ClamAV

From Omnia
(Redirected from Linux/virus)
Jump to navigation Jump to search

ClamAV

ClamAV:

http://www.clamav.net/

Download:

http://www.clamav.net/downloads
http://www.clamav.net/lang/en/download
http://www.clamav.net/lang/en/download/sources/
http://downloads.sourceforge.net/clamav/clamav-0.97.tar.gz

Scanning

Simple scan:

/opt/clamav/bin/clamscan [FOLDER]

Options:

-r            # recursive search
-i            # Show only infected
-l [file]     # log output to file
--move=[dir]  # move infected
--copy=[dir]  # copy infected
--remove=yes  # remove infected

Scan subfolders, show infected only and log results:

 /opt/clamav/bin/clamscan -r -i -l scan.txt [FOLDER]

scan stdin:

cat testfile | clamscan -

Help:

man /opt/clamav/share/man/man1/clamscan.1

Updating Definitions

Update virus definitions: (as any user in the clamav group)

/opt/clamav/bin/freshclam

After the first run, fix the database permissions one time, so anyone in the clamav group can update:

sudo chown clamav:clamav /opt/clamav/share/clamav/*
sudo chmod 664 /opt/clamav/share/clamav/*

Databases are stored here:

Database directory: /opt/clamav/share/clamav

Installation

NOTE: ALL DOWNLOADS HAVE MIGRATED TO HTTPS://WWW.CLAMAV.NET

Look here for latest version:

Prerequisites:

# redhat/centos
sudo yum install gcc make openssl-devel
# debian/ubuntu
sudo apt install build-essential gcc make libssl1.0 libssl-dev libxml2 libxml2-dev

Create ClamAV User:

# create clamav user
sudo /usr/sbin/groupadd clamav
sudo /usr/sbin/useradd clamav -g clamav -d /opt/clamav -c "Clam AntiVirus" -s /sbin/nologin
# Add kenneth to clamav group
sudo usermod -a -G clamav kenneth
# LOGOUT - will need user kenneth to logout and login to take effect

Install/Update ClamAV: [1]

# AS USER: kenneth
sudo pwd  # cache sudo creds...
# Download ClamAV
CLAM_VERSION=0.101.4
mkdir -p ~/.src ; cd ~/.src
wget "http://www.clamav.net/downloads/production/clamav-$CLAM_VERSION.tar.gz"
tar -zvxf clamav-$CLAM_VERSION.tar.gz
cd clamav-$CLAM_VERSION

#CLAM_VERSION=0.100.0
# Download ClamAV
CLAM_VERSION=0.99.1
wget "http://downloads.sourceforge.net/clamav/clamav-$CLAM_VERSION.tar.gz"
# Alternative Download ClamAV Latest
mkdir -p ~/.src ; cd ~/.src
wget "http://sourceforge.net/projects/clamav/files/latest/download?source=files" -O clamav_latest.tar.gz
tar -zvxf clamav_latest.tar.gz
cd clamav-*

# Backup previous config
mkdir etc-bak ; cp /opt/clamav/etc/* etc-bak/
# remove previous install
sudo rm -rf /opt/clamav
# Build and Install
# NOTE: this will take several minutes to compile (make)
./configure --prefix=/opt/clamav
make clean
make
sudo make install
# Copy default configs
sudo cp /opt/clamav/etc/clamd.conf.sample /opt/clamav/etc/clamd.conf
sudo cp /opt/clamav/etc/freshclam.conf.sample /opt/clamav/etc/freshclam.conf
# Check for config differences to build new config (should only be comment out of '#Example')
diff etc-bak/clamd.conf /opt/clamav/etc/clamd.conf
diff etc-bak/freshclam.conf /opt/clamav/etc/freshclam.conf
# OPTIONAL: edit configs as needed ..OR.. skip to next step
#sudo vim /opt/clamav/etc/clamd.conf
#sudo vim /opt/clamav/etc/freshclam.conf
# Remove 'Example' statement from config files if the default config is sufficient
sudo sed -i 's/^Example/#Example/g' /opt/clamav/etc/clamd.conf
sudo sed -i 's/^Example/#Example/g' /opt/clamav/etc/freshclam.conf
# create /etc/clamav config links
sudo mkdir -p /etc/clamav
sudo ln -sfn /opt/clamav/etc/clamd.conf /etc/clamav/clamd.conf
sudo ln -sfn /opt/clamav/etc/freshclam.conf /etc/clamav/freshclam.conf
# create database share folder
sudo mkdir -p /opt/clamav/share/clamav
sudo chown clamav:clamav /opt/clamav/share/clamav
sudo chmod 775 /opt/clamav/share/clamav
sudo chmod g+s /opt/clamav/share/clamav
# Update Virus definitions
/opt/clamav/bin/freshclam
# Fix Permissions for clamav group after update
sudo chown clamav:clamav /opt/clamav/share/clamav/*
sudo chmod 664 /opt/clamav/share/clamav/*
# Create bin link
sudo ln -sfn /opt/clamav/bin/clamscan /usr/local/bin/clamscan
sudo ln -sfn /opt/clamav/bin/freshclam /usr/local/bin/freshclam
# EICAR Test
cat > samplevirus.txt <<"EOF"
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
EOF
#/opt/clamav/bin/clamscan samplevirus.txt
clamscan samplevirus.txt
rm samplevirus.txt
# More Tests
cd test
clamscan .
cd ..
# rm -rf test

Setup daily update:

