orestyle1

ClamAV install on Debian

I would like to install ClamAV on a Debian Sarge machine.  I have read some sites that help but I am not completely sure how it gets installed and how to configure it.  One suspected issue was multiple conf files for freshclam and the other conf file. (clamd ?)  Anyway, I see it can be installed through aptitude (although it needs to be updated via added apt source.)  But what is the best way to configure it?  I would like to just install it and see how it works out.  Do some scanning, etc.  This is a test machine running LAMP and some other smaller test programs.  At this time, I am open to exploring Clamav on one machine and learning the ropes.

I have done the basic google search for guides so I have seen some of the standard ones...
ASKER CERTIFIED SOLUTION
Cyclops3590

orestyle1 (ASKER)

Great.  So, here is where I am now (or was until I reinstalled).  I downloaded the ClamAV (current ver 88?) and ran tar -zxvf ClamAV.  Then ran the ./configure command.  The only issue I received was for zlib and zlib-dev.  Researching it I found that there are actually several files I needed (zlib1g, zlib1g-dev, libbz2-dev, libgmp3, libgmp3-dev).  So after aptituding those I ran the ./configure script again.  No errors.  Then the make, then make install.  So it seemed to install.  One thing I think might have helped out was having checkinstall do the make file.  So, I could do the freshclam with no errors, but when running clamd I was getting errors about virus signatures (something like that) being out of date.  How those get updated I have yet to learn.  I think I am at that point of the configuration files.  After installing the source, I installed from aptitude.  So at that point I had two installations.  I then removed the aptitude install then tried to poke around the system and remove the source install, but it seems to be deeply installed on my system.

Anyway.  I think I'm at the conf files and seem to need some explanation on how to configure them.  I would eventually like to set up a postfix server and have clamav scan email (mailserver software install integrated with clamav?) but at this point I just want to understand how this works and some of the more well known ways of administering this software.

Just another thought, when I install it through the .deb package, I get asked questions that I didn't see during the source install.  Questions like having clamav run as daemon, ways to access updates, etc.  

Also, the default installation dirs.  Do those fill up with the virus updates, or are they overwritten each time they are downloaded?  Just looking ahead.  And last question.  Should this be a stand alone machine?  I am basically going to have a LAMP, Email, Thin Client, and one or two other servers running eventually.  Can it run on one of those machines or should it run separate?

clamd will give an error if it knows it's outdated pretty much every time it's used.  freshclam actually updates the defs and then should notify clamd.
you should be running freshclam and clamd from /usr/local/bin now.

The config changes you need to make so that freshclam will notify clamd is this

freshclam.conf
---------------------------------------------------------------
Checks 288
NotifyClamd /usr/local/etc/clamd.conf
---------------------------------------------------------------
NotifyClamd just needs to point to the clamd.conf file you are using
Checks just says how many times per day you check for updates.  I do every 5 minutes on my mail servers.  Most likely a little overzealous, but then I'm a little more paranoid than most too.

clamd.conf should be good right out of the box
when you run them do the following

/usr/local/sbin/clamd -c /usr/local/etc/clamd.conf
/usr/local/bin/freshclam --config-file=/usr/local/etc/freshclam.conf --quiet --daemon

clamd just needs to know the path of the config file for its parameters.  freshclam needs to be given the --daemon switch or it only runs once; it also needs the config path.  --quiet just makes it so only errors are output instead of the normal stdout output.

as for tying clamav to postfix, I do it thru Amavisd.  I found it to be pretty easy, but other people like mailscanner and others as well.

After you do what I told you above it's just a matter of reading the config file and seeing what other options you can play with.  Anything else, let me know

>> Just another thought, when I install it through the .deb package, I get asked questions that I didn't see during the source install.  Questions like having clamav run as daemon, ways to access updates, etc.
I'm assuming it's stepping you thru doing an initial config.  The reason I highly recommend installing from source is that when clamd says it's out of date, all you have to do is go to clamav.net which will always have the newest version (there may not be a .deb package out immediately), then you just quick run the ./configure, make, make install, run freshclam and you're good again.  No config changes or anything


>>Also, the default installation dirs.  Do those fill up with the virus updates, or are they overwritten each time they are downloaded?  
No.  There are only two files used:  main.cvd and daily.cvd.  Both of these are in the home directory of the user running freshclam (of course I'm assuming you can choose where you store these).  So they are overwritten.

>> Just looking ahead.  And last question.  Should this be a stand alone machine?  I am basically going to have a LAMP, Email, Thin Client, and one or two other servers running eventually.  Can it run on one of those machines or should it run separate?
I run mine on the machine.  ClamAV is pretty efficiently run from what I can see so I wouldn't worry about running it on the same machine.  Also, it just makes life easier in a lot of situations.  When you tie it into Postfix, you can consider it.  Reason I say that is because (like I said before I use Amavisd) Amavisd can tie Spamassassin in as well.  Spamassassin can be very CPU intensive if handling a lot of email per day: >15000 (but of course depends on machine you run it on too).  So you can have postfix relay all its mail to a different filter box, then have that box relay it back to the postfix box for delivery.  But that's another issue altogether

so would it be better to use Amavisd (which I assume is an antivirus software) when using Postfix, or would it be just as easy to install mailscanner for that type of configuration?  I have assumed that ClamAV was the best out there.  Also, how do you know that ClamAV is actually working?  I tried to scan the directory where I downloaded the test files for ClamAV (I assume they are a form of EICAR (sp) virus for testing) but when I ran the test, it came up clean.  Also, I am currently using Panda, so I only know how that software works.  Does ClamAV work in the same way where if a virus is found it blocks it, or deletes it (next version)?  And notifying the admin of a found virus, is that done through the local mail?  I know I am asking more questions than originally posted, thus am increasing points to compensate for any additional information you give.

Amavisd is not Antivirus.  Basically the way it works is email gets passed to it on a given port.  Then Amavisd checks that email for viruses (if configured to do so) by the AV daemons that it is configured to use.  It can also do the same for spam by using Spamassassin.  It can also completely block email or just label it.  You then also configure it to relay to a certain IP and port after it is done doing what it does.

Also, you are correct.  ClamAV is the best out there (kind of amazing when you think how much Symantec and McAfee make off of AV products that theirs are so much worse than a completely free product).  If you have Panda installed, run that against the file.  Does it say it is a virus?  If so, then run it against Clamav.  Also, make sure to run freshclam first to make sure that your defs are up-to-date.  You should get output like the following:

[user@host viruses]# clamscan account-details.zip
account-details.zip: Worm.Mytob.BZ FOUND

----------- SCAN SUMMARY -----------
Known viruses: 60025
Engine version: 0.88.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.05 MB
Time: 1.697 sec (0 m 1 s)


Notifying of a virus to a sender or the potential recipient is the job of Amavisd (or the package you use).  ClamAV just scans a file, says yes or no to there being a virus and if yes, then which virus.  The notification portion is a part of amavisd config though.  However, that is a different issue.  For now, let's just make sure that your clamav install is working.

Ok, installed ClamAV from source.

I ran freshclam and got this:

ClamAV update process started at Thu Jun 15 15:17:46 2006
main.cvd is up to date (version: 39, sigs: 58116, f-level: 8, builder: tkojm)
daily.cvd is up to date (version: 1542, sigs: 1914, f-level: 8, builder: ccordes)

Running clamd it takes me to another command prompt.  

I have also run clamscan and received the following output (scanning downloads dir)

Known viruses: 60030
Engine version: 0.88.2
Scanned directories: 1
Scanned files: 35
Infected files: 1
Data scanned: 2.88 MB
Time: 4.249 sec (0 m 4 s)

So, seems to be scanning...  Does all this look correct?

yup...after you get both clamd and freshclam running in daemon mode, then you can check to make sure they are running, by typing this:
ps aux | grep clam

OK, ran the following:

# touch /var/log/freshclam.log
# chmod 600 /var/log/freshclam.log
# chown clamav /var/log/freshclam.log

then modified freshclam.conf to reflect the logfile

Next, ran freshclam -d

ps aux | grep clam

root     20331  0.0  1.4 22776 13228 ?       Ss   Jun15   0:02 clamd
clamav   22656  0.0  0.0  2468  892 ?        Ss   10:19   0:00 freshclam -d

So more questions:

1.  Now clamav will start every time I log into the system, or every time the system is started?
2.  Will clamav now scan the system automatically?  Does it prevent the system from becoming infected or just let you know when it has?  

Are there any other issues I might need to be aware of that were overlooked or are vague in the clamav documentation?

add these two lines to the /etc/rc.local file

/usr/local/sbin/clamd -c /usr/local/etc/clamd.conf
/usr/local/bin/freshclam --config-file=/usr/local/etc/freshclam.conf --quiet --daemon


Then they will start on bootup.

clamav will never scan the system automatically; if you want that then you need to put a clamscan command into cron.  It only identifies when it is already infected (although I wouldn't worry about that; not exactly a lot of linux viruses out there).

i don't think there are any other issues really, it's mostly where do you want to use it.  right now you have it to the point where it is successfully installed and usable.  clamd opens a port so that another daemon can pass it data and clamd says if it's infected or not.  freshclam running will keep your defs up to date.  When you get to needing to tie it into other programs post another question and either myself or someone else should be able to help you out.

Well, I did a scan on my Deb machine and got this info:

Known viruses: 60042
Engine version: 0.88.2
Scanned directories: 2691
Scanned files: 21917
Infected files: 6
Data scanned: 506.62 MB
Time: 287.538 sec (4 m 47 s)

Not sure what the infected files are but this was a scan of the entire HD

what was the exact command you used.  by default it should list the files that are infected

clamscan -r
sorry

clamscan -r /

this scan would run on the whole system.  Seems it is identifying the testfiles too.  But not listing them.
perhaps man clamav will explain how to list out the infected files?  I did the -r just out of interest to see if anything existed on the entire drive.  But I suspect the testfiles are what the clamav is squawking about.

Anyway, I gave more points, and should have given more because of all the advice and explanations given.  Will remember your name for next time...

that's odd.  I use the same command as you, but mine lists out.  I would make the same assumption you did about the ones that got identified though.  Not sure why it's not listing though.  It's always listed by default for me.  I actually have to give it the "--quiet" switch to keep input from printing.

but ya, check out the man page for clamscan to see what flag options you have.  Can't believe Debian would make it react that different than my Mandriva box though
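The advice earlier in the thread is to run clamscan from cron, and the last exchange is about a run that reported 6 infected files without listing them. The script below is an added example, not code from the thread or from the ClamAV project: it parses a clamscan report in the format shown above into the flagged paths and the summary counts, so a cron wrapper can act on both rather than relying on someone reading the output. The sample report is constructed; `scan_and_log` and the log path `/var/log/clamscan.log` are assumptions, not ClamAV defaults.

```shell
#!/bin/sh
# Added example, not from the thread or the ClamAV project.
# Parse a clamscan report into the flagged paths and the summary counts.

# Constructed sample in the format clamscan prints: one "<path>: <sig> FOUND"
# line per hit, then the "SCAN SUMMARY" block seen in the thread.
SAMPLE_REPORT='/home/test/account-details.zip: Worm.Mytob.BZ FOUND
/home/test/readme.txt: OK
/home/test/sample.com: Example.Test.Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 60042
Engine version: 0.88.2
Scanned directories: 2
Scanned files: 3
Infected files: 2
Data scanned: 0.06 MB
Time: 1.2 sec (0 m 1 s)'

# Print the paths of the files flagged FOUND, one per line.
infected_files() {
    printf '%s\n' "$1" | awk '
        match($0, /: [^ ]+ FOUND$/) { print substr($0, 1, RSTART - 1) }'
}

# Count the FOUND lines; independent of the summary, which is missing
# when clamscan is killed before it finishes.
infected_count() {
    infected_files "$1" | awk 'END { print NR }'
}

# Look up one field of the SCAN SUMMARY block, e.g. "Infected files".
summary_value() {
    printf '%s\n' "$1" | awk -F': ' -v key="$2" '$1 == key { print $2; exit }'
}

# True when either the listing or the summary count says something was found,
# which covers the case in the thread where the summary and listing disagree.
needs_attention() {
    n=$(summary_value "$1" 'Infected files')
    [ "$(infected_count "$1")" -gt 0 ] || [ "${n:-0}" -gt 0 ]
}

# Hypothetical cron entry point (assumed name and log path): scan a directory
# and append the flagged paths to the log only when something was found.
scan_and_log() {
    dir="$1"; log="${2:-/var/log/clamscan.log}"
    report=$(clamscan -r "$dir" 2>&1) || true   # clamscan exits 1 on a hit
    needs_attention "$report" || return 0
    { date; infected_files "$report"; } >> "$log"
    return 1
}
```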