wiki

User Tools

Site Tools

Trace: ibm_bigfix_ilmt deploy_tools ad_rfc2307 ansible
linux:antivirus

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
linux:antivirus [2025/05/13 12:02]
manu [ClamAV] 		linux:antivirus [2025/05/16 10:55] (current)
manu
Line 10: Line 10:
  
 Offline DB update: Offline DB update:
-  ​http://​database.clamav.net/​daily.cvd +  ​https://​database.clamav.net/​daily.cvd 
-  ​http://​database.clamav.net/​main.cvd +  ​https://​database.clamav.net/​main.cvd 
-  ​http://​database.clamav.net/​bytecode.cvd +  ​https://​database.clamav.net/​bytecode.cvd
- +
  
 +Stop every clam process, then copy theses 3 definitions file into /​var/​lib/​clamav and check permissions
 +  chown clamav:​clamav /​var/​lib/​clamav/​*cvd
 +  chmod 644 /​var/​lib/​clamav/​*cvd
 +  ​
 A Linux package install will probably go in /usr, with: A Linux package install will probably go in /usr, with:
   applications in /usr/bin   applications in /usr/bin
Line 59: Line 61:
 To allow ClamAV to operate under SELinux, run the following: To allow ClamAV to operate under SELinux, run the following:
   setsebool -P antivirus_can_scan_system 1   setsebool -P antivirus_can_scan_system 1
 +  ​
 +Start scanning:
 +  * One time: clamscan --recursive /
 +  * Memory: clamscan --memory --infected
 +  * On access: clamonacc
 +
 +Mail filtering configuration file is : clamav-milter.conf
 +
 +<cli prompt='#'>​
 +# clamscan --version
 +ClamAV 0.103.2
 +# clamscan --version
 +ClamAV 1.0.8/​27636/​Tue May 13 10:40:46 2025
 +</​cli>​
 +
 +
 +Only scan one file
 +<cli prompt='#'>​
 +# clamscan Downloads/​LOS.zip
 +</​cli>​
 +To check all files on the computer, displaying the name of each file:
 +<cli prompt='#'>​
 +# clamscan -r /
 +</​cli>​
 +To check all files on the computer, but only display infected files and ring a bell when found:
 +<cli prompt='#'>​
 +# clamscan -r --bell -i /
 +</​cli>​
 +
 +To check files in the USER home directory and move infected files to another folder:
 +<cli prompt='#'>​
 +# clamscan -r --move=/​home/​USER/​VIRUS /home/USER
 +</​cli>​
 +To check files in the USER home directory and remove infected files (WARNING: Files are gone.):
 +<cli prompt='#'>​
 +# clamscan -r --remove /home/USER
 +</​cli>​
 +To scan all folders in your computer (except /sys):
 +<cli prompt='#'>​
 +# clamscan -r -i --exclude-dir="​^/​sys"​ --bell / 
 +</​cli>​
 +To scan specific folders or files, you have to create a file in which you list out which files/​folders you want to scan, and tell clamav where to find that file:
 +<cli prompt='#'>​
 +# clamscan -r -i --bell --file-list=/​home/​nav/​ClamScanTheseFolders.txt
 +</​cli>​
 +My ClamScanTheseFolders.txt contained:
 +<​code>​
 +/​media/​nav/​someFolder1
 +/​media/​nav/​someFolder2
 +/​opt/​someFolder/​somefile
 +</​code>​
 +
 +
 +/​etc/​clamav/​clamd.conf
 +<​code>​
 +LogFile /​var/​log/​clamav/​clamd.log
 +LogTime yes
 +PidFile /​run/​clamav/​clamd.pid
 +TemporaryDirectory /tmp
 +LocalSocket /​run/​clamav/​clamd.ctl
 +
 +ExcludePath ^/​home/​user/​.mozilla/​
 +ExcludePath ^/etc/hosts
 +ExcludePath ^/dev/
 +ExcludePath ^/proc/
 +ExcludePath ^/sys/
 +
 +OnAccessExcludePath /run
 +OnAccessExcludePath /sys
 +OnAccessExcludePath ^/​home/​user/​.mozilla/​
 +OnAccessExcludePath ^/etc/hosts
 +OnAccessExcludePath /proc
 +OnAccessMountPath /
 +
 +OnAccessIncludePath /​home/​user/​Desktop
 +
 +OnAccessExcludeUID 0
 +
 +OnAccessPrevention false
 +OnAccessExtraScanning true
 +OnAccessExcludeUname clamav
 +User clamav
 +# Enable verbose logging.
 +# Default: no
 +LogVerbose yes
 +
 +# Enable debug messages in libclamav.
 +# Default: no
 +Debug yes
 +</​code>​
 +
 +Then you can run it with:
 +
 +clamdscan --multiscan --fdpass --quiet /
 +
 +  --multiscan will speed up the processing because it uses multiple threads.
 +  --fdpass will allow you to scan files as the clamd user that the clamav-daemon.service runs as.
