Linux – Speeding up ClamAV with clamd on RHEL

Using clamscan to do your virus washing and tired of waiting for it to finish? Why not try new, improved clamdscan instead? It mightn’t wash whiter, but it’ll definitely wash quicker.

In Linux – Setting up ClamAV on RHEL we worked through installing the ClamAV antivirus package on Red Hat Enterprise Linux to support some simple, command-line virus checks:-

# clamscan myfile.jar
myfile.jar: OK

----------- SCAN SUMMARY -----------
Known viruses: 3527088
Engine version: 0.98.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.29 MB
Data read: 0.18 MB (ratio 1.64:1)
Time: 12.771 sec (0 m 12 s)

One thing kinda leaps out from this report – on my box this single file took around 13 seconds to process. As we’ve previously observed, processing multiple files in one batch definitely improves things:-

# clamscan myfile1.jar myfile2.jar myfile3.jar
myfile1.jar: OK
myfile2.jar: OK
myfile3.jar: OK

----------- SCAN SUMMARY -----------
Known viruses: 3527088
Engine version: 0.98.4
Scanned directories: 0
Scanned files: 3
Infected files: 0
Data scanned: 0.29 MB
Data read: 0.53 MB (ratio 0.55:1)
Time: 15.916 sec (0 m 15 s)

13 seconds for one file, 16 seconds for three makes it pretty obvious that clamscan is doing a lot of work when it starts up. This extra time is spent loading the virus database into memory and those nice people from ClamAV have a ready-made way to avoid it. Use clamdscan instead.

Well, okay, it’s not quite that simple. The difference between these two tools is that plain clamscan loads its own virus database and does the processing itself whereas clamdscan is a thin client for the clamd daemon, which keeps its virus database in memory ready to use. So in order to use clamdscan, you need to have clamd running.

Installing clamd

If you’ve built from source you probably have everything you need to use clamd on your server, though you won’t have a script in /etc/init.d to manage it as a service. Since all it needs to do is launch or kill the clamd process (/usr/local/sbin/clamd on my source build) you can easily crib one from your other init.d scripts; the daemon and killproc helpers they all use come from /etc/init.d/functions. The meat of it should look something like this:-

#!/bin/sh
# chkconfig: 2345 65 35
# description: Clam AntiVirus Daemon

# Pull in daemon, killproc and friends from the RHEL init helpers
. /etc/init.d/functions

case "$1" in
  start)
    echo -n "Starting Clam AntiVirus Daemon: "
    daemon /usr/local/sbin/clamd
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/clamd
    ;;
  stop)
    echo -n "Stopping Clam AntiVirus Daemon: "
    killproc clamd
    RETVAL=$?   # capture killproc's status before the rm calls overwrite $?
    echo
    rm -f /var/run/clamav/clamd.sock
    rm -f /var/run/clamav/clamd.pid
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/clamd
    ;;
  restart)
    $0 stop
    $0 start
    RETVAL=$?
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    RETVAL=2
    ;;
esac
exit $RETVAL

If you’ve installed a pre-packaged version you might find clamd isn’t part of the basic ClamAV package. On RHEL you need to add the clamd package as well:-

yum install clamd

Or if you have the RPM file to hand:-

rpm --install clamd-0.98.4-1.el6.x86_64.rpm

Configuring clamd

If you’re lucky enough to be using the RHEL pre-canned build you’ll find /etc/clamd.conf pretty much good-to-go. One difference from clamscan, though: where clamscan lets you fine-tune a lot of scanning options on the command line, clamd takes those settings from this configuration file, so if you rely on any exotic options you’ll need to make sure they’re set in here. You might want to review the options in there anyway, perhaps to enable logging.

If you’ve built from source you might find clamd.conf lurking elsewhere – it’s in /usr/local/etc on my source build and named clamd.conf.sample. You’ll need to rename it and comment out the Example line at the top, otherwise clamd refuses to start. You’ll also need to enable connections to it by uncommenting either LocalSocket (a Unix socket, the sensible choice on a single box) or TCPSocket (a TCP/IP port). If you do go with TCPSocket, set TCPAddr 127.0.0.1 as well: left unset, clamd binds to every interface, and it speaks an unauthenticated protocol in which anyone who can reach the port can ask it to scan any path the daemon can read, or tell it to shut down. While you’re in there, uncomment User clamav (and create that account) so the daemon drops root after it starts, make sure the directory holding the socket and PID file exists and is writable by that user, and enable the PidFile for your daemon management script.
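The following script is an added example, not code from the original article or from the ClamAV project. It turns a freshly installed clamd.conf.sample into a clamd.conf that starts, listens only locally and drops root, then re-checks the result. The socket and PID paths and the sample lines embedded at the bottom are assumptions for illustration; point it at the real file (as root) and adjust the paths to your build.

```shell
#!/bin/sh
# Added example, not code from the original article: turn a freshly installed
# clamd.conf.sample into a clamd.conf that starts, listens only locally and
# drops root. The socket/PID paths and the sample lines below are assumptions
# for illustration; adjust them to your build. Run as root on the real file.
set -u

# Rewrite SRC into DST, fixing the things that stop a source build from
# starting cleanly. /var/run/clamav must exist and be writable by the clamav
# user before clamd is started (install -d -o clamav /var/run/clamav).
prepare_clamd_conf() {
    src=$1
    dst=$2
    sed -e 's/^Example$/#Example/' \
        -e 's|^#LocalSocket .*|LocalSocket /var/run/clamav/clamd.sock|' \
        -e 's|^#PidFile .*|PidFile /var/run/clamav/clamd.pid|' \
        -e 's/^#User clamav/User clamav/' \
        "$src" > "$dst"
    # clamd speaks an unauthenticated protocol and binds TCPSocket to every
    # interface unless TCPAddr says otherwise, so pin it to loopback.
    if grep -q '^TCPSocket' "$dst" && ! grep -q '^TCPAddr' "$dst"; then
        echo 'TCPAddr 127.0.0.1' >> "$dst"
    fi
}

# Return 0 if CONF is fit to start clamd with, 1 otherwise, naming each problem.
check_clamd_conf() {
    conf=$1
    ok=0
    grep -q '^Example' "$conf" && { echo "Example line still active" >&2; ok=1; }
    grep -q -e '^LocalSocket' -e '^TCPSocket' "$conf" \
        || { echo "neither LocalSocket nor TCPSocket enabled" >&2; ok=1; }
    if grep -q '^TCPSocket' "$conf" && ! grep -q '^TCPAddr 127\.0\.0\.1' "$conf"; then
        echo "TCPSocket enabled without TCPAddr 127.0.0.1" >&2; ok=1
    fi
    grep -q '^User ' "$conf" || { echo "no User line: clamd would stay root" >&2; ok=1; }
    return "$ok"
}

# Constructed stand-in for the relevant lines of clamd.conf.sample.
sample=$(mktemp)
conf=$(mktemp)
cat > "$sample" <<'EOF'
##
## Example config file for the Clam AV daemon
##
Example
#LogFile /tmp/clamd.log
#PidFile /var/run/clamd.pid
#LocalSocket /tmp/clamd.socket
TCPSocket 3310
#TCPAddr 127.0.0.1
#User clamav
EOF

check_clamd_conf "$sample" || echo "sample as shipped: clamd would not start"
prepare_clamd_conf "$sample" "$conf"
check_clamd_conf "$conf" && echo "prepared config passes all checks"
rm -f "$sample" "$conf"
```

The check function is deliberately separate from the rewrite so it can be run on its own against an existing /etc/clamd.conf before each restart; a TCPSocket line without a loopback TCPAddr is the mistake most worth catching.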

Once it’s configured up, you just need to start the service:-

service clamd start

You might also want to make sure it automatically starts up when the server boots:-

chkconfig --level 2345 clamd on

Finally, if you’ve scripted up the freshclam command to keep your virus definitions up-to-date, clamd won’t pick up the new files straight away. Its periodic SelfCheck (every 600 seconds by default) does notice a changed database and reloads it, but if you want the new signatures live as soon as they’ve landed you can add the following command to your cron job, after freshclam has run, to get clamd to reload them immediately. Alternatively, set NotifyClamd /etc/clamd.conf in freshclam.conf and freshclam will do the same itself after every successful update:-

clamdscan --reload

Using clamd

Once clamd is up and running don’t think (like I did!) that clamscan will magically find it and use it. You need to switch to using clamdscan instead:-

# clamdscan myfile1.jar myfile2.jar myfile3.jar
myfile1.jar: OK
myfile2.jar: OK
myfile3.jar: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.800 sec (0 m 0 s)

Much faster! When migrating any scripted clamscan commands over to using clamdscan remember that most of the command line options for configuring your scan won’t work any more – clamd will use the settings in clamd.conf – so you’ll need to make sure this file contains the common set of options you want to use. Two other differences catch people out. First, the scan now runs with clamd’s privileges, not yours: clamd opens each file by path as the clamav user, so a file only you can read comes back as an error rather than OK. Either make the files readable by the clamav user or pass --fdpass, which hands clamd an already-open file descriptor over the local socket. Second, the exit codes are the same as clamscan’s (0 clean, 1 infected, 2 error), but clamdscan also returns 2 when it can’t reach clamd at all, so a script that only tests for exit code 1 would treat a stopped daemon as a clean scan. Test for 1 and 2 explicitly.
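As an added example (not code from the original article or from ClamAV), here is the shape of a drop-in replacement for a scripted clamscan call: it tries clamd first with --fdpass, retries with a standalone clamscan when clamdscan exits 2, and maps the exit code to a verdict a calling script can branch on. The binary names are assumptions, overridable through CLAMDSCAN and CLAMSCAN, and it assumes clamd is reachable over LocalSocket, which --fdpass requires.

```shell
#!/bin/sh
# Added example, not code from the original article: a drop-in for a scripted
# "clamscan file..." call that uses clamd when it can and falls back to a
# standalone scan when it can't. Binary names are assumptions and can be
# overridden through CLAMDSCAN/CLAMSCAN, which also lets the logic be exercised
# with stand-in functions. Assumes clamd is reachable over LocalSocket, which
# --fdpass needs.
CLAMDSCAN=${CLAMDSCAN:-clamdscan}
CLAMSCAN=${CLAMSCAN:-clamscan}

# clamscan and clamdscan share exit codes: 0 clean, 1 infected, 2 error.
# clamdscan returns 2 both when clamd is down and when clamd itself could not
# read a file, so 2 is the cue to retry without the daemon.
# --fdpass hands clamd an already-open descriptor, so files are read with this
# script's permissions instead of the clamav user's.
scan_files() {
    rc=0
    "$CLAMDSCAN" --fdpass --no-summary "$@" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "clamdscan exited 2 (clamd down or unreadable file), retrying with clamscan" >&2
        rc=0
        "$CLAMSCAN" --no-summary "$@" || rc=$?
    fi
    return "$rc"
}

# Turn an exit code into the word a calling script should branch on. Checking
# only for 1 is the classic mistake: a stopped clamd would then look clean.
scan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Usage: scan-files.sh FILE...  (does nothing when sourced without arguments)
if [ "$#" -gt 0 ]; then
    rc=0
    scan_files "$@" || rc=$?
    echo "verdict: $(scan_verdict "$rc")"
    exit "$rc"
fi
```

Falling back on any exit code 2 is deliberately conservative: a file clamd could not read is re-read by clamscan with the caller’s permissions, and a genuinely missing file still ends up reported as an error rather than silently passed.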
