Scan emails for Viruses
We are looking into replacing Forefront Protection for Exchange with a 3rd party appliance that scans emails at the gateway for viruses and spam.
My one concern is that FPE scanned emails internally as well and this solution wouldn't address that.
On the clients, we currently use System Center 2012 Endpoint Protection and by default email scanning is disabled.
Is this something we should enable when we migrate away from FPE?
Heath
Hi,
Based on my understanding, if you wanted to prevent FPE from scanning emails, you can configure FPE to disable or bypass transport scanning of all e-mail messages. In addition, after you disable transport scanning, you need to stop and then
start the Exchange Transport service in order for changes to this setting to take effect. For more detailed information, please refer to the link below:
Configuring the transport scan
Best regards,
Susie
Similar Messages
-
When Scan email for junk mail, or virus's is enabled, sending mail fails
When I configure mail to scan email for either junk or virus's, i get the following in my SMTP log:
Sep 6 17:44:59 eve postfix/smtp[28412]: D60C89D66D: to=<[email protected]>, relay=none, delay=0.02, delays=0.01/0/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]: Connection refused)
If I disable both junk and virus's I am able to send normally
Any ideas?when I run:
ps U _amavisd
The only processes are:
PID TT STAT TIME COMMAND
3308 ?? Ss 0:01.32 clamd
3593 ?? Rs 0:03.79 clamd
I then ran amavisd, and did not get any errors at the terminal, but here are my logs
soundchristian.org /usr/bin/amavisd[7979]: Module Digest::MD5 2.36
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Module IO::Socket::INET6 2.51
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Module MIME::Entity 5.420
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Module MIME::Parser 5.420
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Module MIME::Tools 5.420
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Module Mail::Header 1.74
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Module Mail::Internet 1.74
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Module Mail::SPF::Query 1.999001
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Module Mail::SpamAssassin 3.002001
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Module Net::DNS 0.60
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Module Net::Server 0.87
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Module Time::HiRes 1.86
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Module URI 1.35
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Module Unix::Syslog 0.99
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Amavis::DB code loaded
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Amavis::Cache code loaded
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: SQL base code NOT loaded
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: SQL::Log code NOT loaded
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: SQL::Quarantine NOT loaded
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Lookup::SQL code NOT loaded
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Lookup::LDAP code NOT loaded
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: AM.PDP-in proto code loaded
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: SMTP-in proto code loaded
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Courier proto code NOT loaded
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: SMTP-out proto code loaded
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Pipe-out proto code NOT loaded
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: BSMTP-out proto code NOT loaded
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Local-out proto code loaded
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: OS_Fingerprint code NOT loaded
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: ANTI-VIRUS code loaded
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: ANTI-SPAM code loaded
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: ANTI-SPAM-SA code loaded
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Unpackers code loaded
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Found $file at /usr/bin/file
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: No $dspam, not using it
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: No $altermime, not using it
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Internal decoder for .mail
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Internal decoder for .asc
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Internal decoder for .uue
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Internal decoder for .hqx
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Internal decoder for .ync
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: No decoder for .F tried: unfreeze, freeze -d, melt, fcat
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Found decoder for .Z at /usr/bin/uncompress
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Found decoder for .gz at /usr/bin/gzip -d
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Found decoder for .bz2 at /usr/bin/bzip2 -d
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: No decoder for .lzo tried: lzop -d
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: No decoder for .rpm tried: rpm2cpio.pl, rpm2cpio
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Found decoder for .cpio at /bin/pax
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Found decoder for .tar at /bin/pax
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: No decoder for .deb tried: ar
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Internal decoder for .zip
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: No decoder for .7z tried: 7zr, 7za, 7z
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: No decoder for .rar tried: rar, unrar
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: No decoder for .arj tried: arj, unarj
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: No decoder for .arc tried: nomarch, arc
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: No decoder for .zoo tried: zoo, unzoo
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: No decoder for .lha tried: lha
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: No decoder for .cab tried: cabextract
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: No decoder for .tnef tried: tnef
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Internal decoder for .tnef
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: No decoder for .exe tried: rar, unrar; lha; arj, unarj
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Using primary internal av scanner code for ClamAV-clamd
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Aug 28 12:40:53 eve.southsoundchristian.org /usr/bin/amavisd[7979]: Creating db in /var/amavis/db/; BerkeleyDB 0.29, libdb 4.2
Sep 7 16:41:17 mail.southsoundchristian.org /usr/bin/amavisd[3659]: logging initialized, log level 2, logfile: /var/log/amavis.log
Sep 7 16:41:17 mail.southsoundchristian.org /usr/bin/amavisd[3659]: starting. /usr/bin/amavisd at mail.southsoundchristian.org amavisd-new-2.5.1 (20070531), Unicode aware
Sep 7 16:41:17 mail.southsoundchristian.org /usr/bin/amavisd[3659]: user=, EUID: 0 (0); group=, EGID: 0 5 80 4 9 3 29 8 2 20 1 0 (0 5 80 4 9 3 29 8 2 20 1 0)
Sep 7 16:41:17 mail.southsoundchristian.org /usr/bin/amavisd[3659]: Perl version 5.008008
Sep 7 16:41:18 mail.southsoundchristian.org /usr/bin/amavisd[3659]: INFO: SA version: 3.2.5, 3.002005, no optional modules: DBD::mysql Mail::SpamAssassin::BayesStore::PgSQL NetAddr::IP NetAddr::IP::Util auto::NetAddr::IP::Util::inet_n2dx auto::NetAddr::IP::Util::ipv6_n2d Mail::SpamAssassin::Plugin::DKIM Razor2::Client::Agent IP::Country::Fast Mail::DKIM Mail::DKIM::Verifier Image::Info Image::Info::GIF Image::Info::JPEG Image::Info::PNG Image::Info::TIFF Mail::SPF Mail::SPF::Server Mail::SPF::Request Mail::SPF::Mech Mail::SPF::Mech::A Mail::SPF::Mech::PTR Mail::SPF::Mech::All Mail::SPF::Mech::Exists Mail::SPF::Mech::IP4 Mail::SPF::Mech::IP6 Mail::SPF::Mech::Include Mail::SPF::Mech::MX Mail::SPF::Mod Mail::SPF::Mod::Exp Mail::SPF::Mod::Redirect Mail::SPF::SenderIPAddrMech Mail::SPF::v1::Record Mail::SPF::v2::Record Crypt::OpenSSL::RSA auto::Crypt::OpenSSL::RSA::newpublickey auto::Crypt::OpenSSL::RSA::newkey_fromparameters auto::Crypt::OpenSSL::RSA::getkeyparameters auto::Crypt::OpenSSL::RSA::importrandomseed Digest::SHA Error
Sep 7 16:41:18 mail.southsoundchristian.org /usr/bin/amavisd[3659]: SpamControl: initprechroot done
Sep 7 16:41:18 mail.southsoundchristian.org /usr/bin/amavisd[3661]: Net::Server: Process Backgrounded
Sep 7 16:41:18 mail.southsoundchristian.org /usr/bin/amavisd[3661]: Net::Server: 2008/09/07-16:41:18 Amavis (type Net::Server::PreForkSimple) starting! pid(3661)
Sep 7 16:41:18 mail.southsoundchristian.org /usr/bin/amavisd[3661]: Net::Server: Binding to UNIX socket file /var/amavis/amavisd.sock using SOCK_STREAM
Sep 7 16:41:18 mail.southsoundchristian.org /usr/bin/amavisd[3661]: Net::Server: Binding to TCP port 10024 on host 127.0.0.1
Sep 7 16:41:18 mail.southsoundchristian.org /usr/bin/amavisd[3661]: Net::Server: Binding to TCP port 10026 on host 127.0.0.1
Sep 7 16:41:18 mail.southsoundchristian.org /usr/bin/amavisd[3661]: Net::Server: Setting gid to "83 83"
Sep 7 16:41:18 mail.southsoundchristian.org /usr/bin/amavisd[3661]: Net::Server: Setting uid to "83"
Sep 7 16:41:18 mail.southsoundchristian.org /usr/bin/amavisd[3661]: (!!)FATAL: It is possible to change EUID from 83 to root, ABORTING!
