ClamAV

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. Because ClamAV's main use is on file/mail servers for Windows desktops, it primarily detects Windows viruses and malware with its built-in signatures.

Installation

Install the clamav package.

Updating database

Update the virus definitions with:

# freshclam

If you are behind a proxy, edit /etc/clamav/freshclam.conf and update HTTPProxyServer, HTTPProxyPort, HTTPProxyUsername and HTTPProxyPassword.

The database files are saved in:

/var/lib/clamav/daily.cvd
/var/lib/clamav/main.cvd
/var/lib/clamav/bytecode.cvd

Start/enable clamav-freshclam.service so that the virus definitions are kept recent.

Starting the daemon

Note:
  • You will need to run freshclam before starting the service for the first time or you will run into trouble/errors which will prevent ClamAV from starting correctly.
  • The daemon is not needed if you only want to perform stand-alone scans. See Scan for viruses below.

The service is called clamav-daemon.service. Start it and enable it to start at boot.

Testing the software

In order to make sure ClamAV and the definitions are installed correctly, scan the EICAR test file (a harmless signature with no virus code) with clamscan.

$ curl https://secure.eicar.org/eicar.com.txt | clamscan -

The output must include:

stdin: Win.Test.EICAR_HDB-1 FOUND

Otherwise; read the Troubleshooting part or ask for help in the Arch Forums.

Adding more databases/signatures repositories

ClamAV can use databases/signature from other repositories or security vendors.

To add the most important ones in a single step, install either clamav-unofficial-sigsAUR (see GitHub description) or python-fangfrischAUR (see online documentation). Both will add signatures/databases from popular providers, e.g. MalwarePatrol, SecuriteInfo, Yara, Linux Malware Detect, etc.

Note: You still must have the clamav-freshclam.service started in order to have official signature updates from ClamAV mirrors.

Option #1: Set up Fangfrisch

Fangfrisch was designed as a more secure, flexible and convenient replacement for clamav-unofficial-sigs, and requires very little configuration (/etc/fangfrisch/fangfrisch.conf).

Most importantly, Fangfrisch never needs to be run with root permissions, unlike clamav-unofficial-sigs.

Create database structure by running:

# sudo -u clamav /usr/bin/fangfrisch --conf /etc/fangfrisch/fangfrisch.conf initdb

Enable the fangfrisch.timer.

Option #2: Set up clamav-unofficial-sigs

Enable the clamav-unofficial-sigs.timer.

This will regularly update the unofficial signatures based on the configuration files in the directory .

To update signatures manually, run the following:

# clamav-unofficial-sigs.sh

To change any default settings, refer and modify .

MalwarePatrol database

If you would like to use the MalwarePatrol database, sign up for an account at https://www.malwarepatrol.net/free-guard-upgrade-option.

In , change the following to enable this functionality:

malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER" # enter your receipt number here
malwarepatrol_product_code="8" # Use 8 if you have a Free account or 15 if you are a Premium customer.
malwarepatrol_list="clamav_basic" # clamav_basic or clamav_ext
malwarepatrol_free="yes" # Set to yes if you have a Free account or no if you are a Premium customer.

Source: https://www.malwarepatrol.net/clamav-configuration-guide/

Scan for viruses

There are two options for on-demand scanning:

using the stand-alone scanner

can be used to scan certain files, home directories, or an entire system:
$ clamscan myfile
$ clamscan --recursive --infected /home
# clamscan --recursive --infected --exclude-dir='^/sys|^/dev' /

If you would like to remove the infected file add to the command the --remove option, or you can use --move=/dir to quarantine them.

You may also want to scan larger files. In this case, append the options and to the command. '4000M' is the largest possible value, and may be lowered as necessary.

Using the option will print the logs to a text file for locating reported infections.

using the daemon

is similar to the above but utilizes the daemon, which must be running for the command to work. Most options are ignored since the daemon reads the the settings specified in .

