The Apple-supported use of clamav is as a scanner adjunct to its mail server. See http://developer.apple.com/server/virusfiltering.html for Apple's server suggestions. This article is largely about using clamav for desktop/end-user support, based on the work of Mark Allan, who released ClamXav.

An Anti-Virus Strategy by Steven Kolins
    Use a free scanner to alert and/or do some quarantining, and a commercial product in a few places to clean (via netboot or a portable firewire drive).
    ClamXav as the free scanner and using it in a systematic way is the subject of this webpage.

First you have to decide how you want to use ClamXav itself and its options.

You can run ClamXav manually, and it can scan (alert or quarantine) anything you have read access to, but it will refuse to scan the entire boot volume, which isn't necessary in this age (yet, anyway). Given the right permissions (not the default) an admin could scan the entire Users folder. Of course the quarantine folder might need permissions set so that non-admins cannot open it; a drop folder/write-only setting via apple+i will do that. The big advantage of something like this is that it scans all sub-folders. The big disadvantage is that it's manual: nothing keeps a virus from spreading in between manual runs.

You can save a scheduled scan based on the manual scan so that it runs as a cron job. Note that the job will not quarantine automatically unless the check box is checked. The same command line can also be used by ARD via "Send a unix command"; whether or not it quarantines, ARD will see an error if clamav reports a virus (not how many, just an error code if one is found). So at least you know which machines to go clean up. If you quarantine, the infected files are all in one place, but you may have to figure out where they came from. If the home folders are on servers... well, that's another story I've yet to write up.
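Since ARD only sees the scanner's exit status, a small wrapper around the scheduled scan can report the host name and infected-file count in the same run. The script below is an added example, not code from the article or from ClamXav; it assumes clamscan lives beside freshclam in /usr/local/clamXav/bin and that the quarantine folder is the one set up in the image recipe later on this page. clamscan exits 0 when clean, 1 when something was found and 2 on error, which is the "error code" ARD reports.

```shell
#!/bin/sh
# Added example (not code from the article or from ClamXav): a wrapper for the
# scheduled/ARD scan. clamscan exits 0 when clean, 1 when something was found and
# 2 on error; ARD only shows that status, so this prints a one-line summary with the
# host name and the number of infected files as well. Paths are assumed to follow
# the article: engine in /usr/local/clamXav, quarantine folder under Utilities.

CLAMSCAN=${CLAMSCAN:-/usr/local/clamXav/bin/clamscan}                  # assumed location of clamscan
QUARANTINE=${QUARANTINE:-/Applications/Utilities/ClamXav/Quarantine}   # folder from the image recipe

# explain_rc CODE: turn a clamscan exit status into a word for the report
explain_rc() {
  case $1 in
    0) echo clean ;;
    1) echo infected ;;
    2) echo error ;;
    *) echo "unknown($1)" ;;
  esac
}

# count_found: count the "<file>: <signature> FOUND" lines clamscan prints (read from stdin)
count_found() {
  grep -c ' FOUND$' || true
}

# scan_and_report TARGET [quarantine]: scan TARGET recursively (-r), list only infected
# files (-i), move them to the quarantine folder when asked (--move), then print
# "<host>: <n> infected (<status>)" and return clamscan's own exit code so ARD
# still flags the machine.
scan_and_report() {
  target=$1
  mode=${2:-report}
  if [ "$mode" = quarantine ]; then
    out=$($CLAMSCAN -r -i --move="$QUARANTINE" "$target" 2>&1)
  else
    out=$($CLAMSCAN -r -i "$target" 2>&1)
  fi
  rc=$?
  n=$(printf '%s\n' "$out" | count_found)
  host=$(hostname 2>/dev/null || echo unknown-host)
  printf '%s: %s infected (%s)\n' "$host" "$n" "$(explain_rc "$rc")"
  return "$rc"
}
```

Pushed out through "Send a unix command" as `sh /path/to/scan-report.sh /Users quarantine`, the summary line shows up in the ARD result pane next to the non-zero status, so you know both which machine and how many files without opening the log.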

Lastly you can have ClamXav run in Sentry mode. The situation here is the reverse of the manual scan: it's automatic, but it doesn't scan any subfolders of the defined place to watch. So you can have it watch a user's folder, but it won't scan nested folders. A good target would be the Microsoft User Data folder in their Documents folder (where the Normal file lives with Office 2004, the first target of macro viruses); once it is infected and thus a new file, Sentry catches it and an alert pops up on the screen. Perhaps this could be done for teachers and administrators.


Installing by image or rolling it out in a live setup

ClamXav can be had here. If you are adding this as part of an image, well and good.

Here's a snippet of our recipe for setting up images. As always, such directions must adapt over time to new versions and implementation choices; this is just meant as a guide:

1)    Log onto the Tech File Server and get ClamXav 1.0.1, the updated compilation of the engine, and fixpermissions.command

a) Install ClamXav 1.0.1; it installs the original engine.
b) Replace /usr/local/clamXav with the engine update.
c) Adapt freshclam.conf with detailed settings if known.
d) Set permissions with fixpermissions.command.

2)    Make a folder in Applications/Utilities called ClamXav, and in that folder make a folder called Quarantine.

3)    Use apple+i to make the privileges on Quarantine <original admin> r/w, <admin> r/w, everyone write only.

4)     Launch ClamXav again (on this launch or the next, when prompted to donate, check the "already donated" box).
a)     Confirm the engine version at the bottom of the ClamXav display.
5)     Set Preferences in original admin:

a)    General   check both logs, Quarantine (point it back to the folder set up for the purpose), alert, and monitor
b)    Internet  no entries (see below for the explanation)
c)    Schedule
(i)    unlock with admin pw and set Updates to 6:45am everyday.
(ii)    Where necessary set Scan for 7am.
(iii)    You must click "save schedule settings". If you later wish to change this, after unlocking you must click "load schedule settings" to see them (they aren't shown automatically).
d)    From the File menu, select "Choose what to scan" and select the place that should be scanned by the schedule (/Users, but this depends on permissions; you cannot set /Macintosh HD).

6)    Confirm functionality by updating the virus definitions.

7)    Quit.

8) Later, when setting up each user, set the Sentry preferences to launch on login,
especially for /Desktop, /Documents, /Documents/Microsoft User Data, /Library/Caches/Firefox/profiles/<funny name>.default/Caches/ and similar locations in each user's home folder.

If you are rolling out ClamXav in a live setup there's a different tack to take.
First and foremost you have to have Java 1.4.x loaded, so OSes older than about 10.3.5 need to be updated, and newer OSes still have to have 1.4.x loaded.
If you are going to roll out an installation there are some other steps one must take for ARD to succeed. If you examine the contents of ClamXav under Resources there is a package installer for the back-end engine, as well as some commands that alter the user list and groups so that clamav can run appropriately in the unix background. That package can be pushed out via ARD as a package install.

It will install an older engine (currently 0.88.2).
To update the engine, something like this discussion may prove useful. Here's the current script. If you manually replace the /usr/local/clamXav/ folder with the recompiled version you need to reset the permissions. This script can do that (another version is included with ClamXav's dmg file). As far as I know a compiled engine is good for that version of the OS. Make sure you set freshclam.conf as needed; see the discussion below.

Choose your scheme for scanning: Sentry, cron job, or manual. You have to ARD out /usr/local/clamXav, the main application and/or its folder, the quarantine folder if needed, and the following per user: loginwindow.plist and uk.co.markallan.clamxav.plist (for the current version of ClamXav). Note that if your ARD mom has already run a scan and you are keeping a log via ClamXav, then you must include the per-user log in the ARD job, as ClamXav will object that it can't append to the existing log (from a manual scan) if it's not there.


Handling updating virus definitions
First let me note that there is a potentially serious conflict between running ClamXav on a 10.4 server and using the clamav setup included for scanning email with Apple's server. A later iteration of this web page will try to work out a comfortable way both can be done. But as things stand, assume this will BREAK the virus scanning capacity of the email service on Apple Tiger (or newer?) servers.

Now updates, virus definition updates that is. It's impractical and impolite for a school full of computers on a WAN connection to all fetch their updates at the same time. On the other hand, getting current definitions can be very important, though maybe not in every case. So there are a few options here: don't allow updates, only allow manually picked updates, or automate most updates. The first two are fairly obvious, but the last requires a lot of work. The proper thing to do is to have the update pre-positioned, ultimately on the school campus LAN. You need a web server that can run the clam command-line freshen routine. No URL needs to be declared for the virus definition files. The clamav documentation recommends running as an alternate user. This is the command line:

/usr/local/clamXav/bin/freshclam -u root --datadir=/Library/WebServer/Documents/ --log="/usr/local/clamXav/share/clamav/freshclam.log"


However, should an error arise, the log file (if kept) will enter an in-between state and stop allowing updates to arrive until that log is reset. And since you are running as root, well, it just seems unnecessarily complicated. I have taken to the practice of making the web server's main document folder r/w for the clamav user by way of the Access Control List (ACL) of Tiger Server. In Panther Server I've had to adjust by giving the clamav user r/w access through either owner or group privileges, as preferred in the particular circumstances. If you are running with Open Directory, the clamav user is in the local NetInfo domain, not the LDAP parent domain.
So for that alteration just drop the "-u root" part of the command. It will place main.cvd (typically 4MB) and daily.cvd (typically 256KB), and sometimes a marker file to note the success of the process. While the update is running, a file of similar name but with a long string of numbers and/or letters will be present. This command can be a cron job running from the admin account of the server (it doesn't have to run as root; see the syntax of the freshclam command for details). See http://www.clamav.net/doc/mirrors/clamav-mirror-howto.pdf for detailed comments on updating; they are speaking specifically of being a public mirror, but much of the work applies to a private mirror (though they also get into security issues on making sure the update is legit, probably something good for the head server). Also read http://wiki.clamav.net/index.php/freshclam about some best practices. Several of these statements are also at http://www.clamav.net/faq.html#pagestart under FAQ #10. There is some very specific timing mentioned at http://www.clamav.net/doc/0.85.1/html/node21.html: "[updates minutes] should be a number between 3 and 57 of your choice. Please don't choose any multiple of 10, because there are already too many clients using those time slots". I recommend setting up an update location per school system; from there updates are downloaded to each school's server and from there to the clients. Once it's in your school it's a matter of whether your LAN and server can support the downloads for everyone at the same time or whether you need to stagger them more.
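The mirror routine just described, written up as an added example (it is not the article's own script and not part of ClamAV): a cron wrapper that runs freshclam into the web server's document folder as the invoking user, moves the log aside when a run fails so the next run is not blocked by the in-between state mentioned above, and then checks that main.cvd and daily.cvd are in place with no half-finished download left behind. The --datadir and --log options are the ones used in the command above; the paths are the article's and are assumptions for any other setup.

```shell
#!/bin/sh
# Added example, not part of the original article or of ClamAV/ClamXav.
# Keeps a private freshclam mirror folder healthy: runs freshclam against the
# web server's document folder, resets the log when an update fails (a failed run
# can leave the log in a state that blocks later updates), and checks that
# main.cvd and daily.cvd are present with no partial download lying around.
# Assumed paths follow the article: engine in /usr/local/clamXav, mirror in
# /Library/WebServer/Documents.

FRESHCLAM=${FRESHCLAM:-/usr/local/clamXav/bin/freshclam}
MIRROR_DIR=${MIRROR_DIR:-/Library/WebServer/Documents}
LOG=${LOG:-/usr/local/clamXav/share/clamav/freshclam.log}

# mirror_status DIR: print one line per expected database file and one per leftover
# partial download; return 0 only when both databases exist and nothing is half-done.
mirror_status() {
  dir=$1
  ok=0
  for db in main.cvd daily.cvd; do
    if [ -s "$dir/$db" ]; then
      echo "$db: present"
    else
      echo "$db: MISSING"
      ok=1
    fi
  done
  # freshclam downloads into a file named after the database plus a random suffix;
  # one still lying around means an update is running or was interrupted
  for f in "$dir"/main.cvd?* "$dir"/daily.cvd?*; do
    [ -e "$f" ] || continue
    echo "partial download left behind: ${f##*/}"
    ok=1
  done
  return $ok
}

# update_mirror: run freshclam into the mirror folder as the invoking user (no -u root),
# move the log aside on failure so the next cron run can proceed, then verify the folder.
update_mirror() {
  if $FRESHCLAM --datadir="$MIRROR_DIR" --log="$LOG" >/dev/null 2>&1; then
    mirror_status "$MIRROR_DIR"
  else
    echo "freshclam failed; moving $LOG aside so the next run is not blocked" >&2
    [ -f "$LOG" ] && mv "$LOG" "$LOG.failed.$(date +%Y%m%d%H%M%S)"
    return 2
  fi
}
```

Run `update_mirror` from the server admin's crontab at the staggered minute you picked; `mirror_status /Library/WebServer/Documents` on its own is a quick sanity check before pointing the school servers at the mirror.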

For the main server, the freshclam.conf file would read:

DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.XY.clamav.net (replace XY with your country code, e.g. US for the United States)
MaxAttempts 3
Checks 12

Run it at, say, the 13th minute of every hour, or at 3 or 5 hour intervals, depending on how quickly you need to catch new viruses.

For the school server it would read:

DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror you.main.server.k12.<state>.us
MaxAttempts 3
Checks 12

Run it at about the 15th minute of every hour, or every 3 or 5 hours.

And for the desktops:

DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror your.school.server (or ipaddress)
MaxAttempts 3
Checks 12

Run it at about the 23rd minute for some 30-ish machines, then the 45th for the next 30, and so on; scale the intervals based on your school's network dynamics. Or just update once a day if you don't need updates so often.
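To tie the three configuration fragments and the staggering advice together, here is an added example (not the article's or ClamXav's code) that prints the freshclam.conf for any tier of the chain and picks a cron minute for each client group that stays between 3 and 57 and off the multiples of 10, as the ClamAV note quoted above asks. The host names are placeholders, and the freshclam.conf path in the cron line is an assumption; the config keys are the ones the article shows and --config-file is a standard freshclam option.

```shell
#!/bin/sh
# Added example, not from the original article. Generates the three freshclam.conf
# variants the article describes (head server, school server, desktop) and picks a
# staggered cron minute for each client group so a building full of Macs does not
# hit the school server at the same moment. Host names and the config path are
# placeholders/assumptions.

# freshclam_conf TIER MIRROR: print a freshclam.conf for one tier of the chain.
# The head server pulls from a public db.XY.clamav.net mirror; lower tiers name
# the server above them, so only the head ever talks to the Internet.
freshclam_conf() {
  tier=$1
  mirror=$2
  case $tier in
    head|school|desktop) ;;
    *) echo "unknown tier: $tier" >&2; return 1 ;;
  esac
  cat <<EOF
# $tier tier
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror $mirror
MaxAttempts 3
Checks 12
EOF
}

# stagger_minute N: map a client or group index to a minute in 3..57 that is not a
# multiple of 10 (the ClamAV advice quoted in the article); consecutive indices land
# seven minutes apart, so groups spread across the hour instead of piling up on it.
stagger_minute() {
  m=$(( 3 + ($1 * 7) % 55 ))
  while [ $((m % 10)) -eq 0 ]; do m=$((m + 1)); done
  echo "$m"
}

# cron_line N HOURS: the crontab entry for group N; HOURS is the hour field, e.g.
# '*/3' for every third hour (what Cronnix would be used for on the desktops) or
# '6' for once a day. The config path is an assumed location.
cron_line() {
  printf '%s %s * * * /usr/local/clamXav/bin/freshclam --config-file=/usr/local/clamXav/etc/freshclam.conf\n' \
    "$(stagger_minute "$1")" "$2"
}
```

`freshclam_conf desktop your.school.server > freshclam.conf` produces the desktop fragment shown above, and `cron_line 3 '*/3'` gives the entry for the fourth group of machines; with the page's numbers (head at :13, school at :15) the desktop groups fall on :03, :11, :17, :24 and so on, all clear of the mirror's own update slots.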

If you want to run updates more often than at one set hour/minute (as mentioned above, e.g. every 3rd hour), set the schedule in ClamXav and then use Cronnix to set multiple hours. Note that ClamXav may only report the first of such hours, or none at all (only the application defaults).


To Proxy or not to Proxy

Above I mention not setting the proxy in ClamXav. This depends heavily on how you are going to handle the updates. If you set the proxy inside ClamXav, it will set the proxy inside freshclam.conf and the freshclam command will dutifully seek its updates through it. But if you are updating from a local server, setting the ClamXav proxy forces the update from your school server to travel back out through your proxy to get to your local desktop. Instead, what I think makes more sense for the desktop is no proxy in ClamXav, and a proxy bypass for your server set in System Preferences. ClamXav will then use the System Preferences proxy for checking with the internet on what versions are current, and not use the proxy for actually downloading the update! A curious state of affairs, but there it is. Of course your servers may require a proxy setting, depending on your security profile.

Oh yes. Since this is a rather complex system ultimately designed to check for viruses, you might as well pick up one for testing purposes. I suggest the EICAR test file: http://www.eicar.org/anti_virus_test_file.htm .