Using ClamAV with eCS

By Doug Bissett

With the number of viruses encountered in today's world, some sort of virus detection mechanism is required. No matter how careful you are, it is possible to acquire a virus. While it is true, that eCS (also meaning OS/2) is not vulnerable to any known virus, it is still possible that a virus, while attempting to operate, will crash a program, or the whole system. It is also not impossible, that a virus will, someday, actually work in eCS, although it is unlikely that it would do exactly what it was designed to do. The other, main, reason to have an antivirus program, is to be sure that you do not, inadvertently, pass on a windows virus, to a windows user. They have enough problems, without eCS users adding to them, simply because they think they are very careful, and won't do that. Most viruses, today, act, quietly, in the background, and do not make themselves obvious, so it is very difficult to spot one, without help.

In the world of eCS, the options are rather limited. One of the most promising options, is ClamAV, which has been ported from it's native Linux base, so that it will run on eCS. Unfortunately, the main item that is missing, is a background scanner, that will monitor for viruses, as files are opened. That means, that a user really does need to be careful to scan incoming files, BEFORE they are used, or sent to someone else. To make it easier to do that, I did the following:

First, get ClamAV from:

http://web.os2power.com/yuri/ClamAV

You also need the libc 0.6.3 runtime, and the libc pathwriter. Both links are on that page. Both of those packages are WarpIN installers, and you must use them to install the packages, so that WarpIN knows that they are installed. ClamAV will NOT install without them, unless you do it manually (which I will not address). You should also be careful to make sure that you remove any extra copies of the libc package, that you may have installed without the WarpIN installer, to avoid future problems.

Now, install the packages, starting with libc, then pathwriter, then ClamAV. Now, you should have a folder, with three icons in it: ClamAV xxx Daemon, Docs (folder), and ReadMe.txt There should also be a shadow of the Daemon, in your Startup folder. At this point. ClamAV will not work. You need to run the Freshclam program, to get the virus database, and updates. This should be done, on a regular basis, so that the database stays up to date.

Before you can run Freshclam, you need to edit the config files, to match your system. Look in ...\ClamAV\etc and you will find clamd.conf, and freshclam.conf. Clamd.conf configures the ClamAV daemon, while Freshclam.conf configures the updater. I suggest copying those files to a new name (I use clamddb.conf, and freshclamdb.conf), so that any updates will not overwrite my config files (major updates seem to change the file format slightly, so you may need to transpose your config files, into the new format, if something doesn't work after an update). Also note, that most Linux programs like to see forward slashes, in file names, rather than the more usual back slashes as used with eCS.

Start with clamddb.conf, and change the following to match your system (this is from the ClamAV 0.9.3 version):

First, COMMENT the Example line. It won't run without doing that:
 * Comment or remove the line below.
 * Example

Add a log file (not much good, if you don't know what it is doing). Create a LOGS directory, in the directory structure: LogFile x:/APPS/CLAMAV/LOGS/clamd.log
 * Uncomment this option to enable logging.
 * LogFile must be writeable for the user running daemon.
 * A full path is required.
 * Default: disabled

Point the program to where your %TEMP% directory is: TemporaryDirectory x:/temp
 * Optional path to the global temporary directory.
 * Default: system specific (usually /tmp or /var/tmp).

All of the rest of the settings should be left at their default settings, although you can experiment with them, AFTER you get it working.

Now, change freshclamdb.conf:

COMMENT the example line. It won't run without it:
 * Comment or remove the line below.
 * Example

Add a log file (not much good, if you don't know what it is doing): UpdateLogFile x:/APPS/CLAMAV/LOGS/freshclam.log
 * Path to the log file (make sure it has proper permissions)
 * Default: disabled

Now, a tricky part. Set it to download from your country's mirror system. I am in Canada, so I replace XY with CA. This should be the same as what you find in the SET LANG=en_CA line in CONFIG.SYS. If you are in a small country, you may not have a local mirror. The program is supposed to figure that out, and substitute the proper entry, but, if that doesn't work, put something close into the entry. If nothing is found, it will go to the default web site: DatabaseMirror db.CA.clamav.net
 * Uncomment the following line and replace XY with your country
 * code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
 * DatabaseMirror db.XY.clamav.net

You may need proxy settings, if you use a proxy server (if you don't know, you probably don't need it): UNCOMMENT (remove the #) any lines that you change. Set notify, so that an update will automatically notify the daemon to update itself: NotifyClamd x:/APPS/ClamAV/etc/clamddb.conf
 * Proxy settings
 * Default: disabled
 * HTTPProxyServer myproxy.com
 * HTTPProxyPort 1234
 * HTTPProxyUsername myusername
 * HTTPProxyPassword mypass
 * Send the RELOAD command to clamd.
 * Default: no
 * NotifyClamd /path/to/clamd.conf

The rest of the config file settings should be left at default (you can experiment later).

OK, the result should be two config files, now configured, and some icons to work with. ClamAV (as with most *NIX programs), will look for it's config files in x:\MPTN\ETC (where x: is your boot drive). This is also known as %ETC%, since you can refer to it using the ETC environment variable. Since eCS uses %ETC% for networking stuff, it is really not appropriate to use it for ClamAV, so you need to tell the CLAMAV x.xx.x daemon where to find the config files. Add the parameter: --config-file=../etc/clamddb.conf to the parameter field, in the icon for the daemon. The daemon icon should also have a shadow in the Startup folder, so it will be started when you boot the system.

