ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats.
Today’s plan is to install and configure ClamAV software to perform automatic daily system scans and send emails when malware is detected.
We’re using a Debian Wheezy server:
$ uname -rv 3.2.0-4-686-pae #1 SMP Debian 3.2.51-1
# apt-get update && apt-get install clamav clamav-freshclam
Start ClamAV virus database updater if it wasn’t started automatically:
# service clamav-freshclam start
Or alternatively do:
# /etc/init.d/clamav-freshclam start
The above commands will start freshclam in a daemon mode:
# ps -ef | grep fresh | grep clam clamav 1951 1 1 17:19 ? 00:00:03 /usr/bin/freshclam -d --quiet
By default, freshclam will look for new updates every hour:
# grep -i check /etc/clamav/freshclam.conf # Check for new database 24 times a day Checks 24
Note that we can always update ClamAV manually by typing the following command:
# freshclam -v
To be able to send email, we’ll need something simple, somehting like SSMTP:
# apt-get install ssmtp heirloom-mailx
Open the configuration file:
# vim /etc/ssmtp/ssmtp.conf
Change the following settings appropriately (make sure the details are correct):
[email protected] mailhub=mail.example.com:465 AuthUser=[USERNAME] AuthPass=[********] UseTLS=YES AuthMethod=LOGIN RewriteDomain=example.com Hostname=debian FromLineOverride=yes #enables to use mail -r option
SSMTP configuration file contains our email login details, therefore it’s a good practice to restrict access for regular users:
# chmod 0600 /etc/ssmtp/ssmtp.conf
Test if we are able to send an email:
# echo test | mail -v -s "testing ssmtp setup" [email protected] [<-] 220 mail.example.com ESMTP [->] EHLO debian [<-] 250 HELP [->] AUTH LOGIN [<-] 334 VXNlcm5hbWU6 [->] d2VibWFzdGVyQG5ldmFyLmx0 [<-] 334 UGFzc3dvcmQ6 [<-] 235 Authentication succeeded [->] MAIL FROM:<[email protected]> [<-] 250 OK [->] RCPT TO:<[email protected]> [<-] 250 Accepted [->] DATA [<-] 354 Enter message, ending with "." on a line by itself [->] Received: by debian (sSMTP sendmail emulation); [->] From: "root" <[email protected]> [->] Date: Fri, 17 Jan 2014 17:28:17 +0000 [->] To: [email protected] [->] Subject: testing ssmtp setup [->] User-Agent: Heirloom mailx 12.5 6/20/10 [->] MIME-Version: 1.0 [->] Content-Type: text/plain; charset=us-ascii [->] Content-Transfer-Encoding: 7bit [->] [->] test [->] . [<-] 250 OK id=1W4Cl1-0002SM-RO [->] QUIT [<-] 221 mail.example.com closing connection
All looks good so far.
Create the Daily Scan Script
We will create a new directory to store script files:
# mkdir -m 0755 /root/.myscripts
Now open a new file for the script:
# vim /root/.myscripts/clamscan_daily.sh
And add the following code:
#!/bin/bash # written by Tomas Nevar (http://www.lisenet.com) # 17/01/2014 (dd/mm/yy) # copyleft free software # LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log"; EMAIL_MSG="Please see the log file attached."; EMAIL_FROM="[email protected]"; EMAIL_TO="[email protected]"; DIRTOSCAN="/home"; # Update ClamAV database echo "Looking for ClamAV database updates..."; freshclam --quiet; TODAY=$(date +%u); if [ "$TODAY" == "6" ];then echo "Starting a full weekend scan."; # be nice to others while scanning the entire root nice -n5 clamscan -ri / --exclude-dir=/sys/ &>"$LOGFILE"; else DIRSIZE=$(du -sh "$DIRTOSCAN" 2>/dev/null | cut -f1); echo "Starting a daily scan of "$DIRTOSCAN" directory. Amount of data to be scanned is "$DIRSIZE"."; clamscan -ri "$DIRTOSCAN" &>"$LOGFILE"; fi # get the value of "Infected lines" MALWARE=$(tail "$LOGFILE"|grep Infected|cut -d" " -f3); # if the value is not equal to zero, send an email with the log file attached if [ "$MALWARE" -ne "0" ];then #using heirloom-mailx below echo "$EMAIL_MSG"|mail -a "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO"; fi exit 0
Save the file. Make sure it’s executable:
# chmod 0755 /root/.myscripts/clamscan_daily.sh
You can get the most recent version of the script from GitHub (you need to have git installed):
$ git clone https://github.com/crylium/clamav-daily
Add Script to Cron.daily
Now when we have the script, we want it to be automatically executed every day.
This can be easily achieved by creating a daily cron job. It is assumed that the system is online 24/7 (server in this case) or at least most of the time. Otherwise anacron might be a better choice.
Let’s create a hard link as below:
# ln /root/.myscripts/clamscan_daily.sh /etc/cron.daily/clamscan_daily
Check to make sure that the hard link was created:
# ls -li /etc/cron.daily/clamscan_daily 44626 -rwxr-xr-x 2 root root 493 Jan 17 16:28 /etc/cron.daily/clamscan_daily
There is one main advantage of creating a hard link instead of a symbolic link in my particular case.
I tend to keep all custom scripts in one place for the sake of convenience and they sometimes get renamed. I usually don’t have time to walk around fixing all broken symlinks.
Nevertheless, there are quite a few other alternatives available:
- Create a symbolic link.
- Move the script file to
- Use crontab for script execution.
You should always choose what suits you best in one or another situation.
If you get the following error:
LibClamAV Error: cli_loaddb(): No supported database files found in /var/lib/clamav/
Update the database manually:
# freshclam -v