HOWTO: Use SOSDG ClamAV Daemon as Service on hMailServer 4.x

[cgountanis]

Installing SOSDG ClamAV Daemon as Windows Service on hMailServer v4.x
First of all I am assuming you have a working hMailServer 4 or higher already installed and working 100%. I got this going on a Windows 2000 Server machine. I am sure 2003 would be very close to same concept. The reason why I did this: I spent over a week trying ClamWin and other forms of clamscan. I got that working and then noticed a spam of clamscan.exe in my processes. I got this information from SOSDG's Brian Bruns:

There is no way to 'fix' this. If you need to be doing high performance scanning, its best to use clamdscan with clamd as it loads the engine once then passes the data to the engine without needing to load the engine each time.This is not a DoS. Its a fact of how it works. The memory usage is not something I can change either - Cygwin is top heavy as it needs to support all the functionaly that Linux/UNIX provides on Windows (which tends to be lacking badly).

Installing SOSDG ClamAV for Windows

Download installer from http://www.sosdg.org/clamav-win32/. Install with FULL option and DON’T change any of the default folder options. This is very important as some parameters are hard-coded into the program. You also need all the third party tools. So please do a full install and save some time troubleshooting.


Making SOSDG ClamAV run as Windows Service

We need to edit the “C:\clamav-devel\etc\clamd.conf” file. Open this file in Word Pad or favorite editor that recognizes Linux line breaks. I suggest just coping and pasting my example. This example catches all forms of viruses, encrypted files and broken executables. Only thing is can't scan is .rar files (ClamAV can’t scan the new RAR file yet). When done save file and move on to next step.

clamd.conf (copy and paste):

Code: Select all

##START CONF
##
## Example config file for the Clam AV
## Please read the clamd.conf(5) manual before editing this file.
##


# Comment or remove the line below.
#Example

# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
#LogFile /tmp/clamd.log
LogFile /cygdrive/c/clamav-devel/log/clamd.log


# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes

# Maximal size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default: 1M
LogFileMaxSize 1M

# Log time with each message.
# Default: no
LogTime yes

# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes

# Use system logger (can work together with LogFile).
# Default: no
#LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

# Enable verbose logging.
# Default: no
#LogVerbose yes

# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
#PidFile /var/run/clamd.pid
PidFile /cygdrive/c/clamav-devel/clamd.pid

# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#TemporaryDirectory /var/tmp
TemporaryDirectory /cygdrive/c/clamav-devel/tmp

# Path to the database directory.
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav
DatabaseDirectory /cygdrive/c/clamav-devel/share/clamav

# The daemon works in a local OR a network mode. Due to security reasons we
# recommend the local mode.

# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
#LocalSocket /tmp/clamd
#LocalSocket /cygdrive/c/clamav-devel/clamd.sock

# Remove stale socket after unclean shutdown.
# Default: no
#FixStaleSocket yes



# UNCOMMENT THE FOLLOWING TWO OPTIONS IF YOU WANT
# CLAMAV TO RUN IN TCP/IP MODE, WHICH MAY SOLVE SOME
# STABILITY ISSUES ON SOME VERSIONS OF WINDOWS
# DON'T FORGET TO COMMENT THE LocalSocket and
# FixStaleSocket OPTIONS ABOVE
#====================================================

# TCP port address.
# Default: no
TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protectiyes
# from the outside world.
# Default: no
TCPAddr 127.0.0.1

#====================================================

# Maximum length the queue of pending connections may grow to.
# Default: 15
MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximal attachment size.
# Default: 10M
#StreamMaxLength 5M

# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000

# Maximal number of threads running at the same time.
# Default: 10
MaxThreads 10

# Waiting for data from a client socket will timeout after this time (seconds).
# Value of 0 disables the timeout.
# Default: 120
ReadTimeout 60

# Waiting for a new job will timeout after this time (seconds).
# Default: 30
IdleTimeout 60

# Maximal depth directories are scanned at.
# Default: 15
MaxDirectoryRecursion 15

# Follow directory symlinks.
# Default: no
FollowDirectorySymlinks yes

# Follow regular file symlinks.
# Default: no
FollowFileSymlinks yes

# Perform internal sanity check (database integrity and freshness).
# Default: 1800 (30 min)
SelfCheck 1800

# Execute a command when virus is found. In the command string %v will
# be replaced by a virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as a selected user (clamd must be started by root).
# Default: don't drop privileges
# User root

# Initialize supplementary group access (clamd must be started by root).
# Default: no
AllowSupplementaryGroups yes

# Stop daemon when libclamav reports out of memory condition.
ExitOnOOM yes

# Don't fork into background.
# Default: no
#Foreground yes

# Enable debug messages in libclamav.
# Default: no
#Debug yes

# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes

##
## Executable files
##

# PE stands for Portable Executable - it's an executable file format used
# in all 32-bit versions of Windows operating systems. This option allows
# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite.
# Default: yes
ScanPE yes

