
ClamAV Guide - Part I : Setting Up ClamAV Anti-virus for ORF

Introduction - What Is This About?

ClamAV is a free, open-source anti-virus, originally developed for Unix/Linux (a Windows port is also available). In addition to being a very capable anti-virus, it also offers certain anti-spam features.

This guide provides step-by-step instructions for installing and configuring the ClamAV anti-virus as an ORF External Agent. This is the first part of a two-part series, and it focuses on setting up ClamAV for virus filtering. The second part is dedicated to extending ClamAV with anti-phishing and anti-spam capabilities.

1. Getting Started - Downloading Required Packages

  1. Download the latest version of ClamAV (as of writing this, v0.95.3) from http://hideout.ath.cx/clamav/
  2. Download the ClamAV External Agent definition for ORF (this is required to connect ORF and ClamAV). Extract the ZIP file to a directory.

2. Installing ClamAV for Windows

Extract and run the ClamAV for Windows installer; it will guide you through the setup process.

WARNING: If you install ClamAV to any directory other than the default (C:\clamav), you will have to manually edit a few configuration files after installation (see below). To avoid this, we strongly recommend installing it to the default directory (C:\clamav).

3. Installing FreshClam

Freshclam is responsible for updating the official ClamAV virus signatures. To install freshclam as a Windows service, open a command prompt and run the following command from the ClamAV installation directory:

freshclam --install

4. Configuring and Starting FreshClam

  1. Start the Services console (Start > Run > services.msc)
  2. Right-click on ClamWin Free Antivirus Database Updater, select Properties.
  3. Change the Startup type to Automatic (so it will start every time Windows starts)
  4. Start the service, click Apply and OK.

IMPORTANT: You should run freshclam at least once to download the official signature files before proceeding with the installation of ClamD. If you have a 64-bit system, please read the notes below before running freshclam for the first time.

5. Installing ClamD

Clamd is the virus filtering server of ClamAV. Clients (like the clamdscan command-line tool that ORF uses as External Agent) connect to the clamd server to filter emails. Install clamd by running the following command at a command prompt from the ClamAV installation directory:

clamd --install

6. Configuring and Starting ClamD

  1. Start the Services console (Start > Run > services.msc)
  2. Right-click on ClamWin Free Antivirus Scanner Service, select Properties.
  3. Change the Startup type to Automatic (so it will start every time Windows starts)
  4. Start the service, click Apply and OK.

NOTES
On 64-bit systems (we experienced this on Windows Server 2008 R2), the freshclam and clamd services may not work properly because of an issue with the registry redirection used under 64-bit Windows. To fix this problem, please download

http://www.vamsoft.com/downloads/clamav-x64-registry-fix.zip

and extract clamav-x64-registry-fix.reg from the archive. Double-click on the .reg file to import the fix. The fix inserts the ClamAV registry keys under HKEY_LOCAL_MACHINE\Software\Clamav, where freshclam and clamd look for them.
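
The following Windows PowerShell check is an added example, not part of the original guide or of ClamAV/ORF. It verifies the outcome of steps 4 and 6 and the registry note above, using the service display names and registry key given in this guide. The Wow6432Node location is an assumption about where a 32-bit installer's keys end up on 64-bit Windows.

```powershell
# Added example: post-install check for the two ClamAV services and the registry keys.
# Run it from an elevated, native (64-bit on x64) Windows PowerShell session.

# A 32-bit PowerShell on 64-bit Windows is itself redirected, so its view of
# HKLM:\SOFTWARE would not be the one the 64-bit services see.
if ($env:PROCESSOR_ARCHITEW6432) {
    Write-Output 'Run this from 64-bit PowerShell; this session is a 32-bit process on 64-bit Windows.'
    return
}

$displayNames = @(
    'ClamWin Free Antivirus Database Updater',   # freshclam service (step 4)
    'ClamWin Free Antivirus Scanner Service'     # clamd service (step 6)
)

$problems = @()
foreach ($name in $displayNames) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='$name'"
    if (-not $svc) {
        $problems += "Service not installed: $name"
        continue
    }
    if ($svc.StartMode -ne 'Auto') {
        $problems += "$name startup type is $($svc.StartMode), expected Auto (Automatic)"
    }
    if ($svc.State -ne 'Running') {
        $problems += "$name is $($svc.State), expected Running"
    }
}

$nativeKey     = 'HKLM:\SOFTWARE\Clamav'               # key named in this guide
$redirectedKey = 'HKLM:\SOFTWARE\Wow6432Node\Clamav'   # assumption: redirected 32-bit view
if (-not (Test-Path $nativeKey)) {
    if (Test-Path $redirectedKey) {
        $problems += "Keys exist only under $redirectedKey; import clamav-x64-registry-fix.reg"
    } else {
        $problems += "No ClamAV registry keys found under $nativeKey"
    }
}

if ($problems.Count -eq 0) {
    Write-Output 'OK: both services are Automatic and Running, and the registry keys are in place.'
} else {
    $problems | ForEach-Object { Write-Output "PROBLEM: $_" }
}
```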

7. Importing the External Agent

ClamAV can be attached to ORF using External Agents. The External Agent definition you downloaded describes how ORF can work with ClamAV. Import this definition by following the steps below:

  1. Start the ORF Administration Tool
  2. Select Configuration | Import | External Agent definitions... from the main menu
  3. Select the clamav.xml file from the definition pack you downloaded earlier and click Open
  4. Click OK
  5. Enable the new ClamAV for Windows agent.

To make sure the External Agents test is enabled and configured properly:

  1. Expand Configuration / Tests / Tests in the left navigation tree
  2. Check if the External Agent test is enabled. If it is not enabled, enable it now
  3. Expand Configuration / Filtering – On Arrival / External Agents in the left navigation tree
  4. Make sure that Path for the temporary email files points to a valid and existing directory. This is where ORF will store a temporary copy of the email during testing. This can be any directory, just make sure to exclude it from any resident anti-virus filtering, otherwise your anti-virus product may remove/lock the file before it can be scanned.

The definition is shipped with a few defaults that you may want to review:

  1. Double-click the ClamAV for Windows agent in the list.
  2. By default the agent is configured to drop emails on hit. If you want to tag or redirect them, click the Exit codes tab, then the Actions button and configure a different action.
  3. When you are finished, click OK.
  4. Save your settings to apply the changes by pressing Ctrl + S in the Administration Tool. If you have an older version (pre-4.3), restarting the ORF Service is also necessary to apply the changes: press Ctrl + U in this case instead.

NOTE
If you have installed ClamAV to any directory other than C:\clamav\, adjust the Path of the Agent Executable and Parameters field on the Run tab.
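
Before relying on the agent for live mail, you can confirm that clamdscan reaches clamd and returns the exit codes ORF acts on. The script below is an added example, not part of the original guide or the ORF agent definition. It scans a clean file and the harmless EICAR test file. The clamdscan.exe location and the C:\ORF-Temp directory are assumptions: replace them with the Path of the Agent Executable from the Run tab and your configured temporary email path, and add any extra arguments shown in the Parameters field.

```powershell
# Added example: end-to-end check of clamd through clamdscan with the EICAR test file.
param(
    [string]$ClamdScan = 'C:\clamav\clamdscan.exe',  # assumption: adjust to your installation
    [string]$TempDir   = 'C:\ORF-Temp'               # placeholder for ORF's temporary email path
)

function Invoke-Scan([string]$Path) {
    & $ClamdScan $Path | Out-Null
    return $LASTEXITCODE   # clamdscan: 0 = no virus found, 1 = virus found, 2 = error
}

$clean = Join-Path $TempDir 'clamav-clean-test.txt'
$eicar = Join-Path $TempDir 'clamav-eicar-test.txt'
# Standard EICAR test string, written in two parts so this script is not flagged itself.
$eicarText = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-' + 'STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

try {
    [System.IO.File]::WriteAllText($clean, 'clean test file', [System.Text.Encoding]::ASCII)
    [System.IO.File]::WriteAllText($eicar, $eicarText, [System.Text.Encoding]::ASCII)
    Start-Sleep -Seconds 2   # give a resident scanner time to react if it watches this directory

    if (-not (Test-Path $eicar)) {
        Write-Output "FAIL: test file was removed before scanning; exclude $TempDir from resident anti-virus."
        return
    }

    $cleanCode = Invoke-Scan $clean
    $eicarCode = Invoke-Scan $eicar

    if ($cleanCode -eq 2 -or $eicarCode -eq 2) {
        Write-Output 'FAIL: clamdscan reported an error (exit code 2); check that the clamd service is running.'
    } elseif ($cleanCode -eq 0 -and $eicarCode -eq 1) {
        Write-Output 'OK: clean file returned 0 and the EICAR file returned 1.'
    } else {
        Write-Output "FAIL: unexpected exit codes (clean=$cleanCode, eicar=$eicarCode)."
    }
}
finally {
    # Remove both test files whether or not the scan succeeded.
    Remove-Item $clean, $eicar -ErrorAction SilentlyContinue
}
```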

Wait, There Is More...

ClamAV is now set up for virus protection with ORF on your system – but ClamAV can do more for you. Third-party signatures extend ClamAV with the ability to detect phishing, scams and spam. The second part of this guide explains how to set up ClamAV for extended protection:

ClamAV Guide - Part II : Using ClamAV 3rd Party Signatures with ORF

For more tips on fine-tuning ORF, read the Getting The Most Out of ORF Guide
Article by: Krisztián Fekete, Vamsoft Ltd.
Published: February 15, 2010
