====== Clamav ======

**General Information**

ClamAV is "an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats."

  * Official Site: [[http://www.clamav.net/index.html]]
  * Virus Database Mail List Archives: http://www.gossamer-threads.com/lists/clamav/virusdb/
  * User Mailing List Archives: http://www.gossamer-threads.com/lists/clamav/users/

**Checklist**

  * Distro(s): Enterprise Linux 6, 7
  * Repo: EPEL

----

====== Installation ======

Installing ClamAV.

  * Add the [[linux_wiki:repos#epel|EPEL repo]].
  * Install the ClamAV scanner and the definition auto-updater (freshclam)
    * EL 6: <code bash>yum install clamav</code>
    * EL 7: <code bash>yum install clamav clamav-update</code>
  * Install ClamAV's scanning daemon (clamd)
    * EL 6: <code bash>yum install clamd</code>
    * EL 7: <code bash>yum install clamav-scanner-systemd</code>

----

====== Configuration ======

Configuring ClamAV.

The stock freshclam.conf and clamd configuration files ship with a line containing only the word ''Example'' (with the comment "Comment or remove the line below"). Neither freshclam nor clamd will run until that line is commented out or removed.

----

===== freshclam =====

Virus definition updater for ClamAV.

  * Config: /etc/freshclam.conf
  * Daily Cron: /etc/cron.daily/freshclam

/etc/freshclam.conf - ensure the database mirrors are correct
<code>
DatabaseMirror db.us.clamav.net
DatabaseMirror db.local.clamav.net
</code>

If you have a Squid proxy
<code>
HTTPProxyServer myserverhostname
HTTPProxyPort 3128
</code>

Run a manual virus definition update (verbose output shows which mirror answered and which databases changed)
<code bash>
freshclam -v
</code>

----

====== Operation ======

Using ClamAV.

----

===== Application Users =====

The ClamAV software runs as non-privileged user(s). This matters for scanning: clamd can only read files its own user has permission to read, unless the client passes file descriptors to it (see ''--fdpass'' under clamdscan below).

**EL 6**

  * Freshclam runs as: clam
  * Clamd runs as: clam

**EL 7**

  * Freshclam runs as: clamupdate
  * Clamd runs as: clamscan

----

===== Service =====

Freshclam is NOT a service. It is run via a daily cron script. \\
Clamd (the scanning daemon) is run as a service. It does not scan anything by itself unless "on access scanning" is enabled; otherwise it sits on its socket waiting for scan requests from clients such as clamdscan.

  * To scan certain directories regularly, either enable on access scanning, or create a cron job that runs clamdscan against the directories.
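Because freshclam runs from cron rather than as a supervised service, a mirror or proxy problem fails quietly: clamd keeps scanning with whatever definitions it last loaded. The following script is an added example (not from the wiki page or the ClamAV project) that reads freshclam's log for the last daily database version and any failed update attempts, and checks the age of the daily database file on disk. It assumes the EL 7 paths given on this page (/var/log/freshclam.log and /var/lib/clamav); override ''LOG'' for EL 6. The log line formats in the comments mirror what freshclam writes, and the sample log used to try it is constructed.

```shell
#!/bin/bash
# Added example, not part of the wiki page or ClamAV: verify that freshclam is
# actually keeping the signature databases current. Defaults are the EL 7 paths
# from this page; set LOG=/var/log/clamav/freshclam.log on EL 6.
set -u

DB_DIR="${DB_DIR:-/var/lib/clamav}"
LOG="${LOG:-/var/log/freshclam.log}"
MAX_AGE_HOURS="${MAX_AGE_HOURS:-48}"

# Most recent daily database version recorded in the log. freshclam writes
# lines such as
#   daily.cld updated (version: 24361, sigs: 1812031, f-level: 63, builder: neo)
#   daily.cld is up to date (version: 24361, ...)
# (possibly prefixed by a timestamp when LogTime is on). Prints nothing if
# neither form appears.
latest_daily_version() {
    grep -Eo 'daily\.(cld|cvd) (updated|is up to date) \(version: [0-9]+' "$1" \
        | sed -E 's/.*version: //' | tail -n 1
}

# Number of logged update failures ("ERROR: Can't download daily.cvd from ..."
# and "ERROR: Update failed. ..." are the lines freshclam emits).
count_update_failures() {
    grep -Ec "(ERROR|WARNING): (Can't download|Update failed)" "$1" || true
}

# Succeeds (exit 0) if daily.cld or daily.cvd in DIR was modified within the
# last MAX_HOURS hours; fails otherwise. This catches a dead cron job as well as
# a log that nobody rotated or reads.
daily_db_is_fresh() {
    local dir="$1" max_hours="$2" newest
    newest=$(find "$dir" -maxdepth 1 \( -name daily.cld -o -name daily.cvd \) \
                 -mmin "-$((max_hours * 60))" 2>/dev/null | head -n 1)
    [ -n "$newest" ]
}

main() {
    if [ ! -r "$LOG" ] || [ ! -d "$DB_DIR" ]; then
        echo "usage: DB_DIR=/var/lib/clamav LOG=/var/log/freshclam.log $0" >&2
        return 0
    fi
    echo "latest daily version in log: $(latest_daily_version "$LOG")"
    echo "failed update attempts logged: $(count_update_failures "$LOG")"
    if daily_db_is_fresh "$DB_DIR" "$MAX_AGE_HOURS"; then
        echo "daily database updated within the last $MAX_AGE_HOURS hours"
    else
        echo "WARNING: no daily.cld/daily.cvd newer than $MAX_AGE_HOURS hours in $DB_DIR" >&2
        return 2
    fi
}

main
```

Run it from the same cron that runs freshclam (an hour later) or from your monitoring agent; a non-zero exit is the alert. The on-disk age check is the one to trust, since the log reflects what freshclam attempted, not what clamd has loaded.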
**Enable On Boot** (start the service at boot)

  * EL 6: <code bash>chkconfig clamd on</code>
  * EL 7: <code bash>systemctl enable clamd@scan</code>

**Service Status**

  * EL 6: <code bash>service clamd status</code>
  * EL 7: <code bash>systemctl status clamd@scan</code>

**Service Start**

  * EL 6: <code bash>service clamd start</code>
  * EL 7: <code bash>systemctl start clamd@scan</code>

**Service Stop**

  * EL 6: <code bash>service clamd stop</code>
  * EL 7: <code bash>systemctl stop clamd@scan</code>

----

===== Log Files =====

Log files are located at:

  * Freshclam
    * EL 6: /var/log/clamav/freshclam.log
    * EL 7: /var/log/freshclam.log
  * Clamd
    * EL 6: /var/log/clamav/clamd.log
    * EL 7: /var/log/clamd.scan

===== Other Files =====

  * **Freshclam (Virus Definitions Database Updater)**
    * Application: freshclam (/usr/bin/freshclam)
    * Configuration: /etc/freshclam.conf
    * Auto Update job: /etc/cron.daily/freshclam
  * **Scanning Daemon (clamd)**
    * Configuration:
      * EL 6: /etc/clamd.conf
      * EL 7: /etc/clamd.d/scan.conf
  * **ClamAV Databases**: /var/lib/clamav
    * bytecode.cvd - bytecode signatures (small programs run by clamd's bytecode interpreter for detections that plain pattern signatures cannot express)
    * daily.cld - daily definitions; the uncompressed .cld form is produced when freshclam applies incremental (.cdiff) updates to daily.cvd
    * main.cvd - main database of definitions

clamd reads the database directory only at start-up and on an explicit reload, so new definitions and any custom signature or whitelist files placed there are not seen by the running daemon until it is restarted or asked to reload (''clamdscan --reload''). The one-shot clamscan loads the directory fresh on every run.

----

===== clamscan =====

Clamscan is the command line utility that scans files and directories for viruses. It loads the whole signature database on every invocation, so it is slow to start but needs no running daemon.

Scan a single file
<code bash>
clamscan myfile
</code>

Scan the current working directory
<code bash>
clamscan
</code>

Scan a directory recursively
<code bash>
clamscan -r /home/rjones
</code>

Scan a stream
<code bash>
cat myfile | clamscan -
</code>

Clamscan return codes (clamdscan uses the same ones)

  * 0 => no virus found
  * 1 => virus(es) found
  * 2 => some error(s) occurred

----

===== clamdscan =====

The clamdscan client sends scan requests to the running clamd service over its socket. Because the daemon already has the signature database loaded, repeated scans are much faster than running clamscan each time.
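The return codes listed above are what a scheduled scan should branch on; the report file is where the detections are. The script below is an added example (not from the wiki page or the ClamAV project) of a cron wrapper around clamdscan: it runs the scan with ''--fdpass'' and ''--infected'', maps the exit status to a result, and extracts the ''FOUND'' lines from the report for syslog. The scan directories, report directory, cron schedule and syslog facility are assumptions for the example; the sample report used to try the parsing is constructed, using the ''Eicar-Test-Signature'' name ClamAV reports for the EICAR test file.

```shell
#!/bin/bash
# Added example, not part of the wiki page or ClamAV: a cron wrapper for
# clamdscan that branches on the 0/1/2 exit codes and reports detections.
# Install as e.g. /usr/local/sbin/clamav-scan.sh and schedule it with an
# /etc/cron.d entry such as (assumed path and schedule):
#   30 2 * * * root /usr/local/sbin/clamav-scan.sh run
set -u

SCAN_DIRS="${SCAN_DIRS:-/home /var/www /tmp}"          # assumed targets
REPORT_DIR="${REPORT_DIR:-/var/log/clamav-reports}"    # assumed location

# Map a clamscan/clamdscan exit status to a word for logging and branching.
scan_status_name() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Pull detections out of a clamdscan report. Each hit is written as
#   <path>: <SignatureName> FOUND
# OK lines and the SCAN SUMMARY block are ignored. Output: "<SignatureName> <path>"
# (signature names contain no spaces, paths may).
detections_from_report() {
    grep -E ' FOUND$' "$1" | sed -E 's/^(.*): ([^ ]+) FOUND$/\2 \1/'
}

# Number of FOUND lines in a report (0 when there are none).
count_detections() {
    grep -c ' FOUND$' "$1" || true
}

# Run the scheduled scan and return clamdscan's own exit status so that cron
# mail or a monitoring agent can act on it.
run_scan() {
    local report rc=0
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/clamdscan-$(date +%Y%m%d-%H%M).log"
    # --fdpass: this script (running as root from cron) opens each file and hands
    #           the descriptor to clamd over the local socket, so clamd's own
    #           unprivileged user does not need read access to the files.
    # --infected: only report hits, which keeps the report to FOUND lines and
    #           the summary. nice keeps the scan out of the CPU foreground.
    nice clamdscan --fdpass --infected --log="$report" $SCAN_DIRS || rc=$?
    case "$(scan_status_name "$rc")" in
        clean)
            logger -t clamav-scan -p auth.info "scan clean, report $report" ;;
        infected)
            logger -t clamav-scan -p auth.warning "$(count_detections "$report") detections, report $report"
            detections_from_report "$report" | logger -t clamav-scan -p auth.warning ;;
        *)
            logger -t clamav-scan -p auth.err "clamdscan exited $rc, see $report" ;;
    esac
    return "$rc"
}

if [ "${1:-}" = run ]; then
    run_scan
else
    echo "usage: $0 run" >&2
fi
```

Keep the report directory root-only: the paths in it tell an attacker exactly which of their files were noticed. Note that ''--fdpass'' requires clamd to listen on a local Unix socket, not a TCP socket, and that exit status 1 means findings rather than a failure of the scan itself.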
One-off system scan of /home using clamdscan
<code bash>
/usr/bin/time nice clamdscan --fdpass --log=/root/clamdscan-report-$(date +%Y%m%d) /home
</code>

  * /usr/bin/time => times how long the scan takes
  * nice => runs the scan at reduced CPU priority
  * --fdpass => clamdscan opens each file itself and passes the open file descriptor to clamd over the local socket, so clamd can scan files that its own non-privileged user could not read. Use it when clamd runs as a different user than the one launching the scan (it requires a local Unix socket, not a TCP socket).
  * --log=/root/clamdscan-report-$(date +%Y%m%d) => write the report to this file

----

===== Scan Regularly with clamdscan =====

To scan systems regularly, use clamdscan and either

  * Enable on access scanning
  * Create a cron job to launch clamdscan

Example: Enable on access scanning

  * FIXME -> Show this example

Example: Create a cron job to launch clamdscan

  * FIXME -> Show this example

----

===== Whitelist Files/Signatures =====

Whitelisting files or signatures makes ClamAV ignore them during scans. \\
Both kinds of whitelist file live in the database directory (/var/lib/clamav) and are loaded like any other signature file, so the running clamd must be restarted or reloaded (''clamdscan --reload'') before it honours a change.

==== Whitelist a File ====

To whitelist a file:

  * Generate an MD5 signature for the file and append it to the file whitelist
<code bash>
sigtool --md5 /data/testfile >> /var/lib/clamav/whitelist-files.fp
</code>
  * The entry will look like this
<code bash>
cat /var/lib/clamav/whitelist-files.fp
d41d8cd98f00b204e9800998ecf8427e:0:testfile
</code>
  * Fields are -> MD5sum:Filesize:Comment

An entry matches on content, not on path: any file with that MD5 and size is ignored wherever it lives, and the entry stops matching as soon as the file changes. (The entry shown above is the hash of an empty file, so it would whitelist every empty file.)

==== Whitelist a Signature ====

Whitelisting a signature should be performed with caution, as it silences that detection for every file on the system, legitimate malware included.

To whitelist a signature, add the signature name, one per line:

  * Edit the signature whitelist file
<code bash>
vim /var/lib/clamav/whitelist-signatures.ign2
</code>
<code>
Signature.Ignore-1
</code>

----
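The ''.fp'' whitelist is just text in ''MD5sum:Filesize:Comment'' form, which makes it easy to generate on a host without ''sigtool'' and easy to break with a stray edit (clamd refuses to load a malformed database file). The script below is an added example (not from the wiki page or the ClamAV project) that builds an entry with ''md5sum'' in exactly the form ''sigtool --md5'' produces, appends it without duplicating an existing line, validates the whole file before the daemon sees it, and then asks clamd to reload. The whitelist path is the one used on this page; the files it is run against are assumptions.

```shell
#!/bin/bash
# Added example, not part of the wiki page or ClamAV: maintain a .fp file
# whitelist and reload clamd so the change takes effect.
set -u

WHITELIST="${WHITELIST:-/var/lib/clamav/whitelist-files.fp}"

# Print the .fp entry for a file: MD5 of the contents, size in bytes, and the
# file's basename as the comment (the same three fields sigtool --md5 emits).
fp_entry() {
    local f="$1" md5 size
    md5=$(md5sum "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    printf '%s:%s:%s\n' "$md5" "$size" "$(basename "$f")"
}

# Check every line of a .fp file: 32 hex characters, a decimal size, a comment
# without colons, and an optional trailing minimum functionality level. Prints
# any offending lines with their line numbers and fails if there are any.
validate_fp() {
    grep -Env '^[0-9a-fA-F]{32}:[0-9]+:[^:]+(:[0-9]+)?$' "$1" && return 1
    return 0
}

# Append an entry for FILE unless an identical line is already present, refuse
# to continue if the whitelist is malformed, then reload clamd. clamd reads the
# database directory only at start-up and on reload; clamscan picks the entry
# up on its next run without this.
whitelist_file() {
    local entry
    entry=$(fp_entry "$1")
    if ! grep -qxF "$entry" "$WHITELIST" 2>/dev/null; then
        printf '%s\n' "$entry" >> "$WHITELIST"
    fi
    if ! validate_fp "$WHITELIST"; then
        echo "malformed entries in $WHITELIST (listed above); fix them before reloading clamd" >&2
        return 1
    fi
    if command -v clamdscan >/dev/null 2>&1; then
        clamdscan --reload
    fi
    echo "whitelisted: $entry"
}

if [ $# -ge 1 ] && [ -f "$1" ]; then
    whitelist_file "$1"
else
    echo "usage: $0 /path/to/file-to-whitelist" >&2
fi
```

Whitelist entries are worth tracking in configuration management rather than editing in place, and the comment field is the place to record why the file was exempted; a hash alone tells the next administrator nothing.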