
Clamav

General Information

ClamAV is “an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats.”

Checklist

  • Distro(s): Enterprise Linux 6
  • Repo: EPEL

Installation

Installing ClamAV.

  • Add the EPEL repo.
  • Install ClamAV Scanner and Auto Updater (Freshclam)
    • EL 6
      yum install clamav
    • EL 7
      yum install clamav clamav-update
  • Install ClamAV's Scanning Daemon (clamd)
    • EL 6
      yum install clamd
    • EL 7
      yum install clamav-scanner-systemd

Configuration

Configuring ClamAV.

Freshclam is the virus definition updater for ClamAV.

  • Config: /etc/freshclam.conf
  • Daily Cron: /etc/cron.daily/freshclam

/etc/freshclam.conf - Ensure Database Mirrors are correct

DatabaseMirror db.us.clamav.net
DatabaseMirror db.local.clamav.net

If updates have to go out through a Squid proxy, add the proxy settings:

HTTPProxyServer myserverhostname
HTTPProxyPort 3128

Run manual virus updates

freshclam -v

Operation

Using ClamAV.

ClamAV software runs as non-privileged user(s):

EL 6

  • Freshclam runs as: clam
  • Clamd runs as: clam

EL 7

  • Freshclam runs as: clamupdate
  • Clamd runs as: clamscan

Freshclam is NOT a service. It is run via a daily cron script.

Clamd (the scanning daemon) runs as a service. It does not scan anything by itself unless “on-access scanning” is enabled.

  • To scan certain directories regularly, either enable on-access scanning, or create a cron job that runs clamdscan against those directories.

Enable On Boot

Service is enabled on boot

  • EL6
    chkconfig clamd on
  • EL7
    systemctl enable clamd@scan

Service Status

  • EL6
    service clamd status
  • EL7
    systemctl status clamd@scan

Service Start

  • EL6
    service clamd start
  • EL7
    systemctl start clamd@scan

Service Stop

  • EL6
    service clamd stop
  • EL7
    systemctl stop clamd@scan

Log files are located:

  • Freshclam
    • EL 6: /var/log/clamav/freshclam.log
    • EL 7: /var/log/freshclam.log
  • Clamd
    • EL 6: /var/log/clamav/clamd.log
    • EL 7: /var/log/clamd.scan

Other file locations:

  • Freshclam (Virus Definitions Database Updater)
    • Application: freshclam (/usr/bin/freshclam)
    • Configuration: /etc/freshclam.conf
    • Auto Update job: /etc/cron.daily/freshclam
  • Scanning Daemon (clamd)
    • Configuration:
      • EL 6: /etc/clamd.conf
      • EL 7: /etc/clamd.d/scan.conf
  • ClamAV Databases: /var/lib/clamav
    • bytecode.cvd - bytecode signature database used for virus detection
    • daily.cld - daily definition database, built from the deltas released throughout the day
    • main.cvd - main database of definitions
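Because freshclam is only a daily cron script, nothing alerts you when it silently stops working (cron disabled, mirror or proxy unreachable) and clamd keeps scanning with old signatures. The following check, an added example that is not part of the wiki page, looks at the modification times of the database files listed above. The directory defaults to /var/lib/clamav from the page; the two-day threshold and the exit-code convention are assumptions.

```sh
#!/bin/sh
# Added example, not from the wiki page: verify that the daily freshclam cron
# job is actually keeping the ClamAV database directory current. Exit codes:
# 0 = fresh, 1 = at least one database older than MAX days, 2 = no daily
# database at all. Defaults below are assumptions, not page facts.

DB_DIR_DEFAULT=/var/lib/clamav   # page: ClamAV Databases live here
MAX_AGE_DEFAULT=2                # days; freshclam runs daily, so >2 days means trouble

# List ClamAV database files (*.cvd, *.cld) in DIR whose mtime is older than MAX days.
stale_databases() {
    dir=${1:-$DB_DIR_DEFAULT}
    max=${2:-$MAX_AGE_DEFAULT}
    find "$dir" -maxdepth 1 -type f \( -name '*.cvd' -o -name '*.cld' \) -mtime +"$max" 2>/dev/null | sort
}

# Report whether the definitions are current; messages go to stderr so cron mails them.
check_definitions() {
    dir=${1:-$DB_DIR_DEFAULT}
    max=${2:-$MAX_AGE_DEFAULT}
    # daily.cld (deltas built through the day) or a full daily.cvd must exist at all
    if [ ! -f "$dir/daily.cld" ] && [ ! -f "$dir/daily.cvd" ]; then
        echo "no daily database in $dir: run 'freshclam -v' and check the freshclam log" >&2
        return 2
    fi
    stale=$(stale_databases "$dir" "$max")
    if [ -n "$stale" ]; then
        echo "stale definitions in $dir (older than $max days):" >&2
        echo "$stale" >&2
        return 1
    fi
    echo "definitions in $dir were updated within the last $max days"
    return 0
}

# Run the check when executed directly (assumed script name clamav-defs-check).
case "$0" in
    */clamav-defs-check|clamav-defs-check) check_definitions "$@" ;;
esac
```

Dropping the script into /etc/cron.daily (or calling check_definitions from a monitoring agent) turns a silent freshclam failure into a non-zero exit and a stderr message, which cron mails to root.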

Clamscan is the utility that scans files and directories for viruses.

Scan a single file

clamscan myfile

Scan the current working directory

clamscan

Scan a directory recursively

clamscan -r /home/rjones

Scan a stream

cat myfile | clamscan -

Clamscan return codes

  • 0 ⇒ no virus found
  • 1 ⇒ virus(es) found
  • 2 ⇒ Some error(s) occurred

The clamd service allows for faster scanning of directories and files: clamdscan hands the work to the already running clamd, which keeps the signature database loaded in memory instead of reloading it on every clamscan run.

One off system scan of /home using clamdscan

/usr/bin/time nice clamdscan --fdpass --log=/root/clamdscan-report-$(date +%Y%m%d) /home

  • /usr/bin/time ⇒ Times how long the scan takes
  • nice ⇒ Runs the scan at a lower CPU priority
  • --fdpass ⇒ Pass the open file descriptors to clamd over its socket (allows for a faster scan when clamd is running as a different user, since clamd does not need permission to open the files itself)
  • --log=/root/clamdscan-report-$(date +%Y%m%d) ⇒ Write the scan report to a dated log file

To scan systems regularly, use clamdscan and either

  • Enable on access scanning
  • Create a cron to launch clamdscan

Example: Enable on access scanning

  • FIXME → Show this example

Example: Create a cron to launch clamdscan

  • FIXME → Show this example
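As an added example (not from the wiki page, and not the on-access variant), here is what the cron version can look like: a cron.daily wrapper that runs clamdscan with the same --fdpass and dated --log options as the one-off scan above, and maps the return codes listed earlier (0 clean, 1 infected, 2 error) to a syslog line and a non-zero exit so the run is visible to monitoring. The script name clamdscan-dirs, the report directory and the SCAN_DIRS default are assumptions.

```sh
#!/bin/sh
# Added example, not code from the wiki page: a cron.daily wrapper that scans
# a list of directories through clamd with clamdscan, keeps a dated report per
# directory and turns the scanner's exit status (0 clean, 1 infected, 2 error)
# into a syslog line that a log monitor can alert on.
# Assumed install path: /etc/cron.daily/clamdscan-dirs (run-parts invokes it
# by full path). REPORT_DIR and the script name are assumptions, not page facts.

SCAN_DIRS="${SCAN_DIRS:-/home}"               # space separated list of directories
REPORT_DIR="${REPORT_DIR:-/var/log/clamav}"   # dated reports go here (assumed location)
CLAMDSCAN="${CLAMDSCAN:-/usr/bin/clamdscan}"  # overridable so the logic can be tested

# Translate a clamscan/clamdscan exit status into a one-word verdict.
verdict_for_rc() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Number of hits in a report: clamdscan prints one "<path>: <signature> FOUND" per infected file.
count_found() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c ' FOUND$' "$1" || true   # grep -c prints 0 but exits 1 when nothing matches
}

# Send a summary line to syslog, or to stderr when logger is unavailable.
log_line() {
    logger -t clamdscan-cron "$*" 2>/dev/null || echo "$*" >&2
}

# Scan one directory. Prints "<verdict> <hits> <report>" and returns the scanner's status.
scan_dir() {
    dir=$1
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/clamdscan-$(printf '%s' "${dir#/}" | tr '/' '_')-$(date +%Y%m%d).log"
    : > "$report"   # start today's report from empty
    rc=0
    # --fdpass hands the open file descriptors to clamd over its socket, so the
    # unprivileged clamd user does not need permission to open the files itself;
    # --infected keeps only FOUND lines in the report.
    "$CLAMDSCAN" --fdpass --infected --log="$report" "$dir" >/dev/null 2>&1 || rc=$?
    echo "$(verdict_for_rc "$rc") $(count_found "$report") $report"
    return "$rc"
}

# Scan every directory and exit with the worst status seen, so run-parts mail reflects it.
main() {
    worst=0
    for d in $SCAN_DIRS; do
        rc=0
        summary=$(scan_dir "$d") || rc=$?
        log_line "$d: $summary (rc=$rc)"
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Only run the scan when invoked as the installed cron script; sourcing the file
# elsewhere (for instance to test the functions) defines the functions only.
case "$0" in
    */clamdscan-dirs|clamdscan-dirs) renice -n 10 -p "$$" >/dev/null 2>&1; main ;;
esac
```

Install it as /etc/cron.daily/clamdscan-dirs, make it executable, and set SCAN_DIRS in the script to the directories you care about. The renice takes the place of the nice prefix in the one-off command, and a non-zero exit from run-parts is what makes the daily mail (or your log monitor's rule on the clamdscan-cron tag) show an infected or failed scan rather than burying it in a report file nobody reads.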

Whitelisting files or signatures makes ClamAV ignore them during scans.

To whitelist a file:

  • Generate an MD5 signature for the file and append it to the file whitelist
    sigtool --md5 /data/testfile >> /var/lib/clamav/whitelist-files.fp
    • The entry will look like this
      cat /var/lib/clamav/whitelist-files.fp

      d41d8cd98f00b204e9800998ecf8427e:0:testfile
      • Fields are → MD5sum:Filesize:Comment


Whitelisting a signature should be performed with caution, as it has the potential to ignore real malware that matches that signature.

To whitelist a signature, add the signature name to the signature whitelist:

  • Edit the signature whitelist file
    vim /var/lib/clamav/whitelist-signatures.ign2

    Signature.Ignore-1
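The two whitelists above are plain text files with a fixed format, so they can be maintained from a script. The block below is an added example, not code from the wiki page or from ClamAV: it builds whitelist-files.fp entries in the same MD5sum:Filesize:Comment layout that sigtool --md5 produces (using md5sum and wc instead of sigtool), validates them, and appends signature names to the .ign2 file, refusing duplicates in both cases. The file names come from the page; the function names and the Eicar-Test-Signature sample name are illustrative.

```sh
#!/bin/sh
# Added example, not from the wiki page: maintain the two ClamAV whitelists
# (whitelist-files.fp with MD5sum:Filesize:Comment lines, and
# whitelist-signatures.ign2 with one signature name per line) from a script.
# Nothing here touches /var/lib/clamav unless you pass that path.

# Print the .fp entry for one file: md5:size:basename, the layout sigtool --md5 emits.
fp_entry() {
    f=$1
    [ -f "$f" ] || { echo "fp_entry: $f is not a regular file" >&2; return 2; }
    sum=$(md5sum "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    echo "$sum:$size:$(basename "$f")"
}

# Validate an .fp line: 32 lowercase hex digits, a decimal size and a non-empty comment.
fp_valid() {
    echo "$1" | grep -Eq '^[0-9a-f]{32}:[0-9]+:.+$'
}

# Append the file's entry to the .fp whitelist unless that hash is already listed.
# Returns 0 when added, 1 when already present, 2 on a bad input file.
# The hash covers the exact content, so any later change to the file voids the entry.
whitelist_file() {
    f=$1; wl=$2
    entry=$(fp_entry "$f") || return 2
    sum=${entry%%:*}
    if [ -f "$wl" ] && grep -q "^$sum:" "$wl"; then
        return 1
    fi
    echo "$entry" >> "$wl"
}

# Append a signature name to the .ign2 list unless already present.
# Names are restricted to the characters ClamAV signature names use, so a stray
# shell fragment or path cannot end up in the file. Same return codes as above.
ignore_signature() {
    sig=$1; ign=$2
    echo "$sig" | grep -Eq '^[A-Za-z0-9._-]+$' || { echo "ignore_signature: bad name '$sig'" >&2; return 2; }
    if [ -f "$ign" ] && grep -Fxq "$sig" "$ign"; then
        return 1
    fi
    echo "$sig" >> "$ign"
}

# Usage (assumed paths from the page):
#   whitelist_file /data/testfile /var/lib/clamav/whitelist-files.fp
#   ignore_signature Eicar-Test-Signature /var/lib/clamav/whitelist-signatures.ign2
```

Because the .fp entry is an exact MD5 of the content, the whitelist stops applying the moment the file changes, which is the property you want: a later trojaned copy of a "known good" binary is not silently exempted. After editing either file, restart clamd (or wait for its periodic self-check) so the running daemon picks up the change, and keep the .ign2 list short and reviewed, since each name in it disables a detection everywhere on the host.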

  • linux_wiki/clamav.txt
  • Last modified: 2019/05/26 03:50