linux_wiki:clamav

linux_wiki:clamav [2018/04/09 00:46]
billdozor [Service]
linux_wiki:clamav [2019/05/25 23:50]
====== Clamav ======

**General Information**

ClamAV is "an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats."

  * Official Site: [[http://www.clamav.net/index.html]]
  * Virus Database Mail List Archives: http://www.gossamer-threads.com/lists/clamav/virusdb/
  * User Mailing List Archives: http://www.gossamer-threads.com/lists/clamav/users/

**Checklist**
  * Distro(s): Enterprise Linux 6 and 7 (package names, service users and file paths differ between the two; both are given below)
  * Repo: EPEL

----

====== Installation ======

Installing ClamAV from EPEL. On EL 6 installing clamav also brings in freshclam; on EL 7 freshclam is packaged separately as clamav-update, and the daemon package also installs the systemd unit.

  * Add the [[linux_wiki:repos#epel|EPEL repo]].
  * Install the ClamAV command-line scanner (clamscan) and the virus definition updater (freshclam)
    * EL 6<code bash>yum install clamav</code>
    * EL 7<code bash>yum install clamav clamav-update</code>
  * Install ClamAV's scanning daemon (clamd) and its client (clamdscan)
    * EL 6<code bash>yum install clamd</code>
    * EL 7<code bash>yum install clamav-scanner-systemd</code>

====== Configuration ======

Configuring ClamAV. Both freshclam and clamd ship with sample configs that must be edited before the programs will run at all (see the "Example" line below); the edits are the same on every host, so script them rather than hand-edit.

----

===== freshclam =====

Virus definition updater for ClamAV.
    * Config: /etc/freshclam.conf
    * Cron job:
      * EL 6: /etc/cron.daily/freshclam (daily)
      * EL 7: /etc/cron.d/clamav-update (every three hours); it ships disabled and does nothing until the "FRESHCLAM_DELAY=disabled-warn" line is removed from /etc/sysconfig/freshclam

/etc/freshclam.conf - The sample config contains a line that reads just "Example", and freshclam refuses to run while it is present; comment it out or delete it. Then ensure the database mirrors are correct. Mirrors are tried in the order listed: db.us.clamav.net is the US mirror pool, db.local.clamav.net is the placeholder from the sample config and should be replaced with the pool for your country (db.XY.clamav.net, XY being the two-letter country code), and database.clamav.net is the generic default that works from anywhere, so it makes a sensible last entry.
<code bash>
DatabaseMirror db.us.clamav.net
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
</code>

If you have a Squid proxy (or any other HTTP proxy)
<code bash>
HTTPProxyServer myserverhostname
HTTPProxyPort 3128
</code>

Run manual virus updates. Running it as root is fine: freshclam drops privileges to the database owner (clam on EL 6, clamupdate on EL 7) before it writes anything, and a successful run is the quickest check that the mirror and proxy settings work.
<code bash>
freshclam -v
</code>

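The edits above (disabling the "Example" line, setting the DatabaseMirror list, adding the proxy) as an idempotent script, including the matching fix for /etc/clamd.d/scan.conf that clamd@scan needs on EL 7. This is an added example, not part of the original page or of ClamAV; the function names, the sample config text and the temp-directory paths are this example's own assumptions, and db.us.clamav.net is the page's mirror choice rather than a general recommendation.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of ClamAV: scripted, idempotent
# edits to freshclam.conf and clamd.d/scan.conf. Function names, the sample
# config text and the temp-directory paths are this example's own assumptions.

# Portable stand-in for "sed -i": rewrite FILE with SED_EXPR via a temp file and
# copy the result back with cat, so the config keeps its owner and mode.
rewrite() {
    tmp="$1.tmp.$$"
    if sed "$2" "$1" > "$tmp"; then cat "$tmp" > "$1"; fi
    rm -f "$tmp"
}

# The sample configs ship with a line reading just "Example"; freshclam and
# clamd refuse to run while it is active. Comment it out.
disable_example() {
    rewrite "$1" 's/^Example[[:space:]]*$/#Example/'
}

# set_directive CONF KEY VALUE: replace an active or commented KEY line, or
# append one. KEY is matched as a whole word (LocalSocket != LocalSocketGroup).
# VALUE must not contain '|', '&' or '\' (sed replacement metacharacters).
set_directive() {
    conf=$1 key=$2 value=$3
    pat="^#\{0,1\}[[:space:]]*$key\([[:space:]].*\)\{0,1\}\$"
    if grep -q "$pat" "$conf"; then
        rewrite "$conf" "s|$pat|$key $value|"
    else
        printf '%s %s\n' "$key" "$value" >> "$conf"
    fi
}

# set_mirrors CONF MIRROR...: DatabaseMirror is multi-valued and tried in
# order, so drop every existing (active or commented) copy and write the list.
set_mirrors() {
    conf=$1; shift
    rewrite "$conf" "/^#\{0,1\}[[:space:]]*DatabaseMirror\([[:space:]].*\)\{0,1\}\$/d"
    for m in "$@"; do printf 'DatabaseMirror %s\n' "$m" >> "$conf"; done
}

# Print the active DatabaseMirror values, one per line, in order.
active_mirrors() {
    sed -n 's/^DatabaseMirror[[:space:]]*//p' "$1"
}

# 0 if CONF has no active Example line and at least one active mirror, the
# two things freshclam needs before it will run at all; else 1.
freshclam_conf_ok() {
    ! grep -q '^Example[[:space:]]*$' "$1" && [ -n "$(active_mirrors "$1")" ]
}

# prepare_freshclam CONF [PROXYHOST [PROXYPORT]]
prepare_freshclam() {
    disable_example "$1"
    set_mirrors "$1" db.us.clamav.net database.clamav.net
    if [ -n "${2:-}" ]; then
        set_directive "$1" HTTPProxyServer "$2"
        set_directive "$1" HTTPProxyPort "${3:-3128}"
    fi
}

# EL 7 clamd@scan will not start until /etc/clamd.d/scan.conf has the Example
# line disabled and a LocalSocket (the packaged default, shipped commented out).
prepare_scan_conf() {
    disable_example "$1"
    set_directive "$1" LocalSocket /var/run/clamd.scan/clamd.sock
}

# Constructed sample with the lines that matter from a stock freshclam.conf.
make_sample_freshclam() {
    cat > "$1" <<'EOF'
# Comment or remove the line below.
Example
#DatabaseMirror db.XY.clamav.net
DatabaseMirror database.clamav.net
#HTTPProxyServer myproxy.com
#HTTPProxyPort 1234
EOF
}

# Usage: sh clamav-conf.sh /etc [PROXYHOST [PROXYPORT]] on a host. With no
# arguments it runs against the constructed sample in a temp directory.
if [ $# -gt 0 ]; then
    dir=$1; shift
else
    dir=$(mktemp -d); make_sample_freshclam "$dir/freshclam.conf"
fi
prepare_freshclam "$dir/freshclam.conf" "$@"
if [ -f "$dir/clamd.d/scan.conf" ]; then prepare_scan_conf "$dir/clamd.d/scan.conf"; fi
if freshclam_conf_ok "$dir/freshclam.conf"; then
    echo "$dir/freshclam.conf ready; mirrors: $(active_mirrors "$dir/freshclam.conf" | tr '\n' ' ')"
else
    echo "$dir/freshclam.conf still not runnable: Example line active or no DatabaseMirror"
fi
```

Run it twice and diff the results to confirm it is idempotent before putting it in a config-management run; rewrite() copies through cat on purpose so root:root 0644 on the real files survives the edit.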
----

====== Operation ======

Using ClamAV.

----

===== Application Users =====

ClamAV software runs as non-privileged user(s). Anything scanned through clamd has to be readable by the clamd user unless the client hands over an open file descriptor (see --fdpass under clamdscan below), and signature or whitelist files added to /var/lib/clamav must be readable by the clamd user as well.

**EL 6**
  * Freshclam runs as: clam
  * Clamd runs as: clam

**EL 7**
  * Freshclam runs as: clamupdate
  * Clamd runs as: clamscan

----

===== Service =====

Freshclam is NOT a service. It is run from cron (daily on EL 6; every three hours on EL 7 once enabled in /etc/sysconfig/freshclam).

\\
Clamd (the scanning daemon) is run as a service. It loads the signature databases once and then waits for requests from clients (clamdscan, mail filters, milters); it does not scan anything by itself unless "on access scanning" (ScanOnAccess in clamd's config) is enabled.
  * To scan certain directories regularly, either enable on access scanning, or create a cron that runs clamdscan against directories.
  * On EL 7 the unit is templated: clamd@scan reads /etc/clamd.d/scan.conf. Before the first start, comment out the "Example" line in that file and set LocalSocket (the packaged default /var/run/clamd.scan/clamd.sock is shipped commented out), otherwise the service fails to start.

**Enable On Boot**

Service is enabled on boot
  * EL6<code bash>chkconfig clamd on</code>
  * EL7<code bash>systemctl enable clamd@scan</code>

**Service Status**

  * EL6<code bash>service clamd status</code>
  * EL7<code bash>systemctl status clamd@scan</code>

**Service Start**

  * EL6<code bash>service clamd start</code>
  * EL7<code bash>systemctl start clamd@scan</code>

**Service Stop**

  * EL6<code bash>service clamd stop</code>
  * EL7<code bash>systemctl stop clamd@scan</code>

----

===== Log Files =====

Log files are located:
    * Freshclam
      * EL 6: /var/log/clamav/freshclam.log
      * EL 7: /var/log/freshclam.log
    * Clamd
      * EL 6: /var/log/clamav/clamd.log
      * EL 7: /var/log/clamd.scan

===== Other Files =====

  * **Freshclam (Virus Definitions Database Updater)**
    * Application: freshclam (/usr/bin/freshclam)
    * Configuration: /etc/freshclam.conf
    * Auto Update job:
      * EL 6: /etc/cron.daily/freshclam
      * EL 7: /etc/cron.d/clamav-update (enabled by editing /etc/sysconfig/freshclam)

  * **Scanning Daemon (clamd)**
    * Configuration:
      * EL 6: /etc/clamd.conf
      * EL 7: /etc/clamd.d/scan.conf

  * **ClamAV Databases**: /var/lib/clamav
    * main.cvd - the main signature database; large and replaced only occasionally
    * daily.cvd / daily.cld - the daily signature database. Freshclam downloads incremental updates (cdiff files) and applies them locally, which produces the uncompressed daily.cld in place of the signed daily.cvd
    * bytecode.cvd - bytecode signatures: small compiled detection routines run in ClamAV's bytecode interpreter, for malware that plain pattern signatures cannot express
    * Any extra .fp or .ign2 files placed here (see Whitelist below) are loaded alongside the official databases

----

===== clamscan =====

Clamscan is the stand-alone utility that scans files and directories for viruses. It loads the full signature database from /var/lib/clamav on every run, so it takes a while to start, but it needs no daemon and runs as whoever invokes it.

Scan a single file
<code bash>
clamscan myfile
</code>

Scan the current working directory (files only; subdirectories need -r)
<code bash>
clamscan
</code>

Scan a directory recursively
<code bash>
clamscan -r /home/rjones
</code>

Scan a stream (a lone hyphen makes clamscan read the data from standard input)
<code bash>
cat myfile | clamscan -
</code>

Clamscan return codes (clamdscan uses the same convention, which is what makes both usable from cron jobs and scripts)
  * 0 => no virus found
  * 1 => virus(es) found
  * 2 => Some error(s) occurred

----

===== clamdscan =====

Clamdscan is the client for the clamd service: it sends scan requests over clamd's socket instead of loading the signature database itself, which is what makes it much faster than clamscan for repeated or large scans. It needs clamd running and reachable on the socket configured in clamd's config.

One off system scan of /home using clamdscan<code bash>/usr/bin/time nice clamdscan --fdpass --log=/root/clamdscan-report-$(date +%Y%m%d) /home</code>
  * /usr/bin/time => Times how long the scan takes
  * nice => Lowers the CPU priority of the clamdscan client only. The scanning itself (and the CPU load) happens inside the clamd process, so this does little; renice clamd or schedule the scan off-hours if load matters
  * --fdpass => Open each file in clamdscan and pass the open file descriptor to clamd over the local unix socket. Clamd can then scan files its own unprivileged user (clam / clamscan) cannot read, such as home directories, without copying the contents through the socket the way --stream does and without loosening file permissions. Requires a LocalSocket, not a TCP socket
  * --log=/root/clamdscan-report-$(date +%Y%m%d) => Create log file here
  * Also useful: --multiscan (clamd scans the tree with several threads) and --infected (log only the files that were flagged)

----

===== Whitelist Files/Signatures =====

Whitelisting files/signatures allows for ClamAV to ignore them during scans. Both whitelists are plain text files dropped into the database directory (/var/lib/clamav), where ClamAV loads everything it finds; the file name is free but the extension (.fp or .ign2) selects the format. The files must be readable by the clamd user, and clamd only sees new or edited database files when it reloads: it checks the directory every SelfCheck seconds (600 by default), or immediately on clamdscan --reload or a service restart. Clamscan reads the directory fresh on every run.

\\
==== Whitelist a File ====

To whitelist a file:
  * Generate a md5 signature for the file and append it to the file whitelist<code bash>sigtool --md5 /data/testfile >> /var/lib/clamav/whitelist-files.fp</code>
    * The entry will look like this<code bash>cat /var/lib/clamav/whitelist-files.fp

d41d8cd98f00b204e9800998ecf8427e:0:testfile</code>
      * Fields are -> MD5sum:Filesize:Comment
      * The hash covers the whole file, so the entry stops matching the moment the file changes (the example above is the hash of an empty file, hence size 0). Regenerate the entry after every legitimate update; a changed file being scanned again is the whitelist failing safe

\\
==== Whitelist a Signature ====

Whitelisting a signature should be performed with caution: it silences that detection for every file on the system, not only the one that produced the false positive, so whitelist the file instead unless the signature itself is the problem.

To whitelist a signature, add its exact name as printed in clamscan/clamdscan output (the text between the colon and FOUND, e.g. Eicar-Test-Signature for the EICAR test file), one per line. Signature.Ignore-1 below is a placeholder for a real name:
  * Edit the signature white list file<code bash>vim /var/lib/clamav/whitelist-signatures.ign2

Signature.Ignore-1</code>
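Building and checking both whitelist files from the two sections above, without needing sigtool on the box. This is an added example, not part of the original page or of ClamAV: the .fp and .ign2 line formats are ClamAV's, but the helper names, the validation rules and the constructed sample files are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page or ClamAV: build and sanity-check the
# whitelist files described above without needing sigtool on the box. The
# formats are ClamAV's (.fp: MD5:filesize:comment, .ign2: one signature name
# per line); the helper names and the sample inputs are this example's own.

# MD5 of FILE as 32 hex characters (coreutils md5sum, BSD md5 as fallback).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# fp_entry FILE [COMMENT]: one .fp line in the format sigtool --md5 prints.
# The comment defaults to the basename, as sigtool does.
fp_entry() {
    f=$1 comment=${2:-$(basename "$1")}
    printf '%s:%s:%s\n' "$(file_md5 "$f")" "$(wc -c < "$f" | tr -d ' ')" "$comment"
}

# fp_matches FPFILE FILE: 0 if FILE's current MD5 and size appear in FPFILE,
# i.e. the scanner would skip it; 1 if not. Because the whole file is hashed,
# the entry stops matching as soon as the file changes, which is the safe
# failure mode for a whitelist (a trojaned copy is scanned again).
fp_matches() {
    grep -q "^$(file_md5 "$2"):$(wc -c < "$2" | tr -d ' '):" "$1"
}

# fp_valid FPFILE: 0 if every non-comment line is MD5:size:comment, else print
# the first bad line and return 1. ClamAV refuses to load a database with a
# malformed line, so check before dropping the file into /var/lib/clamav.
fp_valid() {
    bad=$(grep -v -E '^(#|$)' "$1" | grep -v -E '^[0-9a-fA-F]{32}:[0-9]+:.+$' | head -n 1)
    [ -z "$bad" ] && return 0
    echo "bad .fp line: $bad"; return 1
}

# ign2_valid IGN2FILE: conservative check that each line is a bare signature
# name (letters, digits, '.', '_', '-'). Catches the common mistake of pasting
# the whole "/path: Name FOUND" report line instead of just the name.
ign2_valid() {
    bad=$(grep -v -E '^(#|$)' "$1" | grep -v -E '^[A-Za-z0-9._-]+$' | head -n 1)
    [ -z "$bad" ] && return 0
    echo "bad .ign2 line: $bad"; return 1
}

# ign2_from_scan_output: read clamscan/clamdscan output on stdin and print the
# distinct signature names it reported, ready to review and paste into .ign2.
ign2_from_scan_output() {
    sed -n 's/^.*: \(.*\) FOUND$/\1/p' | sort -u
}

# Usage: sh clam-whitelist.sh FILE...  >> /var/lib/clamav/whitelist-files.fp
#        sh clam-whitelist.sh --check whitelist-files.fp
if [ "${1:-}" = --check ]; then
    fp_valid "$2"
elif [ $# -gt 0 ]; then
    for f; do fp_entry "$f"; done
fi
```

Run fp_matches against the whitelisted files from the same cron that runs the scans: an entry that no longer matches means either a legitimate update (regenerate it) or a file that changed when it should not have (investigate before regenerating).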

----
  