Installation Clam Anti Virus (ClamAV) on DirectAdmin / CentOS

Clam AntiVirus is a popular open source (GPL) anti-virus toolkit for UNIX, designed for e-mail scanning on mail gateways. It provides a flexible and scalable multi-threaded daemon, a command line scanner and it can detect Trojan horses, viruses, malware and other malicious threats. It also comes with an advanced tool for automatic database updating via the Internet.


This article will guide you through the installation and configuration of ClamAV on a DirectAdmin based web server.


Note: This guide assumes you are familiar with SSH and basic command line navigation. These instructions apply primarily to customers who have Virtual Private Servers or Dedicated servers. If you do not have root-level access you will not be able to make these changes.


Installation

Login as root and enter the following commands. This will include ClamAV in the CustomBuild configuration and compile ClamAV:

cd /usr/local/directadmin/custombuild
./build update
./build set clamav yes
./build clamav

In case you get the following error when trying to start ClamAV:

[root@server ~]# /etc/init.d/clamd start
Starting clamd: LibClamAV Error: cli_loaddb(): No supported database files found in /usr/share/clamav
ERROR: Can't open file or directory
                                                          [FAILED]

or another related error:

LibClamAV Error: cl_load(): Can't get status of /usr/share/clamav

This error simply means the virus database can not be found. You can rebuild the database by using:

cd /usr/share
mkdir -p clamav
chown clamav:clamav clamav
freshclam -v

Configuration

Edit exim.conf and add the following before "primary_hostname =":

av_scanner = clamd:127.0.0.1 3310

Skip the step above if you are running CustomBuild 2.0, as it adds this for you in the following file: /etc/exim.clamav.load.conf


In exim.conf find "check_message:", and copy on the next line the ClamAV directives below:

deny message = This message contains malformed MIME ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
deny message = This message contains a virus or other harmful content ($malware_name)
demime = *
malware = */defer_ok
deny message = This message contains an attachment of a type which we  do not accept (.$found_extension)
demime = bat:com:pif:prf:scr:vbs
warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

Restart exim:

/etc/init.d/exim restart

Start ClamAV daemon for the first time

service clamd start (stop / restart)

To test if Clamd is running:

netstat -tap | grep clamd

Which should give an output similar to this:

tcp        0      0 localhost.local:dyna-access *:*                         LISTEN      4405/clamd

Clamav check script

Sometimes, the ClamAV virus database gets corrupted after an update. This prevents the ClamAV daemon from running. The script below ensures that:

  1. The ClamAV Daemon is running
  2. In case it does not, it tries to restart the daemon
  3. If this does not work, it deletes the virus database, and downloads a new one.
  4. it again attempts to restart the daemon
  5. If all this fails, an email is sent to the email address provided in the script

1. Create test File

first, create a dummy test file. This is an empty file that clamd will use to scan during the check:

cd /usr/local/directadmin/scripts/custom
echo "" > clamav.txt

2. Create shell script

Create a file with the name "clamdcheck". This file will contain the shell script used to check ClamAV. Use: nano or vi clamdcheck. This file should be placed in the /usr/local/directadmin/scripts/custom directory. Add the script below and save the file when done:

#!/bin/sh

# path to an empty dummy test file
testfile="/usr/local/directadmin/scripts/custom/clamav.txt"

# path to the clamav database files without the ending "/"
dbfolder="/usr/share/clamav"

# path to the clamdscan executable
scan="/usr/bin/clamdscan"

# path to the freshclam executable
freshdb="/usr/bin/freshclam"

# number of times the script tries to kick start clamd
trial=10

# email of server administrator
email="user@domain.com"

# server hostname (no modification needed)
myhost=$(hostname)

# email alert subject on failure
subject="Clamd on ${myhost} is down!"

# email alert body message on failure
message="Clamd on ${myhost} is down!"

output=$($scan $testfile | grep "SCAN SUMMARY")

if [ -z "$output" ]; then
        echo "Clamd is not running!"
        echo "Now trying to start clamd..."
        for (( i=1; i<=$trial; i++ ))
        do
                echo "Trial $i..."
                /sbin/service clamd restart
                output=$($scan $testfile | grep "SCAN SUMMARY")
                if [ -n "$output" ]; then
                        break
                else
                        sleep 3
                fi
        done
        if [ -z "$output" ]; then
                echo "Clamd is still not running!"
                echo "Now trying to refresh clamav database..."
                rm -Rf $dbfolder/*
                $freshdb
                /sbin/service clamd restart
                output=$($scan $testfile | grep "SCAN SUMMARY")
                if [ -z "$output" ]; then
                        echo "Clamd is still not running!"
                        echo "$message" | mail -s "$subject" "$email"
                        echo "Giving up... email alert has been sent to administrator."
                else
                        echo "Clamd is running now!"
                fi
        else
                echo "Clamd is running now!"
        fi
else
        echo "Clamd is running!"
fi

Ensure that the paths are correct and that you have set your correct e-mail address for alerting in the bolded field.

