Disclaimer
This document is meant as help in the right direction, and nothing more. There is no substitute for carefully reading all official documentation, READMEs and INSTALLs. The authors and SU3 Analytics do not accept any responsibility for any consequences of using this guide and instructions contained herein.
If you have any questions, or would like any assistance or further information regarding the material contained here, then please do contact info@su3analytics.com.
Introduction
Clam AntiVirus is an open source virus detection toolkit for Linux, designed especially for use on mail servers. The core clamav package consists of:
- A database of approximately 367,000 virus signatures (stored in main.cvd and daily.cvd)
- A database update daemon freshclam
- A commandline tool clamscan that can be used to scan files and directories
- The Clam AntiVirus daemon clamd
- A simple commandline client for clamd
In this document we are going to describe setting up clamav to filter mail handled by the SMTP relay postfix. Full documentation on clamav can be found here, and for ClamSMTP here.
Requirements
Before compiling and installing clamav you must ensure that you have the following deployed on your system:
- The zlib and zlib-devel packages
- The gcc compiler suite
- The bzip2 and bzip2-devel libraries
- GNU MP - the GNU Multiple Precision arithmetic library
This latter item will not be installed on many systems. In order to install it, as root:
> cd
> wget http://ftp.sunet.se/pub/gnu/gmp/gmp-4.2.2.tar.bz2
> bunzip2 gmp-4.2.2.tar.bz2
> tar -xvf gmp-4.2.2.tar
> cd gmp-4.2.2
> ./configure
> make
> make check
> make install
Downloading, compiling and installing Clam AntiVirus
Before installing clamav for the first time you need to add a clamav user and group. As root:
> groupadd clamav
> useradd -g clamav -s /sbin/nologin -c "Clam_AntiVirus" clamav
Check on the website www.clamav.net for the latest stable releases and documentation. Then, as root:
> cd
> wget http://freshmeat.net/redir/clamav/29355/url_tgz/clamav-0.93.3.tar.gz
> tar -xvf clamav-0.93.3.tar.gz
> cd clamav-0.93.3
> ./configure
> make
> make check
> make install
To recursively check any directory, use the commandline tool clamscan. For example:
> cd
> clamscan -r -l scan.txt clamav-0.93.3
will recursively check the directory clamav-0.93.3 and write the results to the file scan.txt. This should find the example (test) viruses that come bundled with clamav.
Running the Clam AntiVirus daemon
You will not be able to run the Clam AntiVirus daemon clamd until the configuration file /etc/clamd.conf has been updated. The various options are well documented; un-comment and tweak them as appropriate. However, pay particular attention to the following options, and set them as shown:
# Comment or remove the line below.
#Example
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /tmp/clamd.socket
# TCP port address.
# Default: no
# ** THIS SHOULD BE LEFT COMMENTED OUT **
#TCPSocket 10025
# Enable internal e-mail scanner.
# Default: yes
ScanMail yes
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clamav
# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile /var/run/clamav/clamd.pid
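As an added check (example code, not from this guide or the ClamAV project), the following POSIX shell script verifies that a clamd.conf carries the settings listed above; it only reads the file and reports any directive that is missing or left in the wrong state:

```shell
#!/bin/sh
# Added example, not from the guide: check a clamd.conf for the settings
# the guide asks for. Usage: check_clamd_conf /etc/clamd.conf
# Returns 0 when every check passes, 1 otherwise, printing each failure.

# directive_set FILE NAME: 0 if NAME appears uncommented in FILE, else 1.
directive_set() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# directive_is FILE NAME VALUE: 0 if "NAME VALUE" is set uncommented in FILE.
directive_is() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*\$" "$1"
}

check_clamd_conf() {
    conf="$1"
    rc=0
    # "Example" must be commented out or removed, or clamd refuses to start.
    if directive_set "$conf" Example; then
        echo "FAIL: 'Example' line still present"; rc=1
    fi
    # A local socket must be given; the guide uses /tmp/clamd.socket.
    if ! directive_set "$conf" LocalSocket; then
        echo "FAIL: LocalSocket not set"; rc=1
    fi
    # TCPSocket stays commented out so clamd is reachable only via the socket.
    if directive_set "$conf" TCPSocket; then
        echo "FAIL: TCPSocket is enabled; leave it commented out"; rc=1
    fi
    # clamd must drop privileges to the clamav user.
    if ! directive_is "$conf" User clamav; then
        echo "FAIL: 'User clamav' not set"; rc=1
    fi
    # Mail scanning must be on for the postfix filter to be useful.
    if ! directive_is "$conf" ScanMail yes; then
        echo "FAIL: 'ScanMail yes' not set"; rc=1
    fi
    return $rc
}

# Demo on a constructed config holding the values from the guide above.
demo=$(mktemp)
printf '%s\n' '#Example' 'LocalSocket /tmp/clamd.socket' '#TCPSocket 10025' \
    'ScanMail yes' 'User clamav' 'PidFile /var/run/clamav/clamd.pid' > "$demo"
check_clamd_conf "$demo" && echo "clamd.conf OK"
rm -f "$demo"
```

The PidFile directory (/var/run/clamav here) must also exist and be writable by the clamav user, which the script does not check.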
You can then start clamd by simply doing:
> clamd
You can test the daemon is working by using the client:
> cd
> clamdscan -l scan.txt clamav-0.93.3
Note that clamd should not be run as root. See here for a startup and shutdown script for clamd. This should be saved as:
/usr/local/sbin/clamd.sh
Do not forget to set the execute permission:
> chmod u+x /usr/local/sbin/clamd.sh
Check the script is working by stopping and starting clamd a few times. You will probably want clamd to start at boot time; the simplest way is to add a line to your rc.local file or equivalent:
/usr/local/sbin/clamd.sh start
Updating the virus database
It is obviously important that the database be kept up to date. Packaged with clamav is the database update daemon freshclam. Before running it for the first time, the configuration file /etc/freshclam.conf will have to be updated. The file is well commented; the options to note here are:
# Comment or remove the line below.
#Example
# Path to the log file (make sure it has proper permissions)
# Default: disabled
UpdateLogFile /var/log/freshclam.log
# This option allows you to save the process identifier of the daemon
# Default: disabled
PidFile /var/run/clamav/freshclam.pid
# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
DatabaseMirror db.uk.clamav.net
# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
DatabaseOwner clamav
# Number of database checks per day.
# Default: 12 (every two hours)
Checks 24
freshclam will not create the log file if it does not exist, so you will have to create it first and set the correct permissions. As root:
> cd /var/log
> touch freshclam.log
> chmod 600 freshclam.log
> chown clamav freshclam.log
> chgrp clamav freshclam.log
Now freshclam can be run interactively from the commandline, just do:
> freshclam
It can also be added as a cron job; however, the simplest method of ensuring automatic updates is to run freshclam in daemon mode:
> freshclam -d
which will update the database according to the "Checks" option in the config file. A startup and shutdown script for freshclam is here. Save this as freshclam.sh and add it to your rc.local or equivalent to ensure it starts at boot time.
With the database being automatically updated and the daemon running, we can now configure postfix to filter mail with Clam AntiVirus.