Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Daniel Nashed

Domino Antivirus powered by ClamAV

Daniel Nashed – 31 May 2020 21:03:04

This project was only on hold for 12 years. -- LOL. When I wrote SpamGeek, I always wanted a matching anti-virus.
But I never found a good and free integration for Linux. Two weeks ago I discovered that "clamd", the service behind ClamAV, offers a nice TCP/IP interface.
It doesn't provide channel encryption, but that should be OK when it is only reached on 127.0.0.1 (port 3310), like the Tika server that Notes/Domino 10 and higher use to index attachments.

See the ClamAV website for details:
https://www.clamav.net/

First implementation & ClamAV

Clamd is natively available on Linux and also for Windows, so I wrote a native integration at the TCP/IP level.

For now it is a server task for W32/W64/Linux64 which can scan databases. If all works well, I will integrate it with my SpamGeek application.

Besides scanning attachments, it can also send the full MIME stream to clamd. I am still experimenting with the different clamd scan options like heuristics.
To keep scans of whole databases practical, the task by default skips larger attachments. The limit can be increased.

You can also point it at a remote clamd server by specifying an IP address via notes.ini or on the command line for testing.
The task prints the virus name along with a Notes:// link. It also generates a SHA1 hash of the attachment, which is used to build a VirusTotal lookup link.
Potentially infected mails can be moved from the inbox to a virus folder in the mail file.
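To make the clamd side of this concrete, here is a small added Python client (not the server task's code) that frames an attachment as a zINSTREAM request on 127.0.0.1:3310, parses the reply, applies the 1 MB default size limit described above, and builds the SHA1 VirusTotal link the task prints. The EICAR test string is the standard harmless scanner test file; the clamd error wording for oversize streams is assumed from clamd's documented INSTREAM behaviour.

```python
import hashlib
import socket
import struct

CLAMD_HOST, CLAMD_PORT = "127.0.0.1", 3310  # clamd default, as used in the post
MAX_SCAN_BYTES = 1024 * 1024                # task default: 1 MB per attachment (-a)
# EICAR test string: a harmless file every scanner flags, handy for a live test
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def instream_frames(data: bytes, chunk_size: int = 65536):
    """Wire bytes of a zINSTREAM request: NUL-terminated command, big-endian length-prefixed chunks, zero-length terminator."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)

def parse_reply(reply: bytes):
    """Map a clamd reply such as b'stream: Win.Trojan.Agent-35842 FOUND\\0'
    to (verdict, detail): ('OK', None), ('FOUND', signature) or ('ERROR', text)."""
    text = reply.rstrip(b"\0\n").decode("ascii", "replace")
    head, sep, rest = text.partition(": ")
    if not sep:          # error replies (e.g. size limit exceeded) have no 'stream: ' prefix
        rest = head
    if rest == "OK":
        return "OK", None
    if rest.endswith(" FOUND"):
        return "FOUND", rest[:-len(" FOUND")]
    return "ERROR", rest

def virustotal_link(data: bytes) -> str:
    """SHA1 of the attachment in upper-case hex, as in the links the task prints."""
    return "https://www.virustotal.com/gui/search/" + hashlib.sha1(data).hexdigest().upper()

def scan_bytes(data: bytes, max_bytes: int = MAX_SCAN_BYTES,
               host: str = CLAMD_HOST, port: int = CLAMD_PORT):
    """Skip oversize input without touching the network; otherwise stream it to clamd."""
    if len(data) > max_bytes:
        return "SKIPPED", None
    with socket.create_connection((host, port), timeout=30) as sock:
        for frame in instream_frames(data):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):   # z-prefixed commands get NUL-terminated replies
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)
```

With a local clamd running, `scan_bytes(EICAR)` returns a FOUND verdict with the signature name, and `scan_bytes(b"x" * (2 * MAX_SCAN_BYTES))` is reported as SKIPPED without opening a connection, which is the same accounting the task shows as "Skipped Large".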

I am planning to give this away for free for smaller environments with up to 20 users. I am not sure yet if I want to make it available for larger environments.
This has been built for my own needs first. But I am sure it would be a great fit for many small customer or business partner environments.


Beta available on request

Installing the server task is pretty simple, and by default it just scans and reports.

The more complex part is the clamd configuration, and there isn't a systemd service for clamd. I might write one.

But for testing, the server task is already available by mail.


Here is the current syntax and a scan example from my info mail account.

What do you think? Would this be helpful?

-- Daniel



Syntax:

-f   Move infected mails from Inbox to Virus folder
-m   Also scan MIME (send complete EML to clamd)
-e   Try to scan encrypted documents (will only work for the owner of the mail file)
-v   Verbose
-s   Remote server to scan
-a   Maximum scan size per attachment: a=KB, A=MB (default 1 MB)
-b   Maximum scan size for MIME stream: b=KB, B=MB (default 1 MB)



nnshdomav.exe mail/nashcom5.nsf -c 127.0.0.1

31.05.2020 22:41:29   nshdomav: Domino Antivius 0.5.1 using Clamd: [127.0.0.1:3310]
31.05.2020 22:41:29   nshdomav: ClamAV 0.102.3/25828/Sat May 30 14:36:41 2020
31.05.2020 22:41:29   nshdomav: [mail/nashcom5.nsf] Scanning 335 documents
31.05.2020 22:41:30   nshdomav: [DHL_Label_da882.zip] -> [Win.Trojan.Agent-35842] (79 ms)  [notes:///mail/nashcom5.nsf/0/8AC7E8B7F5F9A4A7C12576850069BACA] [https://www.virustotal.com/gui/search/426023D4635B71873C4399C4795CA065EA6E9691]
31.05.2020 22:41:31   nshdomav: [DHL_INVOICE_TR.NR.3992-332241.zip] -> [Win.Trojan.Generic-42] (187 ms)  [notes:///mail/nashcom5.nsf/0/15BAA48400CFC7DCC125772B00796FA5] [https://www.virustotal.com/gui/search/97644CCC22260CDA8F0C4FBBB956D8BB62F0972F]
31.05.2020 22:41:32   nshdomav: [Details-From-Booking-Com_Reservation-04241225193.zip] -> [Win.Trojan.Bublik-23] (546 ms)  [notes:///mail/nashcom5.nsf/0/EB27A50C0325766EC12579EA003C1839] [https://www.virustotal.com/gui/search/F8BBDDB4E58EDCAB2BCA0F3CDB3E60584B974214]
31.05.2020 22:41:32   nshdomav: [Details-From-Booking-Com_Reservation-04241276732.zip] -> [Win.Trojan.Bublik-23] (454 ms)  [notes:///mail/nashcom5.nsf/0/9633B7A3A0D41D58C12579EA003BE637] [https://www.virustotal.com/gui/search/F8BBDDB4E58EDCAB2BCA0F3CDB3E60584B974214]
31.05.2020 22:41:33   nshdomav: [Details-From-Booking-Com_Reservation-04241272586.zip] -> [Win.Trojan.Bublik-23] (468 ms)  [notes:///mail/nashcom5.nsf/0/9A4A7171E3EA8529C12579EA003AE57B] [https://www.virustotal.com/gui/search/F8BBDDB4E58EDCAB2BCA0F3CDB3E60584B974214]
31.05.2020 22:41:33   nshdomav: [465790cbe311.zip] -> [Win.Trojan.Agent-1138832] (422 ms)  [notes:///mail/nashcom5.nsf/0/6C54495460287EC022228391C9073494] [https://www.virustotal.com/gui/search/79B7814D7560854A96E91F985FE60EF0579FAEA1]
31.05.2020 22:41:35   nshdomav: [VERSANDDETAILS 12-05-2020·pdf.zip] -> [Win.Trojan.Fareit-7784794-0] (453 ms)  [notes:///mail/nashcom5.nsf/0/0F4CC616428497B7BCFA697A41FAB71E] [https://www.virustotal.com/gui/search/B8DC3E04C6E073E2086DF244CD808BAEAD44DF03]
31.05.2020 22:41:35
31.05.2020 22:41:35   nshdomav: Virus Attachments  :          7
31.05.2020 22:41:35   nshdomav: Virus Att Warn     :          0
31.05.2020 22:41:35   nshdomav: Virus MimeStream   :          0
31.05.2020 22:41:35   nshdomav: Databases          :          1
31.05.2020 22:41:35   nshdomav: DatabaseOpenErrors :          0
31.05.2020 22:41:35   nshdomav: Attachment Erorrs  :          0
31.05.2020 22:41:35   nshdomav: Attachments        :        623
31.05.2020 22:41:35   nshdomav: Skipped Large      :         10
31.05.2020 22:41:35   nshdomav: Docs with Attm     :        335
31.05.2020 22:41:35   nshdomav: Docs No Attm       :          0
31.05.2020 22:41:35   nshdomav: Docs encrypted     :          0
31.05.2020 22:41:35   nshdomav: Socket resets      :          0
31.05.2020 22:41:35   nshdomav: Runtim   (sec)     :          5
31.05.2020 22:41:35   nshdomav: ScanTime (sec)     :          4
31.05.2020 22:41:35   nshdomav: Total Size Attm    :    73.5 MB
31.05.2020 22:41:35   nshdomav: Total size scanned :    45.2 MB
31.05.2020 22:41:35   nshdomav: Total size skipped :    28.3 MB
31.05.2020 22:41:35   nshdomav: Shutdown
