====== Linux antivirus ======

===== ClamAV =====

https://www.clamav.net/

Packages are available for Linux, macOS and Windows. ClamAV can be updated offline or online.

==== Offline DB update ====

Download the three definition files:

  * https://database.clamav.net/daily.cvd
  * https://database.clamav.net/main.cvd
  * https://database.clamav.net/bytecode.cvd

Stop every clam process, then copy these 3 definition files into /var/lib/clamav and check their ownership and permissions:

<code bash>
chown clamav:clamav /var/lib/clamav/*cvd
chmod 644 /var/lib/clamav/*cvd
</code>

Before restarting the daemon you can confirm that each copied file is intact and carries a valid signature with ''sigtool --info=/var/lib/clamav/daily.cvd'' (and likewise for main.cvd and bytecode.cvd).

==== Installation ====

A Linux package install will probably go in /usr, with:

  * applications in /usr/bin
  * daemons in /usr/sbin
  * libraries in /usr/lib
  * headers in /usr/include
  * configs in /etc/clamav
  * databases in /var/lib/clamav

The full list of packages includes:

  * clamav - command-line interface
  * clamav-base - base package
  * clamav-daemon - scanner daemon
  * clamav-docs - documentation
  * clamav-freshclam - virus database update utility
  * clamav-milter - sendmail integration
  * clamdscan - a command-line client for clamd, similar to clamscan
  * clamav-testfiles - test files
  * libclamav-dev - development files
  * libclamav9 - library
  * libclamunrar9 - unrar support

For Red Hat-like distributions, you'll find it in the EPEL repo. EPEL offers a selection of packages to install ClamAV:

  * clamd - The Clam AntiVirus Daemon
  * clamav - End-user tools for the Clam Antivirus scanner
  * clamav-data - Virus signature data for the Clam Antivirus scanner
  * clamav-devel - Header files and libraries for the Clam Antivirus scanner
  * clamav-lib - Dynamic libraries for the Clam Antivirus scanner
  * clamav-milter - Milter module for the Clam Antivirus scanner
  * clamav-update - Auto-updater for the Clam Antivirus scanner data-files

Most users will only need to run:

<code bash>
dnf install -y clamav clamd clamav-update
</code>

Run these to generate example configs in /etc/clamav/, if needed:

<code bash>
clamconf -g freshclam.conf > freshclam.conf
clamconf -g clamd.conf > clamd.conf
clamconf -g clamav-milter.conf > clamav-milter.conf
</code>

To allow ClamAV to operate under SELinux, run the following:

<code bash>
setsebool -P antivirus_can_scan_system 1
</code>

==== Scanning ====

Start scanning:

  * One time: clamscan --recursive /
  * Memory: clamscan --memory --infected
  * On access: clamonacc

The mail filtering configuration file is clamav-milter.conf.

Check the installed version:

<code>
# clamscan --version
ClamAV 0.103.2

# clamscan --version
ClamAV 1.0.8/27636/Tue May 13 10:40:46 2025
</code>

Scan only one file:

<code>
# clamscan Downloads/LOS.zip
</code>

To check all files on the computer, displaying the name of each file:

<code>
# clamscan -r /
</code>

To check all files on the computer, but only display infected files and ring a bell when one is found:

<code>
# clamscan -r --bell -i /
</code>

To check files in the USER home directory and move infected files to another folder:

<code>
# clamscan -r --move=/home/USER/VIRUS /home/USER
</code>

To check files in the USER home directory and remove infected files (WARNING: the files are gone):

<code>
# clamscan -r --remove /home/USER
</code>

To scan all folders on your computer (except /sys):

<code>
# clamscan -r -i --exclude-dir="^/sys" --bell /
</code>

To scan specific folders or files, create a file listing the files/folders you want to scan, and tell ClamAV where to find that file:

<code>
# clamscan -r -i --bell --file-list=/home/nav/ClamScanTheseFolders.txt
</code>

My ClamScanTheseFolders.txt contained:

<code>
/media/nav/someFolder1
/media/nav/someFolder2
/opt/someFolder/somefile
</code>

==== clamd ====

/etc/clamav/clamd.conf:

<code>
LogFile /var/log/clamav/clamd.log
LogTime yes
PidFile /run/clamav/clamd.pid
TemporaryDirectory /tmp
LocalSocket /run/clamav/clamd.ctl
ExcludePath ^/home/user/.mozilla/
ExcludePath ^/etc/hosts
ExcludePath ^/dev/
ExcludePath ^/proc/
ExcludePath ^/sys/
OnAccessExcludePath /run
OnAccessExcludePath /sys
OnAccessExcludePath ^/home/user/.mozilla/
OnAccessExcludePath ^/etc/hosts
OnAccessExcludePath /proc
OnAccessMountPath /
OnAccessIncludePath /home/user/Desktop
OnAccessExcludeUID 0
OnAccessPrevention false
OnAccessExtraScanning true
OnAccessExcludeUname clamav
User clamav
# Enable verbose logging.
# Default: no
LogVerbose yes
# Enable debug messages in libclamav.
# Default: no
Debug yes
</code>

Then you can run it with:

<code bash>
clamdscan --multiscan --fdpass --quiet /
</code>

  * --multiscan will speed up the processing because it uses multiple threads.
  * --fdpass will allow you to scan files as the clamd user that the clamav-daemon.service runs as.
  * --quiet should suppress all output except infected files. At least that's what it seems to do on my system, but that isn't how it is described in the documentation.

If you want to save to a file you can just redirect the output:

<code bash>
clamdscan > /save/file.txt
</code>

Or save it to a file with the --log=FILE option.

==== Example script ====

<code bash>
#!/bin/bash
logname=/var/log/clamav/clamav.log
CURRTIME=$(date +"%Y-%m-%d_%H_%M")
clamlog=/var/log/clamav/clamav_${CURRTIME}.log
quarantine=/var/clamav/infected   # defined but not used by the scan below

main() {
    touch "$clamlog"
    # --exclude-dir takes a regular expression; skip pseudo-filesystems and removable media
    nice -n5 clamscan --recursive --infected / \
        --exclude-dir=/proc --exclude-dir=/sys --exclude-dir=/dev \
        --exclude-dir=/media --exclude-dir=/mnt -l "$clamlog"
    # the scan summary in the log ends with a line "Infected files: N"
    MALWARE=$(tail "$clamlog" | grep Infected | cut -d" " -f3)
    if [ "${MALWARE:-0}" -ne 0 ]; then
        mail -s "Malware Found $(hostname -i; uname -a)" "$(cat ~/.env/EMAIL)" < "$clamlog"
    fi
}

main > "$logname" 2>&1
</code>

==== clamconf output ====

Example output of clamconf -n, which shows the effective configuration, database versions and build information:

<code>
# clamconf -n
Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
PreludeAnalyzerName = "ClamAV"
LogFile = "/var/log/clamav/clamav.log"
LogFileMaxSize = "209715200"
LogTime = "yes"
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
MaxConnectionQueueLength = "15"
StreamMaxLength = "26214400"
MaxThreads = "12"
ReadTimeout = "180"
SendBufTimeout = "200"
ExcludePath = "/.git/", "lost+found", "^/run/", "^/sys/", "^/dev/", "^/proc/", "^/var/log/", "^/home/adoyle/", "^/ssd", "^/hdd", "^/mnt "
SelfCheck = "3600"
User = "clamav"
BytecodeTimeout = "60000"
ScanHTML disabled
ScanOLE2 disabled
ScanPDF disabled
MaxScanTime = "120000"
MaxScanSize = "104857600"
MaxFileSize = "26214400"
MaxRecursion = "16"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
PCREMatchLimit = "10000"
PCRERecMatchLimit = "5000"
PCREMaxFileSize = "26214400"
OnAccessMountPath = "/"
OnAccessExcludePath = "/.git/", "lost+found", "/run", "/sys/", "/dev/", "/proc/", "/var/log/", "/home/adoyle/", "/ssd", "/hdd", "/mnt"
OnAccessExcludeRootUID = "yes"
OnAccessExcludeUname = "clamav"

Config file: freshclam.conf
---------------------------
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogRotate = "yes"
UpdateLogFile = "/var/log/clamav/freshclam.log"
Checks = "24"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
MaxAttempts = "5"
ReceiveTimeout disabled

clamav-milter.conf not found

Software settings
-----------------
Version: 1.0.1
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information
--------------------
Database directory: /var/lib/clamav
daily.cld: version 26925, sigs: 2036167, built on Thu Jun 1 15:27:46 2023
bytecode.cvd: version 334, sigs: 91, built on Thu Feb 23 05:33:21 2023
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 20:32:42 2021
Total number of signatures: 8683685

Platform information
--------------------
uname: Linux 6.1.0-0.deb11.7-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.20-2~bpo11+1 (2023-04-23) x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
Full OS version: No LSB modules are available.
Debian GNU/Linux 12 (bookworm)
zlib version: 1.2.13 (1.2.13), compile flags: a9
platform id: 0x0a21a1a108000000000c0200

Build information
-----------------
GNU C: 12.2.0 (12.2.0)
sizeof(void*) = 8
Engine flevel: 161, dconf: 161
</code>
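The scan-and-alert script from the "Example script" section, reworked as an added example that is not part of the original page: it keys the alert on clamscan's exit status (0 = clean, 1 = infected, 2 = error) together with the parsed "Infected files: N" summary line, so a scan that dies half-way is reported as an error rather than mistaken for a clean run. The log directory and the MAILTO address are assumptions.

```shell
#!/bin/bash
# Added example, not from the wiki page: a clamscan wrapper that decides
# from clamscan's exit status (0 = clean, 1 = infected, 2 = error) together
# with the "Infected files: N" summary line, instead of a bare tail|grep|cut.
# LOGDIR and MAILTO are assumptions; override them in the environment.
set -u
MAILTO="${MAILTO:-root}"
LOGDIR="${LOGDIR:-/var/log/clamav}"

# Print N from the last "Infected files: N" line of a clamscan log, or
# "unknown" when the summary is missing (scan killed or aborted).
infected_count() {
    n=$(sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${n:-unknown}"
}

# Combine exit status and parsed count into one verdict: clean, infected
# or error. Anything inconsistent (status 0 but no summary, status 1 but
# count 0) is "error", so a half-finished scan never looks clean.
classify_scan() {
    status=$1; count=$2
    case "$status" in
        0) if [ "$count" = "0" ]; then echo clean; else echo error; fi ;;
        1) if [ "$count" != "unknown" ] && [ "$count" -gt 0 ]; then echo infected; else echo error; fi ;;
        *) echo error ;;
    esac
}

# Run the scan, log it, and mail the log on anything other than "clean".
# Status 2 also covers unreadable files, so expect "error" when scanning /
# without sufficient privileges.
run_scan() {
    log="$LOGDIR/clamav_$(date +%Y-%m-%d_%H_%M).log"
    nice -n 5 clamscan --recursive --infected \
        --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' \
        --exclude-dir='^/media' --exclude-dir='^/mnt' \
        --log="$log" / >/dev/null 2>&1
    status=$?
    verdict=$(classify_scan "$status" "$(infected_count "$log")")
    if [ "$verdict" != "clean" ]; then
        mail -s "clamscan $verdict on $(hostname)" "$MAILTO" < "$log"
    fi
    echo "$verdict"
}

if [ "${1:-}" = "--run" ]; then run_scan; fi
```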