Sep 7 16:41:18 mail.southsoundchristian.org /usr/bin/amavisd[3661]: (!!)FATAL: Please use the most recent Net::Server
Sep 7 16:41:18 mail.southsoundchristian.org /usr/bin/amavisd[3661]: (!!)FATAL: or start as non-root, e.g. by su(1) or using option -u user
Sep 7 16:41:18 mail.southsoundchristian.org /usr/bin/amavisd[3661]: (!!)TROUBLE in preloophook: SECURITY PROBLEM, ABORTING at /usr/bin/amavisd line 7763.
Sep 7 16:41:18 mail.southsoundchristian.org /usr/bin/amavisd[3661]: (!)_DIE: Suicide () TROUBLE in preloophook: SECURITY PROBLEM, ABORTING at /usr/bin/amavisd line 7763.\n
eve.southsoundchristian.org and mail.southsoundchristian.org are the same server, with different NICs and IPs
I was thinking about upgrading to amavisd-new I found a tutorial at http://osx.topicdesk.com/content/view/138/41/
Do think that may help?
I did update clamd after my first post on this, and it looks like clamd is running, just nothing else.
Thanks -
Thunderbird fails to send email when "Scan email for junk mail" option is checked in Server Admin
I have 2 clients that need to send mail through my server, one Mac and one Windows. The Mac uses apple mail and the Windows machine uses Thunderbird.
Apple Mail will send fine, it is set up for "Use Default ports 25, 465, 587" and "Use SSL" and "Authentication: MD5 Challenge-response".
Thunderbird refuses to send and I don't even see any errors showing up in the Console on the OS X server under smtpd entries.
If I uncheck the "Scan email for junk mail" option on the server, then Thunderbird will send fine.
Thunderbird is set up as: "smtp port 587 (default)" "connection security: STARTTLS" "Authentication method: Encrypted Password"
May or may not be relevant: I use virtual domains as well as aliases.
Server: Mac OS X Server version 10.5.8Solved it, looks like maybe the smtpd settings for sasl authentication may not have been correct. I followed everything in http://osx.topicdesk.com/content/view/38/41/ the "Frontline Spam Defense for OS X server" guide and now can send mail just fine from Thunderbird Winodws and from Apple Mail.
-
Can ClamXav scan incoming email for viruses?
Hi,
I'm new switching from windows to imac and I've insalled ClamXav antivirus, which from what I have heard others say on this forum, is a fine antivirus program for an iMac.
The program seems more manually oriented than windows' antivirus programs - meaning that I choose what and when to scan.
That's all fine but I am wondering if it automatically scans incoming email, or if I can set it up to automatically scan incoming email.
I appreciate any light anyone could shed on this program for me. Of course, if you all prefer that I contact ClamXav, I can do that and sorry for any inconvenience.
Many Thanks, Frank B.I use ClamXav, yes it does scan email.
However, may I suggest that you configure ClamXav in the Preferences/General preference pane to scan and alert you to found viruses and to not move infected files to a quarantine folder. Because of the structure of the Mail.app, ClamXav sees the mailbox as a file and will quarantine the entire mailbox if just one email is infected. It is a pain to get the mailbox back to the Mail.app.
HELP! ClamXav deleted all my email. What can I do?
I like the ClamXav app and recommend it for you with this one configuration suggestion. -
Scan Portaldocuments for viruses using an external product.
Hello,
I'm in search for a possibility to automatically scan uploaded documents on the server for viruses using an external anti-virus product.
When anybody has experience in this area and could share it with me that would be great.
Kind regards,
Niels de BruijnHi Niels: I agree with Fortunato. Since the documents are saved as database objects, a traditional virus scanner isn't going to do the trick. Expanding on his idea, if you are willing to use Oracle's WebDAV client called Oracle Drive rather than the inherent client built into Windows, you can actually map portal as a network drive where folder=pagegroups and pages and files =items on each page. You can then use any virus scanner just like it was a "normal" network drive. If you want to scan the files before they are uploaded to portal, the only solution I can envision would be using a custom file upload procedure probably in Java and scanning the file there before it is even added to the portal repository.
The Oracle Drive download link is at the bottom of: http://www.oracle.com/technology/software/htdocs/devlic.html?url=http://www.oracle.com/technology/software/products/cs/htdocs/clientsoft.html
Rgds/Mark M. -
I'm not sure if this 's the right place for my question, but anyway....
anyone knows a program like amavis to scan incoming mails - but without the need of a mailserver software like exim, qmail etc...
I'm fetching mails with fetchmail - pass them to spamassassin (via procmail) - and afterwards I want to pass them to the virusscan (antivir) before delivering the messages to the mailbox.
thanks in advanceI finally got something rolling with regard to this.
I installed amavisd-new, got it "mostly" configured.
Installed Clam-AV, got it "mostly" configured.
Same with spamassassin.
I am finally getting some results! yay..after bonking my head on the table for a while (must have done the trick), I got things working...
I sent myself the EICAR and GTUBE test strings
EICAR -- Virus test string
GTUBE -- Spam test string (it auto assigns a bayesian score of 1000!! lol)
And log messages started spitting out! yay.
Now..if only I had documented my steps.
Well, I can likely recall enough of what I did to whip up a wiki page that will thoroughly confuse everyone, including myself..I can only hope.
Oh..here is the "virus warning" sent to the virus admin..
I need to modify it to send the stripped mail to the user..so they can deal with it themselves... :twisted:
A virus was found: Eicar-Test-Signature
Scanner detecting a virus: ClamAV-clamd
The mail originated from:
First upstream SMTP client IP address:
According to the 'Received:' trace, the message originated at:
(SquirrelMail authenticated user)
Notification to sender will not be mailed.
