Difference between revisions of "ClamAV"

From ArchWiki
Jump to: navigation, search
(add single quote and folder)
m (OnAccessScan: in order to work from a background root script, notify-send needs DISPLAY and DBUS_SESSION_BUS_ADDRESS variables set and must be ran as the user for whom to display the message)
 
(53 intermediate revisions by 33 users not shown)
Line 1: Line 1:
 
[[Category:Security]]
 
[[Category:Security]]
 
[[es:ClamAV]]
 
[[es:ClamAV]]
 +
[[fr:CLAMAV]]
 
[[it:ClamAV]]
 
[[it:ClamAV]]
 +
[[ja:ClamAV]]
 +
[[ko:ClamAV]]
 
[[ru:ClamAV]]
 
[[ru:ClamAV]]
 
[[sr:ClamAV]]
 
[[sr:ClamAV]]
[[zh-CN:ClamAV]]
+
[[zh-hans:ClamAV]]
[http://www.clamav.net Clam AntiVirus] is an open source (GPL) anti-virus toolkit for UNIX.  It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. Because ClamAV's main use is on file/mail servers for Windows desktops it primarily detects Windows viruses and malware.
+
[http://www.clamav.net Clam AntiVirus] is an open source (GPL) anti-virus toolkit for UNIX.  It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. Because ClamAV's main use is on file/mail servers for Windows desktops, it primarily detects Windows viruses and malware with its built-in signatures.
  
 
== Installation ==
 
== Installation ==
ClamAV can be [[pacman|installed]] with package {{Pkg|clamav}}, available in the [[Official Repositories]].
 
  
== Configuration ==
+
[[Install]] the {{Pkg|clamav}} package.
Whether you are going to use clamav as a daemon or use it as a simple file checker you need to comment out the line that contains the word ''Example'', usually it is found at the beginning of {{ic|/etc/clamav/freshclam.conf}} and {{ic|/etc/clamav/clamd.conf}} files.
 
 
 
== Starting the daemon ==
 
The service is called {{ic|clamd.service}}. Read [[Daemons]] for more information about starting it and enabling it to start at boot.
 
 
 
Also change the start options from "no" to "yes":
 
 
 
{{hc|/etc/conf.d/clamav|<nowiki>
 
# change these to "yes" to start
 
START_FRESHCLAM="yes"
 
START_CLAMD="yes"
 
</nowiki>}}
 
  
 
== Updating database ==
 
== Updating database ==
Edit the below file and comment out the line saying "Example"
 
{{hc|/etc/clamav/freshclam.conf|
 
# Comment or remove the line below.
 
# Example
 
}}
 
 
 
Update the virus definitions with:
 
Update the virus definitions with:
 
