Using ClamAV with ORF - Part I


ClamAV is a free, open-source anti-virus, originally developed for Unix/Linux (a Windows port is also available). In addition to being a very capable anti-virus, it also offers certain anti-spam features.

This guide provides step-by-step instructions for installing and configuring ClamAV anti-virus as an ORF External Agent . This is the first part of a two-part series and this part focuses on setting up ClamAV for virus filtering. The second part is dedicated to extending ClamAV with anti-phising and anti-spam capabitilies.

Setting up ClamAV with ORF


Getting Started - Downloading Required Packages

Download the 'current stable' version of ClamAV Antivirus Native Win32 Port from (as of writing this 0.101.2). You will also need 7zip to extract the archive contents.

Download the ClamAV External Agent definition for ORF (this is required to connect ORF and ClamAV).


Installing ClamAV

Extract the contents of the directory residing in the .7z file to c:\clamav. The rest of the guide assumes you installated ClamAV to this folder.

IMPORTANT If you install ClamAV to any directory other than the default (C:\clamav), you will have to manually edit the configuration files and registry entries after installation. To avoid this, we strongly recommend installing it to C:\clamav.

To reinstall ClamAV, first run the following commands as Administrator to remove the previous installation:

sc delete "FreshClam"
sc delete "ClamD"
rmdir /q /s "C:\clamav"

Creating the FreshClam Service

ClamAV relies on two services: the first is the FreshClam service, which keeps the anti-virus definitions up-to-date, the second is the ClamD service, which keeps the definitions loaded, so files can be checked against them quickly by the command line tool clamdscan, which the External Agent relies on. The configuration files of these services reside in c:\clamav by default and they are called freshclam.conf and clamd.conf, respectively.

If outbound connections from the ORF box go through a proxy server, you should open freshclam.conf in the text editor of your choice (e.g., Notepad) and add the following lines (replacing the parameters according to your setup):

HTTPProxyServer proxy.server.root
HTTPProxyPort 3128
HTTPProxyUsername myusername
HTTPProxyPassword mypass

The update frequency is controlled by the following parameter:

Checks 12

Where 12 means the database is updated 12 times a days (in every two hours). This is the recommended value.

Once you are done editing the file, create a sub-folder called "db" in c:\clamAV, then proceed with creating the Freshclam service by running the following command as Administrator from the ClamAV directory:

freshclam --install

You should get a Service FreshClam successfully created message.

Start the Services snap-in and configure the FreshClam Service (display name: ClamWin Free Antivirus Database Updater ) to start automatically. Finally, start the service:

FreshClam Service

You can verify that definitions are downloaded and updated without problems by checking the contents of the c:\clamav\db directory.


Creating the ClamD Service

Create the ClamD service by running the following command as Administrator from the ClamAV directory:

clamd --install

You should get a Service ClamD successfully created message.

Start the Services snap-in and configure the ClamD Service (display name: ClamWin Free Antivirus Scanner Service) to start automatically. Finally, start the service:

ClamD Service

Importing the External Agent

ClamAV can be attached to ORF using External Agents. The External Agent definition you downloaded describes how ORF can work with ClamAV. Import this definition by following the steps below:

  1. Start the ORF Administration Tool
  2. Select File | Import | External Agent definitions... from the main menu
  3. Select the clamav.xml file from the definition pack you downloaded earlier and click Open
  4. Click OK
  5. Enable the new ClamAV for Windows agent.

To make sure the External Agents test is enabled and configured properly:

  1. Select Filtering / Tests in the navigation
  2. Check if the External Agent test is enabled. If it is not enabled, enable now
  3. Select Blacklists / External Agents in the navigation
  4. Make sure that Path for the temporary email files points to a valid and existing directory. This is where ORF will store a temporary copy of the email during testing. This can be any directory, just make sure to exclude it from any resident anti-virus filtering, otherwise your anti-virus product may remove/lock the file before it could be scanned.

The definition is shipped with a few defaults, you may want to review these:

  1. Double-click the ClamAV for Windows agent in the list.
  2. By default the agent is configured to drop emails on hit. If you want to tag or redirect them, click the Exit codes tab, then the Actions button and configure a different action.
  3. When you are finished, click OK.
  4. Save your settings to apply the changes by pressing Ctrl + S in the Administration Tool.

Wait, there is more!

ClamAV is now set up for virus protection with ORF on your system – but ClamAV can do more for you . Third-party signatures extend ClamAV with the ability to detect phising, scams and spam. The second part of this guide explains how to set up ClamAV for extended protection:

ClamAV Guide - Part II: Using ClamAV 3rd Party Signatures with ORF

hnp1 | hnp2