The message WAS NOT delivered to:
250 2.7.1 Ok, discarded, id=14682-02 - VIRUS: Eicar-Test-Signature
Virus scanner output:
p001: Eicar-Test-Signature FOUND
The message has been quarantined as:
virus-20050129-011845-14682-02
------------------------- BEGIN HEADERS -----------------------------
Return-Path:
Received: from
by (Postfix) with ESMTP id
for ; Sat, 29 Jan 2005 01:18:44 -0800 (PST)
Received: from with local (Exim 4.44)
id
for; Sat, 29 Jan 2005 01:19:51 -0800
Received: from 127.0.0.1 ([127.0.0.1])
(SquirrelMail authenticated user );
by with HTTP;
Sat, 29 Jan 2005 01:19:51 -0800 (PST)
Message-ID:
Date: Sat, 29 Jan 2005 01:19:51 -0800 (PST)
Subject: EICAR virus checker test.
From:
To:
Reply-To:
User-Agent: SquirrelMail/1.4.3a
X-Mailer: SquirrelMail/1.4.3a
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-AntiAbuse: This header was added to track abuse, please include it with any abuse
report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID -
X-AntiAbuse: Sender Address Domain -
X-Source:
X-Source-Args:
X-Source-Dir:
-------------------------- END HEADERS ------------------------------
Note: Removed user data and ip dilineations.
*yawn*
Time for sleepy now. ZZZzzz -
ClamAV fails to scan for viruses in emails [CLAWS MAIL]
I've recently switched from Thunderbird to Claws Mail and ran into one small, but annoying, problem.
I want to use ClamAV + the clamav extension for claws mail to scan for viruses, however it does seem to have permission problems.
clamd is running, user and group clamav all have the relevant permissions as far as I can tell, however upon scanning my mail, I always end up with the following error:
Scanning error:
/home/username/.claws-mail/mimetmp/0000000e.mimetmp: lstat() failed: Permission denied. ERROR
Here's my clamd.conf:
## Please read the clamd.conf(5) manual before editing this file.
# Comment or remove the line below.
#Example
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamav/clamd.log
# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
# Default: no
LogTime yes
# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes
# Use system logger (can work together with LogFile).
# Default: no
#LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable verbose logging.
# Default: no
#LogVerbose yes
# Log additional information about the infected file, such as its
# size and hash, together with the virus name.
#ExtendedDetectionInfo yes
# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile /run/clamav/clamd.pid
# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
TemporaryDirectory /tmp
# Path to the database directory.
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/lib/clamav
# Only load the official signatures published by the ClamAV project.
# Default: no
OfficialDatabaseOnly yes
# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /var/lib/clamav/clamd.sock
# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
LocalSocketGroup clamav
# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
#LocalSocketMode 660
# Remove stale socket after unclean shutdown.
# Default: yes
#FixStaleSocket yes
# TCP port address.
# Default: no
#TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
#TCPAddr 127.0.0.1
# Maximum length the queue of pending connections may grow to.
# Default: 200
#MaxConnectionQueueLength 30
# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.
# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
#StreamMaxLength 10M
# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000
# Maximum number of threads running at the same time.
# Default: 10
#MaxThreads 20
# Waiting for data from a client socket will timeout after this time (seconds).
# Default: 120
#ReadTimeout 300
# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 5
#CommandReadTimeout 5
# This option specifies how long to wait (in miliseconds) if the send buffer is full.
# Keep this value low to prevent clamd hanging
# Default: 500
#SendBufTimeout 200
# Maximum number of queued items (including those being processed by MaxThreads threads)
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file descriptors,
# the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
# Default: 100
#MaxQueue 200
# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60
# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
#ExcludePath ^/proc/
#ExcludePath ^/sys/
# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20
# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes
# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes
# Scan files and directories on other filesystems.
# Default: yes
#CrossFilesystems yes
# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600
# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clamav
# Initialize supplementary group access (clamd must be started by root).
# Default: no
#AllowSupplementaryGroups no
# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes
# Detect Possibly Unwanted Applications.
# Default: no
#DetectPUA yes
# Exclude a specific PUA category. This directive can be used multiple times.
# See http://www.clamav.net/support/pua for the complete list of PUA
# categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool
# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
#IncludePUA Spy
#IncludePUA Scanner
#IncludePUA RAT
# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to provide accurate detection. This option
# controls the algorithmic detection.
# Default: yes
#AlgorithmicDetection yes
## Executable files
# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option allows
# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite. If you turn off this option, the original files will still be
# scanned, but without additional processing.
# Default: yes
#ScanPE yes
# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanELF yes
# With this option clamav will try to detect broken executables (both PE and
# ELF) and mark them as Broken.Executable.
# Default: no
#DetectBrokenExecutables yes
## Documents
# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanOLE2 yes
# With this option enabled OLE2 files with VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#OLE2BlockMacros no
# This option enables scanning within PDF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanPDF yes
## Mail files
# Enable internal e-mail scanner.
# If you turn off this option, the original files will still be scanned, but
# without parsing individual messages/attachments.
# Default: yes
#ScanMail yes
# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: no
#ScanPartialMessages yes
# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes
# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes
# Always block SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
# Default: no
#PhishingAlwaysBlockSSLMismatch no
# Always block cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
# Default: no
#PhishingAlwaysBlockCloak no
# Allow heuristic match to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
# Default: no
#HeuristicScanPrecedence yes
## Data Loss Prevention (DLP)
# Enable the DLP module
# Default: No
#StructuredDataDetection yes
# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5
# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal yes
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes
## HTML
# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
#ScanHTML yes
## Archives
# ClamAV can scan within archives and compressed files.
# If you turn off this option, the original files will still be scanned, but
# without unpacking and additional processing.
# Default: yes
#ScanArchive yes
# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
#ArchiveBlockEncrypted no
## Limits
# The options below protect your system against Denial of Service attacks
# using archive bombs.
# This option sets the maximum amount of data to be scanned for each input file.
# Archives and other containers are recursively extracted and scanned up to this
# value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
#MaxScanSize 150M
# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
#MaxFileSize 30M
# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: setting this limit too high may result in severe damage to the system.
