In this blog post we will learn how to install ClamAV on CentOS 7 and scan the system for malware.

What is ClamAV?

ClamAV is an open-source antivirus engine that uses signature databases to detect trojans, rootkits, malware, viruses and other malicious files.

It ships with a command-line scanner (clamscan), a scalable multi-threaded daemon (clamd) with its own client (clamdscan), and an automatic signature database updater (freshclam).

Many people assume that Linux servers are inherently secure. That is not the case: the packages we install, the applications we deploy and their dependencies can all carry malicious or compromised files, and web applications that accept uploads can have malware dropped onto the server through them.

Systems therefore need to be checked regularly. Note what ClamAV does and does not cover: it is a signature-based malware scanner, so it finds known malicious files on disk (uploaded web shells, infected attachments, trojaned packages). It is not a vulnerability scanner and will not tell you that a package is outdated or exploitable; patch management and a vulnerability scanner are still needed alongside it.

In this article we will set up ClamAV so that infected files can be found and acted on quickly.

Setup ClamAV on CentOS 7

Make sure you have sudo or root privileges before proceeding with the installation.

By default the ClamAV packages are not included in the CentOS base repositories; they come from EPEL.

First add the EPEL repository to the system using the command below.

sudo yum install epel-release -y

Lets install the ClamAV packages on the system using the below command.

sudo yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav-server-systemd clamav clamav-scanner-systemd clamav-devel clamav-lib

After the packages are installed , Execute the below command to check the version of ClamAV installed on the system.

clamscan -V

Configuring ClamAV

There is no need to disable SELinux on CentOS 7. With SELinux enforcing, clamd runs in a confined domain and is not allowed to read every file on the system by default, so a full scan would silently miss files; the fix is to grant the ClamAV domain that access with SELinux booleans, not to turn SELinux off.

Run the command below to check the status of SELinux.

sestatus

If SELinux is reported as enabled (in particular if the current mode is enforcing), execute the commands below to allow ClamAV to read files system-wide and to use its bytecode JIT. The -P flag makes the change persistent across reboots.

sudo setsebool -P antivirus_can_scan_system 1
sudo setsebool -P clamd_use_jit 1

Finally we need to configure ClamAV. Both shipped configuration files contain a line consisting only of the word Example, which deliberately prevents the unedited file from being used; it has to be commented out or removed. In /etc/clamd.d/scan.conf we also uncomment the LocalSocket directive so that the clamd@scan daemon (the one clamdscan talks to; start it with systemctl start clamd@scan if you intend to use the daemon) has a socket to listen on. The clamscan command used in the rest of this article does not need the daemon, but the socket must be configured before clamd@scan will start.

sudo sed -i -e "s/^Example/#Example/" /etc/clamd.d/scan.conf
sudo sed -i -e "s/^#LocalSocket /LocalSocket /" /etc/clamd.d/scan.conf

We also need to enable freshclam, which downloads and updates the virus signature database that ClamAV uses.

Comment out or remove the Example line in /etc/freshclam.conf as well.

sudo sed -i -e "s/^Example/#Example/" /etc/freshclam.conf
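The sed one-liners above are fine when typed once, but in provisioning they are usually run repeatedly. The following is an added example (not part of the original post) that applies the same two edits idempotently, keeps a backup, and verifies the resulting state so a failed edit does not go unnoticed. The default paths /etc/clamd.d/scan.conf and /etc/freshclam.conf are those shipped by EPEL 7; the functions take the file path as an argument so they can be exercised against a copy first.

```shell
#!/bin/sh
# Idempotent ClamAV configuration fix-up for CentOS 7 / EPEL.
# Added example, not from the original post. Run as root with the
# argument "apply" to edit the real files; paths can be overridden
# through SCAN_CONF and FRESHCLAM_CONF (assumed EPEL 7 defaults).
set -u

SCAN_CONF="${SCAN_CONF:-/etc/clamd.d/scan.conf}"
FRESHCLAM_CONF="${FRESHCLAM_CONF:-/etc/freshclam.conf}"

# Comment out the "Example" guard line; keep a backup the first time only.
disable_example() {
  f="$1"
  grep -q '^Example' "$f" || return 0      # nothing to do, already disabled
  cp -p "$f" "$f.bak"
  sed -i -e 's/^Example/#Example/' "$f"
}

# Activate the LocalSocket directive clamd needs; no-op if already active.
enable_local_socket() {
  f="$1"
  grep -q '^LocalSocket ' "$f" && return 0
  sed -i -e 's/^#LocalSocket /LocalSocket /' "$f"
}

# Verification helpers: return 0 only when the file is in the expected state.
check_example_disabled() {
  ! grep -q '^Example' "$1"
}

check_local_socket() {
  # Exactly one active LocalSocket line, never zero and never duplicates.
  [ "$(grep -c '^LocalSocket ' "$1")" -eq 1 ]
}

configure() {
  disable_example "$SCAN_CONF"
  enable_local_socket "$SCAN_CONF"
  disable_example "$FRESHCLAM_CONF"
  check_example_disabled "$SCAN_CONF" \
    && check_local_socket "$SCAN_CONF" \
    && check_example_disabled "$FRESHCLAM_CONF"
}

if [ "${1:-}" = apply ]; then
  configure || { echo "ClamAV configuration check failed" >&2; exit 1; }
fi
```

Because every function checks before it edits, running the script twice leaves the files unchanged, and the final check fails loudly if a future package update moves a directive and the sed pattern stops matching.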

freshclam is the command that updates the ClamAV virus signature databases.

The installed packages do not include up-to-date signatures, so the first update has to be run manually before any scan is useful. Run it as root (freshclam drops to the clamupdate user itself).

sudo freshclam

When it finishes, freshclam reports each database (main, daily, bytecode) that it downloaded or found already up to date. If it fails with a DNS or mirror error, check outbound HTTP access from the server before continuing, because scanning with an empty database finds nothing.


Now we are ready to scan the server.

Running clamscan with no arguments scans only the files directly inside the current working directory. It does not recurse into subdirectories and it does not scan the whole server; to do that you need the -r option with / as the target, as shown further down.

clamscan

Scanning takes longer the more files there are, and a full scan of / on a busy server can take hours.

clamAV

To keep the scan output, redirect it to a file. clamscan writes plain text, so give the report a .txt extension rather than .docx (a .docx name will not make it a Word document and will confuse whoever opens it later).

clamscan -r / > scanreport.txt

The command above scans every file and directory under / recursively and writes the progress and results to scanreport.txt. Note that a recursive scan of / also descends into /proc, /sys and /dev unless you exclude them with --exclude-dir, which is slow and pointless.

To scan a particular directory together with its files and subdirectories, point clamscan at it:

clamscan -r Downloads > downloadreport.txt

To scan everything but list only the infected files in the report, use -i (--infected); --bell additionally rings the terminal bell on each detection:

clamscan -r --bell -i / > infectedfiles.txt

To append just the detections to a separate file, filter for lines ending in FOUND (clamscan prints each detection as path, signature name and FOUND):

clamscan -r ~/Downloads | grep FOUND >> infectedfiles.txt

For scripting, the exit status is more reliable than parsing text: clamscan exits 0 when nothing was found, 1 when at least one infected file was found, and 2 when an error occurred.

Automating the scanning of folders

To run the virus scan at a fixed time we add a cron job. It must go into root's crontab, because only root can read every file on the system; a scan run by an unprivileged user silently skips whatever it cannot open.

Let's say we want to scan the whole server every day at 11 PM. Edit root's crontab:

sudo crontab -e
0 23 * * * /usr/bin/clamscan -r / > scannedoutput.txt

Use the absolute path to clamscan, since cron runs with a minimal PATH. The output file is relative to the home directory of the user owning the crontab (/root here).
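A bare clamscan line in cron writes a report nobody reads and overwrites it every night. The script below is an added example (not part of the original post) of what a practitioner would actually schedule in place of that line: it covers the scan options from the previous section (-r, -i, FOUND filtering, exit codes) and the cron job above. It first proves the signature database works by scanning the public EICAR test string (a harmless standard test file, not malware), runs the scan under nice/ionice and with pseudo-filesystems excluded, logs the outcome to syslog, and mails the list of infected paths only when the exit status says something was found. Assumed: clamscan at /usr/bin/clamscan as installed from EPEL, a log directory /var/log/clamav created by the operator, and a working local mail command; the script name /usr/local/sbin/clamscan-nightly.sh is also an assumption.

```shell
#!/bin/sh
# Nightly ClamAV scan wrapper for cron. Added example, not from the original
# post. Assumptions: /usr/bin/clamscan (EPEL), a log directory /var/log/clamav
# created by the operator, and a working "mail" command for alerts.
set -u

SCAN_ROOT="${SCAN_ROOT:-/}"
LOG_DIR="${LOG_DIR:-/var/log/clamav}"
ALERT_TO="${ALERT_TO:-root}"

# Public EICAR test string: every antivirus engine must flag it, so it tells us
# whether the signature database is loaded before we trust a "clean" result.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# clamscan exit codes: 0 nothing found, 1 something found, 2 error.
scan_status() {
  case "$1" in
    0) echo clean ;;
    1) echo infected ;;
    2) echo error ;;
    *) echo unknown ;;
  esac
}

# Extract the paths from "path: Signature FOUND" lines of a clamscan log.
infected_files() {
  grep ' FOUND$' "$1" | sed 's/: [^:]* FOUND$//'
}

# Self-check: the scanner must return 1 (found) for EICAR, otherwise the
# database is missing or broken and a full scan would be meaningless.
self_check() {
  d=$(mktemp -d)
  printf '%s' "$EICAR" > "$d/eicar.com"
  /usr/bin/clamscan --no-summary "$d/eicar.com" >/dev/null 2>&1
  rc=$?
  rm -rf "$d"
  [ "$rc" -eq 1 ]
}

run_scan() {
  log="$LOG_DIR/clamscan-$(date +%Y%m%d-%H%M%S).log"
  if ! self_check; then
    logger -t clamscan "self-check failed: EICAR not detected, scan aborted"
    return 2
  fi
  # nice/ionice stop the scan from starving real workloads; /proc, /sys,
  # /dev and /run are excluded because descending into them is slow and useless.
  nice -n 19 ionice -c 3 /usr/bin/clamscan -r -i \
    --exclude-dir='^/proc' --exclude-dir='^/sys' \
    --exclude-dir='^/dev' --exclude-dir='^/run' \
    --log="$log" "$SCAN_ROOT" >/dev/null 2>&1
  rc=$?
  logger -t clamscan "scan of $SCAN_ROOT finished: $(scan_status "$rc") (exit $rc), log $log"
  if [ "$rc" -eq 1 ]; then
    infected_files "$log" | mail -s "ClamAV: infected files on $(hostname)" "$ALERT_TO"
  fi
  return "$rc"
}

# root's crontab entry (assumed install path):
#   0 23 * * * /usr/local/sbin/clamscan-nightly.sh run
if [ "${1:-}" = run ]; then
  run_scan
fi
```

Acting on the exit status rather than on grep alone matters because an error (exit 2, for example a missing database directory) produces no FOUND lines either, and would otherwise look identical to a clean night.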

clamscan can consume a lot of CPU. To keep it from starving other workloads we can cap the CPU usage of the scan process.

cpulimit (also from EPEL) limits the CPU usage of a running process, selected either by PID with -p or by executable name with -e; -l sets the allowed percentage of one CPU.

sudo yum install cpulimit -y
cpulimit -p PID -l PERCENT

First start the scan in the background, note its PID, then attach cpulimit to that PID. In the example below the scan is limited to 40% of one CPU.

$ clamscan -r Downloads/ &
[1] 6885
$ cpulimit -p 6885 -l 40

This is how we can limit the CPU usage of the ClamAV scanner. A simpler alternative for scheduled scans is to start clamscan under nice and ionice so the scheduler deprioritises it instead of throttling it after the fact.

Managing ClamAV Service

We can create a systemd unit so that freshclam runs continuously as a daemon and the signature database stays up to date without a manual freshclam run. The unit name must match the name used in the systemctl commands, and locally written units belong in /etc/systemd/system/ (the /usr/lib/systemd/system/ directory is reserved for unit files shipped by packages).

Create a file named freshclam.service under /etc/systemd/system/:

vi /etc/systemd/system/freshclam.service
[Unit]
Description = freshclam signature database updater
After = network.target

[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 2
Restart = on-failure
PrivateTmp = true

[Install]
WantedBy=multi-user.target

freshclam -d runs as a daemon and forks into the background, which is why Type is forking; -c 2 checks for new signatures twice a day. Save and close the file, reload systemd so it picks up the new unit, then start and enable it.

systemctl daemon-reload
systemctl start freshclam
systemctl enable freshclam

Check the status by running the command below.

systemctl status freshclam


The clamconf utility prints the effective ClamAV configuration, including the settings from /etc/clamd.d/scan.conf and /etc/freshclam.conf, which is a quick way to confirm that the edits above were actually picked up.

clamconf

Hopefully this article helped you set up ClamAV and use clamscan to find malware on your CentOS 7 servers. Remember that it complements, and does not replace, regular patching and vulnerability scanning.

Please do check out my other articles.