Automate ClamAV to Perform Daily System Scan and Send Email Notifications on Linux

ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats.

Today’s plan is to install and configure ClamAV software to perform automatic daily system scans and send emails when malware is detected. 

Install ClamAV

On Debian/Ubuntu, do:

# apt-get update && apt-get install clamav clamav-freshclam

On CentOS, do:

# yum install epel-release
# yum install clamav clamav-update

On Debian, start the ClamAV virus database updater if it wasn’t started automatically:

# service clamav-freshclam start

Or alternatively do:

# /etc/init.d/clamav-freshclam start

On systemd-based releases the unit is called clamav-freshclam.service:

# systemctl start clamav-freshclam

The above commands will start freshclam in a daemon mode:

# ps -ef | grep fresh | grep clam
clamav  1951   1  1 17:19 ?  00:00:03 /usr/bin/freshclam -d --quiet

By default, freshclam will look for new updates every hour:

# grep -i check /etc/clamav/freshclam.conf
# Check for new database 24 times a day
Checks 24

Note that we can always update ClamAV manually by typing the following command:

# freshclam -v

Install SSMTP

To be able to send email, we’ll need something simple, something like SSMTP: a send-only MTA that hands every message to a real mail server instead of running a local mail service.

On Debian/Ubuntu, do:

# apt-get install ssmtp heirloom-mailx

On CentOS, do:

# yum install ssmtp mailx

Open the configuration file:

# vim /etc/ssmtp/ssmtp.conf

Change the following settings appropriately (make sure the details are correct):

[email protected]
mailhub=mail.example.com:465
AuthUser=[USERNAME]
AuthPass=[********]
UseTLS=YES
AuthMethod=LOGIN
RewriteDomain=example.com
Hostname=debian
# FromLineOverride=yes lets the caller pick the From address with mail -r
FromLineOverride=yes

UseTLS=YES is for a mailhub that speaks SMTPS on port 465, as above. If your server only offers the submission port 587, set UseSTARTTLS=YES instead.

The SSMTP configuration file contains our mail login details, therefore it’s a good practice to restrict access to root:

# chmod 0600 /etc/ssmtp/ssmtp.conf

On Debian the package installs the file group-readable (root:ssmtp, 0640) and makes the ssmtp binary setgid ssmtp so that unprivileged users can send mail too. After chmod 0600 only root can send, which is all this cron job needs.

Test if we are able to send an email:

# echo test | mail -v -s "testing ssmtp setup" [email protected]
[<-] 220 mail.example.com ESMTP [->] EHLO debian
[<-] 250 HELP [->] AUTH LOGIN
[<-] 334 VXNlcm5hbWU6 [->] d2VibWFzdGVyQG5ldmFyLmx0
[<-] 334 UGFzc3dvcmQ6
[<-] 235 Authentication succeeded [->] MAIL FROM:<root@debian>
[<-] 250 OK [->] RCPT TO:<[email protected]>
[<-] 250 Accepted [->] DATA
[<-] 354 Enter message, ending with "." on a line by itself [->] Received: by debian (sSMTP sendmail emulation); 
[->] From: "root" <root@debian>
[->] Date: Fri, 17 Jan 2014 17:28:17 +0000
[->] To: [email protected]
[->] Subject: testing ssmtp setup
[->] User-Agent: Heirloom mailx 12.5 6/20/10
[->] MIME-Version: 1.0
[->] Content-Type: text/plain; charset=us-ascii
[->] Content-Transfer-Encoding: 7bit
[->]
[->] test
[->] .
[<-] 250 OK id=1W4Cl1-0002SM-RO [->] QUIT
[<-] 221 mail.example.com closing connection

All looks good so far.
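As an added check (example code, not from the original post), the following script audits an ssmtp.conf for the two mistakes that matter most when a root cron job depends on it: an AuthPass that is readable by other users, and authentication without UseTLS or UseSTARTTLS, which sends the password in clear text. The two configurations it builds are constructed samples; on a real host run ssmtp_audit against /etc/ssmtp/ssmtp.conf.

```shell
#!/bin/bash
# Added example, not part of the original post: audit an ssmtp.conf before a
# root cron job relies on it. Sample configurations below are constructed.

# Print the value of a key (case-insensitive). Full-line '#' comments are
# skipped and a trailing "# ..." comment is stripped, the way ssmtp reads it.
ssmtp_get() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)   # keep "=" inside values
                sub(/[ \t]*#.*$/, "", v)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# List the problems with a configuration, one per line; the return value is
# the number of problems, so 0 means the file passed.
ssmtp_audit() {
    local conf="$1" n=0 mode pass tls starttls
    mode=$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf")
    pass=$(ssmtp_get "$conf" AuthPass)
    tls=$(ssmtp_get "$conf" UseTLS | tr 'A-Z' 'a-z')
    starttls=$(ssmtp_get "$conf" UseSTARTTLS | tr 'A-Z' 'a-z')
    if [ -n "$pass" ]; then
        case "$mode" in
            *00) ;;   # owner-only permissions, fine
            *) echo "mode $mode: AuthPass is readable by group/others"; n=$((n + 1)) ;;
        esac
        if [ "$tls" != "yes" ] && [ "$starttls" != "yes" ]; then
            echo "AuthPass set but neither UseTLS nor UseSTARTTLS is YES: credentials would go in clear text"
            n=$((n + 1))
        fi
    fi
    [ -n "$(ssmtp_get "$conf" mailhub)" ] || { echo "mailhub not set"; n=$((n + 1)); }
    return "$n"
}

# Write a constructed sample configuration ("weak" or "fixed") and print its path.
make_sample_conf() {
    local f
    f=$(mktemp)
    if [ "$1" = weak ]; then
        cat >"$f" <<'EOF'
# constructed weak configuration: plain SMTP on 25, readable by everyone
root=postmaster@example.com
mailhub=mail.example.com:25
AuthUser=scanner
AuthPass=s3cret
FromLineOverride=yes
EOF
        chmod 644 "$f"
    else
        cat >"$f" <<'EOF'
# constructed configuration matching the post: SMTPS on 465, owner-only
root=postmaster@example.com
mailhub=mail.example.com:465
AuthUser=scanner
AuthPass=s3cret
UseTLS=YES
AuthMethod=LOGIN
FromLineOverride=yes  # allows mail -r
EOF
        chmod 600 "$f"
    fi
    echo "$f"
}
```

Usage on a real host: `ssmtp_audit /etc/ssmtp/ssmtp.conf; echo "problems: $?"`. The audit deliberately treats a group-readable file as a finding even though Debian ships it that way; decide per host whether non-root users need to send mail.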

Create the Daily Scan Script

We will create a new directory to store script files:

# mkdir -m 0755 /root/.myscripts

Now open a new file for the script:

# vim /root/.myscripts/clamscan_daily.sh

And add the following code:

#!/bin/bash
# written by Tomas (http://www.lisenet.com)
# 17/01/2014 (dd/mm/yy)
# copyleft free software
#
LOGDIR="/var/log/clamav";
LOGFILE="$LOGDIR/clamav-$(date +'%Y-%m-%d').log";
EMAIL_MSG="Please see the log file attached.";
EMAIL_FROM="[email protected]";
EMAIL_TO="[email protected]";
DIRTOSCAN="/home";

# the log directory is not created by the package on every distribution
mkdir -p "$LOGDIR";

# Update ClamAV database. If the freshclam daemon is running it holds the
# update lock and this call fails, which is harmless: the daemon keeps the
# database current on its own.
echo "Looking for ClamAV database updates...";
freshclam --quiet || echo "freshclam update skipped (already running as a daemon, or no network).";

TODAY=$(date +%u);

if [ "$TODAY" -eq 6 ];then
 echo "Starting a full weekend scan.";

 # be nice to others while scanning the entire root, and skip the
 # pseudo-filesystems that hold only kernel and device state
 nice -n5 clamscan -ri / --exclude-dir="^/(sys|proc|dev|run)" &>"$LOGFILE";
else
 DIRSIZE=$(du -sh "$DIRTOSCAN" 2>/dev/null | cut -f1);

 echo "Starting a daily scan of $DIRTOSCAN directory.";
 echo "Amount of data to be scanned is $DIRSIZE.";

 clamscan -ri "$DIRTOSCAN" &>"$LOGFILE";
fi
# exit status of the clamscan above: 0 = clean, 1 = malware found, 2 = error
SCAN_RC=$?;

# get the value of the "Infected files" summary line; default to 0 when the
# summary is missing, so the numeric test below never sees an empty string
MALWARE=$(grep -m1 '^Infected files:' "$LOGFILE" | cut -d" " -f3);
MALWARE=${MALWARE:-0};

# if something was found, send an email with the log file attached
if [ "$MALWARE" -ne 0 ] || [ "$SCAN_RC" -eq 1 ];then
  #using heirloom-mailx below
  echo "$EMAIL_MSG"|mail -a "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO";
elif [ "$SCAN_RC" -ne 0 ];then
  # a scan that did not complete must not pass as a clean one
  echo "clamscan exited with status $SCAN_RC, see the attached log."|mail -a "$LOGFILE" -s "ClamAV Scan Error" -r "$EMAIL_FROM" "$EMAIL_TO";
fi
exit 0

Save the file. Make sure it’s executable:

# chmod 0755 /root/.myscripts/clamscan_daily.sh

You can get the most recent version of the script from GitHub (you need to have git installed):

$ git clone https://github.com/lisenet/clamav-daily
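The script relies on the third field of the "Infected files" summary line. As an added example (not code from the post or from the ClamAV project), the functions below parse both the summary and the individual FOUND lines from a constructed sample log, and combine that with clamscan's exit status (0 clean, 1 malware found, 2 error) so that a scan which aborted is reported rather than mistaken for a clean one. File paths and counts in the sample are made up; the signature name is the one ClamAV uses for the EICAR test file.

```shell
#!/bin/bash
# Added example, not part of the original post: robust handling of clamscan
# results. Assumes clamscan's default summary format; the sample log is constructed.

# Return the "Infected files" count from a clamscan log. Prints 0 when the
# summary line is missing (scan aborted, log unwritable); that case is caught
# separately through the exit status in scan_status.
infected_count() {
    local count
    count=$(grep -m1 '^Infected files:' "$1" 2>/dev/null | awk '{print $3}')
    case "$count" in
        ''|*[!0-9]*) echo 0 ;;
        *)           echo "$count" ;;
    esac
}

# Print only the "path: Signature FOUND" lines, for the mail body.
found_lines() {
    grep ' FOUND$' "$1" 2>/dev/null || true
}

# clamscan exit codes: 0 = clean, 1 = malware found, anything else = error
# (for example no database, as in the troubleshooting section).
scan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Notify on any infection, and also on a scan error: silence must mean "clean".
should_notify() {
    local status
    status=$(scan_status "$1")
    [ "$status" != "clean" ] || [ "$(infected_count "$2")" -ne 0 ]
}

# Compose the mail body from the exit status and the log file.
notification_body() {
    local rc="$1" log="$2"
    printf 'Scan status: %s\n' "$(scan_status "$rc")"
    printf 'Infected files: %s\n' "$(infected_count "$log")"
    printf 'Log file: %s\n\n' "$log"
    found_lines "$log"
}

# Constructed sample of clamscan -ri output: two detections, then the summary.
make_sample_log() {
    local f
    f=$(mktemp)
    cat >"$f" <<'EOF'
/home/alice/Downloads/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/home/bob/tmp/archive.zip: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8622234
Engine version: 0.103.8
Scanned directories: 412
Scanned files: 5231
Infected files: 2
Data scanned: 812.45 MB
Data read: 790.12 MB (ratio 1.03:1)
Time: 95.123 sec (1 m 35 s)
EOF
    echo "$f"
}

# Demo: what the cron job would do after "clamscan ...; rc=$?", without mailing.
demo() {
    local log rc=1   # 1 = clamscan reported malware
    log=$(make_sample_log)
    if should_notify "$rc" "$log"; then
        notification_body "$rc" "$log"   # in the cron job: | mail -s "Malware Found" ...
    fi
    rm -f "$log"
}
```

In the cron script the call site becomes `clamscan -ri "$DIRTOSCAN" &>"$LOGFILE"; RC=$?` followed by `should_notify "$RC" "$LOGFILE" && notification_body "$RC" "$LOGFILE" | mail ...`, which puts the offending paths in the mail body instead of only in the attachment.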

Add Script to Cron.daily

Now that we have the script, we want it to be executed automatically every day.

This is easily achieved with a daily cron job. It is assumed that the system is online 24/7 (a server in this case) or at least most of the time. Otherwise anacron might be a better choice; on Debian with anacron installed, /etc/cron.daily is already run by anacron, so missed days are caught up at the next boot. Note also that cron runs scripts with a minimal PATH, so if clamscan or freshclam live outside /usr/bin on your system, call them by full path.

Let’s create a hard link as below:

# ln /root/.myscripts/clamscan_daily.sh /etc/cron.daily/clamscan_daily

Check to make sure that the hard link was created:

# ls -li /etc/cron.daily/clamscan_daily
44626 -rwxr-xr-x 2 root root 493 Jan 17 16:28 /etc/cron.daily/clamscan_daily

The second column, 2, is the link count: both names point at inode 44626. Also note that the cron copy has no .sh extension; run-parts on Debian only runs files whose names consist of letters, digits, underscores and hyphens, so clamscan_daily.sh would be skipped silently. `run-parts --test /etc/cron.daily` lists what would actually run.

A hard link rather than a symbolic link suits my setup for one reason: I keep all custom scripts in one place and they sometimes get renamed, and a hard link survives a rename where a symlink would be left dangling for me to find and fix.

Two caveats apply. A hard link cannot cross filesystems, so /root and /etc must be on the same one. And tools that replace a file instead of rewriting it in place (sed -i, some editors) leave the cron copy on the old inode with the old content; if the link count shown by ls -li drops to 1, recreate the link.

Nevertheless, there are quite a few other alternatives available:

  1. Create a symbolic link.
  2. Move the script file to cron.daily folder.
  3. Use crontab for script execution.

You should always choose what suits you best in one or another situation.
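The checks just described, as an added example (not from the original post): a small script that confirms a cron.daily entry has a run-parts-compatible name, is executable, and still shares its inode with the source copy. Its demo builds a link in a temporary directory, then breaks it with sed -i to show that the check catches it. Paths are passed as arguments; nothing here touches /etc unless you point it there.

```shell
#!/bin/bash
# Added example, not part of the original post: verify that a script hard-linked
# into /etc/cron.daily is still something run-parts will execute.

# Debian's run-parts only runs files whose names match ^[A-Za-z0-9_-]+$, so
# "clamscan_daily.sh" is skipped silently while "clamscan_daily" runs.
valid_run_parts_name() {
    case "$(basename "$1")" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# A hard link is intact when both paths resolve to the same inode (test -ef).
# Tools that write a new file and rename it over the old one (sed -i, some
# editors) leave the cron copy on the stale inode.
same_inode() {
    [ "$1" -ef "$2" ]
}

# Run all checks for one source/cron pair; prints a verdict, non-zero on failure.
check_cron_link() {
    local src="$1" dst="$2"
    valid_run_parts_name "$dst" || { echo "bad name for run-parts: $(basename "$dst")"; return 1; }
    [ -x "$dst" ] || { echo "not executable: $dst"; return 1; }
    same_inode "$src" "$dst" || { echo "hard link broken: $dst is no longer $src"; return 1; }
    echo "ok: $dst is $src"
}

# Demo on a scratch directory: link, verify, then break the link with sed -i.
# The last line printed is 1 if the breakage was detected, 0 otherwise.
demo() {
    local d detected=0
    d=$(mktemp -d)
    printf '#!/bin/bash\necho scanning\n' >"$d/clamscan_daily.sh"
    chmod 0755 "$d/clamscan_daily.sh"
    ln "$d/clamscan_daily.sh" "$d/clamscan_daily"
    check_cron_link "$d/clamscan_daily.sh" "$d/clamscan_daily"      # ok
    sed -i 's/scanning/scanning quietly/' "$d/clamscan_daily.sh"    # replaces the inode
    check_cron_link "$d/clamscan_daily.sh" "$d/clamscan_daily" || detected=1
    rm -rf "$d"
    echo "$detected"
}
```

On the real host: `check_cron_link /root/.myscripts/clamscan_daily.sh /etc/cron.daily/clamscan_daily`, ideally from the same cron.daily run so a broken link is noticed the day it happens.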

Troubleshooting

If you get the following error:

LibClamAV Error: cli_loaddb(): No supported database files found in /var/lib/clamav/

clamscan has no signature database yet: on a fresh install the freshclam daemon may not have finished its first download, or it never ran. Update the database manually:

# freshclam -v

and check that /var/lib/clamav/ now contains the main and daily databases (.cvd or .cld files) before running the scan again.

19 thoughts on “Automate ClamAV to Perform Daily System Scan and Send Email Notifications on Linux”

  1. Hi Tomas,
    I had a little problem with HTML tags…
    In your code you have this :
    MAIL_TO="[email protected]";
    and this :
    echo "$EMAIL_MSG"|mail -a "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO";
    so the script doesn’t work for me; I had an error message like this:
    Send options without primary recipient specified.
    So I modified
    MAIL_TO="[email protected]";
    to
    EMAIL_TO="[email protected]";
    and it works fine! Thank you again!
    Marco

  2. Is there any option to add a log rotate function?

    Right now my directory /var/log/clamav is filling up with clamscan reports.

    • Hi Erik. I don’t see why you cannot use something like this:

      /var/log/clamav/clamav-*.log {
       size 1k
       copytruncate
       rotate 4
      }

      Add to logrotate.conf and you’re good to go.

  3. Hello, nice post but please i keep getting the below error. Can you please assist?

    /etc/cron.hourly/clamscan_hourly: line 28: clamscan: command not found

    • Do you have clamscan installed? If so, then check the location of the binary file, “whereis clamscan” should do. It might not be in your PATH. What distribution are you running on?

  4. Hi There

    Thanks for sharing this – I’ve got past a few niggles but this one is confusing me!

    clamscan_daily.sh: 27: [: Illegal number:

    This is relating to the following command:

    if [ "$MALWARE" -ne "0" ];then

    Any help greatly appreciated :-) I’m running Debian on a RPi

    Thanks Scott

  5. Hi, this error appears:
    /etc/cron.daily/clamscan_daily
    Looking for ClamAV database updates…
    Starting a daily scan of /home directory.
    Amount of data to be scanned is 44G.
    /etc/cron.daily/clamscan_daily: line 29: /var/log/clamav/clamav-2019-05-07.log: No such file or directory
    tail: cannot open ‘/var/log/clamav/clamav-2019-05-07.log’ for reading: No such file or directory
    /etc/cron.daily/clamscan_daily: line 36: [: : integer expression expected
