Ubuntu - Anti Virus - Install ClamAV

ClamAV is an anti-virus application.

The clamav-daemon package creates a 'clamav' user; in order to allow ClamAV to scan system files, such as your mail spool, you can add clamav to the group that owns the files.


Install ClamAV

First, update the package repository:

sudo apt update

Now install the clamav scanner, the daemon and the database updater.

sudo apt install clamav clamav-daemon clamav-freshclam

NOTE: You can also install the clamav-data package, but the clamav-freshclam package is another (easier) way to update your virus definitions.

On RHEL, CentOS or Scientific Linux, you only need to install the clamav package:

yum install clamav

Update the database

The two commands below restart the freshclam daemon (which updates the database automatically) and then run a manual update of the definitions.

sudo /etc/init.d/clamav-freshclam restart
sudo /usr/bin/freshclam

Scan for a virus

clamscan -r -i /home/peter

where -r scans the directory recursively and -i prints only infected files.


The daily scan

The cronjob below first updates the virus definition database (so that the scan always uses the most recent definitions) and then runs a full scan that reports only infected files.

It also does not remove infected files automatically; you have to do that manually. This way you make sure that it does not delete /bin/bash by accident.

## This should be a root cronjob.
30 01 * * * /usr/bin/freshclam --quiet; /usr/bin/clamscan --recursive --no-summary --infected / 2>/dev/null

NOTE: The 2>/dev/null redirection keeps the "access denied" errors from /proc and similar pseudo-filesystems out of the report.

The infected files however are still found and reported.

Also make sure that your cron is configured so that it mails you the output of the cronjobs. The manual page will help you with that.

This is how a sample email looks if you have an infection:

/tmp/eicar.zip: Eicar-Test-Signature FOUND
/tmp/eicar.com: Eicar-Test-Signature FOUND

Extra: the targeted scan

The below cronjob is an example and you should adapt it as required.

## This should be a root cronjob.
*/29 * * * * /usr/bin/freshclam --quiet; /usr/bin/clamscan --recursive --no-summary --infected --remove /var/www/sites/uploader.com/public-html/uploads 2>/dev/null

This is how a sample email might look:

/var/www/sites/uploader.com/public-html/uploads/eicar.zip: Eicar-Test-Signature FOUND
/var/www/sites/uploader.com/public-html/uploads/eicar.zip: Removed.
/var/www/sites/uploader.com/public-html/uploads/eicar.com: Eicar-Test-Signature FOUND
/var/www/sites/uploader.com/public-html/uploads/eicar.com: Removed.

Possible finds

The scan can also detect these “viruses”:

In fact, these are not viruses but potentially unwanted applications (PUA).

To disable detection of PUA use an additional parameter:

--detect-pua=no

And to enable detection of PUA:

--detect-pua=yes

Example:

sudo clamscan -r -i --detect-pua=yes /

Possible errors

ERROR 1

When you update the virus signature database, it can return this error message:

freshclam

returns:

ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!).
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).

This happens because freshclam was run as a user without write access to its log file.

This is solved by running freshclam with sudo:

sudo freshclam

ERROR 2

Scanning can return this error message:

LibClamAV Warning: fmap_readpage: pread fail: asked for 4085 bytes @ offset 11, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4091 bytes @ offset 5, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4094 bytes @ offset 2, got 0
LibClamAV Error: fmap_readpage: pread error: Input/output error

To avoid this, exclude the pseudo-filesystems /sys, /dev and /proc from the scan, like so:

sudo clamscan -ir --exclude-dir=^/sys --exclude-dir=^/dev --exclude-dir=^/proc /
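The daily scan cronjob from "The daily scan" section and the directory exclusions from ERROR 2, combined into one cron-driven script as an added example (not from the original page or the ClamAV project). The script path, passing the updater and scanner commands as arguments, and the "print nothing when clean" behaviour are assumptions; clamscan's exit codes (0 = nothing found, 1 = infected files found, 2 = error) are the real ones.

```shell
#!/bin/sh
# Daily ClamAV scan wrapper for cron. Added example; not part of ClamAV or the
# original page. Assumed install path: /usr/local/sbin/clamav-daily.sh
# clamscan exit codes: 0 = nothing found, 1 = infected files found, 2 = error.

# Pseudo-filesystems that trigger the fmap_readpage pread errors; excluded as
# shown in the "ERROR 2" section of this page.
EXCLUDES="--exclude-dir=^/sys --exclude-dir=^/dev --exclude-dir=^/proc"

# Map a clamscan exit code to a status word.
scan_status() {
  case "$1" in
    0) echo "clean" ;;
    1) echo "infected" ;;
    2) echo "error" ;;
    *) echo "unknown" ;;
  esac
}

# daily_scan <freshclam-cmd> <clamscan-cmd> <path>
# Updates definitions, then scans. Output is produced only when files are
# found or the scanner fails, so cron mails you only on those days.
# The scan still runs if the update fails (same as the ';' in the cron line).
daily_scan() {
  updater="$1"; scanner="$2"; target="$3"
  "$updater" --quiet ||
    echo "WARNING: freshclam failed (exit $?); scanning with existing definitions"
  rc=0
  report=$("$scanner" --recursive --no-summary --infected $EXCLUDES "$target" 2>/dev/null) || rc=$?
  case "$(scan_status "$rc")" in
    clean) ;;  # nothing to report, so no mail from cron
    infected) printf 'ClamAV found infected files under %s:\n%s\n' "$target" "$report" ;;
    *) printf 'ClamAV scan of %s failed (clamscan exit %s)\n' "$target" "$rc" ;;
  esac
  return "$rc"
}

# Root cron entry: 30 01 * * * /usr/local/sbin/clamav-daily.sh /usr/bin/freshclam /usr/bin/clamscan /
if [ "$#" -eq 3 ]; then
  daily_scan "$@"
fi
```

Because the function prints nothing on a clean run, cron sends mail only when something was found or the scan itself failed, and the script's exit code lets you tell those two cases apart in monitoring.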