Clamav: Difference between revisions

From James's Wiki
No edit summary
No edit summary
 
(23 intermediate revisions by the same user not shown)
Line 1: Line 1:
2/18/18
This wiki is a how-to install ClamAV 0.99.3 on a Raspberry Pi (3) running the latest version of debian (stretch)
and all the fun stuff I went through trying to get it to work.


  wget https://www.clamav.net/downloads/production/clamav-0.99.3.tar.gz
==Install==
Get the latest source code from: https://www.clamav.net/downloads<br>
Download with wget:
  wget https://www.clamav.net/downloads/production/clamav-0.99.4.tar.gz


  tar zxf clamav-0.99.3.tar.gz
Untar with:
  tar zxf clamav-0.99.4.tar.gz


  cd clamav-0.99.3
Enter the clamav directory:
  cd clamav-0.99.4/


  ./configure
Create clamav user:
 
  sudo adduser --disabled-login clamav
 
keeps getting error openssl not found for misconfigured.


so
Download and install prerequisites for compiling:
  sudo apt install libssl-dev
  sudo apt install libssl-dev libpcre3 libpcre3-dev libbz2-dev
 
this fixed it.


Compile ClamAV:
  ./configure
  ./configure


Line 22: Line 27:
  sudo make install
  sudo make install


sudo ldconfig
Make a directory for freshclam and change the owner to clamav:
 
now when I run sudo freshclam I get errors can't find config file so:
sudo cp /usr/local/etc/freshclam.conf.sample /usr/local/etc/freshclam.conf
 
run freshclam again and still get errors, must edit file.
put an # in front of example in the file like it sez to do
 
still errors WARNING: Can't get information about user clamav
 
so
 
sudo adduser --disabled-login clamav
 
and run freshclam again
hey look another error...what a supprise!
ERROR: Can't change dir to /usr/local/share/clamav
 
the directory dosen't exist and there is nothing in the config file about it so I guess I will create it
 
  sudo mkdir /usr/local/share/clamav
  sudo mkdir /usr/local/share/clamav


  sudo chown clamav:clamav /usr/local/share/clamav/
  sudo chown clamav:clamav /usr/local/share/clamav/


run sudo freshclam again and now its finally doing something...downloading the virus definitions I think.
Make a copy of the config file:
sudo cp /usr/local/etc/freshclam.conf.sample /usr/local/etc/freshclam.conf


no pcre support...
Edit the config file:
sudo nano /usr/local/etc/freshclam.conf
and put a '#' in front of 'example'


so...
then:
  sudo apt install libpcre3 libpcre3-dev libbz2-dev
  sudo ldconfig
 
time to recompile...
 
./configue
 
make
 
sudo make install


now we can test it with:
Finally run freshclam to download all the virus definitions:
  clamscan -ri --exclude-dir="^/sys" /home
  sudo freshclam


this will scan /home and report only errors/infections
Now we will run a little test scan just to make sure everything is working:
it will find some infected files...no worries though, its just test files included with the program.
sudo clamscan -ri /home


now we will setup a daily scan of the whole system and tell it to email us if infections are found.
Don't be worried about the infected files just yet. Included in the source code are some test files that contain virus signatures in order to test clamscan. Later we will delete these, but for now leave them alone.


Next create a script that will be run daily to scan your system:
  sudo nano /usr/local/sbin/clamscan_daily.sh
  sudo nano /usr/local/sbin/clamscan_daily.sh


and paste the following script in, change the email address to what you need.
And paste this in: (change email addresses as necessary)
 
  #!/bin/bash
  #!/bin/bash
  LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log";
  LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log";
Line 82: Line 63:
   
   
   
   
   clamscan -ri -ri --exclude-dir="^/sys" / >> "$LOGFILE";
   clamscan -ri --exclude-dir="^/sys" / >> "$LOGFILE";
   
   
   # get the value of "Infected lines"
   # get the value of "Infected lines"
Line 90: Line 71:
   if [ "$MALWARE" -ne "0" ];then
   if [ "$MALWARE" -ne "0" ];then
   # using heirloom-mailx below
   # using heirloom-mailx below
   echo "$EMAIL_MSG"|mail -a "$LOGFILE" -s "Malware Found On nsserver" -r "$EMAIL_FROM" "$EMAIL_TO";
   echo "$EMAIL_MSG"|mail -a "$LOGFILE" -s "Malware Found On server" -r "$EMAIL_FROM" "$EMAIL_TO";
   fi  
   fi  
   
   
exit 0
NOTE:
if the email has no attachment try changing the <code>mail -a "$LOFILE...</code> to <code>mail -A $LOFILE...</code>


