How do I configure ClamAV?
Question asked by Michael Cummins - September 18, 2014 at 10:40 PM
Answered
Brand new install of 2008 R2 server, brand new install of the latest version of SmarterMail.  I get it rolling without much fuss.
 
I look in the delivery logs and I see this:
 
Unable to run Clam virus checks: System.Net.Sockets.SocketException (0x80004005): No connection could be made because the target machine actively refused it 127.0.0.1:3310
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at MailStore.Spam.ClamDClient.CheckScan()
 
Is there something extra I have to do to configure ClamAV?
 
Thanks!

11 Replies

Reply to Thread
0
First:
 
 
Second:
 
 
Then click SAVE and it should start working.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Those parts were already accomplished.  :)  I also tossed a 3310 firewall rule in for good measure.
 
Is there anything else I can inspect?
 
Thanks for you kind assistance!
0
Just make certain your definitions are updating throughout the day.
 
You can also go to REPORTS ====> SYSTEM TREND REPORTS ====> TRAFFIC REPORTS ====> CLAMAV and see the connections made by CLAMAV
 
You should also make certain that you are NOT scanning any part of SmarterMail with anything on the server.  Nothing should ever touch any SmarterMail file directly. 
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
1
Steve Reid Replied
Unless you see all messages with this note in the log then it's normal.
 
I see a few errors like this throughout the day.
0
Neither Viviotech, nor I, are seeing anything in the log files that show bounces. SmarterMail reports bounces in its mailing list roster of email addresses, and some folks are complaining. But I feel like I have optimized email server setup to maximize delivery rates.
 
I am grateful for any other advice. I have a querulous crew of mailing list subscribers to keep happy. =)

Thanks as always.
 
Eric
0
I don't believe viruses are logged.
 
Check your reports.
 
I've seen CLAMAV catch hundreds of viruses per day on a couple of the larger servers I maintain.  Here's a report from a smaller server.
 
They've seen two viruses within the last 9 days.  This report is for the last week:
 
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
 
My reports tell me that it caught 2 viruses in the last 24 hours; ClamAV had 8121 connections but 18468 failed connections.
 
How do I improve/affect those 18,468 failed connections?
 
How do you post those png/base64 pics with this interface?
 
Thanks!
0
Regarding the graphics question.
 
I use a product called, "Print Screen."  It allows me to select and capture the area I want to copy.  It can then be saved to a graphics file or copied into a document.
 
When using screen shots to respond to these questions, I select the screen region to copy, copy it into Print Screen, and paste it into the response.
 
Once the graphic is in the composition box, you can double click on the graphic and it will open an IMAGE PROPERTIES box:
 
SmarterTrack Graphics Image Properties popup box
SmarterTrack Graphics Image Properties popup box
 
The IMAGE PROPERTIES box will allow you to enter alternate text, left, right, or center, justify the graphic in the response editor, and add a caption.  Click OK when you have completed your graphic properties modifications.
 
 
Regarding your CLAMAV errors:

CLAMAV error connection levels of that magnitude are definitely indicative of an issue.
 
The first thing I would do is recheck the CLAMAV settings.  Here are my settings.  There are other options within those settings, too,  If you enable "REAL TIME A/V, you can select to IMMEDIATELY DELETE the infected messages or store them for 15 days so they can be inspected and verified.  We don't use the real time feature:
 
CLAMAV OPTIONS tab
CLAMAV OPTIONS tab
In the configuration tab, shown below, make certain you DO NOT have REMOTE SERVER checked.
CLAMAV CONFIGURATION tab
CLAMAV CONFIGURATION tab
 
You should also check your FIREWALL.  Remember, outbound ports are randomly assigned, to connect with the appropriate ports for well known services, and, if you are unnecessarily blocking outbound ports this could be creating connection issues for you. 
 
If that doesn't clear the problems, then try rebooting the server on which SmarterMail is installed.  It might just clear the issue by resetting and clearing everything.
 
Failing that, and while I don't believe it will make a difference in the CLAMAV effectiveness, the latest version of SmarterMail 12.X is 12.4.5364.  So the question begs: are you on that version?  Your original post only indicated, "brand new install of the latest version of SmarterMail."
 
So, I have a couple of things for your to check:
 
1.  Make certain you DO NOT have DNS CACHING enabled:
SmarterMail PROTOCOL SETTINGS
SmarterMail PROTOCOL SETTINGS
 
2. Make certain you are not running major DNS servers - while your choice of DNS servers will not necessarily affect the ability of CLAMAV to connect and download new virus definitions, running busy DNS servers can cause other problems, especially with antivirus.
 
3. When you did your last major version upgrade, did you uninstall the prior major version before doing the major version upgrade? 

If not, then you may have some of the prior version's files still installed on your server. 
 
If that's the case, the situation is easily resolved by:
  • uninstalling the current version (all of your files and data will be preserved);
  • rebooting the server, to unlock any locked files;
  • reinstalling the most current version, making certain to use the same path you used in the original install;
  • stopping, and disabling, the SmarterMail web services - they are used only for initial setup and you should be running under IIS.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
CCC Replied
Any other items to check aside from the aforementioned? 
 
I'm seeing an average of 12k failed connections versus 31k total connections.
 
Using local Microsoft DNS server with remote ISC BIND server as a secondary
 
After a clean boot it runs good for a day and then the failures start on day 2.
 
I'm running 13.1.5457
0
Andrea Rogers Replied
Employee Post
You can also post images using the Image button (next to the hyperlink buttons) from the WYSIWYG editor. When you're composing a new thread or reply, click on the Image icon to open the pop up window Bruce refers to below. If you hover over the icons the name will show.

Andrea Rogers
Communications Specialist
SmarterTools Inc.
877-357-6278

www.smartertools.com

0
Rajhans Raut Replied
Hello, IP address should be MX record IP or local host IP?

Best regards

Reply to Thread