Clamav

This is an old revision of the document!

General Information

ClamAV is “an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats.”

Checklist

Virus definition updater for ClamAV.

/etc/freshclam.conf - Ensure Database Mirrors are correct

DatabaseMirror db.us.clamav.net
DatabaseMirror db.local.clamav.net

If you have a Squid proxy

HTTPProxyServer myserverhostname
HTTPProxyPort 3128

Run manual virus updates

freshclam -v

ClamAV software runs as non-privileged user(s).

EL 6

EL 7

Clamscan is the utility that scans files and directories for viruses.

Scan a single file

clamscan myfile

Scan the current working directory

clamscan

Scan a directory recursively

clamscan -r /home/rjones

Scan a stream

cat myfile | clamscan -

Clamscan return codes

The clamd service allows for faster scanning of directories and files.

One off system scan of /home using clamdscan

/usr/bin/time nice clamdscan --fdpass --log=/root/clamdscan-report-$(date +%Y%m%d) /home

/usr/bin/time ⇒ Times how long the scan takes
nice ⇒ Less CPU priority for the scan
–fdpass ⇒ Pass file descriptor permissions to clamd (allows for a faster scan when clamd is running as a different user)
–log=/root/clamdscan-report-$(date +%Y%m%d) ⇒ Create log file here

Whitelisting files/signatures allows for ClamAV to ignore them during scans.

To whitelist a file:

Generate a md5 signature for the file and append it to the file whitelist

sigtool --md5 /data/testfile >> /var/lib/clamav/whitelist-files.fp

The entry will look like this

cat /var/lib/clamav/whitelist-files.fp
 
d41d8cd98f00b204e9800998ecf8427e:0:testfile

Whitelisting a signature should be performed with caution, as it has the potential to ignore legitimate virus's.

To whitelist a signature and add the signature name:

Edit the signature white list file

vim /var/lib/clamav/whitelist-signatures.ign2
 
Signature.Ignore-1

Installation