{"id":1161,"date":"2012-08-28T08:49:55","date_gmt":"2012-08-28T00:49:55","guid":{"rendered":"http:\/\/rmohan.com\/?p=1161"},"modified":"2012-08-28T08:49:55","modified_gmt":"2012-08-28T00:49:55","slug":"clamav-virus-scanning","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=1161","title":{"rendered":"ClamAV Virus Scanning"},"content":{"rendered":"

Thankfully Linux isn\u2019t a platform which has a significant problem with Viruses, however it is always better to be safe than sorry. Luckily ClamAV is an excellent free anti-virus solution for Linux servers. However, at least on RedHat Enterprise 5 (RHEL5) the default install doesn\u2019t offer any automated scanning and alerting. So here is what I\u2019ve done:<\/p>\n

The following steps assume you are using RHEL5, but should apply to other Linux distributions as well.<\/p>\n

First, you\u2019ll want to install ClamAV:<\/h2>\n
\n
\n\n\n\n
\n
\n
yum <\/code>install<\/code> clamav clamav-db clamd<\/code><\/div>\n
\/etc\/init<\/code>.d<\/code>\/clamd<\/code> start<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

On RHEL5 at least this automatically sets up a daily cron job that uses freshclam to update the virus definitions, so that\u2019s good.<\/p>\n

Next I recommend removing the test virus files, although you can save this until after you test the rest of the setup:<\/p>\n

\n
\n\n\n\n
\n
\n
rm<\/code> -rf <\/code>\/usr\/share\/doc\/clamav-0<\/code>.95.3<\/code>\/test\/<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Now we want to setup our automation. I have a daily cron job that scans the entire server which can take several minutes, and then an hourly cron job that only scans files which were created or modified within the last hour. This should provide rapid notification of any infection without bogging your server down for 5 minutes every hour. The hourly scans run in a couple of seconds.<\/p>\n

Each scanning script then checks the scan logs to see if there were any infected files found, and if so immediately sends you a notification e-mail (you could set this address to your mobile phone\u2019s SMS account if you wanted).<\/p>\n

The Daily Scan:<\/h2>\n
\n
\n\n\n\n
\n
\n
emacs <\/code>\/etc\/cron<\/code>.daily<\/code>\/clamscan_daily<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Paste in:<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n
18<\/div>\n
19<\/div>\n
20<\/div>\n
21<\/div>\n
22<\/div>\n
23<\/div>\n
24<\/div>\n
25<\/div>\n
26<\/div>\n
27<\/div>\n
28<\/div>\n
29<\/div>\n<\/td>\n
\n
\n
#!\/bin\/bash<\/code><\/div>\n
\u00a0<\/div>\n
# email subject<\/code><\/div>\n
SUBJECT=<\/code>\"VIRUS DETECTED ON `hostname`!!!\"<\/code><\/div>\n
# Email To ?<\/code><\/div>\n
EMAIL=<\/code>\"me@domain.com\"<\/code><\/div>\n
# Log location<\/code><\/div>\n
LOG=<\/code>\/var\/log\/clamav\/scan<\/code>.log<\/code><\/div>\n
\u00a0<\/div>\n
check_scan () {<\/code><\/div>\n
\u00a0<\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code># Check the last set of results. If there are any \"Infected\" counts that aren't zero, we have a problem.<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>if<\/code> [ `<\/code>tail<\/code> -n 12 ${LOG}\u00a0 | <\/code>grep<\/code> Infected | <\/code>grep<\/code> -<\/code>v<\/code> 0 | <\/code>wc<\/code> -l` != 0 ]<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>then<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>EMAILMESSAGE=`mktemp <\/code>\/tmp\/virus-alert<\/code>.XXXXX`<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>echo<\/code> \"To: ${EMAIL}\"<\/code> >>\u00a0 ${EMAILMESSAGE}<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>echo<\/code> \"From: alert@domain.com\"<\/code> >>\u00a0 ${EMAILMESSAGE}<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>echo<\/code> \"Subject: ${SUBJECT}\"<\/code> >>\u00a0 ${EMAILMESSAGE}<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>echo<\/code> \"Importance: High\"<\/code> >> ${EMAILMESSAGE}<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>echo<\/code> \"X-Priority: 1\"<\/code> >> ${EMAILMESSAGE}<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>echo<\/code> \"`tail -n 50 ${LOG}`\"<\/code> >> ${EMAILMESSAGE}<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>sendmail -t < ${EMAILMESSAGE}<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>fi<\/code><\/div>\n
\u00a0<\/div>\n
}<\/code><\/div>\n
\u00a0<\/div>\n
clamscan -r \/ --exclude-<\/code>dir<\/code>=<\/code>\/sys\/<\/code> --quiet --infected --log=${LOG}<\/code><\/div>\n
\u00a0<\/div>\n
check_scan<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n
\n
\n\n\n\n
\n
\n
chmod<\/code> +x <\/code>\/etc\/cron<\/code>.daily<\/code>\/clamscan_daily<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

