No need to turn off Defender; simply exclude the HMS \Data and \Temp folders from the real-time scanner. Lots of posts on the forum explain just that.
HOW TO run Clamwin and have a ClamAV system SERVICE
Re: HOW TO run Clamwin and have a ClamAV system SERVICE
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
Re: HOW TO run Clamwin and have a ClamAV system SERVICE
FYI, another https mirror (for this method) for sanesecurity signatures if the Australian mirror gives you timeouts (it does quite frequently for me)
https://mirror.rollernet.us/sanesecurity/
http only:
http://rsync1.au.gentoo.org/sanesecurity/
Re: HOW TO run Clamwin and have a ClamAV system SERVICE
> RvdH wrote: ↑2022-01-23 01:11
> FYI, another https mirror (for this method) for sanesecurity signatures if the Australian mirror gives you timeouts (it does quite frequently for me)
> https://mirror.rollernet.us/sanesecurity/
> http only:
> http://rsync1.au.gentoo.org/sanesecurity/

Sorry for OT, but is clamav 104 working with hmailserver?
Re: HOW TO run Clamwin and have a ClamAV system SERVICE
> palinka wrote: ↑2022-01-23 01:30
> > RvdH wrote: ↑2022-01-23 01:11
> > FYI, another https mirror (for this method) for sanesecurity signatures if the Australian mirror gives you timeouts (it does quite frequently for me)
> > https://mirror.rollernet.us/sanesecurity/
> > http only:
> > http://rsync1.au.gentoo.org/sanesecurity/
>
> Sorry for OT, but is clamav 104 working with hmailserver?

Nope (at least the last time I checked, 0.104.1)
Re: HOW TO run Clamwin and have a ClamAV system SERVICE
> RvdH wrote: ↑2022-01-23 01:30
> > palinka wrote: ↑2022-01-23 01:30
> > > RvdH wrote: ↑2022-01-23 01:11
> > > FYI, another https mirror (for this method) for sanesecurity signatures if the Australian mirror gives you timeouts (it does quite frequently for me)
> > > https://mirror.rollernet.us/sanesecurity/
> > > http only:
> > > http://rsync1.au.gentoo.org/sanesecurity/
> >
> > Sorry for OT, but is clamav 104 working with hmailserver?
>
> Nope (at least the last time I checked, 0.104.1)

OK thanks.
- kimboslice
- Normal user
- Posts: 34
- Joined: 2022-02-05 16:38
Re: HOW TO run Clamwin and have a ClamAV system SERVICE
Followed this guide to a T... ran the test at emailsecuritytester.com and not a single virus is found, only Windows Defender catches it, after the fact.
So basically my setup of Clam is 100% useless, how could I have possibly screwed this up so poorly lol
What steps should I take to correct this?
Re: HOW TO run Clamwin and have a ClamAV system SERVICE
> kimboslice wrote: ↑2022-02-13 18:57
> Followed this guide to a T... ran the test at emailsecuritytester.com and not a single virus is found, only windows defender catches it, after the fact.
> so basically my setup of Clam is 100% useless, how could i have possibly screwed this up so poorly lol
> what steps should i take to correct this?

Undo whatever you did. Then read the entire thread twice. Then try again. And if you get hung up on something specific, post it here and we'll try to help.
Overly broad pleas for help are generally ignored because nobody here (to my knowledge, at least) is a mind reader nor plugged into the matrix and able to remotely connect their brains directly to your server.
But I didn't ignore you, buddy.

- kimboslice
Re: HOW TO run Clamwin and have a ClamAV system SERVICE
Well, what I did was follow this guide
and yes of course, I've read through the thread multiple times (all pages), I wouldn't bother to waste anyone's time had I not
hMail shows
"DEBUG" 4792 "2022-02-13 12:22:46.544" "Connecting to ClamAV virus scanner..."
"DEBUG" 4792 "2022-02-13 12:22:47.620" "Connecting to ClamAV stream port..."
"DEBUG" 4800 "2022-02-13 12:22:47.634" "No virus detected: stream: OK"
"DEBUG" 4800 "2022-02-13 12:22:47.644" "Applying rules"
but then Windows Defender has a heart attack, just drawing a complete blank on what to do to rectify this, short of using an entirely different scanner
Re: HOW TO run Clamwin and have a ClamAV system SERVICE
> kimboslice wrote: ↑2022-02-13 19:43
> Well, what i did was follow this guide
> and yes of course, I've read through the thread multiple times (all pages), I wouldn't bother to waste anyone's time had I not
> hMail shows
> "DEBUG" 4792 "2022-02-13 12:22:46.544" "Connecting to ClamAV virus scanner..."
> "DEBUG" 4792 "2022-02-13 12:22:47.620" "Connecting to ClamAV stream port..."
> "DEBUG" 4800 "2022-02-13 12:22:47.634" "No virus detected: stream: OK"
> "DEBUG" 4800 "2022-02-13 12:22:47.644" "Applying rules"
> but then windows defender has a heart attack, just drawing a complete blank on what to do to rectify this, short of using an entirely different scanner

It looks like you need to exclude hmailserver data dir from defender scanning. I also exclude hmailserver service, clamav and other stuff that could have defender interfering.
- kimboslice
Re: HOW TO run Clamwin and have a ClamAV system SERVICE
If I'm not mistaken, that was mentioned earlier in the thread (or perhaps it was another). I have already excluded the folders from Defender; the test works fine and Clam detects it, but in any real-world testing it doesn't work.
Re: HOW TO run Clamwin and have a ClamAV system SERVICE
You say "but then windows defender has a heart attack". So of course defender is interfering. You need to exclude more.
Here's what I exclude.
Folders:
* ClamAV program folder - also exclude virus definition folder if not located within ClamAV program folder
* a script folder for downloading sanesecurity virus definitions
* C:\Windows\Temp
* hmailserver data dir
Processes:
ClamD
hMailServer
Basically anything that could possibly touch a virus passing through email flow needs to be excluded.
Try turning off defender and test again.
ClamAV doesn't pick up the virus on your test because defender got to it first. I assume the test you're performing is using EICAR, which vanilla ClamAV will definitely pick up when presented (no special definitions required).
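The exclusion list from the post above, applied and verified with the Windows Defender PowerShell cmdlets, as an added example that is not part of the original thread. Every folder path is an assumption to be replaced with the real install locations; a process exclusion makes Defender skip files opened by that process, which is why it covers mail passing through `clamd.exe` and `hMailServer.exe`.

```powershell
#Requires -RunAsAdministrator
# Added example. All folder paths are assumptions; replace them with your own locations.
$folders = @(
    'C:\Program Files\ClamAV',                 # ClamAV program folder (assumed)
    'C:\ProgramData\ClamAV\db',                # definitions folder, if kept elsewhere (assumed)
    'C:\Scripts\sanesecurity',                 # sanesecurity download script folder (assumed)
    'C:\Windows\Temp',
    'C:\Program Files (x86)\hMailServer\Data'  # hMailServer data dir (assumed)
)
$processes = @('clamd.exe', 'hMailServer.exe')

# Add only what is missing, so the script can be re-run safely.
$before = Get-MpPreference
foreach ($f in $folders) {
    if (-not (Test-Path -LiteralPath $f)) { Write-Warning "Not found, skipped: $f"; continue }
    if ($before.ExclusionPath -notcontains $f) { Add-MpPreference -ExclusionPath $f }
}
foreach ($p in $processes) {
    if ($before.ExclusionProcess -notcontains $p) { Add-MpPreference -ExclusionProcess $p }
}

# Report what Defender now has configured for each entry.
$after  = Get-MpPreference
$report = @()
$report += $folders | ForEach-Object {
    [pscustomobject]@{ Type = 'Folder'; Value = $_; Excluded = ($after.ExclusionPath -contains $_) }
}
$report += $processes | ForEach-Object {
    [pscustomobject]@{ Type = 'Process'; Value = $_; Excluded = ($after.ExclusionProcess -contains $_) }
}
$report | Format-Table -AutoSize

# List what Defender intercepted in the last day. The file path (Resources) and the
# process that touched it show which part of the mail flow is still being scanned.
Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddDays(-1) } |
    Select-Object InitialDetectionTime, ProcessName, Resources |
    Format-List
```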
- kimboslice
Re: HOW TO run Clamwin and have a ClamAV system SERVICE
So when hMail sends off to clam, is clam just storing it in memory? I suppose my issue is that I need to exclude those processes
my confusion stems from the fact I can watch the log and see the infected email pass right through clam, but I suppose defender could be catching it before clam can, then waiting a minute (just so happens to be after delivery) before notifying a virus was found
I will exclude those processes and see how that goes I suppose
Thanks for the input!
edit: ya, correct, using an EICAR test... also, my db folder is within appdata\.clamwin\, this needs to be excluded as well?
I can just move it to within clam's folder, correct?
Re: HOW TO run Clamwin and have a ClamAV system SERVICE
> kimboslice wrote: ↑2022-02-14 22:23
> So when hMail sends off to clam, is clam just storing it in memory? I suppose my issue is that i need to exclude those processes
> my confusion stems from the fact i can watch the log and see the infected email pass right though clam, but i suppose defender could be catching it before clam can, then waiting a minute (just so happens to be after delivery) before notifying a virus was found
> I will exclude those processes and see how that goes i suppose
> Thanks for the input!
> edit; ya correct using an EICAR test... also, my db folder is within appdata\.clamwin\ this needs to excluded aswell?
> I can just move it to within clams folder correct?

Not sure if this is a ClamAV issue or a hMailServer issue... I have hMailServer check with ClamAV service directly AND (!) I also have SpamAssassin check with ClamAV.
That means ALL emails are checked TWICE. Same ClamAV instance called by both BUT SpamAssassin finds more ?!?!
I have no idea how that can be.
If I forward an email ONLY tagged by SpamAssassin as "Virus" via a relay back to the server, hMailServer will find it too.
Now, the funny part is that email is handed to SpamAssassin the second it is received (between OnSMTPData and OnAcceptMessage); hMailServer does not call ClamAV until just before email is delivered to account (between OnDeliveryStart and OnDeliverMessage).
Disclaimer: I don't really find a lot of viruses, perhaps 1-2 over a 6 month period, BUT I get a lot of the "Junk" and SPAM stuff that ClamAV also checks for. ClamAV and SpamAssassin are both running off-server on a Windows 2019 Essential Server. hMailServer is hosted on a Windows 2003 R2 Server.
SørenR.
“Knock, knock.”
“Who’s there?”
very long pause….
“Java.”
- kimboslice
Re: HOW TO run Clamwin and have a ClamAV system SERVICE
After doing a complete uninstall and reinstall (just to be sure), then adding hMailServer and ClamD to the exclusions seems to have resolved it.
But then removing ClamD and hMailServer from the exclusion results in... clam still picking it up and no interference from defender, unsure about that but whatever, getting consistent detections now.
For future people reading: initially I had only excluded hMail's \data and \temp folders, which resulted in my issues (test works but no real detections by clam); adding the processes "hMailServer" and "ClamD" is what resolved it for me.
Thanks for the help @palinka, much appreciated
Re: HOW TO run Clamwin and have a ClamAV system SERVICE
clamav-1.0.0
https://www.clamav.net/
Install as service
clamd --install-service
freshclam --install-service
Note: change the startup type to automatic; it is manual by default
Uninstall Service
clamd --uninstall-service
freshclam --uninstall-service
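The service install steps from the post above, with the startup type switched to automatic and a check that clamd actually answers, as an added example that is not part of the original thread. The install folder, the service names `clamd` and `freshclam`, and a `TCPSocket 3310` listener in clamd.conf are assumptions; confirm the names with `Get-Service *clam*`.

```powershell
#Requires -RunAsAdministrator
# Added example. $clamDir, the service names and port 3310 are assumptions.
$clamDir  = 'C:\Program Files\ClamAV'
$services = 'freshclam', 'clamd'   # freshclam first, since clamd needs a signature database to start

# Sends clamd's PING command and returns $true only if the reply is PONG.
function Test-ClamdPing {
    param([string]$HostName = '127.0.0.1', [int]$Port = 3310)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        $bytes = [Text.Encoding]::ASCII.GetBytes("PING`n")
        $stream.Write($bytes, 0, $bytes.Length)
        $buf = New-Object byte[] 16
        $n = $stream.Read($buf, 0, $buf.Length)
        return ([Text.Encoding]::ASCII.GetString($buf, 0, $n).Trim() -eq 'PONG')
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($name in $services) {
    # Install only if the service is not registered yet.
    if (-not (Get-Service -Name $name -ErrorAction SilentlyContinue)) {
        & (Join-Path $clamDir "$name.exe") --install-service
    }
    Set-Service -Name $name -StartupType Automatic   # manual by default after install
    Start-Service -Name $name
}

# clamd loads its signatures before it starts listening, so poll for up to two minutes.
$deadline = (Get-Date).AddMinutes(2)
while (-not (Test-ClamdPing) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 5 }
if (Test-ClamdPing) { 'clamd answered PING on port 3310' }
else { Write-Warning 'clamd did not answer on port 3310; check clamd.conf and the service log' }
```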