Before testing ClamAV's email scanning capabilities, ensure you have a dedicated test environment. This prevents accidental infections or spam propagation. Here's a basic setup using Docker for isolation:
```bash
# Create a test mail server with ClamAV integration
docker run -d --name test_mailserver \
  -e ENABLE_CLAMAV=1 \
  -p 25:25 \
  -p 143:143 \
  mailserver/docker-mailserver
```
Use the EICAR test file - a harmless signature that antivirus software detects as malicious. Create test emails with these payloads:
```python
# Python script to generate test emails
import smtplib
from email.mime.text import MIMEText

# Raw string: the EICAR signature must reach the scanner byte-for-byte
eicar_signature = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def create_test_email():
    # The signature is the plain-text body, so the scanner sees it without decoding
    msg = MIMEText(eicar_signature)
    msg['Subject'] = 'ClamAV Test - EICAR Signature'
    msg['From'] = 'sender@testdomain.com'
    msg['To'] = 'recipient@testdomain.com'
    return msg

def send_test_email(server='localhost'):
    # Deliver to the test mail server over plain SMTP (port 25)
    with smtplib.SMTP(server) as smtp:
        smtp.send_message(create_test_email())
```
After sending test emails, check ClamAV logs for detection events. The location varies by system, but typically:
```bash
# Check ClamAV logs for detection
tail -f /var/log/clamav/clamav.log | grep 'FOUND'
# Expected output when test is successful:
# Eicar-Test-Signature FOUND
```
Beyond simple text attachments, test various email components:
- Base64 encoded attachments
- ZIP archives with password protection
- HTML emails with malicious scripts
- Phishing links in message bodies
Here's how to test ZIP archive scanning. Keep in mind that ClamAV cannot decrypt a password-protected archive: it reports one only as Heuristics.Encrypted.Zip, and only when clamscan runs with --alert-encrypted, so to confirm that EICAR is found inside an archive, also create a copy without the password.
```bash
# Create a test ZIP with EICAR file
# Single quotes matter: inside double quotes the shell would expand $EICAR and $H to nothing
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > eicar.txt
zip -e eicar.zip eicar.txt
# Use password 'infected' when prompted
```
For continuous integration, create automated test scripts. This example uses Python's unittest framework:
```python
import unittest
import subprocess


class TestClamAVIntegration(unittest.TestCase):
    def test_eicar_detection(self):
        # --infected prints only FOUND lines; --no-summary drops the trailing statistics
        result = subprocess.run(
            ['clamscan', '--no-summary', '--infected', 'eicar.txt'],
            capture_output=True, text=True
        )
        self.assertIn('Eicar-Test-Signature', result.stdout)

    def test_zip_detection(self):
        # eicar.zip must be an unencrypted archive here: ClamAV cannot decrypt a
        # password-protected ZIP and reports it only as Heuristics.Encrypted.Zip,
        # and only when clamscan is run with --alert-encrypted
        result = subprocess.run(
            ['clamscan', '--no-summary', '--infected', 'eicar.zip'],
            capture_output=True, text=True
        )
        self.assertIn('Eicar-Test-Signature', result.stdout)


if __name__ == '__main__':
    unittest.main()
```
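As an added example (not code from the original article or from the ClamAV project), the stdlib-only module below covers the attachment types listed above and the result checking the unittest relies on: it builds a multipart message carrying EICAR as a base64 attachment and inside an unencrypted ZIP, decodes it back the way a mail filter would, and maps clamscan output lines to verdicts so a test can tell Eicar-Test-Signature from the Heuristics.Encrypted.Zip verdict an encrypted archive gets under --alert-encrypted. The clamscan output used to exercise the parser is constructed, and the addresses reuse the placeholder domain from above.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# EICAR test string (68 bytes); raw bytes so it reaches the scanner unchanged
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# clamscan prints "<path>: <signature> FOUND" or "<path>: OK" (the latter only without --infected)
VERDICT_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>\S+) FOUND|OK)$")

def eicar_zip_bytes() -> bytes:
    """Unencrypted ZIP holding eicar.txt, built in memory (stdlib zipfile cannot encrypt)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.txt", EICAR)
    return buf.getvalue()

def build_test_email(sender="sender@testdomain.com", recipient="recipient@testdomain.com"):
    """Multipart message carrying EICAR twice: as a base64 attachment and inside a ZIP."""
    msg = EmailMessage()
    msg["Subject"] = "ClamAV Test - EICAR attachments"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content("Harmless test message; the attachments carry only the EICAR signature.")
    # add_attachment() base64-encodes binary payloads, so the signature is not visible on the wire
    msg.add_attachment(EICAR, maintype="application", subtype="octet-stream", filename="eicar.com")
    msg.add_attachment(eicar_zip_bytes(), maintype="application", subtype="zip", filename="eicar.zip")
    return msg

def decoded_attachments(raw: bytes) -> dict:
    """Parse a serialized message as a mail filter would; returns {filename: decoded bytes}."""
    parsed = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): p.get_payload(decode=True) for p in parsed.iter_attachments()}

def zip_member(data: bytes, name: str) -> bytes:
    """Read one member back out of ZIP bytes, to confirm the archive survived the round trip."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)

def parse_clamscan(output: str) -> dict:
    """Map each scanned path to its signature name, or None where clamscan reported OK."""
    verdicts = {}
    for line in output.splitlines():
        m = VERDICT_RE.match(line.strip())
        if m:
            verdicts[m.group("path")] = m.group("sig")
    return verdicts
```

Feed `build_test_email().as_bytes()` to the test server with `smtplib.SMTP.sendmail`, then pass the scanner's output to `parse_clamscan` in your assertions.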
After initial tests, monitor these metrics in production:
- Scanning throughput (messages/second)
- CPU/memory usage during peak loads
- False positive/negative rates
- Signature update success rate
Use this command to check ClamAV's performance statistics:
```bash
clamscan --bytecode-unsigned --stats --quiet /dev/null
```
When deploying ClamAV on a mail server, you need to verify that:
- On-access scanning catches infected attachments
- On-demand scanning works with your MTA (Postfix/Sendmail/etc.)
- Quarantine mechanisms function properly
- Virus definitions are updating correctly
Create a safe test file using the EICAR standard:
```bash
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > eicar.com
```
Attach this to an email and verify:
- ClamAV detects it (should log "Eicar-Test-Signature")
- Your MTA blocks/quarantines the message
- No actual malware executes
For more thorough verification, use ClamAV's test signatures:
```
# In clamd.conf:
TestSignatures yes
# Then test with:
clamscan --debug --infected /path/to/test/files
```
Sample log output you should see:
```
LibClamAV debug: Test signature found
LibClamAV debug: Test signature 1
```
Create a cron job to regularly verify scanning:
```bash
#!/bin/bash
# Run without --no-summary: the "Infected files: N" line matched below is part of the summary
RESULT=$(clamscan --infected /path/to/eicar.com)
if [[ $RESULT == *"Infected files: 1"* ]]; then
  echo "[PASS] ClamAV detection working" | mail -s "ClamAV Test" admin@example.com
else
  echo "[FAIL] ClamAV detection failed" | mail -s "ClamAV Alert" admin@example.com
fi
```
If tests fail:
- Check that the `clamd` process is running
- Verify freshclam updates are working (`freshclam --debug`)
- Inspect MTA integration (amavisd-new config for Postfix)
- Review ClamAV logs (/var/log/clamav/clamav.log)