The Hourly Scan:<\/h2>\n
\n
\n\n\n\n
\n
\n
emacs <\/code>\/etc\/cron<\/code>.hourly<\/code>\/clamscan_hourly<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Paste in:<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n
18<\/div>\n
19<\/div>\n
20<\/div>\n
21<\/div>\n
22<\/div>\n
23<\/div>\n
24<\/div>\n
25<\/div>\n
26<\/div>\n
27<\/div>\n
28<\/div>\n
29<\/div>\n
30<\/div>\n
31<\/div>\n<\/td>\n
\n
\n
#!\/bin\/bash<\/code><\/div>\n
\u00a0<\/div>\n
# email subject<\/code><\/div>\n
SUBJECT=<\/code>\"VIRUS DETECTED ON `hostname`!!!\"<\/code><\/div>\n
# Email To ?<\/code><\/div>\n
EMAIL=<\/code>\"me@domain.com\"<\/code><\/div>\n
# Log location<\/code><\/div>\n
LOG=<\/code>\/var\/log\/clamav\/scan<\/code>.log<\/code><\/div>\n
\u00a0<\/div>\n
check_scan () {<\/code><\/div>\n
\u00a0<\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code># Check the last set of results. If there are any \"Infected\" counts that aren't zero, we have a problem.<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>if<\/code> [ `<\/code>tail<\/code> -n 12 ${LOG}\u00a0 | <\/code>grep<\/code> Infected | <\/code>grep<\/code> -<\/code>v<\/code> 0 | <\/code>wc<\/code> -l` != 0 ]<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>then<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>EMAILMESSAGE=`mktemp <\/code>\/tmp\/virus-alert<\/code>.XXXXX`<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>echo<\/code> \"To: ${EMAIL}\"<\/code> >>\u00a0 ${EMAILMESSAGE}<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>echo<\/code> \"From: alert@domain.com\"<\/code> >>\u00a0 ${EMAILMESSAGE}<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>echo<\/code> \"Subject: ${SUBJECT}\"<\/code> >>\u00a0 ${EMAILMESSAGE}<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>echo<\/code> \"Importance: High\"<\/code> >> ${EMAILMESSAGE}<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>echo<\/code> \"X-Priority: 1\"<\/code> >> ${EMAILMESSAGE}<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>echo<\/code> \"`tail -n 50 ${LOG}`\"<\/code> >> ${EMAILMESSAGE}<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>sendmail -t < ${EMAILMESSAGE}<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>fi<\/code><\/div>\n
\u00a0<\/div>\n
}<\/code><\/div>\n
\u00a0<\/div>\n
find<\/code> \/ -not -wholename <\/code>'\/sys\/*'<\/code> -and -not -wholename <\/code>'\/proc\/*'<\/code> -mmin -61 -<\/code>type<\/code> f -print0 | <\/code>xargs<\/code> -0 -r clamscan --exclude-<\/code>dir<\/code>=<\/code>\/proc\/<\/code> --exclude-<\/code>dir<\/code>=<\/code>\/sys\/<\/code> --quiet --infected --log=${LOG}<\/code><\/div>\n
check_scan<\/code><\/div>\n
\u00a0<\/div>\n
find<\/code> \/ -not -wholename <\/code>'\/sys\/*'<\/code> -and -not -wholename <\/code>'\/proc\/*'<\/code> -cmin -61 -<\/code>type<\/code> f -print0 | <\/code>xargs<\/code> -0 -r clamscan --exclude-<\/code>dir<\/code>=<\/code>\/proc\/<\/code> --exclude-<\/code>dir<\/code>=<\/code>\/sys\/<\/code> --quiet --infected --log=${LOG}<\/code><\/div>\n
check_scan<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n
\n
\n\n\n\n
\n
\n
chmod<\/code> +x <\/code>\/etc\/cron<\/code>.hourly<\/code>\/clamscan_hourly<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Protected System<\/h2>\n

You should now have a well protected system with low impact to system performance and rapid alerting. Anti-Virus is only one piece of protecting a server, but hopefully this makes it easy to implement for everyone.<\/p>\n","protected":false},"excerpt":{"rendered":"

Thankfully Linux isn\u2019t a platform which has a significant problem with Viruses, however it is always better to be safe than sorry. Luckily ClamAV is an excellent free anti-virus solution for Linux servers. However, at least on RedHat Enterprise 5 (RHEL5) the default install doesn\u2019t offer any automated scanning and alerting. So here is what […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1161"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1161"}],"version-history":[{"count":2,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1161\/revisions"}],"predecessor-version":[{"id":1163,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1161\/revisions\/1163"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1161"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1161"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1161"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}