ClamAV
ClamAV:
http://www.clamav.net/
Download:
http://www.clamav.net/downloads
http://www.clamav.net/lang/en/download
http://www.clamav.net/lang/en/download/sources/
http://downloads.sourceforge.net/clamav/clamav-0.97.tar.gz
Scanning
Simple scan:
/opt/clamav/bin/clamscan [FOLDER]
Options:
-r            # recursive search
-i            # show only infected
-l [file]     # log output to file
--move=[dir]  # move infected
--copy=[dir]  # copy infected
--remove=yes  # remove infected
Scan subfolders, show infected only and log results:
/opt/clamav/bin/clamscan -r -i -l scan.txt [FOLDER]
Scan stdin:
cat testfile | clamscan -
Help:
man /opt/clamav/share/man/man1/clamscan.1
Updating Definitions
Update virus definitions: (as any user in the clamav group)
/opt/clamav/bin/freshclam
After the first run, fix the database permissions one time, so anyone in the clamav group can update:
sudo chown clamav:clamav /opt/clamav/share/clamav/*
sudo chmod 664 /opt/clamav/share/clamav/*
Databases are stored here:
Database directory: /opt/clamav/share/clamav
Installation
NOTE: ALL DOWNLOADS HAVE MIGRATED TO HTTPS://WWW.CLAMAV.NET
Look here for latest version:
- http://sourceforge.net/projects/clamav/files/
- Direct download Links
- Latest:
Prerequisites:
# redhat/centos
sudo yum install gcc make openssl-devel

# debian/ubuntu
sudo apt install build-essential gcc make libssl1.0 libssl-dev libxml2 libxml2-dev
Create ClamAV User:
# create clamav user
sudo /usr/sbin/groupadd clamav
sudo /usr/sbin/useradd clamav -g clamav -d /opt/clamav -c "Clam AntiVirus" -s /sbin/nologin

# Add kenneth to clamav group
sudo usermod -a -G clamav kenneth

# LOGOUT - user kenneth will need to log out and log back in for the group change to take effect
Install/Update ClamAV: [1]
# AS USER: kenneth
sudo pwd # cache sudo creds...

# Download ClamAV
CLAM_VERSION=0.101.4
mkdir -p ~/.src ; cd ~/.src
wget "http://www.clamav.net/downloads/production/clamav-$CLAM_VERSION.tar.gz"
tar -zvxf clamav-$CLAM_VERSION.tar.gz
cd clamav-$CLAM_VERSION

# Older versions, kept for reference (run instead of the block above, not after it)
#CLAM_VERSION=0.100.0
#CLAM_VERSION=0.99.1
#wget "http://downloads.sourceforge.net/clamav/clamav-$CLAM_VERSION.tar.gz"

# Alternative: download the latest ClamAV from SourceForge
mkdir -p ~/.src ; cd ~/.src
wget "http://sourceforge.net/projects/clamav/files/latest/download?source=files" -O clamav_latest.tar.gz
tar -zvxf clamav_latest.tar.gz
cd clamav-*

# Backup previous config
mkdir etc-bak ; cp /opt/clamav/etc/* etc-bak/

# remove previous install
sudo rm -rf /opt/clamav

# Build and Install
# NOTE: this will take several minutes to compile (make)
./configure --prefix=/opt/clamav
make clean
make
sudo make install

# Copy default configs
sudo cp /opt/clamav/etc/clamd.conf.sample /opt/clamav/etc/clamd.conf
sudo cp /opt/clamav/etc/freshclam.conf.sample /opt/clamav/etc/freshclam.conf

# Check for config differences to build the new config (the only difference should be the commented-out 'Example' line)
diff etc-bak/clamd.conf /opt/clamav/etc/clamd.conf
diff etc-bak/freshclam.conf /opt/clamav/etc/freshclam.conf

# OPTIONAL: edit configs as needed ..OR.. skip to next step
#sudo vim /opt/clamav/etc/clamd.conf
#sudo vim /opt/clamav/etc/freshclam.conf

# Comment out the 'Example' line in the config files if the default config is sufficient
sudo sed -i 's/^Example/#Example/g' /opt/clamav/etc/clamd.conf
sudo sed -i 's/^Example/#Example/g' /opt/clamav/etc/freshclam.conf

# create /etc/clamav config links
sudo mkdir -p /etc/clamav
sudo ln -sfn /opt/clamav/etc/clamd.conf /etc/clamav/clamd.conf
sudo ln -sfn /opt/clamav/etc/freshclam.conf /etc/clamav/freshclam.conf

# create database share folder
sudo mkdir -p /opt/clamav/share/clamav
sudo chown clamav:clamav /opt/clamav/share/clamav
sudo chmod 775 /opt/clamav/share/clamav
sudo chmod g+s /opt/clamav/share/clamav

# Update Virus definitions
/opt/clamav/bin/freshclam

# Fix Permissions for clamav group after update
sudo chown clamav:clamav /opt/clamav/share/clamav/*
sudo chmod 664 /opt/clamav/share/clamav/*

# Create bin links
sudo ln -sfn /opt/clamav/bin/clamscan /usr/local/bin/clamscan
sudo ln -sfn /opt/clamav/bin/freshclam /usr/local/bin/freshclam

# EICAR Test
cat > samplevirus.txt <<"EOF"
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
EOF
#/opt/clamav/bin/clamscan samplevirus.txt
clamscan samplevirus.txt
rm samplevirus.txt

# More Tests
cd test
clamscan .
cd ..
# rm -rf test
Setup daily update:
# cronjob
crontab -e
0 2 * * * /usr/local/bin/freshclam
Configuration
Allow kenneth to edit:
sudo chown kenneth /opt/clamav/etc/*
Configure clamd:
vim /opt/clamav/etc/clamd.conf
Configure freshclam:
vim /opt/clamav/etc/freshclam.conf
Modify both and comment out the Example line:
# Comment or remove the line below.
#Example
All configured values can be viewed with clamconf (check its output for errors):
/opt/clamav/bin/clamconf
Testing
Test with:
/opt/clamav/bin/clamscan -r -l scan.txt clamav-$VERSION
Example output:
----------- SCAN SUMMARY -----------
Known viruses: 852104
Engine version: 0.96.5
Scanned directories: 238
Scanned files: 4522
Infected files: 46
Data scanned: 186.71 MB
Data read: 201.43 MB (ratio 0.93:1)
Time: 22.671 sec (0 m 22 s)
Configure the ClamAV daemon, clamd, for testing. Comment out the "Example" line in clamd.conf and save:
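As an added example (not part of these notes), a small Python parser for the scan.txt log that clamscan -l writes: it pulls out the FOUND lines, the files clamscan could not read, and the summary block, then cross-checks the two counts. The sample log is constructed; its paths and the non-EICAR signature name are made up.

```python
import re

# Constructed sample of what `clamscan -r -l scan.txt` writes; the paths and
# the non-EICAR signature name are made up for this example.
SAMPLE_LOG = """\
/srv/share/report.pdf: OK
/srv/share/samplevirus.txt: Eicar-Test-Signature FOUND
/srv/share/archive.zip: Empty file
/srv/share/old/setup.exe: Win.Trojan.Example-1 FOUND
/srv/share/locked.doc: Can't open file or directory ERROR

----------- SCAN SUMMARY -----------
Known viruses: 852104
Engine version: 0.96.5
Scanned directories: 238
Scanned files: 4522
Infected files: 2
Time: 22.671 sec (0 m 22 s)
"""

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
ERROR_RE = re.compile(r"^(?P<path>.+?): (?P<msg>.+) ERROR$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")

def parse_clamscan_log(text):
    """Return (infected, errors, summary): infected maps path -> signature,
    errors maps path -> reason the file could not be scanned."""
    infected, errors, summary = {}, {}, {}
    in_summary = False
    for line in text.splitlines():
        if "SCAN SUMMARY" in line:
            in_summary = True
        elif in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m.group("key")] = m.group("value")
        elif FOUND_RE.match(line):
            m = FOUND_RE.match(line)
            infected[m.group("path")] = m.group("sig")
        elif ERROR_RE.match(line):
            m = ERROR_RE.match(line)
            errors[m.group("path")] = m.group("msg")
    return infected, errors, summary

def consistent_with_summary(infected, summary):
    """Cross-check the parsed FOUND lines against the 'Infected files' count;
    a mismatch means the log was truncated or the format changed."""
    return len(infected) == int(summary.get("Infected files", -1))
```

Files in the errors dict were never inspected, so a clean summary says nothing about them; they deserve a second look rather than a pass.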
vi /opt/clamav/etc/clamd.conf
# Comment or remove the line below.
Example
Now try with clamd, which should provide output that is similar to the clamscan command you entered above.
/opt/clamav/bin/clamdscan -l scan.txt clamav-$VERSION
ERROR: Clamd is not configured properly.
Update with:
# comment out the "Example" line in etc/freshclam.conf first
bin/freshclam
Scan folder:
bin/clamscan [folder]
bin/clamscan -r [folder] # recursive
Test signature: eicar | THE ANTI-VIRUS OR ANTI-MALWARE TEST FILE - http://www.eicar.org/anti_virus_test_file.htm
cat > samplevirus.txt <<"EOF"
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
EOF
Source: http://www.linux.org/docs/ldp/howto/Qmail-ClamAV-HOWTO/x120.html
Clam AntiVirus Daemon
Start daemon:
/opt/clamav/sbin/clamd
Initial error:
ERROR: Please define server type (local and/or TCP).
Configure:
/opt/clamav/etc/clamd.conf
# TCP port address.
# Default: no
TCPSocket 3310
Now start clamd.
/opt/clamav/sbin/clamd
To use clamdscan with clamd:
/opt/clamav/bin/clamdscan
Documentation:
man /opt/clamav/share/man/man1/clamdscan.1
man /opt/clamav/share/man/man8/clamd.8
Updates
Virus database
Your virus definitions may be out of date:
$ /opt/clamav/bin/clamscan -r -l scan.txt myfolder
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days!    ***
LibClamAV Warning: *** Please update it as soon as possible.       ***
LibClamAV Warning: **************************************************
When freshclam is first run it will give the following error:
ERROR: Please edit the example config file /opt/clamav/etc/freshclam.conf
ERROR: Can't open/parse the config file /opt/clamav/etc/freshclam.conf
Edit the freshclam.conf and comment out the "Example" line:
sudo chown -R kenneth:kenneth /opt/clamav/etc
vi /opt/clamav/etc/freshclam.conf
Modify both and comment out the Example line:
# Comment or remove the line below.
#Example
NOTES:
- touch /var/log/clam-update.log
- chmod 600 /var/log/clam-update.log
- chown clamav /var/log/clam-update.log
freshclam -d -c 6 -l /var/log/clam-update.log
This runs freshclam as a daemon that checks for a new virus definition database six (6) times a day; check /var/log/clam-update.log for the results.
Add freshclam -d -c 6 -l /var/log/clam-update.log to your startup scripts.
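An added check (not from these notes) that turns the "older than 7 days" warning above into something a monitoring job can run: it looks at the newest .cvd/.cld file in the database directory, which freshclam rewrites on every successful update, and reports the install as stale when that file is older than seven days. The database path is the one used throughout these notes; the fixture builder and its file ages are constructed for the example.

```python
import os
import tempfile
import time

DAY = 86400
MAX_AGE_DAYS = 7                       # clamscan warns once the database is this old
DB_DIR = "/opt/clamav/share/clamav"    # database directory used in these notes

def newest_db_age_days(db_dir=DB_DIR, now=None):
    """Days since the most recently written .cvd/.cld file in db_dir.
    freshclam rewrites daily.cvd/daily.cld on every successful update, so if
    even the newest file is old, the cron job or daemon has stopped working.
    Returns None when no database file exists at all."""
    now = time.time() if now is None else now
    mtimes = [os.path.getmtime(os.path.join(db_dir, f))
              for f in os.listdir(db_dir) if f.endswith((".cvd", ".cld"))]
    if not mtimes:
        return None
    return (now - max(mtimes)) / DAY

def database_is_stale(db_dir=DB_DIR, now=None, max_age_days=MAX_AGE_DAYS):
    """True when updates have stopped (or never ran) for this install."""
    age = newest_db_age_days(db_dir, now)
    return age is None or age > max_age_days

def make_sample_db_dir(daily_age_days):
    """Constructed fixture: a temp dir holding a 40-day-old main.cvd (main is
    updated rarely, so its age alone says nothing) and a daily.cld of the given
    age. Contents are dummies; only the mtimes matter."""
    d = tempfile.mkdtemp()
    now = time.time()
    for name, age in (("main.cvd", 40), ("daily.cld", daily_age_days)):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("dummy\n")
        os.utime(path, (now - age * DAY, now - age * DAY))
    return d
```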
ClamAV engine is outdated
- UpgradeInstructions - http://wiki.clamav.net/Main/UpgradeInstructions
If you installed from sources
- Uninstall the old version
- Compile and install the new one
Submit
Clam AntiVirus - Submit a file - http://www.clamav.net/lang/en/sendvirus/
- Send a malware sample - http://www.clamav.net/sendvirus/submit-malware/
"If you want to be notified of changes in the virus database, please join the clamav-virusdb at lists.clamav.net mailing-list"
- Clam AntiVirus - Mailing Lists - http://www.clamav.net/support/ml
Scripts
Written by Kenneth Burgener November 2015
/usr/local/bin/check-infected:
#!/bin/bash
# Check a file with clamscan; with -f, truncate an infected file and rename it with a .infected extension
if [ "$1" == "" ] ; then
    echo "Purpose: Check if infected, then if '-f' truncate and rename"
    echo "         infected file with .infected extension"
    echo "Usage: $0 [-f] <possible_infected_file>"
    exit 1
fi

if [ "$1" == "-f" ] ; then
    FIX=true
    FNAME=$2
    if [ "$3" != "" ] ; then
        echo "Too many files specified"
        exit 1
    fi
else
    FIX=false
    FNAME=$1
    if [ "$2" != "" ] ; then
        echo "Too many files specified"
        exit 1
    fi
fi

echo "== Checking $FNAME =="
if [ ! -e "$FNAME" ] ; then
    echo "File does not exist!"
    exit 1
fi

# clamscan exit codes: 0 = clean, 1 = infected, 2 = error (unreadable file, missing database, ...)
# Only exit code 1 means infected; an error must not cause the file to be truncated.
clamscan --quiet "$FNAME"
RC=$?
if [ $RC -eq 0 ] ; then
    echo "File is not infected."
    exit 0
elif [ $RC -ne 1 ] ; then
    echo "clamscan failed (exit code $RC); leaving $FNAME untouched"
    exit $RC
fi

# Infected: only truncate and rename when -f was given
if [ "$FIX" = "true" ] ; then
    echo "Marking as infected..." > "$FNAME"
    mv "$FNAME" "$FNAME.infected"
fi
exit 1
/usr/local/bin/infected:
#!/bin/bash
# Truncate and rename an infected file with a .infected extension
if [ "$1" == "" ] ; then
    echo "Truncate and rename infected file with .infected extension"
    echo "Usage: $0 infected_file"
    exit 1
fi
if [ ! -e "$1" ] ; then
    echo "File $1 does not exist!"
    exit 1
fi
echo "Marking $1 as infected..." > "$1"
mv "$1" "$1.infected"
References
- Linux Online - Qmail-Scanner and ClamAV HowTo
- eicar | THE ANTI-VIRUS OR ANTI-MALWARE TEST FILE
- AntiVirus (ClamAV) Setup Howto for RHEL/CentOS 5 ‹‹ Linux Mail Server Setup and Howto Guide
- How To Install ClamAV On Red Hat Enterprise Linux : Bob Plankers, The Lone Sysadmin
- ClamAV - The free Anti Virus solution for Windows on Linux | All about Linux
Issues
cli_loadldb: logical signature uses PCREs but support is disabled
LibClamAV Warning: cli_loadldb: logical signature for Win.Trojan.ssid18332 uses PCREs but support is disabled, skipping
ClamAV 0.99 uses PCRE. Install the development package, then re-run configure and make for ClamAV:
yum install pcre-devel