ClamAV

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. Because ClamAV's main use is on file/mail servers, it primarily detects malware with its built-in signatures and is not a traditional endpoint security suite.

The current situation of anti-malware products on Linux is inadequate due to several factors:

1. Limited Variety: Compared to Windows, there are fewer users/clients resulting in limited interested for companies to develop products for Linux.
2. Complacency: Many believe Linux is inherently secure, leading to a lack of awareness and focus on malware protection. This creates a gap in proactive defense mechanisms.
3. Lack of Features: Existing tools often lack advanced features which are common in Windows anti-malware products, making them less effective on Linux.

This is especially bad because the amount of malware on Linux is increasing just as the possible attack surface due to the increasing number of Linux-based servers and IoT devices.

Currently on Linux one of the few existing and actively developed anti-malware solutions is ClamAV.

Installation

Install the clamav package.

This will install the following tools:

clamd: ClamAV Daemon
clamonacc: On-Access real-time protection
clamdscan: A simple scanning client
clamdtop: A resource monitoring interface for clamd
freshclam: Daemon for virus signature updates
clamconf: Tool to create and check configuration files

All ClamAV related tools, services and daemons communicate with clamd via a socket.

By default this is done via a local socket configured and named as "LocalSocket".

ClamAV also provides the possibility to enable communication via remote locations by using a network socket which is configured and names as "TCPSocket".

Another important thing to note is that when using LocalSocket, then clamd will need to be run under a user with the right permissions to scan the files you plan on including in your monitoring.

Configuration

Default configuration files should already exists. Other wise you can manually create them by using clamconf:

clamconf -g freshclam.conf > freshclam.conf
clamconf -g clamd.conf > clamd.conf
clamconf -g clamav-milter.conf > clamav-milter.conf

The following files contain the relevant configuration options.

• freshclam: /etc/clamav/freshclam.conf
• clamd: /etc/clamav/clamd.conf
• clamd mail filtering: /etc/clamav/clamav-milter.conf

Last but not least you can check your config files by running clamconf

The default installation will create sane default configurations such as clamav user+group and the required clamd configuration.

Additional recommended configurations can be set:

/etc/clamav/clamd.conf

# Log time with each message.
# Default: no
LogTime yes

# Log additional information about the infected file, such as its
# size and hash, together with the virus name.
ExtendedDetectionInfo yes

# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clamav

# Maximum depth directories are scanned at.
# Default: 15
MaxDirectoryRecursion 20

DetectPUA yes
HeuristicAlerts yes
ScanPE yes
ScanELF yes
ScanOLE2 yes
ScanPDF yes
ScanSWF yes
ScanXMLDOCS yes
ScanHWP3 yes
ScanOneNote yes
ScanMail yes
ScanHTML yes
ScanArchive yes
Bytecode yes
AlertBrokenExecutables yes
AlertBrokenMedia yes
AlertEncrypted yes
AlertEncryptedArchive yes
AlertEncryptedDoc yes
AlertOLE2Macros yes
AlertPartitionIntersection yes

Enabling real-time protection OnAccessScan

On-access scanning is the real-time protection daemon which will scan the file while reading, writing or executing it. It can be configured to either notify on detection or prevent/block on detection.

On-access scanning requires the kernel to be compiled with the fanotify kernel module (kernel >= 3.8), which is true for official Arch Linux kernel packages. Check if fanotify has been enabled before enabling on-access scanning. You can check if the required modules are enabled by running:

$ zgrep FANOTIFY /proc/config.gz

Configuration OnAccessScan is done via editing the /etc/clamav/clamd.conf configuration file.

