This is an old revision of the document!
Clamav
General Information
ClamAV is “an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats.”
Official Site: http://www.clamav.net/index.html
Checklist
- Distro(s): Enterprise Linux 6
- Repo: EPEL
Installation
- Add the EPEL repo.
- Install ClamAV
yum -y install clamav
Configuration
freshclam
Virus definition updater for ClamAV.
- Config: /etc/freshclam.conf
- Daily Cron: /etc/cron.daily/freshclam
/etc/freshclam.conf - Ensure Database Mirrors are correct
DatabaseMirror db.us.clamav.net DatabaseMirror db.local.clamav.net
If you have a Squid proxy
HTTPProxyServer myserverhostname
HTTPProxyPort 3128
Run manual virus updates
freshclam -v
Operation
clamscan
Clamscan is the utility that scans files and directories for viruses.
Scan a single file
clamscan myfile
Scan the current working directory
clamscan
Scan a directory recursively
clamscan -r /home/rjones
Scan a stream
cat myfile | clamscan -
Clamscan return codes
- 0 ⇒ no virus found
- 1 ⇒ virus(es) found
- 2 ⇒ Some error(s) occured
clamdscan
The clamd service allows for faster scanning of directories and files.
One off system scan of /home using clamdscan
/usr/bin/time nice clamdscan --fdpass --log=/root/clamdscan-report-$(date +%Y%m%d) /home
- /usr/bin/time ⇒ Times how long the scan takes
- nice ⇒ Less CPU priority for the scan
- –fdpass ⇒ Pass file descriptor permissions to clamd (allows for a faster scan when clamd is running as a different user)
- –log=/root/clamdscan-report-$(date +%Y%m%d) ⇒ Create log file here
Whitelist Files/Signatures
Whitelisting files/signatures allows for ClamAV to ignore them during scans.
Whitelist a File
To whitelist a file:
- Generate a md5 signature for the file and append it to the file whitelist
sigtool --md5 /data/testfile >> /var/lib/clamav/whitelist-files.fp
- The entry will look like this
cat /var/lib/clamav/whitelist-files.fp d41d8cd98f00b204e9800998ecf8427e:0:testfile
- Fields are → MD5sum:Filesize:Comment
Whitelist a Signature
Whitelisting a signature should be performed with caution, as it has the potential to ignore legitimate virus's.
To whitelist a signature and add the signature name:
- Edit the signature white list file
vim /var/lib/clamav/whitelist-signatures.ign2 Signature.Ignore-1