linux_wiki:clamav

linux_wiki:clamav [2015/10/08 21:09]
billdozor [clamscan]
linux_wiki:clamav [2019/05/25 23:50] (current)
Line 5: Line 5:
 ClamAV is "an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats." ClamAV is "an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats."
  
-Official Site: [[http://www.clamav.net/index.html]]+  * Official Site: [[http://www.clamav.net/index.html]] 
 +  * Virus Database Mail List Archives: http://www.gossamer-threads.com/lists/clamav/virusdb/ 
 +  * User Mailing List Archives: http://www.gossamer-threads.com/lists/clamav/users/
  
 **Checklist** **Checklist**
-  * Distro: Enterprise Linux 6.x+  * Distro(s): Enterprise Linux 6
   * Repo: EPEL   * Repo: EPEL
  
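Review bot: the checklist still reads "Distro(s): Enterprise Linux 6" even though this revision adds EL 7 install commands, service commands and file paths throughout the page; update it to `  * Distro(s): Enterprise Linux 6, 7` so the header matches the body. Minor: the two mailing-list archive entries are bare URLs while the official site uses the `[[...]]` link syntax on the line above; pick one style for the list.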
Line 15: Line 17:
 ====== Installation ====== ====== Installation ======
  
-Add the EPEL repo +Installing ClamAV.
-<code bash> +
-yum -y install epel-release +
-</code>+
  
-Install ClamAV +  * Add the [[linux_wiki:repos#epel|EPEL repo]]. 
-<code bash> +  * Install ClamAV Scanner and Auto Updater (Freshclam) 
-yum -y install clamav +    * EL 6<code bash>yum install clamav</code
-</code>+    * EL 7<code bash>yum install clamav clamav-update</code> 
 +  * Install ClamAV's Scanning Daemon (clamd) 
 +    * EL 6<code bash>yum install clamd</code> 
 +    * EL 7<code bash>yum install clamav-scanner-systemd</code>
  
 ---- ----
  
 ====== Configuration ====== ====== Configuration ======
 +
 +Configuring ClamAV.
 +
 +----
  
 ===== freshclam ===== ===== freshclam =====
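Review bot: the EL 6 install line `    * EL 6<code bash>yum install clamav</code` is missing the `>` on its closing tag, so DokuWiki never closes that code block and the EL 7 line plus the two clamd bullets will render inside it; change it to `</code>`. The new "Configuring ClamAV." placeholder under Configuration says nothing; either drop it or name the files that get edited (the page later lists /etc/freshclam.conf and the clamd config at /etc/clamd.conf on EL 6 and /etc/clamd.d/scan.conf on EL 7).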
Line 49: Line 55:
 Run manual virus updates Run manual virus updates
 <code bash> <code bash>
-freshclam+freshclam -v
 </code> </code>
  
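Review bot: the manual update example `freshclam -v` does not say which user to run it as; the Application Users section added further down says freshclam runs as clam on EL 6 and clamupdate on EL 7, so tell the reader to run the manual update as that account (for example `sudo -u clamupdate freshclam -v` on EL 7), otherwise the database files written to /var/lib/clamav end up owned by root and the daily cron job running as the service user cannot replace them.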
Line 55: Line 61:
  
 ====== Operation ====== ====== Operation ======
 +
 +Using ClamAV.
 +
 +----
 +
 +===== Application Users =====
 +
 +ClamAV software runs as non-privileged user(s).
 +
 +**EL 6**
 +  * Freshclam runs as: clam
 +  * Clamd runs as: clam
 +
 +**EL 7**
 +  * Freshclam runs as: clamupdate
 +  * Clamd runs as: clamscan
 +
 +----
 +
 +===== Service =====
 +
 +Freshclam is NOT a service. It is run via a daily cron script.
 +
 +\\
 +Clamd (the scanning daemon) is run as a service. It does not scan anything by itself unless "on access scanning" is enabled.
 +  * To scan certain directories regularly, either enable on access scanning, or create a cron that runs clamdscan against directories.
 +
 +**Enable On Boot**
 +
 +Service is enabled on boot
 +  * EL6<code bash>chkconfig clamd on</code>
 +  * EL7<code bash>systemctl enable clamd@scan</code>
 +
 +**Service Status**
 +
 +  * EL6<code bash>service clamd status</code>
 +  * EL7<code bash>systemctl status clamd@scan</code>
 +
 +**Service Start**
 +
 +  * EL6<code bash>service clamd start</code>
 +  * EL7<code bash>systemctl start clamd@scan</code>
 +
 +**Service Stop**
 +
 +  * EL6<code bash>service clamd stop</code>
 +  * EL7<code bash>systemctl stop clamd@scan</code>
 +
 +----
 +
 +===== Log Files =====
 +
 +Log files are located: 
 +    * Freshclam
 +      * EL 6: /var/log/clamav/freshclam.log
 +      * EL 7: /var/log/freshclam.log
 +    * Clamd
 +      * EL 6: /var/log/clamav/clamd.log
 +      * EL 7: /var/log/clamd.scan
 +
 +===== Other Files =====
 +
 +  * **Freshclam (Virus Definitions Database Updater)**
 +    * Application: freshclam (/usr/bin/freshclam)
 +    * Configuration: /etc/freshclam.conf 
 +    * Auto Update job: /etc/cron.daily/freshclam
 +
 +  * **Scanning Daemon (clamd)**
 +    * Configuration:
 +      * EL 6: /etc/clamd.conf
 +      * EL 7: /etc/clamd.d/scan.conf
 +
 +  * **ClamAV Databases**: /var/lib/clamav
 +    * bytecode.cvd - detailed bytecode signatures database for virus detection
 +    * daily.cld - daily definition database from deltas build throughout the day
 +    * main.cvd - main database of definitions
 +
 +----
  
 ===== clamscan ===== ===== clamscan =====
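Review bot: the Service section tells the reader to run `chkconfig clamd on` / `systemctl enable clamd@scan` and then start the daemon, but the Configuration section above it is still just "Configuring ClamAV."; add at least a pointer to the clamd configuration file named under Other Files (/etc/clamd.conf on EL 6, /etc/clamd.d/scan.conf on EL 7) and say what must be set there before the first start, otherwise a reader following the page top to bottom starts clamd with an unconfigured scan.conf. Two smaller items: the "Log files are located:" list is indented one level deeper (4 spaces) than every other list in this section, and "from deltas build throughout the day" should read "built".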
Line 84: Line 168:
   * 1 => virus(es) found   * 1 => virus(es) found
   * 2 => Some error(s) occured   * 2 => Some error(s) occured
 +
 +----
 +
 +===== clamdscan =====
 +
 +The clamd service allows for faster scanning of directories and files.
 +
 +One off system scan of /home using clamdscan<code bash>/usr/bin/time nice clamdscan --fdpass --log=/root/clamdscan-report-$(date +%Y%m%d) /home</code>
 +  * /usr/bin/time => Times how long the scan takes
 +  * nice => Less CPU priority for the scan
 +  * --fdpass => Pass file descriptor permissions to clamd (allows for a faster scan when clamd is running as a different user)
 +  * --log=/root/clamdscan-report-$(date +%Y%m%d) => Create log file here
 +
 +----
 +
 +===== Scan Regularly with clamdscan =====
 +
 +To scan systems regularly, use clamdscan and either
 +  * Enable on access scanning
 +  * Create a cron to launch clamdscan
 +
 +Example: Enable on access scanning
 +  * FIXME -> Show this example
 +
 +Example: Create a cron to launch clamdscan
 +  * FIXME -> Show this example
 +
 +----
 +
 +===== Whitelist Files/Signatures =====
 +
 +Whitelisting files/signatures allows for ClamAV to ignore them during scans.
 +
 +\\
 +==== Whitelist a File ====
 +
 +To whitelist a file:
 +  * Generate a md5 signature for the file and append it to the file whitelist<code bash>sigtool --md5 /data/testfile >> /var/lib/clamav/whitelist-files.fp</code>
 +    * The entry will look like this<code bash>cat /var/lib/clamav/whitelist-files.fp
 +
 +d41d8cd98f00b204e9800998ecf8427e:0:testfile</code>
 +      * Fields are -> MD5sum:Filesize:Comment
 +
 +\\
 +==== Whitelist a Signature ====
 +
 +Whitelisting a signature should be performed with caution, as it has the potential to ignore legitimate virus's.
 +
 +To whitelist a signature and add the signature name:
 +  * Edit the signature white list file<code bash>vim /var/lib/clamav/whitelist-signatures.ign2
 +
 +Signature.Ignore-1</code>
  
 ---- ----
  
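Review bot: "Scan Regularly with clamdscan" promises two examples and delivers two `FIXME` bullets; the cron one can be filled from the command already shown in the clamdscan section, for instance a script dropped into /etc/cron.daily (the convention this page already uses for freshclam) containing `nice clamdscan --fdpass --log=/root/clamdscan-report-$(date +%Y%m%d) /home`, and the on-access example should either be written or its bullet removed so the section does not advertise something it does not show. In the whitelist section, say next to the "MD5sum:Filesize:Comment" line that a `.fp` entry matches only that exact content and size, so any change to the whitelisted file invalidates the entry and it will be flagged again. Typos in this hunk: "occured" should be "occurred" in the clamscan exit-code list, and "ignore legitimate virus's" should be "viruses".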