# Default: 16
#MaxRecursion 10
# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000
## Clamuko settings
# Enable Clamuko. Dazuko must be configured and running. Clamuko supports
# both Dazuko (/dev/dazuko) and DazukoFS (/dev/dazukofs.ctrl). DazukoFS
# is the preferred option. For more information please visit www.dazuko.org
# Default: no
#ClamukoScanOnAccess yes
# The number of scanner threads that will be started (DazukoFS only).
# Having multiple scanner threads allows Clamuko to serve multiple
# processes simultaneously. This is particularly beneficial on SMP machines.
# Default: 3
#ClamukoScannerCount 3
# Don't scan files larger than ClamukoMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#ClamukoMaxFileSize 10M
# Set access mask for Clamuko (Dazuko only).
# Default: no
#ClamukoScanOnOpen yes
#ClamukoScanOnClose yes
#ClamukoScanOnExec yes
# Set the include paths (all files inside them will be scanned). You can have
# multiple ClamukoIncludePath directives but each directory must be added
# in a seperate line. (Dazuko only)
# Default: disabled
#ClamukoIncludePath /home
#ClamukoIncludePath /students
# Set the exclude paths. All subdirectories are also excluded. (Dazuko only)
# Default: disabled
#ClamukoExcludePath /home/bofh
# With this option you can whitelist specific UIDs. Processes with these UIDs
# will be able to access all files.
# This option can be used multiple times (one per line).
# Default: disabled
#ClamukoExcludeUID 0
# With this option enabled ClamAV will load bytecode from the database.
# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
# Default: yes
#Bytecode yes
# Set bytecode security level.
# Possible values:
# None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
# This value is only available if clamav was built with --enable-debug!
# TrustSigned - trust bytecode loaded from signed .c[lv]d files,
# insert runtime safety checks for bytecode loaded from other sources
# Paranoid - don't trust any bytecode, insert runtime checks for all
# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
# Default: TrustSigned
#BytecodeSecurity TrustSigned
# Set bytecode timeout in miliseconds.
# Default: 5000
# BytecodeTimeout 1000
My freshclam.conf:
## Please read the freshclam.conf(5) manual before editing this file.
# Comment or remove the line below.
#Example
# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav
# Path to the log file (make sure it has proper permissions)
# Default: disabled
UpdateLogFile /var/log/clamav/freshclam.log
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
# in bytes just don't use modifiers.
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
# Default: no
#LogTime yes
# Enable verbose logging.
# Default: no
#LogVerbose yes
# Use system logger (can work together with UpdateLogFile).
# Default: no
#LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# This option allows you to save the process identifier of the daemon
# Default: disabled
#PidFile /var/run/freshclam.pid
# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
#DatabaseOwner clamav
# Initialize supplementary group access (freshclam must be started by root).
# Default: no
#AllowSupplementaryGroups yes
# Use DNS to verify virus database version. Freshclam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# WARNING: Do not touch it unless you're configuring freshclam to use your
# own database verification domain.
# Default: current.cvd.clamav.net
#DNSDatabaseInfo current.cvd.clamav.net
# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
# You can use db.XY.ipv6.clamav.net for IPv6 connections.
#DatabaseMirror db.XY.clamav.net
# database.clamav.net is a round-robin record which points to our most
# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is
# not working. DO NOT TOUCH the following line unless you know what you
# are doing.
DatabaseMirror database.clamav.net
# How many attempts to make before giving up.
# Default: 3 (per mirror)
#MaxAttempts 5
# With this option you can control scripted updates. It's highly recommended
# to keep it enabled.
# Default: yes
#ScriptedUpdates yes
# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
#CompressLocalDatabase no
# With this option you can provide custom sources (http:// or file://) for
# database files. This option can be used multiple times.
# Default: no custom URLs
#DatabaseCustomURL http://myserver.com/mysigs.ndb
#DatabaseCustomURL file:///mnt/nfs/local.hdb
# Number of database checks per day.
# Default: 12 (every two hours)
#Checks 24
# Proxy settings
# Default: disabled
#HTTPProxyServer myproxy.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass
# If your servers are behind a firewall/proxy which applies User-Agent
# filtering you can use this option to force the use of a different
# User-Agent header.
# Default: clamav/version_number
#HTTPUserAgent SomeUserAgentIdString
# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
# multi-homed systems.
# Default: Use OS'es default outgoing IP address.
#LocalIPAddress aaa.bbb.ccc.ddd
# Send the RELOAD command to clamd.
# Default: no
NotifyClamd /etc/clamav/clamd.conf
# Run command after successful database update.
# Default: disabled
#OnUpdateExecute command
# Run command when database update process fails.
# Default: disabled
#OnErrorExecute command
# Run command when freshclam reports outdated version.
# In the command string %v will be replaced by the new version number.
# Default: disabled
#OnOutdatedExecute command
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Timeout in seconds when connecting to database server.
# Default: 30
#ConnectTimeout 60
# Timeout in seconds when reading from database server.
# Default: 30
#ReceiveTimeout 60
# With this option enabled, freshclam will attempt to load new
# databases into memory to make sure they are properly handled
# by libclamav before replacing the old ones.
# Default: yes
#TestDatabases yes
# When enabled freshclam will submit statistics to the ClamAV Project about
# the latest virus detections in your environment. The ClamAV maintainers
# will then use this data to determine what types of malware are the most
# detected in the field and in what geographic area they are.
# Freshclam will connect to clamd in order to get recent statistics.
# Default: no
#SubmitDetectionStats /path/to/clamd.conf
# Country of origin of malware/detection statistics (for statistical
# purposes only). The statistics collector at ClamAV.net will look up
# your IP address to determine the geographical origin of the malware
# reported by your installation. If this installation is mainly used to
# scan data which comes from a different location, please enable this
# option and enter a two-letter code (see http://www.iana.org/domains/root/db/)
# of the country of origin.
# Default: disabled
#DetectionStatsCountry country-code
# This option enables support for our "Personal Statistics" service.
# When this option is enabled, the information on malware detected by
# your clamd installation is made available to you through our website.
# To get your HostID, log on http://www.stats.clamav.net and add a new
# host to your host list. Once you have the HostID, uncomment this option
# and paste the HostID here. As soon as your freshclam starts submitting
# information to our stats collecting service, you will be able to view
# the statistics of this clamd installation by logging into
# http://www.stats.clamav.net with the same credentials you used to
# generate the HostID. For more information refer to:
# http://www.clamav.net/support/faq/faq-cctts/
# This feature requires SubmitDetectionStats to be enabled.
# Default: disabled
#DetectionStatsHostID unique-id
# This option enables support for Google Safe Browsing. When activated for
# the first time, freshclam will download a new database file (safebrowsing.cvd)
# which will be automatically loaded by clamd and clamscan during the next
# reload, provided that the heuristic phishing detection is turned on. This
# database includes information about websites that may be phishing sites or
# possible sources of malware. When using this option, it's mandatory to run
# freshclam at least every 30 minutes.
# Freshclam uses the ClamAV's mirror infrastructure to distribute the
# database and its updates but all the contents are provided under Google's
# terms of use. See http://code.google.com/support/bin/answer.py?answer=70015
# and http://safebrowsing.clamav.net for more information.
# Default: disabled
#SafeBrowsing yes
# This option enables downloading of bytecode.cvd, which includes additional
# detection mechanisms and improvements to the ClamAV engine.
# Default: enabled
#Bytecode yes
# Download an additional 3rd party signature database distributed through
# the ClamAV mirrors. Here you can find a list of available databases:
# http://www.clamav.net/download/cvd/3rdparty
# This option can be used multiple times.
#ExtraDatabase dbname1
#ExtraDatabase dbname2
Any help is much appreciated.MatejLach wrote:
clamd is running, user and group clamav all have the relevant permissions as far as I can tell, however upon scanning my mail, I always end up with the following error:
Scanning error:
/home/username/.claws-mail/mimetmp/0000000e.mimetmp: lstat() failed: Permission denied. ERROR
Seems like a permissions error to me... maybe check the actual file it is attempting to scan... I know it is in your home folder, but just to be sure, you might want to check that everything is sane. -
Ways to scan for viruses on macs?
