Use Exiscan to Scan For Viruses Published: Jul 22, 2004
  • Rating

    3/5

This tutorial will explain how to make use of the exiscan patch applied to exim used in cpanel. Many cPanel admins use Mailscanner to protect their clients from viruses, but there IS a better way!

Most responsible system administrators have implemented some form of virus scanning of incoming email to protect their users from getting viruses and to help stem the flow of these resource stealing entities. If you are a cPanel administrator, then about your only option has been Mailscanner. There are a number of HOWTOs out there that have shown people how to install Mailscanner, but just recently we've been given a much more integrated and less resource intensive solution.

Enter Exiscan.

Exiscan is a patch against exim version 4, providing support for content scanning in email messages received by exim. It works after the sending client has completed the SMTP data phase and waits for an answer from the server. Messages containing unwanted content can be rejected at that stage, so the job of generating a bounce message is the job of the sending host. Four different scanning facilities are supported: antivirus, antispam, regular expressions, and file extensions.

The beauty of this is that, as noted above, the email is rejected during the receiving process, so the unwanted message never actually enters your server, and notifies the sending server that this message is not being accepted.  This takes much of the burden of processing off your server and puts it back on the server that is trying to send this to you.

This system even allows for filetype rejection!  .exe, .scr, .pif, whatever you want to exclude and be excluded.

cPanel included this patch in a recent update for Exim, and you probably already have it installed, but it has not been 'plugged in' to your server.

The exiscan-acl patch adds content scanning to the exim4 ACL
system. It supports the following scanning features:

  • MIME ACL that is called for all MIME parts in incoming MIME messages.
  • Antivirus using 3rd party scanners.
  • Antispam using SpamAssassin.
  • Full support for Brightmail Anti-Spam.
  • Support for SPF.
  • Regular expression match against headers, bodies, raw
    MIME parts and decoded MIME parts.


These features are hooked into exim by extending exim's ACL
system. The patch adds expansion variables and ACL conditions.
These conditions are designed to be used in the acl_smtp_data
ACL. It is run when the sending host has completed the DATA
phase and is waiting for our final response to his end-of-data
marker. This allows us to reject messages containing
unwanted content at that stage.

 

Configuring ClamAV for Exim / Exiscan:

cd /usr/src
wget -c http://www.rack911.com/files/clamav-0.72-1.i386.rpm
rpm -Uvh clamav-0.72-1.i386.rpm
/usr/bin/freshclam
ln -s /usr/bin/freshclam /etc/cron.daily/updateclamav
perl -pi -e "s/^Example/#Example/g" /etc/clamav.conf
perl -pi -e "s/^#MaxThreads 10/MaxThreads 5/g" /etc/clamav.conf
perl -pi -e "s/^#ScanMail/ScanMail/g" /etc/clamav.conf
perl -pi -e "s/^LocalSocket /tmp/clamd/LocalSocket /var/run/clamav/clamd/g" /etc/clamav.conf

Configuring Exim for use with exiscan:

( you should always backup your configuration file before any changes)

find the lines:

######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################

Add the following under it:

av_scanner = clamd:/var/run/clamav/clamd

it should now look like

######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################
av_scanner = clamd:/var/run/clamav/clamd

next find the following

check_message:
require verify = header_sender
accept

modify it so it looks like the following (notice the bold part):

check_message:
require verify = header_sender
######## EXISCAN ACL #########
deny message = This message contains malformed MIME ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
deny message = This message contains a virus or other harmful content ($malware_name)
demime = *
malware = *
deny message = This message contains an attachment of a type which we
do not accept (.$found_extension)
demime = bat:com:pif:prf:scr:vbs
warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
######## EXISCAN ACL #########

accept

Save the file.

Restart exim

/sbin/service exim restart

It should result with the following:

root@w00t [~]# /sbin/service exim restart
Shutting down clamd: [FAILED]
Shutting down exim: [ OK ]
Shutting down antirelayd: [ OK ]
Shutting down spamd: [ OK ]
Starting clamd: [ OK ]
Starting exim: [ OK ]
Starting exim-smtps: [ OK ]
Starting antirelayd: [ OK ]
Starting spamd: [ OK ]
root@w00t [~]#

 

If something dont work correctly, restore from your backup exim.conf or run /scripts/exim4 and try agian. If you still cannot get it to work contact steve @ rack911

Thanks to: Jon of Got-Management.com and to Steve of Rack911.com

  • Rating

    3/5

Related Articles

Comments (7)

  • Gravatar - Chris
    Chris 10:15, July 24, 2004
    Got a bit messy for me around the last perl -pi line, has anyone else managed to get this working?<br />
    [/usr/src]# perl -pi -e "s/^LocalSocket /tmp/clamd/LocalSocket /var/run/clamav/clamd/g" /etc/clamav.conf<br />
    Bareword found where operator expected at -e line 1, near "s/^LocalSocket /tmp/clamd"<br />
    syntax error at -e line 1, near "s/^LocalSocket /tmp/clamd"<br />
    Execution of -e aborted due to compilation errors.<br />
  • Gravatar - jane doe
    jane doe 06:02, July 30, 2004
    this tutorial isn't accurate enough for new admin,<br />
    where's the path of exim conf?<br />
    how to uninstalled the mailscanner first?<br />
  • Gravatar - steve
    steve 22:03, July 30, 2004
    same problem for me, rack911 please help
  • Gravatar - John Doe
    John Doe 23:25, August 4, 2004
    locate exim.conf
  • Gravatar - pixel
    pixel 13:33, September 20, 2004
    wow, this is like trying to explain war and peace in four words or less. There is SO much more to this method! Especially if your host has played with the ACLs at all.
  • Gravatar - Aditya
    Aditya 19:45, August 21, 2005
    @ Chris:<br />
    <br />
    perl -pi -e "s/^LocalSocket \/tmp\/clamd\/LocalSocket /\/var\/run\/clamav\/clamd/g" /etc/clamav.conf<br />
    <br />
    HTH
  • Gravatar - makan
    makan 09:02, January 1, 2006
    01-01-2006<br />
    for ClamAV 0.87.1<br />
    you just need to perform these steps:<br />
    1. rpm -Uvh clam*<br />
    2. /usr/bin/freshclam<br />
    3. ln -s /usr/bin/freshclam /etc/cron.daily/updateclamav<br />
    4. perl -pi -e "s/^#MaxThreads 20/MaxThreads 5/g" /etc/clamd.conf<br />
    5. Add the following under "MAIN CONFIGURATION SETTINGS" of your exim.conf:<br />
    av_scanner = clamd:127.0.0.1 3310<br />
    6. add "EXISCAN ACL" as mention on this article<br />
    7. save exim.conf<br />
    8. restart exim<br />
    <br />
    it works for me

Add Your Thoughts

WebHostGear.com is a hosting directory, not a web host.

Copyright © 1998-2017 WebHostGear.com