ClamAV Connector
I installed ClamAV Connector from WHM Addon Modules, but am still unable to configure it for optimum use. I do not see ClamAV changing the header like SpamAssassin does.
I used a link mentioned on the ClamAV site to send some test virus signatures to my mail address. ClamAV seems to be in action, as I did not receive those mails (except 2 mails which were delivered, but the explanation for this is given on the ClamAV site too).
I would like to know how to configure ClamAV on cPanel/WHM to notify the sender and/or recipient about the virus in the message which was dropped.
Are there other conf settings which are recommended after installation of ClamAV?
ozgreg
08-30-2005, 04:31 AM
Funny you post this, because I recently found this website (http://www.configserver.com/cp/mailscanner.html) offering a service for $35 to do exactly what you are struggling to get done..
It was posted on the cPanel forums so it should not be that dodgy, and I will admit I am considering spending the $ to do it..
> I will admit I am considering spending the $ to do it..
That site is indeed a well known site for its resources.
I somehow don't think it's going to be as difficult to set this up. I'm sure there are others here who have done this on their own too and will be more than glad to offer some tips. Perhaps I'm not using the right keywords when searching for resources. But I'm quite confident it's going to be done perfectly fine within a short time... maybe a couple of days.
Edit: I need someone who has implemented ClamAV on their server, or who knows Linux better than me, to tell me if it involves recompiling Exim. If it does, I'm going to keep away from even trying this out for some time.
I used the service from configserver and it was a great experience... For $35 I had the installation done, support for 7 days... and a lot of time answering my questions about configurations and hacks... :)
These guys rock and I recommend them to anyone who does not have the time or the skills to play with this...
MarkB
09-03-2005, 11:07 PM
You have to edit exim.conf.local or, better yet, go to WHM --> Exim Configuration Editor and switch to advanced mode.
Scroll to the ACL section and in the middle box between
check_message:
require verify = header_sender
and
accept
add the code:
  ##
  # Reject messages with malformed MIME
  ##
  deny    message   = This message contains malformed MIME ($demime_reason).
          demime    = *
          condition = ${if >{$demime_errorlevel}{2}{1}{0}}

  ##
  # Reject messages that attach files with illegal extensions
  ##
  deny    message   = We do not accept ".$found_extension" attachments here. If you meant to send this file then please package it up as a zip file and resend it.
          # You might need to remove some of these extensions if you want to allow your users to receive these files
          demime    = ade:adp:bas:bat:chm:cmd:com:cpl:crt:eml:exe:hlp:hta:inf:ins:isp:jse:lnk:mdb:mde:msc:msi:msp:pcd:pif:reg:scr:sct:shs:url:vbs:vbe:wsf:wsh:wsc

  ##
  # Reject email containing a virus
  ##
  deny    message   = This message contains a virus or other harmful content ($malware_name)
          demime    = *
          malware   = */defer_ok

  ##
  # Add X-Scanned header
  ##
  warn    message   = X-Antivirus-Scanner: Message scanned with ClamAV
That will add the X-Antivirus-Scanner header to the message headers and create bounce messages if mail was rejected.
Of course, you can modify above example by your liking.
PS
I'm new here, signed for VPS then 10 ago.
MarkB
09-03-2005, 11:08 PM
Forgot to mention: if you edit exim.conf.local directly, you have to restart Exim.
MarkB
09-03-2005, 11:11 PM
BTW, I'm still looking for a solution to deny/reject CLSID hidden attachments.
I've been so busy with other things that I had almost stopped searching for this (perhaps also because I don't have domains using mail on my VPS yet).
BTW, I just found this... don't know for sure if that's what you're looking for.
  deny    message     = Hiding of file extensions is not allowed!
          log_message = Dangerous extension (CLSID hidden)
          regex       = ^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$
I'll try your code soon. Thanks a lot indeed.
Norm1322
09-04-2005, 09:07 AM
Mark
Thanks for that code. I've inserted the code and it appears to work okay.
Can I just query some things.
Does the code go between
check_message:
require verify = header_sender
and
accept
i.e.
check_message:
require verify = header_sender
[your code here]
accept
Which is how I've done it, and it seems okay, although I get no bounce email since the Exim server just does not accept an infected email (dropping the SMTP session) and my email program (The Bat!) throws up a rejection message box with the message:
Message has not been sent. Server reply - then please package it up as a zip file and resend it.
Which is still fine, as I see it, because the message and virus never get onto the server. :)
Secondly, in your code there are some spaces in the extensions, such as:
hlp:ht a:inf:
Is that just a pasting thing, and should I remove those spaces?
Thanks again, I wanted the X-header added so your code was just ideal.
--
Norm
Picture of my new dog >> http://img329.imageshack.us/img329/281/janey1circle8ac.jpg
MarkB
09-04-2005, 03:12 PM
Yes, the code goes between those tags.
It'll drop your client session and give you a message. That's how it works between client and MTA. For emails between MTA and MTA it will reject with a bounce message. At least it does in my case. All the code is from the ClamAV docs.
Yes, for some reason the forum script inserts spaces; they should be removed.
You can always check all rejects in /var/log/exim_rejectlog
Same message will be in the bounced email.
I've tested how it works at http://www.webmail.us/testvirus You can specify what exactly you wanna test.
Shahzada, I have the same piece of code and it doesn't work. I still get CLSID through when I run tests.
> Shahzada, I have the same piece of code and it doesn't work. I still get CLSID through when I run tests.
Did you put that code in the DATA ACL or the MIME ACL? Try putting it in the MIME ACL and see if that works.
MarkB
09-06-2005, 04:55 AM
> Did you put that code in the DATA ACL or the MIME ACL? Try putting it in the MIME ACL and see if that works.
Where exactly is the MIME ACL?
> Where exactly is the MIME ACL?
Changes to exim.conf would be:
...
...
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message
acl_smtp_mime = my_mime_acl
...
...
...
begin acl
...
check_recipient:
...
...
check_message:
...
...
my_mime_acl:
...
  deny    message     = Hiding of file extensions is not allowed!
          log_message = Dangerous extension (CLSID hidden)
          regex       = ^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$
...
...
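The two attachment policies in this thread (the blocked-extension list in MarkB's DATA ACL earlier in the thread, and the CLSID/whitespace regex in the MIME ACL just above) can be exercised offline by modelling the same decisions outside Exim. The following is an added example, not code from the thread, from cPanel or from ClamAV: it re-implements the three rejection rules in Python with the standard library email parser and runs them over a constructed four-attachment message. The function names (check_attachment, check_message), the sample message and the reuse of the posted deny messages as return values are assumptions of this example; the extension list and the CLSID pattern are taken from the posted ACLs, with the forum's inserted spaces removed. It does not call ClamAV, so the `malware` condition is not modelled.

```python
"""Added example: a model of the Exim attachment ACLs posted in this thread.

This is not Exim and not ClamAV.  It re-implements the decisions the posted
ACL statements make (blocked attachment extensions, CLSID-hidden extensions,
whitespace-padded filenames) so the rules can be tested offline against a
constructed MIME message.  The `malware` condition is not modelled.
"""
import re
from email import message_from_bytes
from typing import List, Optional, Tuple

# Extension list copied from the posted "demime =" condition, with the
# spaces the forum software inserted ("ht a", "pif: reg") removed.
BLOCKED_EXTENSIONS = frozenset(
    "ade:adp:bas:bat:chm:cmd:com:cpl:crt:eml:exe:hlp:hta:inf:ins:isp:jse:"
    "lnk:mdb:mde:msc:msi:msp:pcd:pif:reg:scr:sct:shs:url:vbs:vbe:wsf:wsh:wsc"
    .split(":")
)

# The two things the posted MIME-ACL regex looks for in a filename:
#  1. a trailing "{CLSID}" such as "invoice.txt.{00020906-...}": Windows
#     Explorer hides the CLSID part and opens the file with the handler it
#     names, so the visible ".txt" is not what runs;
#  2. a run of ten or more spaces, used to push the real extension out of
#     view ("readme.txt          .exe").
# The character class mirrors the posted regex ([a-hA-H0-9-]); real CLSIDs
# are hex, so a-h is simply a superset.
CLSID_SUFFIX_RE = re.compile(r"\{[a-hA-H0-9-]{25,}\}\s*$")
PADDED_NAME_RE = re.compile(r"\s{10,}")

HIDDEN_EXT_MSG = "Hiding of file extensions is not allowed!"


def check_attachment(filename: str) -> Optional[str]:
    """Return the rejection message for one attachment name, or None if allowed.

    The hidden-extension test runs first because in Exim the MIME ACL is run
    for each part before the DATA ACL, so a padded "readme.txt      .exe"
    is reported as a hidden extension rather than as a plain .exe.
    """
    if CLSID_SUFFIX_RE.search(filename) or PADDED_NAME_RE.search(filename):
        return HIDDEN_EXT_MSG
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        # Same wording as the posted deny message, with $found_extension filled in.
        return (f'We do not accept ".{ext}" attachments here. If you meant to '
                "send this file then please package it up as a zip file and resend it.")
    return None


def check_message(raw: bytes) -> List[Tuple[str, str]]:
    """Walk every MIME part of a raw message, as the ACLs do, and collect
    (filename, reason) for each attachment the policy would reject."""
    msg = message_from_bytes(raw)
    rejected: List[Tuple[str, str]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue          # inline body text: no name to judge
        reason = check_attachment(filename)
        if reason is not None:
            rejected.append((filename, reason))
    return rejected


# Constructed test message (not a real capture): one harmless attachment
# and three that each trip a different rule.  Bodies are placeholder text.
SAMPLE_MESSAGE = b"""\
From: sender@example.com
To: user@example.com
Subject: attachment policy test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="report.zip"

UEsDBAoA
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="setup.EXE"

TVqQAAMA
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment;
 filename="invoice.txt.{00020906-0000-0000-C000-000000000046}"

AAAA
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="readme.txt               .exe"

AAAA
--b1--
"""

if __name__ == "__main__":
    for name, why in check_message(SAMPLE_MESSAGE):
        print(f"REJECT {name!r}: {why}")
```

Running it prints one REJECT line for setup.EXE (blocked extension), one for the CLSID-suffixed name and one for the space-padded name, while report.zip passes; that is the same outcome the posted DATA and MIME ACLs produce in Exim, which is where the real check belongs.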
MarkB
09-07-2005, 03:17 PM
Excellent! Thank you very much.