````````````` $````P``` ` end 

Now Sarah has a test payload. She runs an exim test connection. The bh option initiates an SMTP (the protocol used to send e-mail) connection from the IP address used as an argument. Not only could this be used to test e-mail relay and access controls, but it can be used to test filters.

 $ exim -bh 10.0.1.5 **** SMTP testing session as if from host 10.0.1.5 **** but without any ident (RFC 1413) callback. **** This is not for real! 220 Kaitain ESMTP Exim 4.52 Wed, 21 Sep 2005 12:40:22 -0700 mail from:<> 250 OK rcpt to:<istari@kaitain> 250 Accepted data 354 Enter message, ending with "." on a line by itself Subject: virus test begin 644 clam.exe M35I0``(````$``\`__\``+@````A````0``:```````````````````````` M``````````````````````$``+MQ$$``,\!04(OS4U-0L"E`,`1FK'GYNC$` M>`VM4/]F<`X?OC$`Z>7_M`G-(;1,S2%B#`H!`G!V%P(>3@P$+]K,$``````` M````````````P!```(`0``````````````````#:$```]!`````````````` M````````````````2T523D5,,S(N1$Q,``!%>&ET4')O8V5S<P!54T52,S(N M1$Q,`$-,04UE<W-A9V5";WA!`.80````````/S\_/U!%``!,`0$`84-A0@`` M````````X`".@0L!`AD`!`````8```````!`$````!```$```````$```!`` M```"```!``````````,`"@```````"`````$`````````@``````$```(``` M```0```0````````$```````````````A!```(`````````````````````` M```````````````````````````````````````````````````````````` M```````````````````````````````````````````````````````````` M````````````6T-,04U!5ET`$````!`````"```!```````````````````` $````P``` ` end . >>> using ACL "acl_check_data" >>> processing "deny" >>> check malware = * >>> deny: condition test succeeded 550 This message contains a virus (ClamAV-Test-File). LOG: IN6MPZ-0000V4-FK H=[10.0.1.5] F=<> rejected after DATA: This message contains a virus (ClamAV-Test-File). 

The best administrators automate or simplify tasks whenever possible. In order to make this virus test easier, Sarah creates a text file that contains the necessary commands to interact with the server:

 mail from:<> rcpt to:<istari@Kaitain> data Subject: test begin 644 clam.zip M4$L#!!0````(`+P,)C']/`?O``$``"`"```(`!4`8VQA;2YE>&555`D``U2C M.T$EZ$U!57@$`.@#Z`/SC0I@8&)@8&!AX&?X_Y^!80>0K0C$#@Q2#`0!(P/# M[D(!!P;C`P$!W9^#@P,V:#H8L*2MJ?RYRY"A@G=MP/^T`C[Y?88,+Y_^W\)Y M5G&+SUG%)!XN1J:",G$F.3\>%OU;9P10C3P`Y#>@B=T"\K^@B<&`MVN0GZN/ ML9&>BX\/`X-K169)0%%^<FIQ,4-HL&L05-S9Q]*)28GNJ47^'(\`QJECT0 M!+@R,/@P,C(D.B<ZP<Q\P-#7R,W()`D,%`8&-HB8`TB/`"A<P#PP&Q1PC%`] MS`Q<$(8".##!@`E,"D# 
 mail from:<> rcpt to:<istari@Kaitain> data Subject: test begin 644 clam.zip M4$L#!!0````(`+P,)C']/`?O``$``"`"```(`!4`8VQA;2YE>&555`D``U2C M.T$EZ$U!57@$`.@#Z`/SC0I@8&)@8&!AX&?X_Y^!80>0K0C$#@Q2#`0!(P/# M[D(!!P;C`P$!W9^#@P,V:#H8L*2MJ?RYRY"A@G=MP/^T`C[Y?88,+Y_^W\)Y M5G&+SUG%)!XN1J:",G$F.3\>%OU;9P10C3P`Y#>@B=T"\K^@B<&`MVN0GZN/ ML9&>BX\/`X-K169)0%%^<FIQ,4-HL&L05-S9Q]$7*)28GNJ47^'(\`QJECT0 M!+@R,/@P,C(D.B<ZP<Q\P-#7R,W()`D,%`8&-HB8`TB/`"A<P#PP&Q1PC%`] MS`Q<$(8".##!@`E,"D#$0#347F2OM(#\BS>0:0.B06'B&!;+`/47LE^0P`$` M4$L!`A<#%`````@`O`PF,?T\!^\``0``(`(```@`#0```````````*2!```` L`&-L86TN97AE550%``-4HSM!57@``%!+!08``````0`!`$,````[`0`````` ` end . 
 #347F2OM(#\BS>0:0.B06'B&!;+`/47LE^0P`$` M4$L!`A<#%`````@`O`PF,?T\!^\``0``(`(```@`#0```````````*2!```` L`&-L86TN97AE550%``-4HSM!57@``%!+!08``````0`!`$,````[`0`````` ` end . 

Now the test requires a single command line:

 $ cat nudge2.txt  exim -bh 10.0.1.5 2>/dev/null **** SMTP testing session as if from host 10.0.1.5 **** but without any ident (RFC 1413) callback. **** This is not for real! 220 Kaitain ESMTP Exim 4.52 Wed, 21 Sep 2005 12:49:09 -0700 250 OK 250 Accepted 354 Enter message, ending with "." on a line by itself 550 This message contains a virus (ClamAV-Test-File). 421 Kaitain lost input connection 

Now Sarah is confident that the Clamav and exim combination will find viruses in .exe and .zip files. With a few more tests, she can verify how well it performs against other compressed files.

Finally, in order to close the loop and verify that all of the events have been logged properly, Sarah checks out clamd's output:

 $ tail /var/log/clamd.log /var/spool/exim/scan/IN6KH8-0000HC-D3/IN6KH8-0000HC-D3.eml:  ClamAV-Test-File FOUND /var/spool/exim/scan/IN6MPZ-0000V4-FK/IN6MPZ-0000V4-FK.eml:  ClamAV-Test-File FOUND /var/spool/exim/scan/IN6MVX-0001J8-9D/IN6MVX-0001J8-9D.eml:  ClamAV-Test-File FOUND 

There will not be any entries in exim's logfile (exim_main.log) because the bh option only initiated a test connectionno e-mail was actually sent.