make it executable:
make it executable:
Line 100: Line 82:
  sudo mkdir /var/log/clamav
  sudo mkdir /var/log/clamav
test it with: (a full system scan takes something like 25 min on my RPI 3)
test it with: (a full system scan takes something like 25 min on my RPI 3)
  ./usr/local/sbin/clamscan_daily.sh
This will do a full system scan and email you when it finds infected files (which it will...those test files)
add a crontab entry to run at 1:30am
  sudo /usr/local/sbin/clamscan_daily.sh
add a crontab entry to run at 1:30am and run freshclam
  sudo crontab -e
  sudo crontab -e
paste this in:
paste this in:
  #run clamscan full system check at 1:30am and email on infected files
#run freshclam to get the latest virus definitions
  30 01 * * * /usr/local/sbin/clamscan_daily.sh
30 01 * * * sudo freshclam > /dev/null
  #run clamscan full system check at 1:35am and email on infected files
  35 01 * * * sudo /usr/local/sbin/clamscan_daily.sh > /dev/null
 
clear out the stuff we used to build and install clamav:
clear out the stuff we used to build and install clamav:
  rm clamav-0.99.3.tar.gz
  cd ..


  sudo rm -R clamav-0.99.3/
rm clamav-0.99.4.tar.gz
 
  sudo rm -R clamav-0.99.4/


Finally all done.
Finally all done.
Please note that the log files are NOT setup with logrotate, so they will eventually build up and eat up space...something else for me to figure out :)
Please note that the log files are NOT setup with logrotate, so they will eventually build up and eat up space...something else for me to figure out :)
==References==
https://www.clamav.net/<br>
https://www.howtoforge.com/tutorial/configure-clamav-to-scan-and-notify-virus-and-malware/<br>

Latest revision as of 21:08, 11 March 2018

2/18/18 This wiki is a how-to install ClamAV 0.99.3 on a Raspberry Pi (3) running the latest version of debian (stretch) and all the fun stuff I went through trying to get it to work.

Install

Get the latest source code from: https://www.clamav.net/downloads
Download with wget:

wget https://www.clamav.net/downloads/production/clamav-0.99.4.tar.gz

Untar with:

tar zxf clamav-0.99.4.tar.gz

Enter the clamav directory:

cd clamav-0.99.4/

Create clamav user:

sudo adduser --disabled-login clamav

Download and install prerequisites for compiling:

sudo apt install libssl-dev libpcre3 libpcre3-dev libbz2-dev

Compile ClamAV:

./configure
make
sudo make install

Make a directory for freshclam and change the owner to clamav:

sudo mkdir /usr/local/share/clamav
sudo chown clamav:clamav /usr/local/share/clamav/

Make a copy of the config file:

sudo cp /usr/local/etc/freshclam.conf.sample /usr/local/etc/freshclam.conf

Edit the config file:

sudo nano /usr/local/etc/freshclam.conf

and put a '#' in front of 'example'

then:

sudo ldconfig

Finally run freshclam to download all the virus definitions:

sudo freshclam

Now we will run a little test scan just to make sure everything is working:

sudo clamscan -ri /home

Don't be worried about the infected files just yet. Included in the source code are some test files that contain virus signatures in order to test clamscan. Later we will delete these, but for now leave them alone.

Next create a script that will be run daily to scan your system:

sudo nano /usr/local/sbin/clamscan_daily.sh

And paste this in: (change email addresses as necessary)

#!/bin/bash
LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log";
EMAIL_MSG="Please see the log file attached.";
EMAIL_FROM="clamav@somewhere.com";
EMAIL_TO="someone@gmail.com";

echo "Starting a daily scan";


 clamscan -ri --exclude-dir="^/sys" / >> "$LOGFILE";

 # get the value of "Infected lines"
 MALWARE=$(tail "$LOGFILE"|grep Infected|cut -d" " -f3);

 # if the value is not equal to zero, send an email with the log file attached
 if [ "$MALWARE" -ne "0" ];then
 # using heirloom-mailx below
 echo "$EMAIL_MSG"|mail -a "$LOGFILE" -s "Malware Found On server" -r "$EMAIL_FROM" "$EMAIL_TO";
 fi 

NOTE: if the email has no attachment try changing the mail -a "$LOFILE... to mail -A $LOFILE...

make it executable:

sudo chmod 0755 /usr/local/sbin/clamscan_daily.sh

create dir /var/log/clamav:

sudo mkdir /var/log/clamav

test it with: (a full system scan takes something like 25 min on my RPI 3) This will do a full system scan and email you when it finds infected files (which it will...those test files)

sudo /usr/local/sbin/clamscan_daily.sh

add a crontab entry to run at 1:30am and run freshclam

sudo crontab -e

paste this in:

#run freshclam to get the latest virus definitions
30 01 * * * sudo freshclam > /dev/null

#run clamscan full system check at 1:35am and email on infected files
35 01 * * * sudo /usr/local/sbin/clamscan_daily.sh > /dev/null

clear out the stuff we used to build and install clamav:

cd ..
rm clamav-0.99.4.tar.gz
sudo rm -R clamav-0.99.4/

Finally all done. Please note that the log files are NOT setup with logrotate, so they will eventually build up and eat up space...something else for me to figure out :)

References

https://www.clamav.net/
https://www.howtoforge.com/tutorial/configure-clamav-to-scan-and-notify-virus-and-malware/