add clamav docs

active/software_clamav/clamav.md

@@ -1,11 +1,15 @@
 # Clamav
 
 - [Clamav](#clamav)
-  - [Quick Start](#quick-start)
+  - [Installation](#installation)
+  - [Notifications](#notifications)
+    - [Selinux](#selinux)
   - [On Access Scanning](#on-access-scanning)
   - [Testing](#testing)
 
-## Quick Start
+<https://wiki.archlinux.org/title/ClamAV>
+
+## Installation
 
 <https://docs.clamav.net/manual/Usage/Configuration.html#first-time-set-up>
 
@@ -51,7 +55,7 @@ sudo setsebool -P antivirus_can_scan_system 1
 Edit the `clamd@` service to limit system resources.
 
 ```bash
-sudo systemctl edit clamd@
+sudo -E systemctl edit clamd@
 
 [Service]
 Nice=18
@@ -67,18 +71,72 @@ sudo systemctl enable --now clamd@scan
 sudo systemctl status clamd@scan
 ```
 
+Scan something
+
+```bash
+sudo clamdscan -c /etc/clamd.d/scan.conf --multiscan --fdpass ~/Downloads
+```
+
 Allow your user to run scans
 
 ```bash
 sudo -E usermod -aG virusgroup $USER
 ```
 
-## On Access Scanning
+## Notifications
 
-If you want to cripple your computer you can enable on-access scanning.
+Create a new file called `/etc/clamav/virust-event.sh` and add the following
 
 ```bash
-sudo systemctl edit clamav-clamonacc.service
+#!/bin/bash
+
+PATH=/usr/bin
+ALERT="Signature detected by clamav: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME"
+
+# Send an alert to all graphical users.
+for ADDRESS in /run/user/*; do
+    # Skip root, they likely won't have a desktop session anyway
+    if [ ${ADDRESS} != "/run/user/0" ]; then
+        USERID=${ADDRESS#/run/user/}
+        /usr/bin/sudo -u "#$USERID" DBUS_SESSION_BUS_ADDRESS="unix:path=$ADDRESS/bus" PATH=${PATH} \
+            /usr/bin/notify-send -u critical -i dialog-warning "ClamAV Alert!" "$ALERT"
+    fi
+done
+```
+
+Then ensure you have `VirusEvent /etc/clamav/virus-event.bash` in your
+`scan.conf`.
+
+Allow clamav to run notify-send in `/etc/sudoers.d/clamav` by adding `clamav
+ALL = (ALL) NOPASSWD: SETENV: /usr/bin/notify-send`.
+
+### Selinux
+
+Troubleshooting notification permission denied errors is tricky, but it basically involves:
+
+1. Disable selinux hidden denies: `sudo semodule -DB`
+2. Clear the selinux audit logs: `sudo rm /var/log/audit/audit.log*`
+3. Set enforce to permissive: `sudo setenforce 0`
+4. Try to access eicar.com with clamonacc enabled
+5. Capture the audit logs in a `sudo ausearch --raw | audit2allow -m clamav-rules`
+6. Set enforce to enforcing: `sudo setenforce 1`
+7. Re-enable selinux hidden denies (if you want): `sudo semodule -B`
+
+8. `sudo setsebool daemons_enable_cluster_mode on`
+9. `sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-notifysend.pp`
+10. `sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-sudo.pp`
+11. `sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-unixchkpwd.pp`
+
+## On Access Scanning
+
+If you want to destroy your computer you can enable on-access scanning.
+
+My recommendation is to only enable on-access scanning for critical ingress
+paths, like `~/Downloads` or `~/tmp`. This will help keep system resources free
+while also scanning critical points on your system.
+
+```bash
+sudo -E systemctl edit clamav-clamonacc.service
 
 [Service]
 ExecStart=
@@ -95,5 +153,13 @@ scanner should have its signature included in its database.
 
 1. Create a new file called `eicar.com`
 2. Add the contents: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`
-3. Save and scan: `clamdscan eicar.com`
-4. If you have on access scanning enabled you shouldn't be able to open it.
+3. Save and scan: `clamdscan --fdpass --multiscan eicar.com`
+
+If you have on access scanning enabled you can try the following
+
+```bash
+cd ~/Downloads/
+wget https://secure.eicar.org/eicar.com.txt
+# This should not work
+cat eicar.com.txt
+```

active/software_clamav/scan.conf

@@ -1,3 +1,8 @@
+# ClamAV will refuse to scan files above 2G regardless of what this is set to
+MaxFileSize 2G
+# MaxScanSize controls how much of an archive is unpacked
+MaxScanSize 64G
+
 LogFileMaxSize 50M
 LogTime yes
 LogSyslog yes
@@ -15,6 +20,7 @@ MaxDirectoryRecursion 20
 User clamscan
 
 Bytecode yes
+HeuristicAlerts yes
 DetectPUA yes
 ScanPE yes
 ScanELF yes
@@ -24,8 +30,12 @@ ScanOLE2 yes
 
 AlertBrokenExecutables no
 AlertBrokenMedia no
-AlertOLE2Macros yes
-AlertPartitionIntersection yes
+AlertEncrypted no
+AlertEncryptedArchive no
+AlertEncryptedDoc no
+AlertOLE2Macros no
+AlertPartitionIntersection no
+AlertExceedsMax yes
 
 ScanPDF yes
 ScanSWF yes
@@ -33,14 +43,20 @@ ScanXMLDOCS yes
 ScanHWP3 yes
 ScanArchive yes
 
-OnAccessIncludePath /home/ducoterra
-OnAccessIncludePath /opt
-OnAccessIncludePath /var
-OnAccessIncludePath /usr
-OnAccessIncludePath /etc
+# These are just examples, add what you think should be protected.
+OnAccessIncludePath /home/ducoterra/Downloads
+OnAccessIncludePath /home/ducoterra/Projects
+OnAccessIncludePath /home/ducoterra/Applications
+OnAccessIncludePath /home/ducoterra/AUR
+
+# Prevention doesn't work with OnAccessMountPath.
+# It works with OnAccessIncludePath, as long as /usr and /etc are not included.
+# Including /var while activating prevention is also not recommended, because
+# this would slow down package installation by a factor of 1000.
+OnAccessPrevention yes
 
 OnAccessExcludeUname clamupdate
 OnAccessExcludeUname clamscan
-OnAccessMaxFileSize 5M
-OnAccessPrevention yes
 OnAccessExtraScanning yes
+
+VirusEvent /etc/clamav/virus-event.bash