[ Server ][ CentOS7 ] ClamAV AntiVirus install > linux


Posted: 19-09-03 14:46

Author: 웹지기   Views: 7,565   Comments: 0

Notes on ClamAV AntiVirus

CentOS 7 VM notes:
Set /etc/clamd.d/scan.conf “MaxThreads” to 1 (default is 10) to avoid too much CPU usage upon reboot

CentOS 7 issues:
https://www.adminsys.ch/2015/08/21/installing-clamav-epel-centosred-hat-7-nightmare/ 
http://linux-audit.com/install-clamav-on-centos-7-using-freshclam/

If not CentOS7, start with this procedure - or see steps listed below: 
http://www.centosblog.com/how-to-install-clamav-and-configure-daily-scanning-on-centos/

Other links: 
http://www.clamav.net/
http://tboxmy.blogspot.com/2013/06/install-clamav-antivirus-on-centos.html
http://tboxmy.blogspot.com/2013/06/install-yum-repo-for-centos.html
http://www.digitalsanctuary.com/tech-blog/debian/automated-clamav-virus-scanning.html

Steps done as root on local linux box:

Notes:

  • Make sure the “epel” yum repository is installed first
  • Using the “rpmforge” repository resulted in conflicting clam vs clamav users
  • The “clamav-milter” package is only for sendmail scanning on send

yum install clamav clamav-db clamav-devel clamav-milter clamd

chkconfig --list | grep clam (should see results for “clamav-milter” and “clamd”)

chkconfig clamav-milter on

chkconfig clamd on

service clamd start

service clamav-milter start

freshclam (to update)

run a recursive scan: clamscan -r -l scan.txt /path/to/dir

Set up crons (credit Devon Hillard):

/etc/cron.hourly/clamscan_hourly

#!/bin/bash
# email subject
SUBJECT="VIRUS DETECTED ON `hostname`!!!"
# Email To ?
EMAIL="USER@DOMAIN"
# Log location
LOG=/var/log/clamav/scan.log
echo "" >> ${LOG}
echo "***Start /etc/cron.hourly/clamscan_hourly at `date`" >> ${LOG}
check_scan () {
    # Check the last set of results. If the "Infected files:" count in the summary
    # is not zero, we have a problem. Match ": 0" at end of line rather than
    # "grep -v 0", which would also throw away counts such as 10 or 100.
    if [ `tail -n 12 ${LOG} | grep 'Infected files:' | grep -v ': 0$' | wc -l` != 0 ]
    then
        EMAILMESSAGE=`mktemp /tmp/virus-alert.XXXXX`
        echo "To: ${EMAIL}" >> ${EMAILMESSAGE}
        echo "From: root@`hostname`" >> ${EMAILMESSAGE}
        echo "Subject: ${SUBJECT}" >> ${EMAILMESSAGE}
        echo "Importance: High" >> ${EMAILMESSAGE}
        echo "X-Priority: 1" >> ${EMAILMESSAGE}
        tail -n 50 ${LOG} >> ${EMAILMESSAGE}
        #sendmail -t < ${EMAILMESSAGE}
        /usr/bin/mutt -s "${SUBJECT}" "${EMAIL}" < ${EMAILMESSAGE}
        rm -f ${EMAILMESSAGE}
    fi
}
# Scan files modified (-mmin) or whose inode changed (-cmin) in the last 61 minutes,
# skipping the /proc and /sys pseudo-filesystems.
find / -not -wholename '/sys/*' -and -not -wholename '/proc/*' -mmin -61 -type f -print0 | xargs -0 -r clamscan --exclude-dir=/proc/ --exclude-dir=/sys/ --quiet --infected --log=${LOG}
check_scan
find / -not -wholename '/sys/*' -and -not -wholename '/proc/*' -cmin -61 -type f -print0 | xargs -0 -r clamscan --exclude-dir=/proc/ --exclude-dir=/sys/ --quiet --infected --log=${LOG}
check_scan
echo "***End /etc/cron.hourly/clamscan_hourly at `date`" >> ${LOG}
echo "" >> ${LOG}

/etc/cron.daily/clamscan_daily

#!/bin/bash
# email subject
SUBJECT="VIRUS DETECTED ON `hostname`!!!"
# Email To ?
EMAIL="USER@DOMAIN"
# Log location
LOG=/var/log/clamav/scan.log
echo "" >> ${LOG}
echo "***Start /etc/cron.daily/clamscan_daily at `date`" >> ${LOG}
check_scan () {
    # Check the last set of results. If the "Infected files:" count in the summary
    # is not zero, we have a problem. Match ": 0" at end of line rather than
    # "grep -v 0", which would also throw away counts such as 10 or 100.
    if [ `tail -n 12 ${LOG} | grep 'Infected files:' | grep -v ': 0$' | wc -l` != 0 ]
    then
        EMAILMESSAGE=`mktemp /tmp/virus-alert.XXXXX`
        echo "To: ${EMAIL}" >> ${EMAILMESSAGE}
        echo "From: root@`hostname`" >> ${EMAILMESSAGE}
        echo "Subject: ${SUBJECT}" >> ${EMAILMESSAGE}
        echo "Importance: High" >> ${EMAILMESSAGE}
        echo "X-Priority: 1" >> ${EMAILMESSAGE}
        tail -n 50 ${LOG} >> ${EMAILMESSAGE}
        #sendmail -t < ${EMAILMESSAGE}
        /usr/bin/mutt -s "${SUBJECT}" "${EMAIL}" < ${EMAILMESSAGE}
        rm -f ${EMAILMESSAGE}
    fi
}
# Full recursive scan; exclude /proc as well as /sys, as the hourly script does,
# since scanning the /proc pseudo-files only produces errors.
clamscan -r / --exclude-dir=/proc/ --exclude-dir=/sys/ --quiet --infected --log=${LOG}
check_scan
echo "***End /etc/cron.daily/clamscan_daily at `date`" >> ${LOG}
echo "" >> ${LOG}
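Both cron scripts above decide whether to alert by grepping the clamscan summary for an "Infected" line that contains no zero. The following is an added example, not part of the original notes or the credited scripts, that shows with constructed summary blocks why that test misses a count such as 10 and how to parse the count from the "Infected files:" line instead.

```shell
#!/bin/bash
# Added example, not part of the original notes or the cron scripts above.
# It parses the "Infected files:" line of a clamscan summary so the cron
# check is not fooled by counts that contain a zero digit (10, 20, 100 ...).

# Constructed sample of what clamscan --log appends after a scan with 10 hits.
SAMPLE_LOG_TEN='----------- SCAN SUMMARY -----------
Known viruses: 8000000
Scanned directories: 42
Scanned files: 1234
Infected files: 10
Time: 3.210 sec (0 m 3 s)'

# Constructed sample of a clean run.
SAMPLE_LOG_CLEAN='----------- SCAN SUMMARY -----------
Scanned files: 1234
Infected files: 0
Time: 3.210 sec (0 m 3 s)'

# Print the count from the last "Infected files:" line in the given text.
# Returns 1 when no summary line exists (e.g. find passed nothing to clamscan),
# so the caller can tell "no result" apart from "zero infected".
infected_count() {
    local line
    line=$(printf '%s\n' "$1" | grep 'Infected files:' | tail -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "${line##*: }"
}

# The check used by the original scripts: lines mentioning Infected that
# contain no '0' character. "Infected files: 10" is dropped by grep -v 0,
# so this prints 0 for the ten-hit sample.
naive_check() {
    printf '%s\n' "$1" | grep Infected | grep -v 0 | wc -l | tr -d ' '
}

# Exit status: 0 = clean, 1 = infections found, 2 = no summary present.
check_summary() {
    local n
    n=$(infected_count "$1") || return 2
    [ "$n" -eq 0 ] && return 0
    return 1
}
```

In a cron script, `check_summary "$(tail -n 12 "$LOG")"` gives a status the script can branch on, with the "no summary" case separated so an hour in which nothing was scanned does not re-alert on an older result.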

Make sure that the new cron files are set to executable (chmod +x)

Remember that email from crons will require setup (see GMail on Linux with SSMTP)

Test that clamd runs upon a reboot (it should)

Clamav may report errors in the scan logs if SELinux is set to enforcing; some files cannot be checked even as root.

Check /var/log/clamav for log files updating; freshclam failed on one box because log files had bad permissions. User “clam” and user “clamav” seemed to conflict, and another box only had user clam, not both. This can happen when the clamd RPM and the clamav RPM come from different sources. The following recommendations are what are used in my VM distributions of ZendTo. There are 2 usernames involved: “clam” and “clamav”.

The following is all based on the line

User clam

appearing in the file /etc/clamd.conf

More info: http://zend.to/clamavpermissions.php

Fix: disable the rpmforge repository in the /etc/yum.repos.d/ directory

Other scripts: https://www.annasseh.info/knowledgebase/30/Install-ClamAV--on-CentOS-6---64-bit-plus-Configure-Daily-Scanning.html


Copyright © 즐거운 코딩 생활 ( funyphp ). All rights reserved.