From 75f4aaebf1ca7e2cc90bbd587ba17215e79d498e Mon Sep 17 00:00:00 2001
From: ducoterra
Date: Fri, 7 Nov 2025 13:29:02 -0500
Subject: [PATCH] add clamav docs
---
 .gitignore | 3 +-
 active/software_clamav/clamav.md | 99 +++++++++++++++++++++++++++
 active/software_clamav/freshclam.conf | 8 +++
 active/software_clamav/scan.conf | 46 +++++++++++++
 4 files changed, 155 insertions(+), 1 deletion(-)
 create mode 100644 active/software_clamav/clamav.md
 create mode 100644 active/software_clamav/freshclam.conf
 create mode 100644 active/software_clamav/scan.conf
diff --git a/.gitignore b/.gitignore
index 9f2a97e..6f96ba3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,4 +7,5 @@ __pycache__/
 .pytest_cache/
 .venv/
 .mypy_cache
-TODO.md
\ No newline at end of file
+TODO.md
+eicar.com
\ No newline at end of file
diff --git a/active/software_clamav/clamav.md b/active/software_clamav/clamav.md
new file mode 100644
index 0000000..2073150
--- /dev/null
+++ b/active/software_clamav/clamav.md
@@ -0,0 +1,99 @@
+# Clamav
+
+- [Clamav](#clamav)
+ - [Quick Start](#quick-start)
+ - [On Access Scanning](#on-access-scanning)
+ - [Testing](#testing)
+
+## Quick Start
+
+
+
+```bash
+# Install
+sudo dnf install clamav clamav-freshclam clamd
+
+##### Set up Freshclam #####
+
+# Create freshclam's log file
+sudo touch /var/log/freshclam.log
+sudo chmod 600 /var/log/freshclam.log
+sudo chown clamscan /var/log/freshclam.log
+
+# Copy configuration files
+sudo cp active/software_clamav/freshclam.conf
+sudo chown root:root /etc/freshclam.conf
+sudo chmod u=rw,go=r /etc/freshclam.conf
+
+# Update the freshclam DB
+sudo freshclam
+sudo systemctl enable clamav-freshclam --now
+
+##### Set up Clamd #####
+
+# Create clamd's log file
+sudo touch /var/log/clamd.scan
+sudo chmod 600 /var/log/clamd.scan
+sudo chown clamscan /var/log/clamd.scan
+
+# Copy configuration files
+# NOTE: Edit scan.conf OnAccessIncludePath to point to your home dir
+vim active/software_clamav/scan.conf
+
+sudo cp active/software_clamav/scan.conf /etc/clamd.d/scan.conf
+sudo chown root:root /etc/clamd.d/scan.conf
+sudo chmod u=rw,go=r /etc/clamd.d/scan.conf
+
+# Allow clamav with selinux
+sudo setsebool -P antivirus_can_scan_system 1
+```
+
+Edit the `clamd@` service to limit system resources.
+
+```bash
+sudo systemctl edit clamd@
+
+[Service]
+Nice=18
+IOSchedulingClass=idle
+CPUSchedulingPolicy=idle
+```
+
+Then start the clamd service
+
+```bash
+sudo systemctl daemon-reload
+sudo systemctl enable --now clamd@scan
+sudo systemctl status clamd@scan
+```
+
+Allow your user to run scans
+
+```bash
+sudo -E usermod -aG virusgroup $USER
+```
+
+## On Access Scanning
+
+If you want to cripple your computer you can enable on-access scanning.
+
+```bash
+sudo systemctl edit clamav-clamonacc.service
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/clamonacc -F --fdpass --config-file=/etc/clamd.d/scan.conf
+
+sudo systemctl daemon-reload
+sudo systemctl enable --now clamav-clamonacc.service
+```
+
+## Testing
+
+The `eicar` test malware allows you to test any malware scanner, as every
+scanner should have its signature included in its database.
+
+1. Create a new file called `eicar.com`
+2. Add the contents: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`
+3. Save and scan: `clamdscan eicar.com`
+4. If you have on access scanning enabled you shouldn't be able to open it.
\ No newline at end of file
diff --git a/active/software_clamav/freshclam.conf b/active/software_clamav/freshclam.conf
new file mode 100644
index 0000000..3c8d0d1
--- /dev/null
+++ b/active/software_clamav/freshclam.conf
@@ -0,0 +1,8 @@
+LogFileMaxSize 100M
+LogTime yes
+
+DatabaseDirectory /var/lib/clamav
+DatabaseOwner clamupdate
+DatabaseMirror database.clamav.net
+
+Bytecode yes
\ No newline at end of file
diff --git a/active/software_clamav/scan.conf b/active/software_clamav/scan.conf
new file mode 100644
index 0000000..eb4335b
--- /dev/null
+++ b/active/software_clamav/scan.conf
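Review bot: `LogFileMaxSize 100M` on the first line of freshclam.conf has nothing to act on, because the file never sets `UpdateLogFile`; the docs in this commit create /var/log/freshclam.log, but nothing in this config points freshclam at it. Add `UpdateLogFile /var/log/freshclam.log` beside `LogFileMaxSize`. The same pattern appears in the scan.conf hunk, where `LogFileMaxSize 50M` is set without a `LogFile` directive, so with `LogSyslog yes` scan results reach only syslog and the /var/log/clamd.scan file the docs prepare stays unused. Separately, `DatabaseOwner clamupdate` means freshclam drops to that user when started as root, while the docs chown the 0600 log file to clamscan — worth confirming the log is actually writable by clamupdate before relying on it.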
@@ -0,0 +1,46 @@
+LogFileMaxSize 50M
+LogTime yes
+LogSyslog yes
+
+ExtendedDetectionInfo yes
+
+LocalSocket /var/run/clamd.scan/clamd.socket
+LocalSocketGroup virusgroup
+LocalSocketMode 660
+FixStaleSocket yes
+
+MaxThreads 8
+MaxDirectoryRecursion 20
+
+User clamscan
+
+Bytecode yes
+DetectPUA yes
+ScanPE yes
+ScanELF yes
+ScanMail yes
+ScanHTML yes
+ScanOLE2 yes
+
+AlertBrokenExecutables no
+AlertBrokenMedia no
+AlertOLE2Macros yes
+AlertPartitionIntersection yes
+
+ScanPDF yes
+ScanSWF yes
+ScanXMLDOCS yes
+ScanHWP3 yes
+ScanArchive yes
+
+OnAccessIncludePath /home/ducoterra
+OnAccessIncludePath /opt
+OnAccessIncludePath /var
+OnAccessIncludePath /usr
+OnAccessIncludePath /etc
+
+OnAccessExcludeUname clamupdate
+OnAccessExcludeUname clamscan
+OnAccessMaxFileSize 5M
+OnAccessPrevention yes
+OnAccessExtraScanning yes
\ No newline at end of file
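Review bot: `OnAccessIncludePath /home/ducoterra` commits one user's home directory into a config the docs expect readers to copy verbatim to /etc/clamd.d/scan.conf; the docs tell readers to edit it, but the file itself gives no hint which lines are site-specific. clamd.conf accepts `#` comments, so a line such as `# EDIT: the OnAccessIncludePath entries below are site-specific; list the directories you want watched` above that block would make the copied file self-explanatory. With `OnAccessPrevention yes` and /etc, /usr and /var included, every open in those trees waits on a clamd verdict, including package-manager writes run as root; the docs acknowledge the cost, but a comment noting that `OnAccessExcludeRootUID yes` is the knob that relieves it (at the price of not checking root's own opens) would help the next reader weigh that trade-off.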