Linux – Setting up ClamAV on RHEL

If you need a free-to-use, open source antivirus package for your Linux server, ClamAV should definitely be on your shortlist. If your Linux server runs Red Hat Enterprise Linux, setting it up couldn’t be easier.

The open source ClamAV antivirus package is pretty easy to build, install and configure if your Linux distro doesn’t happen to come with it. Since Red Hat Enterprise Linux does come with it, it’s even more of a breeze.

A quick yum install will usually do the job for you:-

yum install clamav

Or, if you’re adding it from the installation media, adding the following two RPMs will work too:-

rpm --install clamav-0.98.4-1.el6.x86_64.rpm
rpm --install clamav-db-0.98.4-1.el6.x86_64.rpm

Version numbers will, of course, be different for different RHEL releases, but a quick ls *clam* in the RPMs folder will ferret them out for you.

Job done.

Well, almost.

Fresh…

The most important thing you should do after installing ClamAV is to set up a regular job to keep its virus definitions up-to-date. This is achieved through the freshclam tool, and a cron entry like the following will give you a nightly update:-

30 23 * * * /usr/sbin/freshclam

The Red Hat ClamAV distribution comes with a configuration file that’s ready to go. If you’ve built from source you may find freshclam lurking in another folder (e.g. /usr/local/bin) and you will need to tweak its configuration file. Even if you’ve installed the pre-canned version you might want to review the options in there anyway.

The configuration file you need is freshclam.conf and will live under /etc if you’re using the distro build. Again it may be lurking somewhere else (e.g. /usr/local/etc) if you’ve built from source.

The file starts with the following:-

# Comment or remove the line below.
Example

In the distro file Example is already commented out, so you’re good-to-go; if you’ve built from source you’ll need to comment out or remove this line or freshclam won’t run.

You’ll want to be able to check updates are working correctly and these are the logging options the distro configuration comes with:-

UpdateLogFile /var/log/clamav/freshclam.log
LogFileMaxSize 2M
LogSyslog yes

With these defaults freshclam writes both to its own freshclam.log and to /var/log/messages. If that’s a little over-the-top for you, either set LogSyslog to no or comment out the UpdateLogFile setting. If you’ve built from source you’ll almost certainly want to set one of these, as both will be off by default.

If you experience problems with freshclam and the logs don’t help, you can uncomment the following to get more information:-

#LogVerbose yes
#LogRotate yes

…and clean

ClamAV will integrate with your mail server or run as a daemon to provide on-access scanning. If your needs aren’t quite as full-on as this and you just want to keep a less-intensive eye on a few directories, scripting the command-line clamscan tool may be enough for you.

clamscan will be lurking in /usr/bin if you installed the distro version, and a quick clamscan --help will reveal screens full of options to tailor what it does. Rather like freshclam though, its default behaviour will pretty much do the job for you if you run it with just the filenames you want to check.

By way of a simple example, the following script will check all files updated in the last hour and move them to a quarantine folder for you:-

# -r stops read mangling backslashes in filenames; IFS= keeps leading/trailing spaces
find /home/uploads -type f -mmin -60 -print | while IFS= read -r checkfile
do
    clamscan --move /home/quarantine "$checkfile"
done

You can make this much more efficient if you give clamscan all the files to check in one go rather than running it once for each, but if your target set of files isn’t changing frequently, running it once per file does make it easy to identify which file a virus was detected in via the return code:-

find /home/uploads -type f -mmin -60 -print | while IFS= read -r checkfile
do
    clamscan --move /home/quarantine --no-summary "$checkfile"
    RETVAL=$?
    # clamscan exit codes: 0 = clean, 1 = virus found, 2 = scan error
    if [ "$RETVAL" -eq 1 ]
    then
        : # send alert email for $checkfile (replace this no-op with your alert command)
    fi
done
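As an added example (not from the original post), here is a version that takes the efficient route of handing clamscan all the recently changed files at once, yet still identifies the individual files flagged by parsing clamscan’s "path: signature FOUND" output lines, and handles the error exit code (2) as well as the "virus found" code (1). The /home/uploads and /home/quarantine paths are assumed, as in the scripts above; --infected and --file-list are standard clamscan options.

```shell
#!/bin/sh
# Added example (not from the original post): one clamscan run over every
# recently changed file, still reporting *which* files were flagged by
# parsing clamscan's "<path>: <signature> FOUND" lines, and telling apart
# its exit codes: 0 = clean, 1 = infection(s) found, 2 = scan error.
# The paths /home/uploads and /home/quarantine are assumed, as in the post.

# parse_found: read clamscan output on stdin and print "path<TAB>signature"
# for each FOUND line. The last ": " separates path from signature, so a
# path that itself contains ": " still parses correctly.
parse_found() {
    awk '/ FOUND$/ {
        n = match($0, /: [^:]* FOUND$/)
        if (n) print substr($0, 1, n - 1) "\t" substr($0, n + 2, RLENGTH - 8)
    }'
}

# scan_recent DIR QUARANTINE MINUTES: scan files changed in the last
# MINUTES minutes with a single clamscan process, move detections to
# QUARANTINE, print the parsed detections and return clamscan's exit code
# (0 when there was nothing to scan).
scan_recent() {
    list=$(mktemp) || return 2
    find "$1" -type f -mmin "-$3" -print > "$list"
    if [ ! -s "$list" ]; then
        rm -f "$list"
        return 0
    fi
    # --infected prints only infected files, --no-summary drops the trailer,
    # --file-list feeds all paths to one process instead of one run per file.
    rc=0
    out=$(clamscan --infected --no-summary --move="$2" --file-list="$list") || rc=$?
    rm -f "$list"
    case $rc in
        0) ;;
        1) printf '%s\n' "$out" | parse_found ;;
        *) printf 'clamscan failed (exit %s) scanning %s\n' "$rc" "$1" >&2 ;;
    esac
    return "$rc"
}

# Usage from cron, e.g.: scan_recent.sh /home/uploads /home/quarantine 60
if [ $# -eq 3 ]; then
    scan_recent "$@"
fi
```

Each line printed by scan_recent is one detection, so the output can be piped straight into whatever alerting you use, while a non-zero return of 2 tells you the scan itself failed rather than that the files were clean.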
