Solved

ClamAV install on Debian

Posted on 2006-06-14
Last Modified: 2008-02-01
I would like to install ClamAV on a Debian Sarge machine. I have read some sites that help, but I am not completely sure how it gets installed and how to configure it. One suspected issue was multiple conf files for freshclam and the other conf file (clamd?). Anyway, I see it can be installed through aptitude (although it needs to be updated via an added apt source). But what is the best way to configure it? I would like to just install it and see how it works out. Do some scanning, etc. This is a test machine running LAMP and some other smaller test programs. At this time, I am open to exploring ClamAV on one machine and learning the ropes.

I have done the basic google search for guides so I have seen some of the standard ones...
Question by:orestyle1
LVL 25

Accepted Solution

by:
Cyclops3590 earned 300 total points
ID: 16912373
Personally, this is one of those packages where I'd highly recommend installing from source from www.clamav.net

What I do is download it, untar it, cd into the directory, then run ./configure.  This will find any missing dependencies you have.  Install those packages via apt-get.  Once you successfully run the configure script, run make, then make install.

The configs should be under /usr/local/etc/freshclam.conf and /usr/local/etc/clamd.conf.
I don't use Debian, but I assume you want to start them on boot up. You'll need to write a script and place it in the right dir to have it start up on boot. I believe it's something like /etc/rc.local

If you have any problems getting it installed, let me know.  And after you get it installed, the config files are highly commented.  Just poke around in them and you should be good.  Let me know when you get to that point though.  There are a couple of lines that have to be configured so freshclam can notify clamd of updates.
LVL 1

Author Comment

by:orestyle1
ID: 16913143
Great. So, here is where I am now (or was until I reinstalled). I downloaded the ClamAV (current ver 88?) and ran tar -zxvf ClamAV. Then ran the ./configure command. The only issue I received was for zlib and zlib-dev. Researching it I found that there are actually several files I needed (zlib1g, zlib1g-dev, libbz2-dev, libgmp3, libgmp3-dev). So after aptituding those I ran the ./configure script again. No errors. Then the make, then make install. So it seemed to install. One thing I think might have helped out was having checkinstall do the make file. So, I could do the freshclam with no errors, but when running clamd I was getting errors about virus signatures (something like that) being out of date. How those get updated I have yet to learn. I think I am at that point of the configuration files. After installing the source, I installed from aptitude. So at that point I had two installations. I then removed the aptitude install, then tried to poke around the system and remove the source install, but it seems to be deeply installed on my system.

Anyway. I think I'm at the conf files and seem to need some explanation on how to configure them. I would eventually like to set up a postfix server and have clamav scan email (mailserver software install integrated with clamav?), but at this point I just want to understand how this works and some of the more well known ways of administering this software.

LVL 1

Author Comment

by:orestyle1
ID: 16913243
Just another thought, when I install it through the .deb package, I get asked questions that I didn't see during the source install.  Questions like having clamav run as daemon, ways to access updates, etc.  

Also, the default installation dirs. Do those fill up with the virus updates, or are they overwritten each time they are downloaded? Just looking ahead. And last question. Should this be a stand alone machine? I am basically going to have a LAMP, Email, Thin Client, and one or two other servers running eventually. Can it run on one of those machines or should it run separate?
LVL 25

Expert Comment

by:Cyclops3590
ID: 16913270
clamd will give an error if it knows it's outdated pretty much every time it's used. freshclam actually updates the defs and then should notify clamd.
you should be running freshclam and clamd from /usr/local/bin now.

The config changes you need to make so that freshclam will notify clamd are these:

freshclam.conf
---------------------------------------------------------------
Checks 288
NotifyClamd /usr/local/etc/clamd.conf
---------------------------------------------------------------
NotifyClamd just needs to point to the clamd.conf file you are using
Checks just says how many times per day you check for updates.  I do every 5 minutes on my mail servers.  Most likely a little over zealous, but then I'm a little more paranoid than most too.

clamd.conf should be good right out of the box
when you run them do the following

/usr/local/sbin/clamd -c /usr/local/etc/clamd.conf
/usr/local/bin/freshclam --config-file=/usr/local/etc/freshclam.conf --quiet --daemon

clamd just needs to know the path of the config file for its parameters. freshclam needs to be given the --daemon switch or it only runs once; it also needs the config path. --quiet just makes it so only errors are output instead of everything going to stdout.

As for tying clamav to postfix, I do it through Amavisd. I found it to be pretty easy, but other people like mailscanner and others as well.

After you do what I told you above, it's just a matter of reading the config file and seeing what other options you can play with. Anything else, let me know.
LVL 25

Expert Comment

by:Cyclops3590
ID: 16913348
>>Just another thought, when I install it through the .deb package, I get asked questions that I didn't see during the source install. Questions like having clamav run as daemon, ways to access updates, etc.
I'm assuming it's stepping you through doing an initial config. The reason I highly recommend installing from source is that when clamd says it's out of date, all you have to do is go to clamav.net, which will always have the newest version (there may not be a .deb package out immediately), then you just quick run the ./configure, make, make install, run freshclam and you're good again. No config changes or anything.


>>Also, the default installation dirs.  Do those fill up with the virus updates, or are they overwritten each time they are downloaded?  
No.  There are only two files used:  main.cvd and daily.cvd.  Both of these are in the home directory of the user running freshclam (of course I'm assuming you can choose where you store these).  So they are overwritten.

>>Just looking ahead. And last question. Should this be a stand alone machine? I am basically going to have a LAMP, Email, Thin Client, and one or two other servers running eventually. Can it run on one of those machines or should it run separate?
I run mine on the machine. Clamav is pretty efficiently run from what I can see, so I wouldn't worry about running it on the same machine. Also, it just makes life easier in a lot of situations. When you tie it into Postfix, you can consider it. Reason I say that is because (like I said before I use Amavisd) Amavisd can tie Spamassassin in as well. Spamassassin can be very CPU intensive if handling a lot of email per day: >15000 (but of course depends on the machine you run it on too). So you can have postfix relay all its mail to a different filter box, then have that box relay it back to the postfix box for delivery. But that's another issue altogether.
LVL 1

Author Comment

by:orestyle1
ID: 16914371
So would it be better to use Amavisd (which I assume is an antivirus software) when using Postfix, or would it be just as easy to install mailscanner for that type of configuration? I have assumed that ClamAV was the best out there. Also, how do you know that ClamAV is actually working? I tried to scan the directory where I downloaded the test files for ClamAV (I assume they are a form of EICAR (sp) virus for testing) but when I ran the test, it came up clean. Also, I am currently using Panda, so I only know how that software works. Does ClamAV work in the same way where if a virus is found it blocks it, or deletes it (next version)? And notifying the admin of a found virus, is that done through the local mail? I know I am asking more questions than originally posted, thus am increasing points to compensate for any additional information you give.

LVL 25

Expert Comment

by:Cyclops3590
ID: 16914534
Amavisd is not Antivirus.  Basically the way it works is email gets passed to it on a given port.  Then Amavisd checks that email for viruses (if configured to do so) by the AV daemons that it is configured to use.  It can also do the same for spam by using Spamassassin.  It can also completely block email or just label it.  You then also configure it to relay to a certain IP and port after it is done doing what it does.

Also, you are correct. ClamAV is the best out there (kind of amazing when you think how much Symantec and McAfee make off of AV products that theirs are so much worse than a completely free product). If you have Panda installed, run that against the file. Does it say it is a virus? If so, then run it against Clamav. Also, make sure to run freshclam first to make sure that your defs are up-to-date. You should get output like the following:

[user@host viruses]# clamscan account-details.zip
account-details.zip: Worm.Mytob.BZ FOUND

----------- SCAN SUMMARY -----------
Known viruses: 60025
Engine version: 0.88.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.05 MB
Time: 1.697 sec (0 m 1 s)


Notifying a sender or the potential recipient of a virus is the job of Amavisd (or the package you use). ClamAV just scans a file, says yes or no to there being a virus and, if yes, then which virus. The notification portion is a part of the amavisd config though. However, that is a different issue. For now, let's just make sure that your clamav install is working.
LVL 1

Author Comment

by:orestyle1
ID: 16916403
Ok, installed ClamAV from source.  

I ran freshclam and got this:

ClamAV update process started at Thu Jun 15 15:17:46 2006
main.cvd is up to date (version: 39, sigs: 58116, f-level: 8, builder: tkojm)
daily.cvd is up to date (version: 1542, sigs: 1914, f-level: 8, builder: ccordes)

Running clamd it takes me to another command prompt.  

I have also run clamscan and received the following prompts (scanning downloads dir)

Known viruses: 60030
Engine version: 0.88.2
Scanned directories: 1
Scanned files: 35
Infected files: 1
Data scanned: 2.88 MB
Time: 4.249 sec (0 m 4 s)

So, seems to be scanning...  Does all this look correct?
LVL 25

Expert Comment

by:Cyclops3590
ID: 16916874
Yup... after you get both clamd and freshclam running in daemon mode, then you can check to make sure they are running by typing this:
ps aux | grep clam
LVL 1

Author Comment

by:orestyle1
ID: 16922157
OK, ran the following:

# touch /var/log/freshclam.log
# chmod 600 /var/log/freshclam.log
# chown clamav /var/log/freshclam.log

then modified freshclam.conf to reflect the logfile

Next, ran freshclam -d

ps aux | grep clam

root     20331  0.0  1.4 22776 13228 ?       Ss   Jun15   0:02 clamd
clamav   22656  0.0  0.0  2468  892 ?        Ss   10:19   0:00 freshclam -d

So more questions:

1.  Now will clamav start every time I log into the system, or every time the system is started?
2.  Will clamav now scan the system automatically? Does it prevent the system from becoming infected or just let you know when it has?

Are there any other issues I might need to be aware of that were overlooked or are vague in the clamav documentation?

LVL 25

Expert Comment

by:Cyclops3590
ID: 16922249
add these two lines to the /etc/rc.local file

/usr/local/sbin/clamd -c /usr/local/etc/clamd.conf
/usr/local/bin/freshclam --config-file=/usr/local/etc/freshclam.conf --quiet --daemon


Then they will start on bootup.

clamav will never scan the system automatically. If you want that, then you need to put a clamscan command into cron. It only identifies when it is already infected (although I wouldn't worry about that; not exactly a lot of linux viruses out there).

I don't think there are any other issues really; it's mostly where do you want to use it. Right now you have it to the point where it is successfully installed and usable. clamd opens a port so that another daemon can pass it data and clamd says if it's infected or not. freshclam running will keep your defs up to date. When you get to needing to tie it into other programs, post another question and either myself or someone else should be able to help you out.
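A cron-ready wrapper for the scheduled clamscan the answer above mentions, as an added example that is not code from the thread: it runs the recursive scan with -i so only infected files and the summary are printed, appends the full output to a log, and maps clamscan's exit status (0 clean, 1 infected, 2 error) to an outcome a cron job can act on. The LOGFILE path and the script name in the cron comment are assumptions.

```shell
#!/bin/sh
# Cron wrapper around clamscan (added example, not from the thread).
# Assumptions: clamscan is on PATH (or named in CLAMSCAN) and the
# LOGFILE path is writable by the user cron runs this as.
CLAMSCAN="${CLAMSCAN:-clamscan}"
LOGFILE="${LOGFILE:-/var/log/clamscan.log}"

# Read clamscan output on stdin and print the "Infected files:" count
# from its SCAN SUMMARY block; prints 0 if the summary is missing
# (e.g. the scan aborted before producing one).
infected_count() {
    n=$(sed -n 's/^Infected files: *\([0-9][0-9]*\).*/\1/p' | tail -n 1)
    echo "${n:-0}"
}

# Recursive scan that prints only infected files (-i) plus the summary,
# appending the full output to LOGFILE.  Echoes CLEAN, INFECTED:<count>
# or ERROR according to clamscan's exit status (0 clean, 1 infected,
# 2 error) and returns that status so a cron job can act on it.
classify_scan() {
    if out=$("$CLAMSCAN" -r -i "$@" 2>&1); then
        rc=0
    else
        rc=$?
    fi
    { echo "== $(date) scan of: $*"; printf '%s\n' "$out"; } >>"$LOGFILE"
    case $rc in
        0) echo CLEAN ;;
        1) echo "INFECTED:$(printf '%s\n' "$out" | infected_count)" ;;
        *) echo ERROR ;;
    esac
    return $rc
}

# Example crontab entry (assumed script name), nightly at 03:00; cron
# mails root whatever the script prints, and a non-zero exit flags a hit:
#   0 3 * * * /usr/local/bin/nightly-scan.sh /home /var/www
```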
LVL 1

Author Comment

by:orestyle1
ID: 16922576
Well, I did a scan on my Deb machine and got this info:

Known viruses: 60042
Engine version: 0.88.2
Scanned directories: 2691
Scanned files: 21917
Infected files: 6
Data scanned: 506.62 MB
Time: 287.538 sec (4 m 47 s)

Not sure what the infected files are but this was a scan of the entire HD

LVL 25

Expert Comment

by:Cyclops3590
ID: 16922623
What was the exact command you used? By default it should list the files that are infected.
LVL 1

Author Comment

by:orestyle1
ID: 16922815
clamscan -r
LVL 1

Author Comment

by:orestyle1
ID: 16922828
sorry

clamscan -r /

This scan would run on the whole system. Seems it is identifying the testfiles too. But not listing them.
LVL 1

Author Comment

by:orestyle1
ID: 16922851
Perhaps man clamav will explain how to list out the infected files? I did the -r just out of interest to see if anything existed on the entire drive. But I suspect the testfiles are what the clamav is squawking about.

Anyway, I gave more points, and should have given more because of all the advice and explanations given.  Will remember your name for next time...

LVL 25

Expert Comment

by:Cyclops3590
ID: 16924001
That's odd. I use the same command as you, but mine lists them out. I would make the same assumption you did about the ones that got identified though. Not sure why it's not listing though. It's always listed by default for me. I actually have to give it the "--quiet" switch to keep input from printing.

But ya, check out the man page for clamscan to see what flag options you have. Can't believe Debian would make it react that differently than my Mandriva box though.