CLAMAV

Windows-based operating systems have been notorious breeding grounds for computer worms and viruses. Many commercial anti-virus products have been developed to protect computers from malicious software and, with varying degrees of success, prevent the initial infection. Unix-based systems and OS X have avoided the virus outbreaks that have plagued Windows systems. One could argue several reasons for this, from different security models within the operating systems to the overwhelming presence of networked Windows systems in relation to others. Regardless of the possible reasons for the disparate threat of virus attacks against Unix- and Windows-based systems, the developers behind Clamav recognize that a proactive defense is a positive step for Unix-based systems—even if those systems don't appear to be under the same level of threat.

Clamav is an open-source utility that provides anti-virus scanning for Unix-based systems. It can also protect Windows users from e-mail-borne viruses: run it on a Unix-based mail server and scan all inbound mail before it reaches their mailboxes.

Download and Installation

The Clamav binaries and a wealth of installation documentation are available at http://www.clamav.net. The clamd daemon runs as a background process and should run under its own unprivileged account, so create a "clamav" user on your system before starting it; OS X users will find that this user already exists. A successful installation creates a clamd.conf file and several binaries, most likely under the /usr/local/ prefix (check /usr/local/etc and /usr/local/sbin). The clamd.conf file must be edited before your first scan. At the very least, the "Example" line near the beginning of the file must be removed or commented out; clamd refuses to start while it is present. The other default entries will get you started, and you can tune them as you become more familiar with Clamav.
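As an added example (not from the book or the ClamAV project), here is a small POSIX shell script that performs the two checks this paragraph calls for on clamd.conf: it comments out the stock Example line and confirms that a User directive is present so clamd drops privileges. The Linux useradd flags and /var/lib/clamav as the account's home directory are assumptions; on OS X the account already exists and that step is skipped.

```shell
# Added example, not from the book or the ClamAV project: post-install checks
# on clamd.conf. Run as: sh prep-clamd.sh /usr/local/etc/clamd.conf
# The Linux useradd flags and /var/lib/clamav as home directory are assumptions.

# Comment out the stock "Example" line. clamd refuses to start while a live
# Example line is present. A .bak copy of the original file is kept.
disable_example_line() {
    sed -i.bak 's/^[[:space:]]*Example[[:space:]]*$/#Example/' "$1"
}

# Return 0 when the file is ready for a first run: no live Example line, and
# a User directive so clamd drops root privileges after starting.
clamd_conf_ready() {
    if grep -q '^[[:space:]]*Example[[:space:]]*$' "$1"; then
        echo "$1: Example line still present; clamd will not start"
        return 1
    fi
    if ! grep -q '^[[:space:]]*User[[:space:]]' "$1"; then
        echo "$1: no User directive; clamd would keep the privileges it was started with"
        return 1
    fi
    return 0
}

# Create the unprivileged service account if it is missing. OS X ships the
# clamav account already, so this is a no-op there; the useradd flags are
# for Linux. Requires root.
ensure_clamav_user() {
    id clamav >/dev/null 2>&1 ||
        useradd -r -s /sbin/nologin -d /var/lib/clamav clamav
}

# Only act when a config path is given, so the file can be sourced for tests.
if [ $# -gt 0 ]; then
    ensure_clamav_user
    disable_example_line "$1"
    clamd_conf_ready "$1"
fi
```

The script leaves a clamd.conf.bak copy beside the edited file so the original can be compared or restored.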

Implementation

The clamscan command applies virus checks to a file, directory, or directory tree. Some of the most useful options are described in the figure below.

Figure: Clamscan Options

--exclude=<pattern>, --exclude-dir=<pattern>
    Does not scan files or directories that match <pattern>. The pattern is a regular expression, not a shell glob of the kind that a command like ls expands. For example, to exclude any file whose name ends in .sh:
    clamscan --exclude=".+\.sh$"

--include=<pattern>, --include-dir=<pattern>
    Only scans files or directories that match <pattern>.

-l <file>, --log=<file>
    Saves report information to <file>.

--move=<directory>
    Moves any file that is flagged as infected to <directory>. This is safer than --remove, but a false positive against an important system file still takes that file out of service, so review the quarantine directory before deleting anything in it.

--no-summary
    Does not display the scan summary on completion. Useful when the output is to be parsed by another script.

-r, --recursive
    Recursively scans the target directory.

--remove
    Deletes any file that is flagged as infected. A false positive or a scanner error deletes the file just the same, and there is no quarantine copy to recover.

--stdout
    Writes output to standard output. Use this when piping clamscan into other commands.

Although clamscan is most at home on a Linux system, it can also periodically scan a Windows installation whose disk is mounted on the Linux side. Here is an example run against the Windows partition of a dual-boot laptop, mounted under /mnt/windows:

$ clamscan /mnt/windows/WINNT/
/mnt/windows/WINNT/SYSTEM.INI: OK
/mnt/windows/WINNT/tabletoc.log: OK
/mnt/windows/WINNT/taskman.exe: OK
/mnt/windows/WINNT/tsoc.log: OK
/mnt/windows/WINNT/twain.dll: OK
/mnt/windows/WINNT/twain_32.dll: OK
/mnt/windows/WINNT/twunk_16.exe: OK
/mnt/windows/WINNT/twunk_32.exe: OK
/mnt/windows/WINNT/uinst001.exe: OK
/mnt/windows/WINNT/uneng.exe: OK
/mnt/windows/WINNT/uninst.exe: OK
...
----------- SCAN SUMMARY -----------
Known viruses: 40206
Engine version: 0.87
Scanned directories: 1
Scanned files: 138
Infected files: 0
Data scanned: 9.25 MB
Time: 13.157 sec (0 m 13 s)
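The following script is an added example, not from the book: a wrapper that runs clamscan with --recursive, --stdout and --no-summary, quarantines flagged files with --move, and reduces the remaining output to machine-readable lines. It also maps clamscan's exit status, which is 0 when nothing was flagged, 1 when at least one file was flagged, and 2 on an error such as a missing database. The quarantine directory, the log path, and the sample scanner output embedded for testing are constructed for this example; clamscan is assumed to be on PATH.

```shell
# Added example, not from the book: run clamscan from cron or another script
# and act on its results. Assumes clamscan is on PATH. The quarantine
# directory and log path are assumptions, not ClamAV defaults.

QUARANTINE=/var/quarantine
SCANLOG=/var/log/clamscan.log

# Scanner output constructed for this example. clamscan prints "path: OK" or
# "path: Signature FOUND"; Eicar-Test-Signature is a real signature name, the
# other one is made up.
SAMPLE_OUTPUT='/mnt/windows/WINNT/taskman.exe: OK
/mnt/windows/WINNT/tmp/eicar.com: Eicar-Test-Signature FOUND
/mnt/windows/WINNT/tmp/dropper.exe: Constructed.Test.Sample FOUND'

# Reduce per-file output read from stdin to one "path<TAB>signature" line per
# flagged file. Stripping the trailing ": Signature FOUND" keeps paths that
# themselves contain ": " intact; OK lines and the extra line --move prints
# per moved file are dropped.
parse_clamscan_output() {
    awk -F': ' 'BEGIN { OFS = "\t" }
        / FOUND$/ {
            sig = $NF; sub(/ FOUND$/, "", sig)
            path = $0; sub(/: [^:]* FOUND$/, "", path)
            print path, sig
        }'
}

# Number of flagged files in scanner output read from stdin.
count_infected() {
    parse_clamscan_output | awk 'END { print NR }'
}

# clamscan exits 0 when nothing was flagged, 1 when at least one file was,
# and 2 on an error (no database, unreadable target, ...).
interpret_exit_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Scan a tree, quarantine flagged files, and emit one line per detection
# followed by a verdict line. Not exercised by the test: needs a real clamscan.
scan_tree() {
    target=$1
    out=$(mktemp) || return 2
    mkdir -p "$QUARANTINE"
    # Output goes to a file rather than straight into a pipeline so that $?
    # reflects clamscan itself, not the last stage of a pipe.
    clamscan --recursive --stdout --no-summary \
        --log="$SCANLOG" --move="$QUARANTINE" "$target" > "$out"
    status=$?
    parse_clamscan_output < "$out"
    flagged=$(count_infected < "$out")
    rm -f "$out"
    echo "verdict: $(interpret_exit_status "$status") ($flagged file(s) flagged)"
    return "$status"
}

if [ $# -gt 0 ]; then
    scan_tree "$1"
fi
```

Because the exit status is returned unchanged, a cron wrapper can treat 1 as "investigate the quarantine" and 2 as "the scanner itself is broken", which is the distinction a scheduled job most needs.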

Mail Servers

Clamav works well with mail servers and clients on Unix-based systems. The goal of these configurations is to block viruses at one of their most common entry points: e-mail. When scanning is done on the server, malicious messages can be blocked or cleaned without any action by the user, and every user's mail is checked, not only that of users who keep a scanner of their own up to date. The drawback is that the mail server must be sized for the additional load: scanning attachments costs CPU time, and unpacking archived attachments costs memory and disk space.

Update Virus Definitions

Much of an anti-virus product's accuracy depends on up-to-date threat signatures. The freshclam utility downloads updated signature databases from the ClamAV mirrors into your local database directory:

$ sudo freshclam
ClamAV update process started at Mon Sep 19 16:04:22 2005
main.cvd is up to date (version: 34, sigs: 39625, f-level: 5,
 builder: tkojm)
Downloading daily.cvd [*]
daily.cvd updated (version: 1090, sigs: 581, f-level: 6, builder:
 ccordes)
Database updated (40206 signatures) from db.us.clamav.net (IP:
 216.24.174.245)

freshclam can check for new definitions many times a day (the Checks directive in freshclam.conf sets how many when freshclam runs as a daemon), but having every host poll the public mirrors that often generates needless network traffic. If you plan to deploy Clamav across several dozen servers or workstations, centralize the definitions: one server fetches updates from the public mirrors, and the rest pull the signature files from that local copy. Whichever way you distribute them, make sure the DatabaseDirectory that freshclam writes to is the directory that clamd.conf points clamd at and that clamscan reads (clamscan can also be told explicitly with -d/--database).
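An added example (not from the book) of the centralized layout described above: leaf hosts get a freshclam.conf whose DatabaseMirror points at an internal mirror, which itself runs freshclam against the public mirrors and serves its database directory (main.cvd, daily.cvd) over HTTP, and a check confirms that freshclam's DatabaseDirectory matches the one in clamd.conf. The hostname mirror.example.internal and the config files built in the test are assumptions; DatabaseDirectory, DatabaseMirror and Checks are real freshclam.conf directives.

```shell
# Added example, not from the book: one internal mirror feeds every other
# host, and each host is checked for a consistent database directory.
# mirror.example.internal is an assumed hostname; the mirror runs freshclam
# against the public mirrors and serves its database directory (main.cvd,
# daily.cvd) over HTTP, so leaf hosts need no access to the public mirrors.

# Print the DatabaseDirectory from a clamd.conf or freshclam.conf, ignoring
# commented-out lines; the last occurrence wins. Prints "default" when the
# directive is absent, meaning the directory compiled into the binaries.
database_dir() {
    dir=$(sed -n 's/^[[:space:]]*DatabaseDirectory[[:space:]]\{1,\}//p' "$1" | tail -n 1)
    echo "${dir:-default}"
}

# Exit 0 when freshclam writes where clamd reads, 1 otherwise.
check_database_dirs() {
    fresh=$(database_dir "$1")
    daemon=$(database_dir "$2")
    if [ "$fresh" = "$daemon" ]; then
        echo "ok: freshclam and clamd both use $fresh"
        return 0
    fi
    echo "MISMATCH: freshclam writes to $fresh but clamd reads $daemon"
    return 1
}

# Write a leaf-host freshclam.conf. Checks only matters when freshclam runs
# as a daemon (freshclam -d); from cron, a staggered entry such as
#   0 */4 * * * /usr/local/bin/freshclam --quiet
# on each leaf host spreads the load on the mirror instead.
write_leaf_freshclam_conf() {
    cat > "$1" <<EOF
DatabaseDirectory $2
DatabaseMirror mirror.example.internal
Checks 6
EOF
}

if [ $# -eq 2 ]; then
    # usage: sh mirror-check.sh /usr/local/etc/freshclam.conf /usr/local/etc/clamd.conf
    check_database_dirs "$1" "$2"
fi
```

Run the check on every host after changing either config file; a mismatch means freshclam reports "Database updated" while clamd and clamscan keep loading the stale set in the other directory.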
