setup for XWall
By Forum user Tremelai
ClamAV has been a fast and reliable mail
server virus scanner for the Unix/Linux world for some
time now. Clamwin offers only half of the ClamAV functionality.
The Summit Open Source Development Group has ported
all of ClamAV over to win32 to include the Clamd server
daemon and the clamdscan client. I have found that ClamAV
is faster than F-prot in my environment.
(scan tests of a 21k text file - best of 3 runs)
F-Prot: fpcmd.exe - 0.394 seconds
ClamWin ClamAV: Clamscan.exe - 1.070 seconds
SOSDG ClamAV: Clamd.exe / clamdscan.exe - 0.181 seconds
Here is the setup:
Download the SOSDG Clamav build: http://www.sosdg.org/clamav-win32/
Install clamav into the default location: (There might
be issues with installing into other than default)
Install notepad2: (needed only to edit the .conf files.
ClamAV has UNIX text files)
Insert the tempdir system variable:
Enter 'System properties' --> advanced tab -->
click on the New button under the "System Variables"
Variable name: TMPDIR
Variable value: /cygdrive/c/clamav-devel/tmp
Setup freshclam: (This utility is used to get virus
running C:\clamav-devel\bin\freshclam.exe will update
the virus pattern.
Edit the C:\clamav-devel\etc\freshclam.conf if you need
to use a HTTP proxy server. (use notepad2)
execute: C:\clamav-devel\bin\freshclam.exe -d -c 12
This will run freshclam as a daemon that will check
for updates 12 times a day.
Load the clamd server service:
In the start menu, run 'start clamd'
Options - Virus
Virus scanner: Custom
Check everything EXCEPT 'Scanner needs to be serialized'
I have tested the above setup in Windows 2003 server
and Windows 2003 Server x64. Both work good
ClamAV for win32 does not support .rar files.
The Cygwin .dll libraries, that clamav depends on, has
a known bug where return codes always return 0. This
only occurs under x64 2003/XP and only inside a batch
If you use an external batch file for multiple virus
scans, it only works in 32-bit windows. ClamAV properly
sends return codes back to XWall when not run in a batch
file. (some sort of weirdness stemming from running
in a WOW64 environment) bug resolution is pending patching
Some systems may have issues using the default 'local
socket' mode that clamd uses. In that case, you can
switch to using IP sockets.
Go to C:\clamav-devel\etc
Then change the following in clamd.conf...
Comment out The following with #:
# LocalSocket /cygdrive/c/clamav-devel/clamd.sock
# FixStaleSocket yes
Advantanges of this setup are:
Faster SMTP transmissions (clamdscan allows for non-serialized
I found, on my hardware, that this has lower utilization
ClamAV has patterns out faster than most commercial
ClamAV filters phishing emails
No GUI interface
requires the use of notepad2 to edit/read the conf and
I have not tested Parsereport.vbs with this setup
(clamd has its own log file)
I have not tested on other than 2003 server platforms