ClamAV on Mailhubs and SMTP Servers

ClamAV is used on the mailhubs and SMTP servers for content scanning of email messages. It is called via ACLs in the Exim configuration. The daemon is installed as a binary using yum. We also use additional unofficial signature definitions from SaneSecurity. The main files of interest are –

  • /var/clamav – directory containing signature definitions
  • /etc/clamd.d/scan.conf – main configuration file
  • /etc/freshclam.conf – signature update configuration
  • /etc/clamav-unofficial-sigs/master.conf – additional signatures

Configuration changes will require a restart of clamd using the command –

# systemctl restart clamd

Freshclam:

The main signature file is updated by the freshclam daemon according to the instructions in the /etc/freshclam.conf file. The daemon is set to use the default of checking for new signatures every two hours. The signature file is daily.cld located in the /var/clamav directory. There is also a main.cvd file that is no longer updated. It has been left in place as it does not seem to be causing any problems.

Unofficial Signatures:

The additional signatures are visible in the /var/clamav directory in various database formats. The ones to be used are defined in the file /etc/clamav-unofficial-sigs/master.conf. These should be reviewed frequently as some signatures become too aggressive. Check the signature listings at SaneSecurity. They list the signatures as low, medium or high risk of false positives. We only use low and medium risk signatures.

New signature files are checked for and downloaded hourly. This process is controlled by the clamav-unofficial-sigs and clamav-update scripts in /etc/cron.d.

Whitelisting:

Rules can be whitelisted by adding the definition to the file /var/clamav/local.ign2. This file is regularly rsync’d from mx1.qub.ac.uk to the other three mailhubs, so it only requires a single edit. The file on the SMTP servers needs to be updated separately.

Updates:

Updates to the Clam installation are made available via yum. Be cautious when updating Clam as changes may have been made to the configuration options. It is wise to update on one server and test before completing the others.