I want to scan and check for viruses.
1. This comment applies to malicious software ("malware") that's installed unwittingly by the victim of a network attack. It does not apply to software, such as keystroke loggers, that may be installed deliberately by an intruder who has hands-on access to the victim's computer. That threat is in a different category, and there's no easy way to defend against it. If you have reason to suspect that you're the target of such an attack, you need expert help.
2. All versions of OS X since 10.6.7 have been able to detect known Mac malware in downloaded files, and to block insecure web plugins. This feature is transparent to the user, but internally Apple calls it "XProtect." The malware recognition database is automatically checked for updates once a day; however, you shouldn't rely on it, because the attackers are always at least a day ahead of the defenders.
The following caveats apply to XProtect:
It can be bypassed by some third-party networking software, such as BitTorrent clients and Java applets (see below.)
It only applies to software downloaded from the network. Software installed from a CD or other media is not checked.
3. Starting with OS X 10.7.5, there has been another layer of built-in malware protection, designated "Gatekeeper" by Apple. By default, applications and Installer packages downloaded from the network will only run if they're digitally signed by a developer with a certificate issued by Apple. Software certified in this way hasn't actually been tested by Apple (unless it comes from the Mac App Store), but you can be reasonably sure that it hasn't been modified by anyone other than the developer. His identity is known to Apple, so he could be held legally responsible if he distributed malware. For most practical purposes, applications recognized by Gatekeeper as signed can be considered safe.
Gatekeeper doesn't depend on a database of known malware. It has, however, the same limitations as XProtect, and in addition the following:
It can easily be disabled or overridden by the user.
A malware attacker could get control of a code-signing certificate under false pretenses, or could find some other way to evade Apple's controls.
4. Beyond XProtect and Gatekeeper, there’s no benefit, in most cases, from any other automated protection against malware. The first and best line of defense is always your own intelligence. All known malware circulating on the Internet that affects a fully-updated installation of OS X 10.6 or later takes the form of so-called "trojan horses," which can only have an effect if the victim is duped into running them. The threat therefore amounts to a battle of wits between you and the malware attacker. If you're smarter than he thinks you are, you'll win.
That means, in practice, that you never use software that comes from an untrustworthy source. How do you know whether a source is trustworthy?
Any website that prompts you to install a “codec,” “plug-in,” "player," "extractor," or “certificate” that comes from that same site, or an unknown one, is untrustworthy.
A web operator who tells you that you have a “virus,” or that anything else is wrong with your computer, or that you have won a prize in a contest you never entered, is trying to commit a crime with you as the victim. (Some reputable websites did legitimately warn visitors who were infected with the "DNSChanger" malware. That exception to this rule no longer applies.)
Pirated copies or "cracks" of commercial software, no matter where they come from, are unsafe.
Software of any kind downloaded from a BitTorrent or from a Usenet binary newsgroup is unsafe.
Software with a corporate brand, such as Adobe Flash Player, must be downloaded directly from the developer’s website. If it comes from any other source, it's unsafe.
5. Java on the Web (not to be confused with JavaScript, to which it's not related, despite the similarity of the names) is a weak point in the security of any system. Java is, among other things, a platform for running complex applications in a web page, on the client. That was always a bad idea, and Java's developers have proven themselves incapable of implementing it without also creating a portal for malware to enter. Past Java exploits are the closest thing there has ever been to a Windows-style "virus" affecting OS X. Merely loading a page with malicious Java content could be harmful. Fortunately, Java on the Web is mostly extinct. Only a few outmoded sites still use it. Try to hasten the process of extinction by avoiding those sites, if you have a choice. Forget about playing games or other inessential uses of Java.
Java is not included in OS X 10.7 and later. Discrete Java installers are distributed by Apple and by Oracle (the developer of Java.) Don't use either one unless you need it. Most people don't. If Java is installed, disable it — not JavaScript — in your browsers. In Safari, this is done by unchecking the box marked Enable Java in the Security tab of the preferences dialog.
Currently, when you install the Apple-supplied Java runtime (but not the Oracle runtime), a "Malware Removal Tool" (MRT) is also installed. MRT runs automatically in the background and appears to scan your files for installed malware that may have evaded XProtect. Like XProtect, MRT is probably effective against known attacks, but not against unknown attacks. There is no user interface to MRT.
Regardless of version, experience has shown that Java on the Web can't be trusted. If you must use a Java applet for a specific task, enable Java only when needed for the task and disable it immediately when done. Close all other browser windows and tabs, and don't visit any other sites while Java is active. Never enable Java on a public web page that carries third-party advertising. Use it, when necessary, only on well-known, login-protected, secure websites without ads. In Safari 6 or later, you'll see a lock icon in the address bar with the abbreviation "https" when visiting a secure site.
Follow the above guidelines, and you’ll be as safe from malware as you can practically be. The rest of this comment concerns what you should not do to protect yourself from malware.
6. Never install any commercial "anti-virus" or "Internet security" products for the Mac, as they all do more harm than good, if they do any good at all. If you need to be able to detect Windows malware in your files, use the free software ClamXav — nothing else.
Why shouldn't you use commercial "anti-virus" products?
Their design is predicated on the nonexistent threat that malware may be injected at any time, anywhere in the file system. Malware is downloaded from the network; it doesn't materialize from nowhere.
In order to meet that nonexistent threat, the software modifies or duplicates low-level functions of the operating system, which is a waste of resources and a common cause of instability, bugs, and poor performance.
By modifying the operating system, the software itself may create weaknesses that could be exploited by malware attackers.
7. ClamXav doesn't have these drawbacks. That doesn't mean it's entirely safe. It may report email messages that have "phishing" links in the body, or Windows malware in attachments, as infected files, and offer to delete or move them. Doing so will corrupt the Mail database. The messages should be deleted from within the Mail application.
ClamXav is not needed, and should not be relied upon, for protection against OS X malware. It's useful only for detecting Windows malware. Windows malware can't harm you directly (unless, of course, you use Windows.) Just don't pass it on to anyone else.
