ClamAV

From Gentoo Wiki
Jump to: navigation, search

ClamAV is an open-source (GPL-2) anti-virus engine. The base package (app-antivirus/clamav) provides a number of utilities, including a daemon (clamd), a command line scanner (clamscan), an on-access file scanner (clamonacc), and a tool for fetching updates (freshclam).

ClamAV is a flexible tool, and can be used in many different ways including:

  • Providing email virus scanning as part of a mail gateway
  • Web scanning
  • Endpoint Security (desktop scanning)

This is often accomplished by an application or service calling ClamAV as part of its workflow, for example Postfix (mail-mta/postfix) can be configured to connect to a ClamAV daemon listening for connections on the system.

Installation

First, install ClamAV:

root #emerge --ask app-antivirus/clamav

Run freshclam to download the latest ClamAV detection database.

root #freshclam

Start the ClamAV service and add it to the default runlevel:

root #rc-service clamd start
root #rc-update add clamd default

Scan a directory to validate the installation:

user $clamscan ~
...
----------- SCAN SUMMARY -----------
Known viruses: 7162024
Engine version: 0.102.3
Scanned directories: 1
Scanned files: 36
Infected files: 0
Data scanned: 44.62 MB
Data read: 39.45 MB (ratio 1.13:1)
Time: 12.278 sec (0 m 12 s)

Configuration

The default Gentoo configuration of clamd is sane for desktop systems; changes can be made to /etc/clamd.conf if the defaults are not suitable. If the desired functionality is the ability to scan files for viruses on demand no changes need to be made.

On Access File Scanning

On Linux systems ClamAV is able to use the fanotify API to perform on-access file scanning of nominated directories. clamonacc is the included utility that provides this functionality and it shares its configuration with clamd in /etc/clamd.conf

KERNEL Enable fanotify
File Systems --->
	[*] Filesystem wide access notification
	[*]	fanotify permissions checking

In the following example the /home directory will be recursively watched by clamonacc:

FILE /etc/clamd.conf
OnAccessPrevention yes
OnAccessIncludePath /home
OnAccessExcludeUname clamav
Note
ClamAV provides some documentation (recipes) for confguring clamonacc that may be useful.

Download an eicar test file to a location within the include path.

Invoke clamonacc with elevated permissions to test the configuration

user $sudo clamonacc

Attempt to access the eicar test file (clamonacc should prevent it):

user $cat ~/eicar.com
cat: eicar.com: Operation not permitted
Note
The clamd service does not currently launch clamonacc. A solution needs to be implemented for this.

Additional clamonacc configuration

If the default clamonacc performance is insufficient, and there are available system resources, the following configuration values can be adjusted (increased from the default) in /etc/clamd.conf:

  • MaxQueue
  • MaxThreads
  • OnAccessMaxThreads

ClamAV GUI

app-antivirus/clamtk can be installed to provide users with a GUI for that can (among other things): configure clamd scan settings, schedule scans of the user's home directory, and launch on-demand scans of individual files or folders.

root #emerge --ask app-antivirus/clamtk

External resources