Clam AntiVirus is a popular open source (GPL) anti-virus toolkit for UNIX, designed for e-mail scanning on mail gateways. It provides a flexible and scalable multi-threaded daemon, a command line scanner and it can detect Trojan horses, viruses, malware and other malicious threats. It also comes with an advanced tool for automatic database updating via the Internet.
This article will guide you through the installation and configuration of ClamAV on a DirectAdmin based web server.
Note: This guide assumes that you are familiar with SSH and basic command line navigation. These instructions apply primarily to clients who operate our Virtual Private Servers or Dedicated servers.
Installation
Log in as root and enter the following commands. This includes ClamAV in the CustomBuild configuration and compiles ClamAV:
cd /usr/local/directadmin/custombuild
./build update
./build set clamav yes
./build set clamav_exim yes
./build set exim yes
./build set eximconf yes
./build set eximconf_release 4.5
./build clamav
./build exim
./build exim_conf
In case you get the following error when trying to start ClamAV:
[root@server ~]# /etc/init.d/clamd start
Starting clamd: LibClamAV Error: cli_loaddb(): No supported database files found in /usr/share/clamav
ERROR: Can't open file or directory
[FAILED]
or another related error:
LibClamAV Error: cl_load(): Can't get status of /usr/share/clamav
This error simply means the virus database cannot be found. You can rebuild the database with:
cd /usr/share
mkdir -p clamav
chown clamav:clamav clamav
freshclam -v
Configuration
Edit exim.conf and add the following before "primary_hostname =":
av_scanner = clamd:127.0.0.1 3310
Skip the step above if you are running CustomBuild 2.0, as it adds this for you in the following file: /etc/exim.clamav.load.conf
In exim.conf find "check_message:" and insert the ClamAV directives below on the next line:
deny message = This message contains malformed MIME ($demime_reason)
     demime = *
     condition = ${if >{$demime_errorlevel}{2}{1}{0}}

deny message = This message contains a virus or other harmful content ($malware_name)
     demime = *
     malware = */defer_ok

deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
     demime = bat:com:pif:prf:scr:vbs

warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
Restart exim:
/etc/init.d/exim restart
Start ClamAV daemon for the first time
service clamd start
(the same command with stop or restart stops or restarts the daemon)
To test if Clamd is running:
netstat -tap | grep clamd
The output should look similar to this:
tcp 0 0 localhost.local:dyna-access *:* LISTEN 4405/clamd
ClamAV check script
Sometimes the ClamAV virus database gets corrupted after an update, which prevents the ClamAV daemon from running. The optional script below ensures that:
- The ClamAV daemon is running
- If it is not, it tries to restart the daemon
- If that does not work, it deletes the virus database and downloads a new one
- It then attempts to restart the daemon again
- If all this fails, an email is sent to the address provided in the script
1. Create test file
First, create a dummy test file. This is an empty file that clamd scans during the check:
cd /usr/local/directadmin/scripts/custom
echo "" > clamav.txt
2. Create shell script
Create a file named "clamdcheck" in the /usr/local/directadmin/scripts/custom directory, using nano clamdcheck or vi clamdcheck. This file will contain the shell script used to check ClamAV. Add the script below and save the file when done:
#!/bin/bash
# bash is required: the "for (( ... ))" loop below is not available in plain sh
# path to an empty dummy test file
testfile="/usr/local/directadmin/scripts/custom/clamav.txt"
# path to the clamav database files without the ending "/"
dbfolder="/usr/share/clamav"
# path to the clamdscan executable
scan="/usr/bin/clamdscan"
# path to the freshclam executable
freshdb="/usr/bin/freshclam"
# number of times the script tries to kick start clamd
trial=10
# email of server administrator
email="user@domain.com"
# server hostname (no modification needed)
myhost=$(hostname)
# email alert subject on failure
subject="Clamd on ${myhost} is down!"
# email alert body message on failure
message="Clamd on ${myhost} is down!"

# clamdscan only prints a "SCAN SUMMARY" block when it could reach clamd
output=$("$scan" "$testfile" | grep "SCAN SUMMARY")

if [ -z "$output" ]; then
    echo "Clamd is not running!"
    echo "Now trying to start clamd..."
    for (( i=1; i<=trial; i++ )); do
        echo "Trial $i..."
        /sbin/service clamd restart
        output=$("$scan" "$testfile" | grep "SCAN SUMMARY")
        if [ -n "$output" ]; then
            break
        else
            sleep 3
        fi
    done

    if [ -z "$output" ]; then
        echo "Clamd is still not running!"
        echo "Now trying to refresh clamav database..."
        # ${dbfolder:?} aborts instead of expanding to "/*" if the variable is ever empty
        rm -rf "${dbfolder:?}"/*
        "$freshdb"
        /sbin/service clamd restart
        output=$("$scan" "$testfile" | grep "SCAN SUMMARY")
        if [ -z "$output" ]; then
            echo "Clamd is still not running!"
            echo "$message" | mail -s "$subject" "$email"
            echo "Giving up... email alert has been sent to administrator."
        else
            echo "Clamd is running now!"
        fi
    else
        echo "Clamd is running now!"
    fi
else
    echo "Clamd is running!"
fi
Ensure that the paths are correct and that you have set your own e-mail address for alerting in the email variable.
Don't forget to make the script executable:
chmod 755 clamdcheck
3. Set up a cronjob
Cron is a scheduling daemon that runs programs and scripts at set times or intervals. We need to set up a cronjob so that our script runs periodically (don't make it too frequent, as a complete freshclam run takes some time to finish):
crontab -e
This will land you in your default editor. Add the cronjob:
15,45 * * * * /usr/local/directadmin/scripts/custom/clamdcheck > /dev/null 2>&1
With these settings the cronjob runs every half hour. Make sure to save the file and exit.
To display all cronjobs:
crontab -l
Automated Virus Definition updates
You can add another cronjob for automated virus definition updates:
crontab -e
The line below sets the cronjob to execute daily, at 05:38 in the morning:
38 05 * * * sudo freshclam
Scan Options
To check all files on the computer, displaying the name of each file:
clamscan -r /
To check all files on the computer, but only display infected files and ring a bell when found:
clamscan -r --bell -i /
To check files in all users' home directories:
clamscan -r /home
To check files in the USER home directory and move infected files to another folder:
clamscan -r --move=/home/USER/VIRUS /home/USER
To check files in the USER home directory and remove infected files (WARNING: Files are gone.):
clamscan -r --remove /home/USER
The following command scans the users' home directories and writes the results to the specified log file; the -i option reports only the infected files:
clamscan -ril /var/log/clamscan.log /home
When using the --exclude setting you can exclude subfolders from the scan.
clamscan --exclude=maildirectory -i -r /home
When using the --remove switch you can remove infected files.
clamscan -ril /var/log/clamscan.log --remove /home
Screen sessions
When running lengthy scans it is handy to start a screen session. A screen session can be reattached if you lose your SSH connection due to connectivity errors or a time-out of the session itself.
To start the screen session, enter screen followed by the clamscan command you require (see the scan options section for the correct syntax):
screen [clamscan...]
You can detach and attach the screen session. If you lose the connection, use the following commands to reconnect.
List the available screen sessions.
screen -ls
Now you can attach using the following.
screen -r sessionname
or
screen -rx
You will get the scan result at the end. Only infected files are listed; you can find them in "/var/log/clamscan.log" (grep for the word FOUND). You may either manually remove or clean these files, or run the clamscan --remove command from the scan options section, which permanently removes all infected files on your system (make sure to run it in a screen session).
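Before removing anything, it helps to turn the log into a reviewable list. The helpers below are an added example, not part of the original guide: they read a clamscan log (such as /var/log/clamscan.log) from standard input, list every FOUND line as path and signature, and pull the "Infected files:" count out of the SCAN SUMMARY block so a cron job can test the result. The log content, paths and signature names embedded in the block are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original guide: summarise a clamscan log
# before removing or cleaning anything by hand. clamscan -l writes one
# "<path>: <signature> FOUND" line per detection and a "SCAN SUMMARY" block
# at the end; all helpers below read such a log from stdin.

# Print "<path><TAB><signature>" for every FOUND line.
infected_files() {
    awk '/ FOUND$/ {
        sub(/ FOUND$/, "")
        # locate the last ": " so a path that itself contains ": " still splits correctly
        i = 0; p = 0
        while ((p = index(substr($0, i + 1), ": ")) > 0) i += p
        print substr($0, 1, i - 1) "\t" substr($0, i + 2)
    }'
}

# Print the "Infected files:" count from the SCAN SUMMARY block (0 if absent).
infected_count() {
    n=$(awk -F': ' '/^Infected files:/ { print $2 }')
    echo "${n:-0}"
}

# Succeed only when the summary reports zero infections (usable as a cron check).
scan_clean() {
    [ "$(infected_count)" -eq 0 ]
}

# Constructed sample log in the format clamscan writes; the paths and
# signature names are made up for this example.
SAMPLE_LOG='/home/user/public_html/index.php: OK
/home/user/public_html/uploads/upload.php: Php.Example.Constructed-1 FOUND
/home/user/Maildir/cur/1234.eml: Example.Test.Constructed-2 FOUND
/home/user/notes.txt: OK

----------- SCAN SUMMARY -----------
Known viruses: 8000000
Engine version: 0.103.0
Scanned directories: 4
Scanned files: 4
Infected files: 2
Data scanned: 0.01 MB
Time: 0.100 sec (0 m 0 s)'

# Usage against the constructed log; on a server you would instead run
# infected_files < /var/log/clamscan.log
printf '%s\n' "$SAMPLE_LOG" | infected_files
printf 'Infected files reported: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | infected_count)"
if printf '%s\n' "$SAMPLE_LOG" | scan_clean; then
    echo "Scan clean"
else
    echo "Review the files listed above before running clamscan --remove"
fi
```

The functions only report; the decision to move or delete a file stays with the administrator, which matters for the generic PHP signatures discussed later in this article, where a FOUND line may be a false positive.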
Further options
clamscan --help
-h, --help                 Print help information and exit.
-V, --version              Print version number and exit.
-v, --verbose              Be verbose.
-l FILE, --log=FILE        Save scan report to FILE.
-f FILE, --file-list=FILE  Scan files listed line by line in FILE.
-r, --recursive            Scan directories recursively. All the subdirectories in the given directory will be scanned. These options can be used multiple times.
-i, --infected             Only print infected files.
--remove[=yes/no(*)]       Remove infected files. Be careful.
--move=DIRECTORY           Move infected files into DIRECTORY. Directory must be writable for the '' user or unprivileged user running clamscan.
--copy=DIRECTORY           Copy infected files into DIRECTORY. Directory must be writable for the '' user or unprivileged user running clamscan.
Include additional ClamAV Signatures
You can use 3rd party compiled malware/virus signature databases to extend ClamAV's signature collection. Some additional sources are:
- Malware Expert
- Linux Malware Detect
- interserver.net
Add the following database lines at the very bottom of /etc/freshclam.conf:
#Malware Experts
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.hdb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ldb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.fp
#Linux Malware Detect
DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.ndb
DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.hdb
#interserver.net
DatabaseCustomURL http://sigs.interserver.net/interserver256.hdb
DatabaseCustomURL http://sigs.interserver.net/interservertopline.db
DatabaseCustomURL http://sigs.interserver.net/shell.ldb
DatabaseCustomURL http://sigs.interserver.net/whitelist.fp
malware.expert.ndb
Generic hex-pattern signatures for PHP malware. Because they match generic eval, base64 and other hex patterns they can raise false positive alarms (at a very low rate), since normal PHP code has legitimate uses for patterns such as eval and base64. The intent is to scan all .php files and check the reported files manually for malware; if a signature causes you problems, you can whitelist it.
malware.expert.hdb
Static MD5 signatures for files, with no false positives.
malware.expert.ldb
Logical (LDB) signatures, which search for multiple words in files.
malware.expert.fp
Whitelist of files that were found to cause false positive alerts.
interserver256.hdb
100% known malware, in SHA256 format.
interservertopline.db
Hex signatures for code injected into files, intended for manual cleaning.
shell.ldb
99.9% known malware, using logical signatures.
whitelist.fp
MD5 checksums of false positives or common files.