Updating ClamAV on OS X Server >= 10.5.6

A tutorial on how to properly update ClamAV on Mac OS X 10.5.5 Server or greater. By Athanasios Alexandrides

Download “Updating ClamAV on OS X Server 10.5.5 or greater” (PDF File)

The purpose of this document is to provide instructions on how to update the version of ClamAV included with OS X 10.5.5 Server or greater. DO NOT use these instructions for 10.4.x Server. A separate tutorial is available for 10.4.x.

It will guide you through updating to the latest stable version of ClamAV without breaking Server Admin functionality. The new version will be installed alongside Apple’s. Thus, it will not be overwritten by Apple SW updates.

Although the Apple included version of ClamAV is suitable for most users, there are situations where one might need to update. A common reason is to take advantage of the latest security fixes.

This document is written for Mac OS X 10.5.5 or greater.

19 replies
  1. Mike Hams
    Mike Hams says:

    Are these instructions likely to be updated since SourceForge is now persona non grata and the download directory address has changed?

    Reply
  2. Richard Williams
    Richard Williams says:

    Hi

    I’m trying to update to 0.99.2 as the version with Server 2.2.5 no longer works . I’ve downloaded the source from clamav,net but the ‘tar’ returns ‘Unrecognized archive format’. Do you know where I can get the source in OS X format?

    Reply
  3. Athanasios Alexandrides
    Athanasios Alexandrides says:

    The plist files are in clamav_extras_105_096.tar.gz as per the tutorial. Make sure you had no typos in the URL.

    10.8 uses different locations and is not covered by any tutorial. Just adapt locations as needed.

    That said, the best option is to upgrade the Server OS. Fixing ClamAV is only a temporary solution as the next problem is certainly around the corner. A server OS should ideally not be used after it is declared EOL by the vendor.

    Reply
    • David Blanchard
      David Blanchard says:

      I did have a typo. Sorry about that. I was able to complete the rest except for loading and unloading amavisd from launchctl. it’s simply isnt there.

      I agree about the EOL, but right now I need the band-aid so I can let mail process without worrying about virus scanning.

      Reply
  4. Liza Lynch
    Liza Lynch says:

    David, we have the same problem since the weekend on a client’s old Mac OS X 10.6.8 system (yes, also EOL, I realise). Like you I need the band aid solution.

    I can’t do a ‘make’ on that machine because it doesn’t have the developer tools installed. Do you have the updated clamAV, and if so where does it have to be put on the server?

    Reply
  5. Liza Lynch
    Liza Lynch says:

    Athanasios – I think I’ve got it working now. I got hold of the Dev Tools and after that your instructions were extremely helpful! Thanks.

    Reply
  6. Al Varnell
    Al Varnell says:

    I was able to assist a Lion Server user to a successful update using your instructions (you can ignore the e-mail I sent you using the Contact page), so I know it can still be done using a 0.98 engine. My only remaining question concerns the applicability of those instructions in light of the requirement for OpenSSL beginning with 0.98.3 and PCRE for all 0.99 releases. Should the instructions be updated to account for these or at least indicate what the latest engine that can be installed using the instructions?

    Reply
  7. Celia
    Celia says:

    Is there a difference in compiling clamav from source or installing it through homebrew? The brew version doesn’t seem to compile with “enable-bigstack” and “enable-static” – are these flags necessary?

    Reply
  8. Athanasios Alexandrides
    Athanasios Alexandrides says:

    Hi Celia. Either way should work. The main difference between the two methods is that compiling from source uses as many components as possible that are already part of macOS/OS X. Brew on the other hand installs all dependencies it needs. On an older OS, I’d prefer to compile myself as you run into less issues against the stock components. On newer OS, go for brew as it is less of a headache.

    Reply
  9. Jon Gardner
    Jon Gardner says:

    On 10.13.6, Server 5.6.3, this method doesn’t really work well. The launchd scripts aren’t the same. The most straightforward solution for me has been to replace the Apple binaries in Server.app with softlinks to the latest clamav binaries from MacPorts or Homebrew. The script below does this for the MacPorts install; Homebrew would be similar but with different paths to the new binaries. The one change I had to make in the config files was commenting out the “LogLevel” entries; apparently that’s either deprecated or specific to Apple’s version, because the “stock” binaries rejected the config as long as “LogLevel” was in there.

    apply MacPorts ClamAV configuration

    #

    define Server.app root directory (saves typing later 🙂

    SR=/Applications/Server.app/Contents/ServerRoot

    stop mail services

    serveradmin stop mail

    softlink existing config files to macports default

    (be sure to comment-out “LogLevel” entries in both files!)

    ln -s /Library/Server/Mail/Config/clamav/clamd.conf /opt/local/etc/clamd.conf
    ln -s /Library/Server/Mail/Config/clamav/freshclam.conf /opt/local/etc/freshclam.conf

    save a copy of original Apple clamd binary

    if [ ! -f $SR/usr/sbin/clamd.apple ]
    then
    mv $SR/usr/sbin/clamd $SR/usr/sbin/clamd.apple
    fi

    link macports clamd binary to Apple default location

    ln -s /opt/local/bin/clamd $SR/usr/sbin/clamd
    #

    do the same things with the other clamav binaries

    for prg in clambc clamconf clamdscan clamdtop clamscan clamsubmit freshclam
    do
    if [ ! -f $SR/usr/bin/$prg.apple ]
    then
    mv $SR/usr/bin/$prg $SR/usr/bin/$prg.apple
    fi
    ln -s /opt/local/bin/$prg $SR/usr/bin/$prg
    done

    start mail services

    serveradmin start mail

    Reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply to Bill Kirwin Cancel reply

Your email address will not be published. Required fields are marked *