# Clamav

- [Clamav](#clamav)
  - [Installation](#installation)
  - [Notifications](#notifications)
    - [Selinux](#selinux)
  - [On Access Scanning](#on-access-scanning)
  - [Testing](#testing)

## Installation

```bash
# Install
sudo dnf install clamav clamav-freshclam clamd

##### Set up Freshclam #####
# Create freshclam's log file.
# NOTE: the owner must match DatabaseOwner in freshclam.conf (Fedora's stock
# config uses clamupdate); freshclam drops to that user before opening the log.
sudo touch /var/log/freshclam.log
sudo chmod 600 /var/log/freshclam.log
sudo chown clamscan /var/log/freshclam.log

# Copy configuration files
sudo cp active/software_clamav/freshclam.conf /etc/freshclam.conf
sudo chown root:root /etc/freshclam.conf
sudo chmod u=rw,go=r /etc/freshclam.conf

# Update the freshclam DB, then keep it updated
sudo freshclam
sudo systemctl enable clamav-freshclam --now

##### Set up Clamd #####
# Create clamd's log file (clamd@scan runs as clamscan on Fedora)
sudo touch /var/log/clamd.scan
sudo chmod 600 /var/log/clamd.scan
sudo chown clamscan /var/log/clamd.scan

# Copy configuration files
# NOTE: Edit scan.conf OnAccessIncludePath to point to your home dir
vim active/software_clamav/scan.conf
sudo cp active/software_clamav/scan.conf /etc/clamd.d/scan.conf
sudo chown root:root /etc/clamd.d/scan.conf
sudo chmod u=rw,go=r /etc/clamd.d/scan.conf

# Allow clamav to read the whole system under SELinux (-P persists across reboots)
sudo setsebool -P antivirus_can_scan_system 1
```

Edit the `clamd@` template unit (so the drop-in applies to every instance, including `clamd@scan`) to keep scans from starving interactive work:

```bash
sudo -E systemctl edit clamd@
```

Put the following in the drop-in:

```ini
[Service]
Nice=18
IOSchedulingClass=idle
CPUSchedulingPolicy=idle
```

Then start the clamd service:

```bash
sudo systemctl daemon-reload
sudo systemctl enable --now clamd@scan
sudo systemctl status clamd@scan
```

Scan something (Fedora ships the config as `/etc/clamd.d/scan.conf`, so pass it explicitly; `--fdpass` hands the open descriptors to clamd so it can read files its own user cannot):

```bash
sudo clamdscan -c /etc/clamd.d/scan.conf --multiscan --fdpass ~/Downloads
```

Allow your user to talk to the clamd socket without sudo (log out and back in for the new group to apply):

```bash
sudo usermod -aG virusgroup "$USER"
```

## Notifications

clamd runs the `VirusEvent` command through `sh` on every detection and exports the hit as `CLAM_VIRUSEVENT_VIRUSNAME` and `CLAM_VIRUSEVENT_FILENAME` (ClamAV 0.103 and later). Create `/etc/clamav/virus-event.sh` (`sudo mkdir -p /etc/clamav` first) with the following and make it executable (`sudo chmod 755 /etc/clamav/virus-event.sh`):

```bash
#!/bin/bash
PATH=/usr/bin
ALERT="Signature detected by clamav: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME"

# Send an alert to all graphical users.
for ADDRESS in /run/user/*; do
    # Skip root, they likely won't have a desktop session anyway
    if [ "${ADDRESS}" != "/run/user/0" ]; then
        # Skip runtime dirs without a session bus (and the literal glob when
        # nobody is logged in), otherwise notify-send just errors out.
        [ -S "${ADDRESS}/bus" ] || continue
        USERID=${ADDRESS#/run/user/}
        /usr/bin/sudo -u "#$USERID" DBUS_SESSION_BUS_ADDRESS="unix:path=$ADDRESS/bus" PATH=${PATH} \
            /usr/bin/notify-send -u critical -i dialog-warning "ClamAV Alert!" "$ALERT"
    fi
done
```

Then ensure you have `VirusEvent /etc/clamav/virus-event.sh` in your `scan.conf`.

The hook runs as the user clamd runs as (the `User` directive in `scan.conf`; `clamscan` on Fedora, matching the log ownership above), so that user needs a sudo rule to run `notify-send` as the desktop users and to pass the D-Bus address through. Add it with `sudo visudo -f /etc/sudoers.d/clamav`:

```
clamscan ALL = (ALL) NOPASSWD: SETENV: /usr/bin/notify-send
```

### Selinux

Troubleshooting permission-denied errors from the notification hook is fiddly, but it basically involves:

1. Show the denials SELinux normally hides (`dontaudit` rules): `sudo semodule -DB`
2. Clear the SELinux audit logs: `sudo rm /var/log/audit/audit.log*`
3. Switch to permissive so every denial is logged instead of the first one killing the hook: `sudo setenforce 0`
4. Try to access eicar.com with clamonacc enabled
5. Turn the logged AVCs into a policy module: `sudo ausearch -m AVC --raw | audit2allow -M clamav-rules` (`-M` writes `clamav-rules.te` and `clamav-rules.pp`; read the `.te` before installing it, audit2allow happily allows anything that was denied)
6. Set enforce back to enforcing: `sudo setenforce 1`
7. Re-enable the hidden denials (if you want): `sudo semodule -B`
8. `sudo setsebool -P daemons_enable_cluster_mode on`
9. `sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-notifysend.pp`
10. `sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-sudo.pp`
11. `sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-unixchkpwd.pp`

## On Access Scanning

On-access scanning of the whole filesystem will grind your machine to a halt (every open is a synchronous round trip to clamd). My recommendation is to only enable on-access scanning for critical ingress paths, like `~/Downloads` or `~/tmp`, via `OnAccessIncludePath` in `scan.conf`. This keeps system resources free while still covering the points where untrusted files land.
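Before enabling the hook and clamonacc it is worth checking that `scan.conf` actually carries the directives both depend on. The script below is an added example, not part of this page's repository (`active/software_clamav`): it audits a clamd.conf-style file for a `User`, a `VirusEvent` that points at an existing hook, at least one `OnAccessIncludePath`, `OnAccessPrevention` enabled (without it clamonacc only logs and the `cat` test below will succeed), and `OnAccessExcludeUname` equal to `User` so clamd's own scan reads do not raise further on-access events. The sample config it writes is constructed for the demo: `/home/alice/...` and the hook location are placeholders, `clamscan` and `/run/clamd.scan/clamd.sock` are the Fedora defaults.

```shell
#!/bin/sh
# Added example, not the page's own tooling: audit a clamd scan.conf for the
# directives the VirusEvent hook and clamonacc depend on.

# Print every value of directive $2 from clamd.conf-style file $1, skipping
# comments and blank lines. Returns 0 if at least one line matched.
conf_get() {
    found=1
    while read -r key value; do
        case $key in ''|'#'*) continue ;; esac
        if [ "$key" = "$2" ]; then
            printf '%s\n' "$value"
            found=0
        fi
    done < "$1"
    return $found
}

# Audit $1. Prints one line per check and returns the number of failures.
audit_scan_conf() {
    conf=$1
    fails=0

    if user=$(conf_get "$conf" User); then
        echo "OK   User $user"
    else
        user=root
        echo "FAIL User not set; clamd keeps the uid systemd started it with"
        fails=$((fails + 1))
    fi

    if hook=$(conf_get "$conf" VirusEvent); then
        prog=${hook%% *}   # clamd hands VirusEvent to sh -c, so the first word is the program
        if [ -f "$prog" ]; then
            if [ -x "$prog" ]; then
                echo "OK   VirusEvent $prog"
            else
                echo "WARN VirusEvent $prog is not executable (fine only if invoked via sh)"
            fi
        else
            echo "FAIL VirusEvent $prog does not exist"
            fails=$((fails + 1))
        fi
    else
        echo "FAIL VirusEvent not set; detections only go to the log"
        fails=$((fails + 1))
    fi

    if paths=$(conf_get "$conf" OnAccessIncludePath); then
        echo "OK   OnAccessIncludePath:"
        echo "$paths" | while read -r p; do echo "       $p"; done
    else
        echo "FAIL no OnAccessIncludePath; clamonacc has nothing to watch"
        fails=$((fails + 1))
    fi

    prevention=$(conf_get "$conf" OnAccessPrevention || echo no)
    case $prevention in
        [Yy]es|[Tt]rue|1)
            echo "OK   OnAccessPrevention $prevention (reads of detected files are blocked)" ;;
        *)
            echo "FAIL OnAccessPrevention is '$prevention'; clamonacc will log but not block"
            fails=$((fails + 1)) ;;
    esac

    excluded=$(conf_get "$conf" OnAccessExcludeUname || true)
    if [ "$excluded" = "$user" ]; then
        echo "OK   OnAccessExcludeUname $excluded matches User"
    else
        echo "FAIL OnAccessExcludeUname should be '$user' so clamd's own scan reads do not generate new events"
        fails=$((fails + 1))
    fi

    return $fails
}

# Constructed sample (not a full scan.conf) with the directives the audit
# wants, plus an empty executable hook, written under directory $1.
write_sample_conf() {
    : > "$1/virus-event.sh"
    chmod 755 "$1/virus-event.sh"
    cat > "$1/scan.conf" <<EOF
# constructed sample for the audit demo
LogFile /var/log/clamd.scan
LocalSocket /run/clamd.scan/clamd.sock
User clamscan
VirusEvent $1/virus-event.sh
OnAccessIncludePath /home/alice/Downloads
OnAccessIncludePath /home/alice/tmp
OnAccessPrevention yes
OnAccessExcludeUname clamscan
OnAccessMaxFileSize 10M
EOF
}

# Usage: sh audit-scan-conf.sh /etc/clamd.d/scan.conf   (or --demo for the sample)
case ${1:-} in
    '')     ;;   # no arguments: only define the functions
    --demo) tmp=$(mktemp -d); write_sample_conf "$tmp"
            audit_scan_conf "$tmp/scan.conf"; rc=$?
            rm -rf "$tmp"; exit $rc ;;
    *)      audit_scan_conf "$1" ;;
esac
```

The exit status is the number of failed checks, so it drops straight into a pre-flight step before `systemctl enable --now clamav-clamonacc.service`. It does not read `/etc/sudoers.d`, so the sudo rule for the hook still has to be checked by hand.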
Then override the `clamav-clamonacc` service so it reads the same `scan.conf` and passes file descriptors to clamd:

```bash
sudo -E systemctl edit clamav-clamonacc.service
```

Put the following in the drop-in (the empty `ExecStart=` clears the packaged command before replacing it):

```ini
[Service]
ExecStart=
ExecStart=/usr/sbin/clamonacc -F --fdpass --config-file=/etc/clamd.d/scan.conf
```

```bash
sudo systemctl daemon-reload
sudo systemctl enable --now clamav-clamonacc.service
```

clamonacc only blocks access to detected files when `OnAccessPrevention yes` is set in `scan.conf`; without it, hits are logged (and the `VirusEvent` hook fires) but the read goes through.

## Testing

The `eicar` test file lets you test any malware scanner, since every scanner ships a signature for it.

1. Create a new file called `eicar.com`
2. Add the contents: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*` (if you write it from the shell, use single quotes: the string contains `$EICAR`, `$H` and `!`, which bash would otherwise expand)
3. Save and scan: `clamdscan -c /etc/clamd.d/scan.conf --fdpass --multiscan eicar.com` (exit status 1 means a signature matched, 0 clean, 2 error)

If you have on-access scanning enabled you can try the following:

```bash
cd ~/Downloads/
wget https://secure.eicar.org/eicar.com.txt
# With OnAccessPrevention yes this should fail with "Operation not permitted"
cat eicar.com.txt
```
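The three steps above as one script, added here as an example and not part of the page's repository: it writes the EICAR string without letting the shell expand it, verifies the file (68 bytes and, when `sha256sum` is present, the well-known digest), runs it through clamd with the Fedora config path used above, and reports whether reading it is blocked. `scan_with_clamd` assumes a running `clamd@scan` and a caller in `virusgroup`; when `clamdscan` is not installed it says so rather than failing.

```shell
#!/bin/sh
# Added example, not from the page: create the EICAR test file safely,
# verify it, and run it through clamd.

# The 68-byte EICAR test string. Single quotes stop the shell from expanding
# '$EICAR' and '$H', and printf '%s' leaves the backslash in '\P' alone.
eicar_string() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

# Write the test file to $1.
write_eicar() {
    eicar_string > "$1"
}

# Check that $1 is a correct EICAR file: 68 bytes and, when sha256sum is
# installed, the well-known digest. Returns 0 on success.
verify_eicar() {
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -ne 68 ]; then
        echo "bad size: $size bytes"
        return 1
    fi
    if command -v sha256sum >/dev/null 2>&1; then
        sum=$(sha256sum "$1" | cut -d' ' -f1)
        if [ "$sum" != 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f ]; then
            echo "bad sha256: $sum"
            return 1
        fi
    fi
    echo "eicar ok: $1"
}

# Scan $1 through clamd using the Fedora config path from above (override with
# $2). Prints clean/infected/error from clamdscan's exit code (0/1/2), or
# "unavailable" when clamdscan is not installed, and returns that code so
# callers can branch on it. Needs a running clamd@scan and a caller in virusgroup.
scan_with_clamd() {
    conf=${2:-/etc/clamd.d/scan.conf}
    if ! command -v clamdscan >/dev/null 2>&1; then
        echo unavailable
        return 2
    fi
    rc=0
    clamdscan -c "$conf" --fdpass --no-summary "$1" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
    return $rc
}

# With clamonacc watching the directory and OnAccessPrevention yes, reading a
# detected file fails with "Operation not permitted". Prints blocked or readable.
check_onaccess_block() {
    if cat "$1" >/dev/null 2>&1; then
        echo readable
    else
        echo blocked
    fi
}

# Usage: sh eicar-check.sh ~/Downloads/eicar.com
if [ -n "${1:-}" ]; then
    write_eicar "$1"
    verify_eicar "$1"
    scan_with_clamd "$1"
    check_onaccess_block "$1"
fi
```

Run it against a path under an `OnAccessIncludePath` to exercise the whole chain: `verify_eicar` proves the file is really the test string (a common failure is bash eating `$EICAR` and producing a file nothing detects), `scan_with_clamd` should print `infected`, and `check_onaccess_block` should print `blocked` once clamonacc is running with prevention on.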