# Clamav

- [Clamav](#clamav)
  - [Quick Start](#quick-start)
  - [On Access Scanning](#on-access-scanning)
  - [Testing](#testing)

## Quick Start

```bash
# Install
sudo dnf install clamav clamav-freshclam clamd

##### Set up Freshclam #####

# Create freshclam's log file
sudo touch /var/log/freshclam.log
sudo chmod 600 /var/log/freshclam.log
sudo chown clamscan /var/log/freshclam.log

# Copy configuration files
sudo cp active/software_clamav/freshclam.conf /etc/freshclam.conf
sudo chown root:root /etc/freshclam.conf
sudo chmod u=rw,go=r /etc/freshclam.conf

# Update the freshclam DB
sudo freshclam
sudo systemctl enable clamav-freshclam --now

##### Set up Clamd #####

# Create clamd's log file
sudo touch /var/log/clamd.scan
sudo chmod 600 /var/log/clamd.scan
sudo chown clamscan /var/log/clamd.scan

# Copy configuration files
# NOTE: Edit scan.conf OnAccessIncludePath to point to your home dir
vim active/software_clamav/scan.conf
sudo cp active/software_clamav/scan.conf /etc/clamd.d/scan.conf
sudo chown root:root /etc/clamd.d/scan.conf
sudo chmod u=rw,go=r /etc/clamd.d/scan.conf

# Allow clamav with selinux
sudo setsebool -P antivirus_can_scan_system 1
```

Edit the `clamd@` service to limit system resources.

```bash
sudo systemctl edit clamd@
```

Add the following to the override file:

```ini
[Service]
Nice=18
IOSchedulingClass=idle
CPUSchedulingPolicy=idle
```

Then start the clamd service:

```bash
sudo systemctl daemon-reload
sudo systemctl enable --now clamd@scan
sudo systemctl status clamd@scan
```

Allow your user to run scans:

```bash
sudo -E usermod -aG virusgroup $USER
```

## On Access Scanning

If you want to cripple your computer you can enable on-access scanning.

```bash
sudo systemctl edit clamav-clamonacc.service
```

Add the following to the override file:

```ini
[Service]
# The empty ExecStart= clears the packaged command before the new one is set
ExecStart=
ExecStart=/usr/sbin/clamonacc -F --fdpass --config-file=/etc/clamd.d/scan.conf
```

Then reload systemd and start the service:

```bash
sudo systemctl daemon-reload
sudo systemctl enable --now clamav-clamonacc.service
```

## Testing

The `eicar` test malware allows you to test any malware scanner, as every scanner should have its signature included in its database.

1. Create a new file called `eicar.com`
2. Add the contents: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`
3. Save and scan: `clamdscan eicar.com`
4. If you have on-access scanning enabled, you shouldn't be able to open it.
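
The manual steps above can be scripted so the check fails loudly when the scanner does not flag the file. This is an added example, not part of the original notes: the `SCANNER` variable, the function names and the `--run` switch are assumptions of the example, and `--fdpass` assumes clamd is reachable over a local socket.

```bash
#!/usr/bin/env bash
# Added example (not from the original README): scripted EICAR self-test.
# SCANNER is an assumption of this example so the scan command can be swapped.
# --fdpass hands clamd an open descriptor, since clamd runs as another user
# and cannot read the private temp dir used below.
SCANNER="${SCANNER:-clamdscan --fdpass --no-summary}"

# The 68-byte EICAR test string from step 2, single-quoted so the shell
# leaves the backslash, "$" and "!" untouched.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Write the test string to the given path without a trailing newline.
write_eicar() {
    printf '%s' "$EICAR" > "$1"
}

# Scan one path and map the clamscan/clamdscan exit codes:
#   0 = no virus found, 1 = virus found, anything else = scan error.
# Returns 0 only when the scanner flagged the file.
eicar_detected() {
    _rc=0
    $SCANNER "$1" >/dev/null 2>&1 || _rc=$?
    case "$_rc" in
        1) return 0 ;;
        0) echo "FAIL: scanner reported $1 as clean" >&2; return 1 ;;
        *) echo "ERROR: scanner exited with $_rc (is clamd@scan running?)" >&2; return 2 ;;
    esac
}

# Create the file in a private temp dir, scan it, and always clean up.
run_eicar_selftest() {
    _dir="$(mktemp -d)" || return 2
    _res=0
    write_eicar "$_dir/eicar.com"
    eicar_detected "$_dir/eicar.com" || _res=$?
    rm -rf "$_dir"
    return "$_res"
}

# Run only when asked, e.g. `bash eicar-selftest.sh --run`.
if [ "${1:-}" = "--run" ]; then
    run_eicar_selftest && echo "OK: EICAR test file detected"
    exit $?
fi
```

A "clean" verdict and a scan error are reported separately, so a stopped `clamd@scan` service is not mistaken for a missing signature.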