Table of Contents

Redhat - Anti Virus - Install ClamAV

clamav is an anti-virus application.

The clamav-daemon package creates a 'clamav' user; in order to allow ClamAV to scan system files, such as your mail spool, you can add clamav to the group that owns the files.

Install ClamAV

On RHEL, CentOS or Scientific Linux, you only need to install the clamav package:

yum install clamav

Update the database

The below two commands will restart the freshclam daemon (which auto updates the database) and then does a manual update of the definitions.

sudo /etc/init.d/clamav-freshclam restart
sudo /usr/bin/freshclam

The daily scan

The below cronjob will run a virus database definition update (so that the scan always has the most recent definitions) and afterwards run a full scan which will only report when there are infected files on the system. It also does not remove the infected files automatically, you have to do this manually. This way you make sure that it does not delete /bin/bash by accident.

## This should be a root cronjob.
30 01 * * * /usr/bin/freshclam --quiet; /usr/bin/clamscan --recursive --no-summary --infected / 2>/dev/null

The 2>/dev/null options keeps the /proc and such access denied errors out of the report. The infected files however are still found and reported.

Also make sure that your cron is configured so that it mails you the output of the cronjobs. The manual page will help you with that.

This is how a sample email looks if you have an infection:

/tmp/eicar.zip: Eicar-Test-Signature FOUND
/tmp/eicar.com: Eicar-Test-Signature FOUND

Extra: the targeted scan

The below cronjob is an example and you should adapt it as required. It updates the virus definitions and scans the folder /var/www/sites/uploader.com/public-html/uploads/ two times per hour, and if it found any files it removes them.

## This should be a root cronjob.
*/29 * * * * /usr/bin/freshclam --quiet; /usr/bin/clamscan --recursive --no-summary --infected --remove /var/www/sites/uploader.com/public-html/uploads 2>/dev/null

This is how a sample email might look like:

/var/www/sites/uploader.com/public-html/uploads/eicar.zip: Eicar-Test-Signature FOUND
/var/www/sites/uploader.com/public-html/uploads/eicar.zip: Removed.
/var/www/sites/uploader.com/public-html/uploads/eicar.com: Eicar-Test-Signature FOUND
/var/www/sites/uploader.com/public-html/uploads/eicar.com: Removed.