  # freshclam
 
  # freshclam
Line 37: Line 21:
 
  /var/lib/clamav/daily.cvd
 
  /var/lib/clamav/daily.cvd
 
  /var/lib/clamav/main.cvd
 
  /var/lib/clamav/main.cvd
 +
/var/lib/clamav/bytecode.cvd
 +
 +
The virus definition updater service is called {{ic|freshclamd.service}}. Consider starting it and enabling it to start at boot so that the virus definitions are kept recent.
 +
 +
== Starting the daemon ==
 +
 +
Consider updating the database before starting the service for the first time or you will run into troubles/errors which will prevent ClamAV to start correctly.
 +
 +
The service is called {{ic|clamd.service}}. [[Start]] it or [[enable]] it to start at boot. You will need to run {{ic|freshclam}} prior to starting the service.
 +
 +
== Testing the software ==
 +
 +
In order to make sure ClamAV and the definitions are installed correctly, scan the [http://www.eicar.org/86-0-Intended-use.html EICAR test file] (a harmless signature with no virus code) with clamscan.
 +
 +
$ curl http://www.eicar.org/download/eicar.com.txt | clamscan -
 +
 +
The output '''must''' include:
 +
 +
stdin: Eicar-Test-Signature FOUND
 +
 +
Otherwise; read the Troubleshooting part or ask for help in the [https://bbs.archlinux.org/ Arch Forums].
 +
 +
== Adding more databases/signatures repositories ==
 +
 +
ClamAV can use databases/signature from other repositories or security vendors.
 +
 +
To add the most important ones in a single step, install {{AUR|clamav-unofficial-sigs}} and configure it in {{ic|/etc/clamav-unofficial-sigs/user.conf}}.
 +
 +
This will add signatures/databases from e.g. MalwarePatrol, SecuriteInfo, Yara, Linux Malware Detect, etc. For the full list of databases, [https://github.com/extremeshok/clamav-unofficial-sigs#description see the description of the GitHub repository].
 +
 +
=== Set up clamav-unofficial-sigs ===
 +
 +
First, edit the configuration in {{ic|/etc/clamav-unofficial-sigs/user.conf}}, and change the following line:
 +
 +
# Uncomment the following line to enable the script
 +
user_configuration_complete="yes"
 +
 +
To enable the unofficial signature service (which includes manpages, log rotation, and a cron job), run the following:
 +
 +
# clamav-unofficial-sigs.sh --install-all
 +
 +
Note that you still must have the {{ic|clamd}} service running in order to have signature updates from ClamAV themselves.
 +
 +
This will refresh the signatures from the databases used in the clamav-unofficial-sigs script and extra ones as configured in each configuration file in the {{ic|/etc/clamav-unofficial-sigs}} folder. To refresh signatures from these databases manually, run the following:
 +
 +
# clamav-unofficial-sigs.sh
 +
 +
To stop the cron job from running, delete this file: {{ic|/etc/cron.d/clamav-unofficial-sigs}}.
 +
 +
==== MalwarePatrol database ====
 +
 +
If you would like to use the MalwarePatrol database, sign up for an account at https://www.malwarepatrol.net/.
 +
 +
In {{ic|/etc/clamav-unofficial-sigs/user.conf}}, change the following to enable this functionality:
 +
 +
malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER" # enter your receipt number here
 +
malwarepatrol_product_code="8" # Use 8 if you have a Free account or 15 if you are a Premium customer.
 +
malwarepatrol_list="clamav_basic" # clamav_basic or clamav_ext
 +
malwarepatrol_free="yes" # Set to yes if you have a Free account or no if you are a Premium customer.
 +
 +
Source: https://www.malwarepatrol.net/clamav-configuration-guide/
 +
 +
== Scan for viruses ==
  
== Scan for Viruses ==
 
 
{{ic|clamscan}} can be used to scan certain files, home directory, or an entire system:
 
{{ic|clamscan}} can be used to scan certain files, home directory, or an entire system:
  
 
  $ clamscan myfile
 
  $ clamscan myfile
  $ clamscan -r -i /home
+
  $ clamscan --recursive --infected /home # or -r -i
  $ clamscan -r -i --exclude-dir='^/sys|^/proc|^/dev|^/lib|^/bin|^/sbin' /
+
  $ clamscan --recursive --infected --exclude-dir='^/sys|^/dev' /
 +
 
 +
If you would like {{ic|clamscan}} to remove the infected file add to the command the {{ic|--remove}} option, or you can use {{ic|1=--move=/dir}} to quarantine them.
 +
 
 +
You may also want {{ic|clamscan}} to scan larger files. In this case, append the options {{ic|1=--max-filesize=4000M}} and {{ic|1=--max-scansize=4000M}} to the command. '4000M' is the largest possible value, and may be lowered as necessary.
 +
 
 +
Using the {{ic|1=-l /path/to/file}} option will print the {{ic|clamscan}} logs to a text  file for locating reported infections.
 +
 
 +
== Using the milter ==
 +
 
 +
Copy {{ic|/etc/clamav/clamav-milter.conf.sample}} to {{ic|/etc/clamav/clamav-milter.conf}} and adjust it to your needs. For example:
 +
 +
{{hc|/etc/clamav/clamav-milter.conf|2=<nowiki>
 +
MilterSocket /run/clamav/clamav-milter.sock
 +
MilterSocketMode 660
 +
FixStaleSocket yes
 +
User clamav
 +
PidFile /run/clamav/clamav-milter.pid
 +
TemporaryDirectory /tmp
 +
ClamdSocket unix:/var/lib/clamav/clamd.sock
 +
LogSyslog yes
 +
LogInfected Basic
 +
</nowiki>}}
 +
 
 +
Create {{ic|/etc/systemd/system/clamav-milter.service}}:
 +
 
 +
{{hc|/etc/systemd/system/clamav-milter.service|2=<nowiki>
 +
[Unit]
 +
Description='ClamAV Milter'
 +
After=clamd.service
 +
 
 +
[Service]
 +
Type=forking
 +
ExecStart=/usr/bin/clamav-milter --config-file /etc/clamav/clamav-milter.conf
 +
 
 +
[Install]
 +
WantedBy=multi-user.target
 +
</nowiki>}}
 +
 
 +
Enable and start the service.
 +
 
 +
== OnAccessScan ==
 +
On-access scanning requires the kernel to be compiled with the ''fanotify'' kernel module (kernel >= 3.8). Check if ''fanotify'' has been enabled before enabling on-access scanning.
 +
$ cat /proc/config.gz | gunzip | grep FANOTIFY=y
 +
 
 +
On-access scanning will scan the file while reading, writing or executing it.
 +
 
 +
First, edit the {{ic|/etc/clamav/clamd.conf}} configuration file by adding the following to the end of the file (you can also change the individual options):
 +
 
 +
{{hc|/etc/clamav/clamd.conf|
 +
# Enables on-access scan, requires clamd service running
 +
ScanOnAccess true
 +
 
 +
# Set the mount point where to recursively perform the scan,
 +
# this could be every path or multiple path (one line for path)
 +
OnAccessMountPath /usr
 +
OnAccessMountPath /home/
 +
OnAccessExcludePath /var/log/
 +
 
 +
# Flag fanotify to block any events on monitored files to perform the scan
 +
OnAccessPrevention false
 +
 
 +
# Perform scans on newly created, moved, or renamed files
 +
OnAccessExtraScanning true
 +
 
 +
# Check the UID from the event of fanotify
 +
OnAccessExcludeUID 0
 +
 
 +
# Specify an action to perform when clamav detects a malicious file
 +
# it is possible to specify an inline command too
 +
VirusEvent /etc/clamav/detected.zsh
 +
 
 +
# WARNING: clamd should run as root
 +
User root
 +
}}
 +
 
 +
Next, create the file {{ic|/etc/clamav/detected.zsh}} and add the following (replace X_user with the username and X_userId with the userid for whom to display the desktop notification). This allows you to change/specify the debug message when a virus has been detected by clamd's on-access scanning service:
 +
 
 +
{{hc|/etc/clamav/detected.zsh|2=<nowiki>
 +
#!/usr/bin/env zsh
 +
alert="Signature detected: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME"
 +
 
 +
echo "$(date) - $CLAM_VIRUSEVENT_VIRUSNAME > $CLAM_VIRUSEVENT_FILENAME" >> /var/log/clamav/infected.log
  
If you would like {{ic|clamscan}} to remove the infected file use the {{ic|--remove}} option in the command.
+
if [[ -z $(command -v notify-send) ]]; then
 +
  echo "$alert" {{!}} wall -n
 +
else
 +
  sudo -u X_user DISPLAY=:0 DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/X_userId/bus /usr/bin/notify-send -i dialog-warning "$alert"
 +
fi
 +
</nowiki>}}
  
Using the {{ic|-l <path to file>}} option will print the {{ic|clamscan}} logs to a text  file for locating reported infections.
+
If you are using [[AppArmor]], it is also necessary to allow clamd to run as root:
 +
 
 +
# aa-complain clamd
 +
 
 +
Restart/start the service with {{ic|systemctl restart clamd.service}}.
 +
 
 +
Source: http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html
  
 
== Troubleshooting ==
 
== Troubleshooting ==
 +
 
=== Error: Clamd was NOT notified ===
 
=== Error: Clamd was NOT notified ===
 +
 
If you get the following messages after running freshclam:
 
If you get the following messages after running freshclam:
 
{{bc|
 
{{bc|
Line 57: Line 198:
 
}}
 
}}
  
Add a sock file for clamav:
+
Add a sock file for ClamAV:
 
{{bc|
 
{{bc|
 
# touch /var/lib/clamav/clamd.sock
 
# touch /var/lib/clamav/clamd.sock
 
# chown clamav:clamav /var/lib/clamav/clamd.sock
 
# chown clamav:clamav /var/lib/clamav/clamd.sock
 
}}
 
}}
Then, edit {{Ic|/etc/clamav/clamd.conf}} &ndash; uncomment this line:
+
Then, edit {{Ic|/etc/clamav/clamd.conf}} - uncomment this line:
{{bc|LocalSocket /var/lib/clamav/clamd.sock}}
+
LocalSocket /var/lib/clamav/clamd.sock
Save the file and [[Daemons|restart the daemon]]
+
Save the file and [[Daemons|restart the daemon]] with {{ic|systemctl restart clamd.service}}.
  
