Clamav

https://wiki.archlinux.org/title/ClamAV

Installation

https://docs.clamav.net/manual/Usage/Configuration.html#first-time-set-up

# Install
sudo dnf install clamav clamav-freshclam clamd

##### Set up Freshclam #####

# Create freshclam's log file
sudo touch /var/log/freshclam.log
sudo chmod 600 /var/log/freshclam.log
sudo chown clamscan /var/log/freshclam.log

# Copy configuration files
sudo cp active/software_clamav/freshclam.conf /etc/freshclam.conf
sudo chown root:root /etc/freshclam.conf
sudo chmod u=rw,go=r /etc/freshclam.conf

# Update the freshclam DB
sudo freshclam
sudo systemctl enable clamav-freshclam --now

##### Set up Clamd #####

# Create clamd's log file
sudo touch /var/log/clamd.scan
sudo chmod 600 /var/log/clamd.scan
sudo chown clamscan /var/log/clamd.scan

# Copy configuration files
# NOTE: Edit scan.conf OnAccessIncludePath to point to your home dir
vim active/software_clamav/scan.conf

sudo cp active/software_clamav/scan.conf /etc/clamd.d/scan.conf
sudo chown root:root /etc/clamd.d/scan.conf
sudo chmod u=rw,go=r /etc/clamd.d/scan.conf

# Allow clamav with selinux
sudo setsebool -P antivirus_can_scan_system 1

Edit the clamd@ service to limit system resources.

sudo -E systemctl edit clamd@

[Service]
Nice=18
IOSchedulingClass=idle
CPUSchedulingPolicy=idle

Then start the clamd service

sudo systemctl daemon-reload
sudo systemctl enable --now clamd@scan
sudo systemctl status clamd@scan

Scan something

sudo clamdscan -c /etc/clamd.d/scan.conf --multiscan --fdpass ~/Downloads

Allow your user to run scans

sudo -E usermod -aG virusgroup $USER

Notifications

Create a new file called /etc/clamav/virus-event.bash and add the following

#!/bin/bash

PATH=/usr/bin
# clamd exports the signature name and the file path in these two variables
ALERT="Signature detected by clamav: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME"

# Send an alert to all graphical users.
for ADDRESS in /run/user/*; do
    # Skip root, they likely won't have a desktop session anyway.
    # Also skip entries without a session bus socket (including the unexpanded
    # glob when nobody is logged in), otherwise sudo/notify-send just errors out.
    if [ "$ADDRESS" != "/run/user/0" ] && [ -S "$ADDRESS/bus" ]; then
        USERID=${ADDRESS#/run/user/}
        /usr/bin/sudo -u "#$USERID" DBUS_SESSION_BUS_ADDRESS="unix:path=$ADDRESS/bus" PATH="$PATH" \
            /usr/bin/notify-send -u critical -i dialog-warning "ClamAV Alert!" "$ALERT"
    fi
done

Then ensure you have VirusEvent /etc/clamav/virus-event.bash in your scan.conf.

Allow clamav to run notify-send by adding clamav ALL = (ALL) NOPASSWD: SETENV: /usr/bin/notify-send to /etc/sudoers.d/clamav (the user named in the rule must be the account clamd actually runs as).

Selinux

Troubleshooting notification permission denied errors is tricky, but it basically involves:

  1. Disable selinux hidden denies: sudo semodule -DB

  2. Clear the selinux audit logs: sudo rm /var/log/audit/audit.log*

  3. Set enforce to permissive: sudo setenforce 0

  4. Try to access eicar.com with clamonacc enabled

  5. Turn the captured denials into a policy module: sudo ausearch --raw | audit2allow -m clamav-rules

  6. Set enforce to enforcing: sudo setenforce 1

  7. Re-enable selinux hidden denies (if you want): sudo semodule -B

  8. sudo setsebool daemons_enable_cluster_mode on

  9. sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-notifysend.pp

  10. sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-sudo.pp

  11. sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-unixchkpwd.pp

On Access Scanning

If you want to destroy your computer you can enable on-access scanning.

My recommendation is to only enable on-access scanning for critical ingress paths, like ~/Downloads or ~/tmp. This will help keep system resources free while also scanning critical points on your system.

sudo -E systemctl edit clamav-clamonacc.service

[Service]
ExecStart=
ExecStart=/usr/sbin/clamonacc -F --fdpass --config-file=/etc/clamd.d/scan.conf

sudo systemctl daemon-reload
sudo systemctl enable --now clamav-clamonacc.service

Testing

The EICAR test file lets you test any malware scanner, since every scanner should have its signature in its database.

  1. Create a new file called eicar.com
  2. Add the contents: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
  3. Save and scan: clamdscan --fdpass --multiscan eicar.com
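The manual test above as a small script, added here as an example and not part of the original notes. It writes the EICAR string from step 2, scans the file through the running clamd with clamdscan, and maps clamdscan's exit status (0 clean, 1 infected, 2 error) to a word so it can be used from other scripts or a cron job. The function names are mine; clamdscan and its --fdpass/--no-summary options are the real tool's.

```shell
# Write the EICAR test file into DIR (as DIR/eicar.com) and print its path.
# The string is the same inert test pattern as in the notes above; no real
# malware is involved. printf '%s' writes it byte for byte, 68 bytes, no newline.
write_eicar_file() {
    dir="$1"
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$dir/eicar.com"
    echo "$dir/eicar.com"
}

# Map clamdscan's documented exit status to a word:
#   0 = no virus found, 1 = virus(es) found, anything else = an error occurred.
classify_scan_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Scan one path with the running clamd and print clean/infected/error.
# The if/else captures the exit status without tripping `set -e`.
scan_path() {
    if clamdscan --fdpass --no-summary "$1" > /dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    classify_scan_exit "$rc"
}

# End-to-end self test: create the file in a scratch directory, scan it,
# clean up, and report. Exits 0 only if clamd flagged the EICAR file.
eicar_selftest() {
    dir=$(mktemp -d)
    file=$(write_eicar_file "$dir")
    result=$(scan_path "$file")
    rm -rf "$dir"
    echo "EICAR scan result: $result"
    [ "$result" = "infected" ]
}
```

Run eicar_selftest as your normal user once you are in virusgroup; a result of "error" usually means clamd is not running or the socket in scan.conf is not reachable, while "clean" means the signature database did not load.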

If you have on-access scanning enabled you can try the following:

cd ~/Downloads/
wget https://secure.eicar.org/eicar.com.txt
# clamonacc should block this read if on-access prevention is working
cat eicar.com.txt

Ignore Signatures

https://docs.clamav.net/faq/faq-ignore.html

# Create the ignore list (the database directory is owned by root)
cd /var/lib/clamav
sudo touch ignore_list.ign2

Then add an ignore, like PUA.Win.Trojan.Xored-1 which is a known false positive.

Then restart clamd: sudo systemctl restart clamd@scan.
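A helper for maintaining that ignore list, added here as an example and not part of the original notes. The .ign2 format is one signature name per line; the helper checks the name looks like a ClamAV signature name, appends it only if it is not already present (so re-running a setup script does not duplicate entries), and lists what is currently ignored. IGN2_FILE, valid_signature_name, ignore_signature and list_ignored are my names; the default path is the file created above.

```shell
# Path of the ignore list that clamd loads from its DatabaseDirectory.
# Override IGN2_FILE to work on a scratch copy instead of the live file.
IGN2_FILE="${IGN2_FILE:-/var/lib/clamav/ignore_list.ign2}"

# Validate a signature name before it goes into the .ign2 file: non-empty,
# no whitespace, only the characters seen in names like PUA.Win.Trojan.Xored-1.
valid_signature_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._:/-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Append a signature name to the ignore list, idempotently.
# Prints "added", "exists" or "invalid"; returns non-zero for invalid names.
ignore_signature() {
    name="$1"
    file="${2:-$IGN2_FILE}"
    if ! valid_signature_name "$name"; then
        echo invalid
        return 1
    fi
    touch "$file"
    # -x matches whole lines only, -F takes the name literally (dots are not wildcards)
    if grep -qxF -- "$name" "$file"; then
        echo exists
        return 0
    fi
    printf '%s\n' "$name" >> "$file"
    echo added
}

# Print the names currently in the ignore list, skipping blank lines.
list_ignored() {
    grep -v '^[[:space:]]*$' "${1:-$IGN2_FILE}" 2>/dev/null || true
}
```

Against the live file this has to run as root (sudo sh -c '. ./ignore.sh; ignore_signature PUA.Win.Trojan.Xored-1'), and clamd still needs the restart from the step above before the entry takes effect.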