Using Clam AntiVirus to Protect your iFolder 3 Server
Novell Cool Solutions: Tip
By Magnus Hoglund
Posted: 30 Jun 2006
Problem:
From the iFolder 3.x Security Administrator Guide:
"Because iFolder is a cross-platform distributed solution, there is a possibility of a virus infection on a platform migrating across the iFolder server to other platforms, and vice versa. You should enforce server-based virus scanning to prevent viruses from entering the corporate network."
Solution:
Use ClamAV as a real-time scanning antivirus solution.
Environment factors:
OES/Linux SP2
iFolder 3
ClamAV
Example:
Install required RPMs:
Start Yast2 and make sure these RPMs are installed.
postfix

clamav

km_antivir (dazuko module)

Execute modprobe dazuko (as root)
Run lsmod and check that dazuko is loaded:

Edit /etc/init.d/boot.local
- Add:
modprobe dazuko
Edit /etc/clamav.conf
- Activate:
# Path to a local socket file the daemon will listen on.
LocalSocket /var/lib/clamav/clamd-socket
- Deactivate:
# TCP port address.
#TCPSocket 3310
- Deactivate:
# TCP address.
#TCPAddr 127.0.0.1
- Activate and edit:
# Execute a command when virus is found.
VirusEvent /bin/echo "iFolder VIRUS ALERT: %v" | /bin/mail -s "ClamAV - iFolder" -r ClamAV@server.domain ToUser@domain
- Deactivate:
# Run as a selected user (clamd must be started by root).
#User vscan
Note:
If I did not deactivate "User vscan", I received the error: "clamuko cannot connect to dazuko" in /var/log/clamd
With the User line commented out, clamd keeps running as root.
- Add these lines:
# Clamuko RealTime Scanning
ClamukoScanOnAccess
ClamukoScanOnOpen
ClamukoScanOnClose
ClamukoScanOnExec
ClamukoIncludePath /YOUR_PATH_TO_IFOLDER/ifolder/simias/SimiasFiles
ClamukoScanArchive
Change any other settings in the file to reflect your needs (see ClamAV documentation).
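Before starting clamd, the edited file can be checked against the settings listed above. The script below is an added example, not part of the original tip; the function names is_active and check_clamd_conf are hypothetical, and it assumes only the directive names shown in this tip.

```shell
#!/bin/sh
# Added example: audit a clamd config against the settings in this tip.
# Usage: sh check_clamd_conf.sh /etc/clamav.conf   (script name is hypothetical)

# Succeeds if directive $2 appears uncommented in file $1.
is_active() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Prints one line per deviation; returns 0 only if none were found.
check_clamd_conf() {
    conf=$1
    problems=0

    # Directives the tip activates or adds.
    for d in LocalSocket VirusEvent ClamukoScanOnAccess ClamukoScanOnOpen \
             ClamukoScanOnClose ClamukoScanOnExec ClamukoIncludePath \
             ClamukoScanArchive; do
        if ! is_active "$conf" "$d"; then
            echo "MISSING: $d is not active"
            problems=$((problems + 1))
        fi
    done

    # Directives the tip deactivates: no TCP listener next to the local socket.
    for d in TCPSocket TCPAddr; do
        if is_active "$conf" "$d"; then
            echo "UNEXPECTED: $d is active"
            problems=$((problems + 1))
        fi
    done

    # The include path must exist; the tip's placeholder must be replaced.
    inc=$(sed -n 's/^[[:space:]]*ClamukoIncludePath[[:space:]]\{1,\}//p' "$conf" | head -n 1)
    if [ -n "$inc" ] && [ ! -d "$inc" ]; then
        echo "BAD PATH: ClamukoIncludePath $inc is not a directory"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Audit the file named on the command line, if one was given.
if [ "$#" -gt 0 ]; then
    check_clamd_conf "$1"
fi
```

A line such as "UNEXPECTED: TCPSocket is active" means clamd would still open a TCP listener in addition to the local socket.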
Start clamd:
/etc/init.d/clamd start
Check that clamd was started without any errors:
tail -f /var/log/clamd
Download the EICAR test signature from:
http://www.f-secure.com/virus-info/eicar_test_file.shtml
Note!
This is not a real virus.
Run: tail -f /var/log/clamd
Save the test file (eicar.zip and/or eicar.com) in your iFolder and wait for sync.
When the virus pattern is detected, the detection appears in the log file /var/log/clamd.

Check that a mail has been sent: tail /var/log/mail
Update ClamAV:
You can update ClamAV using the command: freshclam

A better way is to use the freshclam daemon for automatic updates.
Settings for freshclam: /etc/freshclam.conf
Edit /etc/freshclam.conf
- Activate:
# Path to the log file (make sure it has proper permissions)
UpdateLogFile /var/log/freshclam.log - Activate and provide your country code:
# Uncomment the following line and replace XY with your country code.
DatabaseMirror db.se.clamav.net - Activate and provide update interval (e.g 24 for every hour):
# Number of database checks per day.
Checks 24
Create a log file for freshclam:
touch /var/log/freshclam.log
Set file rights:
chown vscan:vscan /var/log/freshclam.log
Start freshclam:
/etc/init.d/freshclam start
Check the log file:
tail /var/log/freshclam.log

Activate automatic start for clamd, freshclam and postfix:
- Start Yast2 (or run chkconfig)
- Choose System -> Runlevel Editor -> Expert Mode
- Activate clamd for runlevel 3 and 5
- Activate freshclam for runlevel 3 and 5
- Activate postfix for runlevel 3 and 5
- Choose Finish to save your settings.



Now you have real-time antivirus scanning for your iFolder 3 server.
Note: This solution was tested on OES (Linux) SP2.
For more information
Novell documentation:
ClamAV:
http://www.clamav.net/
Reader Comments
- Great !
- Excellent!
- Excellent!
- Excellent tip, thanks !
- Very nice