Using the milter

Milter will scan your sendmail server for email containing virus. Adjust to your needs. For example:

Create :

/etc/systemd/system/clamav-milter.service
[Unit]
Description='ClamAV Milter'
After=clamav-daemon.service

[Service]
Type=forking
ExecStart=/usr/bin/clamav-milter --config-file /etc/clamav/clamav-milter.conf

[Install]
WantedBy=multi-user.target

Enable and start clamav-milter.service.

For Postfix add the following lines to :

Check journalctl if the permission to access for postfix is set accordingly, if not, add user postfix to group .

OnAccessScan

(Original source: https://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html)

On-access scanning will scan the file while reading, writing or executing it.

On-access scanning requires the kernel to be compiled with the fanotify kernel module (kernel >= 3.8), which is true for official Arch Linux kernel packages. Check if fanotify has been enabled before enabling on-access scanning.

$ zgrep FANOTIFY /proc/config.gz

First, edit the configuration file by adding the following to the end of the file (you can also change the individual options).

Next, allow the clamav user to run notify-send as any user with custom environment variables via sudo:

Next, create the file /etc/clamav/virus-event.bash, make it executable and add the following:

This allows you to change/specify the message when a virus has been detected by clamd's on-access scanning service.

Restart the clamav-daemon.service.

By default, clamonacc passes clamav the names of just-accessed files for scanning. This is a problem, because files inaccessible to the clamav user cannot be scanned this way. Instead, it is possible to instruct clamonacc (which always runs as root) to use file descriptor passing. Edit with the following:

[Service]
ExecStart=
ExecStart=/usr/sbin/clamonacc -F --fdpass --log=/var/log/clamav/clamonacc.log

Lastly, you will need to start/enable the .

If you get AppArmor denials about clamd, set the profile to a complain-only mode:

# aa-complain clamd

Tips and tricks

Using clamscan

When scanning a file or directory from command line using only single CPU thread is used. This may be ok in cases when timing is not critical or you do not want computer to become sluggish. If there is a need to scan large directory or USB drive quickly you may want to use all available CPUs to speed up the process.

is designed to be single-threaded, so xargs can be used to run the scan in parallel:
$ find /home/archie -type f -print0 | xargs -0 -P $(nproc) clamscan

In this example the parameter for xargs runs in as many processes as there are CPUs (reported by ) at the same time. and options will allow even finer control of batching the workload across the threads.

Using clamdscan

If you already have daemon running can be used instead (see #Starting the daemon):

$ clamdscan --multiscan --fdpass /home/archie

Here the parameter enables to scan the contents of the directory in parallel using available threads. parameter is required to pass the file descriptor permissions to as the daemon is running under user and group.

The number of available threads for is determined in via MaxThreads parameter . Even though you may see that the number of MaxThreads specified is more than one (current default is 10), when you start the scan using from command line and do not specify option, only one effective CPU thread will be used for scanning.

Troubleshooting

Error: Clamd was NOT notified

If you get the following messages after running freshclam:

Add a sock file for ClamAV

# touch /run/clamav/clamd.ctl
# chown clamav:clamav /run/clamav/clamd.ctl

Then, edit /etc/clamav/clamd.conf - uncomment this line:

LocalSocket /run/clamav/clamd.ctl

Save the file and restart clamav-daemon.service.

Error: No supported database files found

If you get the next error when starting the daemon:

This happens because of mismatch between /etc/clamav/freshclam.conf setting and setting . /etc/clamav/freshclam.conf pointing to , but (default directory) pointing to , or other directory. Edit in and replace with the same as in /etc/clamav/freshclam.conf. After that clamav will start up successfully.

Error: Can't create temporary directory

If you get the following error, along with a 'HINT' containing a UID and a GID number:

# can't create temporary directory

Correct permissions:

# chown UID:GID /var/lib/clamav && chmod 755 /var/lib/clamav
gollark: You can stalk people while using somewhat widely available information! I think that's generally what happens!
gollark: They ARE NOT MUTUALLY EXCLUSIVE.
gollark: Just don't stalk people?
gollark: I need to figure out how to get it to show the current song.
gollark: Sad! With an unreliable network you can't use osmarks internet radioâ„¢!

See also

This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.