0 6 min 1 mth

ClamAV is an open source antivirus engine for detecting trojans, viruses, malware, adwares, rootkits and other malicious threats. Some of the features of ClamAV are;

Support for various archive formats like Zip, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others.
Support for almost all mail file formats
Support for ELF executables and Portable Executable files compressed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others;
Support for popular document formats including Microsoft Office and Mac Office files, HTML, RTF and PDF.
Support multiple signature languages such as hash-based signature matching, wildcards, boolean logic and any custom rules written in Bytecode language.

A multi-threaded scanner daemon, command line utilities for on demand file scanning and automatic signature updates. One of its main uses is on mail servers as a server-side email virus scanner.

apt-cache policy clamav clamav-daemon

apt install -y gcc make pkg-config python3 python3-pip python3-pytest valgrind check libbz2-dev libcurl4-openssl-dev libjson-c-dev libmilter-dev sudo libncurses5-dev libpcre2-dev libssl-dev libxml2-dev zlib1g-dev cmake

Create ClamAV service account;

useradd -r -M -d /var/lib/clamav -s /bin/false -c "Clam Antivirus" clamav

Open clamav.net downloads page and download source code. You can run the command below to download it the current stable release version as of this writing.

wget https://www.clamav.net/downloads/production/clamav-$VER.tar.gz
tar xzf clamav-$VER.tar.gz
cd clamav-$VER
mkdir build && cd build

cmake .. \
-D CMAKE_INSTALL_PREFIX=/usr \
-D CMAKE_INSTALL_LIBDIR=lib \
-D APP_CONFIG_DIRECTORY=/etc/clamav \
-D DATABASE_DIRECTORY=/var/lib/clamav \
-D ENABLE_JSON_SHARED=OFF

cmake --build .

ctest

cmake --build . --target install

ls -1 /etc/clamav/

cat > /etc/clamav/freshclam.conf << 'EOL' DatabaseOwner clamav UpdateLogFile /var/log/clamav/freshclam.log LogVerbose false LogSyslog false LogFacility LOG_LOCAL6 LogFileMaxSize 0 LogRotate true LogTime true Foreground false Debug false MaxAttempts 5 DatabaseDirectory /var/lib/clamav DNSDatabaseInfo current.cvd.clamav.net ConnectTimeout 30 ReceiveTimeout 0 TestDatabases yes ScriptedUpdates yes CompressLocalDatabase no Bytecode true NotifyClamd /etc/clamav/clamd.conf cat > /etc/clamav/clamd.conf << 'EOL' LocalSocket /var/run/clamav/clamd.ctl FixStaleSocket true LocalSocketGroup clamav LocalSocketMode 666 User clamav ScanMail true ScanArchive true ArchiveBlockEncrypted false MaxDirectoryRecursion 15 FollowDirectorySymlinks false FollowFileSymlinks false ReadTimeout 180 MaxThreads 12 MaxConnectionQueueLength 15 LogSyslog false LogRotate true LogFacility LOG_LOCAL6 LogClean false LogVerbose false PreludeEnable no PreludeAnalyzerName ClamAV DatabaseDirectory /var/lib/clamav OfficialDatabaseOnly false SelfCheck 3600 Foreground false Debug false ScanPE true MaxEmbeddedPE 10M ScanOLE2 true ScanPDF true ScanHTML true MaxHTMLNormalize 10M MaxHTMLNoTags 2M MaxScriptNormalize 5M MaxZipTypeRcg 1M ScanSWF true ExitOnOOM false LeaveTemporaryFiles false AlgorithmicDetection true ScanELF true IdleTimeout 30 CrossFilesystems true PhishingSignatures true PhishingScanURLs true PhishingAlwaysBlockSSLMismatch false PhishingAlwaysBlockCloak false PartitionIntersection false DetectPUA false ScanPartialMessages false HeuristicScanPrecedence false StructuredDataDetection false CommandReadTimeout 30 SendBufTimeout 200 MaxQueue 100 ExtendedDetectionInfo true OLE2BlockMacros false AllowAllMatchScan true ForceToDisk false DisableCertCheck false DisableCache false MaxScanTime 120000 MaxScanSize 100M MaxFileSize 25M MaxRecursion 16 MaxFiles 10000 MaxPartitions 50 MaxIconsPE 100 PCREMatchLimit 10000 PCRERecMatchLimit 5000 PCREMaxFileSize 25M ScanXMLDOCS true ScanHWP3 true MaxRecHWP3 16 StreamMaxLength 25M LogFile /var/log/clamav/clamav.log LogTime true LogFileUnlock false LogFileMaxSize 0 Bytecode true BytecodeSecurity TrustSigned BytecodeTimeout 60000 OnAccessMaxFileSize 5M EOL

Since we didn't compile ClamAV with mail filtering support, then the configs above are enough.

mkdir /var/log/clamav/ /var/lib/clamav /var/run/clamav/
chown clamav: /var/log/clamav/ /var/lib/clamav /var/run/clamav/
sudo -u clamav freshclam
ls -1 /var/lib/clamav/

cat > /etc/systemd/system/clamav-freshclam.service << EOL [Unit] Description=ClamAV virus database updater Documentation=man:freshclam(1) man:freshclam.conf(5) https://www.clamav.net/documents # If user wants it run from cron, don't start the daemon. ConditionPathExists=!/etc/cron.d/clamav-freshclam Wants=network-online.target After=network-online.target [Service] User=clamav Group=clamav ExecStart=/usr/bin/freshclam -d --foreground=true StandardOutput=syslog [Install] WantedBy=multi-user.target EOL cat > /etc/systemd/system/clamav-daemon.service << EOL [Unit] Description=Clam AntiVirus userspace daemon Documentation=man:clamd(8) man:clamd.conf(5) https://www.clamav.net/documents/ # Check for database existence ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc} ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc} [Service] User=clamav Group=clamav ExecStart=/usr/sbin/clamd --foreground=true # Reload the database ExecReload=/bin/kill -USR2 $MAINPID StandardOutput=syslog TimeoutStartSec=420 [Install] WantedBy=multi-user.target EOL systemctl daemon-reload systemctl enable --now clamav-daemon systemctl enable --now clamav-freshclam clamscan [options] [file/directory/-] clamscan -h clamscan /home/ clamscan --no-summary /home/

Print infected files only (-i, --infected);
clamscan -i /

Sound a bell on virus detection (--bell);
clamscan --bell -i /home

Scan directories recursively (-r, --recursive).
clamscan --bell -i -r /home

Remove infected files (--remove[=yes/no(*)]). Be careful as this removes file completely.
clamscan -r --remove /home/USER

Move infected files into DIRECTORY (--move=DIRECTORY). Directory must be writable for the user or unprivileged user running clamscan.

clamscan -r -i --move=/home/USER/infected /home/

Copy infected files into DIRECTORY (–copy=DIRECTORY). Directory must be writable for the user or unprivileged user running clamscan.

clamscan -r -i --copy=/home/USER/infected /home/

nice -n 15 clamscan && clamscan -ir /
cpulimit -z -e clamscan -l 20 & clamscan -ir /

About Prime Data Centers: New Cloud Ready Debian Data Center - open facilities with futuristic vision. Ready to cut privacy and security demands of future cloud computing and other hosting challenges. Our Local Content Delivery Network (CDN) leads to the development of more effective non-intrusive applications. Customers will experience faster and better web performance, altogether it will make a powerful green solution. We've served several 500 companies with successful projects in the areas of Web Hosting, Data Center Services, Web designing, Online application development, Backup Services, E-commerce Solutions, and Mobile Application Development - Oct 8, 2015.

Leave a Reply