File: README.Debian

clamav 0.101.4+dfsg-0+deb9u1
  • area: main
  • in suites: stretch
  • size: 29,564 kB
  • sloc: ansic: 158,978; sh: 8,178; cpp: 5,173; makefile: 2,088; yacc: 1,351; lex: 714; python: 120; perl: 17
DOCUMENTATION

  Non-Debian documentation has been removed (i.e. how to install on UnixXXX,
  etc.).  The original documentation is still available in the source
  package. Download the source using the command 'apt-get source clamav'.

CONFIGURATION
  There are several changes made to the default configuration provided by
  upstream.  Both the autogenerated configuration files and the ones
  shipped under examples/ have been edited to provide FHS compliant paths
  for things like logfiles, pidfiles, and sockets.  The autogenerated
  configuration files additionally contain some non-default values, as I
  feel the upstream defaults do not provide the 'out of the box'
  arrangement most suited to the average user.

  In particular, I believe the following choices are more suited to most
  default configurations than the upstream defaults:
    FixStaleSocket
      This removes a socket file left over from a previous clamd that had
      an unclean shutdown.  This allows for easier restarting.
    LogFileMaxSize
      Setting this to 0 disables truncation of the logfile.  As the default
      Debian configuration uses logrotate, this is not an issue except on
      severely disk constrained systems.
    DetectBrokenExecutables
      This will pick up many viral fragments that are likely not harmful
      in and of themselves, but may cause end users to worry that they
      received something their A/V scanner identifies.
    ArchiveBlockMax
      This makes the assumption that if you are setting the various
      Archive* options, you would rather block than pass through if one of
      those conditions is met.

  All ClamAV configuration files (in other words, all files under /etc/)
  are handled by ucf, as they are dynamically generated.  If you want
  to affect ucf's behavior with regard to conffile handling, please see
  /etc/ucf.conf or ucf(1).

CLAMAV-DAEMON

  CONFIG FILE HANDLING

   Configuration handling for clamav-daemon has debconf support. During
   install the default values stored in debconf-template are used to
   create a configuration file. Due to the complexity of configuring the
   daemon no questions are asked during install. If you want to change this
   configuration you have two options:

   1. 'point-and-click' re-configuration using debconf
      The vast majority of options can be accessed by running
      'dpkg-reconfigure clamav-daemon'

      Clamav-daemon's configuration is quite complex. However its full
      complexity shouldn't be felt by users since the majority of the
      questions already have sensible defaults.

   2. The package also handles manual editing of its configuration file,
      /etc/clamav/clamd.conf, gracefully.

   While it's possible to mix debconf and manual editing, it isn't
   recommended, since it can lead to confusing results. Debconf attempts to
   respect any changes you have done manually in /etc/clamav/clamd.conf.
   Every care has been taken to make sure your changes are preserved over
   upgrade, but if you are going to manage your conf file manually, please
   take a moment and run dpkg-reconfigure clamav-daemon, and answer no to
   debconf management.

   Just running dpkg-reconfigure clamav-daemon won't reset
   /etc/clamav/clamd.conf to a debconf generated configuration
   file. If you want to discard all your manual changes just run 'ucf -p
   /etc/clamav/clamd.conf;dpkg-reconfigure clamav-daemon'

  WARNINGS

   The ScanMail option has stabilized somewhat over previous releases, and
   is now enabled by default.  However, this is where the bulk of libclamav's
   bugs lie.  This is largely due to the arms race nature of trying to keep
   up with virus writers' interesting ideas about MIME, and certain MUAs'
   willingness to go along with those ideas.  Caveat emptor, you have been
   warned.

   As of version 0.71-1, clamd will no longer run as root by default.  This
   decision was made due to the fact that it is still pre-1.0 software, and
   there are still many bugs to be worked out.  This decision can be
   overridden by editing /etc/clamav/clamd.conf, and changing User to the
   value desired.  This decision will help isolate your system from any
   flaws in clamd (see http://bugs.debian.org/247574 for an example of a
   problem caused by clamd following symlinks in an archive), but will mean
   some compromises in functionality.

   In case you happen to have the TMPDIR variable set in your root environment,
   please make sure that TemporaryDirectory is set to something sane in
   /etc/clamav/clamd.conf (the Debian packages default to /tmp), as otherwise
   clamd will fail to operate after changing its user id as noted above.

  MTA INTEGRATION

   SENDMAIL

   So long as sendmail can write to clamav-milter's socket, the rest
   of the communication is handled between the milter and clamd, and
   permissions are not a problem.  apt-get install clamav-milter, and
   see the configuration instructions for CLAMAV-MILTER found below.

   EXIM4

   Exim4 users will want to either run clamd as User Debian-exim, so clamd
   has read and write permissions on the scan/ directory, or (better)
   add clamav to group Debian-exim. You may also need to ensure the scan/
   directory is group writable (on Debian systems, this is
   /var/spool/exim4/scan).

   To enable clamav in the Debian exim4 packages, add
   av_scanner = clamd:/var/run/clamav/clamd.ctl
   (or if you've chosen tcp sockets)
   av_scanner = clamd:127.0.0.1 3310
   to the main configuration settings (a new file under
   /etc/exim4/conf.d/main/ if split config is being used).

   Then add the following to your data time acl:

   deny  message = This message contains a virus: ($malware_name) please scan your system.
         malware = *

   (The data acl is defined in /etc/exim4/conf.d/acl/40_exim4-config_check_data
   by default if split config is being used)

   AMAVIS

   Amavis variants can achieve the same functionality by adding the clamav
   user to the amavis group.

   POSTFIX

   Recent versions of postfix have support for milters.  This allows
   clamav-milter to be used reasonably well with postfix, although group
   permissions on the actual socket can be a problem.
   See the end of the CLAMAV-MILTER section below for some details.

   Other MTAs I am not as familiar with, but the same principles apply -
   clamav needs read and write access to the directory where messages are
   unpacked (as is the case with amavis and exim4), and the MTA needs
   read/write permissions to clamav's socket file, if it is run listening
   to a unix socket rather than a network socket.

   By default, Postfix in Debian runs in a chroot, so the default Unix socket
   location for clamav-milter will not work with it.  To resolve this issue,
   either unchroot Postfix, change the clamav-milter socket to an inet socket,
   or change the Unix socket path to the location in the chroot (/var/spool/
   postfix).

  ERRATA

   For those who use clamav-daemon primarily for system scans (although
   since clamd detects largely MS viruses, the utility of doing this on
   a regular basis is somewhat limited in most linux-only environments),
   there is probably no alternative but to run clamd as User root or
   use clamscan (see below).  If you are doing this, I highly suggest
   running it listening on a Unix socket, and restricting read/write
   permissions to it to prevent unauthorized access.  In these
   circumstances, running clamscan instead is probably safer as the
   overhead of per-instance database loading is vastly outweighed by the
   length of the scan, and it eliminates running a daemon as root.
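
   The socket advice above, written as a check that can be run against a
   clamd.conf.  This is an added example, not part of the Debian package or
   of upstream ClamAV.  It assumes clamd is started as root when no User
   directive is present; TCPSocket and LocalSocketMode are clamd.conf
   options this README does not name, and the finding labels are made up
   for the example.

```shell
#!/bin/sh
# Added example: flag clamd.conf settings that leave a root-run clamd
# reachable by every local user or over TCP.

# audit_clamd_conf FILE: print one finding per line, nothing if clean.
# The finding labels (ROOT_TCP, ...) are invented for this example.
audit_clamd_conf() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }     # skip comments and bare keywords
        { opt[$1] = $2 }                  # directives are "Name value"
        END {
            # Assumption: with no User directive clamd stays root, because
            # it keeps the identity the init script started it with.
            user = ("User" in opt) ? opt["User"] : "root"
            if (user != "root") exit 0
            if ("TCPSocket" in opt)
                print "ROOT_TCP port=" opt["TCPSocket"]
            if ("LocalSocket" in opt) {
                # Without LocalSocketMode the socket is world accessible.
                mode = ("LocalSocketMode" in opt) ? opt["LocalSocketMode"] : "666"
                other = substr(mode, length(mode), 1) + 0
                if (other % 4 >= 2)       # write bit set for "other"
                    print "ROOT_SOCKET_WORLD_WRITABLE mode=" mode
            }
        }
    ' "$1"
}

# Constructed sample: root clamd, TCP listener, socket left at default mode.
sample=$(mktemp)
cat > "$sample" <<'EOF'
User root
LocalSocket /var/run/clamav/clamd.ctl
TCPSocket 3310
EOF
audit_clamd_conf "${1:-$sample}"
rm -f "$sample"
```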

   As of 0.75-1, there is support for running both clamd and clamav-milter
   under daemon.  Just install daemon, and add Foreground to clamd.conf.
   Beware that this affects both clamd and clamav-milter; it is not
   either/or.

   Note also that the clamd package contains an empty directory
   /etc/clamav/virusevent.d/  Admins and other packagers are encouraged to
   use this directory to store scripts that should be executed after a virus
   is detected.  To enable the feature, you will have to add:

   VirusEvent /bin/run-parts --lsbsysinit /etc/clamav/virusevent.d/

   to /etc/clamav/clamd.conf

CLAMSCAN

  It has the same flaws as clamav-daemon when it comes to handling mbox
  attachments (the code with the bugs is in the library).  The results of
  such bugs are not as severe in clamscan, since it is completely restarted
  on each invocation, whereas clamd may be taken down by the same bug.  If you do
  a high number of scans (for example, a separate scan for each received
  email), then clamd may better suit your needs.  If you are doing full
  system scans, then there is no noticeable performance benefit to the daemon,
  and you can easily substitute clamscan, and eliminate the need to run clamd
  as root.


CLAMAV-FRESHCLAM

  Clam Antivirus doesn't support the oav-database anymore. The freshclam
  auto updating setup is much simpler than the oav counterpart.

  The clamav-freshclam package includes virus databases, but these
  are only used if fresh ones cannot be downloaded directly from the
  database servers, or if you do not have them already in place (e.g.,
  from the clamav-data package).

  If you don't have Internet access you should install the clamav-data
  package, which contains a static database. You can even (re)create
  a clamav-data package yourself from an Internet connected computer
  using the clamav-getfiles package.  Note that this feature will likely
  be phased out in the future - freshclam already verifies digital
  signatures on the databases, and it may refuse to load an unsigned one.
  Hopefully at that point, though, there will be a better mechanism to
  self-sign databases, and feed the correct signature to freshclam.

  Note also that the freshclam package contains the empty directories
  /etc/clamav/onupdateexecute.d and /etc/clamav/onerrorexecute.d.
  Admins and other packagers are encouraged to use these directories to store
  scripts that should be executed after an update or an error.  To enable
  the feature, you will have to add to /etc/clamav/freshclam.conf:

  OnUpdateExecute /bin/run-parts --lsbsysinit /etc/clamav/onupdateexecute.d/
  OnErrorExecute /bin/run-parts --lsbsysinit /etc/clamav/onerrorexecute.d/
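
  The hook directories named here and in the clamav-daemon ERRATA
  (virusevent.d) are all run through run-parts --lsbsysinit, which silently
  skips files whose names fall outside the namespaces listed in
  run-parts(8), for example anything ending in ".sh".  The following audit
  script is an added example, not part of the Debian package; the function
  names and the RUN/SKIPPED/UNSAFE labels are made up for it.

```shell
#!/bin/sh
# Added example: which files in a ClamAV hook directory would
# "run-parts --lsbsysinit" execute, and are any of them writable by others?
LC_ALL=C; export LC_ALL    # keep the [a-z] ranges byte-wise

# lsb_name_ok NAME: true if NAME passes the --lsbsysinit rules in run-parts(8).
lsb_name_ok() {
    case $1 in
        *.dpkg-old|*.dpkg-dist|*.dpkg-new|*.dpkg-tmp) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq \
        -e '^[a-z0-9]+$' \
        -e '^_?([a-z0-9_.]+-)+[a-z0-9]+$' \
        -e '^[a-zA-Z0-9_-]+$'
}

# audit_hooks DIR: print "STATUS name" for every regular file in DIR.
#   RUN      run-parts executes it and only the owner can modify it
#   SKIPPED  run-parts ignores it (name rejected or not executable)
#   UNSAFE   run-parts executes it, but group or others can rewrite it
audit_hooks() {
    dir=$1
    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        if ! lsb_name_ok "$name" || [ ! -x "$path" ]; then
            echo "SKIPPED $name"
        elif [ -n "$(find -H "$path" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "UNSAFE $name"
        else
            echo "RUN $name"
        fi
    done
    return 0
}

# With no arguments, audit the three hook directories this README names.
[ "$#" -gt 0 ] || set -- /etc/clamav/virusevent.d \
    /etc/clamav/onupdateexecute.d /etc/clamav/onerrorexecute.d
for d in "$@"; do
    audit_hooks "$d"
done
```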

CLAMAV-MILTER

  Configuration instructions:

  Installations for Debian:
  New option, contributed by Elrond <elrond+bugs.debian.org@samba-tng.org>:

  Add to /etc/mail/sendmail.mc:
  include(`/etc/mail/m4/clamav-milter.m4')dnl

  and run sendmailconfig.

  Otherwise:

  Add to /etc/mail/sendmail.mc:
  INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav-milter.ctl, F=, T=S:4m;R:4m')dnl
  define(`confINPUT_MAIL_FILTERS', `clamav')

  Check entry in /etc/clamav/clamd.conf of the form:
  LocalSocket /var/run/clamav/clamd.ctl

  If you already have a filter (such as spamassassin-milter from
  http://savannah.nongnu.org/projects/spamass-milt) add it thus:
  INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav-milter.ctl, F=, T=S:4m;R:4m')dnl
  INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')
  define(`confINPUT_MAIL_FILTERS', `spamassassin,clamav')dnl

  and run sendmailconfig.

  You may find INPUT_MAIL_FILTERS is not needed on your machine, however it
  is recommended by the Sendmail documentation and I recommend going along
  with that.

  I suggest putting SpamAssassin first since you're more likely to get spam
  than a virus/worm sent to you.

  As of 0.96, clamav-milter will take care of making the socket
  writable for a group.  This is done by setting MilterSocketGroup and
  MilterSocketMode to useful values in your /etc/clamav/clamav-milter.conf
  (for instance, "postfix" and "0664", respectively).

APPARMOR PROFILES
  
  If your system uses apparmor, please note that the shipped enforcing profile
  works with the default installation, and changes in your configuration may
  require changes to the installed apparmor profile. Please see
  https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this
  software.

  In particular, clamav-daemon runs as its own user and is confined from
  accessing all but a limited set of files.  These include the home directory
  of the user calling clamav-daemon, but not system files.  If you want to
  scan files outside of your home directory, the apparmor profile will need to
  be updated.

  The freshclam utility is also protected by an enforcing profile. If you
  want to add files to the /etc/clamav/onerrorexecute.d,
  /etc/clamav/onupdateexecute.d, or /etc/clamav/virusevent.d directories,
  appropriate rules need to be added to the apparmor profile.

  If you prefer to fully disable AppArmor confinement for
  clamav-daemon or freshclam, run respectively:

    aa-disable /usr/sbin/clamd

  or:

    aa-disable /usr/bin/freshclam

  Please see https://wiki.debian.org/AppArmor for information and
  documentation on modifying apparmor profiles.