Merge pull request hestiacp#1827 from hestiacp/conf-updates

ClamAV configuration updates

Author: Kristan Kenney

CHANGELOG.md

@@ -90,6 +90,7 @@ All notable changes to this project will be documented in this file.
 - Standardize headers for upgrade scripts
 - Improved how we handle custom themes
 - Refactored HMTL / PHP code WebUI
+- Updated ClamAV configuration
 
 
 ## [1.3.5] - Service Release

install/deb/clamav/clamd.conf

@@ -1,14 +1,13 @@
-#Automatically Generated by clamav-base postinst
-#To reconfigure clamd run #dpkg-reconfigure clamav-base
-#Please read /usr/share/doc/clamav-base/README.Debian.gz for details
+#Automatically Generated by clamav-daemon postinst
+#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
+#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
 LocalSocket /var/run/clamav/clamd.ctl
 FixStaleSocket true
 LocalSocketGroup clamav
 LocalSocketMode 666
 # TemporaryDirectory is not set to its default /tmp here to make overriding
 # the default with environment variables TMPDIR/TMP/TEMP possible
 User clamav
-# AllowSupplementaryGroups true
 ScanMail true
 ScanArchive true
 ArchiveBlockEncrypted false
@@ -19,26 +18,38 @@ ReadTimeout 180
 MaxThreads 12
 MaxConnectionQueueLength 15
 LogSyslog false
+LogRotate true
 LogFacility LOG_LOCAL6
 LogClean false
 LogVerbose true
-PidFile /var/run/clamav/clamd.pid
+PreludeEnable no
+PreludeAnalyzerName ClamAV
 DatabaseDirectory /var/lib/clamav
+OfficialDatabaseOnly false
 SelfCheck 3600
 Foreground false
 Debug false
 ScanPE true
+MaxEmbeddedPE 10M
 ScanOLE2 true
+ScanPDF true
 ScanHTML true
+MaxHTMLNormalize 10M
+MaxHTMLNoTags 2M
+MaxScriptNormalize 5M
+MaxZipTypeRcg 1M
+ScanSWF true
 ExitOnOOM false
 LeaveTemporaryFiles false
 AlgorithmicDetection true
 ScanELF true
 IdleTimeout 30
+CrossFilesystems true
 PhishingSignatures true
 PhishingScanURLs true
 PhishingAlwaysBlockSSLMismatch false
 PhishingAlwaysBlockCloak false
+PartitionIntersection false
 DetectPUA false
 ScanPartialMessages false
 HeuristicScanPrecedence false
@@ -48,6 +59,23 @@ SendBufTimeout 200
 MaxQueue 100
 ExtendedDetectionInfo true
 OLE2BlockMacros false
+AllowAllMatchScan true
+ForceToDisk false
+DisableCertCheck false
+DisableCache false
+MaxScanTime 120000
+MaxScanSize 100M
+MaxFileSize 25M
+MaxRecursion 16
+MaxFiles 10000
+MaxPartitions 50
+MaxIconsPE 100
+PCREMatchLimit 10000
+PCRERecMatchLimit 5000
+PCREMaxFileSize 25M
+ScanXMLDOCS true
+ScanHWP3 true
+MaxRecHWP3 16
 StreamMaxLength 25M
 LogFile /var/log/clamav/clamav.log
 LogTime true
@@ -56,5 +84,5 @@ LogFileMaxSize 0
 Bytecode true
 BytecodeSecurity TrustSigned
 BytecodeTimeout 60000
-OfficialDatabaseOnly false
-CrossFilesystems true
+PidFile /var/run/clamav/clamd.pid
+OnAccessMaxFileSize 5M

install/upgrade/versions/1.4.0.sh

@@ -64,6 +64,7 @@ if [ "$MAIL_SYSTEM" == "exim4" ]; then
             echo '      If you want to use the Hestia smtp relay feature,'
             echo '      please review the /etc/exim4/exim4.conf.template'
             echo '      file and resolve any conflicts.'
+            $HESTIA/bin/v-add-user-notification admin 'Manual intervention required to enable SMTP Relay' 'ERROR: Manual intervention required to enable SMTP Relay: <br />Exim only supports one plaintext authenticator. If you want to use the Hestia smtp relay feature, please review the /etc/exim4/exim4.conf.template file and resolve any conflicts.'
         else
             disable_smtp_relay=false
         fi
@@ -178,6 +179,12 @@ if [ -d "$HESTIA/web/images/webapps/" ]; then
     rm -rf $HESTIA/web/src/app/WebApp/Installers/Joomla
 fi
 
+# Update ClamAV configuration file
+if [ -f "/etc/clamav/clamd.conf" ]; then
+    cp -f $HESTIA_INSTALL_DIR/clamav/clamd.conf /etc/clamav/
+    $HESTIA/bin/v-add-user-notification admin 'ClamAV config has been overwritten' 'Warning: If you have manualy changed /etc/clamav/clamd.conf and any changes you made will be lost an backup has been created in the /root/hst_backups folder with the original config. If you have not changed the config file you can ignore this message'
+fi
+
 if [ -f "$HESTIA/data/firewall/ipset/blacklist.sh" ]; then
     sed -i  '/BruteForceBlocker/d' $HESTIA/data/firewall/ipset/blacklist.sh
 fi