# With this option clamav will try to detect broken executables and mark
# them as Broken.Executable
# Default: no
DetectBrokenExecutables yes


##
## Documents
##

# This option enables scanning of Microsoft Office document macros.
# Default: yes
ScanOLE2 yes

##
## Mail files
##

# Enable internal e-mail scanner.
# Default: yes
ScanMail yes

# If an email contains URLs ClamAV can download and scan them.
# WARNING: This option may open your system to a DoS attack.
#	   Never use it on loaded servers.
# Default: no
MailFollowURLs no


##
## HTML
##

# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
ScanHTML yes


##
## Archives
##

# ClamAV can scan within archives and compressed files.
# Default: yes
ScanArchive yes

# The options below protect your system against Denial of Service attacks
# using archive bombs.

# Files in archives larger than this limit won't be scanned.
# Value of 0 disables the limit.
# Default: 10M
ArchiveMaxFileSize 5M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deep the process should be continued.
# Value of 0 disables the limit.
# Default: 8
ArchiveMaxRecursion 9

# Number of files to be scanned within an archive.
# Value of 0 disables the limit.
# Default: 1000
ArchiveMaxFiles 500

# If a file in an archive is compressed more than ArchiveMaxCompressionRatio
# times it will be marked as a virus (Oversized.ArchiveType, e.g. Oversized.Zip)
# Value of 0 disables the limit.
# Default: 250
#ArchiveMaxCompressionRatio 300

# Use slower but memory efficient decompression algorithm.
# only affects the bzip2 decompressor.
# Default: no
#ArchiveLimitMemoryUsage yes

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
ArchiveBlockEncrypted yes

# Mark archives as viruses (e.g. RAR.ExceededFileSize, Zip.ExceededFilesLimit)
# if ArchiveMaxFiles, ArchiveMaxFileSize, or ArchiveMaxRecursion limit is
# reached.
# Default: no
#ArchiveBlockMax yes
##END CONF

Go to “C:\clamav-devel\thirdparty\runclamd\”. Create a batch file called install.bat and edit with note pad. Enter the following text: runclamd –install. Run the batch file you just created and saved. Now go to Control Panel > Administrative Tools > Services. Find service called “Run Clamd”. Go to the properties on that service. Find the Log On tab. We need to make sure this service runs as Admin with password. Click OK when done entering in the start-up user information for that service. Right click on the service and start. You should see the status change from nothing to STARTED.


Configuring hMailServer 4.x for this Service

In the hMailServer administrator find the Antivirus section. In the general tab select a deletion method. I have mine deleting attachments. SKIP the ClamWin tab. Go to the External Scanner tab. Check use external scanner. Enter in C:\clamav-devel\bin\clamdscan.exe --no-summary --stdout "%FILE%" for the executable section and change the return value to 1. Click Save. You should be ready to test viruses now.


Testing Email Scanner

I use these two sites http://www.aleph-tec.com/eicar/ and http://www.eicar.org/anti_virus_test_file.htm. With those two sites you should be able to send your own virus tests to a specified emails account. Test some cleans emails with attachments as well.


Automatically updating Virus Database using Scheduled Task

I made a batch file and runs that batch file everyday at 1AM. That insures that I have the newest virus definitions for the day everyday. I created the scheduled task in Windows to run a batch file as Administrator. You can figure that part out. The batch file code is below. What this does in a nutshell is updates the virus database and the service. The freshclam.exe should notify the Daemon to refresh definitions since "NotifyClamd /cygdrive/c/clamav-devel/etc/clamd.conf" is in the freshclam.conf. So the stopping and starting of the service is not needed. You can run the batch file without the --quite and with a pause at end to make sure it works before making the scheduled task.

refreshclamd.bat (copy and paste):

Code: Select all

@ECHO OFF
C:\clamav-devel\bin\freshclam.exe --quiet --config-file=C:\clamav-devel\etc\freshclam.conf

This may change in the future as hMailServer might provide support for connecting directly to the Daemon like SmarterMail Mail Server does now. The only thing that should change is the hMailServer configuration section of this post. The fact is I have seen a huge performence increase by doing things this way. I slammed my server with over 200 virus email at same time. I didn't even notice it over the old way I saw a Dual Xeon use 30% CPU to scan viruses in 150+ processes. That should be a good reason to switch. Hope this helps someone

[bruns]

Some problems with the changes you made - I don't know if you realize what all the options you changed do.

First...