 +  --quiet should suppress all output except infected files. At least that's what it seems to do on my system but that isn't how it is described in the documentation.
 +
 +If you want to save to file you can just redirect the output clamdscan <​options>​ > /​save/​file.txt
 +Or save it to file with the --log=FILE option. ​
 +
 +Example of script
 +<​code>​
 +#!/bin/bash
 +logname=/​var/​log/​clamav/​clamav.log
 +
 +CURRTIME=$(date +"​%Y-%m-%d_%H_%M"​)
 +clamlog=/​var/​log/​clamav/​clamav_${CURRTIME}.log
 +quarantine=/​var/​clamav/​infected
 +
 +main()
 +{
 +touch $clamlog
 +
 +nice -n5 clamscan --recursive --infected / --excluded-dir=/​proc --exclude-dir=/​sys --exclude-dir=/​dev --exclude-dir=/​media --exclude-dir=/​mnt -l $clamlog
 +
 +MALWARE=$(tail "​$clamlog"​|grep Infected|cut -d" " -f3) && if [ "​$MALWARE"​ -ne "​0"​ ]; 
 +    then mail -s "​Malware Found $(hostname -i; uname -a)" $(cat ~/​.env/​EMAIL) <<< ​
 +    $(cat $clamlog); fi
 +}
 +main > $logname 2>&1
 +</​code>​
 +
 +<cli prompt='#'>​
 +# clamconf -n
 +
 +Checking configuration files in /etc/clamav
 +
 +Config file: clamd.conf
 +-----------------------
 +PreludeAnalyzerName = "​ClamAV"​
 +LogFile = "/​var/​log/​clamav/​clamav.log"​
 +LogFileMaxSize = "​209715200"​
 +LogTime = "​yes"​
 +LogRotate = "​yes"​
 +ExtendedDetectionInfo = "​yes"​
 +LocalSocket = "/​var/​run/​clamav/​clamd.ctl"​
 +LocalSocketGroup = "​clamav"​
 +LocalSocketMode = "​666"​
 +MaxConnectionQueueLength = "​15"​
 +StreamMaxLength = "​26214400"​
 +MaxThreads = "​12"​
 +ReadTimeout = "​180"​
 +SendBufTimeout = "​200"​
 +ExcludePath = "/​.git/",​ "​lost+found",​ "​^/​run/",​ "​^/​sys/",​ "​^/​dev/",​ "​^/​proc/",​ "​^/​var/​log/",​ "​^/​home/​adoyle/",​ "​^/​ssd",​ "​^/​hdd",​ "^/mnt
 +"
 +SelfCheck = "​3600"​
 +User = "​clamav"​
 +BytecodeTimeout = "​60000"​
 +ScanHTML disabled
 +ScanOLE2 disabled
 +ScanPDF disabled
 +MaxScanTime = "​120000"​
 +MaxScanSize = "​104857600"​
 +MaxFileSize = "​26214400"​
 +MaxRecursion = "​16"​
 +MaxEmbeddedPE = "​10485760"​
 +MaxHTMLNormalize = "​10485760"​
 +MaxHTMLNoTags = "​2097152"​
 +MaxScriptNormalize = "​5242880"​
 +PCREMatchLimit = "​10000"​
 +PCRERecMatchLimit = "​5000"​
 +PCREMaxFileSize = "​26214400"​
 +OnAccessMountPath = "/"​
 +OnAccessExcludePath = "/​.git/",​ "​lost+found",​ "/​run",​ "/​sys/",​ "/​dev/",​ "/​proc/",​ "/​var/​log/",​ "/​home/​adoyle/",​ "/​ssd",​ "/​hdd",​ "/​mnt"​
 +OnAccessExcludeRootUID = "​yes"​
 +OnAccessExcludeUname = "​clamav"​
 +
 +Config file: freshclam.conf
 +---------------------------
 +LogFileMaxSize = "​4294967295"​
 +LogTime = "​yes"​
 +LogRotate = "​yes"​
 +UpdateLogFile = "/​var/​log/​clamav/​freshclam.log"​
 +Checks = "​24"​
 +DatabaseMirror = "​db.local.clamav.net",​ "​database.clamav.net"​
 +MaxAttempts = "​5"​
 +ReceiveTimeout disabled
 +
 +clamav-milter.conf not found
 +
 +Software settings
 +-----------------
 +Version: 1.0.1
 +Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON
 +
 +Database information
 +--------------------
 +Database directory: /​var/​lib/​clamav
 +daily.cld: version 26925, sigs: 2036167, built on Thu Jun  1 15:27:46 2023
 +bytecode.cvd:​ version 334, sigs: 91, built on Thu Feb 23 05:33:21 2023
 +main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 20:32:42 2021
 +Total number of signatures: 8683685
 +
 +Platform information
 +--------------------
 +uname: Linux 6.1.0-0.deb11.7-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.20-2~bpo11+1 (2023-04-23) x86_64
 +OS: Linux, ARCH: x86_64, CPU: x86_64
 +Full OS version: No LSB modules are available.
 +Debian GNU/Linux 12 (bookworm)
 +zlib version: 1.2.13 (1.2.13), compile flags: a9
 +platform id: 0x0a21a1a108000000000c0200
 +
 +Build information
 +-----------------
 +GNU C: 12.2.0 (12.2.0)
 +sizeof(void*) = 8
 +Engine flevel: 161, dconf: 161
 +</​cli>​
linux/antivirus.1747130547.txt.gz · Last modified: 2025/05/13 12:02 by manu

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
GNU Free Documentation License 1.3 Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki