ClamAV AntiVirus Notes
ClamAV on RockyLinux 9 - Basic install instructions
ClamAV on Rocky Linux
CentOS 7 VM notes:
Set /etc/clamd.d/scan.conf "MaxThreads" to 1 (default is 10) to avoid too much CPU usage upon reboot
CentOS 7 issues:
https://www.adminsys.ch/2015/08/21/installing-clamav-epel-centosred-hat-7-nightmare/
http://linux-audit.com/install-clamav-on-centos-7-using-freshclam/
If not CentOS 7, start with this procedure, or see the steps listed below:
http://www.centosblog.com/how-to-install-clamav-and-configure-daily-scanning-on-centos/
Other links:
http://www.clamav.net/
http://tboxmy.blogspot.com/2013/06/install-clamav-antivirus-on-centos.html
http://tboxmy.blogspot.com/2013/06/install-yum-repo-for-centos.html
http://www.digitalsanctuary.com/tech-blog/debian/automated-clamav-virus-scanning.html
Steps done as root on the local Linux box:
Use this link to install and follow file modifications carefully (some paths need to be adjusted):
Other notes from previous installs:
- Make sure the "epel" yum repository is installed first
- Using the "rpmforge" repository resulted in conflicting clam vs clamav users
- The "clamav-milter" package is only needed for scanning outgoing mail via sendmail
yum install clamav clamav-db clamav-devel clamav-milter clamd
chkconfig --list | grep clam (should see results for "clamav-milter" and "clamd")
chkconfig clamav-milter on
chkconfig clamd on
service clamd start
service clamav-milter start
freshclam (to update the virus signature database)
run a recursive scan: clamscan -r -l scan.txt /path/to/dir
Set up crons (credit Devon Hillard):
/etc/cron.hourly/clamscan_hourly
#!/bin/bash
# email subject
SUBJECT="VIRUS DETECTED ON `hostname`!!!"
# Email To
EMAIL="USER@DOMAIN"
# Log location
LOG=/var/log/clamav/scan.log

echo "" >> ${LOG}
echo "***Start /etc/cron.hourly/clamscan_hourly at `date`" >> ${LOG}

check_scan () {
    # Check the last set of results. If there are any "Infected" counts that aren't zero, we have a problem.
    # (Match ": 0" at end of line rather than any "0", so counts such as 10 are not silently ignored.)
    if [ `tail -n 12 ${LOG} | grep Infected | grep -v ': 0$' | wc -l` != 0 ]
    then
        EMAILMESSAGE=`mktemp /tmp/virus-alert.XXXXX`
        echo "To: ${EMAIL}" >> ${EMAILMESSAGE}
        echo "From: root@`hostname`" >> ${EMAILMESSAGE}
        echo "Subject: ${SUBJECT}" >> ${EMAILMESSAGE}
        echo "Importance: High" >> ${EMAILMESSAGE}
        echo "X-Priority: 1" >> ${EMAILMESSAGE}
        echo "`tail -n 50 ${LOG}`" >> ${EMAILMESSAGE}
        #sendmail -t < ${EMAILMESSAGE}
        /usr/bin/mutt -s "${SUBJECT}" $EMAIL < ${EMAILMESSAGE}
        rm -f ${EMAILMESSAGE}
    fi
}

# Scan files modified in the last hour (skipping /sys and /proc), then check the log
find / -not -wholename '/sys/*' -and -not -wholename '/proc/*' -mmin -61 -type f -print0 | xargs -0 -r clamscan --exclude-dir=/proc/ --exclude-dir=/sys/ --quiet --infected --log=${LOG}
check_scan

# Same again for files whose inode changed (permissions, ownership, rename) in the last hour
find / -not -wholename '/sys/*' -and -not -wholename '/proc/*' -cmin -61 -type f -print0 | xargs -0 -r clamscan --exclude-dir=/proc/ --exclude-dir=/sys/ --quiet --infected --log=${LOG}
check_scan

echo "***End /etc/cron.hourly/clamscan_hourly at `date`" >> ${LOG}
echo "" >> ${LOG}
/etc/cron.daily/clamscan_daily
#!/bin/bash
# email subject
SUBJECT="VIRUS DETECTED ON `hostname`!!!"
# Email To
EMAIL="USER@DOMAIN"
# Log location
LOG=/var/log/clamav/scan.log

echo "" >> ${LOG}
echo "***Start /etc/cron.daily/clamscan_daily at `date`" >> ${LOG}

check_scan () {
    # Check the last set of results. If there are any "Infected" counts that aren't zero, we have a problem.
    # (Match ": 0" at end of line rather than any "0", so counts such as 10 are not silently ignored.)
    if [ `tail -n 12 ${LOG} | grep Infected | grep -v ': 0$' | wc -l` != 0 ]
    then
        EMAILMESSAGE=`mktemp /tmp/virus-alert.XXXXX`
        echo "To: ${EMAIL}" >> ${EMAILMESSAGE}
        echo "From: root@`hostname`" >> ${EMAILMESSAGE}
        echo "Subject: ${SUBJECT}" >> ${EMAILMESSAGE}
        echo "Importance: High" >> ${EMAILMESSAGE}
        echo "X-Priority: 1" >> ${EMAILMESSAGE}
        echo "`tail -n 50 ${LOG}`" >> ${EMAILMESSAGE}
        #sendmail -t < ${EMAILMESSAGE}
        /usr/bin/mutt -s "${SUBJECT}" $EMAIL < ${EMAILMESSAGE}
        rm -f ${EMAILMESSAGE}
    fi
}

# Full recursive scan of the filesystem once a day, then check the log
clamscan -r / --exclude-dir=/sys/ --quiet --infected --log=${LOG}
check_scan

echo "***End /etc/cron.daily/clamscan_daily at `date`" >> ${LOG}
echo "" >> ${LOG}
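The check_scan test in both cron scripts above relies on grepping the log for "Infected" lines. The following is an added example, not part of these notes or Devon Hillard's scripts, that parses the numeric count from the last clamscan summary instead and also returns clamscan's own exit status (0 clean, 1 infected, 2 error), which is the scanner's most reliable signal. The sample summaries it writes are constructed for the demonstration, not real scanner output.

```shell
#!/bin/bash
# Added example: a more robust version of the check_scan log test.

# Print the "Infected files" count from the last clamscan summary in a log
# (the final 12 lines, as in the cron scripts). Prints 0 if no summary is found.
# Unlike `grep Infected | grep -v 0`, this does not ignore counts such as 10.
infected_count() {
    tail -n 12 "$1" | awk '/^Infected files:/ {n = $3} END {print n + 0}'
}

# Scan the given paths, append the summary to the log, and return clamscan's
# exit status: 0 = clean, 1 = infection found, 2 = scanner error.
scan_and_check() {
    local log="$1"; shift
    local rc=0
    clamscan --quiet --infected --log="$log" "$@" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "clamscan reported errors (exit 2); check $log" >&2
    fi
    return "$rc"
}

# Write a constructed clamscan-style summary with the given infected count.
# Used only to exercise infected_count offline; not real scanner output.
write_sample_log() {
    cat > "$1" <<EOF
----------- SCAN SUMMARY -----------
Known viruses: 8000000
Scanned directories: 1
Scanned files: 20
Infected files: $2
Data scanned: 1.00 MB
Time: 0.500 sec (0 m 0 s)
EOF
}

INFECTED_LOG=$(mktemp)
CLEAN_LOG=$(mktemp)
trap 'rm -f "$INFECTED_LOG" "$CLEAN_LOG"' EXIT
write_sample_log "$INFECTED_LOG" 10   # the case the original grep -v 0 would miss
write_sample_log "$CLEAN_LOG" 0

if [ "$(infected_count "$INFECTED_LOG")" -gt 0 ]; then
    echo "alert: $(infected_count "$INFECTED_LOG") infected file(s) in the last scan"
fi
```

In the cron scripts, the mail step would be triggered on `infected_count "$LOG"` being non-zero or on `scan_and_check` returning 1, and a return of 2 should be reported separately so a broken scan is not mistaken for a clean one.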
Make sure that the new cron files are set to executable (chmod +x)
Remember that email from crons will require setup (see GMail on Linux with SSMTP)
Test that clamd runs upon a reboot (it should)
ClamAV may report errors in the scan logs if SELinux is set to enforcing; some files cannot be checked even as root.
Check /var/log/clamav for log files updating; freshclam failed on one box because the log files had bad permissions.

User "clam" and user "clamav" seemed to conflict, and another box only had user clam, not both. This can happen when the clamd RPM and the clamav RPM come from different sources. The following recommendations are what are used in my VM distributions of ZendTo. There are 2 usernames involved: "clam" and "clamav".
The following is all based on the line
User clam
appearing in the file /etc/clamd.conf
More info: http://zend.to/clamavpermissions.php
Fix: disable the rpmforge repository in the /etc/yum.repos.d/ directory
Other scripts: https://www.annasseh.info/knowledgebase/30/Install-ClamAV--on-CentOS-6---64-bit-plus-Configure-Daily-Scanning.html