Scanning a Linux Server for Malware and Virus by ClamAV
The ClamAV antivirus software and how to use it to protect your server or desktop (Linux/Windows platform. It's also worth noting that ClamAV doesn't behave like a Windows antivirus. It doesn't hog up RAM or run in the background all the time. It also doesn't have all of the extra bells and whistles. It scans for viruses, and that's about all.
1. SETUP
- Install on Fedora/CentOS/Redhatyum install clamav
- Install on Debian/Ubuntu
apt-get install clamav
- Compile from source code
+ Download: http://www.clamav.net/downloads/production/clamav-0.100.0.tar.gz
+ Compile:
tar xvf clamav-0.100.0.tar.gz
cd clamav-0.100.0/
./configure --prefix=/opt/clamav
make
sudo make install
All pages will be placed in /opt/clamav
2. CONFIGURING
All Clamav's configuration in /opt/clamav/etc (contains 2 files: clamav.conf and freshclam.conf)- clamd.conf (The configuration file save all Clamav's configrations)
# BASIC
LogFile /var/log/clamd.log
LogFileUnlock yes
LogFileMaxSize 20M
LogTime yes
LogClean yes
LogSyslog no
LogVerbose no
LogRotate yes
PreludeEnable yes
PreludeAnalyzerName ClamAV-LadiPage-DNS
ExtendedDetectionInfo yes
PidFile /var/run/clamd.pid
TemporaryDirectory /tmp
DatabaseDirectory /opt/clamav/db
OfficialDatabaseOnly no
LocalSocket /tmp/clamd.sock
LocalSocketMode 660
FixStaleSocket yes
MaxConnectionQueueLength 200
StreamMaxLength 25M
StreamMinPort 30000
StreamMaxPort 32000
MaxThreads 20
ReadTimeout 300
CommandReadTimeout 5
SendBufTimeout 500
MaxQueue 200
IdleTimeout 60
MaxDirectoryRecursion 20
FollowDirectorySymlinks yes
FollowFileSymlinks yes
CrossFilesystems yes
SelfCheck 600
User root
ExitOnOOM yes
Foreground no
Debug no
LeaveTemporaryFiles yes
AllowAllMatchScan no
DetectPUA yes
AlgorithmicDetection yes
ForceToDisk yes
DisableCache yes
## Executable files
ScanPE yes
DisableCertCheck yes
ScanELF yes
DetectBrokenExecutables yes
## Documents
ScanOLE2 yes
OLE2BlockMacros no
ScanPDF yes
ScanSWF yes
ScanXMLDOCS yes
ScanHWP3 yes
## Mail files
ScanMail yes
ScanPartialMessages yes
PhishingSignatures yes
PhishingScanURLs yes
PhishingAlwaysBlockSSLMismatch yes
PhishingAlwaysBlockCloak yes
PartitionIntersection yes
HeuristicScanPrecedence yes
## Data Loss Prevention (DLP)
StructuredDataDetection yes
StructuredMinCreditCardCount 5
StructuredMinSSNCount 5
StructuredSSNFormatNormal yes
StructuredSSNFormatStripped yes
## HTML
ScanHTML yes
## Archives
ScanArchive yes
ArchiveBlockEncrypted yes
## Limits
MaxScanSize 300M
MaxFileSize 300M
MaxRecursion 16
MaxFiles 150000
MaxEmbeddedPE 10M
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
MaxPartitions 128
MaxIconsPE 200
MaxRecHWP3 16
PCREMatchLimit 200000
PCRERecMatchLimit 10000
PCREMaxFileSize 100M
BlockMax no
## Bytecode
Bytecode yes
BytecodeSecurity TrustSigned
BytecodeTimeout 1000
DatabaseDirectory /opt/clamav/db
UpdateLogFile /var/log/freshclam.log
LogFileMaxSize 20M
LogTime yes
LogVerbose no
LogSyslog no
LogRotate yes
PidFile /var/run/freshclam.pid
DatabaseOwner root
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.io.clamav.net
DatabaseMirror database.clamav.net
MaxAttempts 5
ScriptedUpdates yes
CompressLocalDatabase no
OnUpdateExecute command
OnErrorExecute command
OnOutdatedExecute command
Foreground no
Debug no
ConnectTimeout 60
ReceiveTimeout 60
TestDatabases yes
SafeBrowsing yes
Bytecode yes
3. RUN
- Update:/opt/clamav/bin/freshclamav
- Scan:
/opt/clamav/bin/clamscan -i -r --max-scansize=4000M --max-filesize=4000M /path/directory
In:
-i : Only display infected files
-r : The scan recursive
--max-scansize : The maximum amount of data that you want ClamAV to crawl through
--max-filesize : The maximum size of the files that you want ClamAV to scan