ClamAV email virus scanner on Debian 11 bullseye

This tutorial installs ClamAV and ClamSMTP on Debian 11.  ClamAV is an open source antivirus engine for detecting Trojans, viruses, malware, adware, rootkits and other malicious threats.

ClamAV includes a multi-threaded scanner daemon, with command-line utilities for on-demand file scanning and automatic signature updates. The main service is the ClamSMTP daemon, which is used on mail servers as a server-side proxy for e-mail virus scanners.

Installation

The prerequisite for this tutorial is a configured SMTP relay (MTA) on Postfix. For the installation we are already root, before the last ClamAV version is to be provided with update.

$ apt update
$ apt-cache policy clamav clamav-daemon
$ apt install clamsmtp clamav clamav-daemon

After installation configure Postfix for which we edit the main configuration main.cf. Postfix with its modular structure, transfers the incoming e-mails to the ClamSMTP daemon before they are spooled into the queue and droped to the user mailbox.

$ vi /etc/postfix/main.cf
...
content_filter = scan:127.0.0.1:10026

If you not familiar in using vi, you can of course use nano or your favorite editor.

Add the services in Postfix at the end of master.cf, which will return the scanned e-mails to Postfix.

$ vi /etc/postfix/master.cf
...
scan unix -      -      n      -      16      smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes
127.0.0.1:10025 inet n      -      n      -      16       smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks_style=host
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8

The new ClamAV virus database updater (clamav-freshclam.service) is not intended to notify Clamd.

$ sed -i -e "s/^NotifyClamd/#NotifyClamd/g" /etc/clamav/freshclam.conf

Load the ClamSMTP-conf file into the editor of your choice.

$ vi /etc/clamsmtpd.conf
OutAddress: 10025
Listen: 127.0.0.1:10026
ClamAddress: /var/run/clamav/clamd.ctl
Header: X-AV-Checked: ClamAV using ClamSMTP
TempDirectory: /var/spool/clamsmtp
PidFile: /var/run/clamsmtp/clamsmtpd.pid
User: clamsmtp

Most values can be adopted, check the listening port 10026, it must be the same port address as in main.cf for content_filter. Activate the comment line on Header: to remove hash (#).

Basically, the installation here is already completed. The following settings for verification, change if necessary, accordingly.

$ chown -R clamsmtp. /run/clamsmtp
$ chown -R clamsmtp. /var/spool/clamsmtp
$ chmod -R 775 /var/spool/clamsmtp

The configuration files belong to ClamAV are clamd.conf
freshclam.conf, which have the following content.

$ vi /etc/clamav/clamd.conf
#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 30
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanTime 120000
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
OnAccessMaxFileSize 5M

The clamd.conf file can be configured with dpkg-reconfigure clamav-daemon, due default values being suggested.

To configuring clamav-freshclam choose the method for virus database updates using the dpkg-reconfigure clamav-freshclam command.

$ vi /etc/clamav/freshclam.conf
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package

DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
#NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.ne

Testing ClamAV ClamSMTP Postfix

The systemd control commands for the ClamAV daemons.

$ systemctl restart clamav-daemon clamsmtp postfix
$ systemctl status clamav-daemon clamsmtp postfix
$ systemctl restart clamav-freshclam.service
$ systemctl status clamav-freshclam.service

If the daemon ClamSMTP and Postfix are configured, the active ports can be checked in the loop with netstat or ss.

$ netstat -tpln | grep 127.0.0.1
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN      1513/master
tcp        0      0 127.0.0.1:10026         0.0.0.0:*               LISTEN      690/clamsmtpd

Save the EICAR test signature to check the email virus scanner to a file, such as eicar-signatur.txt.

From: hostmaster@example.org
To: email@example.org
Subject: test - virus scanner test pattern

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Send the EICAR test signature to yourself using sendmail.

$ echo "Subject: EICAR Test Signature" | sendmail email@example.org < eicar-signatur.txt

In /var/log/mail.log can find 250 Virus Detected; Discarded Email. The e-mail with the EICAR test signature should of course not be delivered.

Nov 21 14:01:41 debian clamsmtpd: 100001: from=root@example.org, to=email@example.org, status=VIRUS:Eicar-Signature
Nov 21 14:01:41 debian postfix/smtp[2077]: D93FA10001A: to=<email@example.org>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.07, delays=0.02/0.02/0.01/0.02, dsn=2.0.0, status=sent (250 Virus Detected; Discarded Email)

Conclusion

The article shows how to install and use of ClamAV on a mail transfer agent, with a final check using test signature. ClamAV is an open-source (GPL) anti-virus engine used in a variety of situations, including email and web scanning, and endpoint security. It provides many utilities for users, including a flexible and scalable multi-threaded daemon, a command-line scanner and an advanced tool for automatic database updates.