HOW TO run Clamwin and have a ClamAV system SERVICE

sanesecurity
New user
Posts: 16
Joined: 2011-11-02 17:20

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by sanesecurity » 2016-05-26 12:05

Nime wrote: I set scheduled updates hourly. However official sigupdate.bat couldn't help. I googled for latest signatures and found one site where the signatures are publicly hosted, tons of signatures: http://ftp.swin.edu.au/sanesecurity/

Firstly I'm aware of http://ftp.swin.edu.au/sanesecurity/ but it's an unofficial mirror probably for their
local use only but it's been left "open" to the net.

The mirror is also 4 hours out of date compared to the current set of signatures...

ie:

Current Official Mirrors:
Signature files generated: 26/05/2016-10:56:22.15

Unofficial http://ftp.swin.edu.au/sanesecurity/
Signature files generated: 26/05/2016- 6:58:06.39

*4 hours behind* :(

What I'm really curious about is why sigupdate.bat didn't help but the ones from the ftp mirror did.

Did you use the same signature names?
Did sigupdate.bat actually stop anything? If it didn't, maybe it wasn't set up correctly?

There could be a bug somewhere in sigupdate with the update process but I'd need to look at logs.

Bit of an odd one...

Cheers,

Steve
Sanesecurity.com

Nime
Normal user
Posts: 169
Joined: 2009-03-12 11:50

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by Nime » 2016-05-26 15:57

Hi Steve, it was a big surprise to see you here : )

I didn't test the official sigupdate.bat too much, just scheduled hourly and the next day I found js viruses again, then I panicked.

If donation will help; I would like to get a private mirror. I'm just evaluating the ClamAv + Foxhole signatures.

I'll update you later when I'll be ok.

jimimaseye
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2016-05-26 16:16

Nime wrote: If donation will help; I would like to get a private mirror. I'm just evaluating the ClamAv + Foxhole signatures.
Good idea, it's worth the money.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Nime
Normal user
Posts: 169
Joined: 2009-03-12 11:50

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by Nime » 2016-05-26 16:19

I'm not sure, I fired the batch manually and then scheduled, etc... I need time to understand whether it works or not. I'll give it another try.

dcol
New user
Posts: 2
Joined: 2016-05-30 18:59

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by dcol » 2016-05-30 19:04

Clamwin 0.99.2 is not available yet. I have to use 0.99.1. Where can I obtain netfarm version 0.99.1 or Clamwin 0.99.2?

jimimaseye
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2016-05-30 19:08


dcol
New user
Posts: 2
Joined: 2016-05-30 18:59

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by dcol » 2016-06-06 21:11

Thanks but that download is only the clamd.exe and not the conf file. Also, I am looking for the x64 version.

jimimaseye
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2016-06-06 21:15

The CONF file is the same as the OSS.netfarm (get it from there, as per the instructions). And clamwin is 32 bit.

Thems your choices.

sew
New user
Posts: 7
Joined: 2016-03-18 11:26

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by sew » 2016-06-28 16:22

I am trying to install version 0.99.1 on Windows Server 2012 but, when running clamd.exe --install, I get a 'The application was unable to start correctly (0xc000007b). Click OK to close the application.' error.

Has anyone come across this?

jimimaseye
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2016-06-28 16:26


sew
New user
Posts: 7
Joined: 2016-03-18 11:26

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by sew » 2016-06-28 17:20

Thanks - thought I had same versions but downloaded your clamd.exe version instead and now works.....

jimimaseye
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2016-06-28 17:26

:) Yep, that would do it.

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by SorenR » 2017-05-15 17:13

Yara ruleset... Does it work with Clamd 0.99.2 ??

Code:

rule Wanna_Cry_Ransomware_Generic {
    meta:
        description = "Detects WannaCry Ransomware on Disk and in Virtual Page"
        author = "US-CERT Code Analysis Team"
        reference = "not set"
        date = "2017/05/12"
        hash0 = "4DA1F312A214C07143ABEEAFB695D904"
    strings:
        $s0 = {410044004D0049004E0024}
        $s1 = "WannaDecryptor"
        $s2 = "WANNACRY"
        $s3 = "Microsoft Enhanced RSA and AES Cryptographic"
        $s4 = "PKS"
        $s5 = "StartTask"
        $s6 = "wcry@123"
        $s7 = {2F6600002F72}
        $s8 = "unzip 0.15 Copyrigh"
        $s9 = "Global\\WINDOWS_TASKOSHT_MUTEX"
        $s10 = "Global\\WINDOWS_TASKCST_MUTEX"
        $s11 = {7461736B736368652E657865000000005461736B5374617274000000742E776E7279000069636163}
        $s12 = {6C73202E202F6772616E742045766572796F6E653A46202F54202F43202F5100617474726962202B68}
        $s13 = "WNcry@2ol7"
        $s14 = "wcry@123"
        $s15 = "Global\\MsWinZonesCacheCounterMutexA"
    condition:
        $s0 and $s1 and $s2 and $s3 or $s4 and $s5 and $s6 and $s7 or $s8 and $s9 and $s10 or $s11 and $s12 or $s13 or $s14 or $s15
}

/*The following Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.*/

rule MS17_010_WanaCry_worm {
    meta:
        description = "Worm exploiting MS17-010 and dropping WannaCry Ransomware"
        author = "Felipe Molina (@felmoltor)"
        reference = "https://www.exploit-db.com/exploits/41987/"
        date = "2017/05/12"
    strings:
        $ms17010_str1 = "PC NETWORK PROGRAM 1.0"
        $ms17010_str2 = "LANMAN1.0"
        $ms17010_str3 = "Windows for Workgroups 3.1a"
        $ms17010_str4 = "__TREEID__PLACEHOLDER__"
        $ms17010_str5 = "__USERID__PLACEHOLDER__"
        $wannacry_payload_substr1 = "h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j"
        $wannacry_payload_substr2 = "h54WfF9cGigWFEx92bzmOd0UOaZlM"
        $wannacry_payload_substr3 = "tpGFEoLOU6+5I78Toh/nHs/RAP"
    condition:
        all of them
}
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

jimimaseye
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2017-05-15 17:49

SorenR wrote: Yara ruleset... Does it work with Clamd 0.99.2 ??
Well, Yara rules apparently do work on 0.99.2, yes - the ability/functionality was introduced in 0.99.2. (Note that currently the latest Clamwin is on 0.99.1).

If you are asking whether *this* specific yara rule you quoted works with 0.99.2 then I don't know.

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by SorenR » 2017-05-15 17:57

jimimaseye wrote:
SorenR wrote: Yara ruleset... Does it work with Clamd 0.99.2 ??
Well, Yara rules apparently do work on 0.99.2, yes - the ability/functionality was introduced in 0.99.2. (Note that currently the latest Clamwin is on 0.99.1).

If you are asking whether *this* specific yara rule you quoted works with 0.99.2 then I don't know.
I'm using ClamAV 0.99.2 directly from the horse's mouth :mrgreen:

captainproton
New user
Posts: 1
Joined: 2017-06-24 03:23

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by captainproton » 2017-06-24 04:29

I know this thread is old but I wanted to add my 10 cents worth.

I've had problems getting Clamd and Clamwin to work as services or as anything else. My solution was to write a Windows service that loads clamd and calls freshclam on a regular basis.

It works on windows 10 and windows server 2012.

I also wrote a windows app that runs in a window just to make me feel good, but I settled on running as a background service. I configured hmailserver to use clamd and not clamwin - I don't have clamwin installed at all.

If anyone wanted to try it, you can download it from http://craigedgar.com/clamwind.html

It's simple and it works well for me. If it works for you then that's good, if not - oh well :)

gianniskapouekei
Normal user
Posts: 66
Joined: 2017-09-29 13:09

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by gianniskapouekei » 2017-10-04 00:10

Hi... I can't find this service... (Go to windows SERVICES ('services.msc') and search for the service, right click and Properties of the service, and change it to

Startup Type = AUTOMATIC.) How can I find it? Thanks!

jimimaseye
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2017-10-04 00:13

gianniskapouekei wrote: Hi... I can't find this service... (Go to windows SERVICES ('services.msc') and search for the service, right click and Properties of the service, and change it to

Startup Type = AUTOMATIC.) How can I find it? Thanks!
If you follow the instructions in the first post correctly you will find everything in order.

jacko
Normal user
Posts: 35
Joined: 2017-10-25 22:24

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jacko » 2017-10-26 22:24

I followed your tuto and got your clamd 099.1 file, on my lame little virtual server the difference of speed is amazing !! I also added sanesecurity. thanks a lot.

tester02
Normal user
Posts: 33
Joined: 2016-04-09 23:28

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by tester02 » 2018-01-26 23:51

To whom it may concern: a few CVEs within clamav were patched, as a malicious pdf can create an attack vector into your system.
source: http://blog.clamav.net/2018/01/clamav-0 ... eased.html

I guess I need to wait until the new version is posted there -> http://oss.netfarm.it/clamav/
He did update his github https://github.com/clamwin/clamav-win32/tree/0.99.3

Until then have a close look at *.pdf or better not :wink:

jimimaseye
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2018-01-27 00:29

I am aware of the issue and have been watching myself. But you are right in your assumption that as users we are at the mercy of Sherpya et al creating an updated version of clamwin (hopefully to 0.99.3).

adrianmihai83
New user
Posts: 26
Joined: 2018-01-26 17:19

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by adrianmihai83 » 2018-01-30 20:11

Is there something I'm missing? This is what I get when pressing test:
Screen Shot 2018-01-30 at 18.28.26.png
clamd service is running, it is allowed through firewall and clamd.conf is:

Code:

TCPAddr 127.0.0.1
TCPSocket 3310
MaxThreads 2
LogFile C:\Program Files (x86)\ClamWin\bin\clamd.log
DatabaseDirectory C:\ProgramData\.clamwin\db
StreamMaxLength 20M

jimimaseye
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2018-01-30 20:35

I don't know. Except many have followed my guide successfully. I'm afraid i cannot offer any more advice except start again line by line.

How do you know the clamd service is running? Is the software on the same machine? (Turn off Windows firewall completely whilst testing? )

adrianmihai83
New user
Posts: 26
Joined: 2018-01-26 17:19

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by adrianmihai83 » 2018-01-30 20:57

I will go again line by line...

Clamd service is running, I see it in task manager and in services.msc that it is started. Just now did turn off firewall completely and restarted, but when pressing test I get the same error. I was using clamWin 0.9.1 to scan emails and the only difference is that I copied clamd.exe in the same folder, created clamd.conf, installed service and put it on Auto in services and checked that tickbox there.

When I click on test I get that error but at the same time I get the popup from Microsoft Security Essentials, it's visible in the screenshot, every time I press the test button...

Will redo every step tomorrow...

edit:
port seems to be open:

C:\Users\Administrator>netstat -an | find "3310"
TCP 0.0.0.0:3310 0.0.0.0:0 LISTENING
TCP [::]:3310 [::]:0 LISTENING
TCP [::1]:49214 [::1]:3310 TIME_WAIT
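
The clamd.conf posted earlier asks for TCPAddr 127.0.0.1, while the netstat output above shows port 3310 listening on 0.0.0.0 and [::]. clamd's TCP socket accepts commands without authentication, so a mismatch like this is worth catching. The following is an added example, not code from the thread; it uses the two posts' own text as input, and the function names are illustrative:

```python
import ipaddress

# Inputs copied from the two posts (clamd.conf and `netstat -an | find "3310"`).
CLAMD_CONF = r"""
TCPAddr 127.0.0.1
TCPSocket 3310
MaxThreads 2
LogFile C:\Program Files (x86)\ClamWin\bin\clamd.log
DatabaseDirectory C:\ProgramData\.clamwin\db
StreamMaxLength 20M
"""

NETSTAT = """
TCP 0.0.0.0:3310 0.0.0.0:0 LISTENING
TCP [::]:3310 [::]:0 LISTENING
TCP [::1]:49214 [::1]:3310 TIME_WAIT
"""


def parse_conf(text):
    """Return clamd.conf directives as {name: [values]}; a directive may repeat."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        conf.setdefault(name, []).append(value.strip())
    return conf


def listeners(netstat_text, port):
    """Local addresses that are in LISTENING state on the given TCP port."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[-1] != "LISTENING":
            continue
        host, _, local_port = fields[1].rpartition(":")
        if local_port == str(port):
            # Drop IPv6 brackets and any %zone suffix before parsing.
            found.append(ipaddress.ip_address(host.strip("[]").split("%")[0]))
    return found


def exposure_report(conf_text, netstat_text):
    """Compare the addresses clamd.conf asks for with what is really listening."""
    conf = parse_conf(conf_text)
    port = int(conf["TCPSocket"][0])  # assumes the TCP socket is configured
    wanted = {ipaddress.ip_address(a) for a in conf.get("TCPAddr", [])}
    actual = listeners(netstat_text, port)
    return {
        "port": port,
        "configured": sorted(str(a) for a in wanted),
        "unexpected": [str(a) for a in actual if a not in wanted],
        "exposed": any(not a.is_loopback for a in actual),
    }


if __name__ == "__main__":
    print(exposure_report(CLAMD_CONF, NETSTAT))
```

An "unexpected" listener means the running service is not bound the way the inspected clamd.conf says, so the file the service actually loads and the host firewall rule for port 3310 are the next things to check.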

jimimaseye
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2018-01-30 21:37

Completely disable ms security essentials and try again.

adrianmihai83
New user
Posts: 26
Joined: 2018-01-26 17:19

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by adrianmihai83 » 2018-01-30 21:41

you are a hero!!!

it worked... will see next how to take on this

edit: seems that excluding clamd.exe process from Security Essentials does not work

jimimaseye
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2018-01-30 21:52

You need to stop MS Essentials altogether if possible or at least exclude the hms DATA directory. The problem is that MSE may also be monitoring protocol traffic (such as SMTP traffic) and not just folders (so you may need to disable it). Does it have an 'Email Monitor'/SMTP function?

In essence, it is always a bad idea to have 2x AV solutions running against each other....and you have perfectly demonstrated why.

adrianmihai83
New user
Posts: 26
Joined: 2018-01-26 17:19

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by adrianmihai83 » 2018-01-30 21:57

True, clamav + sanesecurity >>> microsoft essentials

I'm not a big fan of Microsoft but I learn as things evolve, thank you again

edit: I've told you that I read line by line :) but this, i think, it has to go into the tutorial

edit2: no, there is no email monitor in Essentials

Mbecker
New user
Posts: 27
Joined: 2009-04-07 12:57

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by Mbecker » 2018-02-08 10:21

Version 0.99.3 from ClamAV is in the meanwhile for Windows also downloadable from the Official ClamAV Website

https://www.clamav.net/downloads#otherversions

jimimaseye
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2018-02-08 11:29

Mbecker wrote:Version 0.99.3 from ClamAV is in the meanwhile for Windows also downloadable from the Official ClamAV Website

https://www.clamav.net/downloads#otherversions
Yes it is and it is there for people to choose. This thread is about something else and the ClamAV windows version is of no use to it.

sprint
Normal user
Posts: 31
Joined: 2018-01-31 01:36

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by sprint » 2018-02-20 00:23

Just compiled 0.99.3 from his github sources (mingw build). I haven't yet tested heavily so use with caution. I think you should be able to directly replace the clamwin binaries with these, but I don't use clamwin so I haven't tried.
http://s000.tinyupload.com/index.php?fi ... 1983710671

If anyone wants to build it themselves, use the MinGW build environment linked on http://oss.netfarm.it/clamav/
http://sourceforge.net/projects/mplayer ... z/download
Then download the source with

Code:

git clone --recurse-submodules --branch 0.99.3 -j8 https://github.com/clamwin/clamav-win32.git
Move the clamav-win32 folder into the mingw folder, then open the mingw environment, cd to clamav-win32/mingw and run

Code:

make all
make llvm

jimimaseye
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2018-02-20 00:38

sprint wrote:Just compiled 0.99.3 from his github sources (mingw build). I haven't yet tested heavily so use with caution. I think you should be able to directly replace the clamwin binaries with these, but I don't use clamwin so I haven't tried.
http://s000.tinyupload.com/index.php?fi ... 1983710671
Doubt it. My experience is that you have merely compiled the equivalent of ClamAV Win32 which is provided by him and downloadable from the Clamav official website. Furthermore they do not replace clamwin executables as this doesn't have the same interface as clamwin. Nor will the Clamd.exe work with clamwin 0.99.1.

I'm afraid we need to wait for the official clamwin 0.99.3 release before they will integrate nicely.

However of course no one is forcing anyone to use clamwin - You can go ahead and continue to use the version you have compiled quite successfully within windows. It just won't be clamwin and its interface.

If I'm wrong and it does work then please do let me know.

sprint
Normal user
Posts: 31
Joined: 2018-01-31 01:36

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by sprint » 2018-02-20 07:16

It is from the same port that Clamwin uses. Why do you assume it won't work?

jimimaseye
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2018-02-20 09:45

1, I've tried similar in the past (but maybe I didn't do things quite right or try hard enough.)

2, If he has already done the port 'as found in Clamwin', and therefore the hard work is done, why didn't he then just recompile/reoffer a new updated version of clamwin on the clamwin website given that hard work has already been done?

I for one would love to see Clamwin updated to the latest version (it's on 0.99.1 and there is a new Beta Version 0.100.0 that I expect to make production release very soon making it at least 3 releases behind). Meantime, if you find that a direct copy/replacement of the executables released from this site in to the Clamwin program directory (after an initial install of Clamwin) sufficiently upgrades the import bits and gives it 0.99.3 functionality then I will be happy with that in the short term.

Please try it and let us know.

sprint
Normal user
Posts: 31
Joined: 2018-01-31 01:36

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by sprint » 2018-02-21 05:38

jimimaseye wrote: 1, I've tried similar in the past (but maybe I didn't do things quite right or try hard enough.)
I'm pretty sure I've done similar in the past, but I can't remember the details.
jimimaseye wrote: 2, If he has already done the port 'as found in Clamwin', and therefore the hard work is done, why didn't he then just recompile/reoffer a new updated version of clamwin on the clamwin website given that hard work has already been done?
I can think of a few possible reasons. Regardless, I can confirm that the build I did does contain the additional patches found in the clamwin version.
jimimaseye wrote: I for one would love to see Clamwin updated to the latest version (it's on 0.99.1 and there is a new Beta Version 0.100.0 that I expect to make production release very soon making it at least 3 releases behind). Meantime, if you find that a direct copy/replacement of the executables released from this site in to the Clamwin program directory (after an initial install of Clamwin) sufficiently upgrades the import bits and gives it 0.99.3 functionality then I will be happy with that in the short term.

Please try it and let us know.
As I said, I am not using Clamwin, but I prefer that port of ClamAV for a number of reasons. Since I had compiled it anyway, I thought I would share it here. It would be good if someone who uses Clamwin could test, otherwise it will have to wait a bit for me to test as it's not a priority for me.

sprint
Normal user
Posts: 31
Joined: 2018-01-31 01:36

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by sprint » 2018-03-09 14:28

Well I found some time to check this and yes my build of 0.99.3 is working with ClamWin 0.99.1

I have done a fresh compile of 0.99.4 http://s000.tinyupload.com/?file_id=360 ... 3847535689

and also integrated it into the ClamWin install (including service installation) http://s000.tinyupload.com/?file_id=005 ... 3825521957

jimimaseye
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2018-03-09 14:51

Thanks for testing.

So to confirm and for clarity: In line with this how to, are you saying that someone can download from your "ClamWin install (including service installation)" link above and when running it will install Clamwin from scratch (as standard) but with 0.99.4 engine and Clamd service builtin? and does that run 0.99.4 functionality for both the service (clamd) and the on-demand 'freshclam' clamscan (that standard clamwin calls)?

sprint
Normal user
Posts: 31
Joined: 2018-01-31 01:36

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by sprint » 2018-03-09 15:00

Yes, that is correct. Everything is using the 0.99.4 engine. ClamWin confirms this in the scan results and the About dialog.

palinka
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by palinka » 2018-04-07 13:22

Hello. I followed the instructions here and I think I got everything working. I set up sane security update and edited sigupdate.bat for the paths required. Now I have a couple of questions.

* Is it necessary to open port 873 to get rsync to work?

* Is it necessary to stop/start clamd service every time the database updates? "reload clamd databases" in the sigupdate.bat results in this error:

Code:

Reloading ClamD....
'reload' is not recognized as an internal or external command,
operable program or batch file.
However, the stop/start service commands appear to work fine - they just take a while (~15 seconds). If that's every hour (as recommended), there is a good chance that emails won't be scanned? Actually I'm not sure what would happen. Would hmailserver stop processing the message?

Thanks!

palinka
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by palinka » 2018-04-07 14:32

jimimaseye wrote:
2016-03-19 01:13
sew wrote:Seems though that it doesn't scan certain files such as compressed files eg .zip. Did a test via http://www.emailsecuritycheck.net/ and 6/7 got through. Do my results reflect other users? I have set ScanArchive yes in clamd.conf
I'm not sure what you are expecting to see.

GTUBE test:
was identified correctly by Spamassassin (email 3) - has nothing to do with Antivirus

ZIP file with eicar inside: was identified correctly (email 2)

(Only 1 Zip file is sent.)

There is only the one that is the responsibility of Antivirus (Clam) and it has performed correctly.

The rest is about the ability of Hmailserver ATTACHMENT BLOCKER (which we know has some flaws):

2x 'attached.bat' : was identified and stripped correctly. (email 1 and 4)

the others (with various random symbols to disguise it): failed complete strip and replacement - a fault of Hmailserver (emails 5, 6 and 7).

Rest assured that the Zips ARE being scanned inside by default especially if you have sane security 'foxhole' databases included.

I'm having trouble understanding this. in my case, #3 was deleted (spam), #2 was correctly identified and attachment blocked with message sent per virus found settings. However, all the others made it through with the attachments included. All of the attachments contain eicar. Is clamd not able to scan them because of the funky file extensions?

By the way, windows defender did the same (when i had it as external virus scanner).

palinka
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by palinka » 2018-04-08 16:55

palinka wrote:
2018-04-07 13:22
* Is it necessary to open port 873 to get rsync to work?

* Is it necessary to stop/start clamd service every time the database updates?
Well I figured both of these out. Answer: no and no. I thought it wasn't working because of the firewall, but actually it was just a setup error; and clamd checks every 10 minutes for new signature databases and force reloads if it finds new databases.

jimimaseye
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2018-04-08 19:06

jimimaseye wrote:
2014-08-01 14:30
(The definition database update that gets performed by Clamwin scheduler (in Preferences) will get loaded and included into the Clamd service within 10 minutes due to the service automatically checking the database for changes every 600 seconds and reloading it if changes are found).

palinka
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by palinka » 2018-04-09 01:02

jimimaseye wrote:
2018-04-08 19:06
jimimaseye wrote:
2014-08-01 14:30
(The definition database update that gets performed by Clamwin scheduler (in Preferences) will get loaded and included into the Clamd service within 10 minutes due to the service automatically checking the database for changes every 600 seconds and reloading it if changes are found).
Yes, I saw that after. I swear I read the entire thread, but lots of stuff goes in one ear and out the other until I had a chance to put it to practice. :-)

Any ideas about the other thing? Should clamd be scanning within files with malformed file extensions?

mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by mattg » 2018-04-09 02:50

palinka wrote:
2018-04-09 01:02
Any ideas about the other thing? Should clamd be scanning within files with malformed file extensions?
I don't know that Clam could scan those, I think that clam would need to be able to open an attachment to check it.

My ClamAV (On Ubuntu) has a configuration variable 'DetectBrokenExecutables' which is set to false on my system. Would this type of thing achieve what you need? Check your clam config file for likely options
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by palinka » 2018-04-09 03:06

Clamd config is blank except for those items listed in the instructions in this thread. But I did find a full set of config options:

https://www.systutorials.com/docs/linux ... lamd.conf/
DetectBrokenExecutables BOOL
With this option clamd will try to detect broken executables (both PE and ELF) and mark them as Broken.Executable.
Default: no
What happens when something is "marked"?

sprint
Normal user
Posts: 31
Joined: 2018-01-31 01:36

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by sprint » 2018-04-09 05:13

palinka wrote:
2018-04-07 13:22
* Is it necessary to stop/start clamd service every time the database updates? "reload clamd databases" in the sigupdate.bat results in this error:

Code:

Reloading ClamD....
'reload' is not recognized as an internal or external command,
operable program or batch file.
However, the stop/start service commands appear to work fine - they just take a while (~15 seconds). If that's every hour (as recommended), there is a good chance that emails won't be scanned? Actually I'm not sure what would happen. Would hmailserver stop processing the message?
From memory, hMailServer will log an error and pass the message through as clean if the service is being restarted. Instead you can use the command clamdscan.exe --reload to tell ClamD to reload its databases immediately. ClamD will then queue up any incoming requests and process them once reloaded. Or you can just wait for ClamD to detect the changes and reload itself.
palinka wrote:
2018-04-09 01:02
I'm having trouble understanding this. in my case, #3 was deleted (spam), #2 was correctly identified and attachment blocked with message sent per virus found settings. However, all the others made it through with the attachments included. All of the attachments contain eicar. Is clamd not able to scan them because of the funky file extensions?
In my case attachments #5-7 came through, but none of them had the .bat extension and thus are fairly innocuous. ClamD should be scanning all files regardless of extension (unless hMailServer blocks them first), but in this case the files did not have any malicious content, nor a dangerous extension so there was really nothing for ClamD to pick up.
Of course that test site is trying to sell you their service so it is in their interests to make benign failures seem like a problem.
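sprint's point above, that a stop/start leaves a window in which mail passes unscanned while a reload does not, can be checked from a script. This is an added example, not code from the thread or from ClamAV: it sends clamd's RELOAD command over its TCP socket and then polls PING until the daemon answers PONG, so an update job can fail loudly if the scanner did not come back. The host, port 3310 (this assumes TCPSocket is enabled on that port in clamd.conf) and the function names are assumptions.

```python
import socket
import time

def clamd_command(command, host="127.0.0.1", port=3310, timeout=5.0):
    """Send one clamd command ('z' prefix = NUL-terminated) and return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"z" + command.encode("ascii") + b"\0")
        reply = b""
        while not reply.endswith(b"\0"):
            chunk = sock.recv(4096)
            if not chunk:          # daemon closed the connection
                break
            reply += chunk
    return reply.rstrip(b"\0").decode("ascii", "replace").strip()

def reload_and_wait(host="127.0.0.1", port=3310, attempts=30, delay=1.0):
    """Ask clamd to reload its databases, then poll PING until it answers PONG.

    Returns True once the daemon is answering again, False otherwise."""
    try:
        if clamd_command("RELOAD", host, port) != "RELOADING":
            return False
    except OSError:
        return False               # not reachable: mail would pass unscanned
    for _ in range(attempts):
        try:
            if clamd_command("PING", host, port) == "PONG":
                return True
        except OSError:
            pass                   # still busy or restarting, try again
        time.sleep(delay)
    return False

if __name__ == "__main__":
    ok = reload_and_wait()
    print("clamd reloaded and answering" if ok else "clamd NOT answering")
    raise SystemExit(0 if ok else 1)
```

A non-zero exit code from this script is the signal to alert, since per the post above hMailServer passes messages as clean while the scanner is unavailable.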

User avatar
mattg
Moderator
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by mattg » 2018-04-09 06:58

sprint wrote:
2018-04-09 05:13
palinka wrote:
2018-04-09 01:02
I'm having trouble understanding this. In my case, #3 was deleted (spam), #2 was correctly identified and attachment blocked with message sent per virus found settings. However, all the others made it through with the attachments included. All of the attachments contain eicar. Is clamd not able to scan them because of the funky file extensions?
In my case attachments #5-7 came through, but none of them had the .bat extension and thus are fairly innocuous. ClamD should be scanning all files regardless of extension (unless hMailServer blocks them first)
Yes you are correct. I got it wrong earlier.
hMailserver saves all attachments as {ID}.tmp, and then passes that to the AV for scanning
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by palinka » 2018-04-09 12:31

Thanks guys. Looks like I don't have much to worry about (in this department at least).

sprint
Normal user
Normal user
Posts: 31
Joined: 2018-01-31 01:36

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by sprint » 2018-04-11 11:04

Latest ClamWin/ClamAV updates:

***Removed ***

***Removed ***

***Removed ***

The version number 0.100.0 breaks ClamWin's update check so it will ask you to 'update' to 0.94.0 unless you turn off 'Notify About New ClamWin Releases'
Last edited by mattg on 2018-05-03 22:55, edited 1 time in total.
Reason: upload removed

scottys
New user
New user
Posts: 7
Joined: 2018-01-29 16:47

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by scottys » 2018-05-03 16:43

sprint wrote:
2018-04-11 11:04
Latest ClamWin/ClamAV updates:

***Removed ***

***Removed ***

***Removed ***

The version number 0.100.0 breaks ClamWin's update check so it will ask you to 'update' to 0.94.0 unless you turn off 'Notify About New ClamWin Releases'
your builds contain a backdoor Backdoor.Win32.Agent!O

I need to get my service running correctly again since I updated, but you are sending out malware and passing it off as good. I would be wary for anyone who has downloaded and installed his builds. They all contain the backdoor
Last edited by mattg on 2018-05-03 22:56, edited 1 time in total.
Reason: downloads removed

User avatar
jimimaseye
Moderator
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2018-05-11 20:09

UPGRADED TO 0.99.4

I have just upgraded my Clamwin from the official Clamwin website, as per the instructions in this thread (1st post), from 0.99.1 to 0.99.4. Trouble free - it took 5 minutes. Follow the "UPGRADE" instructions at the foot of the 1st post.

Note: the Clamd.exe for version 0.99.4 is here (as required in the "Procedure stage (2)" of the instructions):

clamd_099_4.zip
Clamd.exe for 0.99.4

(I have been in touch with author of oss.Netfarm who will make efforts to get Clamwin updated to the latest current offering of 0.100.0 so that it matches his current Clamd v0.100.0)
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

sprint
Normal user
Normal user
Posts: 31
Joined: 2018-01-31 01:36

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by sprint » 2018-05-28 02:13

scottys wrote:
2018-05-03 16:43
your builds contain a backdoor Backdoor.Win32.Agent!O

I need to get my service running correctly again since I updated, but you are sending out malware and passing it off as good. I would be wary for anyone who has downloaded and installed his builds. They all contain the backdoor
Um, what? No it doesn't. Do you have any evidence? Anyway the builds at http://oss.netfarm.it/clamav/ have now been updated so just use those.
jimimaseye wrote:
2018-05-11 20:09
UPGRADED TO 0.99.4

I have just upgraded my Clamwin from the official Clamwin website, as per the instructions in this thread (1st post), from 0.99.1 to 0.99.4. Trouble free - it took 5 minutes. Follow the "UPGRADE" instructions at the foot of the 1st post.

Note: the Clamd.exe for version 0.99.4 is here (as required in the "Procedure stage (2)" of the instructions):

clamd_099_4.zip

(I have been in touch with author of oss.Netfarm who will make efforts to get Clamwin updated to the latest current offering of 0.100.0 so that it matches his current Clamd v0.100.0)
Why not use ClamAV 0.100.0? It will work fine with ClamWin 0.99.4. There have been some fixes with PDF parsing which IMO is pretty important for a mailserver.

tunis
Senior user
Senior user
Posts: 351
Joined: 2015-01-05 20:22
Location: Sweden

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by tunis » 2018-05-28 10:52

sprint wrote:
2018-05-28 02:13
Why not use ClamAV 0.100.0? It will work fine with ClamWin 0.99.4. There have been some fixes with PDF parsing which IMO is pretty important for a mailserver.
It does not work for me.
If I copy only clamd.exe, I get an error that libclamav.dll is the wrong version.
If I copy over all files, clamd --install works but the service cannot start.
HMS 5.6.8 B2534.28 on Windows Server 2019 Core VM.
HMS 5.6.9 B2641.67 on Windows Server 2016 Core VM.

User avatar
jimimaseye
Moderator
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2018-05-28 11:11

sprint wrote:
2018-05-28 02:13
Why not use ClamAV 0.100.0? It will work fine with ClamWin 0.99.4
Because
  • It doesn't fit with the initial thread instructions (ensuring they match) and
  • To make an exception will cause confusion and
  • Such exception cannot be guaranteed to work for other upgrades (I have proven that mismatches have failed in the past)
  • And I would prefer to know that the features and
  • to be sure that functions publicised apply without risking whether clamd service relies on certain matching elements in the install.
So best to keep things together and official.

[Entered by mobile. Excuse my spelling.]

palinka
Senior user
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by palinka » 2018-08-18 20:20

Code:

"DEBUG"	5748	"2018-08-18 00:34:17.463"	"Virus detected: Sanesecurity.Junk.20758.UNOFFICIAL"
"APPLICATION"	5748	"2018-08-18 00:34:17.478"	"SMTPDeliverer - Message 272051: Message deleted (contained virus Sanesecurity.Junk.20758.UNOFFICIAL)."
"DEBUG"	5748	"2018-08-18 00:34:17.478"	"Deleting message"
Hourly sane update doing its job and working overtime lately. I've been getting pounded with virus-laden bot spam for the past few days and the pace is continuing to pick up. I'm up to about 20/hour, which may not seem like a lot, but it's about 30 times more than I ever received before. I had to disable auto virus notification because I was getting so many notices. Just wanted to let you know that sane security is EFFECTIVE.

User avatar
jimimaseye
Moderator
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2018-08-18 20:49

Yep, it's good, ain't it.

I have had some zero hour threats that came in this week that were just too zero hour even for Sane to catch (UK HMRC Tax Refund claims). Unfortunately the girls in the office aren't switched on enough and simply can't recognise the signs of when these things are dodgy (ie, they fail to click that the same identical email comes to 3 different email addresses at the same time, in the same office, all of which they have visibility to and handle AND that none of them have anything to do with the HMRC or accounts! Sometimes you can ONLY rely on technology.)

palinka
Senior user
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by palinka » 2018-08-18 21:25

I probably wouldn't be aware unless a false positive came to my account. Nobody tells me anything and they don't care a whit about mail administration! :P

As it happens, it's my main personal account that is the subject of these spammy viruses, so I know for sure that they are ALL being dealt with swiftly, efficiently and with extreme prejudice. But yeah, the pace is really picking up. I dumped the contents of clamd.log into excel and sorted the hits, then counted the average time. Yesterday: 44 viruses averaging 28 min 45 sec apart. Today so far (midnight to 2:30 pm): 82 viruses averaging 10 min 18 sec apart. Some kind of spam worm seems to be spreading. Of those 126 virus-laden messages, there were 15 different viruses attached.
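The spreadsheet tally described in the post above can be scripted. This is an added example, not code from the thread: it reads hMailServer log lines in the tab-separated layout quoted earlier on this page (clamd.log's own layout is not shown in the thread), counts only the "Virus detected:" entries so the matching "Message deleted" line is not counted twice, and reports hits and mean gap per day plus hits per signature. The sample log, the second signature name and the function names are constructed for the example.

```python
import csv
import io
from collections import Counter
from datetime import datetime

PREFIX = "Virus detected: "

def _line(kind, stamp, message):
    # hMailServer log layout as quoted earlier in the thread: tab-separated, quoted fields
    return '"%s"\t5748\t"%s"\t"%s"' % (kind, stamp, message)

# Constructed sample. SANE is the name from the thread; FAKE is made up for the example.
SANE, FAKE = "Sanesecurity.Junk.20758.UNOFFICIAL", "Example.Constructed.Signature"
SAMPLE_LOG = "\n".join([
    _line("DEBUG", "2018-08-17 10:00:00.000", PREFIX + FAKE),
    _line("APPLICATION", "2018-08-17 10:00:00.015",
          "SMTPDeliverer - Message 1: Message deleted (contained virus %s)." % FAKE),
    _line("DEBUG", "2018-08-17 10:30:00.000", PREFIX + SANE),
    _line("DEBUG", "2018-08-18 00:34:17.463", PREFIX + SANE),
    _line("DEBUG", "2018-08-18 00:34:17.478", "Deleting message"),
    _line("DEBUG", "2018-08-18 00:44:17.463", PREFIX + FAKE),
    _line("DEBUG", "2018-08-18 01:04:17.463", PREFIX + SANE),
    _line("DEBUG", "not-a-timestamp", PREFIX + FAKE),  # damaged line, skipped
])

def detection_stats(log_text):
    """Return ({day: {hits, mean_gap_s}}, Counter of hits per signature)."""
    per_day, signatures = {}, Counter()
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        # Count only the scanner verdict; the "Message deleted" line repeats it.
        if len(row) < 4 or not row[3].startswith(PREFIX):
            continue
        try:
            stamp = datetime.strptime(row[2], "%Y-%m-%d %H:%M:%S.%f")
        except ValueError:
            continue
        per_day.setdefault(stamp.date().isoformat(), []).append(stamp)
        signatures[row[3][len(PREFIX):]] += 1
    report = {}
    for day, stamps in per_day.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[day] = {"hits": len(stamps),
                       "mean_gap_s": sum(gaps) / len(gaps) if gaps else None}
    return report, signatures

if __name__ == "__main__":
    days, sigs = detection_stats(SAMPLE_LOG)
    for day in sorted(days):
        print(day, days[day])
    print(len(sigs), "distinct signatures:", dict(sigs))
```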

User avatar
jimimaseye
Moderator
Moderator
Posts: 10053
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2018-08-18 21:35

I have this bit in my backup email giving me figures:
Backup Start: 17/08/2018 20:00:00.33

HMS Server Start Time: 2018-08-16 20:00:59
HMS Daily Spam Reject count: 0
HMS Daily Viruses Removed count: 0


20:00:01.34 Stopping Hmailserver service
.
.
.
...

Create a VBS (eg, 'ServerStatusBlockReport.vbs') with this:

Code:

   Set oApp = CreateObject("hMailServer.Application")
   Call oApp.Authenticate("Administrator", "secretpassword" )

   wscript.echo vbCrLf
   wscript.echo "HMS Server Start Time: " & oApp.status.StartTime
   wscript.echo "HMS Daily Spam Reject count: " & oApp.status.RemovedSpamMessages
   wscript.echo "HMS Daily Viruses Removed count: " & oApp.status.RemovedViruses & vbCrLf
Then call it at the top of your BackupMailData.bat script:

eg

Code:

echo Backup Start: %date% %time% > %BackLog%

cscript C:\Users\Administrator\Documents\BatchFiles\ServerStatusBlockReport.vbs //nologo //T:600   >> %BackLog%

REM :: Perform backup to temporary directory

:1st
set section=1st
.
.
.
[Entered by mobile. Excuse my spelling.]

palinka
Senior user
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by palinka » 2018-08-18 23:34

Cool.

vortexofhate
New user
New user
Posts: 13
Joined: 2014-09-17 20:23
Location: Corona, CA

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by vortexofhate » 2018-10-13 00:49

I have everything set up and it is working. I went to go change the definitions to use sanesecurity and they require rsync and recommend using cwRsync. Well, they no longer offer a free version by the looks of it, so I was wondering if anyone had a recommended rsync version to use?
