ClamAV

ClamAV: http://www.clamav.net/

Download:
 * http://www.clamav.net/downloads
 * http://www.clamav.net/lang/en/download
 * http://www.clamav.net/lang/en/download/sources/
 * http://downloads.sourceforge.net/clamav/clamav-0.97.tar.gz

Scanning
Simple scan: /opt/clamav/bin/clamscan [FOLDER]

Options:
-r           # recursive scan of subdirectories
-i           # show only infected files
-l [file]    # log output to file
--move=[dir] # move infected files to dir
--copy=[dir] # copy infected files to dir
--remove=yes # delete infected files

Scan subfolders, show infected only and log results: /opt/clamav/bin/clamscan -r -i -l scan.txt [FOLDER]

Scan stdin: cat testfile | clamscan -

Help: man /opt/clamav/share/man/man1/clamscan.1
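The wrapper below is an added example (not code from this page or from the ClamAV project) that puts the options above to use: it runs a recursive, infected-only scan logged with -l, tells clamscan's three exit statuses apart (0 clean, 1 infected, 2 error), and pulls the infected paths and the "Infected files" count out of the log. The sample log, its paths and its signature name are constructed for illustration; CLAMSCAN defaults to the /opt/clamav path used on this page.

```shell
#!/bin/sh
# Added example, not from the original page: clamscan wrapper plus log parser.
# Sample log contents, paths and signature name below are constructed.

CLAMSCAN=${CLAMSCAN:-/opt/clamav/bin/clamscan}

# clamscan(1) exit status: 0 = no virus found, 1 = virus(es) found,
# 2 = some error(s) occurred (unreadable file, missing database, ...).
clamscan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# One path per line for every "<path>: <signature> FOUND" line in a log.
infected_files_from_log() {
    sed -n 's/^\(.*\): .* FOUND$/\1/p' "$1"
}

# "Infected files: N" from the SCAN SUMMARY block (0 if the line is missing).
infected_count_from_log() {
    awk -F': ' '/^Infected files:/ { n = $2 } END { print n + 0 }' "$1"
}

# Recursive, infected-only scan of $1 logged to $2; returns clamscan's
# status so a caller can branch on clean/infected/error.
scan_dir() {
    dir=$1; log=${2:-scan.txt}
    "$CLAMSCAN" -r -i -l "$log" "$dir"
    rc=$?
    echo "scan of $dir: $(clamscan_status "$rc") ($(infected_count_from_log "$log") infected file(s))"
    return "$rc"
}

# Constructed sample of what clamscan -r -l writes (signature name illustrative).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
/srv/upload/eicar.com: Eicar-Test-Signature FOUND
/srv/upload/notes.txt: OK
/srv/upload/bin/sample.exe: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 852104
Engine version: 0.101.4
Scanned directories: 2
Scanned files: 3
Infected files: 2
EOF

echo "infected paths in the constructed sample log:"
infected_files_from_log "$SAMPLE_LOG"

# A real scan only when a directory is given and clamscan is installed.
if [ -n "${1:-}" ] && command -v "$CLAMSCAN" >/dev/null 2>&1; then
    scan_dir "$1"
fi
```

Usage: `./scan-wrap.sh /path/to/dir` scans for real; with no argument it only demonstrates the parser on the embedded sample. Branching on the exit status matters because a missing or unreadable database returns 2, not 1, and should not be reported as "clean" or "infected".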

Updating Definitions
Update virus definitions: (as any user in the clamav group) /opt/clamav/bin/freshclam

After the first run, fix the database permissions one time, so anyone in the clamav group can update:
sudo chown clamav:clamav /opt/clamav/share/clamav/*
sudo chmod 664 /opt/clamav/share/clamav/*

Database directory: /opt/clamav/share/clamav (where freshclam writes the .cvd/.cld signature files)

Installation
NOTE: ALL DOWNLOADS HAVE MIGRATED TO HTTPS://WWW.CLAMAV.NET

Look here for latest version:
 * http://sourceforge.net/projects/clamav/files/
 * Direct download links (set CLAM_VERSION first, e.g. CLAM_VERSION=0.99.3):
   http://sourceforge.net/projects/clamav/files/clamav-$CLAM_VERSION.tar.gz
   http://downloads.sourceforge.net/clamav/clamav-$CLAM_VERSION.tar.gz
 * Latest: http://sourceforge.net/projects/clamav/files/latest/download?source=files

Prerequisites:

# redhat/centos
sudo yum install gcc make openssl-devel
# (0.99 and later also need pcre-devel; see the PCRE note at the end of this page)

# debian/ubuntu
sudo apt install build-essential gcc make libssl1.0 libssl-dev libxml2 libxml2-dev

Create ClamAV User:

# create clamav user (no login shell; it only owns the database files)
sudo /usr/sbin/groupadd clamav
sudo /usr/sbin/useradd clamav -g clamav -d /opt/clamav -c "Clam AntiVirus" -s /sbin/nologin

# Add kenneth to clamav group
sudo usermod -a -G clamav kenneth

# LOGOUT - user kenneth must log out and back in for the new group to take effect

Install/Update ClamAV:

# AS USER: kenneth
sudo pwd # cache sudo creds...

# Download ClamAV (downloads are now served from https://www.clamav.net, see note above)
#CLAM_VERSION=0.100.0
CLAM_VERSION=0.101.4
mkdir -p ~/.src ; cd ~/.src
wget "https://www.clamav.net/downloads/production/clamav-$CLAM_VERSION.tar.gz"
tar -zvxf clamav-$CLAM_VERSION.tar.gz
cd clamav-$CLAM_VERSION

# Download ClamAV (older releases were fetched from SourceForge)
CLAM_VERSION=0.99.1
wget "http://downloads.sourceforge.net/clamav/clamav-$CLAM_VERSION.tar.gz"

# Alternative: download ClamAV latest
mkdir -p ~/.src ; cd ~/.src
wget "http://sourceforge.net/projects/clamav/files/latest/download?source=files" -O clamav_latest.tar.gz
tar -zvxf clamav_latest.tar.gz
cd clamav-*

# Backup previous config (do this before removing the old install)
mkdir etc-bak ; cp /opt/clamav/etc/* etc-bak/

# remove previous install
sudo rm -rf /opt/clamav

# Build and Install
# NOTE: this will take several minutes to compile (make)
./configure --prefix=/opt/clamav
make clean
make
sudo make install

# Copy default configs
sudo cp /opt/clamav/etc/clamd.conf.sample /opt/clamav/etc/clamd.conf
sudo cp /opt/clamav/etc/freshclam.conf.sample /opt/clamav/etc/freshclam.conf

# Check for config differences to build the new config (the only difference should be the commented-out '#Example' line)
diff etc-bak/clamd.conf /opt/clamav/etc/clamd.conf
diff etc-bak/freshclam.conf /opt/clamav/etc/freshclam.conf

# OPTIONAL: edit configs as needed ..OR.. skip to next step
# sudo vim /opt/clamav/etc/clamd.conf
# sudo vim /opt/clamav/etc/freshclam.conf

# Comment out the 'Example' line in the config files if the default config is sufficient
# (clamd and freshclam refuse to start while it is present)
sudo sed -i 's/^Example/#Example/g' /opt/clamav/etc/clamd.conf
sudo sed -i 's/^Example/#Example/g' /opt/clamav/etc/freshclam.conf

# create /etc/clamav config links
sudo mkdir -p /etc/clamav
sudo ln -sfn /opt/clamav/etc/clamd.conf /etc/clamav/clamd.conf
sudo ln -sfn /opt/clamav/etc/freshclam.conf /etc/clamav/freshclam.conf

# create database share folder (group-writable, setgid so new files stay group clamav)
sudo mkdir -p /opt/clamav/share/clamav
sudo chown clamav:clamav /opt/clamav/share/clamav
sudo chmod 775 /opt/clamav/share/clamav
sudo chmod g+s /opt/clamav/share/clamav

# Update Virus definitions
/opt/clamav/bin/freshclam

# Fix Permissions for clamav group after update
sudo chown clamav:clamav /opt/clamav/share/clamav/*
sudo chmod 664 /opt/clamav/share/clamav/*

# Create bin link
sudo ln -sfn /opt/clamav/bin/clamscan /usr/local/bin/clamscan
sudo ln -sfn /opt/clamav/bin/freshclam /usr/local/bin/freshclam

# Test (EICAR test string; the quoted heredoc keeps the shell from expanding the $ signs)
cat > samplevirus.txt <<"EOF"
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
EOF
clamscan samplevirus.txt
# /opt/clamav/bin/clamscan samplevirus.txt
rm samplevirus.txt

# More Tests (the source tree ships test samples under test/)
cd test
clamscan .
cd ..
# rm -rf test
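The script below is an added example, not part of the page's procedure: the same download and build steps, but the tarball is only built if its SHA-256 matches a value you recorded out of band (EXPECTED_SHA256, an assumption: the page gives no hash) and, when gpg is installed and a detached .sig sits next to the tarball, the signature also verifies (the .sig location is an assumption; the ClamAV release signing key must already be in your keyring). The hash helpers are the part that runs offline.

```shell
#!/bin/sh
# Added example, not the page's own procedure: fetch, verify, then build.
# Assumptions: EXPECTED_SHA256 is supplied by you; a detached .sig exists next
# to the tarball on clamav.net (only checked when gpg is present).
set -u

CLAM_VERSION=${CLAM_VERSION:-0.101.4}
BASE_URL=${BASE_URL:-https://www.clamav.net/downloads/production}
PREFIX=${PREFIX:-/opt/clamav}

# Portable SHA-256: coreutils sha256sum or BSD/macOS shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Exit 0 if file $1 hashes to $2 (hex, case-insensitive), 1 otherwise.
verify_sha256() {
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    got=$(file_sha256 "$1")
    [ "$got" = "$want" ]
}

# Download tarball (and signature), check hash, GPG-verify if possible, then
# build with the same configure flags the page uses.
fetch_verify_build() {
    tarball=clamav-$CLAM_VERSION.tar.gz
    mkdir -p ~/.src && cd ~/.src || return 2
    wget -q "$BASE_URL/$tarball" || return 2
    wget -q "$BASE_URL/$tarball.sig" || echo "no detached signature fetched" >&2

    if ! verify_sha256 "$tarball" "${EXPECTED_SHA256:?set EXPECTED_SHA256 from a trusted source}"; then
        echo "checksum mismatch for $tarball, refusing to build" >&2
        return 1
    fi
    if command -v gpg >/dev/null 2>&1 && [ -f "$tarball.sig" ]; then
        gpg --verify "$tarball.sig" "$tarball" || return 1
    fi
    tar -zxf "$tarball" && cd "clamav-$CLAM_VERSION" || return 2
    ./configure --prefix="$PREFIX" && make && sudo make install
}

# Network and compiler are only touched when explicitly asked for.
if [ "${1:-}" = build ]; then
    fetch_verify_build
fi
```

Usage: `EXPECTED_SHA256=<hash> ./build-clamav.sh build`. A hash mismatch or a bad signature stops before `./configure`, so a tampered or truncated download never reaches `sudo make install`.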

Setup daily update (in the crontab of a user in the clamav group, since the database directory is group-writable):

# cronjob
crontab -e
0 2 * * *      /usr/local/bin/freshclam

Configuration
Allow kenneth to edit: sudo chown kenneth /opt/clamav/etc/*

Configure clamd: vim /opt/clamav/etc/clamd.conf

Configure freshclam: vim /opt/clamav/etc/freshclam.conf

Modify both and comment out the Example line so the file reads:
# Comment or remove the line below.
#Example

The configured default values can all be viewed (and checked for errors) with: /opt/clamav/bin/clamconf

Testing
Test with: /opt/clamav/bin/clamscan -r -l scan.txt clamav-$VERSION

Example output (the infected files are the test samples shipped in the source tree's test/ directory):
--- SCAN SUMMARY ---
Known viruses: 852104
Engine version: 0.96.5
Scanned directories: 238
Scanned files: 4522
Infected files: 46
Data scanned: 186.71 MB
Data read: 201.43 MB (ratio 0.93:1)
Time: 22.671 sec (0 m 22 s)

Configure the ClamAV daemon, clamd, for testing. Comment out the "Example" line in clamd.conf and save: vi /opt/clamav/etc/clamd.conf

# Comment or remove the line below.
#Example

Now try with clamdscan, which should give output similar to the clamscan command above (clamd must already be running, see the Clam AntiVirus Daemon section): /opt/clamav/bin/clamdscan -l scan.txt clamav-$VERSION

If clamd.conf has neither LocalSocket nor TCPSocket set, clamdscan stops with: ERROR: Clamd is not configured properly.

Update with: bin/freshclam
# comment out the "Example" line in etc/freshclam.conf first

Scan folder:
bin/clamscan [folder]
bin/clamscan -r [folder] # recursive

Test signature: eicar | THE ANTI-VIRUS OR ANTI-MALWARE TEST FILE - http://www.eicar.org/anti_virus_test_file.htm
cat > samplevirus.txt <<"EOF"
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
EOF

Source: http://www.linux.org/docs/ldp/howto/Qmail-ClamAV-HOWTO/x120.html

Clam AntiVirus Daemon
Start daemon: /opt/clamav/sbin/clamd

Initial error: ERROR: Please define server type (local and/or TCP).

Configure: /opt/clamav/etc/clamd.conf

# TCP port address.
# Default: no
TCPSocket 3310

With only TCPSocket set, clamd listens on every interface (the sample config itself notes it binds to INADDR_ANY by default); add TCPAddr 127.0.0.1, or use LocalSocket with a socket path instead, unless remote hosts really must reach it.

Now start clamd. /opt/clamav/sbin/clamd

To use clamdscan with clamd: /opt/clamav/bin/clamdscan

Documentation: man /opt/clamav/share/man/man1/clamdscan.1 man /opt/clamav/share/man/man8/clamd.8
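Added example, not from this page or from ClamAV: the wire protocol clamdscan speaks, sent straight to the TCPSocket configured above, which is handy for checking a remote clamd from a host without ClamAV installed. The PING/VERSION/INSTREAM commands and the 'z' (NUL-terminated) framing are those documented in clamd(8); the host, port and the nc -q flag (OpenBSD netcat) are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original page or ClamAV): clamd's own protocol
# over TCP. Host, port and "nc -q" are assumptions.
CLAMD_HOST=${CLAMD_HOST:-127.0.0.1}
CLAMD_PORT=${CLAMD_PORT:-3310}

# Write one raw byte (0-255) to stdout; /dev/zero is used for NUL because
# not every printf emits \000 from a format string.
byte() {
    if [ "$1" -eq 0 ]; then head -c 1 /dev/zero
    else printf "\\$(printf '%03o' "$1")"; fi
}

# 32-bit big-endian length prefix, as INSTREAM chunks require.
be32() {
    n=$1
    byte $(( (n >> 24) & 255 )); byte $(( (n >> 16) & 255 ))
    byte $(( (n >> 8) & 255 ));  byte $(( n & 255 ))
}

# Wrap stdin into one INSTREAM request: "zINSTREAM\0", then <len><data>
# chunks, then a zero-length chunk as terminator. One chunk is fine for
# anything below clamd's StreamMaxLength.
instream_frame() {
    tmp=$(mktemp)
    cat > "$tmp"
    size=$(wc -c < "$tmp" | tr -d ' ')
    printf 'zINSTREAM'; byte 0
    be32 "$size"
    cat "$tmp"
    be32 0
    rm -f "$tmp"
}

# One 'z'-framed command, e.g. PING (reply: PONG) or VERSION.
clamd_cmd() {
    { printf 'z%s' "$1"; byte 0; } | nc -q 1 "$CLAMD_HOST" "$CLAMD_PORT"
}

# Stream a local file to clamd; reply is "stream: OK" or
# "stream: <signature> FOUND".
clamd_scan_stream() {
    instream_frame < "$1" | nc -q 1 "$CLAMD_HOST" "$CLAMD_PORT"
}

# Only touch the network when a file is named on the command line.
if [ -n "${1:-}" ]; then
    clamd_cmd PING
    clamd_scan_stream "$1"
fi
```

Usage: `./clamd-stream.sh samplevirus.txt` should print `PONG` and then `stream: ... FOUND` for the EICAR file. Because INSTREAM sends file contents, anyone who can reach the TCP port can both submit data and learn which signatures fire, which is one more reason to bind TCPAddr to loopback or use LocalSocket.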

Virus database
Your virus definitions may be out of date:
$ /opt/clamav/bin/clamscan -r -l scan.txt myfolder
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: ***  Please update it as soon as possible. ***
LibClamAV Warning: **************************************************

Initially, running freshclam gives the following error:
ERROR: Please edit the example config file /opt/clamav/etc/freshclam.conf
ERROR: Can't open/parse the config file /opt/clamav/etc/freshclam.conf

Edit freshclam.conf and comment out the "Example" line:
sudo chown -R kenneth:kenneth /opt/clamav/etc
vi /opt/clamav/etc/freshclam.conf

Modify both files so the Example line is commented out:
# Comment or remove the line below.
#Example

NOTES:

# create the update log, writable only by the clamav user that freshclam runs as
touch /var/log/clam-update.log
chmod 600 /var/log/clam-update.log
chown clamav /var/log/clam-update.log

freshclam -d -c 6 -l /var/log/clam-update.log

This runs freshclam as a daemon that checks for a new virus definition database six (6) times a day. Check the /var/log/clam-update.log file for results.

Add "freshclam -d -c 6 -l /var/log/clam-update.log" to your startup scripts. Use either this daemon or the daily cronjob above, not both.

ClamAV engine is outdated

 * UpgradeInstructions - http://wiki.clamav.net/Main/UpgradeInstructions

If you installed from sources
 * Uninstall the old version
 * Compile and install the new one

Submit
Clam AntiVirus - Submit a file - http://www.clamav.net/lang/en/sendvirus/
 * Send a malware sample - http://www.clamav.net/sendvirus/submit-malware/

"If you want to be notified of changes in the virus database, please join the clamav-virusdb at lists.clamav.net mailing-list"
 * Clam AntiVirus - Mailing Lists - http://www.clamav.net/support/ml

Scripts
Written by Kenneth Burgener November 2015

/usr/local/bin/check-infected (note that truncating destroys the sample; use clamscan --move=[dir] instead if you want to keep it for analysis):

#!/bin/bash
# Check a file with clamscan; with -f, truncate an infected file and
# rename it with a .infected extension.

if [ "$1" == "" ] ; then
    echo "Purpose: Check if infected, then if '-f' truncate and rename"
    echo "         infected file with .infected extension"
    echo "Usage: $0 [-f] file"
    exit 1
fi

if [ "$1" == "-f" ] ; then
    FIX=true
    FNAME=$2
    if [ "$3" != "" ] ; then
        echo "Too many files specified"
        exit 1
    fi
else
    FIX=false
    FNAME=$1
    if [ "$2" != "" ] ; then
        echo "Too many files specified"
        exit 1
    fi
fi

echo "== Checking $FNAME =="

if [ ! -e "$FNAME" ] ; then
    echo "File does not exist!"
    exit 1
fi

# clamscan exit status: 0 = clean, 1 = infected, 2 = scan error
clamscan --quiet "$FNAME"
RC=$?
if [ $RC -eq 0 ] ; then
    echo "File is not infected."
    exit 0
elif [ $RC -ne 1 ] ; then
    echo "Scan error (clamscan exit $RC); leaving the file untouched."
    exit $RC
fi

echo "File is infected."
if [ "$FIX" = "true" ] ; then
    echo "Marking as infected..."
    > "$FNAME"
    mv "$FNAME" "$FNAME.infected"
fi
exit 1

/usr/local/bin/infected:

#!/bin/bash
# Truncate an infected file and rename it with a .infected extension.

if [ "$1" == "" ] ; then
    echo "Truncate and rename infected file with .infected extension"
    echo "Usage: $0 infected_file"
    exit 1
fi

if [ ! -e "$1" ] ; then
    echo "File $1 does not exist!"
    exit 1
fi

echo "Marking $1 as infected..."

> "$1"
mv "$1" "$1.infected"

cli_loadldb: logical signature uses PCREs but support is disabled
LibClamAV Warning: cli_loadldb: logical signature for Win.Trojan.ssid18332 uses PCREs but support is disabled, skipping

ClamAV 0.99 and later use PCRE in logical signatures; when ClamAV was built without the PCRE headers, those signatures are skipped at load time, so the scanner silently misses whatever they detect. Install the development package and reconfigure/recompile ClamAV: yum install pcre-devel (Debian/Ubuntu: libpcre3-dev).