How to check that ClamAV is running.

#1 Sun, 01/21/2007 - 13:19
Blueforce

Hi,

How do I check that ClamAV is running? Earlier this info was found in the daily logwatch, like this:

--------------------- clam-update Begin ------------------------

Last ClamAV update process started at Sun Apr 16 23:02:09 2006

Last Status:
main.cvd is up to date (version: 37, sigs: 46700, f-level: 7, builder: ccordes)
daily.cvd is up to date (version: 1403, sigs: 4303, f-level: 7, builder: arnaud)

---------------------- clam-update End -------------------------

This info must have been removed (unfortunately) from the logwatch because I no longer see this info in the logwatch.

I would like to know how and where to check that ClamAV is running and is up to date, because we suddenly started to receive lots of spam mails with exe-files attached, some of them with viruses and trojans. These infected files were delivered normally by the server and were found when received on my computer. I also tried disabling my virus protection and sent an Eicar test virus string in a mail, which was also delivered by our server.

Server runs FC4 and Virtualmin Pro, all with the latest versions.

Regards, Leif

Wed, 01/24/2007 - 15:11
Blueforce

Anyone...??

Wed, 01/24/2007 - 16:07
Joe

Hey Leif,

Sorry for the slow reply.

You can run "service clamd status" to see if the daemon is running.

Check the maillog for any information about what's happening when the virus check occurs...I believe you'll see an error if something goes wrong with the clamscan command (actually, it might show up in the user's procmail log, and only if logging is enabled...). But it's always worth checking the maillog when something weird is happening with mail.

Wed, 01/24/2007 - 16:31
Blueforce

Hi Joe,

Should the ClamAV info be shown in logwatch??

When I check clamd status I get this answer:

[root@server ~]# service clamd status
clamd: unrecognized service
[root@server ~]#

As I recall, I have not been able to check any ClamAV info since we reinstalled our server (about 7-8 months ago). Before that I could check the status with a command (I don't remember it now) that reported ClamAV status, build, version and so on.

Any ideas?

Regards,
Leif

Thu, 01/25/2007 - 15:31
SeanKelly

QUOTE:

As I recall, I have not been able to check any ClamAV info since we reinstalled our server (about 7-8 months ago)

Leif,

Are you sure ClamAV is installed?

Try rpm -q clamav

If not then yum install clamav

S

Thu, 01/25/2007 - 16:08
SeanKelly

to get the last clamav update info (like posted) do: freshclam ?

to get the Version info do: clamscan -V OR freshclam -V

Thu, 01/25/2007 - 16:48
Blueforce

Hi Sean,

I have checked "clamscan -V" and it reports the version, build and so on. "freshclam -V" reports an error. Virtualmin also reports that ClamAV is installed and active when I re-check and refresh configuration.

The strange thing is that we suddenly started to receive many infected mails every day. It must be more than a year since I last received them, for example the attached and infected file "postcard.exe".

I have checked the mail logs and logfiles but I can't see any info in the logfiles that an e-mail was scanned by ClamAV, and I have checked the logs for mail that I am sure had an infected file attached to it. Maybe I'm not looking in the right place?

Sometimes when I send the Eicar virus test string it also gets delivered normally. Maybe I could set the server to store the infected mail in a folder/file so I actually see the infected mails, instead of just throwing them away. But this feels like a very wrong way to tell if ClamAV actually is working.

Regards,
Leif
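
Added example, not part of any post in this thread: a functional check that the scanner binary actually flags the Eicar test file, instead of relying on "installed and active". The function name `eicar_check` and the `--run` switch are assumptions made for this example; the exit codes are the ones clamscan documents (0 = clean, 1 = virus found, 2 = error).

```shell
#!/bin/sh
# Added example, not from the thread: functional check that a ClamAV scanner
# binary flags the EICAR test file. Assumption: the scanner follows clamscan's
# documented exit codes (0 = clean, 1 = virus found, 2 = error).

# eicar_check [SCANNER]
#   SCANNER defaults to clamscan; pass clamdscan to test the daemon path.
#   Returns 0 if the test file was flagged, 1 if it was missed,
#   2 if the scanner failed or could not be started.
eicar_check() {
    ec_scanner=${1:-clamscan}
    ec_dir=$(mktemp -d) || { echo "ERROR: mktemp failed"; return 2; }
    ec_file=$ec_dir/eicar.com

    # Standard 68-byte EICAR test string (harmless). It is written in two
    # pieces so that this script is not itself flagged by on-access scanners.
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' \
        'ANTIVIRUS-TEST-FILE!$H+H*' > "$ec_file"

    # Capture the exit code without tripping "set -e" in a calling script.
    ec_rc=0
    "$ec_scanner" --no-summary "$ec_file" >/dev/null 2>&1 || ec_rc=$?
    rm -rf "$ec_dir"

    case $ec_rc in
        1) echo "OK: $ec_scanner flagged the EICAR test file"; return 0 ;;
        0) echo "FAIL: $ec_scanner reported the EICAR test file as clean"; return 1 ;;
        *) echo "ERROR: $ec_scanner exited with status $ec_rc"; return 2 ;;
    esac
}

# Run the check only when asked, e.g.:  sh eicar_check.sh --run clamscan
if [ "${1:-}" = "--run" ]; then
    eicar_check "${2:-clamscan}"
fi
```

This exercises the scanner binary and its signature databases only. Whether incoming mail is actually handed to the scanner is a separate question, answered by the maillog and procmail log mentioned earlier in the thread.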

Thu, 01/25/2007 - 16:58
Blueforce

One more thing,

I also don't know if the logwatch no longer provides the ClamAV status in the log, or if something is wrong in my settings. For the first 6 months when our first FC4 box was running, logwatch always reported ClamAV status, but since the reinstall about 8 months ago (due to a hardware crash) it has no longer provided the ClamAV status in the logwatch.

Regards,
Leif