XWall · The Mail Filter
Prerequisites

Make sure ClamAV is properly installed and that XWall can communicate natively with the ClamAV service.

See also Install ClamAV Antivirus Native Win32

SaneSecurity Rules

You have two options to download the rules:

Use either the old ClamSup, which has more options, or the new Sigupdate, which is simpler to install.

Using ClamSup (this no longer works, because the download links are invalid)

Download

ClamSup.zip
Latest ClamSup.ini
Rsync for Windows

Note: You need to open port 873 in the firewall for cwRsync to work.

Create a directory named ClamSup beside the ClamAV directory

e.g. assuming that ClamAV is in C:\ClamAV then create C:\ClamSup

Extract the downloaded files into the ClamSup directory

Open ClamSup.cfg with an editor and adjust the path so that it matches your ClamAV installation

Make sure the line

LOCALFOLDER=C:\ClamAV\db

points to the db folder in the ClamAV directory.

Open a DOS Box, change to the ClamSup directory and type

start ClamSup.bat -v

ClamSup will run for a few minutes and download all SaneSecurity databases. After the download ClamSup copies the databases into the ClamAV db folder and restarts ClamAV.

If ClamSup.bat closes immediately, locate clamsup.error and check the error. Once you have fixed the error, start ClamSup.bat again.

Create a schedule that starts ClamSup.bat every 2 hours

Using Sigupdate

From http://sanesecurity.com/usage/windows-scripts/ download

ClamWin/ClamAV Sigupdate 0.4 beta

Note: You need to open port 873 in the firewall for cwRsync to work.

Create a directory named Sigupdate beside the ClamAV directory

e.g. assuming that ClamAV is in C:\ClamAV then create C:\Sigupdate

Extract the downloaded files into the Sigupdate directory

Download Rsync for Windows

Extract the file in the bin directory into the Sigupdate\winrsync directory

Open Sigupdate.bat with an editor and adjust the path so that it matches your ClamAV installation

Open a DOS Box, change to the Sigupdate directory and type

Sigupdate.bat

Sigupdate will run for a few seconds and download all SaneSecurity databases. After the download Sigupdate copies the databases into the ClamAV db folder and restarts ClamAV.

Create a schedule that starts Sigupdate.bat every 2 hours

In XWall enable Options->Spam->SaneSecurity and send a test message.

ClamAV Configuration

Suggested settings for ClamAV in clamd.conf:

LogFile c:\Clamav\log\clamd.log
DatabaseDirectory c:\clamav\db
LogTime true
LogFileMaxSize 20480000
TCPSocket 3310
# Twice as many ClamAV threads as worker threads in XWall
MaxThreads 40
# Disable Zip in ClamAV and uncheck Options->Virus->Options->Scanner supports ZIP
ScanArchive no
# No Phishing, because ClamAV gets confused by simple forwards
PhishingScanURLs no
# No need for ClamAV to decode the message, XWall already does it
ScanMail no
# Must be enabled when checking for Office Macros with Options->ClamAV->Macro
#ScanOLE2 yes
#OLE2BlockMacros yes
#In case freshclam can't connect to clamd
#TCPAddr 10.0.0.1

Testing SaneSecurity

Save the following message into a file and send the file to XWall using SMTPSend with the -g option.

SaneSecurity should detect the special subject as a test message.

For more information on signature testing see http://sanesecurity.com/support/signature-testing/

_Begin of SaneSecurity test message_
From: clamavtest@sample.com
To: trash@mydomain.com
Subject: rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZpObZJAbftehuhRAXFby
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Sample SaneSecurity test message
_End of SaneSecurity test message_
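
As an added example (not part of the original XWall documentation), the Python script below submits the same test message directly to clamd with the INSTREAM command and reports clamd's reply, which helps tell a clamd or database problem apart from an XWall configuration problem. It assumes clamd listens on 127.0.0.1:3310 as in the clamd.conf above; whether clamd itself flags the message depends on its settings and loaded databases, so no particular verdict is assumed.

```python
import socket
import struct

# Assumption: clamd runs on this host with "TCPSocket 3310" as in clamd.conf above.
CLAMD_ADDR = ("127.0.0.1", 3310)

# Constructed copy of the page's test message, with CRLF line endings.
TEST_MESSAGE = "\r\n".join([
    "From: clamavtest@sample.com",
    "To: trash@mydomain.com",
    "Subject: rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZpObZJAbftehuhRAXFby",
    "Mime-Version: 1.0",
    'Content-Type: text/plain; charset="us-ascii"',
    "Content-Transfer-Encoding: 7bit",
    "",
    "Sample SaneSecurity test message",
]).encode("ascii") + b"\r\n"

def frame_instream(data, chunk=8192):
    """Frame data for INSTREAM: command, length-prefixed chunks, terminator."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        out.append(struct.pack("!I", len(part)) + part)  # 4-byte big-endian size
    out.append(struct.pack("!I", 0))  # zero-length chunk ends the stream
    return b"".join(out)

def parse_reply(raw):
    """Turn a clamd reply into (status, detail); detail is the signature name on FOUND."""
    text = raw.rstrip(b"\0\r\n").decode("ascii", "replace")
    for status in ("FOUND", "ERROR"):
        if text.endswith(" " + status):
            detail = text[:-len(status) - 1]
            return status, detail.split(": ", 1)[-1]
    return ("OK", None) if text.endswith("OK") else ("UNKNOWN", text)

def scan(data, addr=CLAMD_ADDR, timeout=30):
    """Send data to clamd and return the parsed verdict."""
    with socket.create_connection(addr, timeout=timeout) as s:
        s.sendall(frame_instream(data))
        buf = b""
        while not buf.endswith(b"\0"):  # reply is NUL-terminated
            part = s.recv(4096)
            if not part:
                break
            buf += part
    return parse_reply(buf)

if __name__ == "__main__":
    print(scan(TEST_MESSAGE))
```

Run it on the clamd host or from the XWall machine; clamd's TCP socket is unauthenticated, so port 3310 should not be reachable from anywhere else.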

© 1996-2017 DataEnter GmbH
Wagramerstrasse 93/5/10 A-1220 Vienna, Austria
support@dataenter.co.at
Changed: 2017-01-04
Fax: +43 (1) 2020770