DOCUMENTATION Non-Debian documentation has been removed (I.e how to install on UnixXXX etc.) The original documentation is still available in the source package. Download the source using the command 'apt-get source clamav'. CONFIGURATION There are several changes made to the default configuration provided by upstream. Both the autogenerated configuration files and the ones shipped under examples/ have been edited to provide FHS compliant paths for things like logfiles, pidfiles, and sockets. The autogenerated configuration files additionally contain some non-default values, as I feel the upstream defaults do not provide the 'out of the box' arrangement most suited to the average user. In particular, I believe the following choices are more suited to most default configurations than the upstream defaults: FixStaleSocket This removes a socket file left over from a previous clamd that had an unclean shutdown. This allows for easier restarting LogFileMaxSize Setting this to 0 disables truncation of the logfile. As the default Debian configuration uses logrotate, this is not an issue except on severely disk constrained systems. DetectBrokenExecutables This will pick up many viral fragments that are likely not harmful in and of themselves, but may cause end users to worry that they received something their A/V scanner identifies. ArchiveBlockMax This makes the assumptions that if you are setting the various Archive* options, you would rather block than pass through if one of those conditions is met. All ClamAV configuration files (in other words, all files under /etc/) are handled by ucf, as they are dynamically generated. If you want to affect ucf's behavior with regard to conffile handling, please see /etc/ucf.conf or ucf(1). CLAMAV-DAEMON CONFIG FILE HANDLING Configuration handling for clamav-daemon has debconf support. During install the default values stored in debconf-template are used to create a configuration file. Due to the complexity of configuring the daemon no questions are asked during install. If you want to change this configuration you have two options: 1. 'point-and-click' re-configuration using debconf The vast majority of options can be accessed by running 'dpkg-reconfigure clamav-daemon' Clamav-daemon's configuration is quite complex. However its full complexity shouldn't be felt by users since the majority of the questions already have sensible defaults. 2. The package also handles manual editing of its configuration file, /etc/clamav/clamd.conf, gracefully. While it's possible to mix debconf and manual editing, it isn't recommended, since it can lead to confusing results. Debconf attempts to respect any changes you have done manually in /etc/clamav/clamd.conf. Every care has been taken to make sure your changes are preserved over upgrade, but if you are going to manage your conf file manually, please take a moment and run dpkg-reconfigure clamav-daemon, and answer no to debconf management. Just running dpkg-reconfigure clamav-daemon won't reset /etc/clamav/clamd.conf to a debconf generated configuration file. If you want to discard all your manual changes just run 'ucf -p /etc/clamav/clamd.conf;dpkg-reconfigure clamav-daemon' WARNINGS The ScanMail option has stabilized somewhat over previous releases, and is now enabled by default. However, this is where the bulk of libclamav's bugs lie. This is largely due to the arms race nature of trying to keep up with virus writers interesting ideas about MIME, and certain MUA's willingness to go along with those ideas. Caveat emptor, you have been warned. As of version 0.71-1, clamd will no longer run as root by default. This decision was made due to the fact that it is still pre-1.0 software, and there are still many bugs to be worked out. This decision can be overridden by editing /etc/clamav/clamd.conf, and changing User to the value desired. This decision will help isolate your system from any flaws in clamd (see http://bugs.debian.org/247574 for an example of a problem caused by clamd following symlinks in an archive), but will mean some compromises in functionality. In case you happen to have the TMPDIR variable set in your root environment, please make sure that TemporaryDirectory is set to something sane in /etc/clamav/clamd.conf (the Debian packages default to /tmp), as otherwise clamd will fail to operate after changing its user id as noted above. MTA INTEGRATION SENDMAIL So long as sendmail can write to clamav-milter's socket, the rest of the communication is handled between the milter and clamd, and permissions are not a problem. apt-get install clamav-milter, and see the configuration instructions for CLAMAV-MILTER found below. EXIM4 Exim4 users will want to either run clamd as User Debian-exim, so clamd has read and write permissions on the scan/ diretory, or (better) add clamav to group Debian-exim. You may also need to ensure the scan/ directory is group writable (on Debian systems, this is /var/spool/exim4/scan) To enable clamav in the Debian exim4 packages, add av_scanner = clamd:/var/run/clamav/clamd.ctl (or if you've chosen tcp sockets) av_scanner = clamd:127.0.0.1 3310 to the main configuration settings (a new file under /etc/exim4/conf.d/main/ if split config is being used) Then add the following to your data time acl: deny message = This message contains a virus: ($malware_name) please scan your system. demime = * malware = * (The data acl is defined in /etc/exim4/conf.d/acl/40_exim4-config_check_data by default if split config is being used) AMAVIS Amavis variants can achieve the same functionality by adding the clamav user to the amavis group. POSTFIX Recent versions of postfix have support for milters. This allows clamav-milter to be used reasonably well with postfix, although the problem of group permissions on the actual socket can be a problem. See the end of the CLAMAV-MILTER section below for some details. Other