A Windows malware attachment in email is usually easy to recognize. The file name will often be targeted at people who aren't very bright; for example:
♥♥♥♥♥♥♥♥♥♥♥♥♥♥!!!!!!!H0TBABEZ4U!!!!!!!.AVI♥♥♥♥♥♥♥♥♥♥♥♥♥♥.exe
ClamXav may be able to tell you which particular virus or trojan it is, but do you care? In practice, there's seldom a reason to use ClamXav unless a network administrator requires you to run an anti-virus application.
8. The greatest harm done by anti-virus software, in my opinion, is in its effect on human behavior. It does little or nothing to protect people from emerging threats, but they get a false sense of security from it, and then they may behave in ways that expose them to higher risk. Nothing can lessen the need for safe computing practices.
9. It seems to be a common belief that the built-in Application Firewall acts as a barrier to infection, or prevents malware from functioning. It does neither. It blocks inbound connections to certain network services you're running, such as file sharing. It's disabled by default and you should leave it that way if you're behind a router on a private home or office network. Activate it only when you're on an untrusted network, for instance a public Wi-Fi hotspot, where you don't want to provide services. Disable any services you don't use in the Sharing preference pane. All are disabled by default. -
How do I scan jump drive for virus on a Mac Pro?
How do I scan a jump drive for a virus on a Macbook Pro?
Kat52 wrote:
Does a new Macbook Pro come with a virus program?
OS X already includes everything it needs to protect itself from viruses and malware. Keep it that way with software updates from Apple. Robust anti-virus and anti-malware protections have been integrated in OS X since its inception, and have only improved in the many years since then. Mavericks represents the beneficiary of all that experience. There is no separate program to install, but there are features you can use and practices you can observe to customize or augment those protections:
OS X Mavericks: Protect your Mac
OS X Mavericks: Protect your Mac from malware
OS X Mavericks: Keep your information safe
OS X About Gatekeeper
About file quarantine in OS X
If you install Windows on your Mac using Boot Camp or virtualization software, Windows requires its own anti-virus measures. That's nothing new.
The following principles are intended specifically for OS X but can be adapted for any operating system or device.
Never install any product that claims to "speed up", "clean up", "optimize", or "accelerate" your Mac. Without exception, they will do the opposite.
Never install pirated or "cracked" software, software obtained from dubious websites, or other questionable sources. Illegally obtained software is almost certain to contain malware.
Don’t supply your password in response to a popup window requesting it, unless you know what it is and the reason your credentials are required.
Don’t open email attachments from email addresses that you do not recognize, or click links contained in an email:
Most of these are scams that direct you to fraudulent sites that attempt to convince you to disclose personal information.
Such "phishing" attempts are the 21st century equivalent of a social exploit that has existed since the dawn of civilization. Don’t fall for it.
Apple will never ask you to reveal personal information in an email. If you receive an unexpected email from Apple saying your account will be closed unless you take immediate action, just ignore it. If your iTunes or App Store account becomes disabled for valid reasons, you will know when you try to buy something or log in to this support site, and are unable to.
Don’t install browser extensions unless you understand their purpose. Go to the Safari menu > Preferences > Extensions. If you see any extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone.
Don’t install Java unless you are certain that you need it:
Java, a non-Apple product, is a potential vector for malware. If you are required to use Java, be mindful of that possibility.
Java can be disabled in System Preferences.
Despite its name JavaScript is unrelated to Java. No malware can infect your Mac through JavaScript. It’s OK to leave it enabled.
Block browser popups: Safari menu > Preferences > Security > and check "Block popup windows":
Popup windows are useful and required for some websites, but popups have devolved to become a common means to deliver targeted advertising that you probably do not want.
Popups themselves cannot infect your Mac, but many contain resource-hungry code that will slow down Internet browsing.
If you ever see a popup indicating it detected registry errors, that your Mac is infected with some ick, or that you won some prize, it is 100% fraudulent. Ignore it.
Ignore hyperventilating popular media outlets that thrive by promoting fear and discord with entertainment products arrogantly presented as "news". Learn what real threats actually exist and how to arm yourself against them:
The most serious threat to your data security is phishing. To date, most of these attempts have been pathetic and are easily recognized, but that is likely to change in the future as criminals become more clever.
OS X viruses do not exist, but intentionally malicious or poorly written code, created by either nefarious or inept individuals, is nothing new.
Never install something without first knowing what it is, what it does, how it works, and how to get rid of it when you don’t want it any more.
If you elect to use "anti-virus" software, familiarize yourself with its limitations and potential to cause adverse effects, and apply the principle immediately preceding this one.
Most such utilities will only slow down and destabilize your Mac while they look for viruses that do not exist, conveying no benefit whatsoever - other than to make you "feel good" about security, when you should actually be exercising sound judgment, derived from accurate knowledge, based on verifiable facts.
Do install updates from Apple as they become available. No one knows more about Macs and how to protect them than the company that builds them.
Summary: Use common sense and caution when you use your Mac, just like you would in any social context. There is no product, utility, or magic talisman that can protect you from all the evils of mankind. -
I am looking for a (free, ideally) virus scan/check for my MacBook Pro -- any suggestions?
I am looking for a (free, ideally) virus scan/check for my MacBook Pro -- any suggestions?
Mac users often ask whether they should install "anti-virus" software. The answer usually given on ASC is "no." The answer is right, but it may give the wrong impression that there is no threat from what are loosely called "viruses." There is a threat, and you need to educate yourself about it.
1. This is a comment on what you should—and should not—do to protect yourself from malicious software ("malware") that circulates on the Internet and gets onto a computer as an unintended consequence of the user's actions. It does not apply to software, such as keystroke loggers, that may be installed deliberately by an intruder who has hands-on access to the computer, or who has been able to log in to it remotely. That threat is in a different category, and there's no easy way to defend against it.
The comment is long because the issue is complex. The key points are in sections 5, 6, and 10.
OS X now implements three layers of built-in protection specifically against malware, not counting runtime protections such as execute disable, sandboxing, system library randomization, and address space layout randomization that may also guard against other kinds of exploits.
2. All versions of OS X since 10.6.7 have been able to detect known Mac malware in downloaded files, and to block insecure web plugins. This feature is transparent to the user. Internally Apple calls it "XProtect."
The malware recognition database used by XProtect is automatically updated; however, you shouldn't rely on it, because the attackers are always at least a day ahead of the defenders.
The following caveats apply to XProtect:
☞ It can be bypassed by some third-party networking software, such as BitTorrent clients and Java applets.
☞ It only applies to software downloaded from the network. Software installed from a CD or other media is not checked.
As new versions of OS X are released, it's not clear whether Apple will indefinitely continue to maintain the XProtect database of older versions such as 10.6. The security of obsolete system versions may eventually be degraded. Security updates to the code of obsolete systems will stop being released at some point, and that may leave them open to other kinds of attack besides malware.