That should allow the programs to work. Now, you need to set up some new program icons. The first one, that you need, is to run Freshclam, so you can get the database, and updates. Create a new program icon, and set the program properties to: Path and file name = x:\APPS\CLAMAV\BIN\FRESHCLAM.EXE Parameters = --config-file=../etc/freshclamdb.conf Working directory = x:\APPS\CLAMAV\BIN You will want to run this program, on a regular basis. I use the scheduler feature of DragText, to run it every 4 hours. Note, that it is a good idea, to avoid doing updates at, or near, the hour, or half hour, since many people tend to do it at those times.

Now, you should run Freshclam, to get the database, and the updates. This, usually, takes only a few seconds (depending on your Internet connection), and it will notify you, that it was unable to notify the daemon (it isn't running, yet). Now, you can start the daemon, and it should start up. The daemon should run, all of the time, so you will want to go to the program properties-> Session, and set both Start minimized, and Close window on exit. You may want to do the same for Freshclam, so it won't pop open a window, when it runs (perhaps it would be good to make sure it does run, as you expect, before doing that).

That gets the ClamAV daemon running, and, you can update the program. Now, you need a way to scan files, or directories (including whole drives). There are two ways to get ClamAV to scan files. One is to use the Clamscan program (clamscan.exe). You can use that, if you wish, but it does take a few seconds to get started up, every time you want to use it. The other method, is to use the ClamDScan program (clamdscan.exe). ClamDScan has the advantage that it actually uses the daemon, that is already running, so there is no startup time. Clamscan is more powerful, and you can use it, if you wish, but this discussion will ignore that option. So, make a program icon, with: Path and file name = x:\APPS\CLAMAV\BIN\CLAMDSCAN.EXE Parameters = -v --config-file=../etc/clamddb.conf -l ../Logs/ClamDscan.log -m Working directory = x:\APPS\CLAMAV\BIN Now, since we want to be able to scan individual files, it is recommended that you set the ClamDScan program, so that it is associated with all files. (Before continuing, please read the next paragraph) To do that, open the program Properties-> Association, and type * in the New name box. Click Add. Since you will, likely, want to see what ClamAV thought about the file, go to Session, and turn off Close window on exit. Close the properties notebook.

You may notice, that ClamDScan is now the default program, for every file, that, previously, would open with the text editor, if no other program was associated with it. This is not exactly desirable, so you should go to the icon for the text editor, and also set it to open every file (the * in the association). Hopefully, this will now cause the text editor to open all files, unless some other association has been set. One problem with doing this, is that associations operate in the order that they are created, so you should do the association for the text editor first, and then do the association for ClamDScan. Another problem, is that adding any new associations messes this up, so you may need to remove the associations for these two programs, and put them back again, after making other associations.

OK, if all went well, you should now be able to go right click on any file, and select the arrow beside Open As, and ClamDScan should be an option. Clicking on ClamDScan will run ClamAV on the selected file, leaving the window open, so you can see what happened. You will need to close the window, when you are done. The default association, with the text editor, should also still work, as it always did.

The next step will only work with a system that has eWorkplace, or, XWorkplace, installed. We will now add a menu item to the drives, and folders, menu, to be able to run ClamDScan on whole drives, and whole folders. Look in System Setup for the Extended Menu Options folder (this may be in the Appearance folder, on some versions of eCS). Create a shadow of the ClamDScan program in there, and close it up. Now, you should have a menu item, in the folder, or drive, properties menu, that will run ClamDScan.

If you are using PMMail (preferably, the new one, from VOICE): http://www.os2voice.org/ you can make it scan every incoming message, by using a Message receive exit. First pick a spot that will hold a REXX script, to be used by PMMail. Create the following, called ClamScanPMM.cmd (or any other name that suits you). Insert the following:  /* Clamscan for PMMail */

/* Load REXXUTIL.DLL */ call RxFuncAdd 'SysLoadFuncs', 'RexxUtil', 'SysLoadFuncs' call SysLoadFuncs

x = setlocal;

fname=arg(1)

if pos(' ',strip(fname))>0 then fname='"'fname'"'

Curdir=directory CSdir=directory("x:\APPS\ClamAV\bin")

rc=lineOut('../Logs/ClanDscanPMM.log','===============================') rc=lineOut('../Logs/ClanDscanPMM.log',Date' 'Time) rc=stream('../Logs/ClanDscanPMM.log','C','CLOSE')

'ClamDscan.exe --config-file=../etc/clamddb.conf -l ../Logs/ClanDscanPMM.log' fname

RetCode=rc

if RetCode=1 then do do while lines(fname) Newline=lineIn(fname) if left(Newline,8)="Subject:" then do     Newline=insert(' [SUSPECTED VIRUS]',Newline,8,18) end rc=lineOut(fname'.out',Newline) end rc=lineOut(fname'.out') rc=stream(fname,'C','CLOSE') rc=sysFileDelete(fname) 'copy 'fname'.out 'fname rc=sysFileDelete(fname'.out') end if RetCode>1 then do rc=lineOut('../Logs/ClanDscanPMM.log','SCANNER FAILED RC='RetCode) rc=stream('../Logs/ClanDscanPMM.log','C','CLOSE') end olddir=directory(Curdir)

x = endlocal;

exit 

change the drive, and path, in line 13, to match your system, and save it. Go to Account-> Account Settings-> REXX, and enter the full path, and file name, in the Message receive exit field, and enable it. You can select Execute script in foreground, but I suggest that you don't. Next, create an incoming filter. Go to account-> Filters... and add a new filter. Call it VirusTrap (or any other name that suits you). Do a simple test for: Search = Subject: For: = [SUSPECTED VIRUS] no connective Under Actions, select Move message to whatever folder you wish (I suggest making a folder for these files).

Other e-mail programs should have similar facilities to be able to run programs against incoming e-mail.