HOW TO run Clamwin and have a ClamAV system SERVICE

Post by RvdH » 2021-11-03 00:08

madbadger wrote:
2021-10-31 20:48
Thanks. Turned off Defender and all OK.
Test Successful.
No need to turn off Defender, simply exclude the HMS \Data and \Temp folders from the realtime scanner; lots of posts on the forum explain just that.
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

Post by RvdH » 2022-01-23 01:11

FYI, another https mirror (for this method) for sanesecurity signatures if the Australian mirror gives you timeouts (it does quite frequently for me)
https://mirror.rollernet.us/sanesecurity/

http only:
http://rsync1.au.gentoo.org/sanesecurity/

Post by palinka » 2022-01-23 01:30

RvdH wrote:
2022-01-23 01:11
FYI, another https mirror (for this method) for sanesecurity signatures if the Australian mirror gives you timeouts (it does quite frequently for me)
https://mirror.rollernet.us/sanesecurity/

http only:
http://rsync1.au.gentoo.org/sanesecurity/
Sorry for OT, but is clamav 104 working with hmailserver?

Post by RvdH » 2022-01-23 01:30

palinka wrote:
2022-01-23 01:30
RvdH wrote:
2022-01-23 01:11
FYI, another https mirror (for this method) for sanesecurity signatures if the Australian mirror gives you timeouts (it does quite frequently for me)
https://mirror.rollernet.us/sanesecurity/

http only:
http://rsync1.au.gentoo.org/sanesecurity/
Sorry for OT, but is clamav 104 working with hmailserver?
Nope (at least the last time I checked, 0.104.1)

Post by palinka » 2022-01-23 01:34

RvdH wrote:
2022-01-23 01:30
palinka wrote:
2022-01-23 01:30
RvdH wrote:
2022-01-23 01:11
FYI, another https mirror (for this method) for sanesecurity signatures if the Australian mirror gives you timeouts (it does quite frequently for me)
https://mirror.rollernet.us/sanesecurity/

http only:
http://rsync1.au.gentoo.org/sanesecurity/
Sorry for OT, but is clamav 104 working with hmailserver?
Nope (at least the last time I checked, 0.104.1)
OK thanks.

Post by kimboslice » 2022-02-13 18:57

Followed this guide to a T... ran the test at emailsecuritytester.com and not a single virus is found, only Windows Defender catches it, after the fact.

So basically my setup of Clam is 100% useless, how could I have possibly screwed this up so poorly lol

What steps should I take to correct this?

Post by palinka » 2022-02-13 19:30

kimboslice wrote:
2022-02-13 18:57
Followed this guide to a T... ran the test at emailsecuritytester.com and not a single virus is found, only Windows Defender catches it, after the fact.

So basically my setup of Clam is 100% useless, how could I have possibly screwed this up so poorly lol

What steps should I take to correct this?
Undo whatever you did. Then read the entire thread twice. Then try again. And if you get hung up on something specific, post it here and we'll try to help.

Overly broad pleas for help are generally ignored because nobody here (to my knowledge, at least) is a mind reader nor plugged into the matrix and able to remotely connect their brains directly to your server.

But I didn't ignore you, buddy. :D

Post by kimboslice » 2022-02-13 19:43

Well, what I did was follow this guide

and yes of course, I've read through the thread multiple times (all pages), I wouldn't bother to waste anyone's time had I not

hMail shows

"DEBUG"	4792	"2022-02-13 12:22:46.544"	"Connecting to ClamAV virus scanner..."
"DEBUG"	4792	"2022-02-13 12:22:47.620"	"Connecting to ClamAV stream port..."
"DEBUG"	4800	"2022-02-13 12:22:47.634"	"No virus detected: stream: OK"
"DEBUG"	4800	"2022-02-13 12:22:47.644"	"Applying rules"
but then Windows Defender has a heart attack, just drawing a complete blank on what to do to rectify this, short of using an entirely different scanner

Post by palinka » 2022-02-13 21:49

kimboslice wrote:
2022-02-13 19:43
Well, what I did was follow this guide

and yes of course, I've read through the thread multiple times (all pages), I wouldn't bother to waste anyone's time had I not

hMail shows

"DEBUG"	4792	"2022-02-13 12:22:46.544"	"Connecting to ClamAV virus scanner..."
"DEBUG"	4792	"2022-02-13 12:22:47.620"	"Connecting to ClamAV stream port..."
"DEBUG"	4800	"2022-02-13 12:22:47.634"	"No virus detected: stream: OK"
"DEBUG"	4800	"2022-02-13 12:22:47.644"	"Applying rules"
but then Windows Defender has a heart attack, just drawing a complete blank on what to do to rectify this, short of using an entirely different scanner
It looks like you need to exclude hmailserver data dir from defender scanning. I also exclude hmailserver service, clamav and other stuff that could have defender interfering.

Post by kimboslice » 2022-02-13 22:52

If I'm not mistaken that was mentioned earlier in the thread (or perhaps it was another), I have already excluded the folders from Defender, the test works fine and clam detects it, but in any real world testing it doesn't work

Post by palinka » 2022-02-14 14:13

You say "but then Windows Defender has a heart attack". So of course Defender is interfering. You need to exclude more.

Here's what I exclude.

Folders:
* ClamAV program folder - also exclude virus definition folder if not located within ClamAV program folder
* a script folder for downloading sanesecurity virus definitions
* C:\Windows\Temp
* hmailserver data dir

Processes:
* ClamD
* hMailServer

Basically anything that could possibly touch a virus passing through email flow needs to be excluded.

Try turning off defender and test again.

ClamAV doesn't pick up the virus on your test because defender got to it first. I assume the test you're performing is using EICAR, which vanilla ClamAV will definitely pick up when presented (no special definitions required).
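
The exclusion list from the post above, as an added PowerShell example (not part of the original thread): it compares the current Defender exclusions with the required ones, adds only what is missing, and reports what remains. `Get-MpPreference` and `Add-MpPreference` are the Defender module's cmdlets; every path and the two executable names are assumptions to be replaced with the locations used on your server.

```powershell
# Run in an elevated PowerShell session (exclusions are hidden from non-admins).
# All paths below are assumed placeholders, not values from the thread.
$requiredPaths = @(
    'C:\Program Files (x86)\hMailServer\Data',  # hMailServer data dir (assumed)
    'C:\Program Files (x86)\hMailServer\Temp',  # hMailServer temp dir (assumed)
    'C:\ClamAV',                                # ClamAV program folder (assumed)
    'C:\ClamAV\db',                             # virus definitions, if stored elsewhere (assumed)
    'C:\Scripts\sanesecurity',                  # sanesecurity download script folder (assumed)
    'C:\Windows\Temp'
)
# Image names assumed for the "ClamD" and "hMailServer" processes named in the post.
$requiredProcesses = @('clamd.exe', 'hMailServer.exe')

function Get-MissingExclusion {
    param([string[]]$Required, [string[]]$Present)
    # -notcontains is case-insensitive; trailing backslashes are ignored.
    $have = @($Present | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') })
    @($Required | Where-Object { $have -notcontains $_.TrimEnd('\') })
}

$pref = Get-MpPreference
$missingPaths = Get-MissingExclusion -Required $requiredPaths -Present $pref.ExclusionPath
$missingProcs = Get-MissingExclusion -Required $requiredProcesses -Present $pref.ExclusionProcess

foreach ($path in $missingPaths) {
    if (Test-Path -LiteralPath $path) {
        Add-MpPreference -ExclusionPath $path
    } else {
        # A typo here would silently exclude nothing useful, so skip and warn.
        Write-Warning "Skipping '$path': folder not found, check the path"
    }
}
foreach ($proc in $missingProcs) {
    Add-MpPreference -ExclusionProcess $proc
}

# Re-read the preferences and show anything that is still not excluded.
$pref = Get-MpPreference
[pscustomobject]@{
    MissingPaths     = (Get-MissingExclusion $requiredPaths $pref.ExclusionPath) -join '; '
    MissingProcesses = (Get-MissingExclusion $requiredProcesses $pref.ExclusionProcess) -join '; '
}
```

Both columns are empty when every folder and process from the list is excluded; keep the list limited to the mail-flow locations so Defender still covers the rest of the server.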

Post by kimboslice » 2022-02-14 22:23

So when hMail sends off to clam, is clam just storing it in memory? I suppose my issue is that I need to exclude those processes

My confusion stems from the fact I can watch the log and see the infected email pass right through clam, but I suppose Defender could be catching it before clam can, then waiting a minute (just so happens to be after delivery) before notifying a virus was found

I will exclude those processes and see how that goes I suppose

Thanks for the input!

edit; ya correct using an EICAR test... also, my db folder is within appdata\.clamwin\ this needs to be excluded as well?

I can just move it to within clam's folder correct?

Post by SorenR » 2022-02-15 01:01

kimboslice wrote:
2022-02-14 22:23
So when hMail sends off to clam, is clam just storing it in memory? I suppose my issue is that I need to exclude those processes

My confusion stems from the fact I can watch the log and see the infected email pass right through clam, but I suppose Defender could be catching it before clam can, then waiting a minute (just so happens to be after delivery) before notifying a virus was found

I will exclude those processes and see how that goes I suppose

Thanks for the input!

edit; ya correct using an EICAR test... also, my db folder is within appdata\.clamwin\ this needs to be excluded as well?

I can just move it to within clam's folder correct?
Not sure if this is a ClamAV issue or a hMailServer issue... I have hMailServer check with ClamAV service directly AND (!) I also have SpamAssassin check with ClamAV.

That means ALL emails are checked TWICE. Same ClamAV instance called by both BUT SpamAssassin finds more ?!?!

I have no idea how that can be.

If I forward an email ONLY tagged by SpamAssassin as "Virus" via a relay back to the server hMailServer will find it too.

Now, the funny part is that email is handed to SpamAssassin the second it is received (between OnSMTPData and OnAcceptMessage), hMailServer does not call ClamAV until just before email is delivered to account (between OnDeliveryStart and OnDeliverMessage).

Disclaimer: I don't really find a lot of viruses, perhaps 1-2 over a 6 month period BUT I get a lot of the "Junk" and SPAM stuff that ClamAV also checks for. ClamAV and SpamAssassin are both running off-server on a Windows 2019 Essential Server. hMailServer is hosted on a Windows 2003 R2 Server.
SørenR.

There are two types of people in this world:
1) Those who can extrapolate from incomplete data

Post by kimboslice » 2022-02-15 03:35

After doing a complete uninstall and reinstall (just to be sure), then adding hMailServer and ClamD to the exclusions seems to have resolved it.

But then removing ClamD and hMailServer from the exclusion results in... clam still picking it up and no interference from defender, unsure about that but whatever, getting consistent detections now.

For future people reading, initially I had only excluded hMail's \data and \temp folders which resulted in my issues (test works but no real detections by clam), adding the processes "hMailServer" and "ClamD" is what resolved it for me.

Thanks for the help @palinka, much appreciated
