ClamAV is an open-source (GPL-2) anti-virus engine. The base package (app-antivirus/clamav) provides a number of utilities, including a daemon (clamd), a command line scanner (clamscan), an on-access file scanner (clamonacc), and a tool for fetching updates (freshclam).
ClamAV is a flexible tool, and can be used in many different ways including:
- Providing email virus scanning as part of a mail gateway
- Web scanning
- Endpoint Security (desktop scanning)
This is often accomplished by an application or service calling ClamAV as part of its workflow, for example Postfix (mail-mta/postfix) can be configured to connect to a ClamAV daemon listening for connections on the system.
First, install ClamAV:
emerge --ask app-antivirus/clamav
Run freshclam to download the latest ClamAV detection database.
Start the ClamAV service and add it to the default runlevel:
rc-service clamd start
rc-update add clamd default
Scan a directory to validate the installation:
... ----------- SCAN SUMMARY ----------- Known viruses: 7162024 Engine version: 0.102.3 Scanned directories: 1 Scanned files: 36 Infected files: 0 Data scanned: 44.62 MB Data read: 39.45 MB (ratio 1.13:1) Time: 12.278 sec (0 m 12 s)
The default Gentoo configuration of clamd is sane for desktop systems; changes can be made to /etc/clamd.conf if the defaults are not suitable. If the desired functionality is the ability to scan files for viruses on demand no changes need to be made.
On Access File Scanning
On Linux systems ClamAV is able to use the fanotify API to perform on-access file scanning of nominated directories. clamonacc is the included utility that provides this functionality and it shares its configuration with clamd in /etc/clamd.conf
File Systems ---> [*] Filesystem wide access notification [*] fanotify permissions checking
In the following example the /home directory will be recursively watched by clamonacc:
OnAccessPrevention yes OnAccessIncludePath /home OnAccessExcludeUname clamav
ClamAV provides some documentation (recipes) for confguring clamonacc that may be useful.
Download an eicar test file to a location within the include path.
wget https://www.eicar.org/download/eicar.com -o ~/eicar.com
Invoke clamonacc with elevated permissions to test the configuration
Attempt to access the eicar test file (clamonacc should prevent it):
cat: eicar.com: Operation not permitted
The clamd service does not currently launch clamonacc. A solution needs to be implemented for this.
Additional clamonacc configuration
If the default clamonacc performance is insufficient, and there are available system resources, the following configuration values can be adjusted (increased from the default) in /etc/clamd.conf:
app-antivirus/clamtk can be installed to provide users with a GUI for that can (among other things): configure clamd scan settings, schedule scans of the user's home directory, and launch on-demand scans of individual files or folders.
emerge --ask app-antivirus/clamtk
- ClamAV (Arch Wiki)