david_dodell

Q: ClamAV on Server 10.7.5

It seems that Apple has abandoned any updates to 10.7.5 Server (I haven't seen a need to upgrade ... my server does everything I need and has been stable for years) ... but ClamAV is way behind.

 

I have not found any instructions on the net on how to switch 10.7.5 to a later version of ClamAV versus the fork that Apple was upgrading, which is stuck on a version from 2 plus years ago.

 

Any help?

 

David

Mac mini, OS X Server, 10.7.5

Posted on Aug 16, 2015 7:56 AM

  • by MadMacs0, Level 5 (4,791 points), Aug 16, 2015 10:25 AM, in response to david_dodell (marked Helpful)

    As far as I know this still works: "Updating ClamAV on OS X Server >= 10.5.6".

  • by david_dodell, Level 1 (8 points), Aug 16, 2015 10:29 AM, in response to MadMacs0

    I read that section, but would love to hear from someone who actually did it to confirm the instructions did work.

     

    David

  • by david_dodell, Level 1 (8 points), Aug 16, 2015 4:44 PM, in response to MadMacs0

    Do you know of any consultants that would provide the service?

  • by MadMacs0, Level 5 (4,791 points), Aug 16, 2015 6:57 PM, in response to david_dodell (marked Solved)

    Although I'm very familiar with installing ClamAV, I don't have access to nor ever used Lion, let alone Lion Server, so I don't feel qualified.

     

    You might try to contact Alex who wrote the tutorial to see if he could at least tell you if he knows of any changes to his method.

     

    I don't recall what version of ClamAV came with Lion Server, but there have not been many substantive changes from an OS X standpoint. There's a very long Change Log which shows everything added/fixed since 2002 that might indicate whether updating is even worth the effort. The most important aspect of detecting malware comes from the signature database, and for the most part, all versions of ClamAV use the same data.

  • by david_dodell, Level 1 (8 points), Aug 16, 2015 7:18 PM, in response to MadMacs0

    Thank you ... my Lion Server is running 0.97.8, which was released on 4/14/2013 ... and the current release version is 0.98.7 ... my logs show the signature database consistently being updated. The only reason I started asking is due to one customer who receives regular email with Word doc attachments that are being caught, I assume because of a macro turned on in the Word doc ... other Word docs pass through all the time without issue from other mailers.

     

    Since the mail is coming from a national organization, and I host the mail for that state organization, they want to know why my anti-virus is marking it, while other state associations are not having any issues at all.

     

    Thought there might be something in ClamAV that had been updated to deal with newer versions of Word Docs, or possibly correct any issues.

     

    Personally, I don't know why an organization is sending word attachments anyway, instead of outputting to a PDF.

  • by MadMacs0, Level 5 (4,791 points), Aug 16, 2015 10:55 PM, in response to david_dodell

    The last time I looked into a macro virus definition it seemed to me to be rather generic. I suspect most word documents that contain any type of macros would have been flagged by it.

     

    Here's what I would do.  Upload one or more of these to VirusTotal. That will tell you whether the current version of ClamAV is still identifying them as infected with the same signature as well as whether other A-V scanners identify it as infected.

     

    If it isn't identified by any scanners as infected, then it's your version of ClamAV.

     

    If only ClamAV identifies the infection, that should be all you need to justify submitting it to ClamAV's Report False Positive site. If accepted, that's another indicator that the current engine is the same as yours in this respect. If you want to be notified about its resolution you will have to join their clamav-virusdb mailing list. If you don't hear from them in a reasonable length of time then pester them on the clamav-users mailing list. You will need to give them the MD5 of the submitted file(s) when inquiring about it.

  • by david_dodell, Level 1 (8 points), Sep 9, 2015 7:25 PM, in response to MadMacs0

    Thank you for the reply ... I finally had some more files caught ... tried your suggestion. One of the files was tagged by one of the McAfee products, but passed clean on all of the ClamAV tests ... so something about these doc files is not liked by my version of ClamAV.

     

    Since I'm finding that updating ClamAV on OS X is not the "easiest" thing to do, and I do not feel that I have the expertise, is there something I can turn "off" in ClamAV to let these files pass?

     

    David

  • by MadMacs0, Level 5 (4,791 points), Sep 9, 2015 9:07 PM, in response to david_dodell

    You can add a local.ign2 or local.fp (ignore or false positive) file to the database containing the infection name which will whitelist that signature on your server.

     

    As I said before, the best way would be to upload it to the Cisco/ClamAV Report False Positive site and let them take care of whitelisting it.
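
    As an added example (not from the thread, and not ClamAV's or Apple's own code), here is a small POSIX shell script that does the local whitelisting MadMacs0 describes and then re-scans. It assumes CLAMDB is the directory ClamAV actually loads its databases from on this server (check DatabaseDirectory in clamd.conf; the location varies between Apple's bundled build and a hand-built one), that "Doc.Dropper.Agent-1234" stands in for the real signature name printed in the FOUND line of the scan log, and that the sample document is a constructed placeholder:

```sh
#!/bin/sh
# Added example, not code from the thread or from ClamAV.
# Assumptions: CLAMDB is ClamAV's DatabaseDirectory on this host; the
# signature name "Doc.Dropper.Agent-1234" is a hypothetical stand-in for the
# name shown in the scan log; the sample file below is constructed.
set -eu

# Append one signature name to local.ign2 (one name per line, nothing else).
# Every file that would match that signature is then ignored on this server.
# Prints the path of the ign2 file; returns 1 if the name is empty or
# contains whitespace, so a typo cannot silently whitelist nothing.
ign2_add() {
    db="$1"; sig="$2"
    case "$sig" in
        ''|*[[:space:]]*) echo "ign2_add: bad signature name: '$sig'" >&2; return 1 ;;
    esac
    f="$db/local.ign2"
    touch "$f"
    grep -qxF -- "$sig" "$f" || printf '%s\n' "$sig" >> "$f"
    echo "$f"
}

# Whitelist a single file rather than a whole signature. A .fp line is
# MD5:size:name, where MD5 is the hash of the whole file and size is its
# byte length; other files hit by the same signature stay detected.
# Prints the MD5 that was written.
fp_add() {
    db="$1"; file="$2"; label="$3"
    size=$(wc -c < "$file" | tr -d ' ')
    if command -v md5sum >/dev/null 2>&1; then
        md5=$(md5sum "$file" | cut -d' ' -f1)
    else
        md5=$(md5 -q "$file")      # macOS ships md5, not md5sum
    fi
    printf '%s:%s:%s\n' "$md5" "$size" "$label" >> "$db/local.fp"
    echo "$md5"
}

# Re-scan against the same database directory to confirm the whitelist took
# effect. Skips (with a note) when clamscan is not installed on this box.
rescan() {
    db="$1"; file="$2"
    if command -v clamscan >/dev/null 2>&1; then
        clamscan --database="$db" --no-summary "$file"
    else
        echo "clamscan not installed; skipping rescan of $file" >&2
    fi
}

# Demo on a scratch directory so the script is safe to run anywhere.
# On the real server use: ign2_add "$CLAMDB" "<name from the FOUND line>"
demo_dir=$(mktemp -d)
printf 'constructed sample, not a real document\n' > "$demo_dir/sample.doc"
ign2_add "$demo_dir" "Doc.Dropper.Agent-1234" >/dev/null
fp_add "$demo_dir" "$demo_dir/sample.doc" "Doc.Dropper.Agent-1234" >/dev/null
echo "local.ign2:"; cat "$demo_dir/local.ign2"
echo "local.fp:";   cat "$demo_dir/local.fp"
rescan "$demo_dir" "$demo_dir/sample.doc" || true
```

    An ign2 entry silences the signature for every file, so if the detection is a generic macro signature it also stops flagging other macro-carrying documents; the fp entry silences only the one file whose hash is recorded, which is the narrower choice while the false-positive report is pending. clamd reads local.ign2 and local.fp from its database directory at startup or on a reload, so restart clamd (or have it reload) after editing, and check the scan log afterwards to confirm the FOUND line is gone. freshclam only manages its own .cvd/.cld files, so the local.* files survive signature updates.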

  • by david_dodell, Level 1 (8 points), Sep 10, 2015 5:46 AM, in response to MadMacs0

    Thank you ... I was going to follow your suggestion, but this is the error message I'm getting in the SMTP bounce back, which makes me think it is a virus now.

     

      554 5.7.0 Reject, id=95728-16 - BANNED: .exe,.exe-ms,[trash]/0002.dat


    Am I looking in the wrong place to fix this problem? Would ClamAV be doing this and putting it in my spam folder with the infected files, or just deleting it? It seems strange that the Word documents (both .doc and .docx) from this one company are banned with a .exe extension rule.



  • by david_dodell, Level 1 (8 points), Sep 10, 2015 6:14 AM, in response to david_dodell

    Never mind the question above, found a link on the web on how to prevent the problem with docx/.dat files and amavis ... it seems that it is catching them.

     

    Appreciate all the help and time.

     

    David