Notes on ClamAV AntiVirus
Start with this procedure - or see steps listed below:
http://www.centosblog.com/how-to-install-clamav-and-configure-daily-scanning-on-centos/
Other links:
http://www.clamav.net/
http://tboxmy.blogspot.com/2013/06/install-clamav-antivirus-on-centos.html
http://tboxmy.blogspot.com/2013/06/install-yum-repo-for-centos.html
http://www.digitalsanctuary.com/tech-blog/debian/automated-clamav-virus-scanning.html
Steps done as root on a local Linux box:
Make sure the "epel" yum repository is installed first.
yum install clamav clamav-db clamav-devel clamav-milter clamd
chkconfig --list | grep clam (should see results for "clamav-milter" and "clamd")
chkconfig clamav-milter on
chkconfig clamd on
service clamd start
service clamav-milter start
freshclam (to update the virus signature database)
run a recursive scan: clamscan -r -l scan.txt /path/to/dir
Set up crons (credit Devon Hillard):
/etc/cron.hourly/clamscan_hourly
#!/bin/bash
# email subject
SUBJECT="VIRUS DETECTED ON `hostname`!!!"
# Email To ?
EMAIL="USER@DOMAIN"
# Log location
LOG=/var/log/clamav/scan.log

echo "" >> ${LOG}
echo "***Start /etc/cron.hourly/clamscan_hourly at `date`" >> ${LOG}

check_scan () {
    # Check the last set of results. If there are any "Infected" counts that aren't zero, we have a problem.
    # Note: the original test was "grep Infected | grep -v 0", which also discards counts such as
    # "Infected files: 10"; matching the literal zero count at end of line fixes that.
    if [ `tail -n 12 ${LOG} | grep 'Infected files:' | grep -v 'Infected files: 0$' | wc -l` != 0 ]
    then
        EMAILMESSAGE=`mktemp /tmp/virus-alert.XXXXX`
        echo "To: ${EMAIL}" >> ${EMAILMESSAGE}
        echo "From: root@`hostname`" >> ${EMAILMESSAGE}
        echo "Subject: ${SUBJECT}" >> ${EMAILMESSAGE}
        echo "Importance: High" >> ${EMAILMESSAGE}
        echo "X-Priority: 1" >> ${EMAILMESSAGE}
        echo "`tail -n 50 ${LOG}`" >> ${EMAILMESSAGE}
        #sendmail -t < ${EMAILMESSAGE}
        /usr/bin/mutt -s "${SUBJECT}" $EMAIL < ${EMAILMESSAGE}
    fi
}

# Scan files whose content was modified in the last 61 minutes (skipping /sys and /proc) ...
find / -not -wholename '/sys/*' -and -not -wholename '/proc/*' -mmin -61 -type f -print0 | xargs -0 -r clamscan --exclude-dir=/proc/ --exclude-dir=/sys/ --quiet --infected --log=${LOG}
check_scan
# ... and files whose inode status (new file, ownership, permissions) changed in the last 61 minutes.
find / -not -wholename '/sys/*' -and -not -wholename '/proc/*' -cmin -61 -type f -print0 | xargs -0 -r clamscan --exclude-dir=/proc/ --exclude-dir=/sys/ --quiet --infected --log=${LOG}
check_scan

echo "***End /etc/cron.hourly/clamscan_hourly at `date`" >> ${LOG}
echo "" >> ${LOG}
/etc/cron.daily/clamscan_daily
#!/bin/bash
# email subject
SUBJECT="VIRUS DETECTED ON `hostname`!!!"
# Email To ?
EMAIL="USER@DOMAIN"
# Log location
LOG=/var/log/clamav/scan.log

echo "" >> ${LOG}
echo "***Start /etc/cron.daily/clamscan_daily at `date`" >> ${LOG}

check_scan () {
    # Check the last set of results. If there are any "Infected" counts that aren't zero, we have a problem.
    # Note: the original test was "grep Infected | grep -v 0", which also discards counts such as
    # "Infected files: 10"; matching the literal zero count at end of line fixes that.
    if [ `tail -n 12 ${LOG} | grep 'Infected files:' | grep -v 'Infected files: 0$' | wc -l` != 0 ]
    then
        EMAILMESSAGE=`mktemp /tmp/virus-alert.XXXXX`
        echo "To: ${EMAIL}" >> ${EMAILMESSAGE}
        echo "From: root@`hostname`" >> ${EMAILMESSAGE}
        echo "Subject: ${SUBJECT}" >> ${EMAILMESSAGE}
        echo "Importance: High" >> ${EMAILMESSAGE}
        echo "X-Priority: 1" >> ${EMAILMESSAGE}
        echo "`tail -n 50 ${LOG}`" >> ${EMAILMESSAGE}
        #sendmail -t < ${EMAILMESSAGE}
        /usr/bin/mutt -s "${SUBJECT}" $EMAIL < ${EMAILMESSAGE}
    fi
}

# Full recursive scan of the filesystem once a day.
clamscan -r / --exclude-dir=/sys/ --quiet --infected --log=${LOG}
check_scan

echo "***End /etc/cron.daily/clamscan_daily at `date`" >> ${LOG}
echo "" >> ${LOG}
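Both cron scripts decide whether to send mail by grepping the last scan summary in the log. The following is an added example (not from this page or from the cron scripts credited above) that parses the "Infected files:" count from a clamscan log as a number, so a count of 10 is not mistaken for 0, and builds the alert body the way the scripts do; the sample logs are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: read the infected-file count from the SCAN SUMMARY block
# that clamscan appends to its --log file, and decide whether to alert.

# Print the count from the most recent summary in the log (0 if none yet).
infected_count() {
    count=$(grep 'Infected files:' "$1" | tail -n 1 | awk '{print $3}')
    echo "${count:-0}"
}

# Exit status 0 when the latest scan found infections, 1 otherwise.
scan_found_infection() {
    [ "$(infected_count "$1")" -gt 0 ]
}

# Alert body as the cron scripts build it: a heading plus the summary block
# (last 12 lines of the log). In the cron job this would be piped to mutt.
alert_body() {
    log="$1"
    echo "ClamAV found $(infected_count "$log") infected file(s) on $(uname -n)"
    echo
    tail -n 12 "$log"
}

# Constructed sample logs, not real clamscan output.
CLEAN_LOG=$(mktemp /tmp/clamscan-clean.XXXXXX)
INFECTED_LOG=$(mktemp /tmp/clamscan-infected.XXXXXX)
cat > "$CLEAN_LOG" <<'EOF'
----------- SCAN SUMMARY -----------
Known viruses: 6000000
Scanned files: 42
Infected files: 0
EOF
cat > "$INFECTED_LOG" <<'EOF'
----------- SCAN SUMMARY -----------
Known viruses: 6000000
Scanned files: 42
Infected files: 10
EOF

# A plain "grep Infected | grep -v 0" would drop the "Infected files: 10"
# line and stay silent; the numeric comparison does not.
if scan_found_infection "$INFECTED_LOG"; then
    alert_body "$INFECTED_LOG"
fi
```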
Make sure that the new cron files are set to executable (chmod +x)
Remember that email from crons will require setup (see GMail on Linux with SSMTP)
Test that clamd runs upon a reboot (it should)
ClamAV may report errors in the scan logs if SELinux is set to enforcing; some files cannot be checked even as root.