Install ClamAV on Rocky Linux 8


In this tutorial, we are going to learn how to install ClamAV on Rocky Linux 8. ClamAV is an open source antivirus engine for detecting trojans, viruses, malware, adware, rootkits and other malicious threats.

Some of the features of ClamAV include;

  • built-in support for various archive formats, including Zip, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others.
  • built-in support for almost all mail file formats
  • built-in support for ELF executables and Portable Executable files compressed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others;
  • built-in support for popular document formats including Microsoft Office and Mac Office files, HTML, RTF and PDF.
  • support for multiple signature languages: hash-based signature matching, wildcards, boolean logic and custom rules written in ClamAV's bytecode language.

ClamAV includes a multi-threaded scanner daemon, command line utilities for on demand file scanning and automatic signature updates. One of its main uses is on mail servers as a server-side email virus scanner.

Install ClamAV on Rocky Linux 8

Install the EPEL repository on Rocky Linux 8; it provides the ClamAV packages.

dnf install epel-release

Install ClamAV on Rocky Linux 8

dnf install -y clamav clamd clamav-update

The command above installs clamav, clamd and clamav-update and pulls in their dependencies. The ClamAV packages available from EPEL include:

  • clamd – The Clam AntiVirus Daemon
  • clamav – End-user tools for the Clam AntiVirus scanner (clamscan, sigtool and others)
  • clamav-data – Virus signature data for the Clam AntiVirus scanner
  • clamav-devel – Header files and libraries for the Clam AntiVirus scanner (only needed to build software against libclamav)
  • clamav-lib – Dynamic libraries for the Clam AntiVirus scanner
  • clamav-milter – Milter module for the Clam AntiVirus scanner (not installed by the command above)
  • clamav-update – Auto-updater (freshclam) for the Clam AntiVirus scanner data-files

Other ClamAV tools provided by these packages:

  • clamdscan – a lightweight scanning client that hands files to a running clamd
  • clamonacc – the on-access scanner, which provides real-time protection via a clamd instance
  • clamdtop – a resource monitoring interface for clamd

Also, there are two major ClamAV configuration files:

  • clamd.conf – for configuring the behavior of the ClamAV daemon clamd and associated tools (installed as /etc/clamd.d/scan.conf on Rocky Linux 8)
  • freshclam.conf – for configuring the behavior of the signature database update tool, freshclam

Update the ClamAV Signature Database

For scanning to work, you need an up-to-date virus database. There are two options for updating the ClamAV database:

  • clamav-freshclam: downloads updates from the ClamAV mirrors; use it whenever the host has Internet access.
  • Offline update: for systems with no direct Internet access, copy the database files in by hand.

Update Signature Database with clamav-freshclam

If you have internet access, you can use clamav-freshclam to update the ClamAV virus signature database.

To use this method, stop the clamav-freshclam service (if it is running) and execute freshclam, the virus database update tool.

systemctl stop clamav-freshclam

Before running the ClamAV database update, ensure the line Example is commented out in the /etc/freshclam.conf configuration (freshclam refuses to run while it is active):

# Comment or remove the line below.
#Example

Next, run the database update.

freshclam

freshclam compares the local database versions with the remote ones and downloads whatever is behind. On a fresh install you will see output like the one below, where the incremental patch (cdiff) cannot be applied and freshclam falls back to fetching the full CVD; if everything is already current, it simply reports each database as up-to-date.

ClamAV update process started at Tue Jul 20 07:44:30 2021
daily database available for update (local version: 26231, remote version: 26237)
Current database is 6 versions behind.
Downloading database patch # 26232...
ERROR: cdiff_apply: lseek(desc, -350, SEEK_END) failed
ERROR: downloadPatch: Can't apply patch
WARNING: Incremental update failed, trying to download daily.cvd
Time:  1m 02s, ETA:    0.0s [========================>]   54.81MiB/54.81MiB
Testing database: '/var/lib/clamav/tmp.a8d880a9dd/clamav-143b07bc043cf326726dc09c22415a8d.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 26237, sigs: 1962599, f-level: 90, builder: raynman)
main database available for update (local version: 59, remote version: 61)
Current database is 2 versions behind.
Downloading database patch # 60...
ERROR: cdiff_apply: lseek(desc, -350, SEEK_END) failed
ERROR: downloadPatch: Can't apply patch
WARNING: Incremental update failed, trying to download main.cvd
Time:  3m 11s, ETA:    0.0s [========================>]  160.41MiB/160.41MiB
Testing database: '/var/lib/clamav/tmp.a8d880a9dd/clamav-ff23841557b15f1321d3185d3f333093.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 61, sigs: 6607162, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)

Next, start the clamav-freshclam service so that it keeps updating the signature database periodically in the background.

systemctl start clamav-freshclam

Check the status;

systemctl status clamav-freshclam
● clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/usr/lib/systemd/system/clamav-freshclam.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-07-20 08:32:34 EAT; 12s ago
     Docs: man:freshclam(1)
           man:freshclam.conf(5)
           https://www.clamav.net/documents
 Main PID: 2875 (freshclam)
    Tasks: 1 (limit: 11388)
   Memory: 4.9M
   CGroup: /system.slice/clamav-freshclam.service
           └─2875 /usr/bin/freshclam -d --foreground=true

Jul 20 08:32:34 rocky8.kifarunix-demo.com systemd[1]: Started ClamAV virus database updater.
Jul 20 08:32:35 rocky8.kifarunix-demo.com freshclam[2875]: ClamAV update process started at Tue Jul 20 08:32:35 2021
Jul 20 08:32:40 rocky8.kifarunix-demo.com freshclam[2875]: daily.cvd database is up-to-date (version: 26237, sigs: 1962599, f-level: 90, builder: raynman)
Jul 20 08:32:40 rocky8.kifarunix-demo.com freshclam[2875]: main.cvd database is up-to-date (version: 61, sigs: 6607162, f-level: 90, builder: sigmgr)
Jul 20 08:32:40 rocky8.kifarunix-demo.com freshclam[2875]: bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)

Ensure the service is enabled to run on system boot;

systemctl enable clamav-freshclam

freshclam downloads the ClamAV databases (CVDs) and places them under /var/lib/clamav/. After incremental updates, daily shows up as daily.cld, the locally patched form of daily.cvd.

ls /var/lib/clamav/ -1
bytecode.cvd
daily.cld
freshclam.dat
main.cvd

For more configuration options for freshclam, check the config file, /etc/freshclam.conf.

Offline Database Update

If your system does not have Internet access, download the CVDs (main.cvd, daily.cvd and bytecode.cvd) from the official ClamAV downloads page and place them under /var/lib/clamav.

Once the downloaded CVDs are in the database directory, fix their ownership and permissions: freshclam runs as clamupdate, and clamd (which runs as clamscan) only needs read access;

chown -R clamupdate: /var/lib/clamav/
chmod 644 /var/lib/clamav/*.cvd

A clamd that is already running does not pick up replaced databases until its periodic self check notices the change or it is asked to reload (clamdscan --reload does this). Keep the original CVDs: each carries a digital signature that libclamav checks when loading, so a truncated or tampered copy is rejected.
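The script below, an added example that is not part of ClamAV or of the original tutorial, automates the offline step above: it reads the version from each downloaded CVD's header, refuses to replace an installed database with an equal or older version (an easy mistake when files are copied around by hand), verifies the CVD's digital signature with sigtool before installing it, sets the ownership and mode shown above, and asks a running clamd to reload. The database directory, the clamupdate owner and the socket path /run/clamd.scan/clamd.sock are the EPEL defaults used on this page; the header layout (a colon-separated record beginning ClamAV-VDB: whose third field is the version) is the CVD format.

```sh
#!/bin/sh
# offline_cvd_update.sh: stage manually downloaded ClamAV databases.
# Added example, not ClamAV code. Assumes the EPEL layout from this page:
# databases in /var/lib/clamav owned by clamupdate, clamd socket at
# /run/clamd.scan/clamd.sock, and sigtool from the clamav package.

DBDIR="${DBDIR:-/var/lib/clamav}"

# cvd_version FILE: print the version field of a CVD/CLD file. The header
# is a 512-byte, colon-separated record starting with "ClamAV-VDB:" and
# field 3 is the version. Prints nothing and returns 1 for a non-database.
cvd_version() {
    hdr=$(head -c 512 "$1" 2>/dev/null | tr -d '\0')
    case "$hdr" in
        ClamAV-VDB:*) printf '%s\n' "$hdr" | cut -d: -f3 ;;
        *) return 1 ;;
    esac
}

# installed_version STEM: highest version installed for STEM (e.g. "daily"),
# considering both the .cvd and the .cld that freshclam's incremental
# updates produce. Prints an empty line if nothing is installed.
installed_version() {
    best=""
    for f in "$DBDIR/$1.cvd" "$DBDIR/$1.cld"; do
        [ -f "$f" ] || continue
        v=$(cvd_version "$f") || continue
        if [ -z "$best" ] || [ "$v" -gt "$best" ]; then best=$v; fi
    done
    printf '%s\n' "$best"
    return 0
}

# should_install NEW: 0 if NEW is a valid database newer than anything
# installed under its name, 1 otherwise (a stale copy must never downgrade).
should_install() {
    nv=$(cvd_version "$1") || return 1
    cv=$(installed_version "$(basename "$1" .cvd)")
    [ -z "$cv" ] || [ "$nv" -gt "$cv" ]
}

# verify_cvd FILE: check the digital signature; fail closed without sigtool.
verify_cvd() {
    command -v sigtool >/dev/null 2>&1 || { echo "sigtool not found" >&2; return 1; }
    sigtool --info "$1" | grep -q '^Verification OK'
}

install_cvd() {
    src="$1"; name=$(basename "$src"); stem=$(basename "$name" .cvd)
    case "$name" in *.cvd) ;; *) echo "skip $name: not a .cvd file"; return 0 ;; esac
    if ! should_install "$src"; then
        echo "skip $name: not newer than installed version $(installed_version "$stem")"
        return 0
    fi
    verify_cvd "$src" || { echo "refusing $name: signature check failed" >&2; return 1; }
    # Copy under a temporary name, then rename, so clamd never reads a
    # partially written database.
    install -o clamupdate -g clamupdate -m 0644 "$src" "$DBDIR/.$name.tmp" || return 1
    mv -f "$DBDIR/.$name.tmp" "$DBDIR/$name" || return 1
    rm -f "$DBDIR/$stem.cld"    # older incremental copy, now superseded
    echo "installed $name version $(cvd_version "$DBDIR/$name")"
}

# Usage: sh offline_cvd_update.sh main.cvd daily.cvd bytecode.cvd
if [ $# -gt 0 ]; then
    for f in "$@"; do install_cvd "$f" || exit 1; done
    # Tell a running clamd to pick up the new databases.
    [ -S /run/clamd.scan/clamd.sock ] && clamdscan --reload
fi
```

Run it as root (install needs to chown to clamupdate) with the downloaded files as arguments; a file whose version is not higher than what is already in /var/lib/clamav is skipped rather than installed over a newer .cld.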

Configuring Clamd

There are a few configuration options that need to be adjusted before clamd can start.

vim /etc/clamd.d/scan.conf

Ensure the line below is commented out (hash is put at the beginning of the line) or removed.

# Comment or remove the line below.
#Example

Define the path to the local socket file the daemon will listen on and restrict the socket's permissions (without LocalSocketMode the socket is world accessible). Uncomment these two lines:

  • #LocalSocket /run/clamd.scan/clamd.sock
  • #LocalSocketMode 660

Such that your configuration file looks like;

# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /run/clamd.scan/clamd.sock

...

# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
LocalSocketMode 660

Save and exit the file.
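A small checker for the settings just discussed, added here as an example (it is not part of ClamAV). It greps a clamd configuration file for the mistakes that most often stop the daemon or expose it: the Example line left active, no socket configured, a LocalSocket without LocalSocketMode (world accessible, as the config comment above says), a TCPSocket not bound to loopback with TCPAddr, and no User directive. The option names are those of clamd.conf(5); treating a non-loopback TCPSocket as a finding is this checker's policy, not ClamAV's.

```sh
#!/bin/sh
# lint_clamd_conf.sh: flag weak or incomplete settings in a clamd config.
# Added example, not ClamAV code; option names follow clamd.conf(5).

# opt_set FILE OPTION: 0 if OPTION appears uncommented in FILE. The
# space-or-end after the name keeps "LocalSocket" from matching
# "LocalSocketMode".
opt_set() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# opt_value FILE OPTION: print the last value given for OPTION, or nothing.
opt_value() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]+([^[:space:]]+).*/\1/p" "$1" | tail -n 1
}

# lint_clamd_conf FILE: print one finding per line. The exit status is the
# number of findings, so 0 means the file passed.
lint_clamd_conf() {
    conf="$1"; n=0
    if opt_set "$conf" Example; then
        echo "Example line is active: clamd will refuse to start"; n=$((n+1))
    fi
    if ! opt_set "$conf" LocalSocket && ! opt_set "$conf" TCPSocket; then
        echo "neither LocalSocket nor TCPSocket is set: nothing to listen on"; n=$((n+1))
    fi
    if opt_set "$conf" LocalSocket && ! opt_set "$conf" LocalSocketMode; then
        echo "LocalSocketMode unset: the unix socket is world accessible"; n=$((n+1))
    fi
    if opt_set "$conf" TCPSocket; then
        addr=$(opt_value "$conf" TCPAddr)
        case "$addr" in
            127.0.0.1|::1|localhost) ;;
            *) echo "TCPSocket without a loopback TCPAddr (got '${addr:-unset}'): clamd reachable from the network"; n=$((n+1)) ;;
        esac
    fi
    if ! opt_set "$conf" User; then
        echo "User unset: clamd keeps the privileges of the account that started it"; n=$((n+1))
    fi
    return $n
}

# Usage: sh lint_clamd_conf.sh /etc/clamd.d/scan.conf
if [ $# -gt 0 ]; then lint_clamd_conf "$1"; fi
```

Run it against /etc/clamd.d/scan.conf after editing; an empty output and a zero exit status mean none of the checks fired. The EPEL scan.conf already sets User clamscan, so on this page's setup the two socket lines are the ones that matter.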

Create Clamd Systemd Service

To control clamd with systemd, create a service unit for it by running the command below. (EPEL's clamd package also ships a templated unit, clamd@.service, which reads /etc/clamd.d/<name>.conf and can be started as clamd@scan; the standalone unit below does the same for scan.conf.)

cat > /etc/systemd/system/clamd.service << 'EOL'
[Unit]
Description = clamd scanner daemon
Documentation=man:clamd(8) man:clamd.conf(5) https://www.clamav.net/documents/
After = syslog.target nss-lookup.target network.target

[Service]
Type = forking
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/scan.conf
# Reload the database
ExecReload=/bin/kill -USR2 $MAINPID
Restart = on-failure
TimeoutStartSec=420

[Install]
WantedBy = multi-user.target
EOL
systemctl daemon-reload

Start Clamd;

systemctl enable --now clamd

Check the status;

systemctl status clamd
● clamd.service - clamd scanner daemon
   Loaded: loaded (/etc/systemd/system/clamd.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-07-20 09:44:21 EAT; 10s ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
  Process: 2307 ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf (code=exited, status=0/SUCCESS)
 Main PID: 2308 (clamd)
    Tasks: 2 (limit: 11388)
   Memory: 1.1G
   CGroup: /system.slice/clamd.service
           └─2308 /usr/sbin/clamd -c /etc/clamd.d/scan.conf

Jul 20 09:44:19 rocky8.kifarunix-demo.com clamd[2308]: ELF support enabled.
Jul 20 09:44:19 rocky8.kifarunix-demo.com clamd[2308]: Mail files support enabled.
Jul 20 09:44:19 rocky8.kifarunix-demo.com clamd[2308]: OLE2 support enabled.
Jul 20 09:44:19 rocky8.kifarunix-demo.com clamd[2308]: PDF support enabled.
Jul 20 09:44:19 rocky8.kifarunix-demo.com clamd[2308]: SWF support enabled.
Jul 20 09:44:19 rocky8.kifarunix-demo.com clamd[2308]: HTML support enabled.
Jul 20 09:44:19 rocky8.kifarunix-demo.com clamd[2308]: XMLDOCS support enabled.
Jul 20 09:44:19 rocky8.kifarunix-demo.com clamd[2308]: HWP3 support enabled.
Jul 20 09:44:19 rocky8.kifarunix-demo.com clamd[2308]: Self checking every 600 seconds.
Jul 20 09:44:21 rocky8.kifarunix-demo.com systemd[1]: Started clamd scanner daemon.

Clamscan CLI Options and Example Usage

Clamscan is used to scan files and directories for viruses. From the man pages, the clamscan command syntax is:

clamscan [options] [file/directory/-]

Some of the clamscan command options and their example usage are illustrated below;

Print help information using -h or --help option.

clamscan -h

Note: Options marked with [=yes/no(*)] can be optionally followed by =yes or =no. If they get called without the boolean argument the scanner will assume ‘yes’. The asterisk marks the default internal setting for a given option.

  • Scan a specific directory or file (without -r, a directory scan covers only the files directly inside it);
clamscan /home/
clamscan /home/filename.docx
  • Do not display the summary at the end of the scan (--no-summary);
clamscan --no-summary /home/
  • Print infected files only (-i, --infected);
clamscan -i /
  • Skip printing OK files (-o, --suppress-ok-results);
clamscan -o /home/
  • Sound a bell on virus detection (--bell);
clamscan --bell -i /home
  • Scan directories recursively (-r, --recursive);
clamscan --bell -i -r /home
  • Save the scan report to FILE (-l FILE, --log=FILE);
clamscan --bell -i -r /home -l home-scan.txt
  • Scan the files listed line by line in FILE (-f FILE, --file-list=FILE);
clamscan -i -f /tmp/scan
  • Remove infected files (--remove[=yes/no(*)]). Be careful: this deletes the file outright, so prefer --move for anything you may want to analyse later;
clamscan -r --remove /home/USER
  • Move infected files into DIRECTORY (--move=DIRECTORY). The directory must be writable by the user running clamscan;
clamscan -r -i --move=/home/USER/infected /home/
  • Copy infected files into DIRECTORY (--copy=DIRECTORY). The directory must be writable by the user running clamscan;
clamscan -r -i --copy=/home/USER/infected /home/

There is quite long list of options for various usage of clamscan. Consult man clamscan for more details.

ClamAV On-Access Scanning

ClamAV's on-access scanner (clamonacc) can block processes from accessing malicious files. It registers with the kernel's fanotify interface, so the access decision is enforced in kernel space while the file itself is scanned by clamd; this offers stronger protection than a purely user-space solution. It needs a running clamd with a configured socket, as set up above.

Read more on ClamAV On-Access Scanning.

ClamAV Return Codes

The following are the exit codes returned by clamscan and clamdscan; scripts should branch on these rather than parse the output.

  • 0 : No virus found.
  • 1 : Virus(es) found.
  • 2 : Some error(s) occurred.

Limiting Clamscan CPU Usage

clamscan can be CPU intensive, especially when scanning a large directory tree.

To limit the CPU time clamscan gets, you can use two tools;

  • nice: lowers the scheduling priority of clamscan (limits its relative CPU share).
  • cpulimit: caps its absolute CPU usage at a percentage (not installed by default; available from EPEL).

To use the nice command, start clamscan through it (a niceness of 15 is low priority; 19 is the lowest):

nice -n 15 clamscan -ir /

As long as no other process needs CPU time, clamscan will still use all of it; as soon as a process with a higher priority needs the CPU, clamscan yields to it.

Using cpulimit, start the scan in the background and attach cpulimit to its PID;

clamscan -ir / & cpulimit -z -p $! -l 20

This caps clamscan at 20% of one CPU (the -l value) while it scans the entire root file system; -z makes cpulimit exit once the scan finishes. Note that both tools only limit CPU; a full scan is also heavy on disk I/O.
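The script below, an added example rather than code from the tutorial, ties the clamscan usage, exit code and CPU-limiting sections together: it runs clamscan recursively at low priority, using nice for CPU and ionice's idle class for disk I/O (nice alone does nothing about the disk contention a full scan causes), and branches on the exit code so that status 2 (the scan did not finish) is logged as a failure instead of being silently treated as clean. The log directory and the syslog priorities are this script's own assumptions.

```sh
#!/bin/sh
# scheduled_scan.sh: run a low-priority clamscan (e.g. from cron) and act
# on its exit status. Added example, not ClamAV code. Assumes the exit
# codes listed above (0 clean, 1 infected, 2 error), a writable $LOGDIR,
# and nice/ionice/logger as shipped with coreutils and util-linux.

LOGDIR="${LOGDIR:-/var/log/clamav}"

# scan_verdict STATUS: translate a clamscan/clamdscan exit status into a word.
scan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;   # killed by a signal, missing binary, ...
    esac
}

# run_scan LOG COMMAND...: run the scanner with all output captured to LOG
# and print the verdict. Status 2 (no database, unreadable paths, crash)
# becomes "error", never "clean": the scan did not complete.
run_scan() {
    log="$1"; shift
    rc=0
    "$@" >"$log" 2>&1 || rc=$?
    scan_verdict "$rc"
}

# low_priority_scan LOG PATH...: recursive scan that yields CPU (nice) and
# disk (ionice idle class) to real workload, reporting only infected files.
low_priority_scan() {
    log="$1"; shift
    run_scan "$log" ionice -c 3 nice -n 15 clamscan -ri "$@"
}

# Usage: sh scheduled_scan.sh /home /var/www
if [ $# -gt 0 ] && command -v clamscan >/dev/null 2>&1; then
    log="$LOGDIR/scan-$(date +%Y%m%d-%H%M%S).log"
    case "$(low_priority_scan "$log" "$@")" in
        clean)    logger -t clamscan "clean: $*"; exit 0 ;;
        infected) logger -p auth.crit -t clamscan "infected files under $*, see $log"; exit 1 ;;
        *)        logger -p daemon.err -t clamscan "scan failed, see $log"; exit 2 ;;
    esac
fi
```

The script's own exit status mirrors clamscan's, so a cron job or a monitoring agent can alert on 1 (something was found) and 2 (the scan itself failed) separately; the detailed report stays in the per-run log file.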

Further Reading

Read more about ClamAV on the documentation page.

ClamAV Documentation
