Installing Clam AntiVirus (ClamAV) on DirectAdmin / CentOS


Clam AntiVirus is a popular open source (GPL) anti-virus toolkit for UNIX, designed for e-mail scanning on mail gateways. It provides a flexible and scalable multi-threaded daemon, a command line scanner and it can detect Trojan horses, viruses, malware and other malicious threats. It also comes with an advanced tool for automatic database updating via the Internet.

 

This article will guide you through the installation and configuration of ClamAV on a DirectAdmin based web server.

 

Note: This guide assumes that you are familiar with SSH and basic command line navigation. These instructions apply primarily to clients who operate our Virtual Private Servers or Dedicated servers.

 

Note: If you do not have root-level access you will not be able to make these changes.

 

Installation

Log in as root and enter the following commands. This adds ClamAV to the CustomBuild configuration and compiles ClamAV and Exim with the ClamAV-enabled Exim configuration:

cd /usr/local/directadmin/custombuild
./build update

./build set clamav yes
./build set clamav_exim yes
./build set exim yes
./build set eximconf yes
./build set eximconf_release 4.5

./build clamav
./build exim
./build exim_conf

 

In case you get the following error when trying to start ClamAV:

[root@server ~]# /etc/init.d/clamd start
Starting clamd: LibClamAV Error: cli_loaddb(): No supported database files found in /usr/share/clamav
ERROR: Can't open file or directory
                                                          [FAILED]

 

or another related error:

LibClamAV Error: cl_load(): Can't get status of /usr/share/clamav

 

This error simply means that the virus database cannot be found. Rebuild it by creating the database directory, handing it to the clamav user and running freshclam:

cd /usr/share
mkdir -p clamav
chown clamav:clamav clamav
freshclam -v

 

Configuration

Edit exim.conf and add the following before "primary_hostname =":

av_scanner = clamd:127.0.0.1 3310

Skip the step above if you are running CustomBuild 2.0, as it adds this for you in the following file: /etc/exim.clamav.load.conf

 

In exim.conf find "check_message:" and paste the ClamAV directives below on the line after it:

  deny message = This message contains malformed MIME ($demime_reason)
       demime = *
       condition = ${if >{$demime_errorlevel}{2}{1}{0}}

  deny message = This message contains a virus or other harmful content ($malware_name)
       demime = *
       malware = */defer_ok

  deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
       demime = bat:com:pif:prf:scr:vbs

  warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

 

Restart exim:

/etc/init.d/exim restart

 

Start the ClamAV daemon for the first time (use "stop" or "restart" in place of "start" to stop or restart it later):

service clamd start

 

To check that clamd is running and listening:

netstat -tap | grep clamd

 

Which should give an output similar to this:

tcp        0      0 localhost.local:dyna-access *:*                         LISTEN      4405/clamd
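A listening socket only proves that clamd answers; it does not prove that the scanner flags anything. The script below is an added example, not part of this article and not ClamAV tooling: it writes the EICAR test string (a harmless, standardised 68-byte string that every anti-virus engine is expected to detect) to a temporary file, submits it through clamdscan and reads the "Infected files" count from the scan summary. The function names, the /usr/bin/clamdscan default and the use of /tmp are assumptions.

```shell
#!/bin/sh
# Added example (not from the article, not ClamAV tooling): check that the
# running clamd actually flags a known-bad sample, not just that it answers.
# Assumed: clamdscan at /usr/bin/clamdscan and clamd able to read /tmp.

# The EICAR test string: 68 bytes that every anti-virus engine is expected to
# flag and that does nothing when run. Built from two halves so that this
# script itself is not quarantined by a scanner that reads its source on disk.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE' '!$H+H*'
}

# Read a clamdscan/clamscan report on stdin and print the number from its
# "Infected files: N" summary line. Prints nothing when there is no summary,
# which is what clamdscan produces when it cannot reach clamd.
infected_count() {
    sed -n 's/^Infected files: \([0-9][0-9]*\).*/\1/p'
}

# Scan an EICAR file through clamd.
# Returns 0 when clamd reports exactly one infected file,
#         1 when clamd scanned the file but did not flag it,
#         2 when no scan summary came back (daemon down, socket or permission problem).
verify_detection() {
    scan="${1:-/usr/bin/clamdscan}"
    tmp=$(mktemp /tmp/eicar.XXXXXX) || return 2
    eicar_string > "$tmp"
    # mktemp creates the file mode 0600; clamd runs as its own user and opens
    # the file by path, so it must be readable by that user
    chmod 644 "$tmp"
    out=$("$scan" "$tmp" 2>&1)
    rm -f "$tmp"
    count=$(printf '%s\n' "$out" | infected_count)
    if [ -z "$count" ]; then
        echo "no scan summary from clamd: $out"
        return 2
    elif [ "$count" -eq 1 ]; then
        echo "clamd flagged the EICAR test file"
        return 0
    else
        echo "clamd did NOT flag the EICAR test file (infected files: $count); check the signature database"
        return 1
    fi
}

# Run the check when invoked as:  sh verify_clamd.sh --run [/path/to/clamdscan]
[ "${1:-}" = "--run" ] && verify_detection "${2:-/usr/bin/clamdscan}"
```

A return code of 2 with "Can't open file or directory" in the output usually means the file permissions, not the daemon, are the problem; a return code of 1 means clamd is up but its database is empty or stale, which is exactly the situation the check script and the freshclam cron job further down are meant to catch.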

 

ClamAV check script

Sometimes the ClamAV virus database becomes corrupted after an update, which prevents the ClamAV daemon from running. The optional script below ensures that:

  1. the ClamAV daemon is running;
  2. if it is not, the script tries to restart the daemon;
  3. if that does not work, it deletes the virus database and downloads a fresh one;
  4. it then attempts to restart the daemon again;
  5. if all of this fails, an e-mail is sent to the address configured in the script.

 

1. Create a test file

First, create a dummy test file. This is an (essentially) empty file that clamdscan submits to clamd during the check:

cd /usr/local/directadmin/scripts/custom
echo "" > clamav.txt

 

2. Create shell script

Create a file named "clamdcheck" in the /usr/local/directadmin/scripts/custom directory (for example with nano clamdcheck or vi clamdcheck). This file holds the shell script that checks ClamAV. Add the script below and save the file when done:

#!/bin/bash
# runs under bash: the "for (( ... ))" loop below is a bash extension, not POSIX sh

# path to an empty dummy test file
testfile="/usr/local/directadmin/scripts/custom/clamav.txt"

# path to the clamav database files without the ending "/"
dbfolder="/usr/share/clamav"

# path to the clamdscan executable
scan="/usr/bin/clamdscan"

# path to the freshclam executable
freshdb="/usr/bin/freshclam"

# number of times the script tries to kick start clamd
trial=10

# email of server administrator
email="user@domain.com"

# server hostname (no modification needed)
myhost=$(hostname)

# email alert subject on failure
subject="Clamd on ${myhost} is down!"

# email alert body message on failure
message="Clamd on ${myhost} is down!"

# clamdscan only prints a SCAN SUMMARY when it could talk to clamd,
# so an empty result means the daemon is not answering
output=$("$scan" "$testfile" | grep "SCAN SUMMARY")

if [ -z "$output" ]; then
        echo "Clamd is not running!"
        echo "Now trying to start clamd..."
        for (( i=1; i<=$trial; i++ ))
        do
                echo "Trial $i..."
                /sbin/service clamd restart
                output=$("$scan" "$testfile" | grep "SCAN SUMMARY")
                if [ -n "$output" ]; then
                        break
                else
                        sleep 3
                fi
        done
        if [ -z "$output" ]; then
                echo "Clamd is still not running!"
                echo "Now trying to refresh clamav database..."
                # ${dbfolder:?} aborts if the variable is empty, so this can
                # never expand to "rm -Rf /*"
                if [ -d "$dbfolder" ]; then
                        rm -Rf "${dbfolder:?}"/*
                fi
                "$freshdb"
                /sbin/service clamd restart
                output=$("$scan" "$testfile" | grep "SCAN SUMMARY")
                if [ -z "$output" ]; then
                        echo "Clamd is still not running!"
                        echo "$message" | mail -s "$subject" "$email"
                        echo "Giving up... email alert has been sent to administrator."
                else
                        echo "Clamd is running now!"
                fi
        else
                echo "Clamd is running now!"
        fi
else
        echo "Clamd is running!"
fi

Ensure that the paths are correct and that you have set your own e-mail address for alerting in the "email" variable.

Don't forget to make the script executable:

chmod 755 clamdcheck

 

3. Set up a cronjob

Cron is a scheduling daemon that runs programs and scripts at arbitrary times or intervals. We need to set up a cronjob so that our script runs periodically (do not schedule it too frequently, as a complete freshclam run takes some time to finish):

crontab -e

 

This will land you in your default editor. Add the cronjob:

15,45 * * * * /usr/local/directadmin/scripts/custom/clamdcheck > /dev/null 2>&1

 

With these settings the cronjob runs every half hour. Make sure to save the file and exit.

To display all cronjobs:

crontab -l

 

Automated Virus Definition updates

You can add another cronjob for automated virus definition updates:

crontab -e

 

The line below sets the cronjob to execute daily, at 05:38 in the morning:

38 05 * * * sudo freshclam
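The cron entry only schedules the update; if freshclam fails quietly (mirror unreachable, wrong ownership on /usr/share/clamav, disk full) the signatures simply go stale while clamd keeps running. The script below is an added example, not from this article: it looks at the age of the daily signature file (daily.cvd, or daily.cld once freshclam has applied incremental updates to it) and reports when it is older than a given number of days. The function names, the CLAMAV_DB variable and the two-day default are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): report whether the daily ClamAV
# signature file is still being refreshed by freshclam. Assumed: the database
# directory used above, /usr/share/clamav, overridable through CLAMAV_DB.

dbfolder="${CLAMAV_DB:-/usr/share/clamav}"

# Print the newest modification time (epoch seconds) of daily.cld or daily.cvd
# (freshclam turns daily.cvd into daily.cld once it applies incremental diffs).
# Prints nothing and returns 1 when neither file exists.
db_newest_mtime() {
    dir="$1"
    newest=0
    for f in "$dir/daily.cld" "$dir/daily.cvd"; do
        [ -f "$f" ] || continue
        # GNU stat first, BSD stat as the fallback
        m=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f" 2>/dev/null) || continue
        [ "$m" -gt "$newest" ] && newest=$m
    done
    [ "$newest" -gt 0 ] && echo "$newest"
}

# Pure policy check, kept separate so it can be tested without touching disk:
# returns 0 (stale) when mtime lies more than max_days before now, else 1.
is_stale() {
    mtime="$1"; now="$2"; max_days="$3"
    [ $(( now - mtime )) -gt $(( max_days * 86400 )) ]
}

# Returns 0 when the database in dir is missing or older than max_days, else 1.
db_is_stale() {
    dir="$1"; max_days="${2:-2}"
    mtime=$(db_newest_mtime "$dir") || return 0
    is_stale "$mtime" "$(date +%s)" "$max_days"
}

# Human-readable verdict; exit status 1 when stale, so cron's own mail on
# output (or the mail command used in clamdcheck above) can pick it up.
report_db_status() {
    dir="$1"; max_days="${2:-2}"
    if db_is_stale "$dir" "$max_days"; then
        echo "WARNING: no daily signature file in $dir newer than $max_days day(s); check freshclam.log and the cron entry"
        return 1
    fi
    echo "OK: signatures in $dir were updated within the last $max_days day(s)"
}

# Usage: sh clamdb_check.sh --run [max days]
[ "${1:-}" = "--run" ] && report_db_status "$dbfolder" "${2:-2}"
```

Schedule it a few hours after the freshclam job so a slow mirror does not trip it, and keep the threshold above the update interval: with one freshclam run per day, two days is a reasonable default.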

 

Scan Options

To check all files on the computer, displaying the name of each file:

clamscan -r /

 

To check all files on the computer, but only display infected files and ring a bell when found:

clamscan -r --bell -i /

 

To check files in all users' home directories:

clamscan -r /home

 

To check files in the USER home directory and move infected files to another folder:

clamscan -r --move=/home/USER/VIRUS /home/USER

 

To check files in the USER home directory and remove infected files (WARNING: Files are gone.):

clamscan -r --remove /home/USER

 

The following scans the home directories and writes the results to the specified log file; the -i option reports only infected files:

clamscan -ril /var/log/clamscan.log /home

 

With the --exclude option you can leave subfolders out of the scan. The value is a regular expression matched against the path; --exclude-dir does the same for directory names:

clamscan --exclude=maildirectory -i -r /home

 

The --remove switch deletes infected files outright (see the warning above), here combined with a log file:

clamscan -ril /var/log/clamscan.log --remove /home

 

Screen sessions

When running lengthy scans it is handy to start a screen session. A screen session can be reattached if you lose your SSH connection, whether through connectivity errors or a time-out of the session itself.

To start the screen session enter screen, followed by the clamscan command that you require (see the scan options section for the correct syntax):

screen [clamscan...]

 

You can detach from and reattach to the screen session. If you lose the connection, use the following commands to reconnect.

 

List the available screen sessions.

screen -ls

 

Now you can attach using the following.

screen -r sessionname

or

screen -rx

 

You will get the scan result at the end; with -i only infected files are listed. The results are in "/var/log/clamscan.log" (grep for the word FOUND). You may either manually remove or clean these files, or run the clamscan --remove command from the scan options above, which permanently removes all infected files on your system (make sure to run it inside a screen session).
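Rather than grepping FOUND by hand, the log can be summarised. The script below is an added example and not from this article: it reads a clamscan log written with -l (such as /var/log/clamscan.log from the -ril command in the scan options) and reports hit counts per signature and per /home account, so a web-shell signature recurring in one account stands out from a single quarantined mail. The function names are assumptions; the sample log lines inside sample_log are constructed and their signature names invented.

```shell
#!/bin/sh
# Added example (not from the article): summarise a clamscan log written with
# -l (for instance /var/log/clamscan.log from "clamscan -ril" above) instead
# of grepping for FOUND by hand. Function names are ours; the lines written by
# sample_log are constructed and their signature names invented.

# Number of FOUND lines in the log file given as $1.
found_count() {
    grep -c ' FOUND$' "$1"
}

# Hits per signature, most frequent first, one "<count> <signature>" per line.
# The signature is the text between the last ": " and the trailing " FOUND",
# which also copes with file names that contain a colon.
by_signature() {
    sed -n 's/.*: \([^:]*\) FOUND$/\1/p' "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Hits per /home account, most frequent first, one "<count> <user>" per line.
# DirectAdmin keeps each account under /home/<user>, so the third path
# component is the account; hits outside /home are ignored here.
by_account() {
    awk -F'/' '/ FOUND$/ && $2 == "home" { hits[$3]++ } END { for (u in hits) print hits[u], u }' "$1" | sort -rn
}

# Full report for one log; returns 1 if the log cannot be read.
report() {
    log="$1"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 1; }
    echo "Infected files: $(found_count "$log")"
    echo
    echo "By signature:"
    by_signature "$log"
    echo
    echo "By /home account:"
    by_account "$log"
}

# Write a constructed sample log (clamscan -i output plus its summary) to a
# temporary file and print the path, so the report can be tried without a scan.
sample_log() {
    f=$(mktemp /tmp/clamscan-sample.XXXXXX) || return 1
    cat > "$f" <<'EOF'
/home/alice/public_html/uploads/up.php: PHP.Malware.Example-1 FOUND
/home/alice/public_html/img/x.php: PHP.Malware.Example-1 FOUND
/home/bob/Maildir/new/1700000000.M1P1.srv: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8000000
Scanned directories: 12
Scanned files: 345
Infected files: 3
EOF
    echo "$f"
}

# Usage: sh clamscan_report.sh /var/log/clamscan.log
#        sh clamscan_report.sh --sample    (runs against the constructed log)
case "${1:-}" in
    "") ;;
    --sample) f=$(sample_log) && report "$f"; rm -f "$f" ;;
    *) report "$1" ;;
esac
```

Two hits of one PHP signature inside a single account's public_html point at a compromised site to clean and a write path to close, whereas one EICAR hit in a Maildir is most likely a test message and needs no action.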

 

Further options

clamscan --help

    -h, --help                  Print help information and exit.
    -V, --version               Print version number and exit.
    -v, --verbose               Be verbose.
    -l FILE, --log=FILE         Save scan report to FILE.
    -f FILE, --file-list=FILE   Scan files listed line by line in FILE.
    -r, --recursive             Scan directories recursively. All the subdirectories in the given directory will be scanned.
                                These options can be used multiple times.
    -i, --infected              Only print infected files.
    --remove[=yes/no(*)]        Remove infected files. Be careful.
    --move=DIRECTORY            Move infected files into DIRECTORY. Directory must be writable for the '' user or unprivileged user running clamscan.
    --copy=DIRECTORY            Copy infected files into DIRECTORY. Directory must be writable for the '' user or unprivileged user running clamscan.

 

Include additional ClamAV Signatures

You have the ability to use 3rd party compiled malware/virus signature databases to extend ClamAV's signature database collection. Some additional sources are from

Add the following database lines into /etc/freshclam.conf at the very bottom of the file:

#Malware Experts
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.hdb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ldb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.fp
#Linux Malware Detect
DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.ndb
DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.hdb
#interserver.net
DatabaseCustomURL http://sigs.interserver.net/interserver256.hdb
DatabaseCustomURL http://sigs.interserver.net/interservertopline.db
DatabaseCustomURL http://sigs.interserver.net/shell.ldb
DatabaseCustomURL http://sigs.interserver.net/whitelist.fp

malware.expert.ndb contains generic hex-pattern signatures for PHP malware. Because they match generic eval, base64 and other hex patterns they can raise false positives (the rate is very low). The intent is to scan all .php files and check the reported hits manually for malware; if a particular signature causes you problems, you can whitelist it. Legitimate PHP code has valid uses for patterns such as eval/base64, so you may need to inspect files reported as malware by hand.

malware.expert.hdb contains static MD5 signatures for whole files and produces no false positives.

malware.expert.ldb contains logical (LDB) signatures, which search files for combinations of several words.

malware.expert.fp is a whitelist of the files that were found to cause false positives.

interserver256.hdb: 100% known malware, SHA-256 hash format.

interservertopline.db: code inserted into files; manual hex cleaning.

shell.ldb: 99.9% known malware, using logical signatures.

whitelist.fp: MD5 checksums of false positives or common files.

 
