ClamAV
General Information
ClamAV is “an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats.”
Official Site: http://www.clamav.net/index.html
Checklist
- Distro(s): Enterprise Linux 6
- Repo: EPEL
Installation
Configuration
Configuring ClamAV.
freshclam
Virus definition updater for ClamAV.
- Config: /etc/freshclam.conf
- Daily Cron: /etc/cron.daily/freshclam
/etc/freshclam.conf - Ensure Database Mirrors are correct
DatabaseMirror db.us.clamav.net
DatabaseMirror db.local.clamav.net
If you have a Squid proxy, set the proxy host and port:
HTTPProxyServer myserverhostname
HTTPProxyPort 3128
Run manual virus updates
freshclam -v
Operation
Using ClamAV.
Application Users
ClamAV software runs as non-privileged user(s).
EL 6
- Freshclam runs as: clam
- Clamd runs as: clam
EL 7
- Freshclam runs as: clamupdate
- Clamd runs as: clamscan
Service
Freshclam is NOT a service. It is run via a daily cron script.
Clamd (the scanning daemon) is run as a service. It does not scan anything by itself unless “on access scanning” is enabled.
Enable On Boot
Service is enabled on boot
- EL6
chkconfig clamd on
- EL7
systemctl enable clamd@scan
Service Status
- EL6
service clamd status
- EL7
systemctl status clamd@scan
Service Start
- EL6
service clamd start
- EL7
systemctl start clamd@scan
Service Stop
- EL6
service clamd stop
- EL7
systemctl stop clamd@scan
Log Files
Log files are located:
- Freshclam
- EL 6: /var/log/clamav/freshclam.log
- EL 7: /var/log/freshclam.log
- Clamd
- EL 6: /var/log/clamav/clamd.log
- EL 7: /var/log/clamd.scan
Other Files
- Freshclam (Virus Definitions Database Updater)
- Application: freshclam (/usr/bin/freshclam)
- Configuration: /etc/freshclam.conf
- Auto Update job: /etc/cron.daily/freshclam
- Scanning Daemon (clamd)
- Configuration:
- EL 6: /etc/clamd.conf
- EL 7: /etc/clamd.d/scan.conf
- ClamAV Databases: /var/lib/clamav
- bytecode.cvd - detailed bytecode signatures database for virus detection
- daily.cld - daily definition database, built from the deltas released throughout the day
- main.cvd - main database of definitions
clamscan
Clamscan is the utility that scans files and directories for viruses.
Scan a single file
clamscan myfile
Scan the current working directory
clamscan
Scan a directory recursively
clamscan -r /home/rjones
Scan a stream
cat myfile | clamscan -
Clamscan return codes
- 0 ⇒ no virus found
- 1 ⇒ virus(es) found
- 2 ⇒ Some error(s) occurred
clamdscan
The clamd service allows for faster scanning of directories and files.
One off system scan of /home using clamdscan
/usr/bin/time nice clamdscan --fdpass --log=/root/clamdscan-report-$(date +%Y%m%d) /home
- /usr/bin/time ⇒ Times how long the scan takes
- nice ⇒ Less CPU priority for the scan
- --fdpass ⇒ Pass the open file descriptor to clamd (allows for a faster scan when clamd is running as a different user)
- --log=/root/clamdscan-report-$(date +%Y%m%d) ⇒ Create log file here
Whitelist Files/Signatures
Whitelisting files or signatures tells ClamAV to ignore them during scans.
Whitelist a File
To whitelist a file:
- Generate an MD5 signature for the file and append it to the file whitelist
sigtool --md5 /data/testfile >> /var/lib/clamav/whitelist-files.fp
- The entry will look like this
cat /var/lib/clamav/whitelist-files.fp
d41d8cd98f00b204e9800998ecf8427e:0:testfile
- Fields are → MD5sum:Filesize:Comment
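The .fp format above is simple enough to build and check without sigtool. The following is an added example (not from this wiki page) that produces an entry the same way sigtool --md5 does, validates a whitelist file before it is loaded, and detects when a whitelisted file has changed since its entry was made, since an MD5 whitelist matches exact content only. It assumes GNU coreutils (md5sum, wc, basename).

```shell
# Added example, not from the wiki page: build and check ClamAV .fp whitelist
# entries without sigtool. Assumes GNU coreutils (md5sum, wc, basename).
# .fp entry format, as `sigtool --md5` emits it: MD5sum:Filesize:Comment,
# where Comment is the file's basename.

# fp_entry FILE -> prints "md5:size:basename", the line `sigtool --md5 FILE` produces
fp_entry() {
    sum=$(md5sum "$1" | cut -d' ' -f1)
    size=$(wc -c < "$1" | tr -d ' ')
    printf '%s:%s:%s\n' "$sum" "$size" "$(basename "$1")"
}

# fp_validate WHITELIST -> 0 if every line is well-formed
# (32 hex chars : decimal size : non-empty comment), 1 otherwise.
# Check this before reloading clamd: a malformed line makes ClamAV reject the file.
fp_validate() {
    if grep -Ev '^[0-9a-fA-F]{32}:[0-9]+:[^:]+$' "$1" > /dev/null; then
        return 1
    fi
    return 0
}

# fp_check WHITELIST FILE -> 0 if FILE's current md5/size entry is in WHITELIST,
# 1 if not (e.g. the file changed after it was whitelisted: the entry is stale
# and the file will be scanned normally again)
fp_check() {
    grep -qxF "$(fp_entry "$2")" "$1"
}

# Demo on a constructed empty file (the wiki's example entry is an empty "testfile")
demo() {
    d=$(mktemp -d)
    : > "$d/testfile"
    fp_entry "$d/testfile" > "$d/whitelist-files.fp"
    cat "$d/whitelist-files.fp"            # d41d8cd98f00b204e9800998ecf8427e:0:testfile
    fp_validate "$d/whitelist-files.fp" && echo "whitelist is well-formed"
    fp_check "$d/whitelist-files.fp" "$d/testfile" && echo "testfile: whitelisted"
    printf 'changed\n' >> "$d/testfile"
    fp_check "$d/whitelist-files.fp" "$d/testfile" || echo "testfile: modified, entry is stale"
    rm -rf "$d"
}
demo
```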
Whitelist a Signature
Whitelisting a signature should be performed with caution, as it has the potential to ignore legitimate viruses.
To whitelist a signature, add the signature name to the ignore file:
- Edit the signature whitelist file
vim /var/lib/clamav/whitelist-signatures.ign2
- Each entry is a signature name on its own line, e.g.
Signature.Ignore-1