 
=== Error: No supported database files found ===
 
=== Error: No supported database files found ===
 +
 
If you get the next error when starting the daemon:
 
If you get the next error when starting the daemon:
 
{{bc|
 
{{bc|
Line 73: Line 215:
 
}}
 
}}
 
   
 
   
Run freshclam as root:
+
This happens because of mismatch between {{ic|/etc/freshclam.conf}} setting {{ic|DatabaseDirectory}} and {{ic|/etc/clamd.conf}} setting {{ic|DatabaseDirectory}}.
{{bc|# freshclam -v}}
+
{{ic|/etc/freshclam.conf}} pointing to {{ic|/var/lib/clamav}}, but {{ic|/etc/clamd.conf}} (default directory) pointing to {{ic|/usr/share/clamav}}, or other directory. Edit in {{ic|/etc/clamd.conf}} and replace with the same DatabaseDirectory like in {{ic|/etc/freshclam.conf}}. After that clamav will start up succesfully.
  
 
=== Error: Can't create temporary directory ===
 
=== Error: Can't create temporary directory ===
 +
 
If you get the following error, along with a 'HINT' containing a UID and a GID number:
 
If you get the following error, along with a 'HINT' containing a UID and a GID number:
{{bc|# can't create temporary directory}}
+
# can't create temporary directory
  
Do the following:
+
Correct permissions:
{{bc|# chown UID:GID /var/lib/clamav & chmod 755 /var/lib/clamav}}
+
# chown UID:GID /var/lib/clamav & chmod 755 /var/lib/clamav

Latest revision as of 16:47, 23 September 2017

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. Because ClamAV's main use is on file/mail servers for Windows desktops, it primarily detects Windows viruses and malware with its built-in signatures.

Installation

Install the clamav package.

Updating database

Update the virus definitions with:

# freshclam

The database files are saved in:

/var/lib/clamav/daily.cvd
/var/lib/clamav/main.cvd
/var/lib/clamav/bytecode.cvd

The virus definition updater service is called freshclamd.service. Consider starting it and enabling it to start at boot so that the virus definitions are kept recent.

Starting the daemon

Consider updating the database before starting the service for the first time or you will run into troubles/errors which will prevent ClamAV to start correctly.

The service is called clamd.service. Start it or enable it to start at boot. You will need to run freshclam prior to starting the service.

Testing the software

In order to make sure ClamAV and the definitions are installed correctly, scan the EICAR test file (a harmless signature with no virus code) with clamscan.

$ curl http://www.eicar.org/download/eicar.com.txt | clamscan -

The output must include:

stdin: Eicar-Test-Signature FOUND

Otherwise; read the Troubleshooting part or ask for help in the Arch Forums.

Adding more databases/signatures repositories

ClamAV can use databases/signature from other repositories or security vendors.

To add the most important ones in a single step, install clamav-unofficial-sigsAUR and configure it in /etc/clamav-unofficial-sigs/user.conf.

This will add signatures/databases from e.g. MalwarePatrol, SecuriteInfo, Yara, Linux Malware Detect, etc. For the full list of databases, see the description of the GitHub repository.

Set up clamav-unofficial-sigs

First, edit the configuration in /etc/clamav-unofficial-sigs/user.conf, and change the following line:

# Uncomment the following line to enable the script
user_configuration_complete="yes"

To enable the unofficial signature service (which includes manpages, log rotation, and a cron job), run the following:

# clamav-unofficial-sigs.sh --install-all

Note that you still must have the clamd service running in order to have signature updates from ClamAV themselves.

This will refresh the signatures from the databases used in the clamav-unofficial-sigs script and extra ones as configured in each configuration file in the /etc/clamav-unofficial-sigs folder. To refresh signatures from these databases manually, run the following:

# clamav-unofficial-sigs.sh

To stop the cron job from running, delete this file: /etc/cron.d/clamav-unofficial-sigs.

MalwarePatrol database

If you would like to use the MalwarePatrol database, sign up for an account at https://www.malwarepatrol.net/.

In /etc/clamav-unofficial-sigs/user.conf, change the following to enable this functionality:

malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER" # enter your receipt number here
malwarepatrol_product_code="8" # Use 8 if you have a Free account or 15 if you are a Premium customer.
malwarepatrol_list="clamav_basic" # clamav_basic or clamav_ext
malwarepatrol_free="yes" # Set to yes if you have a Free account or no if you are a Premium customer.

Source: https://www.malwarepatrol.net/clamav-configuration-guide/

Scan for viruses

clamscan can be used to scan certain files, home directory, or an entire system:

$ clamscan myfile
$ clamscan --recursive --infected /home # or -r -i
$ clamscan --recursive --infected --exclude-dir='^/sys|^/dev' /

If you would like clamscan to remove the infected file add to the command the --remove option, or you can use --move=/dir to quarantine them.

You may also want clamscan to scan larger files. In this case, append the options --max-filesize=4000M and --max-scansize=4000M to the command. '4000M' is the largest possible value, and may be lowered as necessary.

