Koozali.org: home of the SME Server

bash script for scanning emails for viruses and deleting emails

purvis
http://forums.contribs.org/index.php/topic,49499.0.html

There is some background from the above link.

A little bit of background.
On one of our servers, there seem to be some emails arriving with viruses; at least the antivirus software ClamAV that is included with SME Server thinks so.
From the results in an email to the admin account from the weekly virus scan, which can be set from the SME Server manager panel, I have seen email files flagged as having viruses. I thought that was odd, because I thought all emails were checked for viruses with the ClamAV software when they were received.
After looking over the emails that were suspected of having viruses, they were all spam-type emails.

Emails with viruses, or emails that I think ClamAV suspects of containing a virus or anything else bad, have to GO (be deleted).

So I started trying to write a routine to delete these in a timely manner.
Using the clamscan program that comes with ClamAV is very CPU intensive. It takes a while to load, and its performance is terrible even when scanning a low number of files. clamscan is just a rogue bully on the CPU and an input/output hog when scanning a large number of files, and it is also a bit of a hog for a few files.

I found out the clamdscan program is more to my liking. It loads much faster. I am still learning it. But I had nothing but problems with clamdscan not processing the files, with an error [lstat() failed: Permission denied. ERROR] on each file clamdscan tried to process.

By adding the option [--fdpass] to the clamdscan program, the error went away. As far as I know, clamdscan offloads the file to the clamd service that is running in the background.
The clamd service has the same resource-hog problem as clamscan. I have been working on a solution to that. But we do not have a large number of emails coming in on our servers, and using clamdscan does not bump up the CPU for as long as clamscan does.

The way I have written this newer bash script using clamdscan, it runs much faster from start to stop on our servers for the number of emails being processed.

In the script you will notice that I am trying to regulate the clamd service's niceness. I have not been too successful, maybe a little, in reducing the CPU use of the clamd service.
And because I do not know of other effects of changing the niceness of the clamd service, I have remarked it out. For those people who have a much larger number of emails for the script to check for viruses, you can remove the comments where I have commented out the renice setting of the clamd service.

The script will follow on the next post.
If anybody knows how to scan files with clamdscan without using the option "--fdpass", I am very interested in how you do that. Thanks.
« Last Edit: March 09, 2013, 06:40:52 AM by purvis »

purvis
Re: bash script for scanning emails for viruses and deleting emails
« Reply #1 on: March 09, 2013, 06:31:00 AM »
Here is the bash script that I am running from the /etc/cron.hourly folder.
I think this script needs to be run more often (many times an hour), but hourly is a good place to start, until I get other code placed into the script that runs in a loop.
I will change this script multiple times in the future as I learn bash programming and more about Linux and ClamAV.

This bash routine gets rid of the clamscan program and uses the clamdscan program that comes with ClamAV instead.

As you can see, there is an if statement that allows this routine to scan all emails for viruses 3 times a day at certain hours.
I kind of like the hours of 6am, 12am and 10pm. I think having those is good in case a server is down for more than a few hours or the time is not set on the server.

WARNING: USING THIS BASH FILE WILL DELETE FILES. If you want to keep your files, then take out the text "--remove=yes".
Also, you will likely see multiple lines in the log file for files found with viruses. This routine was just created and I have not had time to see what that is about; we have to have some emails with viruses first before I can see what is going on.

I place this code in a file called "clamscanemails" in the folder /etc/cron.hourly:
nano /etc/cron.hourly/clamscanemails
After creating and saving the file:
chmod 755 /etc/cron.hourly/clamscanemails

This program will log to a file in the Primary ibay, in a folder named serverstatus. You can view the log file, which will include the times this program starts and stops (for timing purposes) and the deleted email files with viruses that ClamAV finds: http://yourserver/serverstatus/clamscanemails.txt


USE THIS CODE AT YOUR OWN RISK

Code:
#!/bin/bash

#routine created on 03-08-2013 22:32

# lower this script's own priority so the scan yields to other work on the box
/usr/bin/renice 20 -p $$ > /dev/null

# optional: also lower the priority of the clamd daemon that does the actual scanning
# (left commented out; uncomment on servers that receive a large volume of mail)
#pidclamd=$(ps -C clamd -o pid=)
#/usr/bin/renice 20 -p $pidclamd > /dev/null

# the log lives in the Primary ibay's html folder, so it is readable by anyone who can
# reach http://yourserver/serverstatus/ and it exposes user names from the Maildir paths
locationoflogfile="/home/e-smith/files/ibays/Primary/html/serverstatus"
logfilename="clamscanemails.txt"
logit="$locationoflogfile/$logfilename"

mkdir -p "$locationoflogfile"
chmod 755 "$locationoflogfile"

TODAY=$(date +"%Y%m%d %T")
echo "$TODAY scanning started" >> "$logit"

# %H prints a zero-padded hour ("06"); %k pads with a space (" 6") and would never equal "06"
HOUR=$(date +"%H")
if [ "$HOUR" == "06" ] || [ "$HOUR" == "12" ] || [ "$HOUR" == "22" ]
then
    #scan all emails for viruses on the hours 06, 12 and 22
    echo "scanning all emails" >> "$logit"
    # Maildir message files are named <unixtime>.<unique>.<host>, with ":2,<flags>" appended
    # once read, hence the trailing "*". --fdpass hands clamd an already-open descriptor, so it
    # can scan files it cannot lstat() itself. With --remove=yes clamdscan writes two lines per
    # hit: "<file>: <signature> FOUND" and then "<file>: Removed."
    find /home/e-smith/files/users/*/Maildir/ -type f -name "1*.*.$HOSTNAME*" \
        -exec /usr/bin/clamdscan --infected --remove=yes --no-summary --fdpass {} + >> "$logit"
else
    #scan only emails less than 3 hours old (186 minutes, so each message is seen by about
    #three consecutive hourly runs)
    echo "scanning only emails 3 hours old" >> "$logit"
    find /home/e-smith/files/users/*/Maildir/ -type f -name "1*.*.$HOSTNAME*" -mmin -186 \
        -exec /usr/bin/clamdscan --infected --remove=yes --no-summary --fdpass {} + >> "$logit"
fi

TODAY=$(date +"%Y%m%d %T")
echo "$TODAY scanning ended" >> "$logit"
echo '----------------------------------' >> "$logit"

# restore clamd's priority if it was lowered above
#/usr/bin/renice 0 -p $pidclamd > /dev/null
exit 0
« Last Edit: March 09, 2013, 07:59:47 AM by purvis »
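As an added example (not part of purvis's post, SME Server or ClamAV), the two pieces of the cron script that can be exercised without a running clamd: the hour test that chooses between a full scan and a recent-mail scan, and a summary of the lines clamdscan appends to the log when it removes a file. The function names, the Maildir paths and the clamdscan output lines used as input are all constructed for this example. It also shows why the hour must be zero-padded: `date +%k` prints " 6", which never equals "06", while `date +%H` prints "06".

```bash
#!/bin/bash
# Added example, not from the forum post or from SME Server/ClamAV.
# Function names, Maildir paths and the clamdscan output below are constructed.

# Pick the scan mode the same way the cron script does.
# Expects a two-digit hour as printed by `date +%H` (e.g. "06").
scan_mode() {
    case "$1" in
        06|12|22) echo full ;;
        *)        echo recent ;;
    esac
}

# `date +%k` prints a space-padded hour (" 6"), which never equals "06".
# Normalise such a value to two digits so scan_mode sees "06".
pad_hour() {
    h=$(printf '%s' "$1" | tr -d ' ')
    case "$h" in
        ?) h="0$h" ;;
    esac
    echo "$h"
}

# Summarise clamdscan output read on stdin.
# With --infected --remove=yes clamdscan writes "<file>: <signature> FOUND"
# and then "<file>: Removed." for every hit, so the log shows two lines per
# removed message; this counts both kinds separately.
summarize_clamd_output() {
    awk '
        / FOUND$/      { found++ }
        /: Removed\.$/ { removed++ }
        END { printf "infected=%d removed=%d\n", found + 0, removed + 0 }
    '
}

# Constructed sample of what clamdscan would append to the log for two hits.
# Maildir file names are <unixtime>.<unique>.<host>, with ":2,<flags>" added
# once the message has been read, which is why the find pattern ends in "*".
SAMPLE_OUTPUT='/home/e-smith/files/users/alice/Maildir/new/1362793200.12345.mail.example.com: Eicar-Test-Signature FOUND
/home/e-smith/files/users/alice/Maildir/new/1362793200.12345.mail.example.com: Removed.
/home/e-smith/files/users/bob/Maildir/cur/1362793300.67890.mail.example.com:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/e-smith/files/users/bob/Maildir/cur/1362793300.67890.mail.example.com:2,S: Removed.'

summarize_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | summarize_clamd_output
}

echo "date +%H style '06'  -> $(scan_mode 06)"
echo "date +%k style ' 6'  -> $(scan_mode ' 6')"
echo "after pad_hour       -> $(scan_mode "$(pad_hour ' 6')")"
summarize_sample
```

Running it prints "full", then "recent" for the space-padded hour, then "full" again once the hour is padded, and finally "infected=2 removed=2" for the sample: two log lines per removed message, which is the doubling the post mentions.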