ClamAV

October 30, 2020, Roberto Puzzanghera, 7 comments

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways.

Create clamav user and group and install

groupadd clamav
useradd -g clamav clamav
cd /usr/local/src
wget http://www.clamav.net/downloads/production/clamav-0.103.0.tar.gz
tar -xzf clamav-0.103.0.tar.gz
cd clamav-0.103.0
chown -R root.root .

./configure --with-pcre
make
make install

ldconfig

Configuring

Create the log and the database directories:

mkdir -p /var/log/clamd
chown -R clamav.clamav /var/log/clamd/
chmod -R o-rx /var/log/clamd/

mkdir -p /usr/local/share/clamav
chown clamav.clamav /usr/local/share/clamav

/usr/local/etc/clamd.conf

Pay attention to these lines, in particular the one that sets the user who runs the daemon (the "Example" line must stay commented out):

# This must be commented
# Example
LogFile /var/log/clamd/clamd.log
LogTime yes
DatabaseDirectory /usr/local/share/clamav/
User clamav
TCPSocket 3310
TCPAddr 127.0.0.1

/usr/local/etc/freshclam.conf

# Comment or remove the line below.
#Example
DatabaseDirectory /usr/local/share/clamav/
UpdateLogFile /var/log/clamd/freshclam.log
DatabaseOwner clamav
# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
DatabaseMirror db.it.clamav.net
NotifyClamd /usr/local/etc/clamd.conf

Logrotate

Copy this script to /etc/logrotate.d:

cat > /etc/logrotate.d/clamav << __EOF__
/var/log/clamd/*.log {
  daily
  notifempty
  missingok
  postrotate
  /usr/bin/killall -HUP freshclam 2> /dev/null || true
  /usr/bin/killall -HUP clamd 2> /dev/null || true
  endscript
}
__EOF__

Running clamd and freshclam

Before running clamd you have to run freshclam to download the database. Create a startup script like this for freshclam (download):

#!/bin/sh
#
# Start/stop/restart freshclam.
#

DAEMON=/usr/local/bin/freshclam

# Start freshclam:
start() {
  if [ -x $DAEMON ]; then
    echo -n "Starting freshclam daemon ... "
    $DAEMON -d
    echo " done."
  fi
}

# Stop freshclam:
stop() {
  echo -n "Stopping freshclam daemon ... "
  killall -TERM freshclam
  echo " done."
}

# Restart freshclam:
restart() {
  stop
  sleep 1
  start
}

case "$1" in
'start')
  start
  ;;
'stop')
  stop
  ;;
'restart')
  restart
  ;;
*)
  echo "usage $0 start|stop|restart"
esac

Start the daemon:

cd /usr/local/bin
wget https://notes.sagredo.eu/files/qmail/freshclamctl
chmod +x /usr/local/bin/freshclamctl
freshclamctl start

Check that the database has been updated:

# more /var/log/clamd/freshclam.log

--------------------------------------
freshclam daemon 0.96.3 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
ClamAV update process started at Fri Oct 22 13:15:43 2010
main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
WARNING: getfile: daily-11979.cdiff not found on remote server (IP: 195.22.205.162)
WARNING: getpatch: Can't download daily-11979.cdiff from db.it.clamav.net
WARNING: getfile: daily-11979.cdiff not found on remote server (IP: 213.92.8.5)
WARNING: getpatch: Can't download daily-11979.cdiff from db.it.clamav.net
WARNING: getfile: daily-11979.cdiff not found on remote server (IP: 193.206.139.37)
WARNING: getpatch: Can't download daily-11979.cdiff from db.it.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Downloading daily.cvd [100%]
daily.cvd updated (version: 12167, sigs: 142570, f-level: 53, builder: guitar)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 86, sigs: 10, f-level: 53, builder: edwin)
Database updated (847307 signatures) from db.it.clamav.net (IP: 193.206.139.37)
Clamd successfully notified about the update.
--------------------------------------

Now create a script called clamdctl (download) like this in the /usr/local/bin folder:

#!/bin/sh
#
# Start/stop/restart clamd.
#

DAEMON=/usr/local/sbin/clamd

# Start clamd:
start() {
  if [ -x $DAEMON ]; then
    echo -n "Starting clamd daemon: $DAEMON "
    $DAEMON
    echo " done."
  fi
}

# Stop clamd:
stop() {
  echo -n "Stopping clamd daemon ... "
  killall -TERM clamd
  echo " done."
}

# Restart clamd:
restart() {
  stop
  sleep 1
  start
}

# Help
help() {
  $DAEMON --help
  exit
}

case "$1" in
'start')
  start
  ;;
'stop')
  stop
  ;;
'restart')
  restart
  ;;
'help')
  help
  ;;
*)
  echo "usage $0 start|stop|restart|help"
esac

Start the daemon:

cd /usr/local/bin
wget https://notes.sagredo.eu/files/qmail/clamdctl
chmod +x /usr/local/bin/clamdctl
clamdctl help

                      Clam AntiVirus Daemon 0.96.3
           By The ClamAV Team: http://www.clamav.net/team
           (C) 2007-2009 Sourcefire, Inc.

    --help                   -h             Show this help.
    --version                -V             Show version number.
    --debug                                 Enable debug mode.
    --config-file=FILE       -c FILE        Read configuration from FILE.

clamdctl start

Don't forget to enable clamd and freshclam startup at boot time in your rc.local.

Testing

This command-line test should be run from the ClamAV source directory, which contains some test files in clamav-x.yz/test. The scan result is saved in scan.txt:

# cd /path/to/src/clamav/test
# clamscan -r -l scan.txt
----------- SCAN SUMMARY -----------
Known viruses: 834112
Engine version: 0.96.3
Scanned directories: 312
Scanned files: 7541
Infected files: 49
Data scanned: 273.18 MB
Data read: 306.89 MB (ratio 0.89:1)
Time: 24.649 sec (0 m 24 s)

Check the file scan.txt:

clamav-0.97/test/clam.chm: ClamAV-Test-File FOUND
clamav-0.97/test/clam.exe.bz2: ClamAV-Test-File FOUND
clamav-0.97/test/clam.bz2.zip: ClamAV-Test-File FOUND
clamav-0.97/test/clam-upx.exe: ClamAV-Test-File FOUND
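clamscan exercises the engine, but mail gateways talk to clamd over the socket configured above. As an added check that is not part of the original guide, this Python 3 script sends a PING to clamd on 127.0.0.1:3310 (the TCPAddr/TCPSocket set in clamd.conf) and then streams the standard EICAR test string through the INSTREAM command, so you can confirm the daemon itself returns a FOUND verdict. It assumes clamd is running with the configuration shown earlier; the function names are my own.

```python
import socket
import struct

# Matches TCPAddr / TCPSocket in the clamd.conf above.
CLAMD_ADDR = ("127.0.0.1", 3310)

# Standard EICAR anti-virus test string: harmless, but every scanner must flag it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def frame_instream(data, chunk=2048):
    """Build one zINSTREAM request: NUL-terminated command, big-endian
    length-prefixed chunks, then the zero-length chunk that ends the stream."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out += struct.pack("!I", len(piece)) + piece
    out += struct.pack("!I", 0)
    return bytes(out)


def parse_reply(raw):
    """Turn a NUL-terminated reply like b'stream: Eicar-Test-Signature FOUND\\0'
    into (status, detail) with status FOUND, OK or ERROR."""
    text = raw.rstrip(b"\0").decode(errors="replace")
    _, sep, rest = text.partition(": ")
    verdict = rest if sep else text
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    if verdict == "OK":
        return "OK", None
    return "ERROR", verdict


def clamd_command(request, addr=CLAMD_ADDR, timeout=10):
    """Send one z-prefixed request and read until the NUL that ends the reply."""
    with socket.create_connection(addr, timeout=timeout) as sock:
        sock.sendall(request)
        buf = b""
        while not buf.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            buf += part
    return buf


def check_clamd():
    """Liveness check (PING -> PONG) followed by an in-memory EICAR scan."""
    pong = clamd_command(b"zPING\0")
    status, detail = parse_reply(clamd_command(frame_instream(EICAR)))
    return pong == b"PONG\0", status, detail
```

On a working setup check_clamd() returns (True, 'FOUND', 'Eicar-Test-Signature'); an ERROR status with a detail such as "INSTREAM size limit exceeded" points at StreamMaxLength in clamd.conf.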

Comments

eXtremeSHOK/clamav-unofficial-sigs

Hi Roberto,

I would like to advise to include the build with "eXtremeSHOK/clamav-unofficial-sigs" for ClamAV from https://github.com/extremeshok/clamav-unofficial-sigs. It can replace the part of FOXHOLE in your guide with additional third party signatures/databases for ClamAV. I am running this with ClamAV on CentOS 8.2 for months without any problem. It is simple to set up and maintain. See if this is of benefit to you and others.

eXtremeSHOK/clamav-unofficial-sigs

Thank you Tony. I'll check it out.

Error parsing PNG files ?

Hi

Checking another thing, I found these errors in clamd.log.
Does someone see this error?

 /var/qmail/simscan/1601953823.829459.89457/image007.png: Can't parse data ERROR

Is there something I missed configuring?

Foxhole database

Hi

This database is not working with freshclam 0.102.4; does it now use CLD files, not CDB, or am I missing something?

Foxhole database

Hi, it's working here with 0.103.0.

I have a line like this in my config file and I see regular updates:

DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_all.cdb

Blog platform

I am curious to find out what blog platform you have been working with? I'm having some minor security problems with my latest blog and I would like to find something more risk-free. Do you have any recommendations?

Blog platform

This is a CMS written by myself. Of course it embeds classes and plugins of other people, but it's not WordPress, nor Drupal, etc.

I'm not an expert on the security concerns of the popular CMSs...