The following changes are required for OnAccessScan to work:

/etc/clamav/clamd.conf

# Exclude the UID of the scanner itself from checking, to prevent loops
OnAccessExcludeUname clamav

# WARNING: for security reasons, clamd should NEVER run as root.
# Previous instructions in this wiki included this line, remove it:
# User root    # REMOVE THIS
# Add this instead:
User clamav

The following additional changes are recommended and will put the On-Access Scanner into notify-only mode:

/etc/clamav/clamd.conf

# Set the mount point where to recursively perform the scan,
# this could be every path or multiple path (one line for path)
OnAccessMountPath /

# Alternatively, add some directories instead of mount points
# OnAccessIncludePath /home

# Prevention doesn't work with OnAccessMountPath.
# It works with OnAccessIncludePath, as long as /usr and /etc are not included.
# Including /var while activating prevention is also not recommended, because
# this would slow down package installation by a factor of 1000.
OnAccessPrevention no

# Perform scans on newly created, moved, or renamed files
OnAccessExtraScanning yes

# Optionallyexclude root-owned processes
# OnAccessExcludeRootUID true

Next, allow the clamav user to run notify-send as any user with custom environment variables via sudo:

/etc/sudoers.d/clamav

clamav ALL = (ALL) NOPASSWD: SETENV: /usr/bin/notify-send

Creating notification popups for alerts

So far ClamAV will silenlty log any detection but not alert the user. A pop-up to alert the user on any detection can be added.

First add the following line to your clamd configuration:

/etc/clamav/clamd.conf

VirusEvent /etc/clamav/virus-event.bash

Next, create the file /etc/clamav/virus-event.bash, make it executable and add the following:

/etc/clamav/virus-event.bash

#!/bin/bash
PATH=/usr/bin
ALERT="Signature detected by clamav: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME"

# Send an alert to all graphical users.
for ADDRESS in /run/user/*; do
    USERID=${ADDRESS#/run/user/}
    /usr/bin/sudo -u "#$USERID" DBUS_SESSION_BUS_ADDRESS="unix:path=$ADDRESS/bus" PATH=${PATH} \
        /usr/bin/notify-send -w -t 999999999 -i dialog-warning "Virus found!" "$ALERT"
done

This allows you to change/specify the message when a virus has been detected by clamd's on-access scanning service.

By default, clamonacc passes clamav the names of just-accessed files for scanning. This is a problem, because files inaccessible to the clamav user cannot be scanned this way. Instead, it is possible to instruct clamonacc (which always runs as root) to use file descriptor passing. Edit clamav-clamonacc.service with the following:

[Service]
ExecStart=
ExecStart=/usr/sbin/clamonacc -F --fdpass --log=/var/log/clamav/clamonacc.log

Lastly, you will need to start/enable or restart the clamav-clamonacc.service as well as the clamav-daemon.service

See: ClamAV#Starting_the_ClamAV_+_OnAccessScanning_daemon

If you get AppArmor denials about clamd, set the profile to a complain-only mode:

# aa-complain clamd

Updating database

Update the virus definitions with:

# freshclam

If you are behind a proxy, edit /etc/clamav/freshclam.conf and update HTTPProxyServer, HTTPProxyPort, HTTPProxyUsername and HTTPProxyPassword.

The database files are saved in:

/var/lib/clamav/daily.cld
/var/lib/clamav/main.cld
/var/lib/clamav/bytecode.cvd

For automatic updates first create and set the requires freshclam.log file:

touch /var/log/clamav/freshclam.log
chmod 600 /var/log/clamav/freshclam.log
chown clamav /var/log/clamav/freshclam.log

Start/enable clamav-freshclam.service or clamav-freshclam-once.timer so that the virus definitions are kept recent.

The clamav-freshclam.service launches freshclam in daemon mode, defaulting to 12 checks per day (every 2 hours). The frequency can be changed in /etc/clamav/freshclam.conf.

The clamav-freshclam-once.timer launches the freshclam check once per day. The frequency can be changed in /usr/lib/systemd/system/clamav-freshclam-once.timer.

Starting the ClamAV + OnAccessScanning daemon

This will load all virus signatures in RAM. As of February 2024 these signatures require at least 1.6GB of free RAM. Twice that amount of RAM is used shortly, during the periodic update of the signatures.

The service is called clamav-daemon.service. Start it and enable it to start at boot.

Additionally start and enable clamav-clamonacc.service for real-time on access protection.

Testing the software

In order to make sure ClamAV and the definitions are installed correctly, scan the EICAR test file (a harmless signature with no virus code) with clamscan.

