Configure Clamav for daily system scans and email notification on Debian

Today we take a look at the ClamAV antivirus software and how to use it to protect your server or desktop. I will show you how to configure ClamAV to scan all system, website and email files daily and notify you by email in case that a virus gets detected. For those that don't know ClamAV, ClamAV is an open-source antivirus software solution that is available on all Linux distributions. One of the requirements of this guide is that your server has already a working mail service.

This tutorial is working fine on Debian systems, but should be compatible with Ubuntu systems as well.

Installation and configuration

First of all we execute the command to install Clamav and a tool to send email notifications.

apt-get update && apt-get install clamav clamav-freshclam heirloom-mailx

Be sure that the virus definition will be updated with the command:

service ClamAV-freshclam start

By default, ClamAV will do a check for new virus definitions every hour, if you want to change this parameter you can edit the file /etc/clamav/freshclam.conf.

nano /etc/clamav/freshclam.conf

And change the following line:

# Check for new database 24 times a day
Checks 24

to

# Check for new database 1 times a day
Checks 1

in this case the check will be done, only once a day. I suggest you to leave 24 times a day.

To do a manual update of the virus definitions, you can execute:

freshclam -v

Enable notify and schedule the scan

In the following script, modify the variable DIRTOSCAN to specify the directories that you want to scan.

We create the file /root/clamscan_daily.sh

nano /root/clamscan_daily.sh

and we paste the following code:

#!/bin/bash
LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log";
EMAIL_MSG="Please see the log file attached.";
EMAIL_FROM="[email protected]";
EMAIL_TO="[email protected]";
DIRTOSCAN="/var/www /var/vmail";

for S in ${DIRTOSCAN}; do
 DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1);

 echo "Starting a daily scan of "$S" directory.
 Amount of data to be scanned is "$DIRSIZE".";

 clamscan -ri "$S" >> "$LOGFILE";

 # get the value of "Infected lines"
 MALWARE=$(tail "$LOGFILE"|grep Infected|cut -d" " -f3);

 # if the value is not equal to zero, send an email with the log file attached
 if [ "$MALWARE" -ne "0" ];then
 # using heirloom-mailx below
 echo "$EMAIL_MSG"|mail -a "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO";
 fi 
done

exit 0

You can change the two variables EMAIL_FROM and EMAIL_TO to reflect your desired email addresses, and change the list of directories to scan in the variable DIRTOSCAN.

Save the file with ( ctrl+o ), and change the permission as follows:

chmod 0755 /root/clamscan_daily.sh

Now enable the daily execution of the script by creating a symlink in the /etc/cron.daily/ directory:

ln /root/clamscan_daily.sh /etc/cron.daily/clamscan_daily

Now you should be able to receive the email notification once a day for virus or malware in your mail files or websites. ClamAV also scans the content of PHP files for the presence of malware or other potentially malicious content.

Test the script

In this configuration, ClamAV won't do any actions on the found viruses, it will only report them. So don't worry, nothing will be deleted or altered. To test the script, just run:

/root/clamscan_daily.sh

After the command has finished, there will be two possible states:

- Clamav has found some virus: in this case you'll receive an email in your inbox with the attached log.

- Clamav has found nothing, or something goes wrong. In this case, you'll need to check what log says. To check the logs you should check in /var/log/clamav/

I'll attach a little log example to know what you should read:

Starting a daily scan of /var/www directory. Amount of data to be scanned is 36G.
Mon Jun 15 13:17:14 CEST 2015

----------- SCAN SUMMARY -----------
Known viruses: 3841819
Engine version: 0.98.4
Scanned directories: 47944
Scanned files: 316827
Infected files: 0
Data scanned: 17386.77 MB
Data read: 34921.59 MB (ratio 0.50:1)
Time: 1432.747 sec (23 m 52 s)
Mon Jun 15 13:41:06 CEST 2015
------------------------------------------------------
------------------------------------------------------
Starting a daily scan of /var/vmail directory. Amount of data to be scanned is 7.0G.
Mon Jun 15 13:41:27 CEST 2015
/var/vmail/domain.tld/info/Maildir/.Cestino/cur/1386677288.M361286P15524.domain.tld,W=2675,S=2627:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/var/vmail/domain.tld/info/Maildir/.Cestino/cur/1371451873.M697795P19793.domain.tld,W=5421,S=5353:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/var/vmail/domain.tld/info/Maildir/.Cestino/cur/1390203133.M981287P17350.domain.tld,W=3223,S=3157:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/var/vmail/domain.tld/info/Maildir/.Cestino/cur/1386677288.M361285P15524.domain.tld,W=2270,S=2227:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND

In this case, ClamAV has Found some phishing email at [email protected], so in this case, you'll receive also the email.

That's all!

Share this page:

23 Comment(s)