====== Clamav ======
**General Information**
ClamAV is "an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats."
* Official Site: [[http://www.clamav.net/index.html]]
* Virus Database Mail List Archives: http://www.gossamer-threads.com/lists/clamav/virusdb/
* User Mailing List Archives: http://www.gossamer-threads.com/lists/clamav/users/
**Checklist**
* Distro(s): Enterprise Linux 6
* Repo: EPEL
----
====== Installation ======
Installing ClamAV.
* Add the [[linux_wiki:repos#epel|EPEL repo]].
* Install the ClamAV scanner and the automatic definition updater (freshclam)
  * EL 6: ''yum install clamav''
  * EL 7: ''yum install clamav clamav-update''
* Install ClamAV's scanning daemon (clamd)
  * EL 6: ''yum install clamd''
  * EL 7: ''yum install clamav-scanner-systemd''
----
====== Configuration ======
Configuring ClamAV.
----
===== freshclam =====
Virus definition updater for ClamAV.
* Config: /etc/freshclam.conf
* Daily Cron: /etc/cron.daily/freshclam
/etc/freshclam.conf - ensure the database mirrors are correct:
<code>
DatabaseMirror db.us.clamav.net
DatabaseMirror db.local.clamav.net
</code>
If freshclam has to go out through a Squid (or other HTTP) proxy:
<code>
HTTPProxyServer myserverhostname
HTTPProxyPort 3128
</code>
Run a manual definition update (verbose):
<code bash>
freshclam -v
</code>
----
====== Operation ======
Using ClamAV.
----
===== Application Users =====
ClamAV software runs as non-privileged user(s).
**EL 6**
* Freshclam runs as: clam
* Clamd runs as: clam
**EL 7**
* Freshclam runs as: clamupdate
* Clamd runs as: clamscan
----
===== Service =====
Freshclam is NOT a service. It is run via a daily cron script.
\\
Clamd (the scanning daemon) is run as a service. It does not scan anything by itself unless "on access scanning" is enabled.
* To scan certain directories regularly, either enable on-access scanning or create a cron job that runs clamdscan against those directories.
**Enable On Boot**
Enable the service at boot:
* EL 6: ''chkconfig clamd on''
* EL 7: ''systemctl enable clamd@scan''
**Service Status**
* EL 6: ''service clamd status''
* EL 7: ''systemctl status clamd@scan''
**Service Start**
* EL 6: ''service clamd start''
* EL 7: ''systemctl start clamd@scan''
**Service Stop**
* EL 6: ''service clamd stop''
* EL 7: ''systemctl stop clamd@scan''
----
===== Log Files =====
Log files are located at:
* Freshclam
  * EL 6: /var/log/clamav/freshclam.log
  * EL 7: /var/log/freshclam.log
* Clamd
  * EL 6: /var/log/clamav/clamd.log
  * EL 7: /var/log/clamd.scan
===== Other Files =====
* **Freshclam (Virus Definitions Database Updater)**
  * Application: freshclam (/usr/bin/freshclam)
  * Configuration: /etc/freshclam.conf
  * Auto update job: /etc/cron.daily/freshclam
* **Scanning Daemon (clamd)**
  * Configuration:
    * EL 6: /etc/clamd.conf
    * EL 7: /etc/clamd.d/scan.conf
* **ClamAV Databases**: /var/lib/clamav
  * bytecode.cvd - bytecode signatures database (more detailed, executable detection logic)
  * daily.cld - daily definition database, built locally from the deltas published throughout the day
  * main.cvd - main database of definitions
----
===== clamscan =====
Clamscan is the stand-alone utility that scans files and directories for viruses (it loads the signature database itself on every run, which is why it is slower than clamdscan).
Scan a single file:
<code bash>
clamscan myfile
</code>
Scan the current working directory:
<code bash>
clamscan
</code>
Scan a directory recursively:
<code bash>
clamscan -r /home/rjones
</code>
Scan a stream from stdin:
<code bash>
cat myfile | clamscan -
</code>
Clamscan return codes:
* 0 => no virus found
* 1 => virus(es) found
* 2 => some error(s) occurred
----
===== clamdscan =====
The clamd service allows for faster scanning of directories and files, because the signature database is already loaded in the daemon and does not have to be read in for every scan.
One-off system scan of /home using clamdscan:
<code bash>
/usr/bin/time nice clamdscan --fdpass --log=/root/clamdscan-report-$(date +%Y%m%d) /home
</code>
* /usr/bin/time => times how long the scan takes
* nice => lower CPU priority for the scan
* --fdpass => pass open file descriptors to clamd instead of paths (avoids permission problems and speeds up the scan when clamd is running as a different user)
* --log=/root/clamdscan-report-$(date +%Y%m%d) => write the scan log to this dated file
----
===== Scan Regularly with clamdscan =====
To scan systems regularly, use clamdscan and either:
* Enable on-access scanning
* Create a cron job to launch clamdscan
Example: Enable on access scanning
* FIXME -> Show this example
Example: Create a cron to launch clamdscan
* FIXME -> Show this example
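As an added example (not code from the original page), the following cron wrapper covers the second option above: it runs clamdscan through the running clamd with the same ''--fdpass'' and ''nice'' choices as the one-off scan, keeps a dated log, and turns clamdscan's return code (0 clean, 1 infected, 2 error) plus the "Infected files:" figure from the log into a syslog line that a monitoring system can alert on. The directory list, log directory and the install path ''/etc/cron.daily'' are assumptions; the sample log embedded in ''sample_log'' is constructed so the parsing can be tried without a real scan.

```shell
#!/bin/sh
# Added example (not part of the original wiki page): daily cron wrapper for
# clamdscan. Suggested install path (assumption): /etc/cron.daily/clamdscan-cron
# Invoke with the argument "run" to perform a real scan.

SCAN_DIRS="${SCAN_DIRS:-/home /tmp}"      # assumed defaults; adjust per host
LOG_DIR="${LOG_DIR:-/var/log/clamav}"      # EL 6 layout; EL 7 keeps logs in /var/log
CLAMDSCAN="${CLAMDSCAN:-clamdscan}"        # let tests substitute a stub binary

# Translate a clamdscan exit status into a short verdict.
rc_message() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected" ;;
        2) echo "error" ;;
        *) echo "unknown status $1" ;;
    esac
}

# Syslog priority for the verdict: infected -> alert, error -> err, clean -> info.
rc_priority() {
    case "$1" in
        0) echo "user.info" ;;
        1) echo "user.alert" ;;
        *) echo "user.err" ;;
    esac
}

# Pull the "Infected files: N" figure out of a clamdscan log.
# Prints 0 when the summary block is missing (scan aborted or log empty).
infected_count() {
    awk -F': *' '/^Infected files:/ {n=$2} END {print n+0}' "$1"
}

# Constructed sample of a clamdscan log (not real scan output), so that
# infected_count can be exercised on a box without clamd.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/home/rjones/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 3.210 sec (0 m 3 s)
EOF
    echo "$f"
}

# Run the scan, then record the verdict in syslog and return clamdscan's status.
run_scan() {
    log="$LOG_DIR/clamdscan-report-$(date +%Y%m%d)"
    # --fdpass hands open file descriptors to clamd, so the scan works even
    # though clamd runs as its own unprivileged user (clam / clamscan);
    # nice keeps the scan from competing with real workloads for CPU.
    nice "$CLAMDSCAN" --fdpass --infected --log="$log" $SCAN_DIRS
    rc=$?
    logger -p "$(rc_priority "$rc")" -t clamdscan-cron \
        "scan of $SCAN_DIRS finished: $(rc_message "$rc"), infected files: $(infected_count "$log"), log: $log"
    return "$rc"
}

# Only scan when explicitly asked, so the functions above can be sourced
# and tested on a machine without clamd installed.
if [ "${1:-}" = "run" ]; then
    run_scan
fi
```

The cron entry itself is just ''/etc/cron.daily/clamdscan-cron run''; the ''user.alert'' line is what to watch for in the log collector, since a return code of 1 means something matched a signature and a 2 usually means clamd was not running or could not read a path.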
----
===== Whitelist Files/Signatures =====
Whitelisting files/signatures allows for ClamAV to ignore them during scans.
\\
==== Whitelist a File ====
To whitelist a file:
* Generate an MD5 signature for the file and append it to the whitelist file:
<code bash>
sigtool --md5 /data/testfile >> /var/lib/clamav/whitelist-files.fp
</code>
* The entry will look like this:
<code bash>
cat /var/lib/clamav/whitelist-files.fp
d41d8cd98f00b204e9800998ecf8427e:0:testfile
</code>
* Fields are -> MD5sum:Filesize:Comment. The entry matches only that exact content, so if the file changes it has to be regenerated.
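The following is an added example (not from the original page) that builds the same ''MD5sum:Filesize:Comment'' line with coreutils instead of sigtool and, more usefully, checks an existing whitelist-files.fp for malformed lines before clamd is restarted, since one bad line makes clamd reject the database. The whitelist path is the one from the page; ''md5sum'' and ''wc'' from coreutils are assumed to be available.

```shell
#!/bin/sh
# Added example (not part of the original wiki page): produce and validate
# ClamAV .fp whitelist entries (format: MD5sum:Filesize:Comment).

WHITELIST="${WHITELIST:-/var/lib/clamav/whitelist-files.fp}"   # path from the page

# Print the .fp line for one file: md5:size:basename (same output as sigtool --md5).
fp_entry() {
    file="$1"
    sum=$(md5sum "$file" | cut -d' ' -f1)
    size=$(wc -c < "$file" | tr -d ' ')
    echo "$sum:$size:$(basename "$file")"
}

# Validate one .fp line: 32 lowercase hex chars, a decimal size and a
# non-empty comment, exactly three colon-separated fields. Returns 0 if ok.
fp_line_ok() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{32}:[0-9]+:[^:]+$'
}

# Check a whole whitelist file. Reports each malformed line on stderr and
# returns 1 if any was found, 0 otherwise. Deliberately strict: every line
# must be a valid entry, so stray blank lines or editor junk are caught too.
fp_check() {
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if ! fp_line_ok "$line"; then
            echo "line $n malformed: $line" >&2
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# Append an entry for a file to the whitelist, but only after the existing
# file (if any) passes the check, so a broken whitelist is never extended.
fp_add() {
    if [ -f "$WHITELIST" ] && ! fp_check "$WHITELIST"; then
        echo "refusing to append: $WHITELIST already contains malformed lines" >&2
        return 1
    fi
    fp_entry "$1" >> "$WHITELIST"
}
```

Usage: ''fp_add /data/testfile'' appends the entry, and ''fp_check /var/lib/clamav/whitelist-files.fp'' is the thing to run from a change procedure before ''service clamd restart''. An empty file yields exactly the page's sample line, ''d41d8cd98f00b204e9800998ecf8427e:0:testfile'', because that MD5 is the digest of zero bytes.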
\\
==== Whitelist a Signature ====
Whitelisting a signature should be performed with caution, as it makes ClamAV ignore every file that signature would otherwise detect, including genuine malware.
To whitelist a signature, add the signature name (one per line) to the signature whitelist file:
<code bash>
vim /var/lib/clamav/whitelist-signatures.ign2
</code>
<code>
Signature.Ignore-1
</code>
----