Clamav
2/18/18 This wiki is a how-to install ClamAV 0.99.3 on a Raspberry Pi (3) running the latest version of debian (stretch) and all the fun stuff I went through trying to get it to work.
wget https://www.clamav.net/downloads/production/clamav-0.99.3.tar.gz
tar zxf clamav-0.99.3.tar.gz
cd clamav-0.99.3
./configure
keeps getting error openssl not found or misconfigured.
so
sudo apt install libssl-dev
this fixed it.
./configure
make
sudo make install
sudo ldconfig
now when I run sudo freshclam I get errors can't find config file so:
sudo cp /usr/local/etc/freshclam.conf.sample /usr/local/etc/freshclam.conf
run freshclam again and still get errors, must edit file. put an # in front of example in the file like it sez to do
still errors WARNING: Can't get information about user clamav
so
sudo adduser --disabled-login clamav
and run freshclam again hey look another error...what a supprise! ERROR: Can't change dir to /usr/local/share/clamav
the directory dosen't exist and there is nothing in the config file about it so I guess I will create it
sudo mkdir /usr/local/share/clamav
sudo chown clamav:clamav /usr/local/share/clamav/
run sudo freshclam again and now its finally doing something...downloading the virus definitions I think.
so the virus defs downloaded just fine but when I scanned I got lots of errors.... no pcre support...
so...
sudo apt install libpcre3 libpcre3-dev libbz2-dev
time to recompile...
./configue
make
sudo make install
now we can test it with:
clamscan -ri --exclude-dir="^/sys" /home
this will scan /home and report only errors/infections it will find some infected files...no worries though, its just test files included with the program.
now we will setup a daily scan of the whole system and tell it to email us if infections are found.
sudo nano /usr/local/sbin/clamscan_daily.sh
and paste the following script in, change the email address to what you need.
#!/bin/bash LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log"; EMAIL_MSG="Please see the log file attached."; EMAIL_FROM="clamav@somewhere.com"; EMAIL_TO="someone@gmail.com"; echo "Starting a daily scan"; clamscan -ri -ri --exclude-dir="^/sys" / >> "$LOGFILE"; # get the value of "Infected lines" MALWARE=$(tail "$LOGFILE"|grep Infected|cut -d" " -f3); # if the value is not equal to zero, send an email with the log file attached if [ "$MALWARE" -ne "0" ];then # using heirloom-mailx below echo "$EMAIL_MSG"|mail -a "$LOGFILE" -s "Malware Found On nsserver" -r "$EMAIL_FROM" "$EMAIL_TO"; fi exit 0
make it executable:
sudo chmod 0755 /usr/local/sbin/clamscan_daily.sh
create dir /var/log/clamav:
sudo mkdir /var/log/clamav
test it with: (a full system scan takes something like 25 min on my RPI 3)
./usr/local/sbin/clamscan_daily.sh
add a crontab entry to run at 1:30am
sudo crontab -e
paste this in:
#run clamscan full system check at 1:30am and email on infected files 30 01 * * * /usr/local/sbin/clamscan_daily.sh
clear out the stuff we used to build and install clamav:
rm clamav-0.99.3.tar.gz
sudo rm -R clamav-0.99.3/
Finally all done. Please note that the log files are NOT setup with logrotate, so they will eventually build up and eat up space...something else for me to figure out :)
References:
https://www.clamav.net/ https://www.howtoforge.com/tutorial/configure-clamav-to-scan-and-notify-virus-and-malware/