Use Exiscan to Scan For Viruses

Published: Jul 22, 2004
This tutorial explains how to make use of the Exiscan patch applied to the Exim build that ships with cPanel. Many cPanel admins use Mailscanner to protect their clients from viruses, but there IS a better way!

Most responsible system administrators have implemented some form of virus scanning of incoming email to protect their users from getting viruses and to help stem the flow of these resource stealing entities. If you are a cPanel administrator, then about your only option has been Mailscanner. There are a number of HOWTOs out there that have shown people how to install Mailscanner, but just recently we've been given a much more integrated and less resource intensive solution.

Enter Exiscan.

Exiscan is a patch against Exim version 4 that adds content scanning of email messages received by Exim. It runs after the sending client has completed the SMTP DATA phase, while that client is still waiting for the server's final response. Messages containing unwanted content can be rejected at that stage, so generating any bounce message becomes the sending host's job, not yours. Four different scanning facilities are supported: antivirus, antispam, regular expressions, and file extensions.

The beauty of this is that, as noted above, the email is rejected during the receiving process, so the unwanted message never actually enters your server, and the sending server is told that the message is not being accepted. This takes much of the processing burden off your server and puts it back on the server that is trying to send to you.

This system even allows rejection by file type: .exe, .scr, .pif, or whatever attachment types you want to exclude.

cPanel included this patch in a recent update for Exim, and you probably already have it installed, but it has not been 'plugged in' to your server.

The exiscan-acl patch adds content scanning to the exim4 ACL system. It supports the following scanning features:

  • MIME ACL that is called for all MIME parts in incoming MIME messages.
  • Antivirus using 3rd party scanners.
  • Antispam using SpamAssassin.
  • Full support for Brightmail Anti-Spam.
  • Support for SPF.
  • Regular expression match against headers, bodies, raw MIME parts and decoded MIME parts.

These features are hooked into exim by extending exim's ACL system. The patch adds expansion variables and ACL conditions. These conditions are designed to be used in the acl_smtp_data ACL. It is run when the sending host has completed the DATA phase and is waiting for our final response to its end-of-data marker. This allows us to reject messages containing unwanted content at that stage.

Configuring ClamAV for Exim / Exiscan:

cd /usr/src
wget -c http://www.rack911.com/files/clamav-0.72-1.i386.rpm
rpm -Uvh clamav-0.72-1.i386.rpm
# fetch the current signature database once, then keep it updated daily
/usr/bin/freshclam
ln -s /usr/bin/freshclam /etc/cron.daily/updateclamav
# comment out the "Example" line so clamd will read the config at all
perl -pi -e "s/^Example/#Example/g" /etc/clamav.conf
perl -pi -e "s/^#MaxThreads 10/MaxThreads 5/g" /etc/clamav.conf
perl -pi -e "s/^#ScanMail/ScanMail/g" /etc/clamav.conf
# the slashes in the socket paths must be escaped, or they end the s/// expression early
perl -pi -e "s/^LocalSocket \/tmp\/clamd/LocalSocket \/var\/run\/clamav\/clamd/g" /etc/clamav.conf

Configuring Exim for use with exiscan:

(You should always back up your configuration file before making any changes.)

Find the lines:

######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################

Add the following under it:

av_scanner = clamd:/var/run/clamav/clamd

It should now look like this:

######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################
av_scanner = clamd:/var/run/clamav/clamd

Next, find the following:

check_message:
  require verify = header_sender
  accept

Modify it so it looks like the following (the block between the EXISCAN ACL comment markers is the new part):

check_message:
  require verify = header_sender
  ######## EXISCAN ACL #########
  deny  message   = This message contains malformed MIME ($demime_reason)
        demime    = *
        condition = ${if >{$demime_errorlevel}{2}{1}{0}}
  deny  message   = This message contains a virus or other harmful content ($malware_name)
        demime    = *
        malware   = *
  deny  message   = This message contains an attachment of a type which we do not accept (.$found_extension)
        demime    = bat:com:pif:prf:scr:vbs
  warn  message   = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
  ######## EXISCAN ACL #########

  accept

Save the file.

Restart Exim:

/sbin/service exim restart

The output should look like this:

root@w00t [~]# /sbin/service exim restart
Shutting down clamd: [FAILED]
Shutting down exim: [ OK ]
Shutting down antirelayd: [ OK ]
Shutting down spamd: [ OK ]
Starting clamd: [ OK ]
Starting exim: [ OK ]
Starting exim-smtps: [ OK ]
Starting antirelayd: [ OK ]
Starting spamd: [ OK ]
root@w00t [~]#
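As an added example (not from the original article, nor from Rack911 or Got-Management), the following POSIX shell script applies the clamav.conf edits above using a delimiter that does not collide with the slashes in the socket path, and then checks that the socket clamd will listen on is the one Exim's av_scanner setting points at. The file paths are parameters, and the sample config lines in the demo are constructed for illustration, not copied from a real clamav.conf.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: applies the clamav.conf edits
# with '|' as the s||| delimiter (the slashes in the socket path are what broke the
# original perl one-liner) and checks that clamd and exim agree on the socket path.

# Rewrite a clamav.conf in place; no 'sed -i', so it also works on non-GNU sed.
configure_clamav_conf() {
    f="$1"
    sed -e 's|^Example|#Example|' \
        -e 's|^#MaxThreads 10|MaxThreads 5|' \
        -e 's|^#ScanMail|ScanMail|' \
        -e 's|^LocalSocket /tmp/clamd|LocalSocket /var/run/clamav/clamd|' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Print the socket path clamd will listen on (LocalSocket line of clamav.conf).
clamd_socket() {
    sed -n 's|^LocalSocket[[:space:]]*||p' "$1"
}

# Print the socket path exim will scan through (av_scanner = clamd:/path).
exim_av_socket() {
    sed -n 's|^av_scanner[[:space:]]*=[[:space:]]*clamd:||p' "$1"
}

# Succeed only if both files name the same, non-empty socket path; if they
# differ, exim cannot reach clamd at all and the malware check cannot pass.
check_sockets_match() {
    c="$(clamd_socket "$1")"
    e="$(exim_av_socket "$2")"
    [ -n "$c" ] && [ "$c" = "$e" ]
}

# Demo on constructed files in a temp dir (the sample lines mirror the defaults
# the tutorial edits; they are not a real clamav.conf or exim.conf).
demo() {
    d="$(mktemp -d)"
    printf 'Example\n#MaxThreads 10\n#ScanMail\nLocalSocket /tmp/clamd\n' > "$d/clamav.conf"
    printf 'av_scanner = clamd:/var/run/clamav/clamd\n' > "$d/exim.conf"
    configure_clamav_conf "$d/clamav.conf"
    check_sockets_match "$d/clamav.conf" "$d/exim.conf"
}
```

Run it against the real /etc/clamav.conf and exim.conf only after taking the backup the tutorial recommends; the check functions are read-only and safe to run at any time.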

If something doesn't work correctly, restore your backup exim.conf or run /scripts/exim4 and try again. If you still cannot get it to work, contact steve @ rack911.

Thanks to: Jon of Got-Management.com and to Steve of Rack911.com


Comments (7)

  • Chris 10:15, July 24, 2004
    Got a bit messy for me around the last perl -pi line, has anyone else managed to get this working?
    [/usr/src]# perl -pi -e "s/^LocalSocket /tmp/clamd/LocalSocket /var/run/clamav/clamd/g" /etc/clamav.conf
    Bareword found where operator expected at -e line 1, near "s/^LocalSocket /tmp/clamd"
    syntax error at -e line 1, near "s/^LocalSocket /tmp/clamd"
    Execution of -e aborted due to compilation errors.
  • jane doe 06:02, July 30, 2004
    This tutorial isn't accurate enough for a new admin.
    Where's the path of the exim conf?
    How do I uninstall Mailscanner first?
  • steve 22:03, July 30, 2004
    same problem for me, rack911 please help
  • John Doe 23:25, August 4, 2004
    locate exim.conf
  • pixel 13:33, September 20, 2004
    wow, this is like trying to explain war and peace in four words or less. There is SO much more to this method! Especially if your host has played with the ACLs at all.
  • Aditya 19:45, August 21, 2005
    @ Chris:

    perl -pi -e "s/^LocalSocket \/tmp\/clamd/LocalSocket \/var\/run\/clamav\/clamd/g" /etc/clamav.conf

    HTH
  • makan 09:02, January 1, 2006
    01-01-2006
    For ClamAV 0.87.1 you just need to perform these steps:
    1. rpm -Uvh clam*
    2. /usr/bin/freshclam
    3. ln -s /usr/bin/freshclam /etc/cron.daily/updateclamav
    4. perl -pi -e "s/^#MaxThreads 20/MaxThreads 5/g" /etc/clamd.conf
    5. Add the following under "MAIN CONFIGURATION SETTINGS" of your exim.conf:
    av_scanner = clamd:127.0.0.1 3310
    6. Add the "EXISCAN ACL" as mentioned in this article
    7. Save exim.conf
    8. Restart exim

    It works for me.


Copyright © 1998-2024 WebHostGear.com