Configure Clamav for daily system scans and email notification on Debian

Today we take a look at the ClamAV antivirus software and how to use it to protect your server or desktop. I will show you how to configure ClamAV to scan all system, website and email files daily and to notify you by email if a virus is detected. For those who don't know it, ClamAV is an open-source antivirus solution that is available on all Linux distributions. One requirement of this guide is that your server already has a working mail service.

This tutorial was written and tested on Debian, but it should work on Ubuntu systems as well.

Installation and configuration

First of all, we install ClamAV, the freshclam definition updater and a tool to send email notifications:

apt-get update && apt-get install clamav clamav-freshclam heirloom-mailx

Make sure the virus definitions get updated by starting the freshclam service (the service name is all lowercase):

service clamav-freshclam start

By default, freshclam checks for new virus definitions every hour. If you want to change this interval, edit the file /etc/clamav/freshclam.conf:

nano /etc/clamav/freshclam.conf

And change the following line:

# Check for new database 24 times a day
Checks 24

to

# Check for new database once a day
Checks 1

In this case the check is done only once a day. I suggest leaving it at 24 times a day.

To do a manual update of the virus definitions, you can execute:

freshclam -v

Enable notify and schedule the scan

In the following script, modify the variable DIRTOSCAN to specify the directories that you want to scan.

We create the file /root/clamscan_daily.sh

nano /root/clamscan_daily.sh

and we paste the following code:

#!/bin/bash
LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log"
EMAIL_MSG="Please see the log file attached."
EMAIL_FROM="[email protected]"
EMAIL_TO="[email protected]"
DIRTOSCAN="/var/www /var/vmail"

# make sure the log directory exists, otherwise the scan output is lost
mkdir -p "$(dirname "$LOGFILE")"

for S in ${DIRTOSCAN}; do
 DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1)

 # print the header and write it to the log as well, so the log reads on its own
 echo "Starting a daily scan of $S directory. Amount of data to be scanned is $DIRSIZE." | tee -a "$LOGFILE"
 date >> "$LOGFILE"

 # -r: recursive, -i: only report infected files
 clamscan -ri "$S" >> "$LOGFILE"
 date >> "$LOGFILE"

 # get the value of the "Infected files:" line from the scan summary
 MALWARE=$(tail "$LOGFILE" | grep "Infected files" | cut -d" " -f3)

 # an empty value means clamscan wrote no summary (killed, missing directory, ...)
 if [ -z "$MALWARE" ]; then
  echo "No scan summary found for $S, please check $LOGFILE" >&2
  continue
 fi

 # if the value is not equal to zero, send an email with the log file attached
 if [ "$MALWARE" -ne 0 ]; then
  # using heirloom-mailx below: -a attaches a file, -r sets the From address
  echo "$EMAIL_MSG" | mail -a "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO"
 fi
done

exit 0

You can change the two variables EMAIL_FROM and EMAIL_TO to reflect your desired email addresses, and change the list of directories to scan in the variable DIRTOSCAN.

Save the file with ( ctrl+o ), and change the permission as follows:

chmod 0755 /root/clamscan_daily.sh

Now enable the daily execution of the script by creating a symlink in the /etc/cron.daily/ directory:

ln /root/clamscan_daily.sh /etc/cron.daily/clamscan_daily

Now you should receive an email notification once a day whenever a virus or malware is found in your mail files or websites. ClamAV also scans the content of PHP files for malware or other potentially malicious content.

Test the script

In this configuration, ClamAV takes no action on the viruses it finds; it only reports them, so nothing will be deleted or altered. To test the script, just run:

/root/clamscan_daily.sh

After the command has finished, there will be two possible states:

- ClamAV has found a virus: in this case you will receive an email in your inbox with the log attached.

- ClamAV has found nothing, or something went wrong: in this case you need to check what the log says. The logs are in /var/log/clamav/.

Here is a short example log so you know what to look for:

Starting a daily scan of /var/www directory. Amount of data to be scanned is 36G.
Mon Jun 15 13:17:14 CEST 2015

----------- SCAN SUMMARY -----------
Known viruses: 3841819
Engine version: 0.98.4
Scanned directories: 47944
Scanned files: 316827
Infected files: 0
Data scanned: 17386.77 MB
Data read: 34921.59 MB (ratio 0.50:1)
Time: 1432.747 sec (23 m 52 s)
Mon Jun 15 13:41:06 CEST 2015
------------------------------------------------------
------------------------------------------------------
Starting a daily scan of /var/vmail directory. Amount of data to be scanned is 7.0G.
Mon Jun 15 13:41:27 CEST 2015
/var/vmail/domain.tld/info/Maildir/.Cestino/cur/1386677288.M361286P15524.domain.tld,W=2675,S=2627:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/var/vmail/domain.tld/info/Maildir/.Cestino/cur/1371451873.M697795P19793.domain.tld,W=5421,S=5353:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/var/vmail/domain.tld/info/Maildir/.Cestino/cur/1390203133.M981287P17350.domain.tld,W=3223,S=3157:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/var/vmail/domain.tld/info/Maildir/.Cestino/cur/1386677288.M361285P15524.domain.tld,W=2270,S=2227:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND

In this case, ClamAV has found some phishing emails in the mailbox of [email protected], so you will also receive the notification email.
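As an added example (not part of the original article), the following POSIX sh helper classifies a scan log as clean, infected or error by reading the last "Infected files:" line of the SCAN SUMMARY instead of trusting `tail`. The error case covers an empty or missing log, which is exactly the situation that produces the "[: : integer expression expected" message. The sample logs are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: decide from a clamscan log
# whether a notification is warranted, and recognise a log with no summary.

# Print the infected count from the last SCAN SUMMARY in the log, or nothing
# if the file is missing or contains no summary (never fails the caller).
infected_count() {
    [ -f "$1" ] || return 0
    # keep only the last "Infected files:" line; field 3 is the count
    awk '/^Infected files:/ { n = $3 } END { if (n != "") print n }' "$1"
}

# Classify a log: prints clean / infected / error (error = no usable summary)
classify_log() {
    count=$(infected_count "$1")
    case "$count" in
        '')       echo error ;;     # empty or missing log, killed clamscan
        *[!0-9]*) echo error ;;     # garbage where a number was expected
        0)        echo clean ;;
        *)        echo infected ;;
    esac
}

# Constructed sample logs (not real scan output) so the script runs offline
TMPD=$(mktemp -d)
cat > "$TMPD/clean.log" <<'EOF'
----------- SCAN SUMMARY -----------
Known viruses: 3841819
Infected files: 0
Time: 1.200 sec (0 m 1 s)
EOF
cat > "$TMPD/infected.log" <<'EOF'
/var/vmail/example.tld/info/Maildir/cur/000000001.example.tld: Heuristics.Phishing.Email.SpoofedDomain FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
EOF
: > "$TMPD/empty.log"   # what a killed clamscan leaves behind

for f in clean infected empty; do
    printf '%s: %s\n' "$f" "$(classify_log "$TMPD/$f.log")"
done
```

Plugging classify_log into the daily script lets it send the notification only for "infected" and log a warning for "error" rather than aborting on an empty variable.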

That's all!

Comments

By: Chris hawkins

Great Article!

Having a problem with the /root/clamscan_daily.sh script!

Error is:

"[email protected]:~# /root/clamscan_daily.sh

Starting a daily scan of /var/www directory.

 Amount of data to be scanned is 20K.

/root/clamscan_daily.sh: line 13: : No such file or directory

tail: cannot open ‘’ for reading: No such file or directory"

/root/clamscan_daily.sh: line 19: [: : integer expression expected"

Any idea what's wrong?

Thanks again for the article

By: ethan

Hey, did you ever get this resolved?

By: Adam

The variable $LOGFILE is used in the script, but is never defined.  Add the following line to the script and you should be good to go.

To the end of the variable declaration section at the top, add:

LOGFILE="/path/to/log/file.log"; 

and you should be all set.  

Be sure that the path you set exists!

By: Patrik

You probably do not have the /var/log/clamav directory created (the clamav dir). Create it or change the path and it will work.

By: diablo666

Mmmm, I just retested but got no error.

Can you please paste the code of your /root/clamscan_daily.sh ?

By: swedala

Thanks for a good simple tutorial.

I have good knowledge about Linux and would have been able to develop it as well, but I'm lazy, so I searched whether someone else has done the job for me ;-)

Found this tutorial and when I checked the script it was promising.

As I mentioned above, I'm lazy so I want to avoid attachments, guess I will change the script.

echo "$LOGFILE" | mail -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO"

By: diablo666

Hi swedala, the idea of the script is that, if there's no error, no mail will be sent. So when it is sent, I want to check quickly what the problem is, so I've decided to attach the log.

But as you said, maybe someone doesn't want the attachment, and your suggestion is welcome to us! :)

By: Rex

Hi,

How can we set ClamAV scan & remove virus itself daily?

Thanks

By: Antony Rappai

I am glad I stumbled upon this article. I will be using bits and pieces for an article that I will be writing on cloud server security.

I shall mention this link in the credits  :)

By: Davide Cester

Hi, very useful script, thank you!

I would like to suggest a couple of improvements:

- truncate $LOGFILE just before the loop, to improve readability when testing the log:

> $LOGFILE

- replace echo commands with cat "..." >> $LOGFILE to have everything in the log file:

  echo "  ===== Scanning $S        Total size: "$DIRSIZE"." >> $LOGFILE;

The additional newline before ===== is because clamscan output has a blank line at the beginning, and the "Scanning..." header appears to belong to the previous block, reducing readability.

Bye :)

By: Olli

I've just seen that on Ubuntu 16.04 the mail command has changed. Now -a adds a header and -A attaches a file.

echo "$EMAIL_MSG"|mail -A "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO";

By: Mashkoor Qadir

Hi Team,

This is a really very informative article. I am having one problem with daily auto scanning. The script is not scanning multiple directories, such as when I need to scan /home /usr /var and so on. It doesn't scan all the directories. I copied the above script and pasted it in the same way. Scanning an individual directory containing sub directories is working fine.

could you please help me .

By: Mashkoor Qadir

Hi Team,

I got the solution of this, now I have another problem. The error message is as below. Please help me out of this issue.

"warning:LibClamAV Warning: cli_scanbzip: bzip2 support not compiled in "

During the scan I got the above warning message, however it also gives us the scanning report for the directories.

By: Noman

The script is working only when I execute it directly. After sometime, it does create a log file and I see some paths to malicious files. But problem is with cron job. Cron job is executed and it also creates log file but log file is empty and it is empty everyday since I setup cron job. Why is cron job not filling the log file?

By: Sudheer

Is there any way not to scan already scanned items,

Because it's taking more time to scan already scanned files, (for the first scan it's ok to scan all the files, the second scan should scan only the new files which are not scanned.) 

Please suggest me any solution to scan only new files.

By: Kevin Ruffus

There is an issue with compatibility with other mail utilities such as postfix. Attachments and commands to attach them vary, so to prevent this issue the script can be simplified:

remove EMAIL_MSG variable

add HOST variable

set HOST="$(hostname -f)"

change

    echo "$EMAIL_MSG"|mail -a "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO";

to

    cat "$LOGFILE" | mail -s "Malware Found on $HOST" -r "$EMAIL_FROM" "$EMAIL_TO";

That should be compatible across the board and tells you exactly which host is infected.

By: koushik

run the below command

# find /home/COUTHIT.LOCAL/username/ -ctime -1 -print | xargs /usr/bin/clamscan -ri --log=/root/clamscan.log

By: Maximilian

Hello,

how can I configure the shell script without the email part and with a cam.log file in the home directory where the infected files will be written?

By: Holger

For anybody who stumbles across this nice article: The service commands on recent (k)ubuntu for the freshclam virus-db-update service would be

# check service status

sudo systemctl status clamav-freshclam

# restart service

sudo systemctl restart clamav-freshclam

(note the spelling difference)

By: Mazufa

Hello!

My ClamAV installation works otherwise but it doesn't send me a notification even if a virus is found. I have installed mailx on my Debian operating system, but even if a virus is found then no notification is sent to me. I downloaded an eicar site to test for a virus. What can I do to fix this problem? I would really like to receive email notifications.

By: MG

Hello,

I am still having a similar issue to the one mentioned by Chris, but a little different. Here is the output of a run of the script:

/root/clamscan_daily.sh: line 8: 30330 Killed                  clamscan -ri "$S" &> "$LOGFILE"

/root/clamscan_daily.sh: line 20: [: : integer expression expected

I do have the log file folder as defined, and I can see the log file there with the appended date as defined in the definition. I cannot figure out what is wrong - any suggestions?

By: Torben

Hey, thanks for this tutorial. Unfortunately heirloom has been removed in the Ubuntu 18.04 release. It would be great if you could update this tutorial with another mailing method. Thanks!