$ curl https://secure.eicar.org/eicar.com.txt | clamscan -

The output must include:

stdin: Win.Test.EICAR_HDB-1 FOUND

Real-time protection

You can download and save a the eicar file in one of the directories you configured clamonacc to monitor. For example:

$ cd /home/user/Downloads/
$ wget https://secure.eicar.org/eicar.com.txt
$ cat eicar.com.txt

Adding more databases/signatures repositories

ClamAV can use databases/signature from other repositories or security vendors.

To add the most important ones in a single step, install either clamav-unofficial-sigs^AUR (see GitHub description) or python-fangfrisch^AUR (see online documentation). Both will add signatures/databases from popular providers, e.g. MalwarePatrol, SecuriteInfo, Yara, Linux Malware Detect, etc.

Option #1: Set up Fangfrisch

Fangfrisch was designed as a more secure, flexible and convenient replacement for clamav-unofficial-sigs, and requires very little configuration (/etc/fangfrisch/fangfrisch.conf).

Most importantly, Fangfrisch never needs to be run with root permissions, unlike clamav-unofficial-sigs.

Create database structure by running:

# sudo -u clamav /usr/bin/fangfrisch --conf /etc/fangfrisch/fangfrisch.conf initdb

Enable the fangfrisch.timer (system-level).

Option #2: Set up clamav-unofficial-sigs

Enable the clamav-unofficial-sigs.timer.

This will regularly update the unofficial signatures based on the configuration files in the directory /etc/clamav-unofficial-sigs.

To update signatures manually, run the following:

# clamav-unofficial-sigs.sh

To change any default settings, refer and modify /etc/clamav-unofficial-sigs/user.conf.

MalwarePatrol database

If you would like to use the MalwarePatrol database, sign up for an account at https://malwareblocklist.org/ (for a fee).

In /etc/clamav-unofficial-sigs/user.conf, change the following to enable this functionality:

malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER" # enter your receipt number here
malwarepatrol_product_code="8" # Use 8 if you have a Free account or 15 if you are a Premium customer.
malwarepatrol_list="clamav_basic" # clamav_basic or clamav_ext
malwarepatrol_free="yes" # Set to yes if you have a Free account or no if you are a Premium customer.

Source: https://www.malwarepatrol.net/clamav-configuration-guide/

Scan for viruses

There are two options for on-demand scanning:

using the stand-alone scanner

clamscan can be used to scan certain files, home directories, or an entire system:

$ clamscan myfile
$ clamscan --recursive --infected /home/archie
# clamscan --recursive --infected --exclude-dir='^/sys|^/dev' /

If you would like clamscan to remove the infected file add to the command the --remove option, or you can use --move=/dir to quarantine them.

You may also want clamscan to scan larger files. In this case, append the options --max-filesize=4000M and --max-scansize=4000M to the command. '4000M' is the largest possible value, and may be lowered as necessary.

Using the -l /path/to/file option will print the clamscan logs to a text file for locating reported infections.

using the daemon

clamdscan is similar to the above but utilizes the daemon, which must be running for the command to work. Most options are ignored since the daemon reads the settings specified in /etc/clamav/clamd.conf.

Using the milter

Milter will scan your sendmail server for email containing virus. Adjust /etc/clamav/clamav-milter.conf to your needs. For example:

/etc/clamav/clamav-milter.conf

MilterSocket /tmp/clamav-milter.socket
MilterSocketMode 660
FixStaleSocket yes
User clamav
MilterSocketGroup clamav
PidFile /run/clamav/clamav-milter.pid
TemporaryDirectory /tmp
ClamdSocket unix:/run/clamav/clamd.ctl
LogSyslog yes
LogInfected Basic

Create /etc/systemd/system/clamav-milter.service:

/etc/systemd/system/clamav-milter.service

[Unit]
Description='ClamAV Milter'
After=clamav-daemon.service

[Service]
Type=forking
ExecStart=/usr/bin/clamav-milter --config-file /etc/clamav/clamav-milter.conf

[Install]
WantedBy=multi-user.target

Enable and start clamav-milter.service.

