ClamAV

Resources

ClamAV is an open-source (GPL-2) anti-virus engine. The base package (app-antivirus/clamav) provides a number of utilities, including a daemon (clamd), a command line scanner (clamscan), an on-access file scanner (clamonacc), and a tool for fetching updates (freshclam).

ClamAV is a flexible tool, and can be used in many different ways including:

Providing email virus scanning as part of a mail gateway.
Web scanning.
Endpoint Security (desktop scanning).

This is often accomplished by an application or service calling ClamAV as part of its workflow, for example Postfix (mail-mta/postfix) can be configured to connect to a ClamAV daemon listening for connections on the system.

Installation

Emerge

First, install ClamAV:

root #emerge --ask app-antivirus/clamav

Update detection database

Run freshclam to download the latest ClamAV detection database.

root #freshclam

Services

OpenRC

Start the ClamAV and freshclam services, and add them to the default runlevel:

root #

rc-service freshclam start

root #

rc-update add freshclam default

root #

rc-service clamd start

root #

rc-update add clamd default

clamav-milter or clamonacc services may likewise require starting.

On-access scanning is discussed below. Scan a directory to validate the installation:

user $clamscan ~

...
----------- SCAN SUMMARY -----------
Known viruses: 7162024
Engine version: 0.102.3
Scanned directories: 1
Scanned files: 36
Infected files: 0
Data scanned: 44.62 MB
Data read: 39.45 MB (ratio 1.13:1)
Time: 12.278 sec (0 m 12 s)

Configuration

The default Gentoo configuration of clamd is usable for both desktop systems and mail servers; changes can be made to /etc/clamav/clamd.conf if the defaults are not suitable. If the desired functionality is the ability to scan files for viruses on demand, no changes need to be made.

The ClamAV daemon on Gentoo (under both OpenRC and systemd) creates a world-writable socket at /run/clamav/clamd.ctl. Users who want to scan a file or directory should ask the clamd daemon to do it using the clamdscan --fdpass command:

user $clamdscan --fdpass /etc/clamd.conf

/etc/clamd.conf: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.313 sec (0 m 0 s)
Start Date: 2020:10:23 09:16:19
End Date:   2020:10:23 09:16:19

The --fdpass option sends a file descriptor to clamd rather than a path name, and avoids the need for the clamav user to be able to read everyone's files. As a result, the daemon should be able to run as the default clamav user in any scenario. The administrator should not have to mess with any users or groups.

Warning
Do not change the user or group that clamd runs. In particular, doing so will invalidate the socket permissions expected by the service scripts.

Integration with mail-filter/amavisd-new

This works "out of the box" after configuring amavis to use clamdscan --fdpass to invoke the virus scanner. For example,

FILE /etc/amavisd.conf

# Use clamdscan with the --fdpass option so that the "clamav" user doesn't      
# need to be able to read amavis's private working directory.                   
@av_scanners = (
  ['ClamAV-clamdscan', 'clamdscan', "--fdpass --stdout --no-summary {}",
    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],                              
);

Contrary to many how-to documents scattered about the internet, it is not required to change any users or groups to make amavisd-new work with ClamAV.

On-access file scanning

On Linux systems ClamAV is able to use the fanotify API to perform on-access file scanning of nominated directories. clamonacc is the included utility that provides this functionality and it shares its configuration with clamd in /etc/clamd.conf

KERNEL Enable fanotify

File Systems --->
	[*] Filesystem wide access notification
	[*]	fanotify permissions checking

In the following example the /home directory will be recursively watched by clamonacc:

FILE /etc/clamd.conf

OnAccessPrevention yes
OnAccessIncludePath /home
OnAccessExcludeUname clamav

Note
ClamAV provides some documentation (recipes) for configuring clamonacc that may be useful.

Download an eicar test file to a location within the include path.

user $wget https://www.eicar.org/download/eicar.com -o ~/eicar.com

Invoke clamonacc with elevated permissions to test the configuration

user $sudo clamonacc

Attempt to access the eicar test file (clamonacc should prevent it):

user $cat ~/eicar.com

cat: eicar.com: Operation not permitted

Note
The clamd service does not currently launch clamonacc. A solution needs to be implemented for this.

Additional clamonacc configuration

If the default clamonacc performance is insufficient, and there are available system resources, the following configuration values can be adjusted (increased from the default) in /etc/clamd.conf:

MaxQueue
MaxThreads
OnAccessMaxThreads

ClamAV GUI

app-antivirus/clamtk can be installed to provide users with a GUI for that can (among other things): configure clamd scan settings, schedule scans of user home directories, and launch on-demand scans of individual files or folders.

root #emerge --ask app-antivirus/clamtk

External resources

ClamAV (Arch Wiki)