
ClamAV is an open source antivirus engine for detecting trojans, viruses, malware, adware, rootkits and other malicious threats. Some of its features are:
Support for various archive formats such as Zip, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others.
Support for almost all mail file formats.
Support for ELF executables and Portable Executable files compressed with UPX, FSG, Petite, NsPack, wwpack32, MEW and Upack, or obfuscated with SUE, Y0da Cryptor and others.
Support for popular document formats including Microsoft Office and Mac Office files, HTML, RTF and PDF.
Support for multiple signature languages, including hash-based signatures, wildcards, boolean logic and custom rules written in the ClamAV bytecode language.
A multi-threaded scanner daemon, command line utilities for on-demand file scanning, and automatic signature updates. One of its main uses is on mail servers as a server-side email virus scanner.
Check which ClamAV version the distribution repositories offer, for comparison with the source release:
apt-cache policy clamav clamav-daemon
Install the build dependencies:
apt install -y gcc make pkg-config python3 python3-pip python3-pytest valgrind check libbz2-dev libcurl4-openssl-dev libjson-c-dev libmilter-dev sudo libncurses5-dev libpcre2-dev libssl-dev libxml2-dev zlib1g-dev cmake
Create the ClamAV service account (no login shell, no home directory created):
useradd -r -M -d /var/lib/clamav -s /bin/false -c "Clam Antivirus" clamav
Open the clamav.net downloads page and download the source code. The commands below fetch, unpack, build, test and install the current stable release as of this writing; set the VER shell variable to that version number first.
wget https://www.clamav.net/downloads/production/clamav-$VER.tar.gz
tar xzf clamav-$VER.tar.gz
cd clamav-$VER
mkdir build && cd build
cmake .. \
-D CMAKE_INSTALL_PREFIX=/usr \
-D CMAKE_INSTALL_LIBDIR=lib \
-D APP_CONFIG_DIRECTORY=/etc/clamav \
-D DATABASE_DIRECTORY=/var/lib/clamav \
-D ENABLE_JSON_SHARED=OFF
cmake --build .
ctest
cmake --build . --target install
The build installs sample configuration files into /etc/clamav:
ls -1 /etc/clamav/
Create the freshclam configuration (the sample files can also be copied and edited instead):
cat > /etc/clamav/freshclam.conf << 'EOL'
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
EOL
Create the clamd configuration:
cat > /etc/clamav/clamd.conf << 'EOL'
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 30
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanTime 120000
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
OnAccessMaxFileSize 5M
EOL
Since we did not build ClamAV with the mail filter (clamav-milter), the two configuration files above are sufficient.
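As an added check that is not part of the original article, the script below audits a clamd.conf for settings that widen local exposure or quietly reduce detection. One thing it flags in the file above is LocalSocketMode 666: the control socket becomes writable by every local account, so any user on the host can submit files and commands (including RELOAD and SHUTDOWN) to clamd, whereas 660 together with LocalSocketGroup clamav limits that to the group. The option names and value spellings are the ones used in the configuration above; which settings to flag, and the warning texts, are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a clamd.conf for
# settings that widen local exposure or silently reduce detection.
# Option names are the ones used in the configuration above; the choice of
# what to flag is this example's own.

# conf_value FILE OPTION: print OPTION's value (last occurrence wins), or nothing
conf_value() {
    awk -v opt="$2" '$1 !~ /^#/ && $1 == opt { v = $2 } END { if (v != "") print v }' "$1"
}

# warn OPTION VALUE REASON: print one finding and count it
warn() {
    echo "WARN $1=$2: $3"
    findings=$((findings + 1))
}

# audit_clamd_conf FILE: print the findings, then the number of findings on the
# last line; always returns 0 so it can be used inside command substitution
audit_clamd_conf() {
    conf="$1"
    findings=0

    # A socket mode whose "other" digit has the write bit (2,3,6,7) lets every
    # local account talk to clamd. 660 plus LocalSocketGroup is the tighter choice.
    mode=$(conf_value "$conf" LocalSocketMode)
    case "$mode" in
        *[2367]) warn LocalSocketMode "$mode" "socket writable by all local users; prefer 660 plus LocalSocketGroup" ;;
    esac

    # Without a User line clamd keeps root privileges while parsing untrusted files.
    if [ -z "$(conf_value "$conf" User)" ]; then
        warn User "(unset)" "clamd would run as root; set an unprivileged service account"
    fi

    # Settings that quietly change what gets reported.
    case "$(conf_value "$conf" DetectPUA)" in
        false|no|0) warn DetectPUA false "potentially unwanted applications are not reported" ;;
    esac
    case "$(conf_value "$conf" ArchiveBlockEncrypted)" in
        false|no|0) warn ArchiveBlockEncrypted false "encrypted archives, which cannot be inspected, are reported as clean" ;;
    esac
    case "$(conf_value "$conf" DisableCertCheck)" in
        true|yes|1) warn DisableCertCheck true "Authenticode certificate checks for PE files are disabled" ;;
    esac

    # Every file-type scanner that is switched off is a format no longer inspected.
    for opt in ScanPE ScanELF ScanOLE2 ScanPDF ScanHTML ScanArchive ScanMail Bytecode; do
        case "$(conf_value "$conf" "$opt")" in
            false|no|0) warn "$opt" false "format scanner disabled" ;;
        esac
    done

    echo "$findings"
    return 0
}

# Usage: sh audit.sh /etc/clamav/clamd.conf
if [ -n "${1:-}" ]; then
    audit_clamd_conf "$1"
fi
```

Run against the clamd.conf above it reports three findings (LocalSocketMode, DetectPUA and ArchiveBlockEncrypted); whether the latter two are acceptable is a policy decision, but they should be deliberate rather than inherited from a pasted config.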
Create the log, database and runtime (socket) directories and give them to the clamav user:
mkdir -p /var/log/clamav/ /var/lib/clamav /var/run/clamav/
chown clamav: /var/log/clamav/ /var/lib/clamav /var/run/clamav/
Download the signature databases for the first time, running freshclam as the clamav user:
sudo -u clamav freshclam
The database files should now be present:
ls -1 /var/lib/clamav/
Create a systemd unit for freshclam (the delimiter is quoted so nothing in the unit is expanded by the shell):
cat > /etc/systemd/system/clamav-freshclam.service << 'EOL'
[Unit]
Description=ClamAV virus database updater
Documentation=man:freshclam(1) man:freshclam.conf(5) https://www.clamav.net/documents
# If user wants it run from cron, don't start the daemon.
ConditionPathExists=!/etc/cron.d/clamav-freshclam
Wants=network-online.target
After=network-online.target
[Service]
User=clamav
Group=clamav
ExecStart=/usr/bin/freshclam -d --foreground=true
StandardOutput=syslog
[Install]
WantedBy=multi-user.target
EOL
Create a systemd unit for clamd. The delimiter must be quoted here, otherwise the shell expands $MAINPID to an empty string while writing the file and ExecReload is left without a PID:
cat > /etc/systemd/system/clamav-daemon.service << 'EOL'
[Unit]
Description=Clam AntiVirus userspace daemon
Documentation=man:clamd(8) man:clamd.conf(5) https://www.clamav.net/documents/
# Check for database existence
ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}
ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc}
[Service]
User=clamav
Group=clamav
# /run is a tmpfs, so recreate the socket directory (owned by User/Group) on every boot
RuntimeDirectory=clamav
ExecStart=/usr/sbin/clamd --foreground=true
# Reload the database
ExecReload=/bin/kill -USR2 $MAINPID
StandardOutput=syslog
TimeoutStartSec=420
[Install]
WantedBy=multi-user.target
EOL
Reload systemd and enable both services so they start now and at boot:
systemctl daemon-reload
systemctl enable --now clamav-daemon
systemctl enable --now clamav-freshclam
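A post-install health check, added here as an example and not part of the original article: it confirms that both units are active, that the main and daily databases exist in /var/lib/clamav, that daily is younger than 24 hours (main is refreshed rarely, so only daily is checked for age), and that clamd answers PING on /var/run/clamav/clamd.ctl. The 24-hour threshold, the use of GNU stat, and the use of socat for the socket test are assumptions of this example; the paths come from the configuration above.

```shell
#!/bin/sh
# Added example, not part of the original article: a post-install health check
# for the clamav-daemon and clamav-freshclam units above.
# Assumptions: GNU stat (-c %Y), socat for the socket test, 24 h freshness limit.

DB_DIR=${DB_DIR:-/var/lib/clamav}
SOCKET=${SOCKET:-/var/run/clamav/clamd.ctl}
MAX_AGE_HOURS=${MAX_AGE_HOURS:-24}

# file_age_hours FILE: print the file's age in whole hours
file_age_hours() {
    echo $(( ( $(date +%s) - $(stat -c %Y "$1") ) / 3600 ))
}

# db_is_stale FILE MAXHOURS: succeed (0) when FILE is older than MAXHOURS
db_is_stale() {
    [ "$(file_age_hours "$1")" -gt "$2" ]
}

# db_file_for NAME: print the installed database for NAME (daily, main, bytecode);
# freshclam replaces NAME.cvd with NAME.cld once incremental updates are applied
db_file_for() {
    for f in "$DB_DIR/$1.cld" "$DB_DIR/$1.cvd"; do
        if [ -f "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# clamd_ping SOCKET: send the newline-terminated PING command, expect PONG
clamd_ping() {
    if ! command -v socat >/dev/null 2>&1; then
        echo "socat not installed, skipping ping" >&2
        return 0
    fi
    [ "$(printf 'nPING\n' | socat -t 5 - UNIX-CONNECT:"$1")" = "PONG" ]
}

# clamav_health: run every check, print one line per problem and the problem
# count last; always returns 0
clamav_health() {
    problems=0
    for unit in clamav-daemon clamav-freshclam; do
        if ! systemctl is-active --quiet "$unit"; then
            echo "PROBLEM: $unit is not active"; problems=$((problems + 1))
        fi
    done
    for name in main daily; do
        db=$(db_file_for "$name") || { echo "PROBLEM: no $name database in $DB_DIR"; problems=$((problems + 1)); continue; }
        # only daily changes often enough for an age check to be meaningful
        if [ "$name" = daily ] && db_is_stale "$db" "$MAX_AGE_HOURS"; then
            echo "PROBLEM: $db is $(file_age_hours "$db") hours old; check freshclam"
            problems=$((problems + 1))
        fi
    done
    if [ ! -S "$SOCKET" ]; then
        echo "PROBLEM: socket $SOCKET missing"; problems=$((problems + 1))
    elif ! clamd_ping "$SOCKET"; then
        echo "PROBLEM: clamd did not answer PING on $SOCKET"; problems=$((problems + 1))
    fi
    echo "$problems"
    return 0
}

# Usage: sh clamav-health.sh --check
if [ "${1:-}" = "--check" ]; then
    clamav_health
fi
```

A stale daily database is the failure that most often goes unnoticed: the daemon keeps running and scanning, but with signatures that are days old, so the age check is worth wiring into whatever monitoring already watches the host.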
On-demand scanning is done with clamscan, which takes options followed by files, directories or - for standard input:
clamscan [options] [file/directory/-]
List all options:
clamscan -h
Scan a directory (without -r only the files directly inside it are scanned):
clamscan /home/
Suppress the summary block at the end of the report (--no-summary):
clamscan --no-summary /home/
Print infected files only (-i, --infected):
clamscan -i /
Sound a bell on virus detection (--bell):
clamscan --bell -i /home
Scan directories recursively (-r, --recursive):
clamscan --bell -i -r /home
Remove infected files (--remove[=yes/no(*)]). Be careful: the file is deleted permanently.
clamscan -r --remove /home/USER
Move infected files into DIRECTORY (--move=DIRECTORY). The directory must be writable by the user running clamscan.
clamscan -r -i --move=/home/USER/infected /home/
Copy infected files into DIRECTORY (--copy=DIRECTORY). The directory must be writable by the user running clamscan.
clamscan -r -i --copy=/home/USER/infected /home/
Run a full scan at lower CPU priority with nice so it does not compete with interactive work:
nice -n 15 clamscan -ir /
Alternatively, cap its CPU share with cpulimit, started in the background just before the scan:
cpulimit -z -e clamscan -l 20 & clamscan -ir /
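The options above combine naturally into a scheduled scan wrapper; the script below is an added example, not from the article. It runs clamscan at low CPU and I/O priority, quarantines detections with --move into a directory only root can read, appends the full report to a log, and parses the report's summary and FOUND lines so a cron job or monitoring agent can act on the result. The quarantine and log paths are placeholders, and the sample report used to exercise the parsers is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: a scheduled-scan wrapper
# around the clamscan options shown above, plus parsers for its report.
# Assumptions: quarantine/log paths are placeholders; clamscan exit codes are
# 0 = clean, 1 = something detected, 2 = error (see clamscan(1)).

# parse_infected_count: read a clamscan report on stdin and print the value of
# "Infected files: N" from the summary (0 when the summary is missing)
parse_infected_count() {
    awk -F': ' '/^Infected files:/ { n = $2 } END { print (n == "" ? 0 : n) }'
}

# list_detections: read a clamscan report on stdin and print "path<TAB>signature"
# for every "<path>: <signature> FOUND" line, ready for a SIEM or ticket
list_detections() {
    awk '/ FOUND$/ { sig = $(NF - 1); sub(/: [^:]* FOUND$/, ""); print $0 "\t" sig }'
}

# quarantine_scan TARGET QUARANTINE_DIR LOGFILE: run the scan, append the report
# to LOGFILE, print the infected count and return clamscan's exit code
quarantine_scan() {
    target="$1"; qdir="$2"; log="$3"
    mkdir -p "$qdir"
    chmod 700 "$qdir"   # quarantined files must not be readable or runnable by others
    report=$(mktemp)
    # nice/ionice keep a full-tree scan from starving interactive users;
    # -i lists detections only, -r recurses, --move quarantines instead of deleting
    if nice -n 15 ionice -c 3 clamscan -r -i --move="$qdir" "$target" > "$report" 2>&1; then
        rc=0
    else
        rc=$?
    fi
    { echo "=== $(date -u +%FT%TZ) scan of $target (exit $rc) ==="; cat "$report"; } >> "$log"
    parse_infected_count < "$report"
    rm -f "$report"
    return "$rc"
}

# Usage: sh scan.sh /home /var/quarantine /var/log/clamav/scheduled.log
if [ -n "${1:-}" ]; then
    count=$(quarantine_scan "$1" "${2:-/var/quarantine}" "${3:-/var/log/clamav/scheduled.log}") || true
    echo "infected files: $count"
fi
```

To verify the wrapper end to end without real malware, scan a directory containing the EICAR test file published by eicar.org: ClamAV reports it on a FOUND line, the wrapper moves it into the quarantine directory, and the parsed count is 1.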