Using the -l /path/to/file option will print the clamscan logs to a text file for locating reported infections.

Using the milter

Copy /etc/clamav/clamav-milter.conf.sample to /etc/clamav/clamav-milter.conf and adjust it to your needs. For example:

/etc/clamav/clamav-milter.conf
MilterSocket /run/clamav/clamav-milter.sock
MilterSocketMode 660
FixStaleSocket yes
User clamav
PidFile /run/clamav/clamav-milter.pid
TemporaryDirectory /tmp
ClamdSocket unix:/var/lib/clamav/clamd.sock
LogSyslog yes
LogInfected Basic

Create /etc/systemd/system/clamav-milter.service:

/etc/systemd/system/clamav-milter.service
[Unit]
Description='ClamAV Milter'
After=clamd.service

[Service]
Type=forking
ExecStart=/usr/bin/clamav-milter --config-file /etc/clamav/clamav-milter.conf

[Install]
WantedBy=multi-user.target

Enable and start the service.

OnAccessScan

On-access scanning requires the kernel to be compiled with the fanotify kernel module (kernel >= 3.8). Check if fanotify has been enabled before enabling on-access scanning.

$ cat /proc/config.gz | gunzip | grep FANOTIFY=y

On-access scanning will scan the file while reading, writing or executing it.

First, edit the /etc/clamav/clamd.conf configuration file by adding the following to the end of the file (you can also change the individual options):

/etc/clamav/clamd.conf
# Enables on-access scan, requires clamd service running
ScanOnAccess true

# Set the mount point where to recursively perform the scan,
# this could be every path or multiple path (one line for path)
OnAccessMountPath /usr
OnAccessMountPath /home/
OnAccessExcludePath /var/log/

# Flag fanotify to block any events on monitored files to perform the scan
OnAccessPrevention false

# Perform scans on newly created, moved, or renamed files
OnAccessExtraScanning true

# Check the UID from the event of fanotify
OnAccessExcludeUID 0

# Specify an action to perform when clamav detects a malicious file
# it is possible to specify an inline command too
VirusEvent /etc/clamav/detected.zsh

# WARNING: clamd should run as root
User root

Next, create the file /etc/clamav/detected.zsh and add the following (replace X_user with the username and X_userId with the userid for whom to display the desktop notification). This allows you to change/specify the debug message when a virus has been detected by clamd's on-access scanning service:

/etc/clamav/detected.zsh
#!/usr/bin/env zsh
alert="Signature detected: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME"

echo "$(date) - $CLAM_VIRUSEVENT_VIRUSNAME > $CLAM_VIRUSEVENT_FILENAME" >> /var/log/clamav/infected.log

if [[ -z $(command -v notify-send) ]]; then
  echo "$alert" {{!}} wall -n
else
  sudo -u X_user DISPLAY=:0 DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/X_userId/bus /usr/bin/notify-send -i dialog-warning "$alert"
fi

If you are using AppArmor, it is also necessary to allow clamd to run as root:

# aa-complain clamd

Restart/start the service with systemctl restart clamd.service.

Source: http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html

Troubleshooting

Error: Clamd was NOT notified

If you get the following messages after running freshclam:

WARNING: Clamd was NOT notified: Cannot connect to clamd through 
/var/lib/clamav/clamd.sock connect(): No such file or directory

Add a sock file for ClamAV:

# touch /var/lib/clamav/clamd.sock
# chown clamav:clamav /var/lib/clamav/clamd.sock

Then, edit /etc/clamav/clamd.conf - uncomment this line:

LocalSocket /var/lib/clamav/clamd.sock

Save the file and restart the daemon with systemctl restart clamd.service.

Error: No supported database files found

If you get the next error when starting the daemon:

LibClamAV Error: cli_loaddb(): No supported database files found
in /var/lib/clamav ERROR: Not supported data format

This happens because of mismatch between /etc/freshclam.conf setting DatabaseDirectory and /etc/clamd.conf setting DatabaseDirectory. /etc/freshclam.conf pointing to /var/lib/clamav, but /etc/clamd.conf (default directory) pointing to /usr/share/clamav, or other directory. Edit in /etc/clamd.conf and replace with the same DatabaseDirectory like in /etc/freshclam.conf. After that clamav will start up succesfully.

Error: Can't create temporary directory

If you get the following error, along with a 'HINT' containing a UID and a GID number:

# can't create temporary directory

Correct permissions:

# chown UID:GID /var/lib/clamav & chmod 755 /var/lib/clamav