Don't forget to make the script executable:

chmod 755 clamdcheck

3. Setup Cronjob

Cron is a scheduling daemon that will run programs and scripts at arbitrary times or intervals. We need to setup a Cronjob to ensure our script runs at a periodic interval (don't set it too frequent as a complete freshclam process will take some time to complete):

crontab -e

This will land you in your default editor. Add the cronjob:

15,45 * * * * /usr/local/directadmin/scripts/custom/clamdcheck > /dev/null 2>&1

Using these settings every half hour the cronjob runs. Make sure to save the file and exit

To display all cronjobs:

crontab -l

Automated Virus Definition updates

You can add another cronjob for automated virus definition updates:

crontab -e

The code below sets the cronjob to execute daily, at 05.38 in the morning:

38 05 * * * sudo freshclam

Scan Options

To check all files on the computer, displaying the name of each file:

clamscan -r /

To check all files on the computer, but only display infected files and ring a bell when found:

clamscan -r --bell -i /

To check files in the all users home directories:

clamscan -r /home

To check files in the USER home directory and move infected files to another folder:

clamscan -r --move=/home/USER/VIRUS /home/USER

To check files in the USER home directory and remove infected files (WARNING: Files are gone.):

clamscan -r --remove /home/USER

will scan the user home directory and output the results to the specified file. -i option is used to report only the infected files.

clamscan -ril /var/log/clamscan.log /home

When using the --exclude setting you can exclude subfolders from the scan.

clamscan --exclude=maildirectory -i -r /home

When using the --remove switch you can remove infected files.

clamscan -ril /var/log/clamscan.log --remove /home

Screen sessions

When running lenghty scans it is handy to startup a screen session. A screen session can be restarted in case you lose your SSH connection, due to connectivity errors or time-out of the session itself. To start the screen session:

screen

Followed by the clamscan command of your choice.

You can detach and attach the screen session. In case you lost the connection use the following commands.

List the available screen sessions.

screen -ls

Now you can attach using the following.

screen -r sessionname

or

screen -rx

You will get the scan result at the end. Only infected files will be listed. You can find the files in “/var/log/clamscan.log”. ( grep the word FOUND ) You may either manually remove or correct these files or else run the below command that will permanently remove all infected files in your system (Make sure to run in screen session)


Further options:

clamscan --help
-h, --help Print help information and exit.
-V, --version Print version number and exit.
-v, --verbose Be verbose.
-l FILE, --log=FILE Save scan report to FILE.
-f FILE, --file-list=FILE Scan files listed line by line in FILE.
-r, --recursive Scan directories recursively. All the subdirectories in the given directory will be scanned.
These options can be used multiple times.
-i, --infected Only print infected files.
--remove[=yes/no(*)] Remove infected files. Be careful.
--move=DIRECTORY Move infected files into DIRECTORY. Directory must be writable for the '' user or unprivileged user running clamscan.
--copy=DIRECTORY Copy infected files into DIRECTORY. Directory must be writable for the '' user or unprivileged user running clamscan.
  • clamav, security, installation, antivirus
  • 26 Users Found This Useful
Was this answer helpful?

Related Articles

Installation of SpamAssassin on DirectAdmin

In this guide I will be explaining how to install and configure SpamAssasin on a Direct Admin...

Installation of Directadmin on CentOS

In this guide I will be explaining how to install Direct Admin on a clean installation of CentOS...

Installation of Directadmin on CentOS

In this guide I will be explaining how to install Direct Admin on a clean installation of CentOS...

Installation of Directadmin on CentOS

In this guide I will be explaining how to install Direct Admin on a clean installation of CentOS...

Installation CSF Firewall on CentOS 5 and 6

The ConfigServer Security & Firewall is a popular open source Stateful Packet Inspection...