
Virus Scanning

Complete guide to Mailborder's antivirus system powered by ClamAV.

Overview

Mailborder scans all email attachments and content for viruses, malware, and other threats using ClamAV - an open-source antivirus engine with:

  • 500,000+ virus signatures
  • Daily signature updates
  • Archive scanning (ZIP, RAR, 7z, etc.)
  • Heuristic detection
  • Malware family identification

Scanning Process

Email Arrives
  → Extract All Attachments
  → Decompress Archives (recursive)
  → Scan Each File with ClamAV
  → Check Against Signatures
  → Heuristic Analysis
  → Verdict: Clean / Infected
  → Action: Deliver / Quarantine / Reject

ClamAV Configuration

Service Status

Check ClamAV status:

sudo systemctl status clamav-daemon

Expected output:

● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded
   Active: active (running) since Mon 2025-01-13 10:23:45 UTC
   Main PID: 1234 (clamd)
   Memory: 512.5M
   CGroup: /system.slice/clamav-daemon.service
           └─1234 /usr/sbin/clamd --foreground=true

View ClamAV version:

sudo clamd --version

Signature Database

Check signature version:

sudo sigtool --info /var/lib/clamav/daily.cvd

Example output:

File: daily.cvd
Build time: 13 Jan 2025 10:15 +0000
Version: 27432
Signatures: 2,045,873
Functionality level: 90
Builder: neo
MD5: 8c4a5e9d2b1f3a6e7c8d9e0f1a2b3c4d

Update signatures manually:

sudo freshclam

Expected output:

ClamAV update process started at Mon Jan 13 14:30:15 2025
daily.cvd database is up-to-date (version: 27432, sigs: 2045873)
main.cvd database is up-to-date (version: 62, sigs: 6647427)
bytecode.cvd database is up-to-date (version: 334, sigs: 92)

Automatic Updates

Check freshclam configuration:

sudo cat /etc/clamav/freshclam.conf

Key settings:

DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogTime yes
DatabaseOwner clamav
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror database.clamav.net
Checks 24

Enable automatic updates:

sudo systemctl enable clamav-freshclam
sudo systemctl start clamav-freshclam

Monitor update log:

sudo tail -f /var/log/clamav/freshclam.log

Scan Configuration

Mailborder Integration

View antivirus settings:

sudo mb-config show antivirus

Enable/disable virus scanning:

sudo mb-config set antivirus.enabled true

Scan action on detection:

# Options: quarantine, reject, discard
sudo mb-config set antivirus.action quarantine

Apply changes:

sudo mb-config reload
sudo systemctl restart mb-filter

File Type Scanning

File extensions to scan:

sudo mb-config get antivirus.scan_extensions

Commonly scanned types:

  • Executables: .exe, .dll, .com, .bat, .cmd, .scr
  • Scripts: .js, .vbs, .ps1, .sh
  • Documents: .doc, .docx, .xls, .xlsx, .pdf
  • Archives: .zip, .rar, .7z, .tar.gz, .bz2
  • Images: .jpg, .png (can contain exploits)

Archive Scanning

Enable recursive archive scanning:

sudo mb-config set antivirus.scan_archives true
sudo mb-config set antivirus.max_recursion 16
sudo mb-config set antivirus.max_files 10000

Maximum archive size to scan:

sudo mb-config set antivirus.max_archive_size 52428800  # 50 MB

Scan nested archives:

sudo mb-config set antivirus.scan_nested true

Heuristic Detection

Enable heuristic scanning:

sudo mb-config set antivirus.heuristic_scan true

Heuristic sensitivity (0-4):

sudo mb-config set antivirus.heuristic_level 3
# 0 = disabled
# 1 = low (fewer false positives)
# 2 = medium (balanced)
# 3 = high (more aggressive)
# 4 = very high (may cause false positives)

Detect potentially unwanted applications (PUA):

sudo mb-config set antivirus.detect_pua true

Blocked File Extensions

Default Blocked Extensions

View blocked extensions:

sudo mb-antivirus-block-ext list

Common blocked types:

.exe    - Windows executable
.dll    - Windows library
.scr    - Screen saver (often malware)
.com    - DOS executable
.bat    - Batch script
.cmd    - Command script
.pif    - Program Information File
.vbs    - Visual Basic Script
.js     - JavaScript (can be malicious)
.jar    - Java archive

Managing Blocked Extensions

Add extension to blocklist:

sudo mb-antivirus-block-ext add .exe
sudo mb-antivirus-block-ext add .scr
sudo mb-antivirus-block-ext add .vbs

Remove extension from blocklist:

sudo mb-antivirus-block-ext remove .pdf

Block with custom message:

sudo mb-antivirus-block-ext add .exe --message "Executable files are blocked by policy"

Extension Blocking Best Practices

Balance Security and Usability

Blocking too many extensions can disrupt legitimate business operations. Work with users to identify necessary file types.

Recommended blocks:

  • High risk: .exe, .scr, .com, .bat, .cmd, .pif, .vbs
  • Medium risk: .jar, .js (unless required)
  • Context-dependent: .zip (if used for malware delivery)

Don't block blindly:

  • .pdf (very common, low risk with modern readers)
  • .docx, .xlsx (legitimate business documents)
  • .jpg, .png (images, very common)
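The extension checks above are applied to the attachment's real filename, and a filename is less straightforward than it looks: extensions are case-insensitive on Windows, a name such as "invoice.pdf.exe" carries two of them, Windows silently drops trailing dots and spaces when saving, and a Unicode right-to-left override character makes a mail client display "invoice\u202Efdp.exe" as "invoiceexe.pdf". The following is an added example, not Mailborder's own filter code: it evaluates a filename against the blocklist from the "Common blocked types" list and routes archives (the types from "File Type Scanning") to recursive scanning instead of deciding on the name alone. The blocklist, the archive set and the three verdicts ("block", "archive", "allow") are assumptions of this example.

```python
import re
from typing import List, Tuple

# Defaults taken from the page: the "Common blocked types" list and the archive types
# under "File Type Scanning". Replace with the output of `mb-antivirus-block-ext list`.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js", ".jar"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".tar.gz", ".bz2"}

# Unicode bidirectional controls (U+202A..U+202E, U+2066..U+2069). A filename that
# contains one is rendered differently from how it is stored, so the filter blocks on
# their presence alone rather than trusting any extension it extracts.
BIDI_CONTROLS = re.compile("[\u202a-\u202e\u2066-\u2069]")


def normalize_filename(name: str) -> str:
    """Apply what Windows does on save: surrounding whitespace and trailing dots or
    spaces are dropped, so "setup.exe. " is stored (and later executed) as "setup.exe"."""
    return name.strip().rstrip(". ")


def extension_chain(name: str) -> List[str]:
    """Every trailing extension of a filename, longest first and lower-cased:
    'Report.TAR.GZ' -> ['.tar.gz', '.gz'], 'invoice.pdf.exe' -> ['.pdf.exe', '.exe']."""
    parts = normalize_filename(name).lower().split(".")
    exts = parts[1:]  # parts[0] is the base name
    return ["." + ".".join(exts[i:]) for i in range(len(exts))]


def check_attachment(name: str, blocked=BLOCKED_EXTENSIONS,
                     archives=ARCHIVE_EXTENSIONS) -> Tuple[str, str]:
    """Decide what to do with an attachment from its name alone.

    Returns ("block", reason) when extension policy rejects it, ("archive", ext) when
    the file must go through recursive archive scanning before any decision, or
    ("allow", ext) when the name carries no blocked extension.
    """
    if BIDI_CONTROLS.search(name):
        return ("block", "bidi control character in filename")
    chain = extension_chain(name)
    for ext in chain:  # longest match first, so ".tar.gz" is seen before ".gz"
        if ext in blocked:
            return ("block", ext)
    for ext in chain:
        if ext in archives:
            return ("archive", ext)
    return ("allow", chain[0] if chain else "")


if __name__ == "__main__":
    # Constructed sample names covering the edge cases described in the lead-in.
    for sample in ("quarterly.docx", "Invoice.PDF.EXE", "setup.exe. ",
                   "report.tar.gz", "bad.exe.zip", "photo\u202Egnp.exe"):
        print(repr(sample), "->", check_attachment(sample))
```

Note that "bad.exe.zip" is returned as ("archive", ".zip") rather than blocked: the name policy cannot see inside the archive, which is why the page recommends leaving recursive archive scanning enabled so the embedded executable is found after decompression.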

Manual Virus Scanning

Scan Email File

Test single email:

sudo clamdscan /path/to/email.eml

Example output:

/path/to/email.eml: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.045 sec (0 m 0 s)
Start Date: 2025:01:13 14:35:22
End Date:   2025:01:13 14:35:22

Infected email example:

/path/to/infected.eml: Win.Trojan.Agent-1234567 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.052 sec (0 m 0 s)

Scan Directory

Scan mailbox directory:

sudo clamdscan --recursive /var/spool/mail/

Scan with file removal:

sudo clamdscan --recursive --remove /var/spool/mail/

Scan and move infected:

sudo clamdscan --recursive --move=/var/quarantine /var/spool/mail/

Test Virus Detection

EICAR test file:

# Create EICAR test virus
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/eicar.txt

# Scan it
sudo clamdscan /tmp/eicar.txt

Expected output:

/tmp/eicar.txt: Eicar-Signature FOUND

EICAR Test

EICAR is a safe test file recognized by all antivirus software. Use it to verify scanning is working.
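clamdscan hands each file to the running clamd daemon over its socket, which is also how a mail filter submits attachments without writing them to disk. The following is an added example, not code from Mailborder or the ClamAV project: a minimal clamd client that speaks the INSTREAM protocol (the NUL-terminated command zINSTREAM, then chunks prefixed with a 4-byte big-endian length, ending with a zero-length chunk) and turns the reply into a verdict. It assumes clamd listens on TCP port 3310 on the local host, as the page's `lsof -i :3310` check implies; the EICAR string is the one from the page, split in two so that this source file does not itself trigger a scanner.

```python
import socket
import struct
from typing import Optional, Tuple

# The EICAR test string from the page. Joining the two halves gives the exact
# 68-byte test file; the split only keeps this source file from being detected.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumption: clamd.conf has TCPSocket 3310 enabled (the default Debian setup
# uses a Unix socket instead; pass that path to socket.AF_UNIX if so).
CLAMD_HOST = "127.0.0.1"
CLAMD_PORT = 3310


def instream_frames(data: bytes, chunk_size: int = 8192) -> bytes:
    """Encode `data` as one clamd INSTREAM request.

    clamd refuses streams larger than its StreamMaxLength setting and answers
    "INSTREAM size limit exceeded. ERROR" instead of a verdict.
    """
    frames = [b"zINSTREAM\x00"]
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        frames.append(struct.pack(">I", len(chunk)) + chunk)
    frames.append(struct.pack(">I", 0))  # zero-length chunk terminates the stream
    return b"".join(frames)


def parse_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Map a clamd reply such as "stream: Eicar-Signature FOUND" to
    ("clean", None), ("infected", signature) or ("error", message)."""
    text = reply.rstrip(b"\x00\n").decode("utf-8", "replace")
    _, _, status = text.partition(": ")  # drop the "stream" / filename prefix
    if status == "OK":
        return ("clean", None)
    if status.endswith(" FOUND"):
        return ("infected", status[: -len(" FOUND")])
    if status.endswith(" ERROR"):
        return ("error", status[: -len(" ERROR")])
    return ("error", text or "empty reply from clamd")


def _exchange(payload: bytes, host: str, port: int, timeout: float) -> bytes:
    """Send one z-prefixed command and read the NUL-terminated reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        buf = bytearray()
        while not buf.endswith(b"\x00"):
            part = sock.recv(4096)
            if not part:
                break
            buf.extend(part)
    return bytes(buf)


def scan_bytes(data: bytes, host: str = CLAMD_HOST, port: int = CLAMD_PORT,
               timeout: float = 120.0) -> Tuple[str, Optional[str]]:
    """Scan an in-memory attachment through clamd; the timeout mirrors the
    page's antivirus.scan_timeout so a hung scan cannot stall the filter."""
    return parse_reply(_exchange(instream_frames(data), host, port, timeout))


def ping(host: str = CLAMD_HOST, port: int = CLAMD_PORT, timeout: float = 5.0) -> bool:
    """Liveness check: clamd answers zPING with PONG."""
    try:
        return _exchange(b"zPING\x00", host, port, timeout).rstrip(b"\x00") == b"PONG"
    except OSError:
        return False


if __name__ == "__main__":
    if not ping():
        raise SystemExit("clamd is not reachable; check `systemctl status clamav-daemon`")
    print("EICAR:", scan_bytes(EICAR.encode()))
    print("plain:", scan_bytes(b"hello, world\n"))
```

Against a running clamd with current signatures the EICAR call returns ('infected', 'Eicar-Signature'), matching the `Eicar-Signature FOUND` line the page shows for clamdscan, and the plain-text call returns ('clean', None). The error branch is worth keeping: an oversized attachment produces an ERROR reply rather than OK, and a filter that treated anything other than FOUND as clean would deliver it unscanned.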

Virus Whitelisting

By File Hash

Whitelist known-safe file:

# Calculate the SHA-256 hash (sha256sum prints a 64-character hex digest followed by the path)
sha256sum /path/to/safe-file.exe
# Output: <64-hex-character-sha256-digest>  /path/to/safe-file.exe

sudo mb-antivirus-whitelist add-hash <64-hex-character-sha256-digest>

Whitelist by MD5:

md5sum /path/to/safe-file.exe
sudo mb-antivirus-whitelist add-hash abc123def456 --type md5

By Sender

Whitelist attachments from trusted sender:

sudo mb-antivirus-whitelist add-sender trusted@partner.com
sudo mb-antivirus-whitelist add-sender @corporate-domain.com

Whitelist with reason:

sudo mb-antivirus-whitelist add-sender vendor@company.com \
  --reason "Approved software vendor - ticket #12345"

By Detection Name

Whitelist false positive:

sudo mb-antivirus-whitelist add-signature "PUA.Win.Packer.Upx-1"

Use Carefully

Whitelisting by detection name can allow actual malware. Only use for confirmed false positives.

List Whitelist Entries

View all whitelist entries:

sudo mb-antivirus-whitelist list

Example output:

Hash Whitelist:
  d41d8cd98f00b204e9800998ecf8427e (SHA256) - Added 2025-01-10

Sender Whitelist:
  trusted@partner.com - Added 2025-01-11
  @corporate-domain.com - Added 2025-01-12

Signature Whitelist:
  PUA.Win.Packer.Upx-1 - Added 2025-01-13

Performance Tuning

Scan Limits

Maximum file size to scan:

sudo mb-config set antivirus.max_file_size 26214400  # 25 MB

Maximum scan time:

sudo mb-config set antivirus.scan_timeout 120  # 2 minutes

Skip scan for large files:

sudo mb-config set antivirus.skip_large_files true

ClamAV Optimization

Edit ClamAV config:

sudo nano /etc/clamav/clamd.conf

Performance settings (clamd.conf takes everything after a directive name as its value, so keep each note on its own comment line rather than after the value):

# Match to CPU cores
MaxThreads 12
# Skip files larger than this
MaxFileSize 25M
# Maximum data to scan
MaxScanSize 100M
# Archive recursion depth
MaxRecursion 16
# Maximum files in archive
MaxFiles 10000
# Maximum stream size
StreamMaxLength 25M

Restart ClamAV:

sudo systemctl restart clamav-daemon
sudo systemctl restart mb-filter

Memory Management

Check ClamAV memory usage:

ps aux | grep clamd

ClamAV typically uses 400-600 MB RAM for signature database.

If memory is constrained:

# Disable bytecode JIT (reduces memory ~100 MB)
sudo nano /etc/clamav/clamd.conf

Add:

Bytecode no

Monitoring and Statistics

Real-time Monitoring

Watch virus detection log:

sudo tail -f /var/log/mailborder/mb-filter.log | grep VIRUS

Watch ClamAV log:

sudo tail -f /var/log/clamav/clamav.log

Statistics

View virus detection statistics:

sudo mb-antivirus-stats

Example output:

Period: Last 30 days
Total scans: 125,430
Infected: 243 (0.19%)
Clean: 125,187 (99.81%)

Top detections:
  Win.Trojan.Agent-12345    45
  Heur.Phishing.Email       32
  Doc.Malware.Macro-678     28
  Win.Ransomware.Bad        18
  PUA.Win.Adware.Generic    15

By sender domain:

sudo mb-antivirus-stats --by-sender

By virus family:

sudo mb-antivirus-stats --by-virus

Signature Update Status

Check last update:

sudo grep "Database updated" /var/log/clamav/freshclam.log | tail -n 1

Update frequency:

sudo grep "Downloading" /var/log/clamav/freshclam.log | tail -n 10
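Reading the two grep commands by hand works for a spot check, but stale signatures are the kind of silent failure that deserves an automated check. The following is an added example, not a Mailborder or ClamAV tool: it parses the `sigtool --info` output shown earlier on this page to compute the age of the installed database, and parses freshclam log lines to extract the latest version and signature count per database. The sample outputs are constructed to match the page's format, the 36-hour staleness threshold is an assumption (daily.cvd is rebuilt roughly once a day), and the `check_database` function runs the real sigtool binary, so it only works on a host with ClamAV installed.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Constructed sample of `sigtool --info /var/lib/clamav/daily.cvd`, in the page's format.
SIGTOOL_INFO_SAMPLE = """\
File: daily.cvd
Build time: 13 Jan 2025 10:15 +0000
Version: 27432
Signatures: 2,045,873
Functionality level: 90
Builder: neo
MD5: 8c4a5e9d2b1f3a6e7c8d9e0f1a2b3c4d
"""

# Constructed freshclam.log excerpt; with "LogTime yes" each line carries a timestamp and "->".
FRESHCLAM_LOG_SAMPLE = """\
Mon Jan 13 14:30:15 2025 -> ClamAV update process started at Mon Jan 13 14:30:15 2025
Mon Jan 13 14:30:16 2025 -> daily.cvd database is up-to-date (version: 27432, sigs: 2045873)
Mon Jan 13 14:30:16 2025 -> main.cvd database is up-to-date (version: 62, sigs: 6647427)
Mon Jan 13 14:30:16 2025 -> bytecode.cvd database is up-to-date (version: 334, sigs: 92)
"""

# Assumption: a daily database older than this means updates have stopped.
MAX_SIGNATURE_AGE = timedelta(hours=36)

# Matches both "X database is up-to-date (version: N, sigs: N)" and "X updated (version: N, sigs: N, ...)".
LOG_LINE = re.compile(r"(\S+\.c[lv]d) (?:database is up-to-date|updated) \(version: (\d+), sigs: (\d+)")


def parse_sigtool_info(text: str) -> Dict[str, object]:
    """Turn `sigtool --info` output into a dict with a timezone-aware build time."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only; the time value has its own
        if sep:
            fields[key.strip().lower()] = value.strip()
    return {
        "file": fields["file"],
        "build_time": datetime.strptime(fields["build time"], "%d %b %Y %H:%M %z"),
        "version": int(fields["version"]),
        "signatures": int(fields["signatures"].replace(",", "")),
    }


def signature_status(info: Dict[str, object], now: Optional[datetime] = None,
                     max_age: timedelta = MAX_SIGNATURE_AGE) -> Tuple[str, float]:
    """Return ("ok" or "stale", age in hours) for a parsed database."""
    now = now or datetime.now(timezone.utc)
    age = now - info["build_time"]
    return ("stale" if age > max_age else "ok", age.total_seconds() / 3600)


def parse_freshclam_log(text: str) -> Dict[str, Tuple[int, int]]:
    """Latest (version, signature count) per database mentioned in a freshclam log."""
    result: Dict[str, Tuple[int, int]] = {}
    for m in LOG_LINE.finditer(text):
        result[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return result


def check_database(path: str = "/var/lib/clamav/daily.cvd") -> Tuple[str, float]:
    """Live check against the installed database. After freshclam applies
    incremental updates the file is daily.cld rather than daily.cvd, so pass
    whichever exists on the host."""
    out = subprocess.run(["sigtool", "--info", path], capture_output=True,
                         text=True, check=True).stdout
    return signature_status(parse_sigtool_info(out))


if __name__ == "__main__":
    info = parse_sigtool_info(SIGTOOL_INFO_SAMPLE)
    print(info["file"], "version", info["version"], "->", signature_status(info))
    for db, (version, sigs) in parse_freshclam_log(FRESHCLAM_LOG_SAMPLE).items():
        print(f"{db}: version {version}, {sigs} signatures")
```

Run with no arguments the script evaluates the constructed samples, which against today's clock reports them as stale, exactly the condition a cron job would alert on; wire `check_database()` into the monitoring system of your choice to evaluate the real file.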

Troubleshooting

ClamAV Not Starting

Check error logs:

sudo journalctl -u clamav-daemon -n 50

Common issues:

  1. Signature database missing:

    sudo freshclam
    sudo systemctl restart clamav-daemon
    

  2. Permission issues:

    sudo chown -R clamav:clamav /var/lib/clamav
    sudo chmod 755 /var/lib/clamav
    

  3. Port conflict:

    sudo lsof -i :3310
    # Kill conflicting process or change ClamAV port
    

Signature Updates Failing

Test connectivity:

ping database.clamav.net
dig database.clamav.net

Manual download:

cd /var/lib/clamav
sudo wget http://database.clamav.net/daily.cvd
sudo wget http://database.clamav.net/main.cvd
sudo chown clamav:clamav *.cvd
sudo systemctl restart clamav-daemon

Check freshclam config:

sudo freshclam --debug

Scan Timeout Issues

Symptoms:

  • Emails stuck in queue
  • Timeout errors in logs

Solutions:

  1. Increase timeout:

    sudo mb-config set antivirus.scan_timeout 300  # 5 minutes
    

  2. Reduce scan depth:

    sudo mb-config set antivirus.max_recursion 8
    sudo mb-config set antivirus.max_files 5000
    

  3. Skip large attachments:

    sudo mb-config set antivirus.max_file_size 10485760  # 10 MB
    sudo mb-config set antivirus.skip_large_files true
    

False Positives

Symptoms:

  • Legitimate files detected as malware
  • Specific software always blocked

Solutions:

  1. Verify detection:

    sudo clamdscan /path/to/file
    

  2. Check detection name:

    # If PUA (Potentially Unwanted Application), may be false positive
    

  3. Whitelist by hash:

    sha256sum /path/to/file
    sudo mb-antivirus-whitelist add-hash <hash>
    

  4. Report false positive: Visit: https://www.clamav.net/reports/fp

High Memory Usage

Check ClamAV memory:

ps aux | grep clamd

If using >1GB:

  1. Disable bytecode:

    sudo nano /etc/clamav/clamd.conf
    # Add: Bytecode no
    

  2. Reduce signature types:

    sudo nano /etc/clamav/freshclam.conf
    # Add: ExcludeDatabase pua
    

  3. Consider upgrading RAM (ClamAV needs 512MB minimum, 1GB+ recommended)

Best Practices

Initial Setup

  1. Update signatures immediately:

    sudo freshclam
    

  2. Test with EICAR file:

    echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/eicar.txt
    sudo clamdscan /tmp/eicar.txt
    

  3. Configure appropriate actions:

     • Quarantine for review (recommended)
     • Reject for high-security environments
     • Never use "discard" (no notification)

  4. Enable automatic updates:

    sudo systemctl enable clamav-freshclam
    

Ongoing Maintenance

  1. Monitor signature updates daily:

    sudo grep "Database updated" /var/log/clamav/freshclam.log | tail -n 1
    

  2. Review detections weekly:

    sudo mb-antivirus-stats
    

  3. Check for false positives:

    sudo mb-quarantine-list --reason virus
    

  4. Update ClamAV monthly:

    sudo apt update
    sudo apt upgrade clamav clamav-daemon clamav-freshclam
    

Security Recommendations

  1. Always scan archives - Malware often hidden in ZIP files
  2. Enable heuristics - Catches unknown threats
  3. Block dangerous extensions - .exe, .scr, .vbs, etc.
  4. Keep signatures updated - New threats appear daily
  5. Monitor quarantine - Review what's being caught

Performance Optimization

  1. Match MaxThreads to CPU cores
  2. Set reasonable file size limits (25 MB is typical)
  3. Use scan timeouts to prevent stalls
  4. Enable caching for frequently-scanned content
  5. Consider skipping images (low risk, high volume)

Integration with Other Systems

With Spam Detection

Virus scanning runs after spam detection:

Spam Check (Score < reject threshold)
  → Virus Scan
  → Final Verdict

Both must pass for email delivery.

With Quarantine System

Infected emails automatically quarantined:

sudo mb-quarantine-list --reason virus

Review and manage:

sudo mb-quarantine-extract <message-id> /tmp/for-analysis.eml
sudo mb-quarantine-delete <message-id>

With Reporting

Include in daily reports:

sudo mb-report --virus-stats --daily --email admin@example.com

See Also