First of all, I am assuming you have a working hMailServer 4 or higher already installed and running. I got this going on a Windows 2000 Server machine; 2003 should be very close to the same concept. The reason I did this: I spent over a week trying ClamWin and other ways of calling clamscan. I got that working and then noticed a flood of clamscan.exe processes in my process list, because every scan starts a fresh copy of the scanner. I got this explanation from SOSDG's Brian Bruns:
There is no way to 'fix' this. If you need to be doing high performance scanning, it's best to use clamdscan with clamd as it loads the engine once then passes the data to the engine without needing to load the engine each time. This is not a DoS. It's a fact of how it works. The memory usage is not something I can change either - Cygwin is top heavy as it needs to support all the functionality that Linux/UNIX provides on Windows (which tends to be lacking badly).
Installing SOSDG ClamAV for Windows
Download the installer from http://www.sosdg.org/clamav-win32/. Install with the FULL option and DON'T change any of the default folder options. This is very important, as some paths are hard-coded into the program. You also need all the third-party tools, so please do a full install and save yourself some troubleshooting time.
Making SOSDG ClamAV run as Windows Service
We need to edit the “C:\clamav-devel\etc\clamd.conf” file. Open it in WordPad or any editor that recognizes Linux (LF) line breaks; Notepad on Windows 2000 does not and will show the file as one long line. I suggest just copying and pasting my example. This example scans executables, Office documents, mail, HTML and archives, and additionally blocks encrypted archives (ArchiveBlockEncrypted) and broken executables (DetectBrokenExecutables). The only thing it can't scan is .rar files (ClamAV can't scan the new RAR format yet). When done, save the file and move on to the next step.
clamd.conf (copy and paste):
##START CONF
##
## Example config file for the Clam AV
## Please read the clamd.conf(5) manual before editing this file.
##
# Comment or remove the line below.
#Example
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
#LogFile /tmp/clamd.log
LogFile /cygdrive/c/clamav-devel/log/clamd.log
# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes
# Maximal size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default: 1M
LogFileMaxSize 1M
# Log time with each message.
# Default: no
LogTime yes
# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes
# Use system logger (can work together with LogFile).
# Default: no
#LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable verbose logging.
# Default: no
#LogVerbose yes
# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
#PidFile /var/run/clamd.pid
PidFile /cygdrive/c/clamav-devel/clamd.pid
# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#TemporaryDirectory /var/tmp
TemporaryDirectory /cygdrive/c/clamav-devel/tmp
# Path to the database directory.
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav
DatabaseDirectory /cygdrive/c/clamav-devel/share/clamav
# The daemon works in a local OR a network mode. Due to security reasons we
# recommend the local mode.
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
#LocalSocket /tmp/clamd
#LocalSocket /cygdrive/c/clamav-devel/clamd.sock
# Remove stale socket after unclean shutdown.
# Default: no
#FixStaleSocket yes
# UNCOMMENT THE FOLLOWING TWO OPTIONS IF YOU WANT
# CLAMAV TO RUN IN TCP/IP MODE, WHICH MAY SOLVE SOME
# STABILITY ISSUES ON SOME VERSIONS OF WINDOWS
# DON'T FORGET TO COMMENT THE LocalSocket and
# FixStaleSocket OPTIONS ABOVE
#====================================================
# TCP port address.
# Default: no
TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
TCPAddr 127.0.0.1
#====================================================
# Maximum length the queue of pending connections may grow to.
# Default: 15
MaxConnectionQueueLength 30
# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.
# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximal attachment size.
# Default: 10M
#StreamMaxLength 5M
# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000
# Maximal number of threads running at the same time.
# Default: 10
MaxThreads 10
# Waiting for data from a client socket will timeout after this time (seconds).
# Value of 0 disables the timeout.
# Default: 120
ReadTimeout 60
# Waiting for a new job will timeout after this time (seconds).
# Default: 30
IdleTimeout 60
# Maximal depth directories are scanned at.
# Default: 15
MaxDirectoryRecursion 15
# Follow directory symlinks.
# Default: no
FollowDirectorySymlinks yes
# Follow regular file symlinks.
# Default: no
FollowFileSymlinks yes
# Perform internal sanity check (database integrity and freshness).
# Default: 1800 (30 min)
SelfCheck 1800
# Execute a command when virus is found. In the command string %v will
# be replaced by a virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
# Run as a selected user (clamd must be started by root).
# Default: don't drop privileges
# User root
# Initialize supplementary group access (clamd must be started by root).
# Default: no
AllowSupplementaryGroups yes
# Stop daemon when libclamav reports out of memory condition.
ExitOnOOM yes
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes
##
## Executable files
##
# PE stands for Portable Executable - it's an executable file format used
# in all 32-bit versions of Windows operating systems. This option allows
# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite.
# Default: yes
ScanPE yes
# With this option clamav will try to detect broken executables and mark
# them as Broken.Executable
# Default: no
DetectBrokenExecutables yes
##
## Documents
##
# This option enables scanning of Microsoft Office document macros.
# Default: yes
ScanOLE2 yes
##
## Mail files
##
# Enable internal e-mail scanner.
# Default: yes
ScanMail yes
# If an email contains URLs ClamAV can download and scan them.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: no
MailFollowURLs no
##
## HTML
##
# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
ScanHTML yes
##
## Archives
##
# ClamAV can scan within archives and compressed files.
# Default: yes
ScanArchive yes
# The options below protect your system against Denial of Service attacks
# using archive bombs.
# Files in archives larger than this limit won't be scanned.
# Value of 0 disables the limit.
# Default: 10M
ArchiveMaxFileSize 5M
# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This option specifies how
# deep the process should be continued.
# Value of 0 disables the limit.
# Default: 8
ArchiveMaxRecursion 9
# Number of files to be scanned within an archive.
# Value of 0 disables the limit.
# Default: 1000
ArchiveMaxFiles 500
# If a file in an archive is compressed more than ArchiveMaxCompressionRatio
# times it will be marked as a virus (Oversized.ArchiveType, e.g. Oversized.Zip)
# Value of 0 disables the limit.
# Default: 250
#ArchiveMaxCompressionRatio 300
# Use slower but memory efficient decompression algorithm.
# only affects the bzip2 decompressor.
# Default: no
#ArchiveLimitMemoryUsage yes
# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
ArchiveBlockEncrypted yes
# Mark archives as viruses (e.g. RAR.ExceededFileSize, Zip.ExceededFilesLimit)
# if ArchiveMaxFiles, ArchiveMaxFileSize, or ArchiveMaxRecursion limit is
# reached.
# Default: no
#ArchiveBlockMax yes
##END CONF
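Before starting the service, it is worth checking the handful of settings in the file above that this setup actually depends on: exactly one of TCPSocket / LocalSocket active, TCPAddr pinned to 127.0.0.1 (the file's own comment warns that the default binds to every interface), MailFollowURLs off, the archive-bomb limits not disabled, and the "Example" sentinel line gone (clamd refuses to start while it is present). The checker below is an added example written for this post; it is my own code, not part of ClamAV, SOSDG's package or hMailServer. The two small configs embedded in it are constructed for the example: the "weak" one is what you get if you uncomment LocalSocket without commenting TCPSocket, forget TCPAddr and turn on MailFollowURLs; the "fixed" one mirrors the relevant lines of the clamd.conf above.

```python
"""Lint the security-relevant options of a clamd.conf (added example, not ClamAV code)."""


def parse_clamd_conf(text):
    """Parse clamd.conf into {option: [values]}.

    clamd.conf is 'Option value' per line; '#' starts a comment, blank lines are
    ignored, and an option may appear more than once, so values are kept as a list
    in file order (the last one wins when we evaluate it)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        val = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(key, []).append(val)
    return opts


def lint_clamd_conf(text):
    """Return a list of findings (empty list means nothing to fix)."""
    o = parse_clamd_conf(text)
    findings = []

    if "Example" in o:
        findings.append("the 'Example' line is still present; clamd refuses to start")

    tcp = "TCPSocket" in o
    local = "LocalSocket" in o
    if tcp and local:
        findings.append("both TCPSocket and LocalSocket are set; comment one of them")
    if not tcp and not local:
        findings.append("neither TCPSocket nor LocalSocket is set; clamdscan cannot connect")
    if tcp:
        addr = o.get("TCPAddr", [""])[-1]
        if addr == "":
            findings.append("TCPSocket without TCPAddr binds to all interfaces; add TCPAddr 127.0.0.1")
        elif addr not in ("127.0.0.1", "localhost"):
            findings.append("TCPAddr %s exposes the daemon beyond this host" % addr)

    if o.get("MailFollowURLs", ["no"])[-1].lower() == "yes":
        findings.append("MailFollowURLs yes makes clamd fetch URLs found in mail (DoS risk)")

    # A value of 0 turns each archive-bomb limit off entirely.
    for limit in ("ArchiveMaxFileSize", "ArchiveMaxRecursion", "ArchiveMaxFiles"):
        if o.get(limit, ["1"])[-1] == "0":
            findings.append("%s 0 disables that archive-bomb limit" % limit)

    if o.get("ScanArchive", ["yes"])[-1].lower() == "no":
        findings.append("ScanArchive no: anything inside an archive is passed through unscanned")

    return findings


# Constructed sample configs for this example (not copied from any real server).
WEAK_CONF = """
# Comment or remove the line below.
Example
LogFile /cygdrive/c/clamav-devel/log/clamd.log
LocalSocket /cygdrive/c/clamav-devel/clamd.sock
TCPSocket 3310
MailFollowURLs yes
ArchiveMaxFiles 0
"""

FIXED_CONF = """
LogFile /cygdrive/c/clamav-devel/log/clamd.log
#LocalSocket /cygdrive/c/clamav-devel/clamd.sock
TCPSocket 3310
TCPAddr 127.0.0.1
MailFollowURLs no
ArchiveMaxFileSize 5M
ArchiveMaxRecursion 9
ArchiveMaxFiles 500
"""


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print("%s: %s" % (name, lint_clamd_conf(conf) or "ok"))
```

To check the file you just saved, read it with `open(r"C:\clamav-devel\etc\clamd.conf").read()` and pass the text to `lint_clamd_conf`.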
Go to “C:\clamav-devel\thirdparty\runclamd\”. Create a batch file called install.bat, edit it with Notepad and enter the following text: runclamd --install. Run the batch file you just created and saved. Now go to Control Panel > Administrative Tools > Services and find the service called “Run Clamd”. Open the properties of that service and go to the Log On tab. The service needs to run under an account with a password; I run it as Administrator. (The least-privilege alternative is a dedicated local account that can write to C:\clamav-devel\log, tmp and share\clamav: the daemon only listens on 127.0.0.1, but it parses untrusted attachments, so give it only what it needs if your environment allows it.) Click OK when you have entered the logon information, then right-click the service and choose Start. You should see the status change from blank to Started.
Configuring hMailServer 4.x for this Service
In the hMailServer Administrator, find the Antivirus section. On the General tab select a deletion method; I have mine deleting the attachment. SKIP the ClamWin tab. Go to the External Scanner tab and check "Use external scanner". Enter C:\clamav-devel\bin\clamdscan.exe --no-summary --stdout "%FILE%" as the executable and change the return value to 1. (clamdscan exits 0 for a clean file, 1 when a virus is found and 2 on error, so 1 is the value hMailServer must treat as infected. Be aware that an error, such as clamd not running, gives 2, which hMailServer does not treat as infected, so mail is delivered unscanned until the service is back; keep an eye on it.) Click Save. You should be ready to test for viruses now.
Testing Email Scanner
I use these two sites: http://www.aleph-tec.com/eicar/ and http://www.eicar.org/anti_virus_test_file.htm. With them you can send EICAR virus test messages to an email account of your choice. Test some clean emails with attachments as well, to make sure they are not being blocked.
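If you want to check the daemon independently of hMailServer and clamdscan, you can talk to it directly over the TCP socket configured above (TCPSocket 3310 on TCPAddr 127.0.0.1). The script below is an added example written for this post (my own code, not from ClamAV, SOSDG or hMailServer). It shows both sides of the exchange: PING/PONG as a liveness check, and the STREAM command, where clamd replies with "PORT <n>" (a port from the StreamMinPort..StreamMaxPort range), the client pushes the file bytes to that port, and the verdict ("stream: OK" or "stream: <signature> FOUND") comes back on the first connection. So that it runs stand-alone, it includes a small fake clamd, constructed for this example, that implements just those two commands and flags the public EICAR string; point `ping` and `scan_stream` at port 3310 to test the real service instead. One caveat: STREAM is the command of the clamd generation this clamd.conf targets; newer ClamAV releases replaced it with INSTREAM, so only the PING part applies unchanged there.

```python
"""Minimal clamd TCP client plus a fake daemon for offline testing (added example)."""
import socket
import threading

# The public EICAR test string (68 bytes); scanners report it as Eicar-Test-Signature.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def _readline(sock):
    """Read one newline-terminated clamd reply (replies are short, so byte-wise is fine)."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\n")


def ping(host="127.0.0.1", port=3310, timeout=5.0):
    """Liveness check: clamd answers PING with PONG."""
    with socket.create_connection((host, port), timeout=timeout) as ctl:
        ctl.sendall(b"PING\n")
        return _readline(ctl)


def scan_stream(data, host="127.0.0.1", port=3310, timeout=30.0):
    """STREAM scan: ask for a data port, send the bytes there, read the verdict."""
    with socket.create_connection((host, port), timeout=timeout) as ctl:
        ctl.sendall(b"STREAM\n")
        reply = _readline(ctl)                       # expected: "PORT <n>"
        if not reply.startswith("PORT "):
            raise RuntimeError("unexpected reply to STREAM: %r" % reply)
        data_port = int(reply.split()[1])
        with socket.create_connection((host, data_port), timeout=timeout) as dat:
            dat.sendall(data)                        # closing the data socket ends the stream
        return _readline(ctl)                        # "stream: OK" or "stream: <name> FOUND"


def is_infected(verdict):
    """clamd reports detections as '<target>: <signature> FOUND'."""
    return verdict.endswith(" FOUND")


class FakeClamd:
    """Stand-in for clamd, constructed for this example only: listens on 127.0.0.1
    like the TCPAddr setting above, implements PING and STREAM, hands out an
    ephemeral data port instead of one from StreamMinPort..StreamMaxPort, and
    'detects' only the EICAR string."""

    def __init__(self):
        self._ctl = socket.socket()
        self._ctl.bind(("127.0.0.1", 0))
        self._ctl.listen(5)
        self.port = self._ctl.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self._ctl.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with conn:
            cmd = _readline(conn)
            if cmd == "PING":
                conn.sendall(b"PONG\n")
            elif cmd == "STREAM":
                dsock = socket.socket()
                dsock.bind(("127.0.0.1", 0))
                dsock.listen(1)
                conn.sendall(b"PORT %d\n" % dsock.getsockname()[1])
                dat, _ = dsock.accept()
                payload = b""
                with dat:
                    while True:
                        chunk = dat.recv(4096)
                        if not chunk:
                            break
                        payload += chunk
                dsock.close()
                if EICAR.encode("ascii") in payload:
                    conn.sendall(b"stream: Eicar-Test-Signature FOUND\n")
                else:
                    conn.sendall(b"stream: OK\n")
            else:
                conn.sendall(b"UNKNOWN COMMAND\n")


def demo():
    """Run the client against the fake daemon; use port=3310 to hit the real one."""
    srv = FakeClamd()
    return (ping(port=srv.port),
            scan_stream(EICAR.encode("ascii"), port=srv.port),
            scan_stream(b"plain attachment with nothing nasty in it", port=srv.port))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Against the real daemon, a connection refused on 3310 means the service is down (and, as noted above, clamdscan will then exit 2 rather than 1), while a timeout with no PONG usually means ReadTimeout or the firewall is in the way.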
Automatically updating Virus Database using Scheduled Task
I made a batch file and run it every day at 1AM. That ensures I have the newest virus definitions for the day. I created the scheduled task in Windows to run the batch file as Administrator; you can figure that part out. The batch file code is below. What it does, in a nutshell, is update the virus database and tell the daemon about it: freshclam.exe notifies the daemon to reload its definitions because "NotifyClamd /cygdrive/c/clamav-devel/etc/clamd.conf" is in freshclam.conf, so stopping and starting the service is not needed. Run the batch file without --quiet and with a pause at the end to make sure it works before creating the scheduled task.
refreshclamd.bat (copy and paste):
@ECHO OFF
C:\clamav-devel\bin\freshclam.exe --quiet --config-file=C:\clamav-devel\etc\freshclam.conf
This may change in the future, as hMailServer might add support for connecting directly to the daemon the way SmarterMail does now. The only thing that would change is the hMailServer configuration section of this post. The fact is I have seen a huge performance increase by doing things this way. I slammed my server with over 200 virus emails at the same time and didn't even notice it; the old way, I saw a dual Xeon use 30% CPU scanning viruses in 150+ processes. That should be a good reason to switch. Hope this helps someone.