#PidFile /cygdrive/c/clamav-devel/clamd.pid

You should leave the pid file option turned on, as certain other programs use the pid file to identify where the clamd daemon is running exactly in memory. Even if its not actively being used now, you should have it on in case hmailserver uses that feature later for checking the status of the daemon.

Second the script for restarting clamd after updating definitions is completely unnecessary and wasteful of resources. Freshclam auto notifies the clamd daemon whenever the updates happen, and clamd auto reloads the database, so you do _not_ need to restart clamd.

[cgountanis]

I made the changes to the how-to. I was having an issue stopping the service after the database was updated and the clamd was notified. Running as service doesn't seem to have this same issue. Might have been a user thing with terminal services. Also, with that being said the freshclam.conf was perfect without making any changes.

Thanks for the advice and help!

[kermitfla3640]

cgountanis.. Nice job

FYI: The pid line is incorrect (form display issue)
PidFile /cygdrive/c/clamav-devel/clamd.pid[/color ]
Drop the & [/color ]

Very important: The StreamMaxLength option needs to be customized to each MTA's setting. This will cause, as it stands, any message over 5mb to be droped. You may want to chage it back to the default.
Same goes for the ArchiveMaxFileSize

Otherwise, very good job.

[bruns]

Actually, all that StreamMaxLength means is that files over that size aren't scanned for viruses - its up to the MTA to either let it through or drop it. I set it to 5MB because people were reporting hangs when large files were being scanned.

[rodolfor]

thanks and sorry for my low comprension.

[cgountanis]

I removed the orange color tag from example config. OPPS

StreamMaxLength: I left the same as default from SOSDG since you have to customize for your mail servers MTA anyway. 5MB should be OK for the majority.

ArchiveMaxFileSize: I don't wan't my server scanning files over 5MB. That could be a problem if someone slams you with 1000 emails incuding 10MB files. OUCH! If you think about it not many viruses come through at more than a few KB.


Great points for everyone to consider though. Thanks!

[FAWTS]

I installed SOSDG following your How TO and it works very well. I have just one question :
Is it normal that after the refresh DB task is executed, I have 0X1 as result in stead of 0x0 ?

I got a smal problem too. As I use dxgettext to compile PO to MO files, and as it use Cygwin too, after installing SOSDG, it didn't work anymore. This is because SOSDG use Cygwin and install is own cygwin1.dll that is even most recent that the one of the "official" site. To make gettext work again, you will need to fing cygwin1.dll from SOSDG and copy it and replace the cygwin1.dll from gettext with it.

[jimmyu]

I'm having an issue with virusscanning but I don't know if it's ClamAV or hMailserver that's behaving strange.

I've installed SOSDG ClamAV using the HowTo in this thread.

I'm testing it by sending mails with EICAR test files attached and it seems to detect the files because it edits the subject line with something like [virus Eicar test file] but the attachments aren't removed if I configure hMailserver to do that and it won't delete the mail if I set hMailserver to do that.
When I check the statistics in hMailserver it says that it hasn't detected any virusmails.

I'm running the following setup:
Windows Server 2003
hMailserver v4.2-B195 MySQL
ClamAV 0.88-2

Does anyone have a suggestion?

[Bram]

Thanks for the good HowTo.
I had cpu problems using clamscan.exe. Followed your howto and installed clamd.exe and use clamdscan.exe now instead. CPU problems are gone!!

[rebus]

I know this is an old thread, but since there has been recent activity.......

I've installed ClamAV on a half dozen Windows 2000 and 2003 servers, and have a real dilemma. On Win 2000, clamd works just fine. I can start, stop, restart, no problem.

On every Server 2003 machine, however, I can only start the service ONCE. If I stop it, it cannot be restarted. EVER. It will begin to load, shows up in Task Manager, then as soon as it's loaded it terminates. The only way to get clamd running again is to uninstall and reinstall. (reboots have no effect)

It does not matter how the service is started:
-command line starting it manually using start-clamd.bat (and stop-clamd.bat)

-runclamd -start (from /thirdparty directory)

-running as a service using FireDaemon

The method does not matter.

Server event logs show nothing. Appended below is the clamd.log logfile, which appears to show nothing useful. Nothing is logged when clamd abrputly terminates.

Anyone else have this problem, and know of a workaround? Like I said, it's only on Server 2003 machines.

Code: Select all

Wed Aug 30 21:16:11 2006 -> +++ Started at Wed Aug 30 21:16:11 2006
Wed Aug 30 21:16:11 2006 -> clamd daemon devel-20060711 (OS: cygwin, ARCH: i386, CPU: i686)
Wed Aug 30 21:16:11 2006 -> Log file size limited to 1048576 bytes.
Wed Aug 30 21:16:11 2006 -> Reading databases from /cygdrive/c/clamav-devel/share/clamav
Wed Aug 30 21:16:15 2006 -> Protecting against 67328 viruses.

