
Even Linux needs to scan for Windows Viruses

What! you say. Why would Linux need to scan for Windows viruses? Surely they don’t affect Linux. Well, yes, it is true that a standard Linux O/S setup cannot be affected by Windows viruses. However, almost all Linux setups I read about involve either acting as a server for Windows machines or acting as a dual boot/wine host.

In these cases it is essential to run an antivirus tool to prevent your Windows machines from being infected by files sitting on a samba share, a shared e-mail server or wine. In my case, my office server stores Windows documents on samba shares and shares e-mail via the dovecot IMAP server. The e-mails are fetched from various sources using fetchmail and passed through procmail for delivery to the correct mail folder.

The most common antivirus package on Linux is ClamAV. There are others available from:

I will be speaking about my setup with ClamAV. ClamAV is the most common anti-virus you will find on a Linux setup. This is because it is completely open source and free and available as part of the major Linux distributions. I use Ubuntu throughout my business and ClamAV is included in the main repositories.

To get started, the simplest thing to do is install:

sudo apt-get install clamav clamav-base clamav-freshclam clamav-daemon clamassassin

Let’s go through this. We install the scanner and base tools (clamav, which provides clamscan, and clamav-base), a daemon that downloads the latest virus and malware signatures (clamav-freshclam), the ClamAV daemon (clamav-daemon), which is very useful for scanning e-mail, and a script that runs e-mail through the scanner (clamassassin).

There are two ways to scan your files: with clamscan, or with clamdscan, which uses the daemon. Using clamdscan is usually faster because all the virus definitions are already loaded in memory. However, the daemon runs under its own user (clamav), and you need to add that user to any groups necessary to read the files you want scanned.

I use clamscan within a script file which is then invoked through cron to provide a nightly scan with an e-mail summary.
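The nightly script itself is not shown on this page, so here is an added example of my own (not the author’s script) of what it can look like: it scans the assumed SCAN_DIRS with clamscan, pulls the totals and the FOUND lines out of clamscan’s report, and mails a one-screen summary. LOGFILE and MAILTO are assumed placeholders, and the sample report is constructed so the parsing can be exercised without clamscan installed.

```shell
#!/bin/sh
# Nightly ClamAV scan with an e-mailed summary. Added example, not the
# author's script; SCAN_DIRS, LOGFILE and MAILTO are assumed placeholders.
SCAN_DIRS="${SCAN_DIRS:-/srv/samba /var/spool/mail}"   # space-separated
LOGFILE="${LOGFILE:-/var/log/clamav/nightly.log}"
MAILTO="${MAILTO:-root}"
# clamscan exit codes: 0 clean, 1 infected file(s) found, 2 scan error.
subject_for() {
    case "$1" in
        0) echo "[clamscan] nightly scan: clean" ;;
        1) echo "[clamscan] nightly scan: VIRUS FOUND" ;;
        *) echo "[clamscan] nightly scan: ERROR (exit $1)" ;;
    esac
}

# Infected files are reported as "<path>: <signature> FOUND"; list the paths.
found_paths() {            # $1 = scan report file
    sed -n 's/^\(.*\): .* FOUND$/\1/p' "$1"
}

# The "SCAN SUMMARY" block at the end carries totals; pick one by its label.
summary_value() {          # $1 = scan report file, $2 = label ("Infected files")
    sed -n "s/^$2: *\([0-9][0-9]*\).*/\1/p" "$1"
}
# Constructed sample of "clamscan -r --infected" output, for a dry run.
sample_report() {
    cat <<'EOF'
/srv/samba/share/invoice.exe: Eicar-Test-Signature FOUND
/srv/samba/share/old-backup.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Scanned directories: 12
Scanned files: 340
Infected files: 2
EOF
}
# Scan SCAN_DIRS recursively, keep the report, mail a summary to MAILTO.
nightly_scan() {
    clamscan -r --infected $SCAN_DIRS > "$LOGFILE" 2>&1   # SCAN_DIRS word-splits
    rc=$?
    { echo "Infected files: $(summary_value "$LOGFILE" 'Infected files')"
      echo "Scanned files:  $(summary_value "$LOGFILE" 'Scanned files')"
      echo; found_paths "$LOGFILE"; } | mail -s "$(subject_for "$rc")" "$MAILTO"
    return "$rc"
}
# Only scan when invoked as "nightly.sh --run" (e.g. from cron).
case "${1:-}" in --run) nightly_scan ;; esac
```

A cron line such as `0 2 * * * /usr/local/sbin/nightly.sh --run` runs it each night; `sample_report | summary_value /dev/stdin 'Infected files'` shows the parsing on the constructed report.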

To scan e-mail I needed to add a procmail recipe. Procmail is a wonderful piece of software which could use a better web page. Procmail delivers mail based on a set of rules/patterns set in a global rules file and in each user’s rules file.

In my current setup, fetchmail brings down e-mail from my ISP and various other sources, procmail drops the e-mails into the correct folders, and Exim currently acts only as a local and forwarding e-mail server. There is a way to tie ClamAV into Exim, but this would only catch outgoing e-mails, which I’m not worried about. The only appropriate place was procmail.

After some looking around I came up with this procmail recipe:

MAILDIR=/var/spool/mail
DEFAULT=$MAILDIR/$LOGNAME/
# capture the original subject (tabs expanded, surrounding whitespace trimmed)
SUBJ_=`formail -xSubject: | expand | sed -e 's/^[ ]*//g' -e 's/[ ]*$//g'`

# check if there is a virus and indicate in subject, don't actually delete it!
# filter (f) the whole message through clamassassin and wait (w) for it;
# clamassassin adds an X-Virus-Status: header (Yes/No)
:0fw
| /usr/bin/clamassassin

# anything clamassassin flagged: tag the subject, add a marker header,
# note it in the procmail log and file it in the virus folder
:0
* ^X-Virus-Status: Yes
{
  # filter the headers only (h); no lock file is needed for a filter
  :0 fhw
  | formail -I"Subject: [**VIRUS**] ${SUBJ_}"
  :0 fhw
  | formail -A"X-VIRUS-INFO: BLOCKED BY CLAMASSASSIN"
  LOG="VIRUS "
  # deliver to the virus folder, holding a lock file while writing
  :0:
  $DEFAULT/.virus
}

To test it, go to http://eicar.org/anti_virus_test_file.htm where you can download the EICAR test file, a harmless file that antivirus engines deliberately detect, and then send it to yourself. The e-mail should be trapped and dropped into your virus folder with the subject altered.

My colleagues appreciated no longer having to worry about e-mails with suspect viruses coming through the e-mail system. I have also made some adjustments to our Windows e-mail clients for any remote accounts accessed by IMAP (like info and enquiries). Some e-mail clients like to cache the e-mails and attachments from these accounts, and this bypasses our e-mail scanner. I have turned off that caching because, as you can imagine, these accounts get a lot of spam and malicious attachments.

We here at chameeya now feel much more secure. We are even improving in other areas by removing local admin rights for many users and ensuring everyone is logging in with domain accounts.

Now to see if I can get a proxy server to keep out all the porn!
