Clamav

From James's Wiki
Revision as of 20:34, 18 February 2018 by Ractive (talk | contribs)

2/18/18 This wiki is a how-to install ClamAV 0.99.3 on a Raspberry Pi (3) running the latest version of debian (stretch) and all the fun stuff I went through trying to get it to work.


wget https://www.clamav.net/downloads/production/clamav-0.99.3.tar.gz
tar zxf clamav-0.99.3.tar.gz
cd clamav-0.99.3
./configure 


keeps getting error openssl not found or misconfigured.

so

sudo apt install libssl-dev

this fixed it.

./configure
make
sudo make install
sudo ldconfig

now when I run sudo freshclam I get errors can't find config file so:

sudo cp /usr/local/etc/freshclam.conf.sample /usr/local/etc/freshclam.conf

run freshclam again and still get errors, must edit file. put an # in front of example in the file like it sez to do

still errors WARNING: Can't get information about user clamav

so

sudo adduser --disabled-login clamav

and run freshclam again hey look another error...what a supprise! ERROR: Can't change dir to /usr/local/share/clamav

the directory dosen't exist and there is nothing in the config file about it so I guess I will create it

sudo mkdir /usr/local/share/clamav
sudo chown clamav:clamav /usr/local/share/clamav/

run sudo freshclam again and now its finally doing something...downloading the virus definitions I think.

no pcre support...

so...

sudo apt install libpcre3 libpcre3-dev libbz2-dev

time to recompile...

./configue
make
sudo make install

now we can test it with:

clamscan -ri --exclude-dir="^/sys" /home

this will scan /home and report only errors/infections it will find some infected files...no worries though, its just test files included with the program.

now we will setup a daily scan of the whole system and tell it to email us if infections are found.

sudo nano /usr/local/sbin/clamscan_daily.sh

and paste the following script in, change the email address to what you need.

#!/bin/bash
LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log";
EMAIL_MSG="Please see the log file attached.";
EMAIL_FROM="clamav@somewhere.com";
EMAIL_TO="someone@gmail.com";

echo "Starting a daily scan";


 clamscan -ri -ri --exclude-dir="^/sys" / >> "$LOGFILE";

 # get the value of "Infected lines"
 MALWARE=$(tail "$LOGFILE"|grep Infected|cut -d" " -f3);

 # if the value is not equal to zero, send an email with the log file attached
 if [ "$MALWARE" -ne "0" ];then
 # using heirloom-mailx below
 echo "$EMAIL_MSG"|mail -a "$LOGFILE" -s "Malware Found On nsserver" -r "$EMAIL_FROM" "$EMAIL_TO";
 fi 

exit 0

make it executable:

sudo chmod 0755 /usr/local/sbin/clamscan_daily.sh

create dir /var/log/clamav:

sudo mkdir /var/log/clamav

test it with: (a full system scan takes something like 25 min on my RPI 3)

./usr/local/sbin/clamscan_daily.sh

add a crontab entry to run at 1:30am

sudo crontab -e

paste this in:

#run clamscan full system check at 1:30am and email on infected files
30 01 * * * /usr/local/sbin/clamscan_daily.sh

clear out the stuff we used to build and install clamav:

rm clamav-0.99.3.tar.gz
sudo rm -R clamav-0.99.3/

Finally all done. Please note that the log files are NOT setup with logrotate, so they will eventually build up and eat up space...something else for me to figure out :)

References: https://www.clamav.net/ https://www.howtoforge.com/tutorial/configure-clamav-to-scan-and-notify-virus-and-malware/

https://www.howtoforge.com/tutorial/configure-clamav-to-scan-and-notify-virus-and-malware/