[rebus]

In case anyone having the same problem finds this thread, there was another discussion in http://www.hmailserver.com/forum/viewtopic.php?t=5599 and the solution was to install the officially supported ClamAV for Windows available from http://w32.clamav.net . This cured the problems with clamd running on Windows Server 2003.

 

[rebelo]

Hi.
Is this a good update log of the freshclam ?
Wondering as it ends on the Retrieving http://database.clamav.net/daily-2164.cdiff

Code: Select all

Current working dir is /cygdrive/c/clamav-devel/share/clamav
Max retries == 3
ClamAV update process started at Fri Nov 10 19:24:53 2006
Querying current.cvd.clamav.net
TTL: 882
Software version from DNS: 0.88.6
main.cvd version from DNS: 41
main.inc is up to date (version: 41, sigs: 73809, f-level: 10, builder: tkojm)
daily.cvd version from DNS: 2185
Retrieving http://database.clamav.net/daily-2164.cdiff

[chanas]

Check the C:\clamav-devel\log folder for freshclam.log. You should see either an "updated" message or a "database is up to date".

[chanas]

Just to let you know I just used this setup today and it works perfectly. CPU usage dropped from 100% spikes to below 5%.

[rebelo]

Tks chanas.
Did not suceeded and have returned to clamwin.
All looks good.

[dedisoft]

Many thanks for this great article.

Very helpful.

Regards

[g0yjs0]

How is this HOWTO impacted with the recent release of a native Win32 ClamAV?

(See thread here: General Discussions | ClamAV For Windows)

[racman]

Hi All,

I am trying to get this installed as per the posted HOWTO but can't get it going. After I install runclamd as a service and try to start it, I get the following error:

Error 1069: The service did not start due to a logon failure

In the runclamd.ini file I have:

User=".\Administrator"
Password=xxxxx

This error is not covered in this HOWTO so can someone please advise me as to why am getting this error and what to do?

Many thanks ...

[cgountanis]

Hi long time for activity on this tread. I recommend not use Clam I stopped using it. When you get many emails with attachments it will bring your server to it's knees. I personally have found great sucess in using SPAM blacking which is built into hMailServer and extension blocking which easily covers all virus type emails. If you still need a virus scanner look into Sophos as Symantec (Norton), McAfee and other like Clam do not catch much.


As far as your issue sounds like a WIndows permisions issue to the directory.

Good luck.

[^DooM^]

Are you talking about Clamwin or ClamAV? Clamwin will bring your server to it's knees if it is busy. ClamAV however does not.

[cgountanis]

I personally have had performance issues and a low catch rate with Clam anything. This is still a great solution for less than 100 users.

[^DooM^]

Well upto you but configured correctly it's been working fine for me for years.

[maggiore81]

Hello
I have installed in my production env
the latest 0.95 clamAV release and all the extra signatures

Now it suddenly hangs.
I have a lot of clamdscan.exe processes hung there.
and mails wont be sent, they remain in the outgoing queue forever. the only thing I can do is to
net stop clamd
manually send now the messages in the outgoing list
then restart clamd

can someone help me?

hmail 5.1 latest stable
Win 2003 x64 Std SP2

[^DooM^]

I'm still using the old ClamAV 0.92 iirc, nothing wrong with it

[maggiore81]

Hello
So you indirectly suggest me to keep using 0.92 with the new signatures...

sinche the 0.92 has always been stable also for me...

[PeterK2003]

anyone running the latest version "clamav-0.95-1a.exe"? It didn't seem to work form me. The "clamav-0.94.2-1a.exe" version did however.

Just wondering.

Thanks,
Peter

[maggiore81]

Well I have found the problems that I had on the latest release of clam av. The problem on the conf was the Thread number. I set to 8, it works when set to 1 or 2.

[a.cirri]

Unfortunately version 0.95-1 doesn't works due to a problem on finding file to be scan.

If you run this test:

"C:\clamav-devel\bin\clamdscan.exe" --no-summary --stdout "C:\clamav-devel\test\clam-nsis.exe"

you obtain that File Not Found and that there are zero virus!!!

In hmail seem that all works well.... but isn't it

I confirm that version 0.94.2-1 is ok.

[maggiore81]

Well.
Thank you for you info, however I noticed (at least on the debug log) that there are a lot of mails marked as virus, and both the logfile logs the virus found, and the hmail virus count raises.

So I think it works. BUT if I send to a mailbox the eicar test virus, it passes.

why ?

I also use the sanesecurity scam signatures, and they really blocks a lot of mails

[PeterK2003]

i get this message when i run an update:

Code: Select all

WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 38, recommended = 43

how can i update clamAV?