Using Clam AntiVirus to Protect your iFolder 3 Server

Novell Cool Solutions: Tip
By Magnus Hoglund

Posted: 30 Jun 2006
 

Problem:

From the iFolder 3.x Security Administrator Guide:

"Because iFolder is a cross-platform distributed solution, there is a possibility of a virus infection on a platform migrating across the iFolder server to other platforms, and vice versa. You should enforce server-based virus scanning to prevent viruses from entering the corporate network."

Solution:

Use ClamAV as a real-time scanning antivirus solution.

Environment factors:

OES/Linux SP2
iFolder 3
ClamAV

Example:

Install required RPMs:

Start Yast2 and make sure these RPMs are installed.

postfix

clamav

km_antivir (dazuko module)

Execute modprobe dazuko (as root)

Run lsmod and check that dazuko is loaded.

Edit /etc/init.d/boot.local

  • Add:
    modprobe dazuko

Edit /etc/clamav.conf

  • Activate:
    # Path to a local socket file the daemon will listen on.
    LocalSocket /var/lib/clamav/clamd-socket


  • Deactivate:
    # TCP port address.
    #TCPSocket 3310


  • Deactivate:
    # TCP address.
    #TCPAddr 127.0.0.1


  • Activate and edit:
    # Execute a command when virus is found.
    VirusEvent /bin/echo "iFolder VIRUS ALERT: %v" | /bin/mail -s "ClamAV - iFolder" -r ClamAV@server.domain ToUser@domain


  • Deactivate:
    # Run as a selected user (clamd must be started by root).
    #User vscan

    Note:
    Without deactivating "User vscan", I received the error: "clamuko cannot connect to dazuko" in /var/log/clamd


  • Add these lines:
    # Clamuko RealTime Scanning
    ClamukoScanOnAccess
    ClamukoScanOnOpen
    ClamukoScanOnClose
    ClamukoScanOnExec
    ClamukoIncludePath /YOUR_PATH_TO_IFOLDER/ifolder/simias/SimiasFiles
    ClamukoScanArchive

Change any other settings in the file to reflect your needs (see ClamAV documentation).
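
The edits above can be checked before clamd is started. This is an added example, not part of the original tip: the function names are hypothetical, the sample config is constructed, and the directive names are the ones listed above.

```shell
#!/bin/sh
# Audit a clamd config file against the settings this tip describes.
# Prints one finding per line; returns 0 when clean, 1 otherwise.

# True if directive $2 appears uncommented in file $1.
is_active() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

check_clamav_conf() {
    conf=$1
    rc=0
    # Directives the tip activates or adds.
    for d in LocalSocket VirusEvent ClamukoScanOnAccess ClamukoScanOnOpen \
             ClamukoScanOnClose ClamukoScanOnExec ClamukoScanArchive \
             ClamukoIncludePath; do
        is_active "$conf" "$d" || { echo "MISSING: $d"; rc=1; }
    done
    # Directives the tip comments out (TCP listener, unprivileged user).
    for d in TCPSocket TCPAddr User; do
        if is_active "$conf" "$d"; then echo "ACTIVE: $d"; rc=1; fi
    done
    # A path still holding the tip's placeholder covers no real iFolder data.
    if grep -Eq '^[[:space:]]*ClamukoIncludePath[[:space:]]+/YOUR_PATH_TO_IFOLDER/' "$conf"; then
        echo "PLACEHOLDER: ClamukoIncludePath"; rc=1
    fi
    return "$rc"
}

# Constructed sample: the tip's settings, but with "User" left active
# and the include path not yet edited.
sample=$(mktemp)
cat > "$sample" <<'EOF'
LocalSocket /var/lib/clamav/clamd-socket
#TCPSocket 3310
#TCPAddr 127.0.0.1
VirusEvent /bin/echo "iFolder VIRUS ALERT: %v"
User vscan
ClamukoScanOnAccess
ClamukoScanOnOpen
ClamukoScanOnClose
ClamukoScanOnExec
ClamukoIncludePath /YOUR_PATH_TO_IFOLDER/ifolder/simias/SimiasFiles
ClamukoScanArchive
EOF
check_clamav_conf "$sample" || echo "config differs from the tip"
rm -f "$sample"
```

On the server itself, call check_clamav_conf /etc/clamav.conf instead of the sample file.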

Start clamd:
/etc/init.d/clamd start

Check that clamd was started without any errors:
tail -f /var/log/clamd

Download the EICAR test signature from:
http://www.f-secure.com/virus-info/eicar_test_file.shtml

Note!
This is not a real virus.

Run: tail -f /var/log/clamd

Save the test file (eicar.zip and/or eicar.com) in your iFolder and wait for sync.

When the virus pattern is detected, the detection is reported in the log file /var/log/clamd.

Check that a mail has been sent: tail /var/log/mail

Update ClamAV:
You can update ClamAV using the command: freshclam

A better way is to use the freshclam daemon for automatic updates.

Settings for freshclam: /etc/freshclam.conf

Edit /etc/freshclam.conf

  • Activate:
    # Path to the log file (make sure it has proper permissions)
    UpdateLogFile /var/log/freshclam.log


  • Activate and provide your country code:
    # Uncomment the following line and replace XY with your country code.
    DatabaseMirror db.se.clamav.net


  • Activate and provide update interval (e.g. 24 for every hour):
    # Number of database checks per day.
    Checks 24

Create a log file for freshclam:
touch /var/log/freshclam.log

Set file rights:
chown vscan:vscan /var/log/freshclam.log

Start freshclam:
/etc/init.d/freshclam start

Check the log file:
tail /var/log/freshclam.log

Activate automatic start for clamd, freshclam and postfix:

  • Start Yast2 (or run chkconfig)
  • Choose System -> Runlevel Editor -> Expert Mode
  • Activate clamd for runlevel 3 and 5
  • Activate freshclam for runlevel 3 and 5
  • Activate postfix for runlevel 3 and 5
  • Choose Finish to save your settings.

Now you have real-time antivirus scanning for your iFolder 3 server.

Note: This solution was tested on OES (Linux) SP2.

For more information

Novell documentation:

ClamAV:
http://www.clamav.net/

