What is ClamAV?

ClamAV is an open-source antivirus engine used to detect trojans, rootkits, malware, viruses and other malicious threats.

It comes with built-in utilities such as a command-line scanner, a scalable multi-threaded daemon and an automatic database updater.

Most of us think that Linux servers are very secure and highly protected, but that is not the case. Sometimes the packages we install, the applications we set up and their dependencies have security vulnerabilities.

We have to check the systems regularly for security threats and vulnerabilities. Such issues can be in a file or in the packages we install, and they can also be injected through the websites we host.

To handle such scenarios, we have to set up a proper vulnerability scanner so that we can act immediately on anything it finds.

In this article, we will see how to set up an open-source antivirus engine that helps us identify trojans, malware, malicious threats and viruses.

Setup Clamav on Ubuntu Instances:

First we need to install the clamav packages on all the systems. Since the clamav package is in the system's repository, we can install it directly.

To install clamav on Ubuntu systems, use the below command:

apt-get install clamav

Once clamav is installed, freshclam is included with the package by default.

If you want to know the installed version of clamav, issue the below command:

clamscan -V

freshclam is the command used to update the ClamAV virus definitions.

So for the first time, we need to manually update the virus definition database and the virus signatures.

The first time you run freshclam, you might face an issue like this:

[email protected]:~# freshclam 
ERROR: /var/log/clamav/freshclam.log is locked by another process
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
ERROR: initialize: libfreshclam init failed.
ERROR: Initialization error!

This happens when another freshclam instance is already running (on Ubuntu, the clamav-freshclam service keeps the updater running in the background, which holds the log lock). To fix this, we just have to kill the freshclam process using the below command:

pkill freshclam

Now if you run freshclam, you should see the following output:

[email protected]:~# freshclam
Tue Jan 21 23:04:28 2020 -> ClamAV update process started at Tue Jan 21 23:04:28 2020
Tue Jan 21 23:04:28 2020 -> daily.cvd database is up to date (version: 25702, sigs: 2153296, f-level: 63, builder: raynman)
Tue Jan 21 23:04:28 2020 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Tue Jan 21 23:04:28 2020 -> bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)

Now we are ready to scan the servers.

You can simply run the clamscan command, which will scan all the files and folders on the server and give us the output.

clamscan

This might take longer if you have many files and folders on the server.

If you want to send the scan output to a file, use the below command:

clamscan -r / > scannedreport.docx

If you want to scan a particular folder, including its files and subdirectories, use the below command:

clamscan -r /Downloads > downloadscannedreport.docx

Once the scan is completed, you should see output as shown below:

[email protected]:~$ clamscan -r Music
Music/Wordpress-Pages-Backup/fit-devops.WordPress.2020-01-12.xml: OK
Music/Wordpress-Pages-Backup/fit-devops.WordPress.2020-01-04.xml: OK
Music/Wordpress-Pages-Backup/fit-devops.WordPress.2020-01-16.xml: OK
Music/Wordpress-Pages-Backup/fit-devops.WordPress.2020-01-15.xml: OK
Music/Wordpress-Pages-Backup/fit-devops.WordPress.2020-01-14.xml: OK

----------- SCAN SUMMARY -----------
Known viruses: 6708220
Engine version: 0.102.1
Scanned directories: 2
Scanned files: 5
Infected files: 0
Data scanned: 12.11 MB
Data read: 7.34 MB (ratio 1.65:1)
Time: 17.376 sec (0 m 17 s)

If you want to scan all the files and folders and list only the infected files, use the below command:

clamscan -r --bell -i / > infectedfiles.docs

If you want to append only the infected files found to a separate file, use the below command:

clamscan -r  /Downloads |grep FOUND  >> infectedfiles.docs

Automating the scanning of folders

If you want to schedule the virus scan to run at a particular time, we need to add a cron job.

Let's say we want to scan our servers every day at 11 PM. We will add the following cron job:

crontab -e
0 23 * * * clamscan -r / > scannedoutput.docs

Clamscan can consume a lot of CPU. To overcome that, we can limit the CPU usage of clamscan.

cpulimit is the package we have to install for this; it lets us limit the CPU usage of a process.

apt-get install cpulimit
yum install cpulimit
cpulimit -e program -l %cpu & 

First we have to start the process and then limit the CPU usage of that particular process. Note that cpulimit takes a process ID with -p, while -e expects the name of an executable:

[email protected]:~$ clamscan Downloads/ &
[1] 6885
[email protected]:~$ cpulimit -p 6885 -l 40

This way we can limit the CPU usage of the ClamAV scanner.

Hope this article helped you to mitigate issues related to malware and vulnerabilities using the clamscan virus scanner.
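Putting the recursive scan, the nightly cron job and the CPU cap together, here is an added wrapper script (example code, not from the article) that runs clamscan in the background, throttles it by PID with cpulimit, keeps the full report in a log and prints only the FOUND lines. The sample report at the end is constructed so the parsing functions run without a real scan, and the /srv/uploads paths and the log path are assumed examples.

```shell
#!/bin/sh
# Added example (not from the article): a cron-friendly clamscan wrapper that
# throttles the scanner with cpulimit by PID and reports only infected files.
# Assumes clamscan is installed; cpulimit is optional. Paths below are examples.

# Print only the "path: Signature FOUND" lines from a clamscan report.
extract_found() {
    grep ' FOUND$' || true
}

# Read one counter out of the SCAN SUMMARY block, e.g. summary_field 'Infected files'.
summary_field() {
    sed -n "s/^$1: *\([0-9][0-9]*\).*/\1/p"
}

# Scan $1 recursively into report file $2, capping CPU at $3 percent (default 40).
# Exit status mirrors clamscan: 0 clean, 1 infections found, 2 scanner error.
scan_dir() {
    dir=$1; report=$2; limit=${3:-40}
    clamscan -r "$dir" > "$report" 2>&1 &
    scan_pid=$!
    cl_pid=
    if command -v cpulimit >/dev/null 2>&1; then
        cpulimit -p "$scan_pid" -l "$limit" >/dev/null 2>&1 &
        cl_pid=$!
    fi
    wait "$scan_pid"; status=$?
    [ -n "$cl_pid" ] && kill "$cl_pid" 2>/dev/null
    extract_found < "$report"
    return "$status"
}

# Constructed sample report in clamscan's output format, so the parsing
# functions can be exercised here without a real scan.
SAMPLE_REPORT='/srv/uploads/a.txt: OK
/srv/uploads/eicar.com: Eicar-Test-Signature FOUND
/srv/uploads/b.txt: OK

----------- SCAN SUMMARY -----------
Known viruses: 6708220
Scanned files: 3
Infected files: 1
Time: 0.314 sec (0 m 0 s)'

# Demo on the constructed report. From cron you would instead call e.g.
# scan_dir / /var/log/clamav/nightly.log 40   scheduled as  0 23 * * * /usr/local/sbin/nightly-scan.sh
printf '%s\n' "$SAMPLE_REPORT" | extract_found
printf '%s\n' "$SAMPLE_REPORT" | summary_field 'Infected files'
```

Because the wrapper returns clamscan's own exit status, a cron line such as `... || mail -s "ClamAV hits" admin@example.com` (address is a placeholder) can alert only when something was found.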

Please do check out my other publications.