Installing Clam AntiVirus (ClamAV) on DirectAdmin / CentOS


Clam AntiVirus is a popular open source (GPL) anti-virus toolkit for UNIX, designed for e-mail scanning on mail gateways. It provides a flexible and scalable multi-threaded daemon and a command line scanner, and it can detect Trojan horses, viruses, malware and other malicious threats. It also comes with an advanced tool for automatic database updating via the Internet.

This article will guide you through the installation of ClamAV on a DirectAdmin based web server.

Note: This guide assumes you are familiar with SSH and basic command line navigation. These instructions apply primarily to customers who have Virtual Private Servers or Dedicated servers. If you do not have root-level access you will not be able to make these changes.

 

Installation

Log in as root and enter the following commands. This will include ClamAV in the CustomBuild configuration and compile ClamAV:

cd /usr/local/directadmin/custombuild
./build update
./build set clamav yes
./build clamav

In case you get the following error when trying to start ClamAV:

[root@server ~]# /etc/init.d/clamd start
Starting clamd: LibClamAV Error: cli_loaddb(): No supported database files found in /usr/share/clamav
ERROR: Can't open file or directory
                                                          [FAILED]

or another related error:

LibClamAV Error: cl_load(): Can't get status of /usr/share/clamav

This error simply means the virus database cannot be found. You can rebuild the database by using:

cd /usr/share
mkdir -p clamav
chown clamav:clamav clamav
freshclam -v

 

Configuration

Edit exim.conf and add the following before “primary_hostname =”:

av_scanner = clamd:127.0.0.1 3310

Skip the step above if you are running CustomBuild 2.0, as it adds this for you in the following file: /etc/exim.clamav.load.conf

 

In exim.conf, find “check_message:” and add the ClamAV directives below on the next line:

deny message = This message contains malformed MIME ($demime_reason)
     demime = *
     condition = ${if >{$demime_errorlevel}{2}{1}{0}}
deny message = This message contains a virus or other harmful content ($malware_name)
     demime = *
     malware = */defer_ok
deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
     demime = bat:com:pif:prf:scr:vbs
warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

Restart exim:

/etc/init.d/exim restart

Start the ClamAV daemon for the first time (use stop or restart in place of start as needed):

service clamd start

To test if Clamd is running:

netstat -tap | grep clamd

Which should give an output similar to this:

tcp        0      0 localhost.local:dyna-access *:*                         LISTEN      4405/clamd

 

Clamav check script

Sometimes the ClamAV virus database gets corrupted after an update, which prevents the ClamAV daemon from running. The script below does the following:

  1. It checks that the ClamAV daemon is running.
  2. If it is not, it tries to restart the daemon.
  3. If this does not work, it deletes the virus database and downloads a new one.
  4. It again attempts to restart the daemon.
  5. If all this fails, an email is sent to the email address provided in the script.

1. Create test File

First, create a dummy test file. This is an empty file that clamd will scan during the check:

cd /usr/local/directadmin/scripts/custom
echo "" > clamav.txt

2. Create shell script

Create a file with the name “clamdcheck”. This file will contain the shell script used to check ClamAV. Use: nano or vi clamdcheck. This file should be placed in the /usr/local/directadmin/scripts/custom directory. Add the script below and save the file when done:

#!/bin/bash

# path to an empty dummy test file
testfile="/usr/local/directadmin/scripts/custom/clamav.txt"

# path to the clamav database files without the ending "/"
dbfolder="/usr/share/clamav"

# path to the clamdscan executable
scan="/usr/bin/clamdscan"

# path to the freshclam executable
freshdb="/usr/bin/freshclam"

# number of times the script tries to kick start clamd
trial=10

# email of server administrator
email="user@domain.com"

# server hostname (no modification needed)
myhost=$(hostname)

# email alert subject on failure
subject="Clamd on ${myhost} is down!"

# email alert body message on failure
message="Clamd on ${myhost} is down!"

output=$($scan $testfile | grep "SCAN SUMMARY")

if [ -z "$output" ]; then
        echo "Clamd is not running!"
        echo "Now trying to start clamd..."
        for (( i=1; i<=$trial; i++ ))
        do
                echo "Trial $i..."
                /sbin/service clamd restart
                output=$($scan $testfile | grep "SCAN SUMMARY")
                if [ -n "$output" ]; then
                        break
                else
                        sleep 3
                fi
        done
        if [ -z "$output" ]; then
                echo "Clamd is still not running!"
                echo "Now trying to refresh clamav database..."
                # ${dbfolder:?} aborts if the variable is empty, so this never expands to /*
                rm -Rf "${dbfolder:?}"/*
                $freshdb
                /sbin/service clamd restart
                output=$($scan $testfile | grep "SCAN SUMMARY")
                if [ -z "$output" ]; then
                        echo "Clamd is still not running!"
                        echo "$message" | mail -s "$subject" "$email"
                        echo "Giving up... email alert has been sent to administrator."
                else
                        echo "Clamd is running now!"
                fi
        else
                echo "Clamd is running now!"
        fi
else
        echo "Clamd is running!"
fi

Ensure that the paths are correct and that you have set your own e-mail address for alerting in the email variable.

Don’t forget to make the script executable:

chmod 755 clamdcheck

3. Setup Cronjob

Cron is a scheduling daemon that runs programs and scripts at set times or intervals. We need to set up a cron job so that our script runs periodically (don’t run it too frequently, as a complete freshclam run takes some time to finish):

crontab -e

This will land you in your default editor. Add the cronjob:

15,45 * * * * /usr/local/directadmin/scripts/custom/clamdcheck > /dev/null 2>&1

With these settings the cron job runs every half hour. Make sure to save the file and exit.

To display all cronjobs:

crontab -l

 

Automated Virus Definition updates

You can add another cronjob for automated virus definition updates:

crontab -e

The code below sets the cronjob to execute daily, at 05.38 in the morning:

38 05 * * * /usr/bin/freshclam --quiet

 

Scan Options

To check all files on the computer, displaying the name of each file:

clamscan -r /

To check all files on the computer, but only display infected files and ring a bell when found:

clamscan -r --bell -i /

To check files in all users' home directories:

clamscan -r /home

To check files in the USER home directory and move infected files to another folder:

clamscan -r --move=/home/USER/VIRUS /home/USER

To check files in the USER home directory and remove infected files (WARNING: Files are gone.):

clamscan -r --remove /home/USER

 

Scan by using a screen session

To scan the whole system inside a screen session, open a new screen session and run the command below. This can be handy as scans may take hours to complete:

clamscan -ril /var/log/clamscan.log /

You can detach from and re-enter the screen session at any time to check the status.

You will get the scan result at the end. Only the infected files will be listed. You can find them in “/var/log/clamscan.log” (grep for the word FOUND). You may either remove or correct these files manually, or run the command below, which permanently removes all infected files on your system (make sure to run it in a screen session):

clamscan -ril /var/log/clamscan.log --remove /
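
Before running the --remove command above, it helps to see what the log actually reports. The following is an added example, not part of the original article: it lists each detection in a clamscan log and counts detections per signature. It assumes the "<path>: <signature> FOUND" line format and signature names without spaces; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a clamscan log before running --remove.
# Assumes "<path>: <signature> FOUND" lines; signature names contain no spaces.

# Print "signature<TAB>path" for every detection in the log given as $1.
list_found() {
    awk '/ FOUND$/ {
        line = $0
        sub(/ FOUND$/, "", line)
        # The signature is the last ": word"; the path itself may contain ": ".
        if (match(line, /: [^ ]+$/))
            printf "%s\t%s\n", substr(line, RSTART + 2), substr(line, 1, RSTART - 1)
    }' "$1" | LC_ALL=C sort
}

# Print "count<TAB>signature", most frequent signature first.
count_by_signature() {
    list_found "$1" |
        awk -F'\t' '{ c[$1]++ } END { for (s in c) printf "%d\t%s\n", c[s], s }' |
        LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample log (not real scan output); signature names are made up.
# The "OK" line shows that a file name containing FOUND is not a detection.
sample_log() {
    cat <<'EOF'
/home/alice/public_html/cache.php: Php.Example.Webshell-1 FOUND
/home/alice/Maildir/cur/msg: 1700000000.eml: Doc.Example.Dropper-2 FOUND
/home/bob/public_html/up.php: Php.Example.Webshell-1 FOUND
/home/bob/notes/FOUND items.txt: OK

----------- SCAN SUMMARY -----------
Infected files: 3
EOF
}

log=$(mktemp)
sample_log > "$log"
count_by_signature "$log"   # overview: how many files per signature
list_found "$log"           # per-file list to review before deleting anything
rm -f "$log"
```

On a real server, call both functions with /var/log/clamscan.log as the argument and review the listed paths first; a detection inside a mail folder or a shared library is usually better handled by hand than by --remove.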

 

To see more options:

clamscan --help
Written by: AFRIDA YANTI