3. Starting with OS X 10.7.5, there has been a second layer of built-in malware protection, designated "Gatekeeper" by Apple. By default, applications and Installer packages downloaded from the network will only run if they're digitally signed by a developer with a certificate issued by Apple. Software certified in this way hasn't necessarily been tested by Apple, but you can be reasonably sure that it hasn't been modified by anyone other than the developer. His identity is known to Apple, so he could be held legally responsible if he distributed malware. That may not mean much if the developer lives in a country with a weak legal system (see below.)
Gatekeeper doesn't depend on a database of known malware. It has, however, the same limitations as XProtect, and in addition the following:
☞ It can easily be disabled or overridden by the user.
☞ A malware attacker could get control of a code-signing certificate under false pretenses, or could simply ignore the consequences of distributing codesigned malware.
☞ An App Store developer could find a way to bypass Apple's oversight, or the oversight could fail due to human error.
Apple has so far failed to revoke the codesigning certificates of some known abusers, thereby diluting the value of Gatekeeper and the Developer ID program. These failures don't involve App Store products, however.
For the reasons given, App Store products, and—to a lesser extent—other applications recognized by Gatekeeper as signed, are safer than others, but they can't be considered absolutely safe. "Sandboxed" applications may prompt for access to private data, such as your contacts, or for access to the network. Think before granting that access. Sandbox security is based on user input. Never click through any request for authorization without thinking.
4. Starting with OS X 10.8.3, a third layer of protection has been added: a "Malware Removal Tool" (MRT). MRT runs automatically in the background when you update the OS. It checks for, and removes, malware that may have evaded the other protections via a Java exploit (see below.) MRT also runs when you install or update the Apple-supplied Java runtime (but not the Oracle runtime.) Like XProtect, MRT is effective against known threats, but not against unknown ones. It notifies you if it finds malware, but otherwise there's no user interface to MRT.
5. The built-in security features of OS X reduce the risk of malware attack, but they are not, and never will be, complete protection. Malware is a problem of human behavior, and a technological fix is not going to solve it. Trusting software to protect you will only make you more vulnerable.
The best defense is always going to be your own intelligence. With the possible exception of Java exploits, all known malware circulating on the Internet that affects a fully-updated installation of OS X 10.6 or later takes the form of so-called "Trojan horses," which can only have an effect if the victim is duped into running them. The threat therefore amounts to a battle of wits between you and the scam artists. If you're smarter than they think you are, you'll win. That means, in practice, that you always stay within a safe harbor of computing practices. How do you know when you're leaving the safe harbor? Below are some warning signs of danger.
Software from an untrustworthy source
☞ Software of any kind is distributed via BitTorrent, or Usenet, or on a website that also distributes pirated music or movies.
☞ Software with a corporate brand, such as Adobe Flash Player, doesn't come directly from the developer’s website. Do not trust an alert from any website to update Flash, or your browser, or any other software.
☞ Rogue websites such as Softonic and CNET Download distribute free applications that have been packaged in a superfluous "installer."
☞ The software is advertised by means of spam or intrusive web ads. Any ad, on any site, that includes a direct link to a download should be ignored.
Software that is plainly illegal or does something illegal
☞ High-priced commercial software such as Photoshop is "cracked" or "free."
☞ An application helps you to infringe copyright, for instance by circumventing the copy protection on commercial software, or saving streamed media for reuse without permission.
Conditional or unsolicited offers from strangers
☞ A telephone caller or a web page tells you that you have a “virus” and offers to help you remove it. (Some reputable websites did legitimately warn visitors who were infected with the "DNSChanger" malware. That exception to this rule no longer applies.)
☞ A web site offers free content such as video or music, but to use it you must install a “codec,” “plug-in,” "player," "downloader," "extractor," or “certificate” that comes from that same site, or an unknown one.
☞ You win a prize in a contest you never entered.
☞ Someone on a message board such as this one is eager to help you, but only if you download an application of his choosing.
☞ A "FREE WI-FI !!!" network advertises itself in a public place such as an airport, but is not provided by the management.
☞ Anything online that you would expect to pay for is "free."
Unexpected events
☞ A file is downloaded automatically when you visit a web page, with no other action on your part. Delete any such file without opening it.
☞ You open what you think is a document and get an alert that it's "an application downloaded from the Internet." Click Cancel and delete the file. Even if you don't get the alert, you should still delete any file that isn't what you expected it to be.
☞ An application does something you don't expect, such as asking for permission to access your contacts, your location, or the Internet for no obvious reason.
☞ Software is attached to email that you didn't request, even if it comes (or seems to come) from someone you trust.
I don't say that leaving the safe harbor just once will necessarily result in disaster, but making a habit of it will weaken your defenses against malware attack. Any of the above scenarios should, at the very least, make you uncomfortable.
6. Java on the Web (not to be confused with JavaScript, to which it's not related, despite the similarity of the names) is a weak point in the security of any system. Java is, among other things, a platform for running complex applications in a web page, on the client. That was always a bad idea, and Java's developers have proven themselves incapable of implementing it without also creating a portal for malware to enter. Past Java exploits are the closest thing there has ever been to a Windows-style virus affecting OS X. Merely loading a page with malicious Java content could be harmful.
Fortunately, client-side Java on the Web is obsolete and mostly extinct. Only a few outmoded sites still use it. Try to hasten the process of extinction by avoiding those sites, if you have a choice. Forget about playing games or other non-essential uses of Java.
Java is not included in OS X 10.7 and later. Discrete Java installers are distributed by Apple and by Oracle (the developer of Java.) Don't use either one unless you need it. Most people don't. If Java is installed, disable it—not JavaScript—in your browsers.
Regardless of version, experience has shown that Java on the Web can't be trusted. If you must use a Java applet for a task on a specific site, enable Java only for that site in Safari. Never enable Java for a public website that carries third-party advertising. Use it only on well-known, login-protected, secure websites without ads. In Safari 6 or later, you'll see a lock icon in the address bar with the abbreviation "https" when visiting a secure site.
Stay within the safe harbor, and you’ll be as safe from malware as you can practically be. The rest of this comment concerns what you should not do to protect yourself.
7. Never install any commercial "anti-virus" (AV) or "Internet security" products for the Mac, as they are all worse than useless. If you need to be able to detect Windows malware in your files, use one of the free security apps in the Mac App Store—nothing else.
Why shouldn't you use commercial AV products?
☞ To recognize malware, the software depends on a database of known threats, which is always at least a day out of date. This technique is a proven failure, as a major AV software vendor has admitted. Most attacks are "zero-day"—that is, previously unknown. Recognition-based AV does not defend against such attacks, and the enterprise IT industry is coming to the realization that traditional AV software is worthless.
☞ Its design is predicated on the nonexistent threat that malware may be injected at any time, anywhere in the file system. Malware is downloaded from the network; it doesn't materialize from nowhere. In order to meet that nonexistent threat, commercial AV software modifies or duplicates low-level functions of the operating system, which is a waste of resources and a common cause of instability, bugs, and poor performance.
☞ By modifying the operating system, the software may also create weaknesses that could be exploited by malware attackers.
