A FreeBSD based file server has been part of the SoCruel.NU infrastructure for some time now. All the devices accessing the file server have anti-virus software installed and configured, but the file server itself has not. So I decided to install and configure ClamAV on it. ClamAV is an open source anti-virus engine that uses several virus signature databases and is used in a variety of situations, including protecting endpoints. ClamAV is in the FreeBSD ports tree, so the installation part is easy!
The following requirements have to be in place to be able to implement what is described in this post:
We use the package system of FreeBSD to install the ClamAV software:
$ sudo pkg install clamav
The package also installs a clamav user and group, and it creates two rc service scripts, clamav-clamd and clamav-freshclam: clamd is the resident scanning daemon (queried with clamdscan) and freshclam updates the virus signature databases.
The requirement here is to scan the files on the file server offline on a regular schedule, so clamd is not used in this case.
freshclam has a configuration file called freshclam.conf in the /usr/local/etc directory. In this case the following configuration is used:
DatabaseDirectory /var/db/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogFileMaxSize 2M
LogTime yes
LogVerbose yes
LogRotate yes
LogSyslog yes
LogFacility LOG_DAEMON
PidFile /var/run/clamav/freshclam.pid
DatabaseOwner clamav
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror database.clamav.net
MaxAttempts 5
ScriptedUpdates yes
CompressLocalDatabase no
Checks 12
ConnectTimeout 60
ReceiveTimeout 1800
TestDatabases yes
SafeBrowsing yes
Bytecode yes
See man freshclam.conf for the details on each configuration line. Checks 12 means freshclam polls for new signatures 12 times a day; TestDatabases yes makes it load each downloaded database before installing it, so a corrupt download is rejected rather than used. Note that the ClamAV project has since discontinued the safebrowsing database; if your freshclam logs a warning that the SafeBrowsing option is no longer supported, drop that line.
As we now have the configuration file in place, we can enable and start the freshclam service:
$ sudo sysrc clamav_freshclam_enable="YES"
$ sudo service clamav-freshclam start
After a couple of minutes we see that freshclam has done its job: the freshclam daemon has downloaded the virus signature database files into the DatabaseDirectory, /var/db/clamav:
$ sudo ls -sla /var/db/clamav/
total 426584
     8 drwxr-xr-x   2 clamav  clamav        512 Feb 12 09:16 .
     8 drwxr-xr-x  20 root    wheel        1024 Feb 12 08:34 ..
   584 -rw-r--r--   1 clamav  clamav     296388 Feb 12 09:16 bytecode.cvd
114880 -rw-r--r--   1 clamav  clamav   58780434 Feb 12 09:13 daily.cvd
230272 -rw-r--r--   1 clamav  clamav  117859675 Feb 12 09:15 main.cvd
 80832 -rw-r--r--   1 clamav  clamav   41321567 Feb 12 09:16 safebrowsing.cvd
As time progresses you should see these files updated on a regular basis, according to the Checks setting in freshclam.conf (see above). Once ScriptedUpdates has applied an incremental update, daily.cvd is replaced by an uncompressed daily.cld; both forms are loaded by clamscan, so do not be surprised when the file name changes. If the timestamps stop moving, check /var/log/clamav/freshclam.log before trusting any scan result: a scan with stale signatures gives a false sense of security.
ClamAV comes with its own virus databases. It is also possible to add other, third party, virus signature databases to the ClamAV configuration. One such provider is SecuriteInfo, which offers a large set of additional antivirus signatures for ClamAV. SecuriteInfo provides a Basic, free of charge, subscription and a paid Professional subscription. You can sign up on the SecuriteInfo website.
To use the SecuriteInfo virus signatures, log in and then copy and paste the lines shown in the Setup tab into your freshclam.conf. These are DatabaseCustomURL entries that contain your personal download key, so keep the configuration file readable only by root and the clamav user.
After restarting the freshclam service:
$ sudo service clamav-freshclam restart
you should see the SecuriteInfo signature database files in /var/db/clamav as well:
$ sudo ls -sla /var/db/clamav/securiteinfo*.*
 19136 -rw-r--r--  1 clamav  clamav    9747767 Mar 31 18:15 /var/db/clamav/securiteinfo.hdb
     8 -rw-r--r--  1 clamav  clamav       3705 Mar 31 18:15 /var/db/clamav/securiteinfo.ign2
 21440 -rw-r--r--  1 clamav  clamav   10917490 Mar 30 11:52 /var/db/clamav/securiteinfoandroid.hdb
 14016 -rw-r--r--  1 clamav  clamav    7133239 Mar 31 12:13 /var/db/clamav/securiteinfoascii.hdb
  6912 -rw-r--r--  1 clamav  clamav    3491255 Mar 31 12:12 /var/db/clamav/securiteinfohtml.hdb
624832 -rw-r--r--  1 clamav  clamav  319751462 Mar 30 12:07 /var/db/clamav/securiteinfoold.hdb
   552 -rw-r--r--  1 clamav  clamav     281588 Mar 30 12:08 /var/db/clamav/securiteinfopdf.hdb
Now that we have our virus databases, we can scan some directories and files. But before we do that, we create a directory to store the infected files found by our scan. Keep the quarantine outside the directory tree you scan; otherwise the next scan finds the same files again and moves them onto themselves:
$ sudo mkdir /var/db/clamav/quarantine
$ sudo chown clamav:clamav /var/db/clamav/quarantine
Now we can scan a directory recursively using the clamscan tool, writing a log and moving hits to the quarantine directory:
$ sudo clamscan -r --log=/var/db/clamav/scan.log --move=/var/db/clamav/quarantine /path/to/Directory/To/Scan
For more options of the clamscan tool see man clamscan. clamscan exits with 0 when nothing was found, 1 when infected files were found and 2 when an error occurred, which is what a cron job should key on. You can easily write a shell script around it to make this task smarter. But that is left to the reader.
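As an added example (not the post's own script, and not part of ClamAV) here is a POSIX sh wrapper that could be run from cron on the file server. It covers both the update check from the freshclam section and the scan step: it locates the newest daily signature database (daily.cld or daily.cvd) and refuses to scan if it is older than an assumed two-day threshold, runs the clamscan command from the post with --infected added to keep the log short, and turns clamscan's documented exit code (0 clean, 1 infected, 2 error) plus the "Infected files:" summary line into a one-line report. It assumes the paths used in the post (/var/db/clamav for databases and quarantine) and a hypothetical SCAN_TARGET environment variable that selects the directory to scan; all of those can be overridden in the environment.

```shell
#!/bin/sh
# Offline ClamAV scan wrapper for a FreeBSD file server.
# Added example; not from the original post or the ClamAV project.
# Assumed defaults (from the post) - override via the environment if needed.
set -u

DB_DIR="${DB_DIR:-/var/db/clamav}"
QUARANTINE="${QUARANTINE:-$DB_DIR/quarantine}"
LOG="${LOG:-$DB_DIR/scan.log}"
MAX_DB_AGE_DAYS="${MAX_DB_AGE_DAYS:-2}"   # assumed threshold for "stale signatures"

# freshclam downloads daily.cvd first; once an incremental update is applied
# it is rewritten as daily.cld. Prefer the .cld, fall back to the .cvd.
newest_daily_db() {
    dir=$1
    for f in "$dir/daily.cld" "$dir/daily.cvd"; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# True (exit 0) when FILE was modified less than MAXDAYS days ago.
# find -mtime -N is POSIX, so this works on both FreeBSD and Linux.
db_is_fresh() {
    file=$1
    maxdays=$2
    [ -n "$(find "$file" -mtime "-$maxdays" 2>/dev/null)" ]
}

# Map clamscan's documented exit codes to a label for the report.
scan_status() {
    case $1 in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo "unknown($1)" ;;
    esac
}

# Extract N from the "Infected files: N" line of a clamscan log. The summary
# is written to the --log file as well as stdout; the last occurrence wins
# when the log is appended to across runs.
count_infected() {
    sed -n 's/^Infected files: *\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

run_scan() {
    target=$1
    if ! db=$(newest_daily_db "$DB_DIR"); then
        echo "no daily signature database found in $DB_DIR" >&2
        return 2
    fi
    if ! db_is_fresh "$db" "$MAX_DB_AGE_DAYS"; then
        echo "refusing to scan: $db is older than $MAX_DB_AGE_DAYS days; check clamav-freshclam" >&2
        return 2
    fi
    mkdir -p "$QUARANTINE"
    # Same invocation as in the post, plus --infected so only hits are logged.
    clamscan -r --infected --log="$LOG" --move="$QUARANTINE" "$target"
    rc=$?
    echo "scan of $target: $(scan_status "$rc"), infected files: $(count_infected "$LOG")"
    return "$rc"
}

# Only scan when a target is given, e.g. from root's crontab:
#   SCAN_TARGET=/export/share /usr/local/sbin/clamscan-share.sh
if [ -n "${SCAN_TARGET:-}" ]; then
    run_scan "$SCAN_TARGET"
fi
```

The freshness gate is the part worth keeping even if you drop the rest: a nightly scan that silently runs on month-old signatures looks healthy in the log while detecting nothing new. Run it as root (as the post does with sudo) so clamscan can read every file on the share and move hits into the clamav-owned quarantine.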