# cronjob
crontab -e
    0 2 * * *       /usr/local/bin/freshclam

Configuration

Allow kenneth to edit:

sudo chown kenneth /opt/clamav/etc/*

Configure clamd:

vim /opt/clamav/etc/clamd.conf

Configure freshclam:

vim /opt/clamav/etc/freshclam.conf

Modify both and comment out the Example line:

# Comment or remove the line below.
#Example

The configured defaults values can be all viewed with: (and look for errors)

/opt/clamav/bin/clamconf

Testing

Test with:

/opt/clamav/bin/clamscan -r -l scan.txt clamav-$VERSION

Example output:

----------- SCAN SUMMARY -----------
Known viruses: 852104
Engine version: 0.96.5
Scanned directories: 238
Scanned files: 4522
Infected files: 46
Data scanned: 186.71 MB
Data read: 201.43 MB (ratio 0.93:1)
Time: 22.671 sec (0 m 22 s)

Configure the ClamAV daemon, clamd, for testing. Comment out "Example" line in clamav.conf and save:

vi /opt/clamav/etc/clamd.conf
# Comment or remove the line below.
Example

Now try with clamd, which should provide output that is similar to the clamscan command you entered above.

/opt/clamav/bin/clamdscan -l scan.txt clamav-$VERSION
ERROR: Clamd is not configured properly.

Update with:

# uncomment the "Example" line in the etc/freshclam.conf
bin/freshclam

Scan folder:

bin/clamscan [folder]
bin/clamscan -r [folder]  # recursive

Test signature: eicar | THE ANTI-VIRUS OR ANTI-MALWARE TEST FILE - http://www.eicar.org/anti_virus_test_file.htm

cat > samplevirus.txt <<"EOF"
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
EOF

Source: http://www.linux.org/docs/ldp/howto/Qmail-ClamAV-HOWTO/x120.html


Clam AntiVirus Daemon

Start daemon:

/opt/clamav/sbin/clamd

Initial error:

ERROR: Please define server type (local and/or TCP).

Configure:

/opt/clamav/etc/clamd.conf
# TCP port address.
# Default: no
TCPSocket 3310

Now start clamd.

/opt/clamav/sbin/clamd

To use clamdscan with clamd:

/opt/clamav/bin/clamdscan

Documentation:

man /opt/clamav/share/man/man1/clamdscan.1
man /opt/clamav/share/man/man8/clamd.8

Updates

Virus database

Your virus definition may be out of date:

$ /opt/clamav/bin/clamscan -r -l scan.txt myfolder
LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************

Initially when running freshclam will get the following error:

ERROR: Please edit the example config file /opt/clamav/etc/freshclam.conf
ERROR: Can't open/parse the config file /opt/clamav/etc/freshclam.conf

Edit the freshclam.conf and comment out the "Example" line:

sudo chown -R kenneth:kenneth /opt/clamav/etc
vi /opt/clamav/etc/freshclam.conf

Modify both and comment out the Example line:

# Comment or remove the line below.
#Example


NOTES:

  1. touch /var/log/clam-update.log
  2. chmod 600 /var/log/clamupdate.log
  3. chown clamav /var/log/clamupdate.log

freshclam -d -c 6 -l /var/log/clam-update.log

This checks for a new virus definition database six (6) times a day. Check the /var/log/clam-update.log file

add the freshclam -d -c 6 -l /var/log/clam-update.log to your startup scripts.

ClamAV engine is outdated

If you installed from sources

  • Uninstall the old version
  • Compile and install the new one

Submit

Clam AntiVirus - Submit a file - http://www.clamav.net/lang/en/sendvirus/

"If you want to be notified of changes in the virus database, please join the clamav-virusdb at lists.clamav.net mailing-list"

Scripts

Written by Kenneth Burgener November 2015

/usr/local/bin/check-infected:

#!/bin/bash

if [ "$1" == "" ] ; then
    echo "Purpose: Check if infected, then if '-f' truncate and rename"
    echo "         infected file with .infected extension"
    echo "Usage: $0 [-f] <possible_infected_file>"
    exit 1
fi

if [ "$1" == "-f" ] ; then
    FIX=true
    FNAME=$2
    if [ "$3" != "" ] ; then
        echo "Too many files specified"
        exit 1
    fi
else
    FIX=false
    FNAME=$1
    if [ "$2" != "" ] ; then
        echo "Too many files specified"
        exit 1
    fi
fi

echo "== Checking $FNAME =="

if [ ! -e "$FNAME" ] ; then
    echo "File does not exist!"
    exit 1
fi

clamscan --quiet "$FNAME"
if [ $? -eq 0 ] ; then
    echo "File is not infected."
    exit 0
fi

if [ "FNAME" = "true" ] ; then
  echo "Marking as infected..."
  > "$FNAME"
  mv "$FNAME" "$FNAME.infected"
fi

/usr/local/bin/infected:

#!/bin/bash

if [ "$1" == "" ] ; then
    echo "Truncate and rename infected file with .infected extension"
    echo "Usage: $0 infected_file"
    exit 1
fi

if [ ! -e "$1" ] ; then
    echo "File $1 does not exist!"
    exit 1
fi

echo "Marking $1 as infected..."

> "$1"
mv "$1" "$1.infected"

References

Issues

cli_loadldb: logical signature uses PCREs but support is disabled

LibClamAV Warning: cli_loadldb: logical signature for Win.Trojan.ssid18332 uses PCREs but support is disabled, skipping

The new .99 uses PCRE. Install with the following and reconfigure/compile ClamAV:

yum install pcre-devel

keywords