Post subject: ClamAV instead of Clamwin on hMailServer is now really easy
Posted: 2010-10-11 18:24
New user

Joined: 2010-06-08 00:51
Posts: 9
Location: Lowestoft, UK
There is a sticky thread on how to install ClamAV and use it with hMailServer instead of Clamwin. It mentions using Server Resource Kit tools and whatnot, but on the version I just installed, it was easier than that!

After trying to use the server today and Clamwin taking all the CPU, I decided enough was enough and I would pull out the HOWTO and install ClamAV instead. Having uninstalled Clamwin and installed ClamAV, I noticed the installer had created 2 services, one for Clamav and one for freshclam (definitions updater).

So, all I did was add a scheduled task to run freshclam.exe once a day and told hMailServer (on the anti-virus tab) to use ClamWin and pointed the ClamScan executable box to C:\clamav\clamscan.exe and the path to ClamScan database to C:\clamav\data\main.cvd et voilà!

Now I have my system resources back and hopefully the red light on my server will stop coming on for no real reason other than the machine was almost always at max CPU usage. I used the GFI Virus Email Test on a mailbox to check it was still doing its job and it was!

Perhaps this thread should be the new ClamAV howto, it's a lot easier now, and the "old way" might put the less determined off!

Post subject: Re: ClamAV instead of Clamwin on hMailServer is now really e
Posted: 2010-10-11 20:21
Senior user

Joined: 2009-04-17 18:10
Posts: 268
Location: The land of Beer and Sauerkraut!
A1200 wrote:
After trying to use the server today and Clamwin taking all the CPU

SIGH...

A1200 wrote:
I decided enough was enough and I would pull out the HOWTO and install ClamAV instead. Having uninstalled Clamwin and installed ClamAV, I noticed the installer had created 2 services, one for Clamav and one for freshclam (definitions updater).

So, all I did was add a scheduled task to run freshclam.exe once a day and told hMailServer (on the anti-virus tab) to use ClamWin and pointed the ClamScan executable box to C:\clamav\clamscan.exe and the path to ClamScan database to C:\clamav\data\main.cvd et voilà!

You don't have to run FreshClam manually if the FreshClam service runs. If you're using the service you can configure the number of updates per day in the freshclam.conf file. Also, you have to point hMS to ClamDScan.exe, not ClamScan.exe, otherwise the process will not be much faster than with ClamWin.

A1200 wrote:
Now I have my system resources back and hopefully the red light on my server will stop coming on for no real reason other than the machine was almost always at max CPU usage. I used the GFI Virus Email Test on a mailbox to check it was still doing its job and it was!

Perhaps this thread should be the new ClamAV howto, it's a lot easier now, and the "old way" might put the less determined off!

You're right, the information in the big how-to thread is outdated by now. Actually I've promised to write a new how-to some day but as you've noticed, the installation procedure is now quite simple so I wouldn't even know what to write there. Also the next hMS version will include a native interface to ClamD and (because I doubt Martin will remove the ClamWin integration possibility) will hopefully warn in BIG RED letters what can happen if someone uses ClamWin on a slightly loaded server.

Thanks for your comments and best regards,

Nico


Post subject: Re: ClamAV instead of Clamwin on hMailServer is now really e
Posted: 2010-10-15 13:15
New user

Joined: 2010-10-13 13:58
Posts: 8
I am also testing this new version of ClamAV on my server, along with Kaspersky (I disabled it on c:/clamav and /hMailServer/Data folders).

Not being an expert, I would like to understand: what is the Clamd.exe service for exactly?

I noticed that the FreshClam service actually checks for updates every hour. But I could not understand what Clamd does (it takes 80M of RAM, not a problem at all but just to know).


Post subject: Re: ClamAV instead of Clamwin on hMailServer is now really e
Posted: 2010-10-15 13:32
Senior user

Joined: 2009-04-17 18:10
Posts: 268
Location: The land of Beer and Sauerkraut!
este wrote:
I am also testing this new version of ClamAV on my server, along with Kaspersky (I disabled it on c:/clamav and /hMailServer/Data folders).

You should exclude the whole ClamAV folder (including all subdirectories) from scanning. Besides, the ClamAV distribution you're referring to (mine) is not new at all. In fact it has existed for about 7 years ;)

este wrote:
Not being an expert, I would like to understand: what is the Clamd.exe service for exactly?

I noticed that the FreshClam service actually checks for updates every hour. But I could not understand what Clamd does (it takes 80M of RAM, not a problem at all but just to know).

ClamD is the resident daemon of ClamAV. It loads all signatures into memory and does the actual scanning. ClamDScan just connects to it by TCP and submits the file, therefore the scanning is much faster than with ClamScan (or ClamWin) which loads all of the signatures every time it scans a file.

Best regards,

Nico
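
The exchange described in the post above (a client connecting to ClamD over TCP and submitting the file content), as an added example that is not part of the original post or of any ClamAV or hMailServer code: a minimal client for clamd's INSTREAM command, one way a client can hand file bytes to the daemon. The address 127.0.0.1:3310 is the one shown in the clamd log later in this thread; `fake_clamd`, its marker string and its signature name are constructed stand-ins so the block runs without a real daemon.

```python
import socket
import struct
import threading

CLAMD_ADDR = ("127.0.0.1", 3310)  # loopback address and port shown in the clamd log in this thread

def _recv_reply(sock):
    """Read one NUL-terminated reply (the 'z' command prefix selects NUL framing)."""
    buf = b""
    while not buf.endswith(b"\0") and (part := sock.recv(4096)):
        buf += part
    return buf.rstrip(b"\0").decode("utf-8", "replace")

def instream_scan(data, addr=CLAMD_ADDR, chunk=8192, timeout=30):
    """Send bytes to clamd with INSTREAM; return (infected, signature_name_or_None)."""
    with socket.create_connection(addr, timeout=timeout) as s:
        s.sendall(b"zINSTREAM\0")
        for i in range(0, len(data), chunk):
            piece = data[i:i + chunk]
            s.sendall(struct.pack("!I", len(piece)) + piece)  # 4-byte big-endian length, then data
        s.sendall(struct.pack("!I", 0))  # zero-length chunk ends the stream
        reply = _recv_reply(s)
    if reply.endswith(" FOUND"):
        return True, reply[len("stream: "):-len(" FOUND")]
    if reply.endswith(" OK"):
        return False, None
    raise RuntimeError("clamd did not return a verdict: " + reply)  # never treat an error as clean

def fake_clamd(marker=b"CONSTRUCTED-TEST-MARKER"):
    """Constructed one-shot stand-in for clamd (not real ClamAV); returns (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as f:
            f.read(len(b"zINSTREAM\0"))  # consume the command
            body = b""
            while (n := struct.unpack("!I", f.read(4))[0]):
                body += f.read(n)
            verdict = b"Constructed.Test.Sig FOUND" if marker in body else b"OK"
            conn.sendall(b"stream: " + verdict + b"\0")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

if __name__ == "__main__":
    print(instream_scan(b"mail body CONSTRUCTED-TEST-MARKER", addr=fake_clamd()))
```

Against a real daemon, call `instream_scan(data)` with the default address. A stream larger than clamd's `StreamMaxLength` setting gets an error reply, which this client raises instead of reporting the data as clean.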


Post subject: Re: ClamAV instead of Clamwin on hMailServer is now really e
Posted: 2010-10-15 13:48
New user

Joined: 2010-10-13 13:58
Posts: 8
tBB wrote:
You should exclude the whole ClamAV folder (including all subdirectories) from scanning. Besides, the ClamAV distribution you're referring to (mine) is not new at all. In fact it has existed for about 7 years ;)

ClamD is the resident daemon of ClamAV. It loads all signatures into memory and does the actual scanning. ClamDScan just connects to it by TCP and submits the file, therefore the scanning is much faster than with ClamScan (or ClamWin) which loads all of the signatures every time it scans a file.

Best regards,

Nico


Thanks for your answer Nico.
7 years! I discovered it a few days ago on this forum! You should advertise more! Your product is far better than ClamWin, which is absolutely useless on a production server, at least in my experience.

Since you surely know what you are talking about, I'd like to ask you (or you can give me a link to some documentation or site): where are signatures coming from, who develops them and how updated are they? Is that an open project?


Post subject: Re: ClamAV instead of Clamwin on hMailServer is now really e
Posted: 2010-10-15 16:24
Senior user

Joined: 2009-04-17 18:10
Posts: 268
Location: The land of Beer and Sauerkraut!
este wrote:
Thanks for your answer Nico.
7 years! I discovered it a few days ago on this forum! You should advertise more! Your product is far better than ClamWin, which is absolutely useless on a production server, at least in my experience.

You're right about the ClamWin integration into hMS. I wish I'd get a beer every time I tell this over here :D I'm not doing any advertising because it's not that I'm selling anything and the rate of people who donate some amount is also exceptionally low to say the least (not even 1 donation per 1000 downloads), hence I'm not really eager to provide 24/7 support.

este wrote:
Since you surely know what you are talking about, I'd like to ask you (or you can give me a link to some documentation or site): where are signatures coming from, who develops them and how updated are they? Is that an open project?

The ClamAV signatures are not open, meaning there is a signature team which creates them. Malware is submitted by several sources. These are pages people send files to for analysis, like virustotal.com or virusscan.jotti.org, which submit samples to the participating vendors automatically in case the uploader agrees. Then there are several honeypots and http://cgi.clamav.net/sendvirus.cgi where people submit malware which was not detected by ClamAV. ClamAV is clearly specialized in malware which spreads by mail, which means such malware has priority over malware that comes with the latest keygen for nero 15438.239.14.1

However, there are a lot of very useful third party signatures for ClamAV too. See http://www.sanesecurity.co.uk/databases.htm and http://www.sanesecurity.co.uk/download_scripts_win.htm. You can also create your own signatures using sigtool.exe. See http://www.clamav.net/doc/latest/signatures.pdf

Best regards,

Nico


Post subject: Re: ClamAV instead of Clamwin on hMailServer is now really e
Posted: 2010-10-18 05:40
New user

Joined: 2010-10-13 13:58
Posts: 8
Very interesting. Thanks again for your answers. :)


Post subject: Re: ClamAV instead of Clamwin on hMailServer is now really e
Posted: 2010-11-07 01:47
New user

Joined: 2009-07-13 11:29
Posts: 8
Hello,

Which version (exactly) did you install? I installed "ClamAV for Windows x64 - 2.0.17" from www.clamav.net. And I have neither ClamDScan.exe nor ClamScan.exe.

Please help. Thank you!

Best regards,

Thorsten


Post subject: Re: ClamAV instead of Clamwin on hMailServer is now really e
Posted: 2010-11-07 02:40
Developer

Joined: 2010-04-24 23:16
Posts: 4925
Location: Michigan, USA
twaldorf,
Look at Nico/tBB's build:
http://hideout.ath.cx/ClamAV/
Not sure on there being 64bit-specific version though.
Bill

_________________
hMailServer build I'm using LIVE on my servers: 5.4-B2013040501
Latest test builds at: http://www.hmailserver.com/forum/viewtopic.php?f=10&t=21420


Post subject: Re: ClamAV instead of Clamwin on hMailServer is now really e
Posted: 2010-11-07 17:27
New user

Joined: 2009-07-13 11:29
Posts: 8
Bill48105 wrote:
twaldorf,
Look at Nico/tBB's build:
http://hideout.ath.cx/ClamAV/
Not sure on there being 64bit-specific version though.
Bill


Thank you. That seems to work. BUT I don't have the two services installed. (For sure I checked both services during installation and restarted the server once after the installation.)

Can someone post me the exact settings of the two services, so that I can install them manually with sc.exe? Thank you!

Best regards,

Thorsten


Post subject: Re: ClamAV instead of Clamwin on hMailServer is now really e
Posted: 2010-11-07 18:05
Developer

Joined: 2010-04-24 23:16
Posts: 4925
Location: Michigan, USA
Thorsten,
Nico's installer does it all for you.. You sure you used the right one? Are you looking in task manager or in services list? Maybe other clam you installed is causing issues unless you removed 1st?
Bill

Post subject: Re: ClamAV instead of Clamwin on hMailServer is now really e
Posted: 2010-11-07 18:35
New user

Joined: 2009-07-13 11:29
Posts: 8
Hello Bill,

I saw that the installer offers to install these services and I checked both. But the services definitely are not there and also not started. In the meantime I tried to install them manually with these settings:

Daemon: C:\clamav\clamd.exe
FreshClam: C:\clamav\freshclam.exe

But I cannot start them. The clamd starts briefly (in this short time I can use clamdscan.exe). But then I get the Windows error message: 1053 (no answer).

Here are the logfiles:

Sun Nov 07 16:45:05 2010 -> +++ Started at Sun Nov 07 16:45:05 2010
Sun Nov 07 16:45:05 2010 -> clamd daemon 0.96.3 (OS: win32, ARCH: i386, CPU: i386)
Sun Nov 07 16:45:05 2010 -> Log file size limited to 209715200 bytes.
Sun Nov 07 16:45:05 2010 -> Reading databases from c:\clamav\data
Sun Nov 07 16:45:05 2010 -> Not loading PUA signatures.
Sun Nov 07 16:45:09 2010 -> Loaded 848464 signatures.
Sun Nov 07 16:45:09 2010 -> TCP: Bound to address 127.0.0.1 on port 3310
Sun Nov 07 16:45:09 2010 -> TCP: Setting connection queue length to 15
Sun Nov 07 16:45:09 2010 -> Limits: Global size limit set to 104857600 bytes.
Sun Nov 07 16:45:09 2010 -> Limits: File size limit set to 26214400 bytes.
Sun Nov 07 16:45:09 2010 -> Limits: Recursion level limit set to 16.
Sun Nov 07 16:45:09 2010 -> Limits: Files limit set to 10000.
Sun Nov 07 16:45:09 2010 -> Archive support enabled.
Sun Nov 07 16:45:09 2010 -> Algorithmic detection enabled.
Sun Nov 07 16:45:09 2010 -> Portable Executable support enabled.
Sun Nov 07 16:45:09 2010 -> ELF support enabled.
Sun Nov 07 16:45:09 2010 -> Mail files support enabled.
Sun Nov 07 16:45:09 2010 -> OLE2 support enabled.
Sun Nov 07 16:45:09 2010 -> PDF support enabled.
Sun Nov 07 16:45:09 2010 -> HTML support enabled.
Sun Nov 07 16:45:09 2010 -> Self checking every 600 seconds.

Sun Nov 07 17:32:51 2010 -> ClamAV update process started at Sun Nov 07 17:32:51 2010
Sun Nov 07 17:32:51 2010 -> main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
Sun Nov 07 17:32:51 2010 -> daily.cvd is up to date (version: 12213, sigs: 144965, f-level: 53, builder: arnaud)
Sun Nov 07 17:32:51 2010 -> bytecode.cvd is up to date (version: 89, sigs: 10, f-level: 53, builder: edwin)

Thanks,

Thorsten


Post subject: Re: ClamAV instead of Clamwin on hMailServer is now really e
Posted: 2010-11-07 19:12
Developer

Joined: 2010-04-24 23:16
Posts: 4925
Location: Michigan, USA
Very strange.. Did you uninstall the other clam build you tried? Otherwise Nico might drop in & have an idea because every time I've installed (granted on clean machine without prior clam or any AV) it has installed right up. I manually ran freshclam to ensure it was set & tested from command-line & with hmail so not sure what is different on your end.
Bill

Post subject: Re: ClamAV instead of Clamwin on hMailServer is now really e
Posted: 2010-11-07 21:11
Senior user

Joined: 2009-04-17 18:10
Posts: 268
Location: The land of Beer and Sauerkraut!
Hmm, perhaps insufficient user rights for the account which runs the installer/service? Maybe blocked by some security software? Is the service created if you open a CMD shell in the ClamAV folder and enter "clamd --install"? Does ClamD work if you start it manually (from the CMD prompt)? Questions over questions :)

Best regards,

Nico

