A free antivirus package for Linux systems, Clam Antivirus, is available from http://www.clamav.net/.
I downloaded the Clam AntiVirus package with
. I then installed the package on a mail server running Fedora Core
rpm --install clamav-0.75.1-1.i386.rpm
warning: clamav-0.75.1-1.i386.rpm: V3 DSA signature: NOKEY, key ID 6cdf2cc1
The warning message can be prevented by using the command
rpm --import http://crash.fce.vutbr.cz/Petr.Kristof-GPG-KEY
prior to installing the package.
To use up2date to update the package, add the lines below to /etc/sysconfig/rhn/sources if you are using Fedora Core 1. You can add them after the other yum lines:
yum crash-hat http://crash.fce.vutbr.cz/crash-hat/1
#yum crash-test http://crash.fce.vutbr.cz/crash-hat/testing/1
If you are using Fedora Core 2, use the lines below:
yum crash-hat http://crash.fce.vutbr.cz/crash-hat/2
#yum crash-test http://crash.fce.vutbr.cz/crash-hat/testing/2
Otherwise, you will get the error message below when you try
The following packages you requested were not found:
Once you have added the line to /etc/sysconfig/rhn/sources,
you can then use
up2date -u clamav to update the software
to a later version when one becomes available.
If you are using another version of Linux, see http://www.clamav.net/binary.html#pagestart for information. Clam AntiVirus will run on other operating systems as well. Supported platforms are listed below (tested platforms in parentheses):
- GNU/Linux - all versions and platforms
- Solaris - all versions and platforms
- FreeBSD - all versions and platforms
- OpenBSD 3.0/1/2 (Intel/SPARC)
- AIX 4.1/4.2/4.3/5.1 (RISC 6000)
- HPUX 11.0
- SCO UNIX
- IRIX 6.5.20f
- Mac OS X
- Cobalt MIPS boxes (RAQ1, RAQ2, QUBE2)
- Windows Services for Unix 3.5 (Interix)
Some features may not be available on all operating systems.
If you install the package with the rpm or up2date commands, a new group and a new user account will be created, both named clamav. The clamav configuration file will be located in /etc/clamav.conf. The virus database updater program is called "freshclam". Freshclam's configuration file is /etc/freshclam.conf. You can control how often freshclam checks for new virus signatures by adjusting the Checks value in the /etc/freshclam.conf file. The log file for clamav is /var/log/clamav/clamd.log and the log file for freshclam is in /var/log/clamav/freshclam.log.
The program doesn't start automatically when you install it with the
rpm or up2date commands. You can start it with
/etc/init.d/clamd start or by rebooting the system.
If you left the TCP listening port to be the default of 3310, you can
see whether it is running by using the netstat command
netstat -at | grep 3310. You should see the system is
listening for connections on that port.
tcp 0 0 *:3310 *:* LISTEN
Or you can use the ps command to check on whether it is running:
[root@mail root]# ps aux | grep clamd | grep -v "grep"
clamav 2315 0.0 6.1 18024 15628 ? S 00:13 0:00 /usr/sbin/clamd
You can use the clamscan command to scan a directory or file for viruses. E.g. a scan of the files in the directory where clamav test files are stored might produce output such as that shown below:
[root@mail root]# clamscan /usr/share/doc/clamav-0.75.1/test
/usr/share/doc/clamav-0.75.1/test/test-failure.rar: RAR module failure
/usr/share/doc/clamav-0.75.1/test/test.bz2: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test.zip: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test-zip-noext: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test.msc: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test.rar: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test: ClamAV-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Known viruses: 24009
Scanned directories: 1
Scanned files: 8
Infected files: 6
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 5.640 sec (0 m 5 s)
The files in the clamav test directory are actually harmless, but the scan shows you the clamav scanning program is working. If you want to test with an actual worm, you can use the following example of Worm.SomeFool.P, aka W32.Netsky.P@mm.
If you want to scan just a particular file, you can use put the file
name after the command, e.g.
If you wish to manually update the virus defintions, issue the command
Clam AntiVirus 0.75.1-1 Package and Download Information
Milter package for use with sendmail
Clam AntiVirus 0.75.1-1 Milter Package and Download Information