Add ClamAV to Exim4

A simple and quick guide to adding ClamAV to Exim4 on Debian 8.
Even after I added SpamAssassin, a lot of zip attachments still got past the filter, so a scanner was needed to also suppress these annoying spam mails.

Step 1

apt-get install clamav-daemon clamav-freshclam
dpkg-reconfigure clamav-freshclam
dpkg-reconfigure clamav-daemon

And answer the questions: choose daemon mode, TCP on 127.0.0.1 and port 3310 (the ClamAV default, and the port used in the av_scanner line below).
For everything else you can choose what you like.

If you are going with the unix-socket you need to do Step 2 as well.

Step 2 (unix-socket)

Check /etc/clamav/freshclam.conf and /etc/clamav/clamd.conf for AllowSupplementaryGroups and make it read:

AllowSupplementaryGroups true

Fix some permission issues (the clamav user joins the Debian-exim group, and the socket and scan directories become group-accessible):

adduser clamav Debian-exim
chown Debian-exim:Debian-exim /var/run/clamav
chmod g+rx /var/run/clamav
chown Debian-exim:Debian-exim /var/spool/exim4/scan
chmod g+rwx /var/spool/exim4/scan

Step 3

Configure Exim4: in /etc/exim4/exim4.conf.template, around line ~912, uncomment the malware check in the data ACL:

deny
malware = *
message = This message was detected as possible malware ($malware_name).

And enable ClamAV as the scanner around line ~158 by uncommenting the av_scanner line that matches the mode you chose in Step 1.
unix-socket mode:

av_scanner = clamd:/var/run/clamav/clamd.ctl

tcp mode:

av_scanner = clamd:127.0.0.1 3310

Step 4

service exim4 restart
service clamav-daemon restart

Restart both services and you are done.

Issues

On Debian there are a lot of permission issues I ran into while getting it to work. So the TCP solution would solve a lot of issues if you also encounter them with the unix-socket solution. You could also just run ClamAV as root (you can change the user when running dpkg-reconfigure), but this is not considered good practice. So in the end I settled on the solution listed below:

What I Ended Up With

Another quick fix (the one I'm using now) is to check what is inside the zip archive (99% of the virus spam consists of a single zip file) and discard the message if it contains a common virus (executable) extension.
Here is the script. You will need the unzip package; put the script in /usr/local/bin. Exim evaluates its exit status (1 = suspicious archive found, 0 = clean), not the yes/no it prints.

#!/bin/bash
# filename: zvscan.sh
# description: scan zip archives for executables, which in practice means virus spam
# usage: zvscan.sh <exim message id>
# exit 1 when a suspicious archive is found, exit 0 otherwise
set -u
dir="/var/spool/exim4/scan/${1}"
# the demime directory is created by exim; if it is missing there is nothing to scan
cd "${dir}" || { echo "$(date) cannot enter ${dir}" >> /var/log/zvscan.log; exit 0; }
echo "$(date) scanning mail ${1}" >> /var/log/zvscan.log
# match any attachment whose name contains ".zip", case-insensitively, without
# word-splitting on filenames that contain spaces
shopt -s nullglob nocaseglob
for i in *.zip*
do
    # list the archive contents and look for member names ending in an
    # executable or script extension (case-insensitive, anchored at end of line)
    if unzip -l "${i}" | grep -Eiq '[.](js|bat|btm|cmd|com|cpl|dat|dll|exe|lnk|msi|pif|prf|reg|scr|vb|vbs)$'
    then
        echo "$(date) found virus in ${i}" >> /var/log/zvscan.log
        echo 'yes'
        exit 1
    fi
done
echo 'no'
exit 0

If you are going to log, make sure the log file has the right permissions, because the script runs as the Exim user rather than as root. A world-writable file is the quick fix; a less permissive alternative is to make the file owned by the Debian-exim user with a tighter mode.

touch /var/log/zvscan.log
chmod 666 /var/log/zvscan.log

Now add this entry to your /etc/exim4/exim4.conf.template, above the virus scanner lines around line ~900. The ${run} expansion yields "no" when the script exits 0 and "yes" when it exits non-zero, so the deny only fires for archives the script flagged:

deny
message = This message contains a virus (malware).
demime = zip
condition = ${run{/bin/sh -c '/usr/local/bin/zvscan.sh $message_exim_id'}{no}{yes}}

# Bonus to reject other virus stuff
deny
message = Attachment has unsupported file format .$found_extension. try text, PDF or ODF instead.
demime = bat:btm:cmd:com:cpl:dat:dll:exe:lnk:msi:pif:prf:reg:scr:vb:vbs:js:docm

...and restart Exim.
The "This message..." reject line is compatible with fail2ban (exim-spam), but I will explain more about fail2ban later.
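To see what the two deny rules above actually catch, here is an added example (my own, not part of the original post) that reuses the extension regex from zvscan.sh and the extension list from the bonus demime rule, and runs them over constructed "unzip -l" style listings and attachment names. It needs neither Exim, unzip nor the mail spool, so it can be run anywhere; the listings and file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example: exercise the extension checks behind the zvscan.sh script and the
# bonus demime deny rule on constructed data (no exim, unzip or spool needed).

# Same extension pattern zvscan.sh greps for in "unzip -l" output.
EXEC_EXT_RE='[.](js|bat|btm|cmd|com|cpl|dat|dll|exe|lnk|msi|pif|prf|reg|scr|vb|vbs)$'

# Same list as the post's bonus "demime = ..." deny rule.
DEMIME_BLOCK='bat:btm:cmd:com:cpl:dat:dll:exe:lnk:msi:pif:prf:reg:scr:vb:vbs:js:docm'

# has_executable_member: read an "unzip -l" style listing on stdin and succeed
# (exit 0) when at least one member name ends in an executable extension.
# The match is case-insensitive and anchored at end of line, so a double
# extension such as invoice.pdf.EXE is still caught.
has_executable_member() {
    grep -Eiq "$EXEC_EXT_RE"
}

# blocked_extension NAME: succeed when NAME's final extension is in the demime
# block list, which is what the second deny rule does for top-level attachments.
blocked_extension() {
    name="$1"
    ext="${name##*.}"
    # a name without any dot has no extension at all
    [ "$ext" != "$name" ] || return 1
    ext=$(printf '%s' "$ext" | tr '[:upper:]' '[:lower:]')
    case ":${DEMIME_BLOCK}:" in
        *":${ext}:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# scan_listing LISTING: prints the same yes/no and uses the same exit codes as
# zvscan.sh, so the ${run}{...}{no}{yes} mapping in the ACL can be reasoned about.
scan_listing() {
    if printf '%s\n' "$1" | has_executable_member; then
        echo yes
        return 1
    fi
    echo no
    return 0
}

# Constructed listing: the typical spam archive, one script disguised as a document.
SPAM_LISTING='Archive:  invoice.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
    12345  2015-09-01 10:00   invoice_2015.pdf.EXE
---------                     -------
    12345                     1 file'

# Constructed listing: a harmless archive containing documents only.
CLEAN_LISTING='Archive:  photos.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
   204800  2015-09-01 10:00   holiday.jpg
     4096  2015-09-01 10:01   notes.txt
---------                     -------
   208896                     2 files'

# Demonstration run (exit codes swallowed so the script itself exits cleanly).
scan_listing "$SPAM_LISTING" || true     # prints: yes
scan_listing "$CLEAN_LISTING"            # prints: no
blocked_extension macro.DOCM && echo 'macro.DOCM would be rejected by the demime rule'
blocked_extension report.pdf || echo 'report.pdf passes the demime rule'
```

A "yes" from scan_listing corresponds to the script exiting 1, which ${run} turns into the "yes" branch and therefore a deny; the clean listing exits 0 and the message is accepted. The demime check only looks at the final extension of the top-level attachment, which is why the zip inspection is still needed for archives.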

In the end this did the trick for me, and I removed the virus scanner to save resources and avoid the permission issues :-)