Introduction
This document describes how to configure Mac OS X Clean Access Agent posture assessment via the Network Admission Control (NAC) Manager web console for release 4.5.
Mac posture assessment in this release is limited to AV/AS support only. Refer to the Cisco NAC Appliance (Clean Access) Release Notes for the list of AV/AS that are supported on Mac OSX.
Prerequisites
Requirements
Complete these steps before you attempt this configuration:
This document assumes you are running Cisco NAC Appliance Release 4.5 and that you have completed the following steps according to the guidelines in the Cisco NAC Appliance – Clean Access Manager Installation and Configuration Guide, Release 4.5:
- Install or upgrade your NAC Manager and NAC Server with Cisco NAC Appliance release 4.5 as described in Cisco NAC Appliance Hardware Installation Quick Start Guide, Release 4.5.
- Ensure that the latest Mac OS X Agent (version 4.5) and AV/AS support packages are available on your NAC Manager as described in Configure and Download Updates.
- Create a default user login page as described in User Login Page.
- Require use of the Mac OS X Clean Access Agent 4.5 as described in Require Use of the Agent.
- Create one or more user roles for Macintosh users as described in Create User Roles.
Note: Refer to the Mac OS X Agent restrictions section for the OS X versions, AV/AS products, and requirement types that are supported for Mac posture assessment.
Components Used
The information in this document is based on the Cisco NAC Release 4.5.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Mac Posture Assessment with Clam AntiVirus (ClamAV)
The goal of this procedure is to verify that ClamAV 1.1.0 is installed and updated with the latest virus definitions on the client machine.
If ClamAV 1.1.0 is not installed on the client machine, you must provide the user with a link to the ClamAV website in order to download and install the software. Next, you must verify that ClamAV is updated with the latest definitions. If not, the Clean Access Agent can communicate with ClamAV through an API call (with the AV Update requirement type) and request that ClamAV update itself.
Note: As of Cisco NAC 4.5 release, the AV Update requirement type is supported only with ClamWin AV. For all other AV/AS, a Link Distribution or Local Check type of requirement can be configured to remediate users if their virus definitions are not updated.
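The two conditions this procedure enforces (the scanner is present, and the signature database is current) are the same two that a Local Check requirement would test directly on the client. The script below is an added illustration, not code from Cisco NAC Appliance or from ClamAV: it expresses those checks as a shell local check a defender could run on the Mac, returning the same verdict the agent would act on. The scanner path `/usr/local/bin/clamscan`, the database directory `/usr/local/share/clamav`, the 7-day freshness window and the verdict tokens are all assumptions; override them with arguments.

```shell
#!/bin/sh
# Added illustration, not code from Cisco NAC or ClamAV: the two posture
# conditions the rules in this document test (ClamAV present, definitions
# current), written as a local check a defender could run on the Mac.
# Default paths are assumptions; pass your own as arguments.

# clamav_installed [BIN]: succeed when an executable scanner exists at BIN
clamav_installed() {
    bin="${1:-/usr/local/bin/clamscan}"   # assumed install location
    [ -x "$bin" ]
}

# clamav_defs_fresh [DBDIR] [DAYS]: succeed when at least one signature
# database (.cvd or .cld, which freshclam rewrites on each update) in DBDIR
# was modified less than DAYS days ago
clamav_defs_fresh() {
    dbdir="${1:-/usr/local/share/clamav}" # assumed database directory
    days="${2:-7}"                        # assumed freshness window
    [ -d "$dbdir" ] || return 1
    found=$(find "$dbdir" -maxdepth 1 \( -name '*.cvd' -o -name '*.cld' \) \
                -mtime -"$days" 2>/dev/null | head -n 1)
    [ -n "$found" ]
}

# clamav_posture [BIN] [DBDIR] [DAYS]: print one verdict token and return
# 0 when compliant, 1 when the policy in this document would quarantine
# the host. The order mirrors the requirement priorities: the installation
# check (priority 1) runs before the definition check (priority 2).
clamav_posture() {
    if ! clamav_installed "$1"; then
        echo "NOT_INSTALLED"   # would trigger the Link Distribution requirement
        return 1
    fi
    if ! clamav_defs_fresh "$2" "$3"; then
        echo "DEFS_STALE"      # would trigger the AV Definition Update requirement
        return 1
    fi
    echo "COMPLIANT"
    return 0
}

# Evaluate this host: sh clamav_posture.sh --check [BIN] [DBDIR] [DAYS]
if [ "${1:-}" = "--check" ]; then
    clamav_posture "$2" "$3" "$4"
fi
```

The freshness test keys on the modification time of the `.cvd`/`.cld` files because that is what freshclam rewrites on a successful update; a host where freshclam has been failing silently will show a fresh binary but a stale database, which is exactly the case the second requirement in this document is meant to catch.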
Step 1. Configure a Rule to Check if ClamAV is Installed
- Go to Device Management > Clean Access > Clean Access Agent > Rules > New AV Rule.
- Type a name for the rule. This example uses Is_Clamwin_Installed_OSX. Note: Be descriptive so that you can easily identify the purpose of the rule. You can use digits and underscores in the name, but no spaces.
- Choose ClamWin from the Antivirus Vendor drop-down list.
- Choose Installation from the Type drop-down.
- Choose Mac OSX from the Operating System drop-down list. The table at the bottom of the page is populated with these values.
- Check the Installation check box for 1.x.
- Type a description in the Rule Description text field, and click Save Rule.
The new AV rule is added to the bottom of the Rule List.
Step 2. Configure a Requirement to Remediate Users if ClamAV is not Installed
If the Clean Access Agent detects that ClamAV 1.1.0 is not installed on the client machine, it quarantines the user. At this point, you can configure a Link Distribution requirement type in order to provide the user with a link to download ClamAV 1.1.0.
- Click the Clean Access Agent tab, and then click Requirements.
- Click New Requirement.
- Choose Link Distribution from the Requirement Type drop-down list.
- Choose Mandatory from the Enforce Type drop-down list. In this example, the end user is informed of this requirement and cannot proceed or have network access unless the client system meets the requirement. Refer to Configuring an Optional/Audit Requirement for information about other enforcement types.
- Choose the execution priority level for this requirement on the client machine. A high priority (for example, 1) means this requirement is checked on the system ahead of all other requirements (and appears in the Clean Access Agent dialogs in that order). This example assumes that the ClamWin installation check is the first posture requirement and sets the priority to one (1). Note: The Mac OS X Agent does not support automatic remediation. Therefore, the remediation type is set to manual. Also, the Remediation Type, Interval, and Retry Count options that appear on the New Requirement configuration page do not serve any purpose when you create requirement types for Macintosh client remediation.
- In the File Link URL text field, type the URL to which the end users should be directed in order to download ClamAV 1.1.0.
- In the Requirement Name text field, type a unique name that conveys the action to the end user. This name is visible to users in the Clean Access Agent dialogs. This example uses Download ClamAV.
- In the Description text field, type a description of the requirement and instructions to guide users who fail to meet the requirement.
- Click the Mac OS check box listed in the Operating System section.
- Click Add Requirement in order to add the requirement to the Requirement List.
The new requirement is added to the Requirement List.
Step 3. Map the Link Distribution Requirement with the AV Installation Rule
- Click the Clean Access Agent tab, and then click Requirements.
- Click Requirement-Rules.
- From the Requirement Name drop-down list, choose the requirement you created in Step 2.
- Choose Mac OSX from the Operating System drop-down list. Rules created for the chosen operating system are displayed at the bottom of the page.
- Click the check box for the rule you created in Step 1, and then click Update.
Step 4. Configure a Rule to Check if ClamAV is Updated
- Go to Device Management > Clean Access > Clean Access Agent > Rules > New AV Rule.
- Type a name for the rule. This example uses Is_ClamAV_Updated_OSX. Note: Be descriptive so that you can easily identify the purpose of the rule. You can use digits and underscores in the name, but no spaces.
- Choose ClamWin from the Antivirus Vendor drop-down list.
- Choose Virus Definition from the Type drop-down list.
- Choose Mac OSX from the Operating System drop-down list. The Virus Definition Checks for Mac OSX table at the bottom of the page is populated.
- Check the Installation check box for 1.x.
- Type a description in the Rule Description text field, and click Save Rule.
The new AV rule is added to the bottom of the Rule List.
Step 5. Configure a Requirement to Remediate Users if ClamAV is not Updated
If the Clean Access Agent detects that ClamAV 1.1.0 is not updated on the client machine, it quarantines the user. At this point, the user is provided with an Update button in order to remediate.
Once the user clicks the Update button, the Clean Access agent communicates with the underlying ClamAV software and asks ClamAV to update itself.
You can configure an AV Definition Update requirement type in order to implement this functionality.
- Click the Clean Access Agent tab, and then click Requirements.
- Click New Requirement.
- Choose AV Definition Update from the Requirement Type drop-down list.
- Choose Mandatory from the Enforce Type drop-down list. In this example, the end user is informed of this requirement and cannot proceed or have network access unless the client system meets the requirement. Refer to Configuring an Optional/Audit Requirement for information about other enforcement types.
- Choose the execution priority level for this requirement on the client machine. A high priority (for example, 1) means this requirement is checked on the system ahead of all other requirements (and appears in the Clean Access Agent dialogs in that order). This example assumes that the ClamWin update check is the second posture requirement and sets the priority to two (2). Note: The Mac OS X Agent does not support automatic remediation. Therefore, the remediation type is set to manual. Also, note that the Remediation Type, Interval, and Retry Count options that appear on the New Requirement configuration page do not serve any purpose when you create requirement types for Macintosh client remediation.
- Choose ClamWin – (Mac OS) from the Antivirus Vendor Name drop-down list. Caution: Make sure you choose the ClamWin – (Mac OS) option, not the ClamWin option. Note: As of the Cisco NAC 4.5 release, the AV Update requirement type is supported only with ClamAV on Mac OSX. For all other AV/AS on Mac OSX, a Link Distribution or Local Check requirement type can be configured to remediate users if their virus definitions are not updated.
- In the Requirement Name text field, type a unique name that conveys the action to the end user. This name is visible to users in the Clean Access Agent dialogs. This example uses Update ClamAV.
- In the Description text field, type a description of the requirement and instructions to guide users who fail to meet the requirement.
- Click the Mac OS check box listed in the Operating System section.
- Click Add Requirement in order to add the requirement to the Requirement List.
The new requirement is added to the Requirement List.
Step 6. Map the AV Definition Update Requirement with the Virus Definition Rule
- Click the Clean Access Agent tab, and then click Requirements.
- Click Requirement-Rules.
- From the Requirement Name drop-down list, choose the requirement you created in Step 5.
- Choose Mac OSX from the Operating System drop-down list. Rules created for the chosen operating system are displayed at the bottom of the page.
- Click the check box for the rule you created in Step 4, and then click Update.
Step 7. Map the Requirements to Roles
At this point, you can link the posture requirements (which have been mapped to rules) to the role in which the end user is placed.
- Click the Clean Access Agent tab, and then click Role-Requirements.
- Click Role-Requirements.
- Choose Normal Login Role from the Role Type drop-down list.
- From the User Role drop-down list, choose the role where you want the posture requirements to be applied. This example applies the posture requirements to the employee role. The requirements created earlier in this example are displayed at the bottom of the page.
- Check the check boxes for the requirements that you want to apply to this role, and click Update.
Step 8. Allow Access to the Remediation Site in Temporary Role
Once users are found to be non-compliant, they are quarantined and placed in the temporary role. At this point, the users must be able to reach the remediation resources (AV server, websites, patch servers, etc.) so that they can remediate themselves.
For this purpose, you must open appropriate access in the Temporary Role. In this example, the users must be able to reach http://www.clamxav.com for both the requirements (installation and virus definition update).
- Choose User Management > User Roles, and then click the Traffic Control tab.
- Click Host.
- Choose Temporary Role from the drop-down list, and scroll down to the bottom of the list.
- Add clamxav.com to the Allowed Host list, and click Add. This step ensures that traffic from the clients to http://www.clamxav.com is allowed through the NAC servers. Note: These two conditions are important:
- The NAC server uses the DNS response from the DNS server to dynamically open up access. Hence, the return traffic from the DNS server (DNS response) must go through the NAC server.
- You must have a trusted DNS server defined. For best practices, Cisco recommends that you add specific DNS server entries here as opposed to trusting all DNS servers (*). This example adds the DNS server IP (192.168.2.44) as a trusted DNS server. You can add multiple trusted DNS servers. If you do not have a trusted DNS server defined, the NAC Manager advises you accordingly through a message as shown in this image:
Verify the End User Experience
Use this section to confirm that your configuration works properly.
This Mac posture verification scenario assumes that your initial NAC setup (NAC Manager and Server) is complete and that the NAC Server is reachable from the client machines. Cisco Clean Access Agent 4.5.0.0 should be installed on the Mac that runs OSX 10.4 or higher. This scenario assumes that the Mac does not have ClamAV installed prior to this test.
- Log in to your Clean Access Agent (version 4.5.0.0). You are quarantined and asked to remediate. Note: The RUN check boxes are checked, but not editable, because the requirements are mandatory. If a requirement was configured as Optional, the RUN check box would be editable, and you could choose to skip that requirement.
- Click Remediate. You are redirected to the ClamAV website.
- Download and install ClamAV. You might be prompted to run the Clam Antivirus Engine before you can use ClamAV, as shown in this image:
- Follow the onscreen instructions in order to complete the installation. The Clean Access Agent displays the status of the Download ClamAV requirement as successful and moves on to the second requirement (Update ClamAV). Once ClamAV is updated, the status of the Update ClamAV requirement displays successful.
- Click Complete to log in to the network. Once you successfully log in to the network, this message appears.
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Related Information
- ClamXAV v3.1.1 - 7th October 2020
- Improvements in CPU usage
- Improvements in Time Machine volume recognition
- Improvements in handling false positives
- Fix for Full Disk Access menu item showing up (disabled) on macOS before 10.14
- Fixed typos in French
- Security update details:
- Affected parts: Privileged Helper Tool and Privileged Helper Tool Updater
- Available for: macOS 10.10 and later
- Impact: A malicious application may be able to execute arbitrary code with system privileges.
- Description: A local privilege escalation issue was resolved with improved client verification in the privileged helper tools.
- Thanks to Csaba Fitzl (@theevilbit) of Offensive Security for reporting this to us.
- ClamXAV v3.1 - 11th August 2020
- Added support for macOS 11 (Big Sur)
- Additional log file processing for business customers
- Improved QuickScan speed
- Updated French localisation
- Updated Portuguese translation
- Fixed typo in German localisation
- Improvements in multi-user setups
- Improvements to handling of virtual machine images
- References to 'Internet' are now 'internet', in line with current practice and style guidelines.
- References to 'expiry date' are now 'renewal date'
- Fixed intermittent issue where main window may open far too small
- Fixed issue where clean files may show in the infection list with '(null)' as the infection name.
- Fixed intermittent issue where Quick Scan would appear like it's constantly in progress.
- Fixed an intermittent issue that caused it to look like ClamXAV had hung at the end of a QuickScan
- Fixed intermittent issue with open panel not showing
- Fixed an issue preventing an item showing up as deleted
- Fixed issue with 'Last Scanned Date' on macOS 10.15
- An item's 'Last Scanned Date' now shows relative dates
- ClamXAV will now report meta-data on malware detections. Note that we're tracking malware, not you!
- See our Privacy Policy for more details.
- ClamXAV v3.0.15 - 18th December 2019
- Improved scan times on macOS 10.15 Catalina
- Improved reliability of Full Disk Access check
- Improved removal of configuration profiles
- Fixed intermittent issue where Sentry wouldn't honour exclude/ignore settings
- Fixed intermittent issue where Sentry would attempt to scan external/network disks incorrectly.
- Improved efficiency
- Reverts a previous change by excluding the community malware database by default.
- This may be re-enabled via Advanced Preferences
- Fixed typo in French localisation
- Resolved issue with networked volumes unexpectedly being scanned on macOS 10.15 Catalina
- Miscellaneous bug fixes
- ClamXAV v3.0.14 - 10th October 2019
- Qualified for use on macOS 10.15 Catalina
- Improvements in Full Disk Access
- Improvements to speed of malware database download and verification
- ClamXAV Menu item now updates properly when subscription is renewed
- Improved efficiency for removing some particularly stubborn malware
- Resolved various issues with mail scanning script
- Fixed issue where the email scanning script wasn't being updated properly
- Resolved an issue with scheduling
- Fix for Time Machine volume still getting scanned despite being excluded
- Fix for excessive CPU usage caused by already-heavy load on the computer
- Resolved issues with preferences override for enterprise customers
- Resolved an issue with mounting remote volumes during a Quick Scan
- ClamXAV Menu Item no longer jumps up and down during scanning/updating
- ClamXAV v3.0.12 - 15th July 2019
- Added the ability to deactivate your Mac so you can move your licence to another Mac
- Added ability (via expert global pref SentryQuarantineDisabled ) to turn off Sentry auto-quarantining
- Added log rotation for ClamXAV-helper.log file
- Improved installation of the email scanning script
- Resolved various bugs with the email scanning script
- Improved handling of corrupt files
- Improved reliability of built-in uninstaller
- Removed some more unnecessary log output
- Updated non-English translations
- ClamXAV v3.0.11 - 13th May 2019
- Improved support for home folders which have been moved onto different volumes
- Improvements to malware database download process
- Improved handling of situation when Apple Mail failed to download an email's attachments
- Improvements in subscription handling
- Fixed issue which could cause ClamXAV to be unresponsive with an empty Source List
- Fixed issue which prevented ClamXAV checking its own app updates properly
- Removed some unnecessary log output
- Updated date in the copyright strings
- ClamXAV v3.0.10 - 29th April 2019
- ClamXAV is now notarized via the Apple Notarization Service
- Improved visibility of the 'Advanced Ignore Settings' button
- Improved support for scanning email via Apple Mail *
- Included command line interface to update malware database†
- Improved the ability to delete hard-to-remove malware
- Prevent continuous alert sounds during database update if the app is hidden or minimized to the Dock
- Fixed issue where ClamXAV might crash when a disk is connected
- Fixed issue where Sentry doesn't disable properly
- Fixed an intermittent issue where the Source List wouldn't populate
- Fixed an intermittent issue downloading malware database updates
- * Create a mail rule in Apple Mail to trigger on 'Every Message'. Perform a 'Run Applescript' action and specify 'Scan with ClamXAV'.
- - Infected items will be coloured with a blue background and moved to Junk.
- † Installed at /usr/local/ClamXAV3/bin/XAV
- ClamXAV v3.0.9 - 30th December 2018
- Fix for issue with scheduled scans
- ClamXAV v3.0.8 - 19th December 2018
- Improvements in malware database updates
- Performance enhancements
- No longer automatically scans connected hard disks at startup
- Fixes for German localisation issues
- Fix for intermittent issue which left source list empty
- Fix for high CPU usage under certain conditions
- ClamXAV v3.0.7 - 26th September 2018
- Performance improvements
- ClamXAV v3.0.6 - 24th September 2018
- Support for macOS 10.14 Mojave and Dark Mode
- Added Brazilian Portuguese localisation
- Improved Sentry handling of external volumes
- Improved drag and drop support for excluding files and folders
- ClamXAV will now wait for an internet connection before attempting to update its malware database
- Fixed hang which could occur at launch if one of the database files was missing
- Fixed erroneous reports of Malware database update failed (32767) in the Reports window
- ClamXAV v3.0.5 - 5th September 2018
- Speed and stability improvements
- Improvements to engine installation & repair
- Fixed issue of constantly repairing the scanning engine
- Fixed issue with ClamXAV Menu Item crashing upon first installation
- Improved handling of network volumes
- Sentry now properly recognises and completely ignores Time Machine backup disks
- Resolved issue where database update stayed at 0% despite the update actually taking place in the background
- The Reports Window no longer allows you to select 'Reveal in Finder' for a file that's been deleted
- Improved wording for incomplete scans in the Reports Window
- ClamXAV v3.0.4 - 21st August 2018
- Stability improvements
- Reduced CPU usage during scan
- Fix for Sentry not honouring the 'scan inserted volumes' setting
- Improved handling of Time Machine and Time Capsule disks
- Improved handling of app updates via the ClamXAV Menu Item
- Fixed issue where scan settings may not be saved when changing selected source list item
- Fixed issue that caused Little Snitch to block ClamXAV's internet access
- ClamXAV v3.0.3 - 16th August 2018
- Improved wording of Sentry options in the Settings Area
- Fixed issues regarding downloading malware database
- Fixed inability to disable Sentry background monitor
- Fixed crash related to handling of exclusion settings
- ClamXAV v3.0.2 - 15th August 2018
- Fix for issues downloading malware database
- ClamXAV v3.0.1 - 15th August 2018
- Fix for German localisation
- Fixed ClamXAV 2 registration key recognition for commercial licences
- ClamXAV v3.0 – 15th August 2018
- Everything is new. Every single bit.
- There’s far too much to list everything here, but here are some headline updates:
- The biggest update since 2009!
- Totally rebuilt from the ground up
- Completely new user interface, but it should still feel familiar
- Vastly improved, fully-integrated log viewer
- Reduced CPU usage of main app
- You can run multiple scans at one time
- Complete integration of all component parts (Main app, Sentry, Scheduling, Reports)
- Smart source list which automatically displays all available volumes
- You can now have per-source-item scan settings
- …along with different exclude settings per scan item
- You can enable/disable quarantine per scan item
- …and even enable/disable quarantine during a scan
- We’ve added copy & paste support for “exclude file settings” (between source list items as well as copying files from Finder)
- If you quit ClamXAV, the scan will continue
- All-new ClamXAV menu item which shows progress of all current scans and database updates
- There’s so much more, but I think you get the gist. It’s all new!