ClamAV

23 August 2016 Roberto Puzzanghera

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways.

Create clamav user and group and install

The daemon will later run as the unprivileged clamav user created here. The tarball is fetched over plain HTTP, so check it against the signature published alongside it on clamav.net before building:

groupadd clamav
useradd -g clamav clamav
cd /usr/local/src
wget http://www.clamav.net/downloads/production/clamav-0.99.2.tar.gz
tar -xzf clamav-0.99.2.tar.gz
cd clamav-0.99.2
chown -R root:root .

./configure
make
make install

ldconfig

Configuring

Create the log dir:

mkdir -p /var/log/clamd
chown -R clamav:clamav /var/log/clamd/
chmod -R o-rx /var/log/clamd/

/usr/local/etc/clamd.conf

Pay attention to these lines, in particular the one that sets the unprivileged user the daemon runs as and the TCPAddr line that keeps the listener on localhost:

# The "Example" line must be commented out, otherwise clamd refuses to start
#Example
LogFile /var/log/clamd/clamd.log
LogTime yes
DatabaseDirectory /usr/local/share/clamav/
# drop root: the daemon runs as this user
User clamav
# listen on the loopback interface only; without TCPAddr clamd binds every interface
TCPSocket 3310
TCPAddr 127.0.0.1

/usr/local/etc/freshclam.conf

# Comment or remove the line below.
#Example
DatabaseDirectory /usr/local/share/clamav/
UpdateLogFile /var/log/clamd/freshclam.log
# usually the same user clamd runs as (User in clamd.conf), so the daemon can read the updated files
DatabaseOwner clamav
# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
DatabaseMirror db.it.clamav.net
# tell the running clamd to reload its database after each update
NotifyClamd /usr/local/etc/clamd.conf
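Before starting clamd it is worth checking the three settings above mechanically. The following is an added example, not code from this post or from ClamAV: a small POSIX sh lint that rejects a clamd.conf with an active Example line, no unprivileged User, or a TCP listener that is not pinned to loopback. The two sample configurations it writes are constructed for the demonstration, and the file and function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post or from ClamAV: a lint for
# clamd.conf that enforces the three settings discussed above (no active
# "Example" line, an unprivileged User, a TCP listener bound to loopback).
# The two sample configs written below are constructed for the demo.

# check_clamd_conf FILE -> exit 0 if FILE passes, 1 otherwise; findings on stderr
check_clamd_conf() {
    conf=$1
    rc=0

    # clamd refuses to start while the placeholder "Example" line is active
    if grep -Eq '^[[:space:]]*Example[[:space:]]*$' "$conf"; then
        echo "$conf: 'Example' line is still active, clamd will not start" >&2
        rc=1
    fi

    # the daemon must drop root; take the last User directive if there are several
    user=$(awk '$1 == "User" { u = $2 } END { print u }' "$conf")
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "$conf: User is unset or root, scanning would run as root" >&2
        rc=1
    fi

    # with TCPSocket set and no TCPAddr, clamd's default is to bind INADDR_ANY
    if grep -Eq '^[[:space:]]*TCPSocket[[:space:]]' "$conf"; then
        addr=$(awk '$1 == "TCPAddr" { a = $2 } END { print a }' "$conf")
        case "$addr" in
            127.0.0.1|::1|localhost) ;;
            *)
                echo "$conf: TCPSocket set but TCPAddr is '${addr:-unset}', listener would be exposed on all interfaces" >&2
                rc=1 ;;
        esac
    fi
    return $rc
}

# write_weak_conf FILE: the mistakes the post warns about, all in one file (constructed)
write_weak_conf() {
    cat > "$1" <<'EOF'
Example
LogFile /var/log/clamd/clamd.log
DatabaseDirectory /usr/local/share/clamav/
TCPSocket 3310
EOF
}

# write_hardened_conf FILE: the settings recommended in the post
write_hardened_conf() {
    cat > "$1" <<'EOF'
#Example
LogFile /var/log/clamd/clamd.log
LogTime yes
DatabaseDirectory /usr/local/share/clamav/
User clamav
TCPSocket 3310
TCPAddr 127.0.0.1
EOF
}

# demo: lint both files and report
tmp=$(mktemp -d)
write_weak_conf "$tmp/weak.conf"
write_hardened_conf "$tmp/hardened.conf"
for f in "$tmp/weak.conf" "$tmp/hardened.conf"; do
    if check_clamd_conf "$f"; then echo "$f: OK"; else echo "$f: FAILED"; fi
done
rm -rf "$tmp"
```

Run it against the real file with check_clamd_conf /usr/local/etc/clamd.conf before clamdctl start; a non-zero exit means clamd would either not start or start with a weaker setup than the one described here.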

Testing

Run this test from the test directory of the ClamAV source tree, which contains harmless sample files that are detected as ClamAV-Test-File. The -r flag scans recursively and -l writes the report to scan.txt. (The output below was captured with an older release, so the engine version and the counts will differ from yours.)

# cd /path/to/src/clamav/test
# clamscan -r -l scan.txt
----------- SCAN SUMMARY -----------
Known viruses: 834112
Engine version: 0.96.3
Scanned directories: 312
Scanned files: 7541
Infected files: 49
Data scanned: 273.18 MB
Data read: 306.89 MB (ratio 0.89:1)
Time: 24.649 sec (0 m 24 s)

Check the file scan.txt:

clamav-0.97/test/clam.chm: ClamAV-Test-File FOUND
clamav-0.97/test/clam.exe.bz2: ClamAV-Test-File FOUND
clamav-0.97/test/clam.bz2.zip: ClamAV-Test-File FOUND
clamav-0.97/test/clam-upx.exe: ClamAV-Test-File FOUND

Logrotate

Create this logrotate configuration; the HUP signals make clamd and freshclam reopen their log files after rotation:

cat > /etc/logrotate.d/clamav << __EOF__
/var/log/clamd/*.log {
  daily
  notifempty
  missingok
  postrotate
  /usr/bin/killall -HUP freshclam 2> /dev/null || true
  /usr/bin/killall -HUP clamd 2> /dev/null || true
  endscript
}
__EOF__

Running clamd and freshclam

Create a script named /usr/local/bin/clamdctl like the following (download):

#!/bin/sh
# clamdctl: start, stop or show the help of clamd

COMMAND=$1
DAEMON=/usr/local/sbin/clamd

# POSIX sh compares strings with a single "="; "==" is a bashism that breaks under dash
if [ "$COMMAND" = "start" ] ; then
    echo -n "Starting clamd daemon ... "
    # clamd exits non-zero (e.g. on a bad clamd.conf), so report that instead of a blind "done"
    if $DAEMON; then
        echo " done."
        exit 0
    else
        echo " failed."
        exit 1
    fi
elif [ "$COMMAND" = "stop" ] ; then
    echo -n "Stopping clamd daemon ... "
    killall -TERM clamd
    echo " done."
    exit 0
elif [ "$COMMAND" = "help" ] ; then
    $DAEMON --help
    exit 0
else
    echo "usage: $0 start|stop|help"
    exit 1
fi

Start the daemon

# chmod +x /usr/local/bin/clamdctl 
# clamdctl help

                      Clam AntiVirus Daemon 0.96.3
           By The ClamAV Team: http://www.clamav.net/team
           (C) 2007-2009 Sourcefire, Inc.

    --help                   -h             Show this help.
    --version                -V             Show version number.
    --debug                                 Enable debug mode.
    --config-file=FILE       -c FILE        Read configuration from FILE.

# clamdctl start

Create a similar startup script, /usr/local/bin/freshclamctl, for freshclam (download):

#!/bin/sh
# freshclamctl: start or stop freshclam in daemon mode

COMMAND=$1
DAEMON=/usr/local/bin/freshclam

# POSIX sh compares strings with a single "="; "==" is a bashism that breaks under dash
if [ "$COMMAND" = "start" ] ; then
    echo -n "Starting freshclam daemon ... "
    # -d keeps freshclam running as a daemon that polls the mirror (Checks in freshclam.conf)
    if $DAEMON -d; then
        echo " done."
        exit 0
    else
        echo " failed."
        exit 1
    fi
elif [ "$COMMAND" = "stop" ] ; then
    echo -n "Stopping freshclam daemon ... "
    killall -TERM freshclam
    echo " done."
    exit 0
else
    echo "usage: $0 start|stop"
    exit 1
fi

Start the daemon:

chmod +x /usr/local/bin/freshclamctl
freshclamctl start

Don't forget to start clamd and freshclam at boot time, e.g. by calling clamdctl start and freshclamctl start from your rc.local.

Check that the database has been updated

# more /var/log/clamd/freshclam.log

--------------------------------------
freshclam daemon 0.96.3 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
ClamAV update process started at Fri Oct 22 13:15:43 2010
main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
WARNING: getfile: daily-11979.cdiff not found on remote server (IP: 195.22.205.162)
WARNING: getpatch: Can't download daily-11979.cdiff from db.it.clamav.net
WARNING: getfile: daily-11979.cdiff not found on remote server (IP: 213.92.8.5)
WARNING: getpatch: Can't download daily-11979.cdiff from db.it.clamav.net
WARNING: getfile: daily-11979.cdiff not found on remote server (IP: 193.206.139.37)
WARNING: getpatch: Can't download daily-11979.cdiff from db.it.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Downloading daily.cvd [100%]
daily.cvd updated (version: 12167, sigs: 142570, f-level: 53, builder: guitar)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 86, sigs: 10, f-level: 53, builder: edwin)
Database updated (847307 signatures) from db.it.clamav.net (IP: 193.206.139.37)
Clamd successfully notified about the update.
--------------------------------------
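The WARNING lines about daily-11979.cdiff are harmless: the incremental patch was missing on the mirror, so freshclam fell back to a full daily.cvd download, which succeeded. What matters for monitoring is whether the last run ended in Database updated (or an up-to-date notice) and which f-level (functionality level) the databases now require, since an older engine does not use signatures that need a newer level than it provides. The following is an added example, not part of this post or of ClamAV: POSIX sh functions that pull those facts out of freshclam.log. The good log is copied from the output above; the failed run appended in the second file, including its ERROR lines, is constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from ClamAV: checks over
# freshclam.log for monitoring. The good log below is the one shown in the
# post; the failed run in the second log (and its ERROR lines) is constructed.

# write_good_log FILE: one successful run, warnings included
write_good_log() {
    cat > "$1" <<'EOF'
freshclam daemon 0.96.3 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
ClamAV update process started at Fri Oct 22 13:15:43 2010
main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
WARNING: getfile: daily-11979.cdiff not found on remote server (IP: 195.22.205.162)
WARNING: getpatch: Can't download daily-11979.cdiff from db.it.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Downloading daily.cvd [100%]
daily.cvd updated (version: 12167, sigs: 142570, f-level: 53, builder: guitar)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 86, sigs: 10, f-level: 53, builder: edwin)
Database updated (847307 signatures) from db.it.clamav.net (IP: 193.206.139.37)
Clamd successfully notified about the update.
EOF
}

# write_failed_log FILE: the same run followed by a constructed one that could not fetch the database
write_failed_log() {
    write_good_log "$1"
    cat >> "$1" <<'EOF'
ClamAV update process started at Sat Oct 23 13:15:43 2010
ERROR: Can't download daily.cvd from db.it.clamav.net
ERROR: Update failed.
EOF
}

# last_run LOG: print the lines of the most recent run
# (everything from the last "ClamAV update process started" line on)
last_run() {
    awk '/ClamAV update process started/ { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }' "$1"
}

# update_sigs LOG: signature count reported by the last run, empty if it did not update
update_sigs() {
    last_run "$1" | sed -n 's/^Database updated (\([0-9]*\) signatures).*/\1/p'
}

# max_flevel LOG: highest functionality level any database in the log requires
max_flevel() {
    sed -n 's/.*f-level: \([0-9]*\).*/\1/p' "$1" | sort -n | tail -n 1
}

# freshclam_ok LOG: 0 if the last run had no ERROR and either updated or confirmed the database
freshclam_ok() {
    run=$(last_run "$1")
    case "$run" in
        *"ERROR:"*) return 1 ;;
        *"Database updated ("*|*"is up to date"*) return 0 ;;
        *) return 1 ;;
    esac
}

# demo
tmp=$(mktemp -d)
write_good_log "$tmp/good.log"
write_failed_log "$tmp/bad.log"
for f in "$tmp/good.log" "$tmp/bad.log"; do
    if freshclam_ok "$f"; then
        echo "$f: last run OK, $(update_sigs "$f") signatures, databases need f-level $(max_flevel "$f")"
    else
        echo "$f: last run FAILED"
    fi
done
rm -rf "$tmp"
```

Point the functions at /var/log/clamd/freshclam.log from cron and alert when freshclam_ok fails; a stale database on a mail gateway is a silent failure otherwise, because clamd keeps scanning happily with whatever it last loaded.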

Adding foxhole database

First of all, thanks a lot to Costel Balta for the hint on this topic.

Zero-hour (0hr) malware arriving by e-mail has always been an issue. ClamAV can also be used to block such attachments, which is useful in some environments. The foxhole databases use ClamAV's .cdb (container) signature format, which makes the engine look inside certain container files, such as archives, for particular file names, and the file names can be matched with regular expressions. Because these rules block by file name rather than by malware content, they also stop legitimate executables sent in archives, so decide whether that fits your mail flow.

To add the foxhole database, save foxhole_all.cdb to your clamav DatabaseDirectory, chown it to the clamav user and restart clamd. The file is fetched from a third-party mirror over plain HTTP, and a malformed database stops clamd from starting, so test-load it first with clamscan -d /usr/local/share/clamav/foxhole_all.cdb against a sample file; clamdscan --reload asks the running daemon to reload its databases without the stop/start below:

cd /usr/local/share/clamav/
wget http://ftp.swin.edu.au/sanesecurity/foxhole_all.cdb
chown clamav:clamav foxhole_all.cdb
clamdctl stop
clamdctl start
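To see what a .cdb rule actually looks like, and to avoid loading a third-party file blind, here is an added example that is neither this post's code nor Sanesecurity's rules: a constructed two-rule .cdb in ClamAV's documented container-signature layout, a format check that rejects lines without the expected ten colon-separated fields, and a dry run that matches attachment names against each rule's FileNameREGEX with grep -E (an approximation of clamd's own matching that ignores the container-type field). Rule names, patterns and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post and not Sanesecurity's rules:
# a constructed .cdb, a format check to run before a third-party .cdb goes
# into DatabaseDirectory, and a dry run of its FileNameREGEX fields.
# Field layout is ClamAV's documented container-signature (.cdb) format:
#   VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2

# write_sample_cdb FILE: two constructed rules (names and patterns are ours).
# Rule 1: executables inside any zip attachment, whatever the archive size.
# Rule 2: double-extension names inside rar archives, e.g. invoice.pdf.exe.
write_sample_cdb() {
    cat > "$1" <<'EOF'
Example.Foxhole.Zip_exe:CL_TYPE_ZIP:*:\.(exe|scr|pif)$:*:*:*:*:*:*
Example.Foxhole.Rar_dblext:CL_TYPE_RAR:*:\.(pdf|doc|jpg)\.[a-z]{3}$:*:*:*:*:*:*
EOF
}

# cdb_check FILE: 0 if every rule line has the ten colon-separated fields;
# clamd refuses to start on a malformed database, so run this first
cdb_check() {
    awk -F: '
        /^#/ || /^[[:space:]]*$/ { next }
        NF != 10 { printf "line %d: %d fields, expected 10\n", NR, NF > "/dev/stderr"; bad = 1 }
        END { exit bad }
    ' "$1"
}

# cdb_matches FILE NAME: print the rule names whose FileNameREGEX matches NAME.
# grep -E stands in for the engine's regex matching and the container-type
# field is ignored, so this is a dry run of the name patterns only
cdb_matches() {
    grep -Ev '^(#|[[:space:]]*$)' "$1" | while IFS=: read -r name ctype csize regex rest; do
        if printf '%s\n' "$2" | grep -Eq -e "$regex"; then
            echo "$name"
        fi
    done
}

# demo
tmp=$(mktemp -d)
write_sample_cdb "$tmp/foxhole_test.cdb"
cdb_check "$tmp/foxhole_test.cdb" && echo "format OK"
for n in invoice.pdf.exe setup.exe report.pdf; do
    echo "$n -> $(cdb_matches "$tmp/foxhole_test.cdb" "$n" | tr '\n' ' ')"
done
# with ClamAV installed the real checks are:
#   clamscan -d "$tmp/foxhole_test.cdb" attachment.zip    # test-load the database against a sample
#   clamdscan --reload                                    # ask the running clamd to reload, no restart
rm -rf "$tmp"
```

The dry run is deliberately narrow: it only tells you which file names a rule's regex would catch, which is exactly what decides how many legitimate attachments a foxhole-style rule will block in your environment.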
