
How to install and configure ClamAV on FreeBSD

A FreeBSD based file server has been part of the SoCruel.NU infrastructure for some time now. All the devices accessing the file server have anti-virus software installed and configured, but the file server itself has not. So I decided to install and configure ClamAV on this file server. ClamAV is an open source anti-virus engine that uses several virus signature databases and is used in a variety of situations, including protecting endpoints. ClamAV is in the FreeBSD ports tree, so the installation part is easy!

Technical requirements

The following requirements have to be in place to be able to implement what is described in this post:

Install the ClamAV software

We use FreeBSD's package system (pkg) to install the ClamAV software:

$ sudo pkg install clamav

The package also creates a clamav user and group, and it installs two rc scripts in the /usr/local/etc/rc.d directory: clamav-clamd and clamav-freshclam. clamd is the scanning daemon (it scans files or directories on demand) and freshclam keeps the virus databases up to date. The requirement here is to scan the file server's files offline on a regular basis, so clamd is not used in this case.

Configure freshclam

freshclam reads its configuration file, freshclam.conf, from the /usr/local/etc directory. In this case the following configuration is used:

DatabaseDirectory /var/db/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogFileMaxSize 2M
LogTime yes
LogVerbose yes
LogRotate yes
LogSyslog yes
LogFacility LOG_DAEMON
PidFile /var/run/clamav/freshclam.pid
DatabaseOwner clamav
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror database.clamav.net
MaxAttempts 5
ScriptedUpdates yes
CompressLocalDatabase no
Checks 12
ConnectTimeout 60
ReceiveTimeout 1800
TestDatabases yes
SafeBrowsing yes
Bytecode yes

Please see man freshclam.conf for the details on each configuration line.

Enable freshclam

With the configuration file in place we can enable and start freshclam:

$ sudo sysrc clamav_freshclam_enable="YES"
$ sudo service clamav-freshclam start

After a couple of minutes we see that freshclam has done its job: the daemon has downloaded the virus signature database files into the /var/db/clamav directory:

$ sudo ls -sla /var/db/clamav/
total 426584
     8 drwxr-xr-x   2 clamav  clamav        512 Feb 12 09:16 .
     8 drwxr-xr-x  20 root    wheel        1024 Feb 12 08:34 ..
   584 -rw-r--r--   1 clamav  clamav     296388 Feb 12 09:16 bytecode.cvd
114880 -rw-r--r--   1 clamav  clamav   58780434 Feb 12 09:13 daily.cvd
230272 -rw-r--r--   1 clamav  clamav  117859675 Feb 12 09:15 main.cvd
 80832 -rw-r--r--   1 clamav  clamav   41321567 Feb 12 09:16 safebrowsing.cvd

As time progresses you should see these files updated on a regular basis, according to the Checks setting in freshclam.conf (see above).

Add other signatures

ClamAV comes with its own virus databases. It is also possible to add other, third party, virus signature databases to the ClamAV configuration. One such company is SecuriteInfo, which provides a large number of additional antivirus signatures for ClamAV. SecuriteInfo offers a free Basic subscription and a paid Professional subscription. You can sign up here.

To use the SecuriteInfo virus signatures, log in and then copy the lines from the Setup tab into your freshclam.conf file:

DatabaseCustomURL https://www.securiteinfo.com/get/signatures//securiteinfo.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures//securiteinfo.ign2
DatabaseCustomURL https://www.securiteinfo.com/get/signatures//javascript.ndb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures//spam_marketing.ndb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures//securiteinfohtml.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures//securiteinfoascii.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures//securiteinfoandroid.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures//securiteinfoold.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures//securiteinfopdf.hdb

After restarting the freshclam service:

$ sudo service clamav-freshclam restart

you should see the SecuriteInfo signature database files in the /var/db/clamav directory:

$ sudo ls -sla /var/db/clamav/securiteinfo*.*
 19136 -rw-r--r--  1 clamav  clamav    9747767 Mar 31 18:15 /var/db/clamav/securiteinfo.hdb
     8 -rw-r--r--  1 clamav  clamav       3705 Mar 31 18:15 /var/db/clamav/securiteinfo.ign2
 21440 -rw-r--r--  1 clamav  clamav   10917490 Mar 30 11:52 /var/db/clamav/securiteinfoandroid.hdb
 14016 -rw-r--r--  1 clamav  clamav    7133239 Mar 31 12:13 /var/db/clamav/securiteinfoascii.hdb
  6912 -rw-r--r--  1 clamav  clamav    3491255 Mar 31 12:12 /var/db/clamav/securiteinfohtml.hdb
624832 -rw-r--r--  1 clamav  clamav  319751462 Mar 30 12:07 /var/db/clamav/securiteinfoold.hdb
   552 -rw-r--r--  1 clamav  clamav     281588 Mar 30 12:08 /var/db/clamav/securiteinfopdf.hdb

Run clamscan

Now that we have our virus databases, we can scan some directories and files. Before we do that, we create a directory in which clamscan stores the infected files it finds:

$ sudo mkdir /var/db/clamav/quarantine
$ sudo chown clamav:clamav /var/db/clamav/quarantine

Now we can scan a directory recursively with the clamscan tool, writing a log and moving infected files into the quarantine directory:

$ sudo clamscan -r --log=/var/db/clamav/scan.log --move=/var/db/clamav/quarantine /path/to/Directory/To/Scan

For more clamscan options see man clamscan. You can easily write a shell script to make this task smarter, but that is left to the reader.
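One shape such a script can take, as an added example that is not part of the original post: it wraps the clamscan command above, refuses to scan when the signature files in /var/db/clamav are stale (a scan with old signatures gives false confidence), maps clamscan's documented exit status (0 clean, 1 infected, 2 error) to a word, pulls the "Infected files:" count out of the scan summary and reports all of that to syslog via logger. The paths are the ones used in the post; the scan target argument and the 3-day freshness limit are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a scheduled wrapper around
# the clamscan invocation shown above. Paths follow the post; the
# freshness limit and the scan target passed as $1 are assumptions.

DB_DIR="/var/db/clamav"
QUARANTINE="$DB_DIR/quarantine"
SCAN_LOG="$DB_DIR/scan.log"
MAX_DB_AGE_DAYS=3   # assumption: with "Checks 12" freshclam should never fall this far behind

# clamscan exit status, as documented in man clamscan:
# 0 = nothing found, 1 = infected file(s) found, 2 = an error occurred.
describe_exit() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected" ;;
        2) echo "error" ;;
        *) echo "unknown" ;;
    esac
}

# Read a clamscan summary on stdin and print the "Infected files:" count.
# Prints 0 when the line is absent (e.g. clamscan aborted before the summary).
count_infected() {
    n=$(sed -n 's/^Infected files: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    echo "${n:-0}"
}

# Succeed when DIR holds signature files (.cvd/.cld) and none is older than DAYS days.
# An empty directory counts as stale: there is nothing to scan with.
db_is_fresh() {
    dir="$1"; days="$2"
    [ -n "$(ls "$dir"/*.cvd "$dir"/*.cld 2>/dev/null)" ] || return 1
    [ -z "$(find "$dir" -maxdepth 1 \( -name '*.cvd' -o -name '*.cld' \) -mtime +"$days" -print)" ]
}

# Run the offline scan of one directory and report the outcome to syslog.
run_scan() {
    target="$1"
    if ! db_is_fresh "$DB_DIR" "$MAX_DB_AGE_DAYS"; then
        logger -t clamscan-job "signatures in $DB_DIR older than $MAX_DB_AGE_DAYS days, scan of $target skipped"
        return 2
    fi
    mkdir -p "$QUARANTINE" && chown clamav:clamav "$QUARANTINE"
    # --infected keeps the output to infected files plus the summary block.
    summary=$(clamscan -r --infected --log="$SCAN_LOG" --move="$QUARANTINE" "$target" 2>&1)
    rc=$?
    infected=$(printf '%s\n' "$summary" | count_infected)
    logger -t clamscan-job "scan of $target finished: $(describe_exit "$rc"), infected files: $infected, quarantine: $QUARANTINE"
    return "$rc"
}

# Scan only when a target directory is given, so the helpers can also be sourced on their own.
if [ $# -gt 0 ]; then
    run_scan "$1"
    exit $?
fi
```

Save it as, for instance, /usr/local/sbin/clamscan-job.sh (an assumed path), make it executable and run it from root's crontab with the directory to scan as its only argument. The exit status is passed through unchanged, so cron's mail and the syslog line both tell you whether the run was clean, found something, or was skipped because freshclam had not updated the signatures.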

Resources

Some (other) resources about this subject:

Updated: April 13, 2020