# Antivirus Configuration

Configure ClamAV virus and malware scanning to protect your organization from email-borne threats.

## Overview

Mailborder integrates ClamAV for comprehensive virus and malware detection:
- Real-time virus signature database
- Archive scanning (ZIP, RAR, 7z, TAR, etc.)
- Office document macro detection
- Executable analysis
- PDF scanning
- Heuristic detection for unknown threats

## Accessing Antivirus Settings

Via Web Interface: Navigate to Email Security → Antivirus

Via Command Line:
## Enable/Disable Virus Scanning

### Enable Antivirus

Default: Enabled

### Disable Antivirus

Only disable if you have alternative virus protection:
## Virus Detection Actions

What to do when a virus is detected.

### Quarantine (Recommended)

Hold virus-infected email for review.

Advantages:
- Can review false positives
- Can release if needed
- Maintains evidence

### Reject

Block at the SMTP level with an error message.

Advantages:
- No storage used
- Immediate feedback to the sender
- Clear rejection reason

Error message sent to sender:

### Delete (Discard)

Accept but silently discard.

Advantages:
- No bounce to the sender (avoids backscatter when the sender address is forged, as in a joe job)
- No quarantine storage

Disadvantages:
- No notification to the recipient
- No evidence retained

### Deliver with Warning

Deliver with an X-Virus header (not recommended).

Not recommended: this risks delivering actual malware to users.
## Scan Settings

### Scan Archives

Scan compressed files (ZIP, RAR, 7z, TAR, GZ, BZ2, etc.).

Default: Enabled

**Recursion Depth**

How deep to scan nested archives (archives within archives).

Default: 15 levels

Example:
- malware.zip
  - archive.rar
    - nested.7z
      - virus.exe ← detected at depth 3

**Max Archive Size**

Maximum size of archive to scan.

Default: 100 MB

```bash
# 100 MB
sudo mb-config set antivirus.max_archive_size 104857600
# 50 MB (smaller, faster)
sudo mb-config set antivirus.max_archive_size 52428800
```

Archives larger than this are skipped (not scanned), so a skipped archive passes through without inspection; the limit is a trade-off between scan time and coverage.
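As an added illustration (not Mailborder or ClamAV code), the following Python builds a constructed three-level nested ZIP around the EICAR test string from this page and scans it under the two limits described above, reporting the depth at which the file is found or where scanning stopped. The exact meaning of the depth limit is an assumption modelled on the description (an archive nested at or beyond the limit is not opened), and only ZIP is handled as a stand-in for the archive types listed.

```python
import io
import zipfile

# EICAR test string: the standard, harmless AV test pattern used on this page.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_nested_zip(depth, payload=EICAR, inner_name="virus.exe"):
    """Constructed sample: wrap `payload` in `depth` nested ZIP archives."""
    data, name = payload, inner_name
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"nested{depth - level}.zip"
    return data


def scan(data, max_recursion=15, max_archive_size=100 * 1024 * 1024, depth=0):
    """Recursively scan `data`. Returns (verdict, depth): verdict is 'FOUND',
    'CLEAN', or 'SKIPPED' when an archive exceeds max_archive_size or sits at
    depth >= max_recursion (assumed semantics: such an archive is not opened).
    Skipped content is passed through unscanned, exactly like the real limit."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ("FOUND" if EICAR in data else "CLEAN", depth)
    if len(data) > max_archive_size or depth >= max_recursion:
        return ("SKIPPED", depth)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            verdict, at = scan(zf.read(info), max_recursion, max_archive_size, depth + 1)
            if verdict != "CLEAN":
                return (verdict, at)
    return ("CLEAN", depth)


if __name__ == "__main__":
    sample = build_nested_zip(3)  # malware.zip > archive > nested > virus.exe
    print(scan(sample))                       # ('FOUND', 3)
    print(scan(sample, max_recursion=2))      # ('SKIPPED', 2)
    print(scan(sample, max_archive_size=64))  # ('SKIPPED', 0)
```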
### Scan Office Documents

Scan Microsoft Office documents for macros and exploits.

Default: Enabled

Formats scanned:
- Word (.doc, .docx, .docm)
- Excel (.xls, .xlsx, .xlsm)
- PowerPoint (.ppt, .pptx, .pptm)
- Access (.mdb, .accdb)
- OneNote (.one)

Macro Detection:

```bash
# Alert on ANY macros (strict)
sudo mb-config set antivirus.office.alert_macros true
# Or only alert on suspicious macros (default)
sudo mb-config set antivirus.office.alert_macros false
```
### Scan PDFs

Scan PDF files for embedded malware and exploits.

Default: Enabled

PDF Exploits Detected:
- JavaScript exploits
- Embedded executables
- Form field exploits
- Malformed PDF structure

### Scan Executables

Scan executable files (.exe, .dll, .so, etc.).

Default: Enabled

Block All Executables:

You can also block ALL executables regardless of virus detection:

Useful for organizations that never receive legitimate executables via email.
### Encrypted Archives

Handle password-protected archives.

Options:
- Block (recommended): reject encrypted archives
- Allow: let through without scanning
- Quarantine: hold for manual review

Rationale for blocking: the contents cannot be scanned, and password-protected archives are a common malware delivery method.
## File Type Blocking

Block dangerous file types regardless of virus detection.

### Default Blocked Extensions

Default blocked:
- Executables: .exe, .com, .scr, .bat, .cmd, .pif
- Scripts: .vbs, .js, .jse, .wsf, .wsh, .ps1
- System files: .sys, .dll, .drv
- Other: .hta, .reg, .msi, .cpl

### Add Blocked Extension

```bash
sudo mb-antivirus-block-ext add .scr
sudo mb-antivirus-block-ext add .vbs
sudo mb-antivirus-block-ext add .jar
```

### Remove Blocked Extension

### List Blocked Extensions

### Block by MIME Type

Block by MIME type instead of extension:

```bash
sudo mb-antivirus-block-mime add "application/x-executable"
sudo mb-antivirus-block-mime add "application/x-dosexec"
```
## Signature Updates

ClamAV signatures are updated regularly to detect new threats.

### Automatic Updates

Default: Enabled, every 4 hours

```bash
sudo mb-config set antivirus.auto_update true
sudo mb-config set antivirus.update_interval 14400 # 4 hours
```

### Manual Update

### Update Schedule

Configure when updates occur:

```bash
# Update at specific times (cron format)
sudo mb-config set antivirus.update_schedule "0 */4 * * *" # Every 4 hours
```

### Update Source

Default: Official ClamAV servers

Private Mirror:

For air-gapped environments, set up a private mirror:

### Signature Database Location

Default: /var/lib/clamav/

Contains:
- main.cvd: main signature database
- daily.cvd: daily updates
- bytecode.cvd: bytecode signatures

Check database version:
## Performance Settings

### Scan Timeout

Maximum time to scan a single email.

Default: 120 seconds (2 minutes)

If the timeout is exceeded:
- Email delivery is deferred (retried later)
- An error is logged
- May indicate a large archive or a performance issue

### Max File Size

Maximum size of an individual file to scan.

Default: 25 MB

Files larger than this are skipped (not scanned).

### Concurrent Scans

Parallel scanning processes.

Default: Number of CPU cores

More concurrent scans mean higher throughput but more CPU and memory usage.

### Resource Limits

Memory Limit per Scan:

I/O Priority:
## Heuristic Detection

Detect unknown threats using behavioral analysis.

### Enable Heuristics

Default: Enabled

### Heuristic Sensitivity

- Low: fewer false positives, may miss some threats
- Medium: balanced (default)
- High: more false positives, catches more threats

### Heuristic Scanning Options

Detect Phishing:

Detect Broken Executables:

Detect Encrypted Malware:

Algorithmic Detection:
## Notifications

### Alert on Virus Detection

Email Notifications:

```bash
sudo mb-config set antivirus.alert.enabled true
sudo mb-config set antivirus.alert.recipients "security@example.com,admin@example.com"
```

Alert Contents:
- Timestamp
- Sender and recipient
- Virus name
- File name
- Action taken
- Message ID

### Alert Frequency

Prevent alert spam:

```bash
# Maximum alerts per hour
sudo mb-config set antivirus.alert.max_per_hour 10
# Minimum time between alerts (seconds)
sudo mb-config set antivirus.alert.throttle 300 # 5 minutes
```
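The following Python is an added illustration of how these two settings interact, not Mailborder's own alerting code; the semantics are an assumption modelled on the descriptions above (an alert is sent only if `throttle` seconds have passed since the last alert actually sent and fewer than `max_per_hour` went out in the trailing hour), and suppressed detections are counted rather than dropped so a later alert or report can mention them.

```python
from collections import deque


class AlertThrottle:
    """Rate-limit virus alerts using the two settings above.

    Assumed semantics (illustration only, not Mailborder's implementation):
    an alert is sent only if at least `throttle` seconds have passed since the
    last alert actually sent AND fewer than `max_per_hour` alerts were sent in
    the trailing 3600 seconds. Suppressed alerts are counted, not lost, so the
    number can be included in the next alert or in a daily report."""

    def __init__(self, max_per_hour=10, throttle=300):
        self.max_per_hour = max_per_hour
        self.throttle = throttle
        self.sent = deque()      # timestamps (seconds) of alerts actually sent
        self.suppressed = 0

    def allow(self, now):
        """Return True if an alert for a detection at time `now` should be sent."""
        # Drop send timestamps that have aged out of the trailing hour.
        while self.sent and now - self.sent[0] >= 3600:
            self.sent.popleft()
        too_soon = bool(self.sent) and now - self.sent[-1] < self.throttle
        over_cap = len(self.sent) >= self.max_per_hour
        if too_soon or over_cap:
            self.suppressed += 1
            return False
        self.sent.append(now)
        return True


def simulate(detection_times, **settings):
    """Run a list of detection timestamps through the throttle; returns the
    per-detection decisions and the total number of suppressed alerts."""
    throttle = AlertThrottle(**settings)
    decisions = [throttle.allow(t) for t in detection_times]
    return decisions, throttle.suppressed


if __name__ == "__main__":
    # Constructed burst: four detections within ten minutes under the defaults.
    print(simulate([0, 100, 300, 600], max_per_hour=10, throttle=300))
```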
## False Positive Handling

### Whitelist Files

Exclude files from scanning (false positive workaround):

By Hash (MD5):

By Signature:

By Sender:

By File Name:

### Report False Positive

To the ClamAV team:

```bash
# Extract file from quarantine
sudo mb-quarantine-extract <message-id> /tmp/false-positive.zip
# Submit to ClamAV
# Visit: https://www.clamav.net/reports/fp
```

## Custom Signatures

Add your own virus signatures.

### Add Custom Signature

Hash-based (MD5):

```bash
echo "d41d8cd98f00b204e9800998ecf8427e:68:CustomMalware.Variant" | \
sudo tee -a /var/lib/clamav/custom.hdb
```

Pattern-based:

Reload signatures:

### Signature Format

Hash Signature (.hdb): one signature per line in the form `md5:filesize:MalwareName`, as in the example above.

Pattern Signature (.ndb):

See the ClamAV documentation for advanced signature creation.
## Testing and Validation

### Test Virus Detection

Use the EICAR test file (safe, recognized by all AV engines):

```bash
# Create EICAR test file
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/eicar.txt
# Test scan
sudo clamdscan /tmp/eicar.txt
```

Expected result:

Test via email:

Send an email with the EICAR file as an attachment. It should be quarantined or rejected.

### Check ClamAV Status

```bash
# Service status
sudo systemctl status clamav-daemon
# Scan statistics
sudo clamdscan --version
sudo clamdscan --stat
# Database info
sudo sigtool --info /var/lib/clamav/daily.cvd
```

### View Virus Detection Logs

```bash
# Recent virus detections
sudo grep "FOUND" /var/log/clamav/clamav.log | tail -20
# Mailborder virus logs
sudo tail -f /var/log/mailborder/filter.log | grep virus
```
## Troubleshooting

### ClamAV Not Running

Check service:

Start service:

Check logs:

Common issues:
- Database not updated (run freshclam)
- Insufficient memory (increase memory limit)
- Corrupt database (delete and re-download)

### Virus Not Detected

Update signatures:

Check if the file was scanned:

Verify settings:

### False Positives

Whitelist temporarily:

Report to ClamAV: https://www.clamav.net/reports/fp

Check signature details:

### Performance Issues

Reduce scan depth:

```bash
sudo mb-config set antivirus.max_recursion 10
sudo mb-config set antivirus.max_file_size 10485760 # 10 MB
```

Increase timeout:

Increase memory:

Reduce concurrent scans:

### Signature Update Failures

Check connectivity:

Manual update:

Check freshclam config:

Use alternative mirror:
## Advanced Configuration

### ClamAV Daemon Config

Edit /etc/clamav/clamd.conf:

```
# TCP Socket (instead of Unix socket); keep it bound to loopback
TCPSocket 3310
TCPAddr 127.0.0.1
# Thread, queue and scan size limits
MaxThreads 20
MaxQueue 200
MaxFileSize 100M
MaxScanSize 500M
# Heuristics
HeuristicScanPrecedence yes
StructuredDataDetection yes
```

The clamd limits apply in addition to the Mailborder limits above: a file larger than clamd's MaxFileSize is not scanned by the daemon regardless of antivirus.max_file_size, so keep the two consistent.

Restart after changes:

### Integration with External AV

Use multiple AV engines:

```bash
# Enable external AV scanner
sudo mb-config set antivirus.external.enabled true
sudo mb-config set antivirus.external.command "/usr/local/bin/custom-av-scan"
sudo mb-config set antivirus.external.timeout 60
```

The script should return:
- Exit 0: Clean
- Exit 1: Virus found
- Exit 2: Error
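Below is an added example (not Mailborder's or ClamAV's code) that ties this exit-code contract to the custom-signature section above: it produces .hdb hash lines (`md5:filesize:name`, the format of the example above) and .ndb body lines (`name:target:offset:hex`, with target 0 for any file type and offset `*` for anywhere in the file), and implements a minimal external scanner that returns 0, 1 or 2 as required. It handles only fixed hex patterns, not ClamAV's wildcard syntax, and the command-line arguments are an assumption.

```python
import hashlib
import sys

def hdb_line(data, name):
    """Hash signature (.hdb): md5:filesize:name, as in the custom.hdb example above."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def ndb_line(pattern, name):
    """Body signature (.ndb): name:target:offset:hex. Target 0 = any file
    type, offset * = match anywhere. Only fixed byte patterns are produced."""
    return f"{name}:0:*:{pattern.hex()}"

def load_signatures(hdb_text="", ndb_text=""):
    """Parse .hdb/.ndb text (comments and blank lines ignored) into
    ({(md5, size): name}, [(pattern_bytes, name)]). Wildcards are unsupported."""
    hashes, patterns = {}, []
    for line in hdb_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            md5, size, name = line.split(":", 2)
            hashes[(md5.lower(), int(size))] = name
    for line in ndb_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _target, _offset, hexsig = line.split(":", 3)
            patterns.append((bytes.fromhex(hexsig), name))
    return hashes, patterns

def scan_bytes(data, hashes, patterns):
    """Return the name of the first matching signature, or None if clean."""
    hit = hashes.get((hashlib.md5(data).hexdigest(), len(data)))
    if hit:
        return hit
    return next((name for pattern, name in patterns if pattern in data), None)

def scan_file(path, hashes, patterns):
    """Exit-code contract for antivirus.external.command: 0 clean, 1 virus, 2 error."""
    try:
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        return 2  # unreadable file: report an error rather than "clean"
    return 1 if scan_bytes(data, hashes, patterns) else 0

if __name__ == "__main__":  # assumed CLI: custom-av-scan <file> <custom.hdb> <custom.ndb>
    with open(sys.argv[2]) as h, open(sys.argv[3]) as n:
        sys.exit(scan_file(sys.argv[1], *load_signatures(h.read(), n.read())))
```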
## Statistics and Reporting

### View Virus Statistics

```bash
# Overall virus detections
sudo mb-antivirus-stats
# By virus name
sudo mb-antivirus-stats --by-virus
# By sender
sudo mb-antivirus-stats --by-sender
# Date range
sudo mb-antivirus-stats --since "2025-01-01" --until "2025-01-31"
```

### Generate Report

```bash
# Daily report
sudo mb-report --antivirus --daily
# Email report
sudo mb-report --antivirus --daily --email admin@example.com
```

### Export Detections

```bash
# Export to CSV
sudo mb-antivirus-stats --export csv > virus-detections.csv
# Export to JSON
sudo mb-antivirus-stats --export json > virus-detections.json
```
## Best Practices

- Keep Signatures Updated
  - Enable automatic updates
  - Monitor update logs
  - Test after updates
- Quarantine, Don't Delete
  - Allows false positive review
  - Maintains evidence
  - Can release if needed
- Block Dangerous File Types
  - Executables
  - Scripts
  - Encrypted archives
- Monitor Detections
  - Review virus logs daily
  - Investigate patterns
  - Update policies based on threats
- Test Regularly
  - Use the EICAR test file
  - Send test emails
  - Verify alerts work
- Performance Monitoring
  - Watch scan times
  - Monitor resource usage
  - Adjust limits as needed
- Report False Positives
  - Helps improve ClamAV
  - Benefits the entire community

## Next Steps

- Spam Filter Configuration: configure spam detection
- Email Processing Settings: email flow configuration
- Quarantine Management: handle quarantined email
- Virus Scanning Details: deep dive into virus detection