ClamAV Management#

This section contains directions to manage the ClamAV Anti-Virus engine.

ClamAV Signatures Updater#

ClamAV abilities include loading external signatures, which are lists of hashes or fingerprints of viruses organised into so-called signature database, used to recognise a broader range of possible threats sent by e-mail.

There are many signatures provider that ClamAV can use, most of them licenced as Open Source; however using multiple signature databases may not always result in a higher precision of the ClamAV engine. Indeed, using too many signature databases may in some circumstances lead to false positive, therefore marking legitimate e-mails as as virus and send them to the quarantine or deleted. Moreover, since the signatures are loaded in RAM to allow for faster checks, this can lead to high CPU usage and, in case of a DB or a signature is corrupted or not 100% compatible, to the failure of the whole ClamAV engine.

For this reasons, Carbonio receives its signatures by a security partner, which are guaranteed to be 100% compatible with ClamAV and reduce the risk of false positives. In order to keep the signatures updated, Carbonio implements a system service, carbonio-avdb-updater.

To install it, login to the Proxy Node, then update the list of packages to make sure the latest version is picked up, and install the updater

# apt-get update && apt-get install carbonio-avdb-updater

Verify Signature Status#

In order to verify that the service is working and signatures are updated, you can check the service’s log.

# journalctl -u carbonio-avdb-updater.service

If the signatures are updated, you will find in the log a block similar to:

Oct 18 09:28:25 srv2.example.com systemd[1]: Started Carbonio anti-virus updater
..
Oct 18 09:28:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:28:28.028 [AVDB Scheduler_Worker-1] INFO  com.zextras.avdb.jobs.AvdbJob - ********************* S T A R T I N G ********************
Oct 18 09:28:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:28:28.039 [pool-1-thread-1] INFO  c.z.a.client.networking.Downloader - download starting : /md5list.txt
Oct 18 09:28:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:28:28.343 [pool-1-thread-1] INFO  c.z.a.client.networking.Downloader - download finished : /md5list.txt
Oct 18 09:28:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:28:28.361 [ForkJoinPool.commonPool-worker-2] INFO  c.z.a.client.networking.Downloader - download starting : /securiteinfopdf.hdb
Oct 18 09:28:29 srv2.example.com carbonio-avdb-updater[2628063]: 09:28:29.594 [ForkJoinPool.commonPool-worker-2] INFO  c.z.a.client.networking.Downloader - download finished : /securiteinfopdf.hdb
..
Oct 18 09:28:44 srv2.example.com carbonio-avdb-updater[2628063]: 09:28:44.383 [pool-2-thread-1] INFO  c.z.a.client.networking.Downloader - download finished : /javascript.ndb
Oct 18 09:28:51 srv2.example.com carbonio-avdb-updater[2628063]: 09:28:51.582 [AVDB Scheduler_Worker-1] INFO  c.z.a.c.processing.ProcessExecutor - Added entry [/opt/zextras/bin/zmprov mcf +carbonioClamAVDat>
..
Oct 18 09:29:48 srv2.example.com carbonio-avdb-updater[2628063]: 09:29:48.930 [AVDB Scheduler_Worker-1] INFO  com.zextras.avdb.jobs.AvdbJob - ********************* F I N I S H E D ********************

Note

The above snippet it shortened for clarity.

The important information here are the S T A R T I N G and F I N I S H E D messages, which sign the start and successful termination of the signature update process. The same two messages are present if no update is available and downloaded:

Oct 18 09:34:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:34:28.017 [AVDB Scheduler_Worker-1] INFO  com.zextras.avdb.jobs.AvdbJob - ********************* S T A R T I N G ********************
Oct 18 09:34:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:34:28.019 [pool-21-thread-1] INFO  c.z.a.client.networking.Downloader - download starting : /md5list.txt
Oct 18 09:34:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:34:28.035 [pool-21-thread-1] INFO  c.z.a.client.networking.Downloader - download finished : /md5list.txt
Oct 18 09:34:28 srv2.example.com carbonio-avdb-updater[2628063]: 09:34:28.039 [AVDB Scheduler_Worker-1] INFO  com.zextras.avdb.jobs.AvdbJob - ********************* F I N I S H E D ********************
The update process in detail

The signature update service maintains a list of the files/databases it downloads and their md5 checksums (md5sum) in file /opt/zextras/av_signatures/md5list.txt, which is also referenced from the LDAP. All the downloaded databases are stored under the same /opt/zextras/av_signatures/ directory.

The first task that the updater carries out is to download the md5list.txt file and verify the md5sums of the signature databases; a new signature database is downloaded only when the md5sum in the file does not match the one of the local file. This also means that if a signature database is not present (e.g., because it was deleted by mistake), it will be automatically downloaded.

A new database can be added by simply adding a new database and its md5sum in the /opt/zextras/av_signatures/md5list.txt file, while removing an entry from that file will make it unavailable to ClamAV.

Disable ClamAV#

There are scenarios in which an Administrator wants to or needs to disable Carbonio’s internal anti-virus engine, ClamAV, for example when using an external, company-wide anti-virus engine or for troubleshooting some MTA’s issue in a test environment. To disable ClamAV, first disable amavis (which is invoked by ClamAV to check e-mails). Both tasks must be executed from the CLI.

Disable amavis

Execute the following commands as the zextras user to disable amavis from the CLI

zextras$ carbonio prov mcf carbonioAmavisDisableVirusCheck TRUE

Restart the service to make sure the new value is picked up by the system

zextras$ zmamavisdctl restart

You can check at any time the status of the variable and of the service with

zextras$ carbonio prov gcf carbonioAmavisDisableVirusCheck

Note

If you never modified the value of the variable, this command may return no output, meaning that amavis is running.

Disable ClamAV

To disable ClamAV, execute the following commands as the root user to mask the service

# systemctl mask carbonio-clamav-sidecar.service

Since the systemd unit is masked, it will not be restarted during future upgrades. You need to explicitly unmask it before enabling it again.

Now, restart system-discovery to let it pick up the change

# systemctl restart service-discover

Finally, as the zextras user, let Carbonio make sure that the antivirus service is disabled.

zextras$ zmprov ms $(zmhostname) -zimbraServiceEnabled antivirus

Optionally, you can also remove the ClamAV definition file for service-discover (this will be restored during future ClamAV upgrades, though)

# rm /etc/zextras/service-discover/carbonio-clamav.hcl