Cpanel - Installing DrWEB Server Antivirus

This document is a straightforward step-by-step instruction on how to install DrWEB antivirus on a Linux server running cPanel.

Doing backups:

The following files need to be saved:

/etc/exim.conf

/etc/antivirus.exim or

system_filter.exim

Installing DrWEB:

First, download DrWEB antivirus RPM package from here:

http://www.sald.com/get.html

Install it using the rpm -Uvh command. For example, for glibc 2.3 use:

# rpm -Uvh ftp://ftp.drweb.ru/pub/unix/drweb-4.30-glibc.2.3.i586.rpm

Start the drweb daemon with:

# /opt/drweb/drwebd start

Now let's take care of automatic antivirus database updates.
Add the following cron job:

00 12 * * * /opt/drweb/update/update.pl

Installing and configuring DrWEB-Exim:

Download drweb-exim from:

http://www.sald.com/get.html

Untar the tgz archive.
For example:

tar xzvf drweb-exim-4.29.12-F-linux.tar.gz

Now copy the drweb-exim files to their proper directories.

# cp -r drweb-exim/etc/drweb/* /etc/drweb/
# cp -r drweb-exim/opt/drweb/doc/* /opt/drweb/doc/
# cp -r drweb-exim/opt/drweb/drweb-* /opt/drweb/

Edit /etc/drweb/drweb_exim.conf

Change:

AdminMail = postmaster

To:

AdminMail = you@yourdomain.com

Let's test how it works so far:

# /opt/drweb/drweb-exim --check_only --check_user=drweb

All tests should be "passed".

Configuring Exim:

We need to make changes in two files to make drweb and exim work together.

First, edit /etc/exim.conf

NOTE: In the original document the lines to be added were printed in black; that highlighting is lost in this copy. The additions are the lines that mention drweb or filter_pipe; [skipped] marks parts of the existing file that are omitted here.

###### begin exim.conf ########

[skipped]

###########################
# Runtime configuration file for Exim #
###########################

trusted_users = drweb
trusted_groups = drweb

[skipped]

#!!# message_filter renamed system_filter
system_filter = /etc/antivirus.exim
message_body_visible = 5000

system_filter_pipe_transport = filter_pipe
system_filter_reply_transport = address_reply

[skipped]

###########################
# TRANSPORTS CONFIGURATION #
# ORDER DOES NOT MATTER #
# Only one appropriate transport is called for each delivery. #
###########################
# A transport is used only when referenced from a director or a router that
# successfully handles an address.

# This transport is used for delivering messages over SMTP connections.

begin transports

filter_pipe:
driver = pipe
user = drweb
group = mail
return_fail_output

###### end exim.conf ########

cPanel ships with the /etc/antivirus.exim filter file. In a clean Exim install it is called system_filter.exim.

Add the following at the end of the file:

###### begin antivirus.exim #######

# to prevent a mail loop, skip messages that have already been scanned
if $received_protocol is "drweb-scanned"
then
finish
endif

pipe "/opt/drweb/drweb-exim -f $sender_address -- $recipients"

finish

###### end antivirus.exim ########
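As an added example (not part of this document or of DrWEB's own tooling), the following Python checker verifies that the exim.conf and antivirus.exim pieces above fit together: the transport named by system_filter_pipe_transport is defined, its user appears in trusted_users (drweb-exim re-injects scanned mail with -f, which Exim by default honours only for trusted callers), and the filter's loop guard on $received_protocol comes before the pipe. The embedded configuration texts are constructed samples modelled on this page, and the function names are my own.

```python
import re
# Constructed excerpts modelled on the page's exim.conf and antivirus.exim (sample data, not from a live server).
EXIM_CONF = """trusted_users = drweb
system_filter = /etc/antivirus.exim
system_filter_pipe_transport = filter_pipe
begin transports
filter_pipe:
driver = pipe
user = drweb
group = mail
"""
ANTIVIRUS_EXIM = """# skip already scanned messages to prevent a mail loop
if $received_protocol is "drweb-scanned"
then
finish
endif
pipe "/opt/drweb/drweb-exim -f $sender_address -- $recipients"
finish
"""

def _opt(text, name):
    """Value of a 'name = value' line in text, or None if absent."""
    m = re.search(r"^[ \t]*%s[ \t]*=[ \t]*(.+?)[ \t]*$" % re.escape(name), text, re.M)
    return m.group(1) if m else None

def check_exim_conf(conf):
    """Problems with the DrWEB hookup in exim.conf; [] means it looks complete."""
    main, _, transports = conf.partition("begin transports")
    name = _opt(main, "system_filter_pipe_transport")
    if not name:
        return ["system_filter_pipe_transport is not set, so the filter's pipe command cannot run"]
    # the transport block runs from 'name:' up to the next blank line or the end of the file
    m = re.search(r"^%s:\n(.*?)(?:\n[ \t]*\n|\Z)" % re.escape(name), transports, re.M | re.S)
    if not m:
        return ["transport %s is referenced but never defined" % name]
    user = _opt(m.group(1), "user")
    trusted = (_opt(main, "trusted_users") or "").replace(",", " ").split()
    # drweb-exim re-injects the scanned message with -f; by default Exim takes the sender from -f only for trusted callers
    return [] if user in trusted else ["pipe user %r is not listed in trusted_users" % user]

def check_filter(filt):
    """Problems with antivirus.exim: loop guard before the pipe, finish right after it."""
    pipe = re.search(r'^[ \t]*pipe[ \t]+"/opt/drweb/drweb-exim[^"]*"[ \t]*\n', filt, re.M)
    if not pipe:
        return ["no pipe to /opt/drweb/drweb-exim, so mail is never scanned"]
    guard = re.search(r'\$received_protocol\s+is\s+"drweb-scanned"\s+then\s+finish', filt)
    problems = [] if guard and guard.start() < pipe.start() else ["loop guard must come before the pipe"]
    if not re.match(r"[ \t]*finish\b", filt[pipe.end():]):
        problems.append("pipe must be followed by finish, as in the reference filter")
    return problems
```

Run it against the real /etc/exim.conf and /etc/antivirus.exim contents after editing them; an empty list from both functions means the wiring matches this page.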


Restart Exim and test virus checking:

That's it for the configuration.

Now restart exim:

# /etc/rc.d/init.d/exim restart

Then test your email delivery. If email is not going through, inspect /var/logs/exim_mainlog and /var/logs/exim_paniclog.

Now take one of those MyDoom worms, attach it to your email message and send it to yourself as a test.