MTAs I am not as familiar with, but the same principles apply - clamav needs read and write access to the diretory where messages are unpacked (as is the case with amavis and exim4), and the MTA needs read/write permissions to clamav's socket file, if it is run listening to a unix socket rather than a network socket. ERRATA For those who use clamav-daemon primarily for system scans (although since clamd detects largely MS viruses, the utility of doing this on a regular basis is somewhat limited in most linux-only environments), there is probaly no alternative but to run clamd as User root or use clamscan (see below). If you are doing this, I highly suggest running it listening on a Unix socket, and restricting read/write permissions to it to prevent unauthorized access. In these circumstances, running clamscan instead is probably safer as the overhead of per-instance database loading is vastly outweighed by the length of the scan, and it eliminates running a daemon as root. As of 0.75-1, there is support for running both clamd and clamav-milter under daemon. Just install daemon, and add Foreground to clamd.conf. Beware that this affects both clamd and clamav-milter, it is not either or. Note also that the clamd package contains an empty directory /etc/clamav/virusevent.d/ Admins and other packagers are encouraged to use this directory to store scripts that should be executed after a virus is detected. To enable the feature, you will have to add: VirusEvent /bin/run-parts --lsbsysinit /etc/clamav/virusevent.d/ to /etc/clamav/clamd.conf CLAMSCAN It has the same flaws as clamav-daemon when it comes to handling mbox attachments (the code with the bugs are in the library). The result of such bugs are not as heavy in clamscan since it is completely restarted on each invocation, and clamd may be taken down by the same bug. If you do a high number of scans (for example, a separate scan for each received email), then clamd may better suit your needs. If you are doing full system scans, then there is no noticeable performance benefit to the daemon, and you can easily substitute clamscan, and eliminate the need to run clamd as root. CLAMAV-FRESHCLAM Clam Antivirus doesn't support the oav-database anymore. The freshclam auto updating setup is much simpler than the oav counterpart. The clamav-freshclam package includes virus databases, but these are only used if fresh ones cannot be downloaded directly from the database servers, or if you do not have them already in place (e.g., from the clamav-data package) If you don't have Internet access you should install the clamav-data package, which contains a static database. You can even (re)create a clamav-data package yourself from an Internet connected computer using the clamav-getfiles package. Note that this feature will likely be phased out in the future - freshclam already verifies digital signatures on the databases, and it may refuse to load an unsigned one. Hopefully at that point, though, there will be a better mechanism to self-sign databases, and feed the correct signature to freshclam. Note also that the freshclam package contains the empty directories /etc/clamav/onupdateexecute.d and /etc/clamav/onerrorexecute.d. Admins and other packagers are encouraged to use this directory to store scripts that should be executed after an update or an error. To enable the feature, you will have to add to /etc/clamav/freshclam.conf: OnUpdateExecute /bin/run-parts --lsbsysinit /etc/clamav/onupdateexecute.d/ OnErrorExecute /bin/run-parts --lsbsysinit /etc/clamav/onerrorexecute.d/ CLAMAV-MILTER Configuration instructions: Installations for Debian: New option, contributed by Elrond : Add to /etc/mail/sendmail.mc: include(`/etc/mail/m4/clamav-milter.m4')dnl and run sendmailconfig. Otherwise: Add to /etc/mail/sendmail.mc: INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav-milter.ctl, F=, T=S:4m;R:4m')dnl define(`confINPUT_MAIL_FILTERS', `clamav') Check entry in /etc/clamav/clamd.conf of the form: LocalSocket /var/run/clamav/clamd.ctl If you already have a filter (such as spamassassin-milter from http://savannah.nongnu.org/projects/spamass-milt) add it thus: INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav-milter.ctl, F=, T=S:4m;R:4m')dnl INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m') define(`confINPUT_MAIL_FILTERS', `spamassassin,clamav')dnl and run sendmailconfig. You may find INPUT_MAIL_FILTERS is not needed on your machine, however it is recommended by the Sendmail documentation and I recommend going along with that. I suggest putting SpamAssassin first since you're more likely to get spam than a virus/worm sent to you. As of 0.96, clamav-milter will take care of making the socket writable for a group. This is done by setting MilterSocketGroup and MilterSocketMode to useful values in your /etc/clamav/clamav-milter.conf (for instance, "postfix" and "0664", respectively). APPARMOR PROFILES If your system uses apparmor, please note that the shipped enforcing profile works with the default installation, and changes in your configuration may require changes to the installed apparmor profile. Please see https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this software. In particular, clamav-daemon runs as it's own user and is confined from accessing all but a limited set of files. These include the home directory of the user calling clamav-daemon, but not system files. If you want to scan files outside of your home directory, the apparmor profile will need to be updated. The freshclam utility is also protected by an enforcing profile. If you want to add files to the /etc/clamav/onerrorexecute.d, /etc/clamav/onupdateexecute.d, or /etc/clamav/virusevent.d directories, appropriate rules need to be added to the apparmor profile. Please see https://wiki.debian.org/AppArmor for information and documentation on modifying apparmor profiles.