Mon, Sep 20, 2004 1:13 am

Clam Antivirus (ClamAV)

A free antivirus package for Linux systems, Clam Antivirus, is available from http://www.clamav.net/.

I downloaded the Clam AntiVirus package with wget http://crash.fce.vutbr.cz/crash-hat/2/clamav/clamav-0.75.1-1.i386.rpm . I then installed the package on a mail server running Fedora Core 2 Linux.

rpm --install clamav-0.75.1-1.i386.rpm
warning: clamav-0.75.1-1.i386.rpm: V3 DSA signature: NOKEY, key ID 6cdf2cc1

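The NOKEY warning means rpm could not check the package's signature because the packager's public key has not been imported. Importing the key with the command rpm --import http://crash.fce.vutbr.cz/Petr.Kristof-GPG-KEY prior to installing the package prevents the warning and lets rpm verify the signature.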

To use up2date to update the package, add the lines below to /etc/sysconfig/rhn/sources if you are using Fedora Core 1. You can add them after the other yum lines:

yum crash-hat http://crash.fce.vutbr.cz/crash-hat/1
#yum crash-test http://crash.fce.vutbr.cz/crash-hat/testing/1

If you are using Fedora Core 2, use the lines below:

yum crash-hat http://crash.fce.vutbr.cz/crash-hat/2
#yum crash-test http://crash.fce.vutbr.cz/crash-hat/testing/2

Otherwise, you will get the error message below when you try up2date clamav:

The following packages you requested were not found:
clamav

Once you have added the lines to /etc/sysconfig/rhn/sources, you can then use up2date -u clamav to update the software to a later version when one becomes available.

If you are using another version of Linux, see http://www.clamav.net/binary.html#pagestart for information. Clam AntiVirus will run on other operating systems as well. Supported platforms are listed below (tested platforms in parentheses):

Some features may not be available on all operating systems.

If you install the package with the rpm or up2date commands, a new group and a new user account will be created, both named clamav. The clamav configuration file will be located in /etc/clamav.conf. The virus database updater program is called "freshclam". Freshclam's configuration file is /etc/freshclam.conf. You can control how often freshclam checks for new virus signatures by adjusting the Checks value in the /etc/freshclam.conf file. The log file for clamav is /var/log/clamav/clamd.log and the log file for freshclam is in /var/log/clamav/freshclam.log.

The program doesn't start automatically when you install it with the rpm or up2date commands. You can start it with /etc/init.d/clamd start or by rebooting the system.

If you left the TCP listening port at the default of 3310, you can check whether clamd is running with the netstat command netstat -at | grep 3310. You should see that the system is listening for connections on that port.

tcp        0      0 *:3310                  *:*                     LISTEN

Or you can use the ps command to check on whether it is running:

[root@mail root]# ps aux | grep clamd | grep -v "grep"
clamav    2315  0.0  6.1 18024 15628 ?       S    00:13   0:00 /usr/sbin/clamd

You can use the clamscan command to scan a directory or file for viruses. E.g. a scan of the files in the directory where clamav test files are stored might produce output such as that shown below:

[root@mail root]# clamscan /usr/share/doc/clamav-0.75.1/test
/usr/share/doc/clamav-0.75.1/test/test-failure.rar: RAR module failure
/usr/share/doc/clamav-0.75.1/test/test-failure.rar: OK
/usr/share/doc/clamav-0.75.1/test/README: OK
/usr/share/doc/clamav-0.75.1/test/test.bz2: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test.zip: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test-zip-noext: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test.msc: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test.rar: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test: ClamAV-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 24009
Scanned directories: 1
Scanned files: 8
Infected files: 6
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 5.640 sec (0 m 5 s)
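
An added example (not part of the original post): a small Python parser for the clamscan report format shown above, of the kind you might run from a cron job to raise an alert. The function name parse_clamscan and the policy of treating a file that logged a module failure as unverified, even when an OK line follows, are assumptions of this example.

```python
# Constructed sample: the clamscan report from the post above, copied verbatim.
SAMPLE = """\
/usr/share/doc/clamav-0.75.1/test/test-failure.rar: RAR module failure
/usr/share/doc/clamav-0.75.1/test/test-failure.rar: OK
/usr/share/doc/clamav-0.75.1/test/README: OK
/usr/share/doc/clamav-0.75.1/test/test.bz2: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test.zip: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test-zip-noext: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test.msc: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test.rar: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test: ClamAV-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 24009
Scanned directories: 1
Scanned files: 8
Infected files: 6
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 5.640 sec (0 m 5 s)
"""

SUMMARY_MARK = "----------- SCAN SUMMARY -----------"

def parse_clamscan(report):
    """Return infected, clean and unverified files plus the summary counters."""
    body, _, tail = report.partition(SUMMARY_MARK)
    infected, clean, unverified = {}, set(), {}
    for line in body.splitlines():
        path, sep, status = line.strip().rpartition(": ")
        if not sep:
            continue  # blank or unrecognised line
        if status.endswith(" FOUND"):
            infected[path] = status[:-len(" FOUND")]  # signature name
        elif status == "OK":
            clean.add(path)
        else:
            unverified[path] = status  # e.g. "RAR module failure"
    # Policy chosen for this example (an assumption): a file that logged a
    # failure is not counted as clean, even when an "OK" line for it follows.
    clean -= set(unverified)
    summary = dict(l.split(": ", 1) for l in tail.splitlines() if ": " in l)
    # Cross-check the per-file lines against the scanner's own counter.
    consistent = len(infected) == int(summary.get("Infected files", -1))
    return {"infected": infected, "clean": sorted(clean), "summary": summary,
            "unverified": unverified, "consistent": consistent}

if __name__ == "__main__":
    print(parse_clamscan(SAMPLE))
```
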

The files in the clamav test directory are actually harmless, but the scan shows you the clamav scanning program is working. If you want to test with an actual worm, you can use the following example of Worm.SomeFool.P, aka W32.Netsky.P@mm.

Worm.SomeFool.P

If you want to scan just a particular file, you can put the file name after the command, e.g. clamscan corrected_doc.pif.

If you wish to manually update the virus definitions, issue the command freshclam.

Clam AntiVirus 0.75.1-1 Package and Download Information

Milter package for use with sendmail
Clam AntiVirus 0.75.1-1 Milter Package and Download Information
