ClamAV SpamAssassin Microsoft Exchange

This post is more of a follow-up to the previous SpamAssassin post, so I suggest you read that one first.

To improve the spam and virus detection I decided to add an extra antivirus detection agent to our Exchange server. The choice of antivirus software was quite trivial, as it had to be an open one, so ClamAV was the choice. I did not find a transport agent for Exchange, but I found quite a few plugins for SpamAssassin.

ClamAV installation is quite simple. Download the 64-bit MSI and install it. Go to C:\Program Files\ClamAV\conf_examples, copy the files to the main folder and rename them to clamd.conf and freshclam.conf. Open them, change some settings and don't forget to remove the "Example" line at the start. Start freshclam.exe and after that clamd.exe.

While setting things up it is nice to have the daemon running in the command line so you can see the incoming connections. After that use the "clamd.exe --install-service" command to install the service.

To improve the detection results some extra definitions were also needed. I found a nice post here that explains how to add Sanesecurity definitions with the sigupdate tool.

I won't bore you with all the implementations, testing and tweaking and will only tell you about the final solution. As the core plugin I chose the one from bigio, but I also used some features from the one from pmeulen. Here is my modified fork.

Both solutions also require the File::Scan::ClamAV module or ClamAV::Client. ClamAV::Client didn't work, as it uses the deprecated STREAM command and not INSTREAM. As I am not fluent in Perl I didn't bother to fix it and used the other, working one. The File::Scan::ClamAV module is a bit newer and works great. Here is the version from GitHub I used.

For the File::Scan::ClamAV installation just copy the file to your SpamAssassin folder like this

For the ClamAV plugin installation copy the 3 needed files into here

To check if the configuration is OK use the "spamassassin.exe --lint" command. If you get an error you need to fix something.

I also suggest that you disable your spamd service and run "spamd.exe -D" so you get some debug output. There you will be able to see whether the plugins load and work correctly.

If you did everything correctly you will start getting emails like this

Do note that every email gets an antivirus tag, so you will be able to make some custom rules, especially for testing, in your ECP. The example above got this tag: "X-Spam-Virus: Yes (Sanesecurity.Jurlbl.b21234.UNOFFICIAL)".
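
As an added illustration (not code from this post or from either plugin), here is a small Python client that speaks the clamd INSTREAM protocol the way File::Scan::ClamAV does, instead of the deprecated STREAM command that needs a second data connection, and turns clamd's verdict into the X-Spam-Virus value shown above. The clamd host/port and the "No" value for clean mail are assumptions, and the reply bytes in the comments are constructed.

```python
import socket
import struct
from typing import Optional, Tuple

def instream_frames(data: bytes, chunk_size: int = 8192) -> bytes:
    """Build one complete zINSTREAM session: the NUL-terminated command,
    then chunks as 4-byte big-endian length + bytes, then a zero-length
    chunk that tells clamd the stream is finished."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out.append(struct.pack(">I", len(chunk)) + chunk)
    out.append(struct.pack(">I", 0))  # terminator
    return b"".join(out)

def parse_clamd_reply(reply: bytes) -> Tuple[bool, Optional[str]]:
    """Map a NUL-terminated clamd reply to (infected, signature).
    Constructed examples: b'stream: OK\\0' -> (False, None);
    b'stream: Sanesecurity.Jurlbl.b21234.UNOFFICIAL FOUND\\0'
    -> (True, 'Sanesecurity.Jurlbl.b21234.UNOFFICIAL'). Anything else
    (e.g. 'INSTREAM size limit exceeded. ERROR') is treated as an error,
    never as 'clean'."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict.endswith(" FOUND"):
        return True, verdict[:-len(" FOUND")]
    if verdict == "OK":
        return False, None
    raise RuntimeError("clamd error: " + text)

def spam_virus_header(infected: bool, signature: Optional[str]) -> str:
    """X-Spam-Virus value: 'Yes (<signature>)' as seen on the page;
    'No' for clean mail is an assumption about the plugin's output."""
    return "Yes (%s)" % signature if infected else "No"

def scan_bytes(data: bytes, host: str = "127.0.0.1", port: int = 3310,
               timeout: float = 30.0) -> Tuple[bool, Optional[str]]:
    """Stream a message body to clamd over TCP (3310 is clamd's default
    TCPSocket; host/port are assumptions) and return (infected, signature)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):  # 'z' commands give NUL-terminated replies
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_clamd_reply(reply)
```

scan_bytes() needs a running clamd with TCPSocket enabled in clamd.conf; the frame builder, reply parser and header builder run offline.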

There is also a nice way of adding some custom scores to the output. The article describes doing it with the X-Spam-Virus header, which is always present, but in the plugin used here we can do this by adding some parameters to check_clamav(). I suggest you take a look at the code, as it is nicely described there.
