ClamAV

http://phpmaster.com/zf-clamav/

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command-line scanner, and advanced tools for automatic database updates. The core of the package is an anti-virus engine available in the form of a shared library.

Features:

  • Fast scanning
  • On-access scanning (Linux and FreeBSD only)
  • Detects over 750,000 viruses, worms and trojans, including Microsoft Office macro viruses, mobile malware, and other threats
  • Built-in bytecode interpreter allows the ClamAV signature writers to create and distribute very complex detection routines and remotely enhance the scanner's functionality.
  • Scan within archives and compressed files (also protects against archive bombs) …
  • Support portable executable (32/64-bit) files compressed or obfuscated with …
  • Support ELF and Mach-O files (both 32- and 64-bit)
  • Support almost all mail file formats
  • Support for other special files / formats …
  • Advanced database updater with support for scripted updates, digital signatures, and DNS based database version queries.

Support:

If you have trouble installing or using ClamAV, try asking on our mailing lists:

  1. clamav-announce*lists.clamav.net - info about new versions, moderated
  2. clamav-users*list.clamav.net - user questions
  3. clamav-devel*lists.clamav.net - technical questions
  4. clamav-virusdb*list.clamav.net - database update announcements, moderated

You can subscribe and search the mailing list archive at http://www.clamav.net/support/ml/

Alternatively you can try asking on the #clamav IRC channel. Launch your favorite IRC client and type:

/server irc.freenode.net
/join #clamav

Requirements:

  • zlib and zlib-devel
  • bzip2 and bzip2-devel (optional, but highly recommended)
  • check unit testing framework (http://check.sourceforge.net)
  • gcc, or g++, or gcc-c++

Installation:

groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
tar -xvzf clamav-x.yz.tar.gz
cd clamav-x.yz
./configure --enable-milter --enable-check
make
make check
make install

To recursively scan the source directory:

clamscan -r -l scan.txt clamav-x.yz

It should find some test files in the clamav-x.yz/test directory. The scan result will be saved in the scan.txt log file.

To test clamd, start it, and use clamdscan (or connect directly to its socket and run the SCAN command):

clamdscan -l scan.txt clamav-x.yz

Please note that the scanned files must be accessible by the user running clamd or you will get an error.

Auto-updating:

freshclam is the automatic database update tool for Clam AntiVirus. It can work in two modes:

  • interactive - on demand from command line
  • daemon - silently in the background

freshclam is an advanced tool: it supports

  1. scripted updates (instead of transferring the whole CVD file at each update, it only transfers the differences between the latest and the current database via a special script)
  2. database version checks through DNS
  3. proxy servers (with authentication)
  4. digital signature and various error scenarios

Quick test: run freshclam (as superuser) with no parameters and check the output. If everything is OK, you may create the log file in /var/log (owned by clamav or another user freshclam will be running as):

touch /var/log/freshclam.log
chmod 600 /var/log/freshclam.log
chown clamav /var/log/freshclam.log

Now edit freshclam.conf and point the UpdateLogFile directive to /var/log/freshclam.log, and run freshclam in daemon mode:

freshclam -d

The other way is to use cron. You have to add the following line to the crontab of root or the clamav user:

N * * * * /usr/local/bin/freshclam --quiet

to check for a new database every hour. N should be between 3 and 57. Please don't choose any multiple of 10, because there are already too many clients using those time slots.

Proxy settings are only configurable via the configuration file and freshclam will require strict permission settings for the config file when HTTPProxyPassword is turned on:

HTTPProxyServer myproxyserver.com
HTTPProxyPort 1234
HTTPProxyUsername myusername
HTTPProxyPassword mypass

The DatabaseMirror directive in the config file specifies the database server from which freshclam will attempt (up to MaxAttempts times) to download the database. The default database mirror is database.clamav.net, but multiple directives are allowed. In order to download the database from the closest mirror you should configure freshclam to use db.xx.clamav.net, where xx represents your country code. For example, if your server is in "Ascension Island", you should have the following lines included in freshclam.conf:

DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.ac.clamav.net
DatabaseMirror database.clamav.net

The second entry acts as a fallback in case the connection to the first mirror fails. The full list of two-letter country codes is available at http://www.iana.org/cctld/cctld-whois.htm

ClamAV Active Malware Report:

The ClamAV Active Malware Report feature uses freshclam to send summary data to our server about the malware that has been detected. This data is then used to generate real-time reports on active malware. These reports, along with geographical and historical trends, will be published on http://www.clamav.net

The more data that we receive from ClamAV users, the more reports, and the better the quality of the reports, will be. To enable the submission of data to us for use in the Active Malware Report, enable SubmitDetectionStats in freshclam.conf, and LogTime and LogFile in clamd.conf. You should only enable this feature if you're using clamd to scan incoming data in your environment.

The only private data that is transferred is an IP address, which is used to create the geographical data. The size of the data that is sent is small. It contains just the filename, malware name, and time of detection. The data is sent in sets of 10 records, up to 50 records per session.

clamd:

clamd is a multi-threaded daemon that uses libclamav to scan files for viruses. It can listen on one or both of the following:

  • Unix (local) socket
  • TCP socket

The daemon is fully configurable via the clamd.conf file (man clamd.conf).

clamd recognizes the following commands:

  • PING: Check the daemon's state (should reply with "PONG")
  • VERSION: Print program and database versions
  • RELOAD: Reload the databases
  • SHUTDOWN: Perform a clean exit
  • SCAN file/directory: Scan file or directory (recursively) with archive support enabled (a full path is required)
  • RAWSCAN file/directory: Scan file or directory (recursively) with archive and special file support disabled (a full path is required)
  • CONTSCAN file/directory: Scan file or directory (recursively) with archive support enabled and don't stop the scanning when a virus is found
  • MULTISCAN file/directory: Scan file in a standard way or scan directory (recursively) using multiple threads (to make the scanning faster on SMP machines)
  • INSTREAM: It is mandatory to prefix this command with n or z. Scan a stream of data. The stream is sent to clamd in chunks, after INSTREAM, on the same socket on which the command was sent. This avoids the overhead of establishing new TCP connections and problems with NAT. The format of the chunk is: <length><data> where length is the size of the following data in bytes expressed as a 4 byte unsigned integer in network byte order and <data> is the actual chunk. Streaming is terminated by sending a zero-length chunk. Do not exceed StreamMaxLength as defined in clamd.conf.
  • FILDES: It is mandatory to newline terminate this command, or prefix with n or z. This command only works on Unix domain sockets. Scan a file descriptor. After issuing a FILDES command, a subsequent rfc2292/bsd4.4 style packet (with at least one dummy character) is sent to clamd carrying the file descriptor to be scanned inside the ancillary data. Alternatively, the file descriptor may be sent in the same packet, including the extra character.
  • STATS: It is mandatory to newline terminate this command, or prefix with n or z. It is recommended to only use the z prefix. On this command, clamd provides statistics about the scan queue, contents of scan queue, and memory usage
  • IDSESSION,END: It is mandatory to prefix this command with n or z. Also, all commands inside IDSESSION must be prefixed. Start/end a clamd session. Within a session, multiple SCAN, INSTREAM, FILDES, VERSION, STATS commands can be sent on the same socket without opening new connections. Replies from clamd will be in the form <id>: <response> where <id> is the request number (in ASCII, starting from 1) and <response> is the usual clamd reply. The reply lines have the same delimiter as the corresponding command had. Clamd will process the commands asynchronously, and reply as soon as it has finished processing. Clamd requires clients to read all the replies it sent before sending more commands, to prevent send() deadlocks. The recommended way to implement a client that uses IDSESSION is with a non-blocking socket and a select()/poll() loop: whenever send would block, sleep in select/poll until either you can write more data, or read more replies. Note that using non-blocking sockets without the select/poll loop and alternating recv()/send() doesn't comply with clamd's requirements. If clamd detects that a client has deadlocked, it will close the connection. Note that clamd may close an IDSESSION connection too if the client does not follow the protocol's requirements.

It is recommended to prefix clamd commands with the letter z (for example zSCAN) to indicate that the command will be delimited by a NULL character and that clamd should continue reading command data until a NULL character is read. The null delimiter assures that the complete command and its entire argument will be processed as a single command. Alternatively, commands may be prefixed with the letter n (for example, nSCAN) to use a newline character as the delimiter. Clamd replies will honour the requested terminator in turn. If clamd does not recognize the command, or the command does not follow the requirements specified above, it will reply with an error message and close the connection.
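The z-prefixed command framing and the INSTREAM chunk format described above are easy to get subtly wrong (a chunk length in host byte order, a missing zero-length terminator, or a stream larger than StreamMaxLength all make clamd drop the connection). The following Python client is an added example written for this page; it is not ClamAV's own code. It frames zPING and zINSTREAM exactly as the protocol description states, parses the "stream: OK" / "stream: <name> FOUND" reply, and, so that it runs offline, drives the client over a socketpair against a tiny fake daemon that is constructed here and is not clamd. The fake daemon's detection marker string, the 25 MB client-side cap (adjust it to the StreamMaxLength in your clamd.conf), and all function names are assumptions of this example.

```python
import socket
import struct
import threading

# Framing rules from the clamd command description: a "z"-prefixed command is
# terminated by a NUL byte, and clamd answers using the same delimiter.
CMD_DELIM = b"\x00"
# INSTREAM chunks are <4-byte big-endian length><data>; a zero-length chunk ends the stream.
CHUNK_SIZE = 4096
# Client-side guard so we never exceed clamd's StreamMaxLength (assumed 25 MB here;
# set it to whatever clamd.conf on the target host uses).
STREAM_MAX_LENGTH = 25 * 1024 * 1024


def encode_command(name):
    """Frame a command with the z prefix and NUL terminator, e.g. b'zPING\\x00'."""
    return b"z" + name.encode("ascii") + CMD_DELIM


def encode_instream(data, chunk_size=CHUNK_SIZE):
    """Frame a buffer as one complete INSTREAM exchange: zINSTREAM\\0, then
    network-byte-order length-prefixed chunks, then the zero-length terminator."""
    if len(data) > STREAM_MAX_LENGTH:
        raise ValueError("stream exceeds StreamMaxLength; clamd would reject it")
    frames = [encode_command("INSTREAM")]
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        frames.append(struct.pack("!I", len(chunk)) + chunk)
    frames.append(struct.pack("!I", 0))  # zero-length chunk terminates the stream
    return b"".join(frames)


def parse_reply(raw):
    """Split a NUL-delimited reply such as b'stream: OK\\x00' or
    b'stream: Name FOUND\\x00' into (target, verdict, detected)."""
    text = raw.rstrip(CMD_DELIM).decode("utf-8", "replace")
    target, _, verdict = text.partition(": ")
    return target, verdict, verdict.endswith(" FOUND")


def recv_reply(sock):
    """Read until the NUL delimiter, or until the peer closes the connection
    (clamd does that on protocol errors, so a partial reply is still returned)."""
    buf = b""
    while not buf.endswith(CMD_DELIM):
        part = sock.recv(4096)
        if not part:
            break
        buf += part
    return buf


def scan_on_socket(sock, data):
    """Run one INSTREAM scan over an already connected socket."""
    sock.sendall(encode_instream(data))
    return parse_reply(recv_reply(sock))


def scan_stream(host, port, data):
    """Scan a buffer via a clamd listening on a TCP socket at host:port."""
    with socket.create_connection((host, port)) as sock:
        return scan_on_socket(sock, data)


# ---- Fake daemon for offline demonstration (constructed here; this is NOT clamd) ----
# It understands zPING and zINSTREAM only and "detects" a constructed marker string.
FAKE_MARKER = b"EXAMPLE-DETECTION-MARKER"


def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed mid-frame")
        buf += part
    return buf


def _read_command(sock):
    # One byte at a time, so no INSTREAM chunk bytes after the NUL are swallowed.
    buf = b""
    while not buf.endswith(CMD_DELIM):
        byte = sock.recv(1)
        if not byte:
            break
        buf += byte
    return buf


def fake_clamd_serve(conn):
    with conn:
        cmd = _read_command(conn)
        if cmd == encode_command("PING"):
            conn.sendall(b"PONG" + CMD_DELIM)
        elif cmd == encode_command("INSTREAM"):
            payload = b""
            while True:
                (length,) = struct.unpack("!I", _read_exact(conn, 4))
                if length == 0:
                    break
                payload += _read_exact(conn, length)
            verdict = b"Example.Marker FOUND" if FAKE_MARKER in payload else b"OK"
            conn.sendall(b"stream: " + verdict + CMD_DELIM)
        else:  # the real daemon answers with an error and closes the connection
            conn.sendall(b"UNKNOWN COMMAND" + CMD_DELIM)


def scan_against_fake(data):
    """Drive the client over a socketpair against the fake daemon (no network needed)."""
    client, server = socket.socketpair()
    threading.Thread(target=fake_clamd_serve, args=(server,), daemon=True).start()
    with client:
        return scan_on_socket(client, data)


if __name__ == "__main__":
    print(scan_against_fake(b"harmless bytes"))
    print(scan_against_fake(b"prefix " + FAKE_MARKER + b" suffix"))
```

Against a real daemon, replace scan_against_fake with scan_stream(host, port, data); the framing functions are unchanged. Note that the client reads the whole reply before sending anything else, which is the same discipline the IDSESSION description demands of multi-command clients.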

Clamd can handle the following signals:

  • SIGTERM: perform a clean exit
  • SIGHUP: reopen the log file
  • SIGUSR2: reload the database

Clamd should not be started in the background using the shell operator & or external tools. Instead, you should run and wait for clamd to load the database and daemonize itself.

clamdscan:

clamdscan is a simple clamd client. In many cases you can use it as a clamscan replacement; however, you must remember:

  • It only depends on clamd
  • Although it accepts the same command line options as clamscan, most of them are ignored because they must be enabled directly in clamd (via clamd.conf)
  • In TCP mode, scanned files must be accessible for clamd. In LocalSocket mode, clamdscan will try to work around this limitation by using FILDES

Clamuko:

Clamuko is a special thread in clamd that performs on-access scanning under Linux and FreeBSD and shares the internal virus database with the daemon. You must follow some important rules:

  • Always stop the daemon cleanly - using the SHUTDOWN command or SIGTERM signal, otherwise you may lose access to the files until the system is restarted
  • Never protect the directory your mail-scanner software uses for attachment unpacking. Access to all infected files will be automatically blocked and the scanner (including clamd) will not be able to detect any viruses. Therefore, all infected mails may be delivered.

For example, to protect the whole system add the following lines to clamd.conf:

ClamukoScanOnAccess
ClamukoIncludePath /
ClamukoExcludePath /proc
ClamukoExcludePath /temporary/dir/of/your/mail/scanning/software

You can also use clamuko to protect files on Samba/Netatalk, but it is a far better and safer idea to use the samba-vscan module. NFS is not supported because Dazuko doesn't intercept NFS access calls.

clamscan:

clamscan writes all regular program messages to stdout and errors/warnings to stderr. You can use the option --stdout to redirect all program messages to stdout. Warning and error messages from libclamav are always printed to stderr.

libclamav:

libclamav provides an easy and effective way to add virus protection to your software. The library is thread-safe and transparently recognizes and scans within archives, mail files, MS Office document files, executables and other special formats.

libclamav includes a DLP module which can detect credit card and social security numbers inside text files.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License