$_ BSDHowTo.ch

How to build a malware scan server

Last update: 2020-05-16

Introduction

Recently, I was given the task of building a malware scan server with ICAP support at work. We currently use Red Hat Enterprise Linux as our OS, but c-icap isn't available as a package in any of the trustworthy repositories, so I decided to use OpenBSD for the task.

The malware scan server uses ClamAV as the malware scanner and c-icap as the ICAP server, providing an interface for other products that support ICAP, such as Squid.

Installation of packages

This is a very simple task, one package to rule them all:

$ doas pkg_add -i c-icap-clamav

This package contains the c-icap module for ClamAV which installs c-icap and clamav as dependencies.

Configuration of ClamAV

Two of the three daemons installed by ClamAV are of interest: freshclam and clamd. First you configure freshclam to make sure the malware database of ClamAV stays up to date. The file /etc/freshclam.conf contains the following settings:

LogTime yes
LogSyslog yes
LogFacility LOG_DAEMON
DatabaseMirror db.ch.clamav.net
DatabaseMirror database.clamav.net
NotifyClamd /etc/clamd.conf

Enable and start freshclam now so it has time to update the signature database for ClamAV:

$ doas rcctl enable freshclam
$ doas rcctl start freshclam

Next you configure clamd. In /etc/clamd.conf the following lines are set:

LogTime yes
LogSyslog yes
LogFacility LOG_DAEMON
TemporaryDirectory /tmp
LocalSocket /var/clamav/clamd.sock
TCPSocket 3310
TCPAddr 127.0.0.1
User _clamav
DetectPUA yes
AlertEncrypted yes
AlertEncryptedArchive yes
AlertEncryptedDoc yes
AlertOLE2Macros yes
AlertPhishingSSLMismatch yes
AlertPhishingCloak yes
MaxRecursion 12

The last configuration part is about c-icap. There are two config files which need modifications in order to let c-icap use ClamAV as malware scanner. The first one is /etc/c-icap/c-icap.conf. Append the following lines to the file:

Include /etc/c-icap/clamd_mod.conf
Include /etc/c-icap/virus_scan.conf

You may want to change the following values in this file to something meaningful/different:

ServerAdmin admin@example.org
ServerName scanner.example.org
TmpDir /tmp

There is a flaw in the config file regarding logging. The option Logger is set to sys_logger, but the required module sys_logger is only loaded later in the configuration file. This prevents c-icap from starting, although rcctl(8) will return OK. If you want to use sys_logger, you have to load the module in the config file before you set the option Logger. Either change the option Logger to file_logger or move the blocks around in the config file so that the sys_logger module is loaded before the Logger option refers to it.

In the file /etc/c-icap/clamd_mod.conf (included above) make the following settings:

clamd_mod.ClamdHost 127.0.0.1
clamd_mod.ClamdPort 3310

Start the services

All the configuration is done. Now it is time to enable and start the services:

$ for s in clamd c_icap ; do
> doas rcctl enable $s
> doas rcctl start $s
> done

Be patient with clamd. It takes its time to start because it checks the signature database.

Testing the ICAP server

Testing your setup is easy because c-icap ships with an ICAP client for this task: c-icap-client. Calling it without arguments performs a simple OPTIONS request to check whether the server is running:

$ c-icap-client
ICAP server:localhost, ip:127.0.0.1, port:1344

OPTIONS:
    Allow 204: Yes
    Preview: 1024
    Keep alive: Yes

ICAP HEADERS:
    ICAP/1.0 200 OK
    Methods: RESPMOD, REQMOD
    Service: C-ICAP/0.5.6 server - Echo demo service
    ISTag: CI0001-XXXXXXXXX
    Transfer-Preview: *
    Options-TTL: 3600
    Date: Sat, 16 May 2020 10:02:03 GMT
    Preview: 1024
    Allow: 204
    X-Include: X-Authenticated-User, X-Authenticated-Groups
    Encapsulated: null-body=0
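To show what c-icap-client does on the wire, here is a small ICAP client added as an example (it is not part of this post or of the c-icap project): it builds the OPTIONS probe above, builds a RESPMOD request that wraps an HTTP response for scanning, and parses the ICAP reply. The host, port, header names and the sample reply are taken from the output above; the service names echo and virus_scan (matching the included virus_scan.conf) and the socket reading logic are assumptions.

```python
import socket

ICAP_HOST, ICAP_PORT = "127.0.0.1", 1344   # c-icap defaults, as in the c-icap-client output above

def build_options(service="echo"):
    """OPTIONS probe, the same request c-icap-client sends when run without arguments."""
    return (f"OPTIONS icap://{ICAP_HOST}:{ICAP_PORT}/{service} ICAP/1.0\r\n"
            f"Host: {ICAP_HOST}\r\nEncapsulated: null-body=0\r\n\r\n").encode()

def build_respmod(body, service="virus_scan"):
    """RESPMOD request: an HTTP response (chunked body) wrapped for the scanning service.
    Allow: 204 lets the server answer a clean body with 204 instead of echoing it back."""
    http_hdr = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                b"Content-Length: %d\r\n\r\n" % len(body))
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    icap_hdr = (f"RESPMOD icap://{ICAP_HOST}:{ICAP_PORT}/{service} ICAP/1.0\r\n"
                f"Host: {ICAP_HOST}\r\nAllow: 204\r\n"
                f"Encapsulated: res-hdr=0, res-body={len(http_hdr)}\r\n\r\n").encode()
    return icap_hdr + http_hdr + chunked

def parse_icap_response(raw):
    """Split an ICAP reply into (status code, header dict, bytes after the header block)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    code = int(lines[0].split(" ", 2)[1])            # "ICAP/1.0 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return code, headers, rest

def options_summary(headers):
    """The facts c-icap-client prints for OPTIONS: methods, Allow 204 and preview size."""
    return {"methods": [m.strip() for m in headers.get("Methods", "").split(",") if m.strip()],
            "allow_204": "204" in headers.get("Allow", ""),
            "preview": int(headers.get("Preview", "0"))}

def exchange(request, host=ICAP_HOST, port=ICAP_PORT, timeout=10):
    """Send one ICAP request to a live server; read until the ICAP header block has arrived."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf and (chunk := s.recv(4096)):
            buf += chunk
    return parse_icap_response(buf)

# Constructed offline sample: the OPTIONS reply shown on this page, re-typed as raw ICAP bytes.
SAMPLE_OPTIONS_REPLY = (b"ICAP/1.0 200 OK\r\nMethods: RESPMOD, REQMOD\r\nISTag: CI0001-XXXXXXXXX\r\n"
                        b"Transfer-Preview: *\r\nOptions-TTL: 3600\r\nPreview: 1024\r\nAllow: 204\r\n"
                        b"Encapsulated: null-body=0\r\n\r\n")
```

Against a running server, `exchange(build_options())` returns the same three facts c-icap-client prints, and `exchange(build_respmod(data))` returns 204 for a body the scanner passes unchanged.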