diff --git a/active/software_clamav/clamav.md b/active/software_clamav/clamav.md index 2073150..e042b15 100644 --- a/active/software_clamav/clamav.md +++ b/active/software_clamav/clamav.md @@ -1,11 +1,15 @@ # Clamav - [Clamav](#clamav) - - [Quick Start](#quick-start) + - [Installation](#installation) + - [Notifications](#notifications) + - [Selinux](#selinux) - [On Access Scanning](#on-access-scanning) - [Testing](#testing) -## Quick Start + + +## Installation @@ -51,7 +55,7 @@ sudo setsebool -P antivirus_can_scan_system 1 Edit the `clamd@` service to limit system resources. ```bash -sudo systemctl edit clamd@ +sudo -E systemctl edit clamd@ [Service] Nice=18 
@@ -67,18 +71,72 @@ sudo systemctl enable --now clamd@scan sudo systemctl status clamd@scan ``` +Scan something + +```bash +sudo clamdscan -c /etc/clamd.d/scan.conf --multiscan --fdpass ~/Downloads +``` + Allow your user to run scans ```bash sudo -E usermod -aG virusgroup $USER ``` -## On Access Scanning +## Notifications -If you want to cripple your computer you can enable on-access scanning. +Create a new file called `/etc/clamav/virust-event.sh` and add the following ```bash -sudo systemctl edit clamav-clamonacc.service +#!/bin/bash + +PATH=/usr/bin +ALERT="Signature detected by clamav: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME" + +# Send an alert to all graphical users. +for ADDRESS in /run/user/*; do + # Skip root, they likely won't have a desktop session anyway + if [ ${ADDRESS} != "/run/user/0" ]; then + USERID=${ADDRESS#/run/user/} + /usr/bin/sudo -u "#$USERID" DBUS_SESSION_BUS_ADDRESS="unix:path=$ADDRESS/bus" PATH=${PATH} \ + /usr/bin/notify-send -u critical -i dialog-warning "ClamAV Alert!" "$ALERT" + fi +done +``` + +Then ensure you have `VirusEvent /etc/clamav/virus-event.bash` in your +`scan.conf`. + +Allow clamav to run notify-send in `/etc/sudoers.d/clamav` by adding `clamav +ALL = (ALL) NOPASSWD: SETENV: /usr/bin/notify-send`. + +### Selinux + +Troubleshooting notification permission denied errors is tricky, but it basically involves: + +1. Disable selinux hidden denies: `sudo semodule -DB` +2. Clear the selinux audit logs: `sudo rm /var/log/audit/audit.log*` +3. Set enforce to permissive: `sudo setenforce 0` +4. Try to access eicar.com with clamonacc enabled +5. Capture the audit logs in a `sudo ausearch --raw | audit2allow -m clamav-rules` +6. Set enforce to enforcing: `sudo setenforce 1` +7. Re-enable selinux hidden denies (if you want): `sudo semodule -B` + +8. `sudo setsebool daemons_enable_cluster_mode on` +9. `sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-notifysend.pp` +10. 
`sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-sudo.pp` +11. `sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-unixchkpwd.pp` + +## On Access Scanning + +If you want to destroy your computer you can enable on-access scanning. + +My recommendation is to only enable on-access scanning for critical ingress +paths, like `~/Downloads` or `~/tmp`. This will help keep system resources free +while also scanning critical points on your system. + +```bash +sudo -E systemctl edit clamav-clamonacc.service [Service] ExecStart= @@ -95,5 +153,13 @@ scanner should have its signature included in its database. 1. Create a new file called `eicar.com` 2. Add the contents: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*` -3. Save and scan: `clamdscan eicar.com` -4. If you have on access scanning enabled you shouldn't be able to open it. \ No newline at end of file +3. Save and scan: `clamdscan --fdpass --multiscan eicar.com` + +If you have on access scanning enabled you can try the following + +```bash +cd ~/Downloads/ +wget https://secure.eicar.org/eicar.com.txt +# This should not work +cat eicar.com.txt +``` \ No newline at end of file diff --git a/active/software_clamav/scan.conf b/active/software_clamav/scan.conf index eb4335b..aaa4658 100644 --- a/active/software_clamav/scan.conf +++ b/active/software_clamav/scan.conf @@ -1,3 +1,8 @@ +# ClamAV will refuse to scan files above 2G regardless of what this is set to +MaxFileSize 2G +# MaxScanSize controls how much of an archive is unpacked +MaxScanSize 64G + LogFileMaxSize 50M LogTime yes LogSyslog yes @@ -15,6 +20,7 @@ MaxDirectoryRecursion 20 User clamscan Bytecode yes +HeuristicAlerts yes DetectPUA yes ScanPE yes ScanELF yes 
@@ -24,8 +30,12 @@ ScanOLE2 yes AlertBrokenExecutables no AlertBrokenMedia no -AlertOLE2Macros yes -AlertPartitionIntersection yes +AlertEncrypted no +AlertEncryptedArchive no +AlertEncryptedDoc no +AlertOLE2Macros no +AlertPartitionIntersection no +AlertExceedsMax yes ScanPDF yes ScanSWF yes @@ -33,14 +43,20 @@ ScanXMLDOCS yes ScanHWP3 yes ScanArchive yes -OnAccessIncludePath /home/ducoterra -OnAccessIncludePath /opt -OnAccessIncludePath /var -OnAccessIncludePath /usr -OnAccessIncludePath /etc +# These are just examples, add what you think should be protected. +OnAccessIncludePath /home/ducoterra/Downloads +OnAccessIncludePath /home/ducoterra/Projects +OnAccessIncludePath /home/ducoterra/Applications +OnAccessIncludePath /home/ducoterra/AUR + +# Prevention doesn't work with OnAccessMountPath. +# It works with OnAccessIncludePath, as long as /usr and /etc are not included. +# Including /var while activating prevention is also not recommended, because +# this would slow down package installation by a factor of 1000. +OnAccessPrevention yes OnAccessExcludeUname clamupdate OnAccessExcludeUname clamscan -OnAccessMaxFileSize 5M -OnAccessPrevention yes -OnAccessExtraScanning yes \ No newline at end of file +OnAccessExtraScanning yes + +VirusEvent /etc/clamav/virus-event.bash
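Review bot: in the first clamav.md hunk the new TOC lists `Selinux` at the same level as `Installation` and `Notifications`, but the heading added later in the file is `### Selinux`, a subsection of Notifications; either promote the heading to `## Selinux` or indent the TOC entry one level so the two agree. The two extra blank lines inserted before `## Installation` can also be dropped.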
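Review bot: the Notifications hunk in clamav.md has two mismatches that will stop the alert from ever firing. First, the file the reader is told to create is `/etc/clamav/virust-event.sh`, while the next paragraph and scan.conf point `VirusEvent` at `/etc/clamav/virus-event.bash`; use one name and mention that it must be executable. Second, the sudoers rule is written for user `clamav` (`clamav ALL = (ALL) NOPASSWD: SETENV: /usr/bin/notify-send`), but scan.conf runs the daemon as `User clamscan`, so the VirusEvent script executes as `clamscan` and the rule never matches; change the sudoers user to `clamscan`. In the script itself, quote the test as `[ "${ADDRESS}" != "/run/user/0" ]` and add a `[ -e "${ADDRESS}" ] || continue` guard, otherwise on a host with no logged-in session the glob stays literal and the loop runs `sudo -u '#*'`. In the Selinux list, step 5 uses `audit2allow -m`, which only prints a `.te` module to stdout, while steps 9 to 11 install pre-built `.pp` packages from the repo; either use `-M clamav-rules` to build the package or say that the three `.pp` files are what that step produced. Step 2 deletes the audit history with `rm /var/log/audit/audit.log*`; prefer `sudo ausearch -ts recent` (or rotate the log) so forensic history is kept. Step 8 turns on `daemons_enable_cluster_mode`, a system-wide boolean that loosens confinement for every daemon domain, not just clamd, so a sentence on why it is needed alongside the custom modules would help the reader decide whether to keep it.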
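Review bot: the Testing hunk in clamav.md runs `clamdscan --fdpass --multiscan eicar.com` without `-c /etc/clamd.d/scan.conf`, while the Installation section passes `-c /etc/clamd.d/scan.conf` explicitly; use the same invocation in both places so the test exercises the socket and config the reader just set up. Since this change also adds a VirusEvent handler, the test list should say what to expect from it (a desktop notification on the EICAR hit) so the reader can tell the notification path works, not just the scan.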
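Review bot: in the scan.conf hunk that flips the Alert* options, `AlertExceedsMax yes` means any file that trips `MaxFileSize 2G` or `MaxScanSize 64G` is reported as a detection (`Heuristics.Limits.Exceeded`), and with the new VirusEvent handler that becomes a critical desktop alert for a benign large file; either leave `AlertExceedsMax` at `no` or add a comment saying the noise is intended. `AlertOLE2Macros` and `AlertPartitionIntersection` go from `yes` to `no` and the three `AlertEncrypted*` options are set to `no` with no explanation; a one-line comment in the file on why these were disabled would keep the next reader from silently re-enabling them.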
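Review bot: the last scan.conf hunk removes `OnAccessMaxFileSize 5M`, which does not lift the limit, it just falls back to the default of 5M, so with `~/Downloads` as the main ingress path any downloaded installer or archive larger than 5M is never scanned on access even with `OnAccessPrevention yes`; either keep the line with a comment stating the limit is deliberate or set it to the size you actually want covered (`0` disables the limit). The new `OnAccessIncludePath` entries hard-code `/home/ducoterra`; since the comment says they are examples, a placeholder such as `/home/<user>/Downloads` would make that clearer.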