Clamav

General Information

ClamAV is “an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats.”

Official Site: http://www.clamav.net/index.html
Virus Database Mail List Archives: http://www.gossamer-threads.com/lists/clamav/virusdb/
User Mailing List Archives: http://www.gossamer-threads.com/lists/clamav/users/

Checklist

Distro(s): Enterprise Linux 6
Repo: EPEL

Installation

Installing ClamAV.

Add the EPEL repo.
Install ClamAV Scanner and Auto Updater (Freshclam)
- EL 6
```
yum install clamav
```
- EL 7
```
yum install clamav clamav-update
```

Install ClamAV's Scanning Daemon (clamd)

EL 6
```
yum install clamd
```
EL 7
```
yum install clamav-scanner-systemd
```

Configuration

Configuring ClamAV.

freshclam

Virus definition updater for ClamAV.

Config: /etc/freshclam.conf
Daily Cron: /etc/cron.daily/freshclam

/etc/freshclam.conf - Ensure Database Mirrors are correct

DatabaseMirror db.us.clamav.net
DatabaseMirror db.local.clamav.net

If you have a Squid proxy

HTTPProxyServer myserverhostname
HTTPProxyPort 3128

Run manual virus updates

freshclam -v

Operation

Using ClamAV.

Application Users

ClamAV software runs as non-privileged user(s).

EL 6

Freshclam runs as: clam
Clamd runs as: clam

EL 7

Freshclam runs as: clamupdate
Clamd runs as: clamscan

Service

Freshclam is NOT a service. It is run via a daily cron script.

Clamd (the scanning daemon) is run as a service. It does not scan anything by itself unless “on access scanning” is enabled.

To scan certain directories regularly, either enable on access scanning, or create a cron that runs clamdscan against directories.

Enable On Boot

Service is enabled on boot

EL6
```
chkconfig clamd on
```
EL7
```
systemctl enable clamd@scan
```

Service Status

EL6
```
service clamd status
```
EL7
```
systemctl status clamd@scan
```

Service Start

EL6
```
service clamd start
```
EL7
```
systemctl start clamd@scan
```

Service Stop

EL6
```
service clamd stop
```
EL7
```
systemctl stop clamd@scan
```

Log Files

Log files are located:

Freshclam
- EL 6: /var/log/clamav/freshclam.log
- EL 7: /var/log/freshclam.log
Clamd
- EL 6: /var/log/clamav/clamd.log
- EL 7: /var/log/clamd.scan

Other Files

Freshclam (Virus Definitions Database Updater)
- Application: freshclam (/usr/bin/freshclam)
- Configuration: /etc/freshclam.conf
- Auto Update job: /etc/cron.daily/freshclam

Scanning Daemon (clamd)
- Configuration:
  - EL 6: /etc/clamd.conf
  - EL 7: /etc/clamd.d/scan.conf

ClamAV Databases: /var/lib/clamav
- bytecode.cvd - detailed bytecode signatures database for virus detection
- daily.cld - daily definition database from deltas build throughout the day
- main.cvd - main database of definitions

clamscan

Clamscan is the utility that scans files and directories for viruses.

Scan a single file

clamscan myfile

Scan the current working directory

clamscan

Scan a directory recursively

clamscan -r /home/rjones

Scan a stream

cat myfile | clamscan -

Clamscan return codes

0 ⇒ no virus found
1 ⇒ virus(es) found
2 ⇒ Some error(s) occured

clamdscan

The clamd service allows for faster scanning of directories and files.

One off system scan of /home using clamdscan

/usr/bin/time nice clamdscan --fdpass --log=/root/clamdscan-report-$(date +%Y%m%d) /home

/usr/bin/time ⇒ Times how long the scan takes
nice ⇒ Less CPU priority for the scan
–fdpass ⇒ Pass file descriptor permissions to clamd (allows for a faster scan when clamd is running as a different user)
–log=/root/clamdscan-report-$(date +%Y%m%d) ⇒ Create log file here

Scan Regularly with clamdscan

To scan systems regularly, use clamdscan and either

Enable on access scanning
Create a cron to launch clamdscan

Example: Enable on access scanning

→ Show this example

Example: Create a cron to launch clamdscan

→ Show this example

Whitelist Files/Signatures

Whitelisting files/signatures allows for ClamAV to ignore them during scans.

Whitelist a File

To whitelist a file:

Generate a md5 signature for the file and append it to the file whitelist

sigtool --md5 /data/testfile >> /var/lib/clamav/whitelist-files.fp

The entry will look like this

cat /var/lib/clamav/whitelist-files.fp
 
d41d8cd98f00b204e9800998ecf8427e:0:testfile

Fields are → MD5sum:Filesize:Comment

Whitelist a Signature

Whitelisting a signature should be performed with caution, as it has the potential to ignore legitimate virus's.

To whitelist a signature and add the signature name:

Edit the signature white list file

vim /var/lib/clamav/whitelist-signatures.ign2
 
Signature.Ignore-1

Table of Contents