For Postfix add the following lines to /etc/postfix/main.cf:

/etc/postfix/main.cf

smtpd_milters = unix:/tmp/clamav-milter.socket
milter_default_action = tempfail

Check journalctl if the permission to access clamav-milter.socket for postfix is set accordingly, if not, add user postfix to group clamav.

Tips and tricks

Run in multiple threads

Using clamscan

When scanning a file or directory from command line using clamscan only single CPU thread is used. This may be ok in cases when timing is not critical or you do not want computer to become sluggish. If there is a need to scan large directory or USB drive quickly you may want to use all available CPUs to speed up the process.

clamscan is designed to be single-threaded, so xargs can be used to run the scan in parallel:

$ find /home/archie -type f -print0 | xargs -0 -P $(nproc) clamscan

In this example the -P parameter for xargs runs clamscan in as many processes as there are CPUs (reported by nproc) at the same time. --max-lines and --max-args options will allow even finer control of batching the workload across the threads.

This will consume loads of RAM as all processes are individual and will load the signature files. A single thread will consume around 1G (or more) of RAM, and may hang your computer unless OOM is clever enough. You may want to consider using clamdscan instead.

Using clamdscan

If you already have clamd daemon running clamdscan can be used instead (see #Starting the ClamAV + OnAccessScanning daemon):

$ clamdscan --multiscan --fdpass /home/archie

Here the --multiscan parameter enables clamd to scan the contents of the directory in parallel using available threads. --fdpass parameter is required to pass the file descriptor permissions to clamd as the daemon is running under clamav user and group.

The number of available threads for clamdscan is determined in /etc/clamav/clamd.conf via MaxThreads parameter clamd.conf(5). Even though you may see that the number of MaxThreads specified is more than one (current default is 10), when you start the scan using clamdscan from command line and do not specify --multiscan option, only one effective CPU thread will be used for scanning.

Enable TCPSocket

If you enable TCPSocket in /etc/clamav/clamd.conf, you must edit clamav-daemon.socket too (see FS#57669). The systemd socket file needs to be configured with a matching port and IP address:

/etc/systemd/system/clamav-daemon.socket.d/override.conf

[Socket]
ListenStream=
ListenStream=/run/clamav/clamd.ctl
ListenStream=127.0.0.1:3310

And finally restart clamav-daemon.socket to see a Clamd binding at TCP port 3310:

# ss -tulpn | grep clamd

tcp   LISTEN 0      4096       127.0.0.1:3310      0.0.0.0:*    users:(("clamd",pid=599,fd=4),("systemd",pid=1,fd=44))

Troubleshooting

Error: Clamd was NOT notified

If you get the following messages after running freshclam:

WARNING: Clamd was NOT notified: Cannot connect to clamd through
/var/lib/clamav/clamd.sock connect(): No such file or directory

Add a sock file for ClamAV:

# touch /run/clamav/clamd.ctl
# chown clamav:clamav /run/clamav/clamd.ctl

Then, edit /etc/clamav/clamd.conf - uncomment this line:

LocalSocket /run/clamav/clamd.ctl

Save the file and restart clamav-daemon.service.

Error: No supported database files found

If you get the next error when starting the daemon:

LibClamAV Error: cli_loaddb(): No supported database files found
in /var/lib/clamav ERROR: Not supported data format

This happens because of mismatch between /etc/clamav/freshclam.conf setting DatabaseDirectory and /etc/clamav/clamd.conf setting DatabaseDirectory. /etc/clamav/freshclam.conf pointing to /var/lib/clamav, but /etc/clamav/clamd.conf (default directory) pointing to /usr/share/clamav, or other directory. Edit in /etc/clamav/clamd.conf and replace with the same DatabaseDirectory as in /etc/clamav/freshclam.conf. After that clamav will start up successfully.

Error: Can't create temporary directory

If you get the following error, along with a 'HINT' containing a UID and a GID number:

# can't create temporary directory

Correct permissions:

# chown UID:GID /var/lib/clamav && chmod 755 /var/lib/clamav

See also

• Wikipedia:ClamAV