Scan MailboxStore ClamAV
Revision as of 21:06, 19 March 2012
Article Information
This article applies to the following ZCS versions: ZCS 7.0, ZCS 6.0, ZCS 5.0 (ZCS 7.1.x and prior).
Overview
Sites that need to rescan for zero-day exploits that may have evaded ClamAV at delivery time can scan the message store and remove infected e-mails after the fact (manually or through a cron job). This allows e-mails to be removed from users' mailboxes even after they have already been delivered. This is useful after hours or on weekends, and it lowers the chance that someone later opens a malicious e-mail that slipped through.
Setup
To set up on-demand clamd scanning, create a subdirectory underneath /opt/zimbra/ (for example, mine is /opt/zimbra/ryan) and run the following commands as the zimbra user (from root: su - zimbra):
vi virusremovestore.sh
(NOTE: You may also use a text editor of your choice)
Now, insert the following "code" into the file:
#!/bin/bash
# Scan every message file in the primary store volume and remove the ones
# ClamAV flags, except in archive and virus-quarantine accounts.
old_IFS=$IFS
echo "Scanning Mail Store for Viruses"
# clamscan --infected prints one line per hit:
#   /opt/zimbra/store/0/<mailboxId>/msg/<dir>/<itemId>-<rev>.msg: <signature> FOUND
# Only those lines are passed on; without the grep the scan summary lines
# would be split and fed to mysql/zmmailbox as well.
~/clamav/bin/clamscan --database ~/data/clamav/db/ --recursive=yes --infected ~/store/0/ \
  | grep ' FOUND$' \
  | while IFS=/ read root opt zimbra store messagestore storeid msg folder messageid virusname found
do
  # Map the mailbox id taken from the path to the account name
  uid=`mysql -NBe "select comment from zimbra.mailbox where id='$storeid'"`
  # The item id is the part of the file name before the '-'
  msgid=`echo $messageid | cut -d'-' -f1`
  if [ -z "$uid" ]; then
    echo "No account found for mailbox $storeid, message $msgid not removed"
  elif [[ "$uid" == *.archive ]]; then
    echo "Archive: Did not remove message $msgid from $uid"
  elif [[ "$uid" == *virus*quarantine* ]]; then
    echo "Skipping message $msgid in virus quarantine"
  else
    zmmailbox -z -m $uid dm $msgid
    echo "Found and removed infected message $msgid from $uid"
  fi
done
IFS=$old_IFS
Save the file and run chmod +x virusremovestore.sh. The file is now ready for execution.
Execution/Running
To run the file, execute it as you would any other shell script or binary (do this as the zimbra user), either by changing to the directory and running ./virusremovestore.sh or by using the full path.
NOTE: You can also set this to run in a cron job at intervals of your choosing. My only suggestion is to let each execution completely finish before starting a new one.
In either case, the script will echo to your terminal that it is executing. It will then scan and remove the infected messages automatically, except for the virus-quarantine account and accounts ending in .archive (if you use a different naming convention, change it in the code above).
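Before letting a cron job delete mail, it helps to see exactly which messages the scan output maps to and which of the skip rules above would apply. The script below is an added example, not the wiki's script or Zimbra code: it parses clamscan --infected lines with a pattern anchored on the store layout (/opt/zimbra/store/<volume>/<mailboxId>/msg/<dir>/<itemId>-<rev>.msg, an assumption about the layout) instead of counting path components, ignores the scan summary lines, applies the same archive and virus-quarantine rules, and prints the zmmailbox command it would run rather than running it. The clamscan output and the mailbox-id-to-account table are constructed for the example; in production lookup_account would be replaced by the mysql query used above.

```shell
#!/bin/bash
# Added example: dry-run planner for ClamAV hits in the Zimbra message store.
# Assumed store layout: /opt/zimbra/store/<volume>/<mailboxId>/msg/<dir>/<itemId>-<rev>.msg

# Constructed sample clamscan --infected output, including the summary block
# that a plain "split the line on /" loop would also try to process.
SAMPLE_SCAN_OUTPUT='/opt/zimbra/store/0/12/msg/0/345-678.msg: Eicar-Test-Signature FOUND
/opt/zimbra/store/0/7/msg/0/90-91.msg: Win.Test.EICAR_HDB-1 FOUND
/opt/zimbra/store/0/3/msg/1/400-401.msg: Sanesecurity.Phishing.Bank.1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8000000
Infected files: 3'

# parse_found_line LINE -> prints "mailboxId itemId signature";
# returns 1 for anything that is not a FOUND line for a message file.
parse_found_line() {
    case "$1" in
        */store/*/msg/*.msg:*" FOUND") ;;
        *) return 1 ;;
    esac
    out=$(printf '%s\n' "$1" | sed -n \
        's#^.*/store/[^/]*/\([0-9]*\)/msg/[^/]*/\([0-9]*\)-[0-9]*\.msg: \(.*\) FOUND$#\1 \2 \3#p')
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# account_policy ACCOUNT -> "archive", "quarantine" or "remove",
# mirroring the article's rules for *.archive and virus-quarantine accounts.
account_policy() {
    case "$1" in
        *.archive)          echo archive ;;
        *virus*quarantine*) echo quarantine ;;
        *)                  echo remove ;;
    esac
}

# lookup_account MAILBOX_ID -> account name. Constructed stand-in for the
# article's mysql query against zimbra.mailbox; unknown ids return 1.
lookup_account() {
    case "$1" in
        12) echo 'alice@example.com' ;;
        7)  echo 'virus-quarantine.abcd@example.com' ;;
        3)  echo 'bob@example.com.archive' ;;
        *)  return 1 ;;
    esac
}

# plan_actions: reads clamscan output on stdin, prints one decision per hit.
plan_actions() {
    while IFS= read -r line; do
        parsed=$(parse_found_line "$line") || continue
        set -- $parsed               # mailboxId itemId signature
        mbox=$1; item=$2; shift 2; sig=$*
        if ! uid=$(lookup_account "$mbox"); then
            echo "UNKNOWN-MAILBOX $mbox item $item ($sig)"
            continue
        fi
        case "$(account_policy "$uid")" in
            archive)    echo "SKIP-ARCHIVE $uid item $item ($sig)" ;;
            quarantine) echo "SKIP-QUARANTINE $uid item $item ($sig)" ;;
            remove)     echo "REMOVE $uid item $item ($sig): zmmailbox -z -m $uid dm $item" ;;
        esac
    done
}

# count_removals -> how many messages the plan would actually delete.
count_removals() {
    printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | plan_actions | grep -c '^REMOVE '
}

printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | plan_actions
```

Piping real output into plan_actions (clamscan ... --infected | plan_actions) gives a reviewable list before anything is deleted; only the REMOVE lines correspond to messages the wiki script would remove. If the job is scheduled from cron, wrapping the invocation in flock -n with a lock file is a simple way to honour the advice above about never starting a run while the previous one is still going.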
This script is not meant to be glamorous or extremely efficient. Instead, it is functional. If you have suggestions to this, please do so! The better it is, the better it will be for everyone to enjoy :).