using clamav on windows - seriously

marrco
New user
Posts: 6
Joined: 2011-08-04 16:29

using clamav on windows - seriously

Post by marrco » 2013-12-20 10:38

I had to reinstall a small Windows server, ran into the usual problems with ClamAV and spent some time investigating it, reading the messages, and found out that most users now (Dec. 2013) don't have a good config.

First of all, there are 2 different ports for Windows 32:
http://oss.netfarm.it/clamav/
and the one on SourceForge that's also referenced on clamav.net
http://sourceforge.net/projects/clamav/ ... mav/win32/

The main difference is that the pseudo-official SourceForge one doesn't daemonize. So it doesn't work out of the box for us. Using the netfarm version makes the setup really easy. Most defaults are OK.

hMailServer has an option to use ClamAV; just set it to localhost, port 3310.

Executing "clamd --help" from a command prompt shows the interesting options:
Windows Service:
--daemon Start in Service mode (internal)
--install Install Windows Service
--uninstall Uninstall Windows Service

So all we have to do is install the clamd Windows service to run as a daemon. And we can do this only with Gianluca Tiesi's port. And configure hMailServer to use ClamAV on localhost 3310.

Now that we have ClamAV working on Windows we can also add a few additional signatures in order to use it as a powerful antispam tool: http://sanesecurity.com/ provides scripts and a guide for that setup.

That's it, no need to use third-party scripts, external wrappers or a different config. Just the oss.netfarm.it/clamav/ version and the default hMailServer antivirus options are what we need to get the job done.

jimimaseye
Moderator
Posts: 8528
Joined: 2011-09-08 17:48

Re: using clamav on windows - seriously

Post by jimimaseye » 2014-07-31 11:46

Out of interest, how does this compare to just installing Clamwin from Clamwin.com (a windows version of ClamAV) and just installing and running that? That's what I did and had no problems integrating, setting services or any other faff. So what are the benefits that I am not aware of please?
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

mattg
Moderator
Posts: 20791
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: using clamav on windows - seriously

Post by mattg » 2014-07-31 12:40

ClamWin is NOT multi-threaded, and will stop a busy server.

Use a ClamAV variant that creates a ClamD service wherever you can.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

jimimaseye
Moderator
Posts: 8528
Joined: 2011-09-08 17:48

Re: using clamav on windows - seriously

Post by jimimaseye » 2014-07-31 12:54

Right, OK. That's fair enough.

So ok for little systems that receive emails of a few a minute but large systems that can receive 10 a second or something will grind down.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

mattg
Moderator
Posts: 20791
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: using clamav on windows - seriously

Post by mattg » 2014-07-31 16:22

even a few a minute I wouldn't use it

a couple of large attachments getting scanned, and your server over-loads
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

jimimaseye
Moderator
Posts: 8528
Joined: 2011-09-08 17:48

Re: using clamav on windows - seriously

Post by jimimaseye » 2014-08-01 10:50

Well, I have just experimented with something.....

I looked at this software that Marrco originally pointed to. Short version....

"What's the difference?

Ooh... this has clamd.exe but clamwin.exe doesn't... and yet they say that clamwin is based on this port.

Hmmmm..... what if......"


And so I then copied clamd.exe and clamd.conf from this netfarm software and put them in the clamwin program directory (which I already have installed). I changed the clamd.conf to read:
LogFile C:\Program Files (x86)\ClamWin\bin\clamd.log
DatabaseDirectory C:\ProgramData\.clamwin\db
(to match the clamwin.conf locations)

and then just ran
clamd.exe --install
This install installed the service called "ClamWin Free Antivirus Scanner Service" running clamd.exe.
Go to SERVICES and START this "ClamWin Free Antivirus Scanner Service" (you might want to change to Start type=automatic, as it's currently MANUAL).

I then tested HMS. In AntiVirus, disable Clamwin, enable ClamAV, click TEST and BOOM! Test succeeded!

I did a further test.

I timed how long it takes for the 'eicar' TEST (button) result to return for both the clamwin and the clamav (service).
Clamwin = 20 seconds (visible CPU increased to 24% in the system's Task Manager monitor)
ClamAV service = 5 seconds (and strangely no visible CPU increase).

I then tried the tests again but by launching THREE test buttons all at the same time (despite the clamd.conf saying Max Threads = 2) and they all performed in line with the above tests (all clamav service tests returned in 5 secs with no CPU; clamwin sent CPU to 70-odd percent with 3 separate processes being launched).

CONCLUSION:

It does seem that the clamd service is certainly more beneficial in being quicker. And if Matt is right (I have no doubts) it would seem it is a better option (although I would like to have some other REAL virus tests on email to see how it all handles - anyone any idea how to get one?)

I now have one outstanding question: given we have proved the ClamAV service is better than Clamwin, what makes my setup above (clamwin + clamd added) better or worse than just using the initial software in its entirety that Marrco suggested (from Netfarm)? Well, I haven't gone through the process but the Netfarm install looks like it involves:

a, CHOOSING your relevant flavour (x32, 64 etc) of the software and downloading it
b, Extracting and copying the contents to a single standalone directory
c, then downloading the relevant MSVCRT libraries and manually placing them in the same directory
d, changing the config files in that directory to reflect your choice of 'install' directory.

Clamwin install involves:
a, Download (the only available version of) Clamwin from their website
b, Run the install
c, Download the win32 version of the netfarm clamav
d, Steal the clamd.exe (and clamd.conf) from that download and copy to the C:\Program Files (x86)\ClamWin\bin program directory
e, Change the config file to reflect the location changes

Hmmm.. it's tricky. The second option involves an extra download BUT you get the benefit of the whole software being properly installed and registered into your system (which also gets automatically updated when new releases are installed). The netfarm version seems to be a standalone program directory floating about somewhere unofficially recognised by your system. But then again, the ClamAV software is one less download. And what I can't say is how the GUI of ClamAV looks or operates (I haven't tried it) but it seems to not really have one. Clamwin, however, has a tray, on-demand Scan in Context Menu and quarantine program.

I think for me the Clamwin install PLUS the service install is better (looks and feels nicer). The extra step that is needed only has to be done once. (It's a shame clamwin doesn't supply the clamd.exe service.)
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
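
Added example (not part of the original posts): the EICAR check described above can also be run directly against the clamd service on localhost port 3310, without the hMailServer TEST button. It uses clamd's PING and INSTREAM commands and times the scan; the function names are this example's own.

```python
import socket
import struct
import time

# Standard EICAR anti-virus test string (harmless, 68 bytes).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def instream_frame(data, chunk_size=4096):
    """Build an INSTREAM request: command, length-prefixed chunks, zero-length end marker."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out.append(struct.pack("!I", len(chunk)) + chunk)  # 4-byte big-endian length
    out.append(struct.pack("!I", 0))
    return b"".join(out)

def parse_reply(raw):
    """Map a reply such as 'stream: OK' or 'stream: NAME FOUND' to (status, signature)."""
    text = raw.rstrip(b"\0\r\n").decode("ascii", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return ("clean", None)
    if verdict.endswith(" FOUND"):
        return ("infected", verdict[:-len(" FOUND")])
    return ("error", verdict or text)

def clamd_request(payload, host="127.0.0.1", port=3310, timeout=30.0):
    """Send one command and read the NUL-terminated reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        buf = b""
        while not buf.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            buf += part
        return buf

def scan_eicar(host="127.0.0.1", port=3310):
    """Ping clamd, then stream EICAR to it; returns (status, signature, seconds)."""
    if clamd_request(b"zPING\0", host, port) != b"PONG\0":
        raise RuntimeError("clamd did not answer PING")
    start = time.monotonic()
    status, sig = parse_reply(clamd_request(instream_frame(EICAR), host, port))
    return status, sig, time.monotonic() - start

if __name__ == "__main__":  # needs the clamd service running on this machine
    print(scan_eicar())
```

A result of `clean` for EICAR means the service is up but its signature database is missing or not loaded.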

jimimaseye
Moderator
Posts: 8528
Joined: 2011-09-08 17:48

Re: using clamav on windows - seriously

Post by jimimaseye » 2014-08-01 11:28

UPDATE:

Just performed a test with a real virus attached to an email and it did get stripped as per HMS rules. (Took me an age, though, to find a virus that ClamAV recognises - tried 3 different ones that came in over the last 10 days and none were recognised. I had to go back 3 weeks before I found one with a definition ClamAV knew about.) Kind of makes me wonder really how effective Clam is. 3 weeks before getting updated effective definitions is ridiculous (especially considering the effectiveness of new viruses is in the first 36 hours, after which the proliferation usually drops and MOST antivirus definitions get updated to catch them. 36 hours, not 3 weeks!!!).

My conclusion, the spamd service with Clamwin does work as we want it to.....but overall Clam simply is pants for stopping REAL threat viruses. So why bother?!
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

mago.barca
New user
Posts: 14
Joined: 2015-02-11 15:23

Re: using clamav on windows - seriously

Post by mago.barca » 2015-02-27 02:24

marrco wrote:
I had to reinstall a small Windows server, ran into the usual problems with ClamAV and spent some time investigating it, reading the messages, and found out that most users now (Dec. 2013) don't have a good config.

First of all, there are 2 different ports for Windows 32:
http://oss.netfarm.it/clamav/
and the one on SourceForge that's also referenced on clamav.net
http://sourceforge.net/projects/clamav/ ... mav/win32/

The main difference is that the pseudo-official SourceForge one doesn't daemonize. So it doesn't work out of the box for us. Using the netfarm version makes the setup really easy. Most defaults are OK.

hMailServer has an option to use ClamAV; just set it to localhost, port 3310.

Executing "clamd --help" from a command prompt shows the interesting options:
Windows Service:
--daemon Start in Service mode (internal)
--install Install Windows Service
--uninstall Uninstall Windows Service

So all we have to do is install the clamd Windows service to run as a daemon. And we can do this only with Gianluca Tiesi's port. And configure hMailServer to use ClamAV on localhost 3310.

Now that we have ClamAV working on Windows we can also add a few additional signatures in order to use it as a powerful antispam tool: http://sanesecurity.com/ provides scripts and a guide for that setup.

That's it, no need to use third-party scripts, external wrappers or a different config. Just the oss.netfarm.it/clamav/ version and the default hMailServer antivirus options are what we need to get the job done.

Note that the clamav file does not have an install. Just uncompress it and move the folder to your liking, for example to C:\Program Files\ClamAV. Make sure to install the Microsoft Visual C++ 2005 Redistributable. It is picky about the version. I run Microsoft Update to get the latest version. If you don't do so, you will get an error when you run clamd.exe or freshclam.exe.

I want to add a couple of things:
  1. Edit the configuration file clamd.conf to reflect your settings, for example:

    TCPSocket 3310
    MaxThreads 2
    LogFile "C:\Program Files\ClamAV\clamd.log"
    DatabaseDirectory "C:\Program Files\ClamAV\db"

    For more info about the format of clamd.conf file, check out http://linux.die.net/man/5/clamd.conf. This is the conf file for unix/linux systems. Be careful about the paths. Here is an example for Unix/Linux http://www.hostbird.com/beta/projects/q ... clamd.conf
  2. Edit the configuration file freshclam.conf and add an entry for log files, for example:

    DatabaseMirror database.clamav.net
    DNSDatabaseInfo current.cvd.clamav.net
    UpdateLogFile "C:\Program Files\ClamAV\freshclam.log"

    For more info about the format of freshclam.conf file, check out http://linux.die.net/man/5/freshclam.conf. Here is an example for Unix/Linux http://www.opensource.apple.com/source/ ... hclam.conf
  3. Create a folder called db to store the database and run the command freshclam.exe to download and update the virus database. You may have to be a little patient in this part and try several times. My download got interrupted several times.
  4. Install both clamd.exe and freshclam.exe as windows services:

    clamd.exe --install
    freshclam.exe --install
  5. Go to Services under Administrative Tools, start both services and change their startup type to Automatic.
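
Added example (not from the original post): a small check of the two configuration files from the steps above, assuming clamd only serves hMailServer on the same machine. It also flags a missing TCPAddr, a standard clamd.conf option that the thread does not mention; without it clamd binds to all interfaces. The function names are this example's own and the sample files are the lines quoted in the post.

```python
import ipaddress

def parse_conf(text):
    """Parse 'Option value' lines; '#' lines are comments, quotes are stripped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            opts[key] = value.strip().strip('"')
    return opts

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr.lower() == "localhost"

def audit(clamd_text, freshclam_text, expected_port=3310):
    """Findings for a clamd that should only serve a mail server on the same host."""
    clamd, fresh = parse_conf(clamd_text), parse_conf(freshclam_text)
    findings = []
    if clamd.get("TCPSocket") != str(expected_port):
        findings.append(f"TCPSocket is {clamd.get('TCPSocket')}, expected {expected_port}")
    addr = clamd.get("TCPAddr")
    if addr is None:
        # clamd's protocol has no authentication, so the listener should stay local
        findings.append("TCPAddr not set: clamd binds to all interfaces")
    elif not is_loopback(addr):
        findings.append(f"TCPAddr {addr} is not a loopback address")
    fdb = fresh.get("DatabaseDirectory")
    if fdb and fdb.lower() != clamd.get("DatabaseDirectory", "").lower():
        # freshclam must download to the directory clamd loads signatures from
        findings.append("freshclam.conf and clamd.conf DatabaseDirectory differ")
    return findings

# Sample files: the lines quoted in the post above.
POSTED_CLAMD = r'''TCPSocket 3310
MaxThreads 2
LogFile "C:\Program Files\ClamAV\clamd.log"
DatabaseDirectory "C:\Program Files\ClamAV\db"
'''
POSTED_FRESHCLAM = r'''DatabaseMirror database.clamav.net
DNSDatabaseInfo current.cvd.clamav.net
UpdateLogFile "C:\Program Files\ClamAV\freshclam.log"
'''
HARDENED_CLAMD = POSTED_CLAMD + "TCPAddr 127.0.0.1\n"  # assumption: local-only use
if __name__ == "__main__":
    print(audit(POSTED_CLAMD, POSTED_FRESHCLAM), audit(HARDENED_CLAMD, POSTED_FRESHCLAM))
```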

jimimaseye
Moderator
Posts: 8528
Joined: 2011-09-08 17:48

Re: using clamav on windows - seriously

Post by jimimaseye » 2015-02-27 10:57

FYI: viewtopic.php?f=21&t=26829

Simplified on the HOW TO.

In essence, install Clamwin as a product - it does all the work for you so no messing with Redistributables etc. - and then add the clamav service (as this gives the multithreading). Simples.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
