
ClamAV on Server 10.7.5

It seems that Apple has abandoned any updates to 10.7.5 server (I haven't seen a need to upgrade ... my server does everything I need and has been stable for years) ... but ClamAV is way behind.


I have not found any instructions on the net on how to switch 10.7.5 to a later version of ClamAV versus the fork that Apple was upgrading, which is stuck on a version from 2 plus years ago.


Any help?


David

Mac mini, OS X Server, 10.7.5

Posted on Aug 16, 2015 7:56 AM

Question marked as Best reply

Posted on Aug 16, 2015 10:25 AM

As far as I know this still works: Updating ClamAV on OS X Server >= 10.5.6.


Aug 16, 2015 6:57 PM in response to david_dodell

Although I'm very familiar with installing ClamAV, I don't have access to, nor have I ever used, Lion, let alone Lion Server, so I don't feel qualified.


You might try to contact Alex who wrote the tutorial to see if he could at least tell you if he knows of any changes to his method.


I don't recall what version of ClamAV came with Lion Server, but there have not been many substantive changes from an OS X standpoint. There's a very long Change Log which shows everything added/fixed since 2002 that might indicate whether updating is even worth the effort. The most important aspect of detecting malware comes from the signature database, and for the most part, all versions of ClamAV use the same data.

Aug 16, 2015 7:18 PM in response to MadMacs0

Thank you ... my Lion Server is running 97.8 which was released on 4/14/2013 ... and the current release version is 98.7 ... my logs show the signature database consistently being updated. The only reason I started asking is due to one customer who receives regular email with Word Doc attachments that are being caught, I'm assuming because of a Macro turned on in the word doc ... other word docs pass thru all the time without issue from other mailers.


Since the mail is coming from a national organization, and I host the mail for that state organization, they want to know why my anti-virus is marking it, while other state associations are not having any issues at all.


Thought there might be something in ClamAV that had been updated to deal with newer versions of Word Docs, or possibly correct any issues.


Personally, I don't know why an organization is sending word attachments anyway, instead of outputting to a PDF.

Aug 16, 2015 10:55 PM in response to david_dodell

The last time I looked into a macro virus definition it seemed to me to be rather generic. I suspect most word documents that contain any type of macros would have been flagged by it.


Here's what I would do. Upload one or more of these to VirusTotal. That will tell you whether the current version of ClamAV is still identifying them as infected with the same signature as well as whether other A-V scanners identify it as infected.


If it isn't identified by any scanners as infected, then it's your version of ClamAV.


If only ClamAV identifies the infection, that should be all you need to justify submitting it to ClamAV's Report False Positive site. If accepted, that's another indicator that the current engine is the same as yours in this respect. If you want to be notified about its resolution you will have to join their clamav-virusdb mailing-list. If you don't hear from them in a reasonable length of time then pester them on the clamav-users mailing list. You will need to give them the MD5 of the submitted file(s) when inquiring about it.
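The two rules in the reply above, together with the MD5 it says to quote, written out as an added Python example; it is not part of any post in this thread. The `triage` and `md5_of` names, the engine name `EngineB` and the signature names are assumptions made up for the illustration, and verdicts are typed in by hand from a multi-scanner report.

```python
import hashlib

def md5_of(path, chunk_size=65536):
    """Hex MD5 of a file, read in chunks; used only as the file identifier
    to quote when asking about a submitted sample."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def triage(local_signature, report):
    """Apply the reply's two rules to one file.

    local_signature: name the mail server's ClamAV reported for the file.
    report: {engine name: signature name or None}, typed in from a
            multi-scanner report; the current ClamAV is keyed "ClamAV".
    Returns (next_step, detail).
    """
    flagged = {engine: sig for engine, sig in report.items() if sig}
    others = sorted(engine for engine in flagged if engine != "ClamAV")
    if not flagged:
        return ("local-version",
                "no scanner flags it, so the detection comes from the local ClamAV version")
    if "ClamAV" in flagged and not others:
        same = flagged["ClamAV"] == local_signature
        return ("report-false-positive",
                "only ClamAV flags it; signature %s the local one"
                % ("matches" if same else "differs from"))
    # Other engines flag the file: outside the two rules in the reply.
    return ("undecided", "also flagged by: " + ", ".join(others))

if __name__ == "__main__":
    # Constructed sample: signature and engine names are placeholders.
    local = "Constructed.Doc.Macro-1"
    reports = {
        "clean everywhere": {"ClamAV": None, "EngineB": None},
        "ClamAV only": {"ClamAV": "Constructed.Doc.Macro-1", "EngineB": None},
        "another engine only": {"ClamAV": None, "EngineB": "Constructed.Gen-2"},
    }
    for label, report in reports.items():
        print(label, "->", triage(local, report))
```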

Sep 9, 2015 7:25 PM in response to MadMacs0

Thank you for the reply ... I finally had some more files caught ... tried your suggestion. One of the files was tagged by one of the McAfee products, but passed clean on all of the ClamAV tests ... so something about these doc files is not liked by my version of ClamAV.


Since I'm finding that updating ClamAV on OS X is not the "easiest" thing to do, and I do not feel that I have the expertise, is there something I can turn "off" in ClamAV to let these files pass?


David

Sep 10, 2015 5:46 AM in response to MadMacs0

Thank you ... I was going to follow your suggestion, but this is the error message I'm getting in the SMTP bounce back, which makes me think it is a virus now.


554 5.7.0 Reject, id=95728-16 - BANNED: .exe,.exe-ms,[trash]/0002.dat

Am I looking in the wrong place to fix this problem? Would ClamAV be doing this and putting it in my spam folder with the infected files, or just deleting it ... seems strange that the word documents (both .doc and .docx) from this one company are Banned with a .exe extension rule.
