HOW TO run Clamwin and have a ClamAV system SERVICE

This section contains user-submitted tutorials.
jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-08-01 14:30

In the latest version of Hmailserver, it has both CLAMAV and CLAMWIN built-in integrated options.

Clamwin doesn't come as a service. ClamAV does, but it doesn't have a usable GUI like Clamwin, such as a system tray, on-demand Scan in the Context Menu and a quarantine program.

This procedure details how to easily use Clamwin for its prettiness, but as a service like ClamAV... easily. Running as a service provides the ability to pass threads to it on port 3310. As it is multithreaded, it is therefore lower on system resources and faster.

BENEFITS

An example to demonstrate the benefits:
Using the Hmailserver TEST button, the time taken to respond with result:
Clamwin (if chosen as the preferred antivirus option) = 20 seconds (visible CPU increased to 24% in the system's taskmanager monitor)
ClamAV service = 5 seconds (and no visible CPU increase).

I then tried the tests again but by launching THREE tests all at the same time and they all performed in line with the above tests (all clamav service returned 5 secs and no CPU; clamwin sent CPU to 70-odd percent with 3 separate processes being launched).

CONCLUSION

A LOT quicker for mail scanning and with less system resources. A high usage system will crumble using Clamwin alone.

HOW TO IMPLEMENT

You will need:

A, the installation set of Clamwin (if you haven't already done it) from clamwin.com and
B, the ported Zip file of "clamav-win32-A.BB.c.7Z" from http://oss.netfarm.it/clamav/ "[Download Binaries]" section (which is an unofficial windows port of Clamav, used to create Clamwin, where A.BB.c is the version number). We need this Zip as we are going to use 2 files from it. Get it from the "Current Stable" under [Download Binaries] and ensure the version number matches the same version of Clamwin.
C, To read the whole of this post for further information on making Clam actually effective (with the use of 3rd party definitions).

BEFORE BEGINNING: It is important to ensure that Clamwin (A) and the Clamd port (B) are of the same version. i.e., "v0.99" clamwin is not the same as "v0.98.7" clamd.

If not, then you will have to abort this procedure until they do become the same version (or contact someone here to see if they have copies of versions that do match :wink: . Read this full thread for possible contributions where matching versions have already been posted. eg Page 3: viewtopic.php?p=204122#p204122)

PROCEDURE

1, Install Clamwin ((A) above). Run it, be happy. (I will assume all default file locations for the sake of this instruction*).
2, Open the 7Z zip file (downloaded from netfarm (B) above) and extract CLAMD.EXE and CLAMD.CONF.
3, Copy those 2 files into the Clamwin program directory (usually: %ProgramFiles(x86)%\ClamWin\bin\)*
4, With a text editor (eg notepad) edit CLAMD.CONF and change the following 2 lines (leaving the other lines alone):

LogFile C:\Program Files (x86)\ClamWin\bin\clamd.log
DatabaseDirectory C:\ProgramData\.clamwin\db


(Note: the above reflects default locations and is the representation for ENGLISH language operating systems. You should reword the program directory to reflect your OS language. You can place the log file where you wish, and the 'DatabaseDirectory' must reflect your existing Clamwin DB directory - refer to clamwin.conf locations if unsure whether you have changed it or not).

5, From command line (CMD), cd to the program directory %ProgramFiles(x86)%\ClamWin\bin* and run:
clamd.exe --install

This installs the service called "ClamWin Free Antivirus Scanner Service" running clamd.exe

*Usually the DEFAULT location for installation is %ProgramFiles(x86)%\ClamWin\bin\ (with anecdotal evidence it might be %ProgramFiles%\ClamWin\bin\ for Win8+). If you choose to change from it then ensure you change the CONF files and placement of ClamD.exe consistent with your choice.

6, Go to windows SERVICES ('services.msc') and search for the service, right click and Properties of the service, and change it to

Startup Type = AUTOMATIC.

You may then click START to run the service.

7, In Hmailserver - Settings - Antivirus, Choose ClamAV as the selected antivirus option (do not enable 'Clamwin'!).

8, In Hmailserver - Settings - Antivirus, GENERAL tab, enter 26214 for 'Maximum Message Size To Scan' **

** By default Clamd service will allow an upper limit of 25MB for each mail message being passed to it. If it receives an email message from HMS larger than this (26,214,400 bytes) then HMS will error in this event. 26214 is the HMS equivalent in KB and prevents this scenario (25*1048576/1000). If you wish to lower this File scan size limit in Clamd, then modify CLAMD.CONF (in (4) above) and add the following line:

StreamMaxLength 20M

where '20M' means 20MB ('18M' would be 18MB etc). The same value should then be set in HMS by changing from 26214 to the new rounded down value calculated thus:
  • value (M) * 1048576 / 1000
Done.

(The definition database update that gets performed by Clamwin scheduler (in Preferences) will get loaded and included into the Clamd service within 10 minutes due to the service automatically checking the database for changes every 600 seconds and reloading it if changes are found).

For UPDATING your existing installation, see the foot of this post "UPDATING VERSIONS OF CLAMWIN/CLAMD"


Hope you find this useful.


Now for a gripe (don't worry, I still advocate using the service, but do read on......)
I performed a test of the system with REAL email viruses recently proliferating around the net. It took me ages, though, to find a virus that Clam recognises - I tried 3 different ones that came in over the last 10 days and none were recognised. I had to go back 3 weeks before I found one with a definition Clam knew about. It kind of makes me wonder really how effective Clam is. 3 weeks before getting updated effective definitions is ridiculous (especially considering the effectiveness of new viruses is in the first 36 hours, after which the proliferation usually drops and MOST antivirus definitions get updated to catch them. 36 hours, not 3 weeks!!)

My conclusion, the Clamd service with Clamwin does work as we want it to and is quick.....but overall Clam simply is pants for stopping REAL threat viruses. So why bother?!

EDIT: HOWEVER....

18 months after writing the above installation and then denouncing the worthiness of Clam, I now have an update that makes all this worthwhile and Clamwin+clamd a viable option. I recommend you now implement Sane Security 3rd party definitions - read and action against this post below: viewtopic.php?p=180258#p180258. Consequently I stand by and recommend this as a solution. (More information on Memory Usage of Clam + 3rd party definitions can be found here: http://lists.clamav.net/pipermail/clama ... 03903.html)

I will advise, however, to exercise caution if using the on-demand or Scheduled Scans feature with Clam/Clamwin. Experience shows me that Clamwin is unreliable in its default definitions, not only being unproductive against actual threats, but also having an extremely (sometimes infeasibly) high level of false positives. Recently, I and many other users had their windows servers effectively disabled overnight due to a signature that effectively quarantined (deleted) a vast amount of genuine windows DLLs during an overnight scan, including removing Hmailserver program/DLLs and its own clamwin DLLs! :roll: (More info: http://forums.clamwin.com/viewtopic.php?p=18970#18970 and http://forums.clamwin.com/viewtopic.php?t=4371).

MY ADVICE: If you choose to perform on-demand or periodical scans of your disks using Clamwin, I urge you to modify the configuration window ('Clamwin Preferences - General) to ensure you have:
  • "Infected Files" set to "Report Only"
    "Unload Infected Programs From Memory" - UNTICKED
This will prevent false positives from wreaking havoc and will simply report it to you for you to take manual action where you think it is necessary. (There is more chance for a False Positive being identified on your Hmailserver server (I would say GUARANTEED) than a real threat actually in the process of execution/memory.) Note: These settings will not affect the role of Clamwin/ClamD as your Hmailserver email antivirus checker.


UPDATING VERSIONS OF CLAMWIN/CLAMD

Both Clamwin and Clamd need to be at the same version. (eg both at v0.99 or whatever is available at the time). When a new version of Clamwin is released, and the Clamd equivalent version is also available to match, then the following upgrade procedure should be followed:

1, Disable ANTIVIRUS scanning within hmailserver

then as privileged ADMINISTRATOR cmd:

2, type "net stop clamd" (this stops the Clamd service)
3, type "sc delete clamd" (this deletes the existing clamd service)
4, run the install of the latest Clamwin over the top of current installation and reboot if prompted.
TIP: As you are upgrading you may wish to download the program only without the database signatures (8MB instead of 120MB). You can obtain this (and the full included version) from its development page (look for the clamwin-0.9x.x-setup-nodb.exe version) at https://sourceforge.net/projects/clamwin/files/clamwin/

5, Copy over the new Clamd.exe (only) from the http://oss.netfarm.it/clamav/ site (as per installation instructions above in "PROCEDURE" (2) and (3) )
6, Run the "Clamd --install" command (as per instructions above)
7, reset the service (modify the startup options etc) and restart the Clamd service and re-enable Antivirus in HMS and test (as per instructions above)

That should do you.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
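An added example, not part of jimimaseye's post nor code from the Clamwin or ClamAV projects: a small Python client for the clamd service the procedure sets up. It exercises the two things the post relies on, the TCP listener on port 3310 (PING as a service health check, INSTREAM to stream a message body the way HMS does) and the StreamMaxLength to 'Maximum Message Size To Scan' arithmetic behind step 8. Host and port default to 127.0.0.1:3310 (an assumption matching the post's default); the stub daemon, its marker string and its size limit are constructed so the block runs offline, and `STUB_SIGNATURE` is not a real signature.

```python
import socket
import socketserver
import struct
import threading

CLAMD_HOST, CLAMD_PORT = "127.0.0.1", 3310  # clamd default named in the post
STUB_SIGNATURE = b"FORUM-EXAMPLE-TEST-MARKER"  # constructed marker, not a real signature


def hms_max_scan_kb(stream_max_mb):
    """HMS 'Maximum Message Size To Scan' (KB) for a StreamMaxLength of N megabytes:
    value(M) * 1048576 / 1000 rounded down, as the post computes 26214 for 25M."""
    return stream_max_mb * 1048576 // 1000


def build_instream_frames(data, chunk_size=4096):
    """clamd INSTREAM format (newline-terminated 'n' command): 'nINSTREAM\\n', then
    [4-byte big-endian length][chunk] repeated, terminated by a zero-length chunk."""
    frames = bytearray(b"nINSTREAM\n")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        frames += struct.pack(">I", len(chunk)) + chunk
    return bytes(frames + struct.pack(">I", 0))


def parse_reply(reply):
    """Classify a clamd reply as ('OK'|'FOUND'|'ERROR', detail).
    An oversized stream is reported as '... ERROR', the failure step 8 avoids."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        return ("FOUND", text[:-len(" FOUND")].split(": ", 1)[-1])
    if text.endswith(" ERROR"):
        return ("ERROR", text)
    if text.endswith("OK"):
        return ("OK", "")
    return ("ERROR", "unexpected reply: " + text)


def _exchange(host, port, payload, timeout=10.0):
    """Send one command and read the newline-terminated reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        reply = b""
        while not reply.endswith(b"\n"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return reply


def clamd_ping(host=CLAMD_HOST, port=CLAMD_PORT):
    """Service health check: a live clamd answers nPING with PONG."""
    return _exchange(host, port, b"nPING\n") == b"PONG\n"


def scan_bytes(data, host=CLAMD_HOST, port=CLAMD_PORT):
    """Stream a message body to clamd, as HMS does, and return the verdict."""
    return parse_reply(_exchange(host, port, build_instream_frames(data)))


class _StubClamdHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for clamd so the block runs offline: answers nPING and
    nINSTREAM, enforces a StreamMaxLength and flags STUB_SIGNATURE. It drains the
    whole stream before replying so a rejected message never resets the client."""

    def handle(self):
        command = self.rfile.readline().strip()
        if command == b"nPING":
            self.wfile.write(b"PONG\n")
            return
        received, exceeded = bytearray(), False
        while True:
            header = self.rfile.read(4)
            if len(header) < 4:
                break
            (length,) = struct.unpack(">I", header)
            if length == 0:
                break
            received += self.rfile.read(length)
            exceeded = exceeded or len(received) > self.server.stream_max_length
        if exceeded:
            self.wfile.write(b"INSTREAM size limit exceeded. ERROR\n")
        elif STUB_SIGNATURE in received:
            self.wfile.write(b"stream: Stub.Test.Marker FOUND\n")
        else:
            self.wfile.write(b"stream: OK\n")


def start_stub(stream_max_length):
    """Run the stub on an ephemeral loopback port in a background thread."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _StubClamdHandler)
    server.daemon_threads = True
    server.stream_max_length = stream_max_length  # bytes, like StreamMaxLength
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

Against a real service, `clamd_ping()` with the defaults is a cheap check to run after the service start in step 6 or after the upgrade procedure, and `scan_bytes(message_bytes)` returns `("ERROR", ...)` for a message larger than clamd's StreamMaxLength, which is the condition step 8 and `hms_max_scan_kb()` keep HMS from triggering. To try the offline stub, call `start_stub(64)`, read `host, port` from its `server_address`, and pass them to the two client functions.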

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-08-01 14:52

good work.
Where are you downloading the latest virus definitions from? Here http://www.clamav.net/lang/en/ or somewhere else?

Why bother? I don't, I use Microsoft Security Essentials which updates when/if there is a new virus definitions file. I figure MS will be pretty proactive in keeping it current but I could be wrong. And it doesn't put any kind of load on my PC as far as I can tell. Runs in real time for PC protection and as external virus scanner for email. Piece of cake.


"c:\program files\Microsoft Security Client\MpCmdRun.exe" -Scan -ScanType 3 -File "%FILE%" -DisableRemediation
Check for Return code 2

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-08-01 15:35

For the record and completeness:

The signatures are updated via the Clamwin scheduler (as standard install). The problem as identified is that the quality (not the frequency) of the updates is inadequate.

This thread still stands for those that wish to use the Clam route.

Personally, I might try your MSE route. I was always keen to have something that works well, free, without killing my server and is easy to integrate into hmailserver (ie, know the scanning command line) and yet doesn't breach any 'can't use for commercial use' clause. Does MSE satisfy this?

(You might be interested to see what a seasoned Clamwin supporter, helper and moderator says about it on their website where I posted the similar instructions above: http://forums.clamwin.com/viewtopic.php?p=17645#17645). It might surprise you.

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-08-01 15:59

MSE is free for download and usage.

Windows 7 came with Windows Defender but MSE is better and you should disable Defender and install MSE.

Windows 8 has changed the name of MSE back to Defender (that is, MSE on W7 is same as Defender on W8).

I don't know what MS Server Oses come with or use. I use Windows 7 currently.

The thing is that if you read much of what is written on the web you will find that MSE gets a bad rap. However, if you look at the tests it gets 5 stars for virus detection of malware/viruses. It's all the other associated crap it isn't so good at. But frankly I don't give a monkeys about all the other bloat that comes with AV software trying to out freak everyone with WMD like brain washing.

MS play it down saying it's just "baseline" protection so that all the other AV companies don't cry foul and sue MS for monopolising and putting them out of business.

SorenR
Senior user
Posts: 2520
Joined: 2006-08-21 15:38
Location: Denmark

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by SorenR » 2014-08-01 16:26

Not sure I want to put my money on Microsoft either ;-)

[image]

http://www.av-comparatives.org/wp-conte ... 14a_en.pdf
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-08-01 17:21

you can waste a lot of time on this nonsense.

Good AV software will detect and delete/quarantine a Virus at point of entry and prevent it from doing anything.

We are talking about email here so what you need is something that detects and allows hmail to delete the mail before it can do anything.

See http://uk.pcmag.com/security-reviews/81 ... s-for-2014

MSE gets 5 stars for detection and nothing for protection. So what's the difference between detection and protection? Well it's all the other crap that these packages contain. IF MSE can detect it then hmail will reject/delete it.

We can trade opinions and statistics all year on which is the "Best" but neither of us or anyone else has the faintest idea whether any of the statistics produced are pure bull or reliable. But bear in mind they are ALL about influencing buying decisions which is why they all don't like MSE. It's FREE and IMO all OSes should come with built in virus protection. Plain common sense and ALL the third party companies would be very fearful of trying to sue MS for including very good AV with its operating systems because their argument would have to be that MS should NOT be allowed to protect its customers from Viruses. So we have to play stupid games with third party vendors slating MS for being insecure and now whining about it when they provide protection. So now let's continue to say MS protection is no good because we want to sell our software which is bloatware and probably no better IMO. That's why they all claim MSE is baseline and tell us how much better their software is. Baseline to me means can detect a virus and delete or quarantine it. MSE does that.

If you want something that cleans up infected machines then MSE is crap but that isn't what email server virus protection requires. It just needs to stop incoming virus which I believe MSE will do quite adequately.

SorenR
Senior user
Posts: 2520
Joined: 2006-08-21 15:38
Location: Denmark

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by SorenR » 2014-08-01 17:51

percepts wrote:you can waste a lot of time on this nonsense.
True...

I'm going to give MSE a shot, it can't get any worse than clamav. My client AV protection catches about 500% more "problems" than clamav, may they be PUPs or viruses...

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-08-01 18:05

Let me tell you the experience of my past hour (stay with me)....

I went out to the shops for an hour since reading Percepts' comment on using MSE. But whilst I was driving back, something hit me (not literally)... I regularly see 'Windows Defender' updates coming in to my Windows Server 2008 R2 (running my HMS) and suddenly it dawned on me that maybe it's ACTUALLY running on the box already. But how can it be? I mean, I was doing loads of virus testing on it this morning (sending viruses, opening Zip files, emailing them etc) and not once did I hit a restriction. So I just checked. And you know what? It IS running on my box! :shock: And yet, despite all the 'near the knuckle' testing I did this morning with old viruses (3 weeks old) and recent viruses, it didn't stop me once! I even did a forced custom scan on the folder containing the viruses. Even Clamwin recognised one of them! And I've ruled that useless already. So what does this make Windows Defender? (Just to confirm, I just did all the testing again by making sure the Windows Defender options are all enabled (archive, heuristics etc etc)).

A few months ago I looked into AV software for our PC's and looked at many different 'reviews' from so-called independent tests (similar to the one Soren posted). One thing that stood out on most of them was that Bitdefender was also within the top 2 or 3. So I went for that. As for where Microsoft came, well, that depended on who was doing the testing it seems, because its positioning varied widely (some tests put it extremely high and reliable, others put it like the post Soren showed).

I have decided: as I am the only one dealing on the server, and I consider myself cute enough to not open links or go to hooky websites without checking first, I'm not going to fuss any more about the efficacy of the server AV solution. HMS does a good job of stripping dodgy extensions, and if anything else gets through, and happens to get clicked as well (bearing in mind my users have been educated in the hazards), they all now have Bitdefender on their machines. And if the virus is that new that it even gets past that (which is possible - I think all new viruses have the highest success rate as soon as they're released due to no definitions being supplied) then bugger. Maybe I shouldn't have gotten out of bed. Frankly there was nothing I could have done anyway even if there was the top AV solution on the server.

So I'll leave windows defender running (for whatever benefit that gives?!) and leave the clamwin service going. Harmless, even if useless.


EDIT: I was typing this before I saw Sorens last post. How interesting.

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-08-01 18:17

You should never have two AV systems running on one machine. They will very likely conflict.

So was/is defender set to exclude hmailserver/data folder when you did your tests ?

I assume your tests were email tests. If it was excluding the hmailserver/data folder then obviously it would NOT pick up the viruses coming in on email. If it wasn't excluding them then it quite possibly has been deleting eml files and leaving entries in your DB since whenever you have had it running.

And how often have you updated the defender virus definitions? Did you do that before running your tests?

AND

note that many senders of viruses will be in DNS Blacklists so spamassassin will kick them out if you let it do external dns lookups.

AND

I wonder how many servers, ISPs and routers reject/delete virus email without telling anyone.
Last edited by percepts on 2014-08-01 18:22, edited 2 times in total.

SorenR
Senior user
Posts: 2520
Joined: 2006-08-21 15:38
Location: Denmark

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by SorenR » 2014-08-01 18:18

jimimaseye wrote:EDIT: I was typing this before I saw Sorens last post. How interesting.
Yeah... A friend of mine from Audi club Denmark is Sales Director Europe at BitDefender... I suspect the topic of our next chat is given already :mrgreen:

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-08-01 18:31

I'm aware of the 2 AV simultaneous problem, but that doesn't apply here. Reasons:

a, I only have ONE (supposedly!) 'realtime' protection running, and that is Defender
b, Clam is called upon ONLY by HMS when it passes a mail to it for checking and it has proven to detect (so the Defender can't be interfering here).

As it happens, the test I did for Defender, as I said, was purely to do a forced custom scan on a particular folder containing viruses and nothing to do with Hmailserver or clam. See screen shot.

The windows defender updates come in every day (in the microsoft automatic updates.) And I think a virus that was released 3 weeks ago, and has even been identified by Clam, is very worthy of also being detected by Defender.

These 2 viruses made it through the internet, into my domain host's mail system, through their SMTP servers and my router (when POP'd), past Windows Defender and only got noticed when Hmailserver stripped them off the email due to being a Zip file.

Percepts, if you want me to send them to you for testing then just let me know. :-) (I have a repository you can pick them up from if you want). Or I could email them directly to you - see if your system detects them.
Attachment: WDScanResults.png
Last edited by jimimaseye on 2014-08-01 18:41, edited 1 time in total.

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-08-01 18:39

SorenR wrote:
jimimaseye wrote:EDIT: I was typing this before I saw Sorens last post. How interesting.
Yeah... A friend of mine from Audi club Denmark is Sales Director Europe at BitDefender... I suspect the topic of our next chat is given already :mrgreen:
Send him my address if he fancies gifting me a free license for the server (as reward for promoting.). ;-)

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-08-01 19:00

I would rather keep viruses off my machine thanks.

AND

viruses have to be executable and as you have noted, your attachment blocker will deal with the vast majority of those.

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-08-01 19:05

Indeed they do. (I more or less implied that earlier in my post).
HMS does a good job of stripping dodgy extensions, and if anything else gets through, and happens to get clicked as well (bearing in mind my users have been educated in the hazards), they all now have Bitdefender on their machines.
Keeping it off your machine, I understand. No worries. (They are Zip files though, not executable, and of course surely would have been picked up by your MSE anyway. Wouldn't they? Or......) :?

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-08-01 19:26

:P :P :P :P :P :P :P :P
"APPLICATION" 3732 "2014-08-01 18:17:17.237" "SMTPDeliverer - Message 15: Delivering message from fromyou@yahoo.com to me@mydomain.com. File: c:\program files (x86)\hMailServer\Data\{9024FEA4-221D-462B-95D4-D875B293534E}.eml"
"APPLICATION" 3732 "2014-08-01 18:17:17.346" "SMTPDeliverer - Message 15: Message deleted (contained virus Unknown)."
"APPLICATION" 3732 "2014-08-01 18:17:17.346" "SMTPDeliverer - Message 16: Delivering message from to me@mydomain.com File: c:\program files (x86)\hMailServer\Data\{39C14355-4D2B-47E5-A9EE-FEF74CE844AA}.eml"
"APPLICATION" 3732 "2014-08-01 18:17:17.393" "SMTPDeliverer - Message 16: Message delivery thread completed."
And mailer-daemon notification I got
The message below contained a virus and did not
reach some or all of the intended recipients.

From: jimimaseye <fromyou@yahoo.com>
To: me@mydomain.com
Sent: Fri, 01 Aug 2014 19:15:56 +0200
Subject: example files as discussed.

hMailServer
And spamassassin timed out and gave return code 0 so reject was by MSE latest version with latest definitions file.

Have you told Defender to scan inside archive files ?
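percepts' log excerpt above shows what an external-scanner rejection looks like in the hMailServer APPLICATION log: a "Delivering message" line followed by a "Message deleted (contained virus ...)" line carrying the same message number. As an added example, not part of any post in this thread, here is a small Python parser that correlates those two records by message number so rejections can be listed and counted per sender. The sample log is constructed for the example (its addresses, GUIDs and timestamps are made up); the field layout follows the lines quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample modelled on the hMailServer APPLICATION log lines quoted in the
# thread; the addresses, GUIDs and timestamps are made up for this example.
SAMPLE_LOG = r'''"APPLICATION" 3732 "2014-08-01 18:17:17.237" "SMTPDeliverer - Message 15: Delivering message from fromyou@example.com to me@example.net. File: c:\program files (x86)\hMailServer\Data\{CONSTRUCTED-0001}.eml"
"APPLICATION" 3732 "2014-08-01 18:17:17.346" "SMTPDeliverer - Message 15: Message deleted (contained virus Unknown)."
"APPLICATION" 3732 "2014-08-01 18:17:17.346" "SMTPDeliverer - Message 16: Delivering message from to me@example.net File: c:\program files (x86)\hMailServer\Data\{CONSTRUCTED-0002}.eml"
"APPLICATION" 3732 "2014-08-01 18:17:17.393" "SMTPDeliverer - Message 16: Message delivery thread completed."
"APPLICATION" 3732 "2014-08-01 18:20:02.001" "SMTPDeliverer - Message 17: Delivering message from news@example.org to me@example.net. File: c:\program files (x86)\hMailServer\Data\{CONSTRUCTED-0003}.eml"
"APPLICATION" 3732 "2014-08-01 18:20:02.050" "SMTPDeliverer - Message 17: Message delivery thread completed."
'''

# Outer record: "FACILITY" pid "timestamp" "message"
LINE_RE = re.compile(r'^"(?P<facility>[A-Z]+)" (?P<pid>\d+) "(?P<ts>[^"]+)" "(?P<msg>.*)"$')
# Delivery start; the sender is empty for bounces ("from to me@..."), hence \S*? and \s*.
DELIVER_RE = re.compile(
    r"^SMTPDeliverer - Message (?P<id>\d+): Delivering message from (?P<sender>\S*?)\s*to "
    r"(?P<rcpt>\S+?)\.? File: (?P<file>.*)$")
# Rejection by the external scanner; the scanner's name for the threat is captured.
VIRUS_RE = re.compile(
    r"^SMTPDeliverer - Message (?P<id>\d+): Message deleted \(contained virus (?P<virus>.*)\)\.$")


def parse_line(line):
    """Split one APPLICATION log record into its fields, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def virus_rejections(log_text):
    """Correlate 'Delivering message' and 'Message deleted (contained virus ...)'
    records by hMailServer message number; return one dict per rejected message."""
    pending, rejected = {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        d = DELIVER_RE.match(rec["msg"])
        if d:
            pending[d["id"]] = {"message": d["id"], "started": rec["ts"],
                                "sender": d["sender"] or "<>", "recipient": d["rcpt"],
                                "file": d["file"]}
            continue
        v = VIRUS_RE.match(rec["msg"])
        if v:
            # A deletion whose delivery line is missing (e.g. log rotation) is still reported.
            entry = pending.pop(v["id"], {"message": v["id"], "sender": "?",
                                          "recipient": "?", "file": "?"})
            entry.update(virus=v["virus"], deleted_at=rec["ts"])
            rejected.append(entry)
    return rejected


def rejections_by_sender(log_text):
    """Count rejected messages per envelope sender, a quick view for a daily report."""
    return Counter(r["sender"] for r in virus_rejections(log_text))
```

Feed `virus_rejections()` the text of a day's hMailServer log to get the sender, recipient, spool file and scanner verdict for every message the antivirus hook deleted; `rejections_by_sender()` collapses that to a per-sender count, which is a simple way to spot a burst of rejected mail from one source.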

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-08-01 19:39

Yep. (see screen shot). (And although not showing, there are NO items in the 'exclude' list)

I stand bemused.
Attachment: WDOptions.png

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-08-01 19:45

upgrade defender to latest version for your OS

MSE is on version 4.5.x now

I think defender on MS Servers may be 6.5 or higher, not sure about that.

and then update the definitions file, making sure the green button for virus and spyware definitions says up to date after the download and install of the definitions file.

AND

if defender on your version has a command line executable, untick scan email (as shown in your screenshot) and put the command line scanner into hmail so that hmail deals with it.

None of your email will be scanned as it is now if you are excluding hmailserver/data folder ( I think )

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-08-01 20:01

ALSO

defender on windows server is known as being basic. They want you to pay for their more advanced protection since you are using an enterprise level OS

MSE doesn't run on windows servers (apparently) although I did see one person say they got it to run. However, since its running at low level OS I wouldn't trust it not to cause problems even if you did get it to install and start up.

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-08-01 20:05

I'm not actually excluding any folder at all on my system. None. I also have 'scan attachments' ticked as well (as you can see) but unticking it and forcing a command-line scan I don't think will make any difference. If a forced on-demand custom scan of a known virus isn't working, then I doubt passing a file from HMS will be any more successful. So yes, it's true none of my emails will be scanned now by Defender....on account it doesn't seem to be scanning full stop! (Emails only being done by Clam).

I will have to look into if or how the standard install of Defender can be made to work (it's a mystery why it isn't). MY OS is Windows Server 2008 R2 and it comes with it preinstalled.

I will research and if I find anything or conclude something then I will do you the courtesy and report it here for information.

"defender on windows server is known as being basic."

"BASIC", as defined by you earlier, means to just detect and prevent running (minimum) - no fancy 'clean up your system' required. As this isn't even 'detecting' a known virus, it doesn't even qualify as basic. (more of a squatter software 'wasting disk space').

SorenR
Senior user
Posts: 2520
Joined: 2006-08-21 15:38
Location: Denmark

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by SorenR » 2014-08-01 20:30

percepts wrote:ALSO

defender on windows server is known as being basic. They want you to pay for their more advanced protection since you are using an enterprise level OS

MSE doesn't run on windows servers (apparently) although I did see one person say they got it to run. However, since its running at low level OS I wouldn't trust it not to cause problems even if you did get it to install and start up.
[image]
:mrgreen:

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-08-01 20:33

And you haven't had any problems with it Soren ?

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-08-01 20:41

So jimimaseye, you could try uninstalling defender and installing MSE and it might work (or might not). You can but try I guess and see how it goes.

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-08-01 20:45

This is a lost cause!


C:\Program Files\Windows Defender>MpCmdRun.exe -Scan -ScanType 0 -File "D:\DecroData\ACCESS tests\!!! VIRUSES !!! for submitting\Incident_6256120.zip"

C:\Program Files\Windows Defender>echo %errorlevel%
0

C:\Program Files\Windows Defender>
(-scantype 3 doesn't exist for this version)

Taken from your command line parameter earlier, I ran the scan manually (instead of via the Defender GUI). The result is the same.

Nada!

MSE not allowed for Server Editions apparently. (I've looked)

SorenR
Senior user
Posts: 2520
Joined: 2006-08-21 15:38
Location: Denmark

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by SorenR » 2014-08-01 21:00

percepts wrote:And you haven't had any problems with it, Soren?
Nope... Installed just after my post about giving it a try... Googled MSE, found Microsoft, clicked download (32-bit Vista/Windows 7 version), ran the installer and told it to update.
I found your post about what to put in hMail, did that, test OK...

If I had known that there could be a problem, I would probably have been more observant... :wink:

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-08-01 21:08

jimimaseye wrote:This is a lost cause!

Code:

C:\Program Files\Windows Defender>MpCmdRun.exe -Scan -ScanType 0 -File "D:\DecroData\ACCESS tests\!!! VIRUSES !!! for submitting\Incident_6256120.zip"

C:\Program Files\Windows Defender>echo %errorlevel%
0

C:\Program Files\Windows Defender>
(-ScanType 3 doesn't exist for this version)

Taken from your command line parameter earlier, I ran the scan manually (instead of via the Defender GUI). The result is the same.

Nada!

MSE not allowed for Server Editions apparently. (I've looked)
Start a Windows command prompt and change directory to

C:\Program Files\Windows Defender\

then type in

MpCmdRun /?

and you should see the options available.
Last edited by percepts on 2014-08-01 21:12, edited 1 time in total.

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-08-01 21:12

SorenR wrote:
percepts wrote:And you haven't had any problems with it, Soren?
Nope... Installed just after my post about giving it a try... Googled MSE, found Microsoft, clicked download (32-bit Vista/Windows 7 version), ran the installer and told it to update.
I found your post about what to put in hMail, did that, test OK...

If I had known that there could be a problem, I would probably have been more observant... :wink:
I'm sure this virus software is essentially the same on all MS OS versions BUT, as I say, because it operates at a low system level there may be differences. On the other hand it may just be MS saying you can't have it free if you are using enterprise level server software.

Let us know how it works for you.

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-08-01 21:58

I had already done the /? parameter check when I ran it (that's how I knew type 3 didn't exist). For your info:

Code:

-Scan [-ScanType]

        0  Default, according to your configuration
        1  Quick scan
        2  Full system scan

   -Trace [-Grouping value] [-Level value]
        Begins tracing Windows Defender's actions.
        You can specify the components for which tracing is enabled and
        how much information is recorded.
        If no component is specified, all the components will be logged.
        If no level is specified, the Error, Warning and Informational levels
        will be logged. The data will be stored in the support directory
        as a file having the current timestamp in its name and bearing
        the extension BIN.

        [-Grouping]
        0x1    Service
        0x2    Malware Protection Engine
        0x4    User Interface
        0x8    Real-Time Protection
        0x10   Scheduled actions

        [-Level]
        0x1    Errors
        0x2    Warnings
        0x4    Informational messages
        0x8    Function calls
        0x10   Verbose

   -GetFiles
        Gathers the following log files and packages them together in a 
        compressed file in the support directory

        - Any trace files from Windows Defender
        - The Windows Update history log
        - All WinDefend or WinDefendRtp events from the 
          System and Application event log
        - All relevant Windows Defender registry locations
        - The log file of this tool
        - The log file of the signature update helper tool

   -RemoveDefinitions
        Restores the last set of signature definitions

        [-All]
        Removes any installed signature and engine files.Use this 
        option if you have difficulties trying to update signatures.

   -RestoreDefaults
        Resets all configuration options to their default values; this is the 
        equivalent of running Windows Defender setup
        unattended.
Seems a lot fewer options than perhaps you have. Not even a 'file' option, suggesting that maybe individual file scanning is not possible. :?: (I'm guessing you have 'ScanType 3 - File and directory custom scan'.)

Soren: what OS are you installing it on?

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-08-01 22:09

Yes, there is an option 3 as you guess, i.e. custom file scan with option for no remediation.

Soren's screenshot shows Windows Server 2003 R2.

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-08-01 22:12

Oops. I missed that post or screenshot. I see it now.

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-08-01 22:25

Security Essentials doesn't provide options for email or attachments in the way your version of Defender does.

It just appears to treat all files the same except for archive type files (zip etc) which it will look inside of.

So anything getting written to disk (and probably memory too but there is nothing said about it) gets scanned.

How would Defender know what is email unless it's aware of your email program being an email program and the file type it's using? Maybe it tracks by protocol.

Have you upgraded it to the most recent version?

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-08-01 22:49

Ok first, my thoughts on what I have researched (before I reply directly to your post):

It seems CATEGORICALLY that MSE is not *supported* on any edition of Server: that means, at a push, you might get it to load and it SEEMS ok and you think it's doing its job, but there is no guarantee the software is actually performing fully and providing 100% of its intended operation (and some say it would be foolish to assume your server is protected by a product that hasn't been designed or certified for it or, in fact, moreover, has been certified NOT to be for it. I guess this is like putting farmyard red diesel in your car and saying it's diesel, it goes in the hole the same, and the engine sounds like it's running alright so therefore it must be ok. In reality, you don't know what damage it is doing to your high-performance Audi engine.) Secondly they say that actually loading and running MSE on Server in a commercial environment is also a breach of license rules (basically, MS say NO YOU CAN'T! - even if you think you can). (That's like Daddy telling Mummy "No! I forbid you to put red diesel in the Audi! It ain't right and I will not allow it.")

So I am not sure I want to use it. It's true it MIGHT well work fine, but I also need to keep legal for the sake of the business. And breaching that license just isn't cricket.

Percepts: How does it know it's an email? It probably doesn't. My experience is that when MS talk about 'emails' they really mean MS Exchange traffic. Anything else would just be 'a file' that has been passed to it by some other calling procedure (in our case the HMS AV parser). I might be a little mean there on MS, maybe they have lightened up a little bit and do things properly (using MIME or mail protocol recognition). But I doubt it. :twisted:

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-08-01 23:01

How many users do you have on your server and what volume of email do you have in and out each day on average?

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-08-01 23:09

I think the simple solution would be to do your research on what's available and how up to date it keeps its definitions, and buy it. My bet is that MS is as good if not better than most AV companies at doing that, i.e. just buy whatever the current MS security system is for your server OS. Job's a good 'un.

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-08-01 23:21

We have about 12 staff and about 60 incoming emails a day (and as many out again) - but it really depends if you want to count how many times one of our users is being asked to Verify His iTunes Account every day. :) It's a small business but the email system is the key to the office running (all enquiries, orders and dealings are by email only).

Of course I could simply have bought another license of my chosen solution (used by the PCs), Bitdefender. But this whole thing started when I was looking for a free solution (hence the Clamwin). It's only really been today that such in-depth analysis of its effectiveness, or any other solution's effectiveness, is being questioned - it wasn't really about money. So the whole thing has gone from "it's about money" to "it's about effectiveness and not the money" to "it's about effectiveness at the right cost".

So, for me: to buy or not to buy. That is the question. I could stay with free ClamAV knowing it isn't catching any real threats as they are released to the world (for the first 3 weeks) or I could pay for proven top performing Bitdefender...knowing it isn't going to catch any real threats as they would have just been released and it still won't have any working definitions for a day or two (by which time the proliferation of the threat would have reduced to nothing.)

But it was a good thread though, eh, chaps. :-D

SorenR
Senior user
Posts: 2520
Joined: 2006-08-21 15:38
Location: Denmark

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by SorenR » 2014-08-01 23:37

jimimaseye...

My server is for my home, ergo not commercial...
It catches the Eicar virus in an e-mail...

I've been in the Telco/ISP/VoIP business almost 30 years - technical stuff - I've seen how things can go wrong - terribly wrong - like 5 minutes downtime on a server rating close to 1.000.000 VoIP tickets per minute due to a misconfigured index on an Oracle database - Scary!!

Oh and engines... I sold my Audi S4 2.7 Twin Turbo Stage I last year - 290.000 km on 3 sets of turbos (3 x 2 turbos) - but it was fun while it lasted 8) - I still have my "slightly tweaked" 1982 Audi Quattro though :wink:

Oh, anyone driving on diesel is a wuss :mrgreen:

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-08-01 23:57

You could always downgrade to Windows 7/8 and run MSE, since email usage is very light :mrgreen:

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-08-01 23:58

SorenR wrote:Oh, anyone driving on diesel is a wuss :mrgreen:
Back off, I drive a Defender 90 :evil:

( that's a Land Rover Defender not Microsoft Defender :lol: )

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-08-02 00:22

The server AS A server was bought for a reason (instead of buying just a PC with Win7 on). It's server technology (so faster than a PC) and its role is to act as a server (login scripts, disk shares, printer server, storage mirroring etc - the usual 'being a server' stuff. And not to mention handling concurrent user and TCP connections, which PC versions of Windows have restricted). It isn't just for the email. And even with this 'light user' appearance of emails this server still takes a LONG time deleting thousands of emails (using an email client) (i.e. highlight 5000 emails, click delete) so heaven knows how long it would take a PC. And it came with Windows Server 2008 R2 preloaded (I chose the Foundation version rather than the other flavours as I thought the limits on the resource sharing would still be sufficient - so far so good. And Foundation allows 15 users but the next one up, Standard, you have to BUY user licenses in blocks of 5! (Let me think: Foundation with 15 for free, or Standard where I have to BUY 15 licenses to run it? Where's the sense?!)) Anyway, I digress....

I think the scale and effectiveness of the system in terms of size, OS, software chosen etc satisfy perfectly. Nothing over-stretched, nothing under-powered. And consequently the price was right. Our email usage is small compared to the corporation(s) I worked for that have 10's of thousands of users around the world but probably a lot more than, say, Percepts and his single user environment. It's all relative. (If my server system was too small to handle the demand then the quantity of emails would be considered too many. See what I'm saying? It's all relative.)

Soren: home use can't be denied by MS unless of course you class it as your business machine used in the duties of earning an income. Then it becomes classed as commercial. (I won't tell ;-) ) Of course this doesn't negate the question of its reliability IF we are to believe what MS say about it actually performing properly or not. (Personally I think it's ok).

Oh, I drive a humble Ford Focus. Diesel. The fuel costs are lower than petrol (where I live) and that's the only reason why. (Ooh look, I'm all about efficiency with a balance of value for money again).

Some say diesels are noisy. I find a good radio system fixes a myriad of noise-related problems in cars. ;-)

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-08-02 00:35

I always thought diesel is far more polluting than petrol. Its only benefit was that it's so much cheaper to produce since it's far less refined. But the UK govt being what it is, they have taxed it to or above the price of petrol. It used to be the case that on mainland Europe diesel was half the price of petrol. Don't know what the situation is now.

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-08-02 00:40

I'm a Brit, with a Brit car, living in mainland Europe. Here the diesel is about 11 cents a litre less than petrol. When I go back to England I will reconsider and re-evaluate the cost implications of running a diesel compared to petrol. (I'm not one for bothering about the pollution factor. But more how much it's costing to run. Each to their own.)

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-09-18 10:29

jimimaseye wrote:I performed a test of the system with REAL email viruses recently proliferating around the net. It took me ages, though, to find a virus that Clam recognises - I tried 3 different ones that came in over the last 10 days and none were recognised. I had to go back 3 weeks before I found one with a definition Clam knew about. It kind of makes me wonder really how effective Clam is. 3 weeks before getting updated effective definitions is ridiculous (especially considering the effectiveness of new viruses is in the first 36 hours, after which the proliferation usually drops and MOST antivirus definitions get updated to catch them. 36 hours, not 3 weeks!!!)

My conclusion, the spamd service with Clamwin does work as we want it to and is quick.....but overall Clam simply is pants for stopping REAL threat viruses. So why bother?!
On Tuesday 16th September, I received a confirmation notification from the CLAMAV virus team saying that they have finally added my submitted virus definition report for the 2 viruses quoted above that I tried testing with but had no definition - TEN WEEKS after submitting them for adding and first receiving the virus. And to confirm, the very next scan of my system finally found them (I had them stored on disk for referral) and quarantined them.

I will repeat, CLAMAV added the virus definition for a virus that was submitted to them for adding TEN WEEKS AFTER THE VIRUS had been released (and probably done its damage to the world's computers and since faded away again).

Conclusion: Clam works as an antivirus solution to new viruses...as long as you don't actually use your system for 3 months, giving it time to be updated (assuming you personally can be arsed to send it to them in the first place)...otherwise don't bother! Oh, and I have just scanned the same 2 files with my 'Windows Defender' as supplied by Windows Server 2008 R2 and that STILL doesn't recognise them.

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-09-24 20:59

Today a new virus was released. It got sent out at 2:30ish pm (my time).

I know this because the spambots had used an email address that points to our mail server. The USER part was invented by the spambot and isn't a REAL user in our domain but we do have a CATCHALL account set up. At 2:40pm I had a flood of undeliverable emails 'being returned' to this address from systems that had rejected the original email due to an unknown user or being deemed as risky. All emails had our address and the same invented user as the 'return path' (but all other sending servers and addresses were completely different).

From these undeliverable emails I was able to identify the attachment of the new virus, so at 15:40 I submitted it to:

AVIRA (for my home pc)
CLAMAV (for the server)
for them to identify and create a definition for it.

At 20:30 on the same day (4hr 50 mins later) I have received the acknowledgement from AVIRA that they have now created a definition against it. (I proved it by updating my PC, and then scanning the attachment and confirmed it is now identified).

I am now going to wait and see how long from today, 15:40 on 24th September, it takes before CLAMAV take my submitted report and include in their database. (My nightly system scan should identify it once updated).

(For your information, the attachment was called "contention_111924953056769_6STQZ57.rar", containing "contention_111924953056769_6STQZ57.exe", and Avira have now called it TR/Crypt.Xpack.89608 Trojan.)

jesyjes
New user
Posts: 1
Joined: 2014-12-18 21:09

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jesyjes » 2014-12-18 21:11

The newest version clamav-win32-0.98.4-2-gec232b6.7z doesn't include SPAMD.EXE and SPAMD.CONF. Could you please update the guide how to do it now?

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-12-18 21:27

jesyjes wrote:The newest version clamav-win32-0.98.4-2-gec232b6.7z doesn't include SPAMD.EXE and SPAMD.CONF. Could you please update the guide how to do it now?
I'm not surprised, and I'd be very surprised if it ever did. SPAMD.EXE and SPAMD.CONF are nothing to do with CLAM. They are part of SpamAssassin.

You'll find what you're looking for at:

viewtopic.php?f=7&t=26029&hilit=spamass ... ca#p165590

OR

maybe you are looking for CLAMD.EXE and CLAMD.CONF

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-12-18 22:18

Hi jesyjes

The answer you want is, obviously, that I have made a typo/mistake in my original write-up (a little bit of personalised auto-correction going on that I didn't spot).

Follow the original instructions but look for CLAMD (instead of 'spamd') in the point (2).

I am now currently running 0.98.4.1 so you shouldn't have any problems, hopefully.

(note: if you are upgrading from an existing installation of this service, you will still have to obtain the latest CLAMD again from http://oss.netfarm.it/clamav/ as per the original instructions)

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-12-20 15:54

(I have had the typo/mistake changed so now the original instruction should read correctly)

Frogger80
New user
Posts: 8
Joined: 2014-06-12 10:11

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by Frogger80 » 2014-12-31 13:19

Hello,
unfortunately my installation (ClamAV / ClamWin) does not seem to be working correctly.

I installed ClamWin and also ClamAV to scan viruses through hMailServer.
I have installed ClamWin first, then ClamAV (64-bit AMD version from oss.netfarm.it/clamav/). Both programs have access to C:\ProgramData\.clamwin\db.
My installation is similar to yours, i.e. the following post: viewtopic.php?f=8&t=25310&p=170262&hilit=clam#p170262

The hMailServer configuration is tested with ClamAV and ClamWin. Both detected viruses (Stream Detection) if you push the test button. As written in your first post, ClamAV is much faster and creates less CPU load.

After the setup I tried to send the EICAR test virus to my email address / hMailServer. As an example I tried with "http://www.heise.de/security/dienste/em ... ies/eicar/"
But the virus was not found by hMailServer / ClamAV or ClamWin. The logging shows no virus detection.

Any idea what's wrong or how I can begin to find the problem?

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-12-31 16:42

Frogger, I have not read or been involved in that other thread and its instructions. I wrote the installation procedure on THIS thread (first post) and proved that it is simple and it works. If you follow this then hopefully you will not have any problems. If you haven't followed my posting then I personally cannot advise and maybe you should ask your question on that other thread. If you HAVE followed my instructions then please advise and I will do a similar test to you.

Cheers.

EDIT:

I used that page (in German, thanks for that! :shock: ) to send a test email. After entering my email address I immediately received an email from them with something like "...you must click this link to have the test file sent to you" written in it. I then clicked the link which took me to another webpage saying something like "...we have sent you the file by email"....but as yet that 2nd email (with virus) has not been received. Are you sure that webpage/service is actually sending out the test email?

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2014-12-31 17:47

Frogger, I have just managed to get a test message from a web-provider containing the EICAR attachment.

The test needed BLOCK ATTACHMENTS turned off to do a true test of the AV (otherwise the zip file simply gets stripped anyway).

The attachment got blocked and the following was reported (due to being set as 'Delete Attachments' in my settings):
Virus found:
The attachment(s) of this message was removed since a virus was detected in at least one of them.

Hmailserver
You receive this email because you registered for the Byteplant Email Security Check.

This mail contains a harmless virus test file named "eicar.zip".

It should have been detected and deleted by your virus filter.
Find out more here on how to protect yourself against unwanted email attachments:
http://www.byteplant.com/cleanmail
I also got this in my log file:

Code:

"APPLICATION"	3992	"2014-12-31 15:42:53.359"	"SMTPDeliverer - Message 226722: Message attachments stripped (contained virus Eicar-Test-Signature)."
"APPLICATION"	3992	"2014-12-31 15:42:53.437"	"SMTPDeliverer - Message 226722: Message delivery thread completed."
So my ClamAV feature is working. (Remember in hMailServer it's 'ClamAV' that you need enabled and NOT 'Clamwin')

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by percepts » 2014-12-31 18:11

Just for future reference, you can send it to yourself from hMailServer so you don't need to test it from an outside service provider.

And you can put the eicar string in a .txt file so you don't have to mess with attachment block changes to test it.
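One way to run the self-test percepts describes without an outside provider, as an added example that is not code from this thread or from the hMailServer/ClamAV projects: a small Python client that streams the EICAR test file to the clamd service on port 3310 (the service the first post sets up) with clamd's INSTREAM command and interprets the verdict. Host, port and chunk size are assumptions you adjust to your installation.

```python
"""Hand the EICAR test file to a running clamd over TCP and read its verdict.

Added example; not hMailServer or ClamAV project code. Assumes clamd listens
on localhost:3310, the port the first post configures.
"""
import socket
import struct

CLAMD_HOST = "127.0.0.1"   # assumption: clamd on the same machine
CLAMD_PORT = 3310          # assumption: the TCP port from the first post

# Standard EICAR test string (68 bytes), assembled from two halves so this
# source file is not itself quarantined by a resident scanner.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")


def build_instream_request(data: bytes, chunk_size: int = 2048) -> bytes:
    """Frame `data` as a clamd INSTREAM request.

    Wire format: the command "zINSTREAM\\0", then chunks each prefixed with a
    4-byte big-endian length, then a zero-length chunk that ends the stream.
    """
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    parts = [b"zINSTREAM\0"]
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        parts.append(struct.pack(">I", len(chunk)) + chunk)
    parts.append(struct.pack(">I", 0))   # terminator
    return b"".join(parts)


def parse_clamd_reply(reply: bytes) -> tuple:
    """Turn a NUL-terminated clamd reply into (status, detail).

    "stream: Eicar-Test-Signature FOUND" -> ("FOUND", "Eicar-Test-Signature")
    "stream: OK"                         -> ("OK", None)
    "INSTREAM size limit exceeded. ERROR" -> ("ERROR", "INSTREAM size limit exceeded.")
    """
    text = reply.rstrip(b"\0\n").decode("utf-8", errors="replace")
    if text.endswith(" FOUND"):
        body = text[:-len(" FOUND")]
        signature = body.split(": ", 1)[1] if ": " in body else body
        return ("FOUND", signature)
    if text == "OK" or text.endswith(" OK"):
        return ("OK", None)
    if text.endswith(" ERROR"):
        return ("ERROR", text[:-len(" ERROR")])
    return ("UNKNOWN", text)


def scan_bytes(data: bytes, host: str = CLAMD_HOST, port: int = CLAMD_PORT,
               timeout: float = 30.0) -> tuple:
    """Stream `data` to clamd and return the parsed verdict (needs a live clamd)."""
    request = build_instream_request(data)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        reply = b""
        while not reply.endswith(b"\0"):   # replies to z-commands end in NUL
            piece = sock.recv(4096)
            if not piece:
                break
            reply += piece
    return parse_clamd_reply(reply)


if __name__ == "__main__":
    # Against a working service the EICAR stream comes back as FOUND with the
    # Eicar-Test-Signature name; a clean payload comes back as OK.
    print(scan_bytes(EICAR))
    print(scan_bytes(b"just some harmless text\n"))
```

Because the scan goes through clamd rather than hMailServer, a FOUND here with no matching line in the hMailServer log points at the hMailServer AV settings (or, as later in this thread, the per-account Anti Virus checkbox) rather than at the scanner.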

Frogger80
New user
Posts: 8
Joined: 2014-06-12 10:11

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by Frogger80 » 2015-01-02 11:15

Hello jimimaseye,
happy new year to you. Now it runs correctly.
It was my fault, because I am using hMailServer as a POP3 collector. So it was also necessary to activate the check box "Anti Virus" for each external account under Domains.
Thanks for your help and sorry for wasting your time.

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2015-01-02 12:22

Hi Frogger

Ah yes, an easy oversight - always helps to have the feature 'turned on' for it to work :-)

(FYI I have all my emails collected by External Download rather than direct delivery too - it gives a range of advantages over direct deliveries such as extra built-in backup protection and a SpamAssassin backup service).

Happy New Year to you too.

PCE|Christian
Normal user
Posts: 56
Joined: 2015-02-12 18:32
Location: Germany

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by PCE|Christian » 2015-03-27 16:59

Great tutorial, thanks! I was using FortiClient, which worked fine but really slows down my systems.
Regards, Christian

hMailserver 5.6-B2145 on Windows Server 2012 R2 Datacenter

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2015-03-27 17:14

Cheers.

SecuriteInfo
New user
Posts: 1
Joined: 2015-03-29 16:27

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by SecuriteInfo » 2015-03-29 17:41

For ClamAV and ClamWin users, this information could be interesting:

SecuriteInfo.com provides additional signatures for ClamAV. Here are the features:

* 0-day malware signatures, based on real malware in the wild.
* More than 500,000 signatures!
* Detection rate increase of up to 80% on 0-day malware.
* We detect any kind of malware: exe, html, android, mac, and even spam!
* Daily updated
* The signatures are quite generic and each signature can detect several malware samples
* Works with freshclam, you don't need a third party update script
* Very few false positives
* Typical usage: web servers (scan your hosted websites), mail server (antispam signatures), proxy (catch malware during browsing), and of course workstations.

More information at:
https://www.securiteinfo.com/services/i ... amav.shtml

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2015-03-29 19:07

We also have one of our senior users using similar:
SorenR wrote: I have extended ClamAV functionality by installing ClamSup from SaneSecurity http://sanesecurity.com/usage/windows-scripts/ and it seems that the "viruses" I find are tagged 99:1 in SaneSecurity's favor.

Quick Start guide here.. http://www.dataenter.com/doc/xwall_sanesec.htm
(I would normally flag up that last post as against website rules but, as it is in favour of this thread/discussion, in favour of our users and of the software used with HMS, I suppose it could be allowed to pass IMO)

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2015-06-21 15:45

This week my nightly system virus scans have started throwing up an email in someone's Inbox archive that contains a virus.

Now, this is good, you might say. Clam is actually detecting viruses correctly. Well yes, but consider this..... my system does the same nightly scan on the mailboxes and this email, with this attachment, has existed on this same system since January 14th 2014! And only NOW, some 17 months later, has it finally got round to having the correct definitions to identify it. SEVENTEEN MONTHS later. And for the avoidance of doubt, this is not a strange 'one off' virus that may never have been seen before - it's one of those "UPS Missed package delivery - Dear Customer...print this label (open the dodgy Zip file attached)" emails.

And just when you think it couldn't get worse? I saved the attachment, double checked it gets identified by Clam (it does), and then did a direct scan of it with Windows Defender (as supplied with Server 2008) - the same software that is *supposedly* protecting my system realtime. And it STILL didn't recognise it!

Conclusion of worthiness: Defender: BOTTOM. Clam: 2nd from bottom!
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2015-11-06 10:53

Here's an update:

This week I was doing some tests with 3rd party definitions for Clam from 'sanesecurity' (which involves a super-easy installation for Clamwin). The results were staggering in that they actually work, including excellent Zero-hour coverage, but more importantly they actually make using Clam useful and effective. Even on the first day, 2 things happened:

1, within 60 minutes of setting up I received a newly-released virus email and it was blocked immediately! Yes, blocked. And I didn't even have to wait years or months. It was blocked within 60 minutes of it being released.

2, The first night I scanned my system and it discovered many emails and viruses that over the last 4 years had simply slipped through normal Clam fingers and were sitting on disk (never being detected despite weekly clam disk scans). But now, with definitions that actually work, they were finally identified.

For further reading refer to: viewtopic.php?p=180020#p180020

So now, with these definitions, + Clamwin, + the Clamd service as described, this is a very effective solution.

(Who'd have thought?!)
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

alescan
Normal user
Posts: 43
Joined: 2014-11-11 17:29
Location: Italy

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by alescan » 2015-11-24 16:17

I tried the procedure but when I tell it to install the service an error appears:
"Can not find ordinal 44214 in the dynamic link library C:\ClamWin\bin\clamd.exe"

Can anyone help me?
Thanks
HMS 5.6.7 B2425 on Win Server 2012 R2 Standard with SQL Server 2014 SP2

jimimaseye
Moderator
Posts: 7360
Joined: 2011-09-08 17:48

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

Post by jimimaseye » 2015-11-24 16:22

MY advice is to uninstall whatever you have done and start again carefully following it. I know the procedure works.

HINT: if you are not using default directories (as I see you are not because you quote "C:\ClamWin\bin\clamd.exe") then make sure you are consistent and these directories are reflected accordingly in whatever config file the instructions tell you to use - in particular part (3).
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
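A practical way to apply the hint above about keeping non-default directories consistent is to check the clamd config file before installing the service. The script below is an added example, not code from the thread or from the ClamWin/ClamAV projects: it parses the `DatabaseDirectory`, `TemporaryDirectory` and `LogFile` directives (real clamd.conf keys), verifies the locations exist, and reports when the directives point under different install roots (for instance one under `C:\ClamWin` and another under `C:\Program Files\ClamWin`). The sample config, its paths and the `exists` lookup used in the demo are constructed for illustration.

```python
import ntpath
import os

# clamd.conf directives whose value must point at an existing location.
# "dir": the directory itself must exist; "parent": the file may not exist yet
# (clamd creates it) but its folder must.
PATH_DIRECTIVES = {
    "DatabaseDirectory": "dir",
    "TemporaryDirectory": "dir",
    "LogFile": "parent",
}

# Constructed sample clamd.conf with a deliberately inconsistent DatabaseDirectory.
SAMPLE_CONF = """\
# constructed sample clamd.conf, not a real install
LogFile C:\\ClamWin\\clamd.log
DatabaseDirectory C:\\Program Files\\ClamWin\\db
TemporaryDirectory C:\\ClamWin\\tmp
TCPSocket 3310
TCPAddr 127.0.0.1
"""


def parse_clamd_conf(text):
    """Return {directive: value} for every non-blank, non-comment line."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # directive, then the rest (may contain spaces)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip().strip('"')
    return conf


def install_root(path):
    """Drive plus first folder of a Windows path, e.g. C:\\ClamWin\\tmp -> C:\\ClamWin."""
    drive, rest = ntpath.splitdrive(path)
    parts = [p for p in rest.split("\\") if p]
    return ntpath.join(drive + "\\", parts[0]) if parts else drive


def check_paths(conf, exists=os.path.exists):
    """Return {directive: (value, exists_ok)} for the path directives present."""
    results = {}
    for name, kind in PATH_DIRECTIVES.items():
        if name not in conf:
            continue
        value = conf[name]
        target = ntpath.dirname(value) if kind == "parent" else value
        results[name] = (value, bool(exists(target)))
    return results


def roots_by_directive(conf):
    """Group path directives by install root so mixed roots stand out."""
    grouped = {}
    for name in PATH_DIRECTIVES:
        if name in conf:
            grouped.setdefault(install_root(conf[name]), []).append(name)
    return grouped


def report(text, exists=os.path.exists):
    """Human-readable summary; returns True only when everything is consistent."""
    conf = parse_clamd_conf(text)
    ok = True
    for name, (value, present) in check_paths(conf, exists).items():
        print(f"{name:20} {value:40} {'OK' if present else 'MISSING'}")
        ok = ok and present
    roots = roots_by_directive(conf)
    if len(roots) > 1:
        ok = False
        print("Inconsistent install roots:", {r: d for r, d in roots.items()})
    if conf.get("TCPSocket") != "3310":
        print("Note: TCPSocket is not 3310; hMailServer must be set to the same port")
    return ok


if __name__ == "__main__":
    # Constructed existence lookup so the demo runs on any host.
    fake_fs = {"C:\\ClamWin", "C:\\ClamWin\\tmp"}
    report(SAMPLE_CONF, exists=lambda p: p in fake_fs)
```

On a real host, call `report(open(r"C:\ClamWin\clamd.conf").read())` with the default `exists`, which uses `os.path.exists`; the only point of the fake lookup is to make the example self-contained.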
