The Forum Sentry hardware comes pre-loaded with certain features that software versions do not. One of these features is antivirus. Forum Sentry supports ICAP AV interface to any antivirus vendor that supports ICAP. Forum Sentry also offers ClamAV, an open source alternate that utilizes pattern recognition. Since it is message body aware, with ClamAV, it can detect malicious code, inside the XML message as it passes through. When Forum Sentry is used for encryption, on the edge, or as a cloud gateway, it becomes a logical point for Malware detection. The Sentry and ClamAV enables extensive pattern recognition at no additional expense. It’s usually deployed as one rule in a larger rule group (policy), and done with low latency since there is no need to “leave” and then return to continue processing a rule group.
In this tutorial we will go over installing ClamAV on a 32 bit CentOS virtual machine, the same installation shown in our first Forum Sentry tutorial.
1. With Forum Sentry xmlserver service running, log into the management console and select Partners, Default AV in the menu, you can see if ClamAV is detected by the Sentry. In this case “Default AV version not detected” and a socket port, along with a action if virus is detected.
2. To start, I needed to add the Epel repository (Extra Packages for Enterprise Linux). The command for my 32 Bit version of CentOS being:
su -c ‘rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm’
su -c ‘yum install foo’
3. After adding the repository, we can now install ClamAv with:
yum install clamav clamd then selecting Y.
4. Start the ClamAV service with:
chkconfig clamd on /etc/init.d/clamd start
5. Notice the warning that ClamAV Virus database is older than 7 days? Initialize Freshclam to update daily with:
6. We are looking for Forum Sentry to scan files passing through as a policy in a rule group. So let’s check now to see if it is connected to the ClamAV install. Going back to the Forum Sentry console and looking under Partners, Default AV we now see the date and time of the last Freshclam update and version. Select Enable and select and appropriate option or enter an appropriate message.
You’re now ready to add a scan for virus rule to your rule groups. By changing the ClamAV parameters, you can set up your own frequency of updates, and determine if you wish to scan this virtual machine as well. Additional parameters are included in the Forum Sentry documentation.