add clamav docs

2025-11-13 16:53:02 -05:00
parent b328081b59
commit b526901546
2 changed files with 100 additions and 18 deletions

View File

@@ -1,11 +1,15 @@
# Clamav # Clamav
- [Clamav](#clamav) - [Clamav](#clamav)
- [Quick Start](#quick-start) - [Installation](#installation)
- [Notifications](#notifications)
- [Selinux](#selinux)
- [On Access Scanning](#on-access-scanning) - [On Access Scanning](#on-access-scanning)
- [Testing](#testing) - [Testing](#testing)
## Quick Start <https://wiki.archlinux.org/title/ClamAV>
## Installation
<https://docs.clamav.net/manual/Usage/Configuration.html#first-time-set-up> <https://docs.clamav.net/manual/Usage/Configuration.html#first-time-set-up>
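Review bot: the new TOC lists `- [Selinux](#selinux)` at the same level as `Notifications`, but the body introduces it as `### Selinux` under the Notifications section; either indent the TOC entry or promote the heading to `##` so the table of contents reflects the document structure. The bare Arch wiki URL that replaces `## Quick Start` also needs a one-line caption (for example, "General reference:") so it does not read as a stray line above `## Installation`.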
@@ -51,7 +55,7 @@ sudo setsebool -P antivirus_can_scan_system 1
Edit the `clamd@` service to limit system resources. Edit the `clamd@` service to limit system resources.
```bash ```bash
sudo systemctl edit clamd@ sudo -E systemctl edit clamd@
[Service] [Service]
Nice=18 Nice=18
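Review bot: `sudo -E systemctl edit clamd@` preserves the caller's entire environment just to get `$EDITOR` through to the editor; `sudo --preserve-env=EDITOR systemctl edit clamd@` does the same with a narrower scope, and a short comment on why the flag is there would help, because the same `-E` is later applied to `usermod -aG virusgroup $USER`, where no editor is involved and `$USER` is expanded by the shell before sudo runs. The `[Service]` and `Nice=18` lines are drop-in contents rather than shell commands, so they belong in their own `ini` block after the edit command.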
@@ -67,18 +71,72 @@ sudo systemctl enable --now clamd@scan
sudo systemctl status clamd@scan sudo systemctl status clamd@scan
``` ```
Scan something
```bash
sudo clamdscan -c /etc/clamd.d/scan.conf --multiscan --fdpass ~/Downloads
```
Allow your user to run scans Allow your user to run scans
```bash ```bash
sudo -E usermod -aG virusgroup $USER sudo -E usermod -aG virusgroup $USER
``` ```
## On Access Scanning ## Notifications
If you want to cripple your computer you can enable on-access scanning. Create a new file called `/etc/clamav/virust-event.sh` and add the following
```bash ```bash
sudo systemctl edit clamav-clamonacc.service #!/bin/bash
PATH=/usr/bin
ALERT="Signature detected by clamav: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME"
# Send an alert to all graphical users.
for ADDRESS in /run/user/*; do
# Skip root, they likely won't have a desktop session anyway
if [ ${ADDRESS} != "/run/user/0" ]; then
USERID=${ADDRESS#/run/user/}
/usr/bin/sudo -u "#$USERID" DBUS_SESSION_BUS_ADDRESS="unix:path=$ADDRESS/bus" PATH=${PATH} \
/usr/bin/notify-send -u critical -i dialog-warning "ClamAV Alert!" "$ALERT"
fi
done
```
Then ensure you have `VirusEvent /etc/clamav/virus-event.bash` in your
`scan.conf`.
Allow clamav to run notify-send in `/etc/sudoers.d/clamav` by adding `clamav
ALL = (ALL) NOPASSWD: SETENV: /usr/bin/notify-send`.
### Selinux
Troubleshooting notification permission denied errors is tricky, but it basically involves:
1. Disable selinux hidden denies: `sudo semodule -DB`
2. Clear the selinux audit logs: `sudo rm /var/log/audit/audit.log*`
3. Set enforce to permissive: `sudo setenforce 0`
4. Try to access eicar.com with clamonacc enabled
5. Capture the audit logs in a `sudo ausearch --raw | audit2allow -m clamav-rules`
6. Set enforce to enforcing: `sudo setenforce 1`
7. Re-enable selinux hidden denies (if you want): `sudo semodule -B`
8. `sudo setsebool daemons_enable_cluster_mode on`
9. `sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-notifysend.pp`
10. `sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-sudo.pp`
11. `sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-unixchkpwd.pp`
## On Access Scanning
If you want to destroy your computer you can enable on-access scanning.
My recommendation is to only enable on-access scanning for critical ingress
paths, like `~/Downloads` or `~/tmp`. This will help keep system resources free
while also scanning critical points on your system.
```bash
sudo -E systemctl edit clamav-clamonacc.service
[Service] [Service]
ExecStart= ExecStart=
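Review bot: the notification script is created as `/etc/clamav/virust-event.sh` but the reader is then told to set `VirusEvent /etc/clamav/virus-event.bash`; pick one name (the `scan.conf` in this commit uses `virus-event.bash`) and add a `chmod +x` step, since clamd executes the script directly. The sudoers rule `clamav ALL = (ALL) NOPASSWD: SETENV: /usr/bin/notify-send` names the wrong account: the VirusEvent command runs as clamd's user, which this config sets with `User clamscan`, so the rule must be for `clamscan` or the `sudo -u "#$USERID"` call will prompt for a password and fail silently inside the daemon. In the script itself, quote `"${ADDRESS}"` in the `[ ... ]` test. For the Selinux steps: step 2 `sudo rm /var/log/audit/audit.log*` destroys the audit trail, and `sudo ausearch --start recent` (or noting the time before the test) achieves the same isolation without deleting logs; step 5 `audit2allow -m` only prints a `.te` source, whereas `-M clamav-rules` builds the `.pp` that steps 9 to 11 install, and those `active/os_fedora/selinux_policies/*.pp` paths are relative to this repository, which the doc should say; step 8 `setsebool daemons_enable_cluster_mode on` is not persisted across reboots without `-P`, unlike the `setsebool -P antivirus_can_scan_system 1` shown earlier.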
@@ -95,5 +153,13 @@ scanner should have its signature included in its database.
1. Create a new file called `eicar.com` 1. Create a new file called `eicar.com`
2. Add the contents: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*` 2. Add the contents: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`
3. Save and scan: `clamdscan eicar.com` 3. Save and scan: `clamdscan --fdpass --multiscan eicar.com`
4. If you have on access scanning enabled you shouldn't be able to open it.
If you have on access scanning enabled you can try the following
```bash
cd ~/Downloads/
wget https://secure.eicar.org/eicar.com.txt
# This should not work
cat eicar.com.txt
```
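Review bot: step 3 `clamdscan --fdpass --multiscan eicar.com` scans a single file, so `--multiscan` has no effect; `--fdpass` is the flag that matters because clamd runs as `clamscan` and may not be able to read the user's file otherwise. Steps 1 to 4 should also state which directory the file is created in: with `OnAccessPrevention yes` and only `~/Downloads` (and the other listed paths) in `OnAccessIncludePath`, the claim in step 4 that "you shouldn't be able to open it" holds only inside an included path, which is exactly what the `wget`/`cat eicar.com.txt` block below relies on. Add the expected `FOUND` line from `clamdscan` so readers can tell a signature match from a permission error.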

View File

@@ -1,3 +1,8 @@
# ClamAV will refuse to scan files above 2G regardless of what this is set to
MaxFileSize 2G
# MaxScanSize controls how much of an archive is unpacked
MaxScanSize 64G
LogFileMaxSize 50M LogFileMaxSize 50M
LogTime yes LogTime yes
LogSyslog yes LogSyslog yes
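Review bot: `MaxScanSize 64G` directly under a comment saying ClamAV refuses anything over 2G deserves a note on what is intended: `MaxScanSize` bounds the total bytes scanned per input file including everything unpacked from archives, so 64G lets a single archive bomb keep clamd busy for a very long time, and with `OnAccessPrevention yes` elsewhere in this config the process opening the file is blocked until that scan finishes. Either justify the value in the comment or keep it closer to the previous default.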
@@ -15,6 +20,7 @@ MaxDirectoryRecursion 20
User clamscan User clamscan
Bytecode yes Bytecode yes
HeuristicAlerts yes
DetectPUA yes DetectPUA yes
ScanPE yes ScanPE yes
ScanELF yes ScanELF yes
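Review bot: `HeuristicAlerts yes` is added without a comment, and it is already clamd's default; a short note on why it is spelled out is useful because, with `OnAccessPrevention yes` in the same config, every heuristic or PUA hit becomes a blocked open plus a desktop notification, so false positives have a visible cost to the desktop user.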
@@ -24,8 +30,12 @@ ScanOLE2 yes
AlertBrokenExecutables no AlertBrokenExecutables no
AlertBrokenMedia no AlertBrokenMedia no
AlertOLE2Macros yes AlertEncrypted no
AlertPartitionIntersection yes AlertEncryptedArchive no
AlertEncryptedDoc no
AlertOLE2Macros no
AlertPartitionIntersection no
AlertExceedsMax yes
ScanPDF yes ScanPDF yes
ScanSWF yes ScanSWF yes
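Review bot: `AlertExceedsMax yes` makes clamd report files that exceed `MaxFileSize`/`MaxScanSize` as detections; combined with `OnAccessPrevention yes` and `VirusEvent`, any oversized download will be denied on open and raise a "ClamAV Alert!" notification, so either document that behaviour next to the setting or leave it at `no`. Flipping `AlertOLE2Macros` and `AlertPartitionIntersection` from `yes` to `no` drops coverage the previous config had; add a comment with the reason so the next reader does not re-enable them without knowing why they were turned off.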
@@ -33,14 +43,20 @@ ScanXMLDOCS yes
ScanHWP3 yes ScanHWP3 yes
ScanArchive yes ScanArchive yes
OnAccessIncludePath /home/ducoterra # These are just examples, add what you think should be protected.
OnAccessIncludePath /opt OnAccessIncludePath /home/ducoterra/Downloads
OnAccessIncludePath /var OnAccessIncludePath /home/ducoterra/Projects
OnAccessIncludePath /usr OnAccessIncludePath /home/ducoterra/Applications
OnAccessIncludePath /etc OnAccessIncludePath /home/ducoterra/AUR
# Prevention doesn't work with OnAccessMountPath.
# It works with OnAccessIncludePath, as long as /usr and /etc are not included.
# Including /var while activating prevention is also not recommended, because
# this would slow down package installation by a factor of 1000.
OnAccessPrevention yes
OnAccessExcludeUname clamupdate OnAccessExcludeUname clamupdate
OnAccessExcludeUname clamscan OnAccessExcludeUname clamscan
OnAccessMaxFileSize 5M OnAccessExtraScanning yes
OnAccessPrevention yes
OnAccessExtraScanning yes VirusEvent /etc/clamav/virus-event.bash
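Review bot: `VirusEvent /etc/clamav/virus-event.bash` must match the script the README creates, which it currently names `/etc/clamav/virust-event.sh`; fix one side. Removing `OnAccessMaxFileSize 5M` keeps the same behaviour only because 5M is clamd's default, so add a comment if relying on the default is intentional, since files above that size in `~/Downloads` are simply not scanned on access and the new `AlertExceedsMax` setting does not apply to this path. The comment "slow down package installation by a factor of 1000" should either cite a measurement or be softened to "significantly", and the `/home/ducoterra/...` entries are fine as examples but the comment above them should say to replace the username.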