mod_clamav 0.21 review

by on

mod_clamav is a virus scanning module which uses the Clam Antivirus (clamav) package to scan Web traffic for viruses

License: GPL (GNU General Public License)
File size: 0K
Developer: Andreas M?ller
0 stars award from

mod_clamav is a virus scanning module which uses the Clam Antivirus (clamav) package to scan Web traffic for viruses. Apache 2 introduces filters, which allow to modify content generated by some other module. mod_clamav is an Apache 2 filter which scans the content delivered by the proxy module (mod_proxy) for viruses using the Clamav virus scanning engine.

mod_clamav was written and is currently maintained by Andreas M?ller, it is distributed under the GNU General Public License, see the file COPYING in the distribution for details.

This document describes Version 0.21 of mod_clamav. This version can be downloaded from The most current version will always be available at

Before installing mod_clamav, make sure you have Clamav properly installed. The module is of only limited use if the proxy module is not available to apache, which is not built by default. So you may want to go back to your Apache compilation and adjust the options to configure so that the proxy module to be built.

The only configuration option necessary for mod_clamav is --with-apache=/your/apache2/directory. So installing the module usually takes the familiar steps

./configure --with-apache=/usr/local/apache2
make install

mod_clamav can produce extensive log messages, but as they may slow down the module, log messages at debug level are only produced if the module is compiled with debugging enabled. Add -DCLAMAV_DEBUG to your CFLAGS environment variable to enable debuggin:

export CFLAGS

mod_clamav has so far been tested on Linux, Solaris and Mac OS X (the latter only in local mode on Jaguar, Clamav 0.70 on Panther finds a suitable pthreads implementation and compiles the daemon, and mod_clamav seems to work in daemon mode on Panter, but I have not fully tested it). If you succeed to install the module on some other platform, please keep the maintainer updated.

Some initial testing on FreeBSD revealed some permission problems, but mod_clamav seems to work if the apache server and clamd run with the same uid.

mod_clamav is an Apache 2 filter, so there is no hope that it will ever be usable with Apache 1. Filters were introduced in Apache 2 to inspect and modify content delivered by some other module.

mod_clamav takes the output of the proxy module, and scans it for viruses using the Clamav library (local mode) or the Clamav daemon (daemon mode). This means that in local mode, the virus scanning engine is part of the apache process, thus virus scanning does not take an extra round-trip to a virus scanning proxy, as with many other virus scanning products.

The clamav library could work entirely inside main memory, but this would cause a problem for large downloads: they could eat up all memory starving the machine in the process. Hence mod_clamav writes the data to a file, the location is configurable with the ClamavTmpdir directive. If file IO is a problem, the temporary files can be placed on a ramdisk.

Long downloads create a special dilemma for a virus scanning proxy: the proxy should not send anything to the browser before it has made sure the object is virus free, but the browser may think the server has a problem if no data is transmitted for a long time. mod_clamav therefore sends one byte every minute (or less if you prefer) of the file being downloaded to the browser. This is enough to keep the browser happy.

Some platforms do not support daemon mode, because the Clamav daemon (which uses pthreads), is not available for them. One example is Mac OS X, on which mod_clamav can only be used in local mode.

One problem with browsers is that the decide to time out if the proxy does not send any data to them. So mod_clamav sends a single byte every minute, even before anything has been checked for viruses. This has the side effect that no HTML error message can be displayed to the client if a byte has been sent already. If the transfer from the server completes within the first minute, i.e. before the first trickle byte is sent to the browser, mod_clamav sends an HTML error message (new in 0.9).

mod_clamav 0.21 search tags