Christopher Juckins

SysAdmin Tips, Tricks and other Software Tools

User Tools

Site Tools


clamav_antivirus

This is an old revision of the document!


Notes on ClamAV AntiVirus

Start with this procedure - or see steps listed below:
http://www.centosblog.com/how-to-install-clamav-and-configure-daily-scanning-on-centos/

Other links:
http://www.clamav.net/
http://tboxmy.blogspot.com/2013/06/install-clamav-antivirus-on-centos.html
http://tboxmy.blogspot.com/2013/06/install-yum-repo-for-centos.html
http://www.digitalsanctuary.com/tech-blog/debian/automated-clamav-virus-scanning.html

Steps done as root on local linux box:

Make sure the "epel" yum repository is installed first.

yum install clamav clamav-db clamav-devel clamav-milter clamd

chkconfig –list |grep clam (should see results for "clamav-milter" and "clamd")

chkconfig clamav-milter on

chkconfig clamd on

service clamd start

service clamav-milter start

freshclam (to update)

run a recursive scan: clamscan -r -l scan.txt /path/to/dir

Set up crons (credit Devon Hillard):

/etc/cron.hourly/clamscan_hourly

#!/bin/bash
 
# email subject
SUBJECT="VIRUS DETECTED ON `hostname`!!!"
# Email To ?
EMAIL="USER@DOMAIN"
# Log location
LOG=/var/log/clamav/scan.log

echo "" >> ${LOG}
echo "***Start /etc/cron.hourly/clamscan_hourly at `date`" >> ${LOG}

check_scan () {
 
    # Check the last set of results. If there are any "Infected" counts that aren't zero, we have a problem.
    if [ `tail -n 12 ${LOG}  | grep Infected | grep -v 0 | wc -l` != 0 ]
    then
        EMAILMESSAGE=`mktemp /tmp/virus-alert.XXXXX`
        echo "To: ${EMAIL}" >>  ${EMAILMESSAGE}
        echo "From: root@`hostname`" >>  ${EMAILMESSAGE}
        echo "Subject: ${SUBJECT}" >>  ${EMAILMESSAGE}
        echo "Importance: High" >> ${EMAILMESSAGE}
        echo "X-Priority: 1" >> ${EMAILMESSAGE}
        echo "`tail -n 50 ${LOG}`" >> ${EMAILMESSAGE}
        #sendmail -t < ${EMAILMESSAGE}
        /usr/bin/mutt -s "${SUBJECT}" $EMAIL < ${EMAILMESSAGE}
    fi
 
}
 
find / -not -wholename '/sys/*' -and -not -wholename '/proc/*' -mmin -61 -type f -print0 | xargs -0 -r clamscan --exclude-dir=/proc/ --exclude-dir=/sys/ --quiet --infected --log=${LOG}
check_scan
 
find / -not -wholename '/sys/*' -and -not -wholename '/proc/*' -cmin -61 -type f -print0 | xargs -0 -r clamscan --exclude-dir=/proc/ --exclude-dir=/sys/ --quiet --infected --log=${LOG}
check_scan

echo "***End /etc/cron.hourly/clamscan_hourly at `date`" >> ${LOG}
echo "" >> ${LOG}

/etc/cron.daily/clamscan_daily

#!/bin/bash
 
# email subject
SUBJECT="VIRUS DETECTED ON `hostname`!!!"
# Email To ?
EMAIL="USER@DOMAIN"
# Log location
LOG=/var/log/clamav/scan.log

echo "" >> ${LOG}
echo "***Start /etc/cron.daily/clamscan_daily at `date`" >> ${LOG}
 
check_scan () {
 
    # Check the last set of results. If there are any "Infected" counts that aren't zero, we have a problem.
    if [ `tail -n 12 ${LOG}  | grep Infected | grep -v 0 | wc -l` != 0 ]
    then
        EMAILMESSAGE=`mktemp /tmp/virus-alert.XXXXX`
        echo "To: ${EMAIL}" >>  ${EMAILMESSAGE}
        echo "From: root@`hostname`" >>  ${EMAILMESSAGE}
        echo "Subject: ${SUBJECT}" >>  ${EMAILMESSAGE}
        echo "Importance: High" >> ${EMAILMESSAGE}
        echo "X-Priority: 1" >> ${EMAILMESSAGE}
        echo "`tail -n 50 ${LOG}`" >> ${EMAILMESSAGE}
        #sendmail -t < ${EMAILMESSAGE}
        /usr/bin/mutt -s "${SUBJECT}" $EMAIL < ${EMAILMESSAGE}
    fi
 
}
 
clamscan -r / --exclude-dir=/sys/ --quiet --infected --log=${LOG}
 
check_scan

echo "***End /etc/cron.daily/clamscan_daily at `date`" >> ${LOG}
echo "" >> ${LOG}

Make sure that the new cron files are set to executable (chmod +x)

Remember that email from crons will require setup (see GMail on Linux with SSMTP)

Test that clamd runs upon a reboot (it should)

Clamav may report errors in the scan logs if SELinux is set to enforcing; some files cannot be checked even as root.

Check /var/log/clamav for log files updating; freshclam failed on one box because log files had bad permissions. User "clam" and user "clamav" seemed to conflict, and another box only had user clam, not both. This can happen when the clamd RPM and the clamav RPM come from different sources. The following recommendations are what are used in my VM distributions of ZendTo. There are 2 usernames involved: "clam" and "clamav".

The following is all based on the line

User clam

appearing in the file /etc/clamd.conf

More info: http://zend.to/clamavpermissions.php

Fix: Disable rpmforge in /etc/yum.repos.d/ directory

clamav_antivirus.1397129125.txt.gz · Last modified: 2014/04/10 07:25 by juckins