How to greatly improve ClamAV - even zero hour style protection for FREE!
Idea shared by Joe Wolf - April 1, 2015 at 7:24 PM
Completed
Warning:  The below configuration works great for me, but use any of the following information at your own risk.
 
Notice:  The process has somewhat changed (as of June 12, 2015).  Please see  http://portal.smartertools.com/community/a86419/sm-14-clamsup-problems-and-how-to-fix-them-temporarily-at-least.aspx#90480 for the latest configuration updates.  The paths may be different but the file names will remain the same.
 
Problem:  The standard SmarterMail install of ClamAV is very poor at catching viruses, trojans, and other malware.  Currently any .zip file attachment can contain a .exe payload and ClamAV will not catch it.  
 
I originally started at looking for ways to use the SpamAssassin MIMEHeader plugin to check for .exe files inside .zip files, but couldn't make it work.  I've tried to use various command line antivirus scanners and none seemed to work well for me.  I then started to try and write a ClamAV signature rule that would catch these messages, but I happened to find the below solution.  I installed the below solution and then sent myself 18 different examples of .zip attachments with .exe virus / trojan payloads (all verified via VirusTotal).  Before the below solution was installed all 18 were delivered to my Inbox, after the solution all 18 were caught and put into my Virus Quarantine.  Zero false positives to date.
 
The below solution has the ability to stop a lot of spam, but I have disabled most of those tests because I don't believe spam filtering should be done by ClamAV.  I just want to stop the viruses, trojans, phishing, and other malware.  I have left the tests that accomplish this enabled.
 
Solution:  I found that many of the original ClamAV developers and others have developed third party signatures that greatly increase the effectiveness of ClamAV.  I do not take credit for any of the below.  You can investigate all of the below at Sanesecurity http://sanesecurity.com and you can do all of what I've done below yourself if you desire.  I've just made installation easier and configured it for use with the standard ClamAV installed by SmarterMail.  Essentially all you're doing is adding thousands of additional signatures to ClamAV and automating hourly updates to catch the newest threats.
 
The below should work with any recent version of SmarterMail and ClamAV.
 
#1  You can download my pre-configured package from this link: https://www.dropbox.com/l/kQfIHSio6bUWk5VcX8o2hr  You will be downloading a file named ClamSup.zip.  It is virus free and you are free to scan it with any scanner you choose.  
 
#2  Extract the contents of ClamSup.zip to the location of your choice.  I used C:\ClamSup but you can use any location you choose, but my instructions will reference C:\ClamSup so if you choose a different location adjust accordingly.
 
#3  If your SmarterMail program files are installed on C:\Program Files (x86).... you don't need to do any editing, etc.  If you've installed SmarterMail on a different drive or path you will need to edit the C:\ClamSup\ClamSup.cfg file to represent the proper paths.  The file is simple to understand and you will need to change the path in four places in the ClamSup.cfg file. (On Edit:  Some SmarterMail installations have the Clamd.conf file in the \etc folder instead of \bin - please verify that the path to Clamd.conf in the ClamSup.cfg matches the actual location of your Clamd.conf).  An easy way to find the proper path for the ClamSup.cfg file is to find your EXISTING clamd.conf and open it in notepad (or any text editor of your choice).  You will see a line in the clamd.conf that says "Database Directory" and you can use that path for the "LOCALFOLDER" value in the ClamSup.cfg.  The others should be simple to figure out.
 
#4  Run the ClamSup.bat file.  This will download all the signatures to your ClamAV installation.  There is a built in delay in the batch file so ClamAV can validate each new signature.  It may take 10 minutes or so for the batch file to complete (most of this is delay time and adds very little load to your server).  ClamAV will use slightly more RAM after the installation of the additional signatures.  
 
#5  I suggest you add a scheduled task in Windows Task Scheduler to run C:\ClamSup\ClamSup.bat every hour to download any updated signatures (some are updated hourly).  If you stay logged in to your SmarterMail server all the time you can run the ClamSup.bat in loop mode by changing the last line in your ClamSup.cfg from "LOOP_MODE=N" to "LOOP_MODE=Y".  When the batch file is run in loop mode it will automatically download the signatures hourly, but if you log off the computer it will not run and you will need to use the Task Scheduler method.
 
#6  If you want to verify that your ClamSup installation is working properly take a look at your C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam\share\clamav folder (or whatever your path may be).  You should see a total of 20 files and one folder called "SIG_TMP" (this temp folder holds the new verified signatures to be integrated into ClamAV and can be ignored).
 
That's all there is to it and you've turned ClamAV into one of the best antivirus solutions possible.  I suggest you enable the Virus Quarantine and monitor the results.  The signatures I enabled will catch a lot more than the stock ClamAV.  
 
NOTES:  I have only enabled the signatures I feel are appropriate.  You can add or remove them as desired.  This is done by editing the C:\ClamSup\ClamSup.ini file.  The descriptions of the various signatures are at: http://sanesecurity.com/usage/signatures/   All of the signatures preceded by a "-" in the ClamSup.ini are disabled.  All of the signatures enabled in my installation have a LOW false positive rate.  If you decide to disable a signature add the "-" in front of that line in the ClamSup.ini and delete the associated file from the C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam\share\clamav folder and the "SIG_TMP" folder.
 
I believe you'll see how good ClamAV can be.  The above does increase memory usage slightly, but I see no additional load on my server.  The ClamSup.bat file will only download new signatures when they are newer than those currently installed so it's very efficient.  If you choose to use more aggressive signatures monitor your Virus Quarantine regularly.
 
I know everyone has different levels of abilities to make such changes.  This is not a difficult process and I can implement it on a SmarterMail server in less than 4 minutes and never have to stop the SmarterMail service (it's transparent and just works great).  The Path values are the most important part.  Verify your path values!  Also install it as an Administrator.
 
Thanks,
-Joe
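A consistency check for the pieces the post says to verify (steps #3 and #5 and the NOTES about disabled signatures). This is an added example, not part of ClamSup or the post; it assumes ClamSup.ini holds one download URL per line with a leading "-" disabling an entry, and the sample files are constructed to mirror the long-path error case reported further down the thread.

```python
"""Consistency checks for a ClamSup + SmarterMail ClamAV setup (added example).
Flags what the thread trips over: LOCALFOLDER != clamd.conf DatabaseDirectory,
long paths with spaces/parentheses that break the unquoted batch file (use 8.3
short names such as PROGRA~2), the deprecated MailFollowURLs line, and enabled
signatures missing from (or disabled ones lingering in) the database folder.
Assumption: ClamSup.ini holds one URL per line; a leading '-' disables it."""
import ntpath
import re

CFG_PATH_KEYS = ("LOCALFOLDER", "CLAMSCAN", "CLAMDSCAN", "CLAMD_CONFIGFILE")

def parse_cfg(text):
    """KEY=VALUE lines of ClamSup.cfg; '#' comments and blank lines are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip().upper()] = value.strip()
    return out

def parse_clamd_conf(text):
    """'Option value' lines of clamd.conf, keyed by lower-cased option name."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            out[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return out

def norm(path):
    """Normalise a Windows path for comparison (case, slashes, trailing separator)."""
    return ntpath.normcase(ntpath.normpath(path))

def batch_unsafe(path):
    """True if the unquoted batch script would choke on this path (spaces, parens)."""
    return re.search(r"[ ()]", path) is not None

def signature_lists(ini_text):
    """(enabled, disabled) signature file names from ClamSup.ini (assumed format)."""
    enabled, disabled = [], []
    for line in ini_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name = line.lstrip("-").rsplit("/", 1)[-1]
            (disabled if line.startswith("-") else enabled).append(name)
    return enabled, disabled

def check_setup(cfg_text, clamd_text, ini_text, db_listing):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    cfg, clamd = parse_cfg(cfg_text), parse_clamd_conf(clamd_text)
    for key in CFG_PATH_KEYS:
        if not cfg.get(key):
            findings.append(f"{key} is not set in ClamSup.cfg")
        elif batch_unsafe(cfg[key]):
            findings.append(f"{key} has spaces/parentheses; use the 8.3 short path (PROGRA~2 style)")
    dbdir = clamd.get("databasedirectory")
    if dbdir and cfg.get("LOCALFOLDER") and norm(dbdir) != norm(cfg["LOCALFOLDER"]):
        findings.append(f"LOCALFOLDER {cfg['LOCALFOLDER']} does not match DatabaseDirectory {dbdir}")
    if "mailfollowurls" in clamd:
        findings.append("clamd.conf still contains MailFollowURLs (deprecated; remove the line)")
    present = {n.lower() for n in db_listing}
    enabled, disabled = signature_lists(ini_text)
    findings += [f"enabled signature {n} is missing from the database folder"
                 for n in enabled if n.lower() not in present]
    findings += [f"disabled signature {n} is still present; delete it and its SIG_TMP copy"
                 for n in disabled if n.lower() in present]
    return findings

# Constructed samples that mirror the long-path error case reported in the thread.
SAMPLE_CFG = r"""
LOCALFOLDER=D:\PROGRAM FILES (x64)\SmarterTools\SmarterMail\Service\Clam\share\clamav
CLAMSCAN=D:\PROGRA~2\SmarterTools\SmarterMail\Service\Clam\bin\clamscan.exe
CLAMDSCAN=D:\PROGRA~2\SmarterTools\SmarterMail\Service\Clam\bin\clamdscan.exe
CLAMD_CONFIGFILE=D:\PROGRA~2\SmarterTools\SmarterMail\Service\Clam\etc\clamd.conf
LOG_LEVEL=2
LOOP_MODE=N
"""
SAMPLE_CLAMD = r"""
DatabaseDirectory D:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\share\clamav
MailFollowURLs no
"""
SAMPLE_INI = """
http://mirror.example/winnow_malware.hdb
http://mirror.example/winnow_phish_complete_url.ndb
-http://mirror.example/INetMsg-SpamDomains-2w.ndb
"""
SAMPLE_LISTING = ["main.cvd", "daily.cld", "bytecode.cvd", "winnow_malware.hdb", "INetMsg-SpamDomains-2w.ndb"]

if __name__ == "__main__":
    for finding in check_setup(SAMPLE_CFG, SAMPLE_CLAMD, SAMPLE_INI, SAMPLE_LISTING):
        print("WARN:", finding)
```

To run it against a real server, read the three files from the paths in your own ClamSup.cfg and pass os.listdir() of the database folder as db_listing.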

102 Replies

0
Fantastic Joe! Thank you! It just so happens I have a little free time later today so I will complete the changes as above and confirm the outcome. We've been getting so many viruses going through the email servers lately and have tried external AV scanners with little to no success as you have. Again, really appreciate you sharing this solution!
0
Great job, Joe.  Thanks for putting in all of the time and sharing this resource!
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Thanks a lot for this!!
 
I got an error:
 
ERROR: The configured ClamD.conf file (C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\bin\clamd.conf) was not found.
 
 
But after I changed the last folder in the path to etc instead of bin, everything worked fine.
0
That's interesting, the batch worked fine for me in the testing.
0
Not sure why my clamd.conf is in a different folder, I have never touched it. But it was an easy fix and is working fine now.
0
Actually, that's even weirder...I have just checked and the clamd.conf is indeed within /etc and not /bin. I will rerun the batch just in case!
0
Perhaps different versions of SmarterMail install clamd.conf in different locations. Please verify your paths! Thanks for letting me know and I've noted this issue in the original post.
Thanks,
-Joe
0
I'm very impressed with the results. My system has caught 37 .zip with an .exe payload just since I posted the above message. I'm confident that ClamAV alone would have caught none of them.
Thanks,
-Joe
1
I would like to test the effectiveness of this update... How were you testing it?
0
Since any messages it finds go into the Virus Quarantine I had nothing to lose by going live with it after I sorted thru the various signatures I wanted to use. So even if it went bad I'd still have the messages in the Quarantine. The results so far have been ZERO false positives and not a single .zip with a .exe payload has made it thru to a user. I tested by sending 18 known infected files thru ClamAV before activating the new signatures and all were delivered, then sending the same 18 known infected files thru ClamAV after the new signatures were online and all 18 were sent to the Virus Quarantine. It also catches a lot more phishing attempts. No false positives to date. Since there are no real system changes if you don't like it you simply delete the ClamSup folder and delete the associated signatures in your ClamAV folder.
Thanks,
-Joe
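The gap Joe tested for (a .zip attachment carrying a .exe that stock ClamAV let through), as an added detection check that is not from the post or from ClamSup: it parses a message, opens each ZIP attachment in memory and reports executable members. The extension list and the sample message are constructed for this example.

```python
"""Flag .zip attachments that carry Windows executables (added example).
The thread's problem case: a .zip attachment with a .exe inside passes stock
ClamAV. This check parses a message, opens each ZIP attachment in memory and
lists members whose extension is in EXEC_EXTENSIONS. The extension list and
the sample message are constructed for this example, not taken from the post.
"""
import email
import email.policy
import io
import posixpath
import zipfile
from email.message import EmailMessage

# Constructed policy: extensions Windows will execute directly from a zip.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd"}


def executable_members(zip_bytes):
    """Names of zip members with an executable extension.
    A blob that is not a valid zip is reported as a marker entry so callers
    treat an undecodable attachment as suspicious rather than clean."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["<not a valid zip>"]
    return [n for n in names if posixpath.splitext(n)[1].lower() in EXEC_EXTENSIONS]


def scan_message(raw_bytes):
    """Map attachment filename -> executable members, for every ZIP attachment.
    The ZIP is recognised by its magic bytes, not by the declared filename or
    MIME type, so a renamed archive is still inspected."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    result = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if not payload or not payload.startswith(b"PK\x03\x04"):
            continue
        hits = executable_members(payload)
        if hits:
            result[part.get_filename() or "<unnamed>"] = hits
    return result


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_message():
    """Constructed message: one harmless zip and one hiding invoice.pdf.exe."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(make_zip({"report.txt": b"quarterly numbers"}),
                       maintype="application", subtype="zip", filename="report.zip")
    msg.add_attachment(make_zip({"invoice.pdf.exe": b"MZ placeholder, not a real binary"}),
                       maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, members in scan_message(build_sample_message()).items():
        print(f"{filename}: executable members {members}")
```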
1
Just carrying out some testing.
 
Using Email Security Check (http://www.emailsecuritycheck.net/) pre Clam AV Signature update all 7 tests get through.  After the update 6 out of the 7 still get through.  I will keep testing.
0
I know the work you put into figuring this all out. So there is no chance I will not like it, lol.
0
All of those are variants of the EICAR test and I doubt that any of the new signatures have any interest in EICAR.
Thanks,
-Joe
0
Thanks for that. I can confirm that whilst testing on a live server (yeah...shhhh!) it has caught 6 live and real viruses! That is just in an hour or so! I checked the quarantine and no false positives. All other tests have been successful and no real change in resources too. So...thank you again Joe....you have already made a difference with the work you have shared.
0
Getting the following error:
 
Date: Thu 04/02/2015 
Time: 18:40:21.41 
 
ERROR: The configured local folder does not exist! 
 
ClamSup directory is on the "D" drive, along with SmarterMail
 
Been a very long day.  Am I missing something?
 
Here's the batch file, modified to show the ETC folder and "D" drive for SmarterMail:
 
#
# - [ ClamSup Updater options ] - #
#

# - [ The local path where updates should be downloaded/extracted to ] - #

LOCALFOLDER=D:\PROGRA~2\SmarterTools\SmarterMail\Service\Clam\share\clamav

# - [ Filename/Location of Clamscan.exe ] - #
# - [ Needed if the testing of downloaded signatures is enabled ] - #

CLAMSCAN=D:\PROGRA~2\SmarterTools\SmarterMail\Service\Clam\bin\clamscan.exe

# - [ Filename/Location of ClamDscan.exe ] - #
# - [ Needed if ClamD should be signaled to reload it's signatures ] - #
# - [ Leave empty to disable ] - #

CLAMDSCAN=D:\PROGRA~2\SmarterTools\SmarterMail\Service\Clam\bin\clamdscan.exe

# - [ Filename/Location of ClamDscan's config file (clamd.conf) ] - #
# - [ Only needed if ClamD should reload it's signatures (See above) ] - #

CLAMD_CONFIGFILE=D:\PROGRA~2\SmarterTools\SmarterMail\Service\Clam\etc\clamd.conf

# - [ What errors should be logged to the error log file ] - #
# - [ 1: Only critical errors ] - #
# - [ 2: All errors (recommended) ] - #

LOG_LEVEL=2

# - [ Lets the scrip run infinitely ] - #

LOOP_MODE=N
Thanks!
0
Thanks for this. It works but not on Windows 2012. Seems to be a path problem. Even putting "" around the path does not work. I get the error 'Files was unexpected at this time.'
0
Bruce, do you have SmarterMail in Program Files (x86) or Program Files? If it's just Program Files (not (x86) change the path to: D:\PROGRA~1\SmarterTools\ ... in other words PROGRA~1 instead of PROGRA~2). If you open your existing clamd.conf you will see a line giving you the proper path to the "LOCAL FOLDER" path in the ClamSup.cfg. Here's my example: "DatabaseDirectory C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\share\clamav"
Thanks,
-Joe
0
I have noticed that the number of failed connections to ClamAV increased since installing ClamSup and I was monitoring what was going on.  I found two things.  First that the version of ClamAV installed by SmarterMail is outdated and only a  32-bit process.  The additional signatures were taking longer than SmarterMail allowed and the file was moved from the spool before ClamAV finished scanning.  I found two ways to help this problem.
 
Solution #1:  In SmarterMail | Settings | General Settings | Spool | Delivery Delay have at least 3 seconds for the Delivery Delay. This is probably a good idea even if you decide to implement Solution #2 below.
 
NOTICE:  Several people running Windows Server 2012 have reported problems running the 64-bit version of ClamAV.  I'm not having any problems but Server 2012 adds additional risk. (4/10/15 UPDATE: Apparently Windows Server 2012 need to have C++ Redistributable Package 2010 x64 package installed for proper operation).
 
Solution #2  I decided to update my ClamAV install to ClamAV 0.98.60 64-bit instead of the default SmarterMail installed version of 0.97.1.0 32-bit.  Keep in mind that you can't do this unless you're on a 64-bit OS.  The 64-bit version runs much faster than the 32-bit version of ClamAV.
 
If you want to do this it's rather simple to do.  I've packaged the proper files here (it's a clean .zip file) https://www.dropbox.com/s/ns4k2jml0zpc8d5/ClamAV-x64.zip?dl=0  
 
Download the file and unzip it in any temporary folder you desire.
Locate your existing ClamAV "bin" folder (for example on my system is at: C:\Program Files (x86)\SmarterTools\SmarterMail\Service\clam\bin ).  Make a backup of this folder.
 
To install the new 64-bit ClamAV you will need to Stop the SmarterMail service, then end the "clamd.exe *32" process in the Task  Manager.  Then delete all the files in your ClamAV "bin" folder EXCEPT the clamd.conf and freshclam.conf files if they are present. Once you've done that then simply copy the files from the download above into the ClamAV bin folder (but keeping the existing clamd.conf and freshclam.conf if they were already present in that folder if not we'll take care of that in the next step).  Open the clamd.conf file and remove the line near the bottom that says: "MailFollowURLs no" (even if it says MailFollowURLs yes).  The MailFollowURLs value is no longer valid in ClamAV.
 
If you do NOT have a clamd.conf and freshclam.conf in the \bin folder you will need to find them in the \etc and COPY them to the \bin folder (remove the MailFollowURLs line from the clamd.conf first or just remove it from both copies).  It's fine for you to have the .conf files in both locations as long as they're identical.  Make sure to remove the "MailFollowURLs no" or "MailFollowURLs yes" from all your clamd.conf files.
 
Verify that your ClamAV can update the signature files.  To do this open a command prompt in your ClamAV /bin folder (while viewing that folder in Windows Explorer just hold down the Shift key and right click on any whitespace (not on a file or with a file selected) and select "Open command window here".  Verify the command window is open in the \bin folder (in my example I would be located at: C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam\bin> ).  At the command prompt enter "freshclam.exe" (without the quotes) and hit enter.  You should see ClamAV either verifying or downloading the latest signature files.  Once finished you can close the command window.  You can navigate to the \clam\log folder and open the freshclam.log in notepad or text editor of your choice and you can verify that freshclam.exe ran properly.
 
Once the new files are copied all you need to do is Start the SmarterMail service.  SmarterMail will automatically use the newer ClamAV version in 64-bit mode.  You can verify this in your Task Manager by noting that is now listed as "clamd.exe" instead of "clamd.exe *32".  You can also verify that SmarterMail will update the ClamAV signatures by going to Security | Antivirus Administration | ClamAV tab | select Update ClamAV.  All SmarterMail does is open an instance of freshclam.exe.  If you think you have a problem you can take a look at the clam\log\freshclam.log and look for any errors.  Please note that SmarterMail will show "updating" and will not show the update was successful until you navigate to a different area in SmarterMail and then go back into Security | Antivirus Administration | ClamAV tab (it doesn't update the status real-time)
 
NOTE:  If you don't stop the SmarterMail service and end the clamd.exe *32 process you won't be able to delete all the files (but again make sure to KEEP the existing clamd.conf file).
 
Also note that if you upgrade, update, or re-install SmarterMail you will have to do all of the above over again because it will overwrite the newer 64-bit version with the older 32-bit version of ClamAV.
 
I've not encountered any problems by using the newer 64-bit ClamAV, but if you have any problems you can simply restore your backup, or simply re-install SmarterMail.
 
I know everyone has various skill levels.  I can easily implement the above changes on any recent version of SmarterMail in under 2 minutes.  This is not a complicated process.  Just stop the SmarterMail service, end the spamd *32 process, delete all the \bin folder files EXCEPT clamd.conf and then just copy the files from the download to the \bin folder and restart the SmarterMail service.  It's really that easy.
 
Thanks,
-Joe
0
It works fine in Windows Server 2012.... you just have a path issue. I've updated the original post to help you find the proper path.
Thanks,
-Joe
0
The http://www.emailsecuritycheck.net/ sends a bunch of .bat attachments which are of little interest unless you want to block .bat extensions. If you want to do that it's pretty simple, but the problem is in .zip extensions with .exe payloads and ClamSup takes care of that. Ignore the http://www.emailsecuritycheck.net/ results. Only one of the 7 sent should be caught. The rest are .bat files which are of little interest.
Thanks,
-Joe
0
I've updated the original post to help everyone get the proper path corrected.
Thanks,
-Joe
0
I will keep the download link updated with the latest version of ClamAV 64-bit as new versions are released. Just make sure you're using a 64 bit OS (Windows Server 8r2 and 2012, etc.). There is no way for me to test this on ALL versions of SmarterMail, but since all of the above can easily be reversed you have little to lose by giving it a try. I've updated several servers and not one had any issues of any kind. The newer 64-bit ClamAV seems to work better with .zip attachments with .exe payloads than the older 32-bit version. Please keep in mind that NONE of the above is official from SmarterTools or endorsed by them in any way. I'm just using all my abilities to protect my customers. The added benefit is that most compromised accounts will no longer be able to send out messages with dangerous payloads because ClamSup will quarantine them. It really is a very good solution to date. Most people seem to be having path problems in the ClamSup.cfg. I wasn't aware that SmarterMail installed the ClamAV in so many different ways. Just take your time and you'll get it running. Check the original post for updates on how to find the proper paths for ClamSup.cfg.
Thanks,
-Joe
0
The SERVER name is "SmarterMail Server". The "D" drive, on which SmarterMail is installed, is named "SmarterMail". The path for the ClamSup drive is "D:\ClamSup\". The path for the SmarterMail installation is "D:\Program Files (x86)\SmarterTools\SmarterMail\MRS\".
0
Here's the output if I list the entire path in the INI file:

ClamSup/1.3.1.1 - tBB 2o1o - tbb@hideout.ath.cx
Using [ D:\ClamSup\ClamSup.ini ] as url configuration file.
'FILES' is not recognized as an internal or external command, operable program or batch file.
'FILES' is not recognized as an internal or external command, operable program or batch file.
'FILES' is not recognized as an internal or external command, operable program or batch file.
Removing D:\PROGRAM FILES (x64)\SmarterTools\SmarterMail\Service\Clam\share\clamav\INetMsg-SpamDomains-2w.ndb
The system cannot find the path specified.
Removing D:\PROGRAM FILES (x64)\SmarterTools\SmarterMail\Service\Clam\share\clamav\SIG_TMP\INetMsg-SpamDomains-2w.ndb
The system cannot find the path specified.
Removing D:\PROGRAM FILES (x64)\SmarterTools\SmarterMail\Service\Clam\share\clamav\winnow_phish_complete_url.ndb
The system cannot find the path specified.
Removing D:\PROGRAM FILES (x64)\SmarterTools\SmarterMail\Service\Clam\share\clamav\SIG_TMP\winnow_phish_complete_url.ndb
The system cannot find the path specified.
--------------------------------------------------------
Updating winnow_malware.hdb
--------------------------------------------------------
\SmarterTools\SmarterMail\Service\Clam\share\clamav\ was unexpected at this time.
D:\ClamSup>
0
You should not be changing the path in the ClamSup.ini, but rather in the ClamSup.cfg. Just look at your existing clamd.conf file for the proper path for ClamSup.cfg. I'm sorry that I didn't better explain the path situation. I was not aware of so many different SmarterMail paths to ClamAV. If you use the path in your existing Clamd.conf you'll be on the right path. I promise!
Thanks,
-Joe
0
I am changing the CFG file:

#
# - [ ClamSup Updater options ] - #
#

# - [ The local path where updates should be downloaded/extracted to ] - #

LOCALFOLDER=D:\PROGRAM FILES (x64)\SmarterTools\SmarterMail\Service\Clam\share\clamav

# - [ Filename/Location of Clamscan.exe ] - #
# - [ Needed if the testing of downloaded signatures is enabled ] - #

CLAMSCAN=D:\PROGRAM FILES (x64)\SmarterTools\SmarterMail\Service\Clam\bin\clamscan.exe

# - [ Filename/Location of ClamDscan.exe ] - #
# - [ Needed if ClamD should be signaled to reload it's signatures ] - #
# - [ Leave empty to disable ] - #

CLAMDSCAN=D:\PROGRAM FILES (x64)\SmarterTools\SmarterMail\Service\Clam\bin\clamdscan.exe

# - [ Filename/Location of ClamDscan's config file (clamd.conf) ] - #
# - [ Only needed if ClamD should reload it's signatures (See above) ] - #

CLAMD_CONFIGFILE=D:\PROGRAM FILES (x64)\SmarterTools\SmarterMail\Service\Clam\etc\clamd.conf

# - [ What errors should be logged to the error log file ] - #
# - [ 1: Only critical errors ] - #
# - [ 2: All errors (recommended) ] - #

LOG_LEVEL=2

# - [ Lets the scrip run infinitely ] - #

LOOP_MODE=N

If I leave the shortened path, it doesn't run at all. If I put the full path in, then it runs, and ends in the error I previously showed.
0
I really DISLIKE the COMMENT editor and display!
0
Open your existing clamd.conf and you will see a line giving you the proper path for "DatabaseDirectory", and that should match the "LOCALFOLDER=" path in the ClamSup.cfg. Then it shouldn't be hard to figure out the other three paths. Once you have the paths correct it WILL work.
Thanks,
-Joe
0
And yes I really dislike the Post Comment option. Makes it a jumbled mess. I wish SmarterTools would ELIMINATE Post Comment and only allow Reply to Thread (like the rest of the world does).
Thanks,
-Joe
1
Thanks for all the work Joe.  This solution has been far far better even overnight!
 
I will update to ClamAVx64 shortly.  I am wondering why SmarterTools have not used, or given the option of using, the x64 version.....very weird.
 
One thing to note, when using the Loop Mode within ClamSup.cfg it shows the following error every hour:
 
 
I ran it overnight with output to a .txt file and saw the above.
 
There are no errors shown within the ClamSup.error file.  But it looks like it hasn't run as the text output file only shows the last manual run...so the first run.  It looks like there is an old bit of code within the config file.  I will take a look at the line 25 later.  Might be worth removing just to clean it up a bit.
0
I have now made the ClamAV change, however there is an issue.  ClamAV shows as 'updating' constantly within SmarterMail and no clamd.exe is running within Task Manager:
 
 
This is on a 2008 R2 x64 machine running SM13.3 Enterprise.
1
Unfortunately the change did not work.  When trying to revert back to the x86 folder the webmail failed to load with the whoops admin page.  The clamd.exe *32 did show as running after the procedure (stop service, remove/rename old bin folder and move/rename original folder).
 
I have had to complete a reboot of the server for the service to start back correctly within IIS.  Unsure of the issue.
 
After reverting back to the 32bit \bin folder and the reboot then clamd *32 process is running normally and the Virus definitions are now updating.
 
I think I will take another look at this later.
0
Check your SmarterMail clamd.conf line 25. Mine is set as "MailFollowURLs no" and I'm not seeing that error. As far as I know MailFollowURLs is not supported in the Windows port of ClamAV so if it's set to "yes" that might be causing the error.
Thanks,
-Joe
0
That means the main signature files in ClamAV are missing. Some versions of SmarterMail wouldn't update them properly if they're missing. Not sure how that may have happened, but I'll put up a copy of the latest ClamAV pattern files soon.
Thanks,
-Joe
0
Quick note (I'm currently configuring this package): I had to install Microsoft Visual C++ 2010 Redistributable Package (x64) (http://www.microsoft.com/en-us/download/details.aspx?id=14632) to make x64 ClamAV work on my Windows Server.
0
Thanks Joe. Just checked and it is set to 'no'.
1
Thanks for the resource, Joe!

Andrea Rogers
 Communications Specialist
 SmarterTools Inc.
 (877) 357-6278

www.smartertools.com

0
Interesting that you agree this is a resource and I am sure you agree helpful to others....we had many like this in the old forum......
0
CCWH: ours was updating all night, too - and we received no e-mail during that period. I had to uninstall and reinstall SmarterMail to get it to work again. I have no doubt that Joe has a great solution here, but, given the fact that there are so many different versions of Windows Server; that Server 2012 does things a whole lot differently (and we're running it); and, as Joe found out, SmarterMail is installed differently on some machines - for whatever reason, I'll wait till this is a bit more proven.
0
I use a localized version (IT) of Win Server 2012 R2 foundation and I get command syntax error when running ClamSup.bat - Tried with cmd /c same error... checked paths 12 times.
0
Rechecked paths... the 13th time finally worked. I'm using the short path with LOCALFOLDER=C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\share\clamav
0
I just found others reporting the same problem. Apparently "MailFollowURLs" is a deprecated value in ClamAV so you can either delete that line from clamd.conf or comment it out.
Thanks,
-Joe
0
If you want to try and populate the ClamAV stock signatures (which is all the SmarterMail update does) you can download them here: https://www.dropbox.com/s/77slyczypzj3aih/clamavsignatures.zip?dl=0  I've seen several cases where SmarterMail won't update properly if the files are not populated.
Thanks,
-Joe
0
Thanks Andrea. Obviously I don't have every version of SmarterMail to test on, and I didn't realize the various changes in default ClamAV install locations. I'm very happy with the results I'm getting. Not a single infected file has made it past ClamAV with ClamSup installed.
Thanks,
-Joe
0
Thanks for the info. I suppose I already had it installed on my system. I was just picking out the minimal files needed to get it running x64. Your solution may be why some are having problems with the x64 issue. I did have one person contact me that was trying to install it on a 32-bit OS which obviously didn't work.
Thanks,
-Joe
0
Just to note, this isn't the issue with my tests. The server has already got the C++ 2010 redist. I will be retrying the x64 AV parts a little later now the servers are getting quieter!
0
I have just done a file comparison of the four files contained within the download you have linked and the ones already within C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam\share\clamav - All are already the same. So guessing it cannot be that issue for the updates after changing to the x64 version.
0
Please note that I've updated the post on updating to ClamAV 64-bit above. You need to make sure you have a copy of both clam.conf and freshclam.conf in your clam\bin folder. You also need to remove one line from your clam.conf (described above).
Thanks,
-Joe
0
Joe,
 
Thank you for a resolution for an issue that has been bothering me for a couple of months. Your solution caught over 300 viruses in the past 24 hours where the built-in version of ClamAV was down to catching only an average of 5 per day. I manually checked for false-positives and had none!
 
EXCEPT...and this is certainly odd...we have a SmarterMail Event to email the administrator when a Virus is detected and a message is moved to the Virus Quarantine. Those Virus Notifications are being caught in the Virus Quarantine instead of being delivered. Apparently it is something in the body causing this. We have the following:
 
"The message from #fromaddress# to #toaddress#, titled '#subject#', contained the #virusname# virus. It has been deleted."
 
I assume that either the #fromaddress#, #subject# or #virusname# field is triggering the new ClamAV signatures.
 
I'm certainly willing to live without those Virus Quarantine Events for a 6000% increase in the effectiveness of ClamAV, but I thought it was worth noting in case anyone else relies on those notifications.
0
Just as an update with this one, unfortunately even with the new procedure (copying clamd.conf and freshclam.conf to \bin) SM still does not run the clamd.exe x64 process.
 
I did do a test AV update using the command line outlined above using 'freshclam.exe' and that was successful, so I don't think this has anything directly to do with the x64 files.  SM simply isn't running the new executable and this might well be to do with the original location of the clamd.conf / freshclam.conf files.
 
On this test both the clamd.conf and freshclam.conf files are in the \etc folder (alone).  They were both copied to the new x64 \bin folder.  The clamd.conf already was edited re the line 25 deprecated issue.  Also, I stopped the SM IIS instance along with the service just in case on the second test, both ended with no clamd.exe process.
 
I have tried this so far on a 2008 R2 and not 2012 but I will try tomorrow.
 
It is pretty easy to revert.  No reboot needed now as long as the service AND site within IIS are stopped before reverting the folder structure back.
 
Also, the mail DOES stop flowing when the x64 clamd.exe process is not running.....so test carefully!
 
So, the solution whilst still using the built-in 32-bit ClamAV is FAR superior to out of the box....so...for the time being I think I will stick with that.  I will still test on the test server the x64 update though!  It is really weird that the .conf files are in different locations as I would suspect most stating 2008 R2 have either Web or Standard.  Might well be the difference.  Just to add....our 2008 R2 servers are R2 Web OS and our 2012 R2 are just Standard.
0
Thanks for the update. You can still use ClamSup with the built-in ClamAV used by SmarterMail. I could upload the latest 32-bit ClamAV files if you wanted to try those. I find it strange that I have this running on both 2008r2 and 2012 servers with no problems, but I did try a fresh install of SmarterMail on Windows 8.1 (mostly to see the default installation locations) and I couldn't get the 64-bit ClamAV to run properly on 8.1 (but I didn't work with it very long). Thanks for the update!
Thanks,
-Joe
2
Matt Petty Replied
Employee Post
We are actually working on support for ClamSup and 64bit support with ClamAV in SmarterMail after reading all the recent success. Thanks Joe!
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Sounds good Matt. ClamSup seems to work fine on any recent version of SmarterMail on any OS, but the 64-bit ClamAV seems to be a problem for some using Windows Server 2012. Before installing ClamSup I averaged about 15 ClamAV failed connections per day (these are usually when ClamAV is updating signature files... I manually update every hour). When I implemented ClamSup I jumped up to 174 failed connections, but most of these were because I had my spool delay set at zero and the file was removed from the spool before ClamAV finished. I then increased my spool delay to 3 seconds and installed the 64-bit ClamAV and my failed connections today were only 3. I can't say for sure if the rapid drop in ClamAV failed connections was due to the increased spool delay or the 64-bit ClamAV (probably a combination of the two). In any case ClamSup greatly increased the effectiveness of ClamAV. My spam trap address was getting about 8 - 10 infected files per day that ClamAV didn't detect (I verified all as infected via VirusTotal), but since implementing ClamSup I have had zero infected files make it to my spam trap Inbox. I'm very happy with those results. One thing I'd like to see is if there's any way to parse the infection name out of ClamAV and display that on the Virus Quarantine control panel. That would allow us to tune ClamSup much more easily. We're using nearly 100,000 signatures and we could probably cut that in half and still maintain the effectiveness. I'm sure many of the signatures are duplicates.
Thanks,
-Joe
0
That's great news! To add, the x64 can be found on both 2008 R2 Web & 2012 R2 Standard.
0
I'm wondering whether all messages are being scanned by SmarterMail ClamAV? Or maybe there is a message size limit (I thought that I saw it somewhere but I could not find it) where if a message is bigger it is not being scanned?
 
I'm asking because when I was testing Avast it was finding messages whose size was about 1-3MB, and for about 18 hours of ClamAV working (I know this is not too big a period of time) the biggest message placed in Virus Quarantine is 14KB.
0
The only file size option I have seen is for Antispam (Antispam > Options > 'Max message size to content scan'). However I wouldn't have thought that would have any bearing on the AV. Hopefully someone else can confirm.
0
It would be nice to have this clarified by someone from the SmarterTools devs. Also IMHO the setting StreamMaxLength should be higher than 5M. From the docs:
 
StreamMaxLength SIZE
Clamd uses an FTP-like protocol to receive data from remote clients. If you are using clamav-milter to balance load between remote clamd daemons on firewall servers you may need to tune the Stream* options. This option allows you to specify the upper limit for data size that will be transferred to the remote daemon when scanning a single file. It should match your MTA's limit for a maximum attachment size. Default: 10M
0
Yes, all messages both in and out are run through ClamAV (unless you disable it). You can define the maximum message sizes in clamd.conf with entries such as the following:
 
MaxScanSize = "157286400"
MaxFileSize = "104857600"
Thanks,
-Joe
0
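As an added example (not Joe's code and not from ClamAV or SmarterTools), here is a small Python check for the size limits discussed in the StreamMaxLength question and in Joe's MaxScanSize / MaxFileSize reply: it parses a clamd.conf fragment and flags any limit that sits below the mail server's maximum message size, since a message larger than those limits is passed through without a real scan. The fallback defaults used for absent options and the tolerated 'Option = "value"' spelling are assumptions; the sample config is constructed.

```python
import re

# Multipliers for clamd.conf size values: bare number = bytes, K/M suffixes allowed
_SUFFIX = {"": 1, "K": 1024, "M": 1024 * 1024}

# Constructed sample in the thread's spelling; StreamMaxLength is omitted so the assumed default applies
SAMPLE_CLAMD_CONF = '''
MaxScanSize = "157286400"
MaxFileSize = "104857600"
'''

def parse_size(text):
    """Parse a clamd.conf size such as 25M, 512K or 104857600 (bytes) into bytes."""
    m = re.fullmatch(r"(\d+)([KkMm]?)", text.strip().strip('"'))
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2).upper()]

def parse_clamd_conf(text):
    """Return {Option: value}; accepts 'Option value' and 'Option = "value"' lines (assumed)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", line)
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts

def check_scan_limits(conf_text, mta_max_message_bytes):
    """List size settings that would let a message reach the inbox unscanned."""
    opts = parse_clamd_conf(conf_text)
    # Fallbacks when an option is absent (assumed ClamAV defaults; verify against your version)
    max_file = parse_size(opts.get("MaxFileSize", "25M"))
    max_scan = parse_size(opts.get("MaxScanSize", "100M"))
    stream_max = parse_size(opts.get("StreamMaxLength", "25M"))
    findings = []
    if max_file < mta_max_message_bytes:
        findings.append("MaxFileSize below the MTA message limit: larger messages are skipped")
    if max_scan < max_file:
        findings.append("MaxScanSize below MaxFileSize: big archives are only partly unpacked")
    if stream_max < mta_max_message_bytes:
        findings.append("StreamMaxLength below the MTA message limit: clamd closes the stream")
    return findings

if __name__ == "__main__":
    for f in check_scan_limits(SAMPLE_CLAMD_CONF, 50 * 1024 * 1024):   # 50 MB mail limit
        print(f)
```

With a 50 MB mail limit the sample config passes on MaxScanSize and MaxFileSize but is flagged on the absent StreamMaxLength, which is the setting the question above suggests raising.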
Great. Thanks
0
After copying the config files to bin and installing C++ Redistributable Package 2010 x64, my server seems to be functioning well.
 
Updates work, clamd loads, no errors.
 
Thanks again Joe!!
1
Many thanks for your time and this great solution.
 
Had no problem installing it (just changed the clamd.conf path from bin to etc), I'll see tomorrow how it worked during the night.
 
I resent a mail with a zip virus I received last week, and it was detected this time.
 
0
Joe, thank you very much for this great tip!
0
I just want to let you know that so far the biggest spam/virus message was 3.7MB, so it catches bigger messages too. One more thing, and maybe this is obvious, but I didn't find clarification for it: after X days in virus quarantine, messages which were not resent are simply removed, right?
0
Viruses / Malware are placed in the Virus Quarantine. You set it for either 15 or 30 days. You can resend them as long as you're on the latest versions of SM. Some versions didn't resend properly so update to the latest version. That's unrelated to the changes I suggest, but rather a bug in SM.
Thanks,
-Joe