☞ Most importantly, a false sense of security is dangerous.
8. An AV product from the App Store, such as "ClamXav," has the same drawback as the commercial suites of being always out of date, but it does not inject low-level code into the operating system. That doesn't mean it's entirely harmless. It may report email messages that have "phishing" links in the body, or Windows malware in attachments, as infected files, and offer to delete or move them. Doing so will corrupt the Mail database. The messages should be deleted from within the Mail application.
An AV app is not needed, and cannot be relied upon, for protection against OS X malware. It's useful, if at all, only for detecting Windows malware, and even for that use it's not really effective, because new Windows malware is emerging much faster than OS X malware.
Windows malware can't harm you directly (unless, of course, you use Windows.) Just don't pass it on to anyone else. A malicious attachment in email is usually easy to recognize by the name alone. An actual example:
London Terror Moovie.avi [124 spaces] Checked By Norton Antivirus.exe
You don't need software to tell you that's a Windows trojan. Software may be able to tell you which trojan it is, but who cares? In practice, there's no reason to use recognition software unless an organizational policy requires it. Windows malware is so widespread that you should assume it's in everyemail attachment until proven otherwise. Nevertheless, ClamXav or a similar product from the App Store may serve a purpose if it satisfies an ill-informed network administrator who says you must run some kind of AV application. It's free and it won't handicap the system.
The ClamXav developer won't try to "upsell" you to a paid version of the product. Other developers may do that. Don't be upsold. For one thing, you should not pay to protect Windows users from the consequences of their choice of computing platform. For another, a paid upgrade from a free app will probably have all the disadvantages mentioned in section 7.
9. It seems to be a common belief that the built-in Application Firewall acts as a barrier to infection, or prevents malware from functioning. It does neither. It blocks inbound connections to certain network services you're running, such as file sharing. It's disabled by default and you should leave it that way if you're behind a router on a private home or office network. Activate it only when you're on an untrusted network, for instance a public Wi-Fi hotspot, where you don't want to provide services. Disable any services you don't use in the Sharing preference pane. All are disabled by default.
10. As a Mac user, you don't have to live in fear that your computer may be infected every time you install software, read email, or visit a web page. But neither can you assume that you will always be safe from exploitation, no matter what you do. Navigating the Internet is like walking the streets of a big city. It's as safe or as dangerous as you choose to make it. The greatest harm done by security software is precisely its selling point: it makes people feel safe. They may then feel safe enough to take risks from which the software doesn't protect them. Nothing can lessen the need for safe computing practices. -
Norton Internet Security cannot scan emails the use SSL. How do I insure that I do not get a virus or malware by opening an email in Thunderbird? I have read that you don't have to click on a link to get malware but that some email can trigger malware just by opening and reading. Any suggestions to keep my emails from triggering malware? AOL Desktop software has it's own built-in email scanner but I'm trying to get away from using their software and rely just on TB.
ThanksThere are many aspects to this question.
First, using SSL or TLS to send and receive email is important because it prevents others from sniffing your email login. Particularly if you are using a device over wi-fi or on untrusted networks, this is critical because if others obtain your email login, bad things can happen.
Of course, using SSL or TLS with your mail server also protects the content of your email from being captured by others, so that's good too.
Second, you are correct that there can be security threats in email other than the attachments, although the attachments generally are the most dangerous. Your antivirus should protect you from bad attachments because in order to open them, they need to be written to disk in a temporary folder, and your AV software leaps into action whenever a new file is added to disk. You also can hedge your bets by using a two-step approach: first save the attachment to disk and only after it survives the real-time AV scan then launch it in the appropriate application.
Sometimes content in the message body can trigger a vulnerability in your email software or a plugin. As these vulnerabilities become known, Mozilla updates its software, but there seem to always be new issues discovered and there will never be perfect security. I'm not sure how helpful email scanning is for this problem. -
I think my email was hacked from my iPad how can I check it for viruses
I think my e mail was hacked from my iPad. How can I check the iPad for viruses?
Well there are apps for that, but iPads and others are not suseptable to viruses, if they are its very very very small number. So I would suspect that you are fine, but check the app store for an app that would scan for viruses, i use Virusbarrier to scan downloads i get in emails, or links.
-
Virus Scanning email attachments
hi,
I would like to know how to programmatically launch a virus scanner to scan for viruses in email attachments, like yahoo does.
regards,
Sabinadear sabina,
i am also intersted in launching a email sacnner through my program....... if u find any solution please inform me on [email protected] if possible can u send me the code.
all the best....
thank you,
sachin -
HT5621 How can I scan for viruses on my Mac?
How can I scan for viruses on my Mac desktop?
You may find this User Tip on Viruses, Trojan Detection and Removal, as well as general Internet Security and Privacy, useful: The User Tip seeks to offer guidance on the main security threats and how to avoid them.
https://discussions.apple.com/docs/DOC-2435
More useful information can also be found here:
www.thesafemac.com/mmg -
What is the preferred virus scan program for iphone? I believe that I have a virus. My phone will come on by itself and it appears to be recording audio. I have read about spyware/surveilance viruses that will record audio and take photos.
My phone is not jailbroken. I don't know what you mean about hacked. Maybe it is hacked? This is what is happening: About three times over the past few months I've noticed that my phone while "off" will come on (light up) and the screen shows an arrow towards the bottom; an arrow such that you would see on various "players" in order to "play" video or audio, I've searched my phone and cannot find any app that produces this particular screen though. Once I pick up the phone when this screen myseriously appears out of nowhere and press anything, it goes away and goes to the standard "slider" front page to unlock the phone.
Maybe you are looking for
-
Problems encountered while running Java EE tutorial in JDeveloper
I am using JDeveloper version 10.1.3.1 to run Java EE tutorial, I got the following error messages while running ServiceRequestFacadeClientEmbed to test the data model (tutorial page 44 of 222), please help me fix those errors. Thanks a lot for your
-
Since upgrading to Lion, I can no longer view my previews in Aperture.
Since I updated to Lion, Aperture has been sluggish and annoying and keeps quitting on me... However, the worst problem I have is that I cannot view the previews of most of my photos. The files are all referenced and kept on an external hard drive. I
-
When I'm browsing on Safari, it all of a sudden cuts off and the screen turns blue. It turns blue for about 5 seconds and then returns to the desktop screen. Any idea what's going on?
-
100TX Full Duplex not working forced to 100/half - fixed
I dont know if everybody figured this out. but I found this info on an old board and it worked for me on my qaud Intel running SL server. First check your Network Utility to see which network interface is active but problamatic. (eg. en0, en1, en2).
-
When I select "get media" nothing happens and the photo downloader does not respond.
I am unable to download my photos to Elements 10. The program recognizes my Canon camera and he number of photos on its card. But when I tap "get media" nothing happens and I then cannot even cancel or close the photo downloader page, which Task Ma