General Information
ClamAV is “an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats.”
Checklist
Installing ClamAV.
yum install clamav
yum install clamav clamav-update
yum install clamd
yum install clamav-scanner-systemd
Configuring ClamAV.
Virus definition updater for ClamAV.
/etc/freshclam.conf - Ensure Database Mirrors are correct
DatabaseMirror db.us.clamav.net
DatabaseMirror db.local.clamav.net
If you have a Squid proxy
HTTPProxyServer myserverhostname
HTTPProxyPort 3128
Run manual virus updates
freshclam -v
Using ClamAV.
ClamAV software runs as non-privileged user(s).
Freshclam is NOT a service. It is run via a daily cron script.
Clamd (the scanning daemon) is run as a service. It does not scan anything by itself unless “on access scanning” is enabled.
Clamd service management, EL 6 versus EL 7:
                                           EL 6                     EL 7
Enable on boot (service is enabled on boot) chkconfig clamd on      systemctl enable clamd@scan
Service status                             service clamd status     systemctl status clamd@scan
Service start                              service clamd start      systemctl start clamd@scan
Service stop                               service clamd stop       systemctl stop clamd@scan
Log files are located:
Clamscan is the utility that scans files and directories for viruses.
Scan a single file
clamscan myfile
Scan the current working directory
clamscan
Scan a directory recursively
clamscan -r /home/rjones
Scan a stream
cat myfile | clamscan -
Clamscan return codes
The clamd service allows for faster scanning of directories and files.
One off system scan of /home using clamdscan
/usr/bin/time nice clamdscan --fdpass --log=/root/clamdscan-report-$(date +%Y%m%d) /home
To scan systems regularly, use clamdscan and either enable on access scanning or create a cron job that launches clamdscan:
Example: Enable on access scanning
Example: Create a cron to launch clamdscan
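As an added example (not part of the original page), a daily cron script that wraps the clamdscan invocation shown above: it writes a dated log like the one-off command, maps the scanner's exit status to a result word (0 = clean, 1 = virus found, anything else = error, as the clamdscan man page documents) and records it at the end of the log. It assumes clamdscan is on PATH, clamd@scan is running, and that /var/log/clamav (an assumed location) is writable by root.

```shell
#!/bin/sh
# Added example, not from the original page: a cron.daily wrapper around clamdscan.
# Assumptions: clamd@scan is running, clamdscan is on PATH, LOG_DIR is writable by root.

SCAN_TARGET="${SCAN_TARGET:-/home}"
LOG_DIR="${LOG_DIR:-/var/log/clamav}"      # assumed location; adjust to local policy
CLAMDSCAN="${CLAMDSCAN:-clamdscan}"

# clamscan/clamdscan exit status: 0 = no virus found, 1 = virus found, 2 = error.
classify_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Scan one path through the clamd daemon, logging to a dated file as the one-off command does.
# Returns the scanner's own exit status so cron (or a caller) can act on it.
run_daily_scan() {
    target="$1"
    logfile="$LOG_DIR/clamdscan-$(date +%Y%m%d).log"
    mkdir -p "$LOG_DIR"
    rc=0
    # --fdpass hands open file descriptors to clamd, so the non-privileged clamd user can
    # read files it could not open itself; --infected keeps the log to hits only.
    nice "$CLAMDSCAN" --fdpass --infected --log="$logfile" "$target" >/dev/null 2>&1 || rc=$?
    result=$(classify_exit "$rc")
    echo "$(date '+%Y-%m-%d %H:%M:%S') clamdscan $target finished: $result (exit $rc)" >> "$logfile"
    # A non-zero exit surfaces infections and errors through cron's mail / the journal.
    return "$rc"
}

# When given a path on the command line (as cron would), scan it; otherwise only define functions.
[ $# -gt 0 ] && run_daily_scan "$1"
```

Install it as, for example, /usr/local/sbin/clamdscan-daily and call it from root's crontab as `clamdscan-daily /home`; because the script exits with clamdscan's status, a line that returns 1 shows up as cron mail without any extra plumbing.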
Whitelisting files/signatures allows for ClamAV to ignore them during scans.
To whitelist a file:
sigtool --md5 /data/testfile >> /var/lib/clamav/whitelist-files.fp
cat /var/lib/clamav/whitelist-files.fp
d41d8cd98f00b204e9800998ecf8427e:0:testfile
Whitelisting a signature should be performed with caution, as it has the potential to ignore legitimate viruses.
To whitelist a signature, add the signature name to the .ign2 file (one signature name per line):
vim /var/lib/clamav/whitelist-signatures.ign2
Signature.Ignore-1
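An added example (not from the original page): a small shell helper that produces the same MD5:size:name line that `sigtool --md5` writes for the file whitelist, and refuses to append an entry that is already present, so repeated runs do not grow the .fp file. The whitelist path is the page's; md5sum, wc and basename are assumed to be the coreutils versions.

```shell
#!/bin/sh
# Added example, not part of the original page: build whitelist-files.fp entries without sigtool.
# A .fp line is MD5:filesize:signature-name, the format "sigtool --md5 FILE" emits.
# Assumes GNU coreutils (md5sum, wc, basename).

WHITELIST_DB="${WHITELIST_DB:-/var/lib/clamav/whitelist-files.fp}"

# Print the .fp entry for one file; the signature name defaults to the file's basename.
fp_entry() {
    file="$1"
    name="${2:-$(basename "$file")}"
    sum=$(md5sum "$file" | cut -d' ' -f1)
    size=$(wc -c < "$file" | tr -d ' ')
    printf '%s:%s:%s\n' "$sum" "$size" "$name"
}

# Append the entry to the whitelist unless an identical line is already there.
# Returns 0 when added, 1 when it was already present, 2 when the file cannot be read.
whitelist_file() {
    file="$1"
    db="${2:-$WHITELIST_DB}"
    [ -r "$file" ] || return 2
    entry=$(fp_entry "$file")
    if [ -f "$db" ] && grep -qxF -- "$entry" "$db"; then
        return 1
    fi
    printf '%s\n' "$entry" >> "$db"
}
```

Because the hash covers the whole file, any change to the whitelisted file invalidates the entry, which is the intended behaviour. Clamd reads the database directory at startup and on its periodic self-check, so after editing the whitelist either wait for that check or ask the daemon to reload (`clamdscan --reload`).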