Clam Anti Virus

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

Clam Anti Virus

Postby viking60 » 14 Jan 2014, 18:21

ClamAV is a free AV program for Linux and Windows. It is often recommended by Linux users because it is open source. But it is not easy-to-install point-and-click software.

It may or may not be possible to install clamtk on your distro which gives you a GUI. But nevertheless you must edit the config files to make it work.


I installed ClamAV and looked for the files /etc/clamav/freshclam.conf and /etc/clamav/clamd.conf, which are the ones that need to be altered.

So happily I entered

Code:

sudo nano /etc/clamav/freshclam.conf

and... it was not there :shock: Same thing with clamd.conf.
I did have /etc/clamav/freshclam.conf.sample and /etc/clamav/clamd.conf.sample, so I copied them over to freshclam.conf and clamd.conf:

Code:

cp /etc/clamav/freshclam.conf.sample /etc/clamav/freshclam.conf

and

Code:

cp /etc/clamav/clamd.conf.sample /etc/clamav/clamd.conf

Now I could enter the file and comment out the word "Example" at the beginning of the file:

Code:

##
## Example config file for freshclam
## Please read the freshclam.conf(5) manual before editing this file.
##


# Comment or remove the line below.
#Example <--- this needs to be commented out for clamAV to work

# Path to the database directory.
# WARNING: It must match clamd.co.......

Same procedure in clamd.conf and I was ready to go.

The first thing I wanted to do was to update the virus definitions so I did this in a terminal:

Code:

freshclam

I got this error:

Code:

ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!

So I chmoded the directory to 777:

Code:

chmod -R 777 /var/lib/clamav/

Maybe I could have used sudo - and 755 would probably be sufficient - but that is what I did.
I repeated freshclam in a terminal and the virus database was refreshed. :dance1
You need to do this even if you have the clam GUI - clamtk - installed.

So time for my first scan then. I wanted to scan my mail so I scanned the .thunderbird directory:

Code:

clamscan -r -i .thunderbird

The -r or --recursive option scans directories recursively: all the subdirectories in the given directory will be scanned. The -i or --infected option only prints infected files.

You can simply do a

Code:

clamscan .thunderbird

to only check that directory without the subdirectories.


And true enough, it found a (Windows) virus:

Code:

[viking@thomas-pc ~]$ clamscan -r -i .thunderbird
.thunderbird/0xsvi6ot.default/Mail/mail.bjoernvold-1.com/Inbox: Email.Trojan-465 FOUND


So to remove it I repeated the command and added

Code:

--remove

like this:

Code:

clamscan -r -i .thunderbird --remove

And that went like a charm:

Code:

[viking@berserk-pc ~]$ clamscan -r -i .thunderbird --remove
.thunderbird/0xsvi6ot.default/Mail/mail.bjoernvold-1.com/Inbox: Email.Trojan-465 FOUND
.thunderbird/0xsvi6ot.default/Mail/mail.bjoernvold-1.com/Inbox: Removed.


I could have entered that command in the first place to scan and remove the viruses in one operation - but I like to see the findings first since there is such a thing as false positives.

So yes ClamAV is a good AV even if it is not the easiest to set up - once you have done it - it works.
You can start it as a service (daemon) - with:

Code:

sudo systemctl enable clamd.service

and then start it with:

Code:

sudo systemctl start clamd.service

This does not apply for Ubuntu but for all the other systemd distros out there.
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

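Added example, not part of the thread: the Inbox path reported above is a Thunderbird mbox file, one file holding every message in that folder, so `--remove` deletes the whole folder rather than the single flagged message. The script below triages `clamscan -r -i` output so that mail folders and heuristic hits are held for manual review while other files are moved to a quarantine directory; the sample lines, paths, function names and the review policy are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage `clamscan -r -i` output before
# anything is deleted. Sample lines are constructed; paths are hypothetical.
TAB=$(printf '\t')
SAMPLE_REPORT='/home/user/.thunderbird/abc.default/Mail/mail.example/Inbox: Email.Trojan-465 FOUND
/home/user/.thunderbird/abc.default/Mail/mail.example/Junk: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/user/Downloads/a: b.exe: Win.Test.EICAR_HDB-1 FOUND
Infected files: 3'

# stdin: clamscan output; stdout: "signature<TAB>path" per FOUND line.
# The greedy match keeps paths that themselves contain ": " intact.
parse_findings() {
    sed -n "s/^\(.*\): \([^ ]*\) FOUND\$/\2${TAB}\1/p"
}

# Decide what to do with one finding instead of passing --remove blindly.
#   REVIEW     - Thunderbird mail folder (deleting the file deletes every
#                message in it) or a heuristic hit (policy choice made here)
#   QUARANTINE - ordinary file; moved aside so a false positive is recoverable
plan_action() {  # $1 = signature name, $2 = path
    case "$2" in
        */.thunderbird/*/Mail/*|*/.thunderbird/*/ImapMail/*) echo REVIEW; return ;;
    esac
    case "$1" in
        Heuristics.*) echo REVIEW ;;
        *) echo QUARANTINE ;;
    esac
}

# stdin: clamscan output; stdout: "ACTION<TAB>signature<TAB>path".
triage() {
    parse_findings | while IFS="$TAB" read -r sig path; do
        printf '%s\t%s\t%s\n' "$(plan_action "$sig" "$path")" "$sig" "$path"
    done
}

# Real run (needs ClamAV): $1 = directory to scan, $2 = quarantine directory.
scan_and_quarantine() {
    mkdir -p "$2" && chmod 700 "$2" || return 1
    clamscan -r -i "$1" | triage | while IFS="$TAB" read -r action sig path; do
        printf '%s\t%s\t%s\n' "$action" "$sig" "$path"
        if [ "$action" = QUARANTINE ]; then mv -- "$path" "$2"/; fi
    done
}
```

clamscan's own `--move=DIRECTORY` option is an alternative to the `mv` step when no per-file decision is needed.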
jkerr82508
Guru-Berserk
Posts: 211
Joined: 16 Oct 2010, 21:45
Location: Fife, Scotland

Re: Clam Anti Virus

Postby jkerr82508 » 14 Jan 2014, 20:54

In Mageia, clamav, freshclam and clamtk all work "out of the box". No further configuration is needed. This is how it was for years in Mandriva. Other "user-friendly" distros may do something similar.

Jim


Re: Clam Anti Virus

Postby viking60 » 14 Jan 2014, 22:11

Thanks Jim.
That is a good thing - I thought the "activation" and update of the database was a license thing since it is hard to imagine why else they would actively disable a working configuration by adding a line containing "Example". :think:

In any case; if it does not work this might help for troubleshooting.

Re: Clam Anti Virus

Postby jkerr82508 » 14 Jan 2014, 23:20

viking60 wrote: That is a good thing - I thought the "activation" and update of the database was a license thing since it is hard to imagine why else they would actively disable a working configuration

Yes. Mageia gives this warning:

Code:

clamav-0.95+ bundles support for RAR v3 in "libclamav" without permission,
from Eugene Roshal of RARlabs. There is also patent issues involved.
Therefore Mageia has been forced to remove the offending code.

Jim


Re: Clam Anti Virus - finding and setting UID and GID

Postby viking60 » 14 Jun 2015, 07:57

I did chmod clamscan to 777 - just to make it work, but on every update I did get a warning that my "chmoding" was different from the package, which was 755.
Just chmoding the files to 755 would not work though. :C

So the correct way to do it is to set the rights like this:

Code:

chown UID:GID /var/lib/clamav && chmod 755 /var/lib/clamav

..but what does UID:GID mean and how can I find it on my system - right?

UID means User ID and GID means Group ID and you will find them on your system like this.

Code:

id -u viking

and

Code:

id -g viking

Well, I am viking; if you are average_joe then you would type id -u average_joe :-D In fact, if you simply do an id -u you will get the UID of the user that you are logged in as.

So in my case id -u was 1001 and id -g was 100 - now I have the information to give me those elevated rights without "chmoding" everything to 777 (aka "all the rights in the world for all"):
:tux5:

Code:

sudo chown 1001:100 /var/lib/clamav && sudo chmod 755 /var/lib/clamav


You may also have to get access to the log:

Code:

sudo chown 1001:100 /var/log/clamav/freshclam.log

That works!

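Added example, not from the thread: a check for the two things the posts above fix by hand, the `Example` line in freshclam.conf and the ownership and mode of the database directory and update log. It reads `DatabaseOwner`, `DatabaseDirectory` and `UpdateLogFile` from the config; the fallback values and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): check the ClamAV paths freshclam writes
# to, instead of opening them up with 777. Uses only POSIX find/awk/ls/grep.

# First value of an active (uncommented) directive in freshclam.conf.
conf_value() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# Succeeds when "others" have write permission on the path.
is_world_writable() { [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]; }

# Report one path; returns non-zero if it is missing, world-writable,
# or not owned by the expected user.
audit_path() {  # $1 = path, $2 = expected owner
    [ -e "$1" ] || { echo "FAIL $1: does not exist"; return 1; }
    rc=0
    if is_world_writable "$1"; then
        echo "FAIL $1: world-writable, any local user can replace its contents"
        rc=1
    fi
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    if [ "$owner" != "$2" ]; then
        echo "FAIL $1: owned by $owner, expected $2"
        rc=1
    fi
    [ "$rc" -ne 0 ] || echo "OK   $1"
    return "$rc"
}

# Audit the database directory and update log named in a freshclam.conf.
# Fallbacks are assumptions: owner "clamav", directory /var/lib/clamav
# (the path used in the thread); UpdateLogFile is skipped when not set.
audit_freshclam() {  # $1 = path to freshclam.conf
    failed=0
    if grep -q '^Example' "$1"; then
        echo "FAIL $1: 'Example' line is still active"; failed=1
    fi
    user=$(conf_value "$1" DatabaseOwner);      user=${user:-clamav}
    dbdir=$(conf_value "$1" DatabaseDirectory); dbdir=${dbdir:-/var/lib/clamav}
    log=$(conf_value "$1" UpdateLogFile)
    audit_path "$dbdir" "$user" || failed=1
    if [ -n "$log" ]; then audit_path "$log" "$user" || failed=1; fi
    return "$failed"
}
```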

Re: Clam Anti Virus - everyday life

Postby viking60 » 19 Aug 2016, 13:25

I often discover viruses in my ~/.thunderbird directory so I try to remember to scan it. Other than that I never find any viruses.

Code:

clamscan -r -i --remove ~/.thunderbird/

This scans and only reports infected files -- and removes them.
The result is like this:

Code:

/home/viking/.thunderbird/0xsvi6ot.default/Mail/mail.bjoernvold.com/Junk: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/viking/.thunderbird/0xsvi6ot.default/Mail/mail.bjoernvold.com/Junk: Removed.
R_Head
Berserk
Posts: 2819
Joined: 17 Mar 2010, 15:40

Re: Clam Anti Virus

Postby R_Head » 19 Aug 2016, 18:17

I never used Clam Anti Virus... since you have it; is it worth it? I am asking because I never had the need so far. I use plain text as replies and remove a lot of the fluff.


Re: Clam Anti Virus

Postby viking60 » 20 Aug 2016, 06:51

Well, you don't need it, but the viruses found in the mailbox may infect your Windows-using friends.

It is not worth spending the juice to make it a running daemon. If you are dual booting with Windows then you could monitor your Windows side and find and remove viruses there.

Just updating and scanning once in a while is good enough here. We are still talking Windows viruses here since there are practically none for Linux.

So I guess the honest answer is that you don't need it.

On a classical server like Centos it makes sense though, since lots of Windows users may access it, and it is used by LMD.

Re: Clam Anti Virus

Postby viking60 » 20 Sep 2018, 11:51

I had problems updating the virus database today.

Code:

freshclam

did come up with:
Update failed. Your network may be down or none of the mirrors listed in freshclam.conf is working


So basically that means that I am out of luck since clam has tried every possible mirror.

The solution:
:drummer
:drummer

1

Code:

cd /var/lib/clamav

2 Remove all content in it to force ClamAV to generate new mirrors and files and signatures etc. - like this:

Code:

rm -r ./*

3 Run

Code:

freshclam -a

again

Et voilà, it will generate the new data and download the database so you can run your good old clamscan -a again :whistle:

chrispeddler
Posts: 5
Joined: 09 May 2019, 08:12

Re: Clam Anti Virus

Postby chrispeddler » 20 May 2019, 08:27

Is Clamscan as good as (or better than) the other well-known AV available out there? Any takeaways?

