Today we take a look at the ClamAV antivirus software and how to use it to protect your server or desktop. I will show you how to configure ClamAV to scan all system, website and email files daily and to notify you by email if a virus is detected. For those who don't know it, ClamAV is an open-source antivirus engine that is packaged by all major Linux distributions. One requirement of this guide is that your server already has a working mail service, because the notifications are sent with a local mail command.
This tutorial was written for Debian systems, but it should work on Ubuntu as well.
Installation and configuration
First of all, install ClamAV, the signature updater and a mail client for the notifications:
apt-get update && apt-get install clamav clamav-freshclam heirloom-mailx
Make sure the virus definitions are being updated by starting the freshclam service (the service name is lower case):
service clamav-freshclam start
By default, freshclam checks for new virus definitions every hour. If you want to change this interval, edit the file /etc/clamav/freshclam.conf.
nano /etc/clamav/freshclam.conf
And change the following line:
# Check for new database 24 times a day Checks 24
to
# Check for new database 1 times a day Checks 1
In this case the check will be done only once a day. I suggest leaving it at 24 times a day: stale signatures are the most common reason a ClamAV installation silently stops catching anything.
To do a manual update of the virus definitions, run:
freshclam -v
If the freshclam service is running at the same time, a manual run may fail because the log file is locked by the daemon. In that case stop the service, run freshclam, and start the service again.
Enable notify and schedule the scan
In the following script, the variable DIRTOSCAN lists the directories that you want to scan. The script appends the scan output to a log file named after the current day, reads the "Infected files" line of the scan summary, and mails the log if that number is not zero (or is missing, which means the scan did not complete).
We create the file /root/clamscan_daily.sh
nano /root/clamscan_daily.sh
and we paste the following code:
#!/bin/bash
LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log"
EMAIL_MSG="Please see the log file attached."
EMAIL_FROM="clamav-daily@example.com"
EMAIL_TO="username@example.com"
DIRTOSCAN="/var/www /var/vmail"

for S in ${DIRTOSCAN}; do
    DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1)
    # the banner and a timestamp go into the log, so the log is readable on its own
    echo "Starting a daily scan of $S directory. Amount of data to be scanned is $DIRSIZE." >> "$LOGFILE"
    date >> "$LOGFILE"
    # -r: scan recursively, -i: print only infected files
    clamscan -ri "$S" >> "$LOGFILE"
    date >> "$LOGFILE"
    echo "------------------------------------------------------" >> "$LOGFILE"
    # get the value of the "Infected files" line from the scan summary;
    # it is empty if clamscan aborted (for example because the database is missing)
    MALWARE=$(tail -n 20 "$LOGFILE" | grep '^Infected files:' | cut -d" " -f3)
    # if the value is not zero, or is missing, send an email with the log file attached
    if [ "${MALWARE:-1}" -ne 0 ]; then
        # using heirloom-mailx below: -a attaches the log, -r sets the sender
        echo "$EMAIL_MSG" | mail -a "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO"
    fi
done
exit 0
You can change the two variables EMAIL_FROM and EMAIL_TO to reflect your desired email addresses, and change the list of directories to scan in the variable DIRTOSCAN.
Save the file (ctrl+o in nano) and make it executable:
chmod 0755 /root/clamscan_daily.sh
Now enable the daily execution of the script by creating a symlink in the /etc/cron.daily/ directory:
ln -s /root/clamscan_daily.sh /etc/cron.daily/clamscan_daily
The link name deliberately has no ".sh" extension: run-parts, which executes the cron.daily scripts on Debian, ignores file names containing a dot. You can confirm that the script will be picked up with "run-parts --test /etc/cron.daily", which lists the scripts without running them.
You should now receive an email notification whenever the daily scan finds a virus or malware in your mail files or websites. ClamAV's signature database also covers PHP web shells and backdoors, so infected PHP files under /var/www are reported as well; being signature-based, it will not catch every newly written or obfuscated script.
Test the script
In this configuration, ClamAV won't take any action on the viruses it finds; it only reports them (clamscan only moves or deletes files when told to with --move or --remove). So don't worry, nothing will be deleted or altered. To test the script, just run:
/root/clamscan_daily.sh
After the command has finished, there are two possible outcomes:
- ClamAV has found a virus: in this case you'll receive an email in your inbox with the log attached.
- ClamAV has found nothing, or something went wrong. In this case you need to check what the log says. The logs are in /var/log/clamav/.
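A clean result and a broken scan look the same from the inbox, so it is worth forcing a positive once. The following script is an added example and is not part of the original article: it writes the EICAR test string (a harmless file that every antivirus engine, ClamAV included, must report) into a directory of your choice, and it carries the log-parsing and exit-code logic the daily script relies on as small functions, so you can check them against a log without waiting for a 20-minute scan. The file paths are the caller's choice; nothing here is taken from the article's script.

```bash
#!/bin/bash
# Added example, not part of the original article: helpers to verify the
# daily scan end to end. Paths passed in by the caller are assumptions.
set -u

# The 68-byte EICAR test string, which every antivirus engine (ClamAV
# included) must report and which is harmless. It is assembled from two
# pieces so that this script itself does not match the signature.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE' '!$H+H*'
}

# Write the test file into a directory that the daily script scans, e.g.
# plant_eicar /var/www/eicar.txt   (the path is the caller's choice)
plant_eicar() {
    eicar_string > "$1"
}

# Read "Infected files: N" from the last scan summary in a log. Prints
# "unknown" and fails if no summary is present, which is what the log looks
# like when clamscan aborted (missing database, unreadable directory).
infected_count() {
    local n
    n=$(grep '^Infected files:' "$1" | tail -n 1 | awk '{print $3}')
    if [ -z "$n" ]; then
        echo unknown
        return 1
    fi
    echo "$n"
}

# clamscan's documented exit codes: 0 clean, 1 infected, 2 error.
scan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# True when the daily script should send mail: a non-zero clamscan exit,
# a non-zero infected count, or no summary at all (incomplete scan).
needs_report() {
    local status="$1" logfile="$2" n
    n=$(infected_count "$logfile") || return 0
    [ "$status" -ne 0 ] || [ "$n" -ne 0 ]
}

# Usage: ./check_scan.sh --plant /var/www/eicar.txt
# then run /root/clamscan_daily.sh and expect the notification mail.
if [ "${1:-}" = "--plant" ] && [ -n "${2:-}" ]; then
    plant_eicar "$2"
    echo "EICAR test file written to $2"
fi
```

After planting the file, run /root/clamscan_daily.sh: the log should list the EICAR file as FOUND, the summary should read "Infected files: 1", and the mail should arrive. Delete the test file afterwards, or every daily run will keep mailing you. The needs_report logic treats a missing summary as a reason to notify, which is the safer choice: a scan that never finished should not be mistaken for a clean one.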
Here is a short log example so you know what to look for:
Starting a daily scan of /var/www directory. Amount of data to be scanned is 36G.
Mon Jun 15 13:17:14 CEST 2015

----------- SCAN SUMMARY -----------
Known viruses: 3841819
Engine version: 0.98.4
Scanned directories: 47944
Scanned files: 316827
Infected files: 0
Data scanned: 17386.77 MB
Data read: 34921.59 MB (ratio 0.50:1)
Time: 1432.747 sec (23 m 52 s)
Mon Jun 15 13:41:06 CEST 2015
------------------------------------------------------
------------------------------------------------------
Starting a daily scan of /var/vmail directory. Amount of data to be scanned is 7.0G.
Mon Jun 15 13:41:27 CEST 2015
/var/vmail/domain.tld/info/Maildir/.Cestino/cur/1386677288.M361286P15524.domain.tld,W=2675,S=2627:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/var/vmail/domain.tld/info/Maildir/.Cestino/cur/1371451873.M697795P19793.domain.tld,W=5421,S=5353:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/var/vmail/domain.tld/info/Maildir/.Cestino/cur/1390203133.M981287P17350.domain.tld,W=3223,S=3157:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/var/vmail/domain.tld/info/Maildir/.Cestino/cur/1386677288.M361285P15524.domain.tld,W=2270,S=2227:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
In this case, ClamAV found some phishing emails in the mailbox of info@domain.tld (in its trash folder), so the "Infected files" count in that summary is not zero and you will also receive the notification email. Heuristics.Phishing.* detections are ClamAV's phishing heuristics rather than signature matches, so check them rather than assuming the messages are malicious.
That's all!