ClamAV setup for XWall
By forum user Tremelai
ClamAV has been a fast and reliable mail server virus scanner in the Unix/Linux world for some time now. ClamWin offers only half of the ClamAV functionality. The Summit Open Source Development Group (SOSDG) has ported all of ClamAV to Win32, including the clamd server daemon and the clamdscan client. I have found that ClamAV is faster than F-Prot in my environment.
Scan tests of a 21k text file (best of 3 runs):
F-Prot: fpcmd.exe - 0.394 seconds
ClamWin ClamAV: clamscan.exe - 1.070 seconds
SOSDG ClamAV: clamd.exe / clamdscan.exe - 0.181 seconds
Here is the setup:
---
Download the SOSDG ClamAV build: http://www.sosdg.org/clamav-win32/
Download Notepad2: http://www.flos-freeware.ch/notepad2.html
Install ClamAV into the default location (there might be issues when installing anywhere other than the default).
Install Notepad2 (needed only to edit the .conf files; ClamAV ships UNIX-format text files with LF line endings).
Add the TMPDIR system variable:
Open System Properties --> Advanced tab --> Environment Variables.
Click the New button under "System variables".
Variable name: TMPDIR
Variable value: /cygdrive/c/clamav-devel/tmp
Set up freshclam (the utility that fetches virus pattern updates):
Running C:\clamav-devel\bin\freshclam.exe updates the virus patterns once.
Edit C:\clamav-devel\etc\freshclam.conf (with Notepad2) if you need to use an HTTP proxy server.
Execute: C:\clamav-devel\bin\freshclam.exe -d -c 12
This runs freshclam as a daemon that checks for updates 12 times a day.
Load the clamd server service:
In the Start menu, run 'start clamd'.
XWall setup:
Options - Virus
Virus scanner: Custom
Executable: C:\clamav-devel\bin\clamdscan.exe
Arguments: <FILE>
Check everything EXCEPT 'Scanner needs to be serialized'.
----
I have tested the above setup on Windows 2003 Server and Windows 2003 Server x64. Both work well.
Known bugs:
ClamAV for Win32 does not support .rar files.
The Cygwin .dll libraries that ClamAV depends on have a known bug where return codes are always 0. This only occurs under x64 2003/XP and only inside a batch program.
If you use an external batch file for multiple virus scans, it only works in 32-bit Windows. ClamAV properly sends return codes back to XWall when not run from a batch file. (Some sort of weirdness stemming from running in a WOW64 environment.) Bug resolution is pending a patch from Cygwin.
Some systems may have issues using the default 'local socket' mode that clamd uses. In that case, you can switch to using IP sockets.
Go to C:\clamav-devel\etc and change the following in clamd.conf.
Comment out the following with #:
# LocalSocket /cygdrive/c/clamav-devel/clamd.sock
# FixStaleSocket yes
Uncomment:
TCPSocket 3310
TCPAddr 127.0.0.1
Restart clamd.
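To confirm that clamd is actually answering on the TCP socket configured above, here is an added Python check (my own example, not part of the post or the SOSDG build) that speaks clamd's protocol on 127.0.0.1:3310: PING for liveness and INSTREAM to scan a message body, mapping the reply to the same exit codes (0 clean, 1 found, 2 error) that clamdscan hands back to XWall. It assumes a clamd that accepts newline-terminated commands; the chunk size and the sample message are constructed.

```python
import socket
import struct

CLAMD_ADDR = ("127.0.0.1", 3310)  # TCPAddr / TCPSocket from the post's clamd.conf
CHUNK_SIZE = 8192                 # assumed chunk size for INSTREAM framing
EXIT_CLEAN, EXIT_INFECTED, EXIT_ERROR = 0, 1, 2  # clamdscan's exit codes

def build_instream_chunks(data, chunk_size=CHUNK_SIZE):
    """Frame bytes as INSTREAM chunks: 4-byte big-endian length + data, then a zero-length chunk."""
    chunks = [struct.pack("!I", len(data[i:i + chunk_size])) + data[i:i + chunk_size]
              for i in range(0, len(data), chunk_size)]
    return b"".join(chunks) + struct.pack("!I", 0)

def parse_scan_reply(reply):
    """Map 'stream: OK' / 'stream: <sig> FOUND' / anything else to (exit_code, detail)."""
    line = reply.decode("utf-8", "replace").strip("\x00\r\n ")
    result = line.partition(": ")[2] or line  # drop the 'stream:' prefix if present
    if result == "OK":
        return EXIT_CLEAN, None
    if result.endswith(" FOUND"):
        return EXIT_INFECTED, result[:-len(" FOUND")]
    # ERROR, size-limit or empty replies are scanner errors, never a clean verdict
    return EXIT_ERROR, result or "empty reply"

def _talk(payload, addr=CLAMD_ADDR, timeout=30):
    """Send one command and read until clamd closes the connection."""
    with socket.create_connection(addr, timeout=timeout) as s:
        s.sendall(payload)
        buf = b""
        while True:
            part = s.recv(4096)
            if not part:
                return buf
            buf += part

def clamd_ping(addr=CLAMD_ADDR):
    """True if clamd answers PING with PONG over the TCP socket."""
    return _talk(b"PING\n", addr).strip(b"\x00\r\n ") == b"PONG"

def scan_bytes(data, addr=CLAMD_ADDR):
    """Scan an in-memory message via INSTREAM; returns (exit_code, detail)."""
    return parse_scan_reply(_talk(b"INSTREAM\n" + build_instream_chunks(data), addr))

if __name__ == "__main__":
    # constructed sample message; a real run needs clamd listening on CLAMD_ADDR
    print("clamd reachable:", clamd_ping())
    print(scan_bytes(b"Subject: constructed sample\r\n\r\nhello\r\n"))
```

A reply of (2, ...) means the scanner itself failed, which is exactly the case XWall must not mistake for "clean" when clamdscan's return code is swallowed by the WOW64 batch-file bug described below.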
Advantages of this setup are:
Faster SMTP transmissions (clamdscan allows for non-serialized scans).
I found, on my hardware, that this has lower utilization than F-Prot.
ClamAV has patterns out faster than most commercial offerings.
ClamAV filters phishing emails.
Disadvantages:
No GUI interface.
Requires the use of Notepad2 to edit/read the .conf and log files.
I have not tested Parsereport.vbs with this setup (clamd has its own log file).
I have not tested on platforms other than 2003 Server.