services/homelab
1
1
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
homelab/active/software_clamav/clamav.md

181 lines
4.9 KiB
Markdown
Raw Permalink Blame History

# Clamav
- [Clamav](#clamav)
- [Installation](#installation)
- [Notifications](#notifications)
- [Selinux](#selinux)
- [On Access Scanning](#on-access-scanning)
- [Testing](#testing)
- [Ignore Signatures](#ignore-signatures)
<https://wiki.archlinux.org/title/ClamAV>
## Installation
<https://docs.clamav.net/manual/Usage/Configuration.html#first-time-set-up>
```bash
# Install
sudo dnf install clamav clamav-freshclam clamd
##### Set up Freshclam #####
# Create freshclam's log file
sudo touch /var/log/freshclam.log
sudo chmod 600 /var/log/freshclam.log
sudo chown clamscan /var/log/freshclam.log
# Copy configuration files
sudo cp active/software_clamav/freshclam.conf
sudo chown root:root /etc/freshclam.conf
sudo chmod u=rw,go=r /etc/freshclam.conf
# Update the freshclam DB
sudo freshclam
sudo systemctl enable clamav-freshclam --now
##### Set up Clamd #####
# Create clamd's log file
sudo touch /var/log/clamd.scan
sudo chmod 600 /var/log/clamd.scan
sudo chown clamscan /var/log/clamd.scan
# Copy configuration files
# NOTE: Edit scan.conf OnAccessIncludePath to point to your home dir
vim active/software_clamav/scan.conf
sudo cp active/software_clamav/scan.conf /etc/clamd.d/scan.conf
sudo chown root:root /etc/clamd.d/scan.conf
sudo chmod u=rw,go=r /etc/clamd.d/scan.conf
# Allow clamav with selinux
sudo setsebool -P antivirus_can_scan_system 1
```
Edit the `clamd@` service to limit system resources.
```bash
sudo -E systemctl edit clamd@
[Service]
Nice=18
IOSchedulingClass=idle
CPUSchedulingPolicy=idle
```
Then start the clamd service
```bash
sudo systemctl daemon-reload
sudo systemctl enable --now clamd@scan
sudo systemctl status clamd@scan
```
Scan something
```bash
sudo clamdscan -c /etc/clamd.d/scan.conf --multiscan --fdpass ~/Downloads
```
Allow your user to run scans
```bash
sudo -E usermod -aG virusgroup $USER
```
## Notifications
Create a new file called `/etc/clamav/virust-event.sh` and add the following
```bash
#!/bin/bash
PATH=/usr/bin
ALERT="Signature detected by clamav: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME"
# Send an alert to all graphical users.
for ADDRESS in /run/user/*; do
# Skip root, they likely won't have a desktop session anyway
if [ ${ADDRESS} != "/run/user/0" ]; then
USERID=${ADDRESS#/run/user/}
/usr/bin/sudo -u "#$USERID" DBUS_SESSION_BUS_ADDRESS="unix:path=$ADDRESS/bus" PATH=${PATH} \
/usr/bin/notify-send -u critical -i dialog-warning "ClamAV Alert!" "$ALERT"
fi
done
```
Then ensure you have `VirusEvent /etc/clamav/virus-event.bash` in your
`scan.conf`.
Allow clamav to run notify-send in `/etc/sudoers.d/clamav` by adding `clamav
ALL = (ALL) NOPASSWD: SETENV: /usr/bin/notify-send`.
### Selinux
Troubleshooting notification permission denied errors is tricky, but it basically involves:
1. Disable selinux hidden denies: `sudo semodule -DB`
2. Clear the selinux audit logs: `sudo rm /var/log/audit/audit.log*`
3. Set enforce to permissive: `sudo setenforce 0`
4. Try to access eicar.com with clamonacc enabled
5. Capture the audit logs in a `sudo ausearch --raw | audit2allow -m clamav-rules`
6. Set enforce to enforcing: `sudo setenforce 1`
7. Re-enable selinux hidden denies (if you want): `sudo semodule -B`
8. `sudo setsebool daemons_enable_cluster_mode on`
9. `sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-notifysend.pp`
10. `sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-sudo.pp`
11. `sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-unixchkpwd.pp`
## On Access Scanning
If you want to destroy your computer you can enable on-access scanning.
My recommendation is to only enable on-access scanning for critical ingress
paths, like `~/Downloads` or `~/tmp`. This will help keep system resources free
while also scanning critical points on your system.
```bash
sudo -E systemctl edit clamav-clamonacc.service
[Service]
ExecStart=
ExecStart=/usr/sbin/clamonacc -F --fdpass --config-file=/etc/clamd.d/scan.conf
sudo systemctl daemon-reload
sudo systemctl enable --now clamav-clamonacc.service
```
## Testing
The `eicar` test malware allows you to test any malware scanner, as every
scanner should have its signature included in its database.
1. Create a new file called `eicar.com`
2. Add the contents: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`
3. Save and scan: `clamdscan --fdpass --multiscan eicar.com`
If you have on access scanning enabled you can try the following
```bash
cd ~/Downloads/
wget https://secure.eicar.org/eicar.com.txt
# This should not work
cat eicar.com.txt
```
## Ignore Signatures
<https://docs.clamav.net/faq/faq-ignore.html>
```bash
# Create the ignore list
cd /var/lib/clamav
touch ignore_list.ign2
```
Then add an ignore, like `PUA.Win.Trojan.Xored-1` which is a [known false
positive](https://github.com/jensyt/imurmurhash-js/issues/1).
Then `systemctl restart clamd@scan`.
Reference in New Issue View Git Blame Copy Permalink