Christopher Juckins

SysAdmin Tips, Tricks and other Software Tools

User Tools

Site Tools


clamav_antivirus

This is an old revision of the document!


Notes on ClamAV AntiVirus

http://www.clamav.net/
http://tboxmy.blogspot.com/2013/06/install-clamav-antivirus-on-centos.html
http://tboxmy.blogspot.com/2013/06/install-yum-repo-for-centos.html
http://www.digitalsanctuary.com/tech-blog/debian/automated-clamav-virus-scanning.html

Steps done as root on local linux box:

yum install clamav clamav-db clamav-devel clamav-milter clamd

chkconfig \-\-list |grep clam (should see results for "clamav-milter" and "clamd")

chkconfig clamav-milter on

chkconfig clamd on

service clamd start

service clamav-milter start

freshclam (to update)

run a recursive scan: clamscan -r -l scan.txt /path/to/dir

Set up crons (credit Devon Hillard):

/etc/cron.hourly/clamscan_hourly

#!/bin/bash
 
# email subject
SUBJECT="VIRUS DETECTED ON `hostname`!!!"
# Email To ?
EMAIL="USER@DOMAIN"
# Log location
LOG=/var/log/clamav/scan.log

echo "" >> ${LOG}
echo "***Start /etc/cron.hourly/clamscan_hourly at `date`" >> ${LOG}

check_scan () {
 
    # Check the last set of results. If there are any "Infected" counts that aren't zero, we have a problem.
    if [ `tail -n 12 ${LOG}  | grep Infected | grep -v 0 | wc -l` != 0 ]
    then
        EMAILMESSAGE=`mktemp /tmp/virus-alert.XXXXX`
        echo "To: ${EMAIL}" >>  ${EMAILMESSAGE}
        echo "From: root@`hostname`" >>  ${EMAILMESSAGE}
        echo "Subject: ${SUBJECT}" >>  ${EMAILMESSAGE}
        echo "Importance: High" >> ${EMAILMESSAGE}
        echo "X-Priority: 1" >> ${EMAILMESSAGE}
        echo "`tail -n 50 ${LOG}`" >> ${EMAILMESSAGE}
        #sendmail -t < ${EMAILMESSAGE}
        /usr/bin/mutt -s \"${SUBJECT}\" $EMAIL < ${EMAILMESSAGE}
    fi
 
}
 
find / -not -wholename '/sys/*' -and -not -wholename '/proc/*' -mmin -61 -type f -print0 | xargs -0 -r clamscan --exclude-dir=/proc/ --exclude-dir=/sys/ --quiet --infected --log=${LOG}
check_scan
 
find / -not -wholename '/sys/*' -and -not -wholename '/proc/*' -cmin -61 -type f -print0 | xargs -0 -r clamscan --exclude-dir=/proc/ --exclude-dir=/sys/ --quiet --infected --log=${LOG}
check_scan

echo "***End /etc/cron.hourly/clamscan_hourly at `date`" >> ${LOG}
echo "" >> ${LOG}

/etc/cron.daily/clamscan_daily

#!/bin/bash
 
# email subject
SUBJECT="VIRUS DETECTED ON `hostname`!!!"
# Email To ?
EMAIL="USER@DOMAIN"
# Log location
LOG=/var/log/clamav/scan.log

echo "" >> ${LOG}
echo "***Start /etc/cron.daily/clamscan_daily at `date`" >> ${LOG}
 
check_scan () {
 
    # Check the last set of results. If there are any "Infected" counts that aren't zero, we have a problem.
    if [ `tail -n 12 ${LOG}  | grep Infected | grep -v 0 | wc -l` != 0 ]
    then
        EMAILMESSAGE=`mktemp /tmp/virus-alert.XXXXX`
        echo "To: ${EMAIL}" >>  ${EMAILMESSAGE}
        echo "From: root@`hostname`" >>  ${EMAILMESSAGE}
        echo "Subject: ${SUBJECT}" >>  ${EMAILMESSAGE}
        echo "Importance: High" >> ${EMAILMESSAGE}
        echo "X-Priority: 1" >> ${EMAILMESSAGE}
        echo "`tail -n 50 ${LOG}`" >> ${EMAILMESSAGE}
        #sendmail -t < ${EMAILMESSAGE}
        /usr/bin/mutt -s \"${SUBJECT}\" $EMAIL < ${EMAILMESSAGE}
    fi
 
}
 
clamscan -r / --exclude-dir=/sys/ --quiet --infected --log=${LOG}
 
check_scan

echo "***End /etc/cron.daily/clamscan_daily at `date`" >> ${LOG}
echo "" >> ${LOG}

Remember that email from crons will require setup (see GMail on Linux with SSMTP)

Test that clamd runs upon a reboot (it should)

clamav_antivirus.1386727340.txt.gz · Last modified: 2013/12/10 21:02 by juckins