Wiki

User Tools

Site Tools

Trace:
ubuntu:anti_virus:install_clamav

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
ubuntu:anti_virus:install_clamav [2020/06/09 20:51] – [Scan for a virus] peterubuntu:anti_virus:install_clamav [2022/06/13 10:10] (current) peter
Line 1: Line 1:
 ====== Ubuntu - Anti Virus - Install ClamAV ====== ====== Ubuntu - Anti Virus - Install ClamAV ======
  
-clamav is an anti-virus application.+**clamav** is an anti-virus application.
  
 The clamav-daemon package creates a 'clamav' user; in order to allow ClamAV to scan system files, such as your mail spool, you can add clamav to the group that owns the files.  The clamav-daemon package creates a 'clamav' user; in order to allow ClamAV to scan system files, such as your mail spool, you can add clamav to the group that owns the files. 
Line 9: Line 9:
 ===== Install ClamAV ===== ===== Install ClamAV =====
  
-First we update the package repository:+Firstupdate the package repository:
  
 <code bash> <code bash>
Line 15: Line 15:
 </code> </code>
  
-Now we install the clamav scanner, the daemon and the database updater.+Now install the clamav scanner, the daemon and the database updater.
  
 <code bash> <code bash>
 sudo apt install clamav clamav-daemon clamav-freshclam sudo apt install clamav clamav-daemon clamav-freshclam
 </code> </code>
- 
-You can also install the **clamav-data** package, but the clamav-freshclam package is another (easier) way to update your virus definitions. 
  
 <WRAP info> <WRAP info>
 +**NOTE:**  You can also install the **clamav-data** package, but the clamav-freshclam package is another (easier) way to update your virus definitions.
 +
 On RHEL, CentOS or Scientific Linux, you only need to install the clamav package: On RHEL, CentOS or Scientific Linux, you only need to install the clamav package:
  
Line 63: Line 63:
 ===== The daily scan ===== ===== The daily scan =====
  
-The below cronjob will run a virus database definition update (so that the scan always has the most recent definitions) and afterwards run a full scan which will only report when there are infected files on the system.  It also does not remove the infected files automatically, you have to do this manually.  This way you make sure that it does not delete **/bin/bash** by accident.+The below cronjob will run a virus database definition update (so that the scan always has the most recent definitions) and afterwards run a full scan which will only report when there are infected files on the system.   
 + 
 +It also does not remove the infected files automatically, you have to do this manually.  This way you make sure that it does not delete **/bin/bash** by accident.
  
 <code bash> <code bash>
Line 70: Line 72:
 </code> </code>
  
-The **2>/dev/null** options keeps the **/proc** and such access denied errors out of the report.  The infected files however are still found and reported.+<WRAP info> 
 +**NOTE:**  The **2>/dev/null** options keeps the **/proc** and such access denied errors out of the report. 
 + 
 +The infected files however are still found and reported. 
 + 
 +</WRAP>
  
 Also make sure that your cron is configured so that it mails you the output of the cronjobs.  The manual page will help you with that. Also make sure that your cron is configured so that it mails you the output of the cronjobs.  The manual page will help you with that.
Line 85: Line 92:
 ===== Extra: the targeted scan ===== ===== Extra: the targeted scan =====
  
-The below cronjob is an example and you should adapt it as required.  It updates the virus definitions and scans the folder /var/www/sites/uploader.com/public-html/uploads/ two times per hour, and if it found any files it removes them.+The below cronjob is an example and you should adapt it as required. 
 + 
 +  It updates the virus definitions and scans the folder /var/www/sites/uploader.com/public-html/uploads/ two times per hour, and if it found any files it removes them.
  
 <code bash> <code bash>
Line 102: Line 111:
  
 ---- ----
 +
 +
 +===== Possible finds =====
 +
 +The scan can detect these "viruses":
 +
 +  * PUA.Script.Packed-1 FOUND
 +  * PUA.Script.Packed-2 FOUND
 +
 +In fact, this is not a virus.
 +
 +  * PUA - Possibly Unwanted Applications.
 +  * Script.Packed - The script is packed (archived).
 +
 +
 +To disable detection of PUA use an additional parameter:
 +
 +<code bash>
 +--detect-pua=no
 +</code>
 +
 +And to enable detection of PUA:
 +
 +<code bash>
 +--detect-pua=yes
 +</code>
 +
 +Example:
 +
 +<code bash>
 +sudo clamscan -r -i --detect-pua=yes /
 +</code>
 +
 +----
 +
 +===== Possible errors =====
 +
 +==== ERROR 1 ====
 +
 +When you update the virus signature database, it can return this error message:
 +
 +<code bash>
 +freshclam
 +</code>
 +
 +returns:
 +
 +<code bash>
 +ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!).
 +ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
 +</code>
 +
 +This is because the user was running freshclam without certain rights.
 +
 +This is solved by running freshclam with sudo:
 +
 +<code bash>
 +sudo freshclam
 +</code>
 +
 +----
 +
 +==== ERROR 2 ====
 +
 +Scanning can return this error message:
 +
 +<code bash>
 +LibClamAV Warning: fmap_readpage: pread fail: asked for 4085 bytes @ offset 11, got 0
 +LibClamAV Warning: fmap_readpage: pread fail: asked for 4091 bytes @ offset 5, got 0
 +LibClamAV Warning: fmap_readpage: pread fail: asked for 4094 bytes @ offset 2, got 0
 +LibClamAV Error: fmap_readpage: pread error: Input/output error
 +</code>
 +
 +For this to not happen, you must to exclude from scanning several directories, like so:
 +
 +<code bash>
 +sudo clamscan -ir --exclude-dir=^/sys --exclude-dir=^/dev --exclude-dir=^/proc /
 +</code>
 +
 +
ubuntu/anti_virus/install_clamav.1591735866.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki