AdrianOnTech.net

Compiling and installing ClamAV on Ubuntu

March 18, 2017

For most people running open source, maintaining antivirus software on a Linux desktop is perhaps a little over the top.

I know it is a popularly held opinion that Linux doesn't need much of a virus scanner installed.

But even so, I do have some partly built Windows machines that could still be exposed to viruses if they came across via my Linux browser. Who knows what lurks within an innocent download?

With this in mind, I installed ClamAV on my main day-to-day (slow, low electrical power) Ubuntu desktop, and took advantage of compiling it from source for better scanning throughput, rather than using the pre-built Ubuntu packages available via apt-get.

    ClamAV : https://www.clamav.net/
    ClamAV® is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.

    https://en.wikipedia.org/wiki/Clam_AntiVirus

While doing this, I made some installation notes that others may find helpful...

Unpacking and documentation

From the above site I downloaded the release file: clamav-0.99.2.tar.gz and unpacked it into the directory: ~/Downloads/clamav-0.99.2

Here I found several README (& INSTALL etc...) documents, and a further 'clamdoc.pdf' file in the docs subdirectory.

Referring to those documents, the following installation workflow was the minimum for me to get it all compiled, scanning and updating definitions.

Security

ClamAV runs as its own unprivileged user (freshclam switches to it before writing signatures), so create a dedicated group and account with no login shell:
# groupadd clamav
# useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav

Lock the account so it has no usable password:
# passwd -l clamav

Compiling

From inside the unpacked source directory, configure so that the config files live under /etc rather than the default /usr/local/etc, then build:

$ ./configure --sysconfdir=/etc
$ make

(Lots of warning messages, but it should eventually compile OK.)

Run the test suite next, before anything is installed; it needs no signature download, but it is skipped unless configure found the check library:

$ make check

Then install (binaries under /usr/local/bin and /usr/local/sbin, the .sample config files under /etc):

$ sudo make install

(note "$ sudo make uninstall" will undo this)

The database directory location

clamconf (run without arguments) prints the effective configuration, including the compiled-in database directory. With the default --prefix of /usr/local this is /usr/local/share/clamav; it is set by the build rather than by Ubuntu, and DatabaseDirectory in the config files can override it. Create it if make install has not already, and give it to the clamav account, which is what freshclam switches to before writing signatures:
# cd /usr/local/share
# mkdir clamav
# chown clamav:clamav clamav
# chmod 775 clamav

(755 is enough unless other members of the clamav group must write there. Whatever the mode, nobody else should be able to write into this directory: every signature file found in it is loaded by clamd and clamscan.)

Configure Freshclam

Freshclam downloads signature database updates from ClamAV's mirrors. It switches to the DatabaseOwner account (clamav by default) even when started as root, so its log file has to be writable by that account:
# touch /var/log/freshclam.log
# chown clamav:clamav /var/log/freshclam.log
# chmod 660 /var/log/freshclam.log
To configure it, start from the sample that make install put in /etc
# cd /etc
# cp freshclam.conf.sample freshclam.conf
# vi freshclam.conf
  1. Comment out or remove the 'Example' line; freshclam refuses to run while it is present
    # Comment or remove the line below.
    # Example
  2. Enable UpdateLogFile
    # Path to the log file (make sure it has proper permissions)
    # Default: disabled
    UpdateLogFile /var/log/freshclam.log
To check that updates work, run it once by hand
$ sudo freshclam
ClamAV update process started at Sat Mar 18 11:46:00 2017
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Downloading daily-23213.cdiff [100%]
Downloading daily-23214.cdiff [100%]
daily.cld updated (version: 23214, sigs: 1824356, f-level: 63, builder: neo)
bytecode.cvd is up to date (version: 291, sigs: 55, f-level: 63, builder: neo)
Database updated (6043201 signatures) from database.clamav.net (IP: 130.59.113.36)

(This might need doing a couple of times, if download expiry notices occur.)

Test clamscan virus scanning

To test that scanning works, run clamscan recursively (-r) over the unpacked source tree, logging the result to a file (-l):
$ cd ~/Downloads
$ clamscan -r -l scan.txt clamav-0.99.2
It should flag the harmless test files in the test subdirectory, which match ClamAV's own test signature rather than containing any real malware:
...
clamav-0.99.2/test/clam.exe.html: Clamav.Test.File-6 FOUND
clamav-0.99.2/test/clam.ea06.exe: Clamav.Test.File-6 FOUND
clamav-0.99.2/test/clam.mail: Clamav.Test.File-6 FOUND
clamav-0.99.2/test/clam-yc.exe: Clamav.Test.File-6 FOUND
clamav-0.99.2/test/clam.tnef: Clamav.Test.File-6 FOUND
...
This scan result will also be saved in the scan.txt log file.

Configure Clamd

Clamd is an optional daemon that loads the signature database once and keeps it in memory, so that clients (clamdscan, mail filters, on-access scanning) can request scans through a small set of commands over a Unix domain socket or a TCP port, instead of paying the database load time that every clamscan run incurs. The command protocol is documented in clamdoc.pdf.

To configure it
# cd /etc
# cp clamd.conf.sample clamd.conf
# vi clamd.conf
  1. Comment out or remove the 'Example' line, as for freshclam.conf
    # Comment or remove the line below.
    # Example
  2. Enable LocalSocket mode
    # The daemon can work in local mode, network mode or both.
    # Due to security reasons we recommend the local mode.

    # Path to a local socket file the daemon will listen on.
    # Default: disabled (must be specified by a user)

    LocalSocket /tmp/clamd.socket

Two things to keep in mind about that socket. The sample leaves LocalSocketGroup and LocalSocketMode disabled, so the socket is created world accessible, and /tmp is a directory every local account can reach; anything that can connect can ask clamd to scan any path the daemon can read, so on a multi-user machine set those two directives (for example LocalSocketMode 660 plus a group for the clients). The sample also has the User directive commented out; setting it to clamav makes clamd drop root after start-up, at the price that it can then only scan files the clamav user can read, which is the restriction the manual's note in the next section describes.
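To make those two config edits reproducible rather than done by hand in vi, here is an added shell example (not from the post or from the ClamAV project) that derives a config from its .sample file: it comments out the Example line, sets each directive exactly once, and refuses to produce a file that would still make the tools abort. The directive names are real ClamAV ones; render_conf, active_value and demo are this example's own names, and the sample text inside demo is a constructed stand-in for the real .sample files, not a copy of them. It also shows the tighter clamd settings discussed above (LocalSocketGroup, LocalSocketMode, User) beside the bare LocalSocket line.

```shell
#!/bin/sh
# Added example (not from the post or from ClamAV): render freshclam.conf and
# clamd.conf from the .sample files installed by make install, instead of
# editing them with vi. Directive names are real ClamAV ones; the helper names
# and the constructed sample text in demo are this example's own.

# render_conf SAMPLE DEST "Directive value" ...
# Copies SAMPLE to DEST, comments out the bare 'Example' line (every ClamAV tool
# refuses to start while it is present), then sets each directive exactly once:
# commented-out defaults and any earlier active line for the same directive are
# removed first, so re-running the function does not accumulate duplicates.
render_conf() {
    sample=$1; dest=$2; shift 2
    [ -r "$sample" ] || { echo "render_conf: cannot read $sample" >&2; return 1; }
    sed 's/^Example[[:space:]]*$/# Example/' "$sample" > "$dest" || return 1
    for directive in "$@"; do
        name=${directive%% *}
        awk -v name="$name" '
            { bare = $0; sub(/^#[ \t]*/, "", bare) }           # peel "#" or "# "
            bare == name || index(bare, name " ") == 1 { next } # drop old setting
            { print }
        ' "$dest" > "$dest.tmp" && mv "$dest.tmp" "$dest" || return 1
        printf '%s\n' "$directive" >> "$dest"
    done
    # An active 'Example' line must never survive.
    ! grep -q '^Example' "$dest"
}

# active_value CONF NAME: print the value of an uncommented directive, empty if unset.
active_value() {
    awk -v name="$2" '$1 == name { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Worked run on constructed stand-ins for the two .sample files (a few lines in
# the spirit of the real samples, not copies of them). Prints the work directory.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/freshclam.conf.sample" <<'EOF'
# Comment or remove the line below.
Example
# Path to the log file (make sure it has proper permissions)
# Default: disabled
#UpdateLogFile /var/log/freshclam.log
#DatabaseOwner clamav
EOF
    cat > "$dir/clamd.conf.sample" <<'EOF'
# Comment or remove the line below.
Example
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
#LocalSocket /tmp/clamd.socket
# Default: disabled (socket is world accessible)
#LocalSocketMode 660
#User clamav
EOF
    render_conf "$dir/freshclam.conf.sample" "$dir/freshclam.conf" \
        "UpdateLogFile /var/log/freshclam.log" || return 1
    # Tighter clamd settings: group-only socket instead of a world-accessible
    # one, and drop root after start-up (clamd then only reads what clamav can).
    render_conf "$dir/clamd.conf.sample" "$dir/clamd.conf" \
        "LocalSocket /tmp/clamd.socket" "LocalSocketGroup clamav" \
        "LocalSocketMode 660" "User clamav" || return 1
    printf '%s\n' "$dir"
}

# Stand-alone run: show both rendered files.
dir=$(demo) && cat "$dir/freshclam.conf" "$dir/clamd.conf"
```

If you keep the LocalSocketGroup and LocalSocketMode 660 settings from demo, add any account that should run clamdscan to that group (usermod -aG clamav youruser), or its connections will be refused; after rendering the real files, clamconf shows the values the daemons will actually use.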

Testing Clamd

clamdscan takes the same arguments as clamscan but, instead of loading the database itself, connects as a client to the running clamd daemon and hands it the paths to scan. Start the daemon if it is not already running (it reads /etc/clamd.conf and goes into the background by itself):
$ clamd

then scan the same tree as before:
$ cd ~/Downloads
$ clamdscan -l scan.txt clamav-0.99.2
--------------------------------------
/home/../Downloads/clamav-0.99.2/test/clam.cab: Clamav.Test.File-6 FOUND
/home/../Downloads/clamav-0.99.2/test/clam.exe: Clamav.Test.File-6 FOUND
/home/../Downloads/clamav-0.99.2/test/clam.zip: Clamav.Test.File-6 FOUND
/home/../Downloads/clamav-0.99.2/test/clam.arj: Clamav.Test.File-6 FOUND
/home/../Downloads/clamav-0.99.2/test/clam.exe.rtf: Clamav.Test.File-6 FOUND
...
The paths come back absolute because clamdscan passes clamd a full path, and it is clamd, not clamdscan, that opens the files; hence the note in the manual:

“Please note that the scanned files must be accessible by the user running clamd or you will get an error.”

A lower-level check, which exercises the socket protocol directly rather than going through clamdscan, can be done with netcat. SCAN is one of the commands from clamdoc.pdf; it takes an absolute path, stops at the first match (CONTSCAN scans the whole tree), and clamd closes the connection after answering, which is why only one line comes back for the test directory:
$ echo "SCAN /home/../Downloads/clamav-0.99.2/test" | nc -U /tmp/clamd.socket

/home/../Downloads/clamav-0.99.2/test/clam.cab: Clamav.Test.File-6 FOUND
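SCAN makes clamd open the file by path, which is why the manual's note about file access applies. The INSTREAM command instead pushes the file's bytes over the socket, so clamd never needs read access to the file; that is how mail filters and proxies use it, and it is also a better health check for the daemon than SCAN. The following is an added shell example, not from the post or from the ClamAV project, that frames a file as an INSTREAM request (4-byte big-endian chunk lengths, terminated by a zero-length chunk, as described in clamdoc.pdf), sends it with the same nc -U as above, and classifies the one-line reply. The helper names, the 'hello clamd' sample file and the reply strings in the comments are this example's own; the socket path is the one configured above.

```shell
#!/bin/sh
# Added example (not from the post or from ClamAV): scan a file through clamd's
# INSTREAM command over the Unix socket. The wire format follows clamdoc.pdf /
# clamd(8); helper names and the constructed sample file are this example's own.

# be32 N: print N as a 4-byte big-endian length, the chunk prefix INSTREAM expects.
# Octal escapes are used because POSIX printf interprets them in the format string,
# which is the portable way to emit arbitrary bytes (including NUL) from sh.
be32() {
    n=$1
    printf "$(printf '\\%03o\\%03o\\%03o\\%03o' \
        $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
        $(( (n >> 8) & 255 ))  $(( n & 255 )))"
}

# instream_request FILE: frame FILE as one INSTREAM request on stdout.
# Layout: "nINSTREAM\n" (the n prefix selects newline-delimited replies), then
# <len><bytes> chunks, then a zero-length chunk. The whole file goes as a single
# chunk here; clamd accepts that up to its StreamMaxLength (25M in the sample
# config), beyond which it answers with a size-limit ERROR and closes the socket.
instream_request() {
    file=$1
    size=$(wc -c < "$file") || return 1
    printf 'nINSTREAM\n'
    be32 "$size"
    cat "$file"
    be32 0
}

# request_hex FILE: hex dump of the framed request, to check the framing offline.
request_hex() {
    instream_request "$1" | od -An -v -tx1 | tr -d ' \n'
}

# clamd_instream FILE [SOCKET]: stream FILE to clamd and print its reply line.
clamd_instream() {
    instream_request "$1" | nc -U "${2:-/tmp/clamd.socket}"
}

# verdict REPLY: map clamd's reply to a label and exit status:
#   0 clean      ("stream: OK")
#   1 detection  ("stream: <signature> FOUND")
#   2 error      (anything else: "... ERROR", size limit, empty reply when nc
#                 could not connect) - never silently treated as clean.
verdict() {
    reply=$1
    case $reply in
        "stream: OK"*)
            echo clean; return 0 ;;
        "stream: "*" FOUND"*)
            name=${reply#stream: }; name=${name% FOUND*}
            echo "found $name"; return 1 ;;
        *)
            echo "error: $reply"; return 2 ;;
    esac
}

# Stand-alone run: frame a constructed 11-byte file and show the bytes on the wire.
sample=$(mktemp) && printf 'hello clamd' > "$sample"
request_hex "$sample"; echo
rm -f "$sample"
# With clamd listening on /tmp/clamd.socket, a real scan of one of the test files is:
#   verdict "$(clamd_instream ~/Downloads/clamav-0.99.2/test/clam.exe)"
```

Against a running clamd, verdict "$(clamd_instream ~/Downloads/clamav-0.99.2/test/clam.exe)" should print found Clamav.Test.File-6 and exit 1. The point of the third branch is that a daemon that is down, a socket you are not allowed to open, or a file over StreamMaxLength all produce exit 2 rather than a false clean, which is the distinction a health check or a mail filter most needs.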

Enabling both clamd and freshclam daemons with systemd

The source build also installs systemd unit files for the two daemons (they sit in /lib/systemd/system and run the /usr/local binaries, as the status output below shows). Enable them so they start at boot, then either reboot or start them now with systemctl start:
$ sudo systemctl enable clamav-daemon
$ sudo systemctl enable clamav-freshclam
Then check that both daemons are running
$ ps aux | grep clam
root 09:43 ... 0:36 /usr/local/sbin/clamd --foreground=true
clamav 09:43 ... 0:00 /usr/local/bin/freshclam -d --foreground=true

Note that freshclam has dropped to the clamav account, while clamd is still running as root because User was left unset in clamd.conf.

To check logged status messages for freshclam, enter the following.
$ sudo systemctl status clamav-freshclam
-------------------------------------------
● clamav-freshclam.service - ClamAV virus database updater
Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor
Active: active (running) since Sat 2017-04-29 18:14:42 BST; 1h 12min ago
Docs: man:freshclam(1)
man:freshclam.conf(5)
http://www.clamav.net/lang/en/doc/
Main PID: 929 (freshclam)
CGroup: /system.slice/clamav-freshclam.service
└─929 /usr/local/bin/freshclam -d --foreground=true

Apr 29 18:14:55 freshclam[929]: ClamAV update process started at Sat Apr
Apr 29 18:14:55 freshclam[929]: WARNING: Can't query current.cvd.clamav.
Apr 29 18:14:55 freshclam[929]: WARNING: Invalid DNS reply. Falling back
Apr 29 18:14:55 freshclam[929]: Reading CVD header (main.cvd): WARNING:
Apr 29 18:14:55 freshclam[929]: WARNING: Can't read main.cvd header from
Apr 29 18:14:55 freshclam[929]: Trying again in 5 secs...
Apr 29 18:15:00 freshclam[929]: ClamAV update process started at Sat Apr
Apr 29 18:15:00 freshclam[929]: main.cvd is up to date (version: 57, sig
Apr 29 18:15:00 freshclam[929]: daily.cld is up to date (version: 23341,
Apr 29 18:15:00 freshclam[929]: bytecode.cvd is up to date (version: 296
The warnings on the first attempt come from freshclam's DNS version check (a TXT record at current.cvd.clamav.net) failing, and the fallback of reading the main.cvd header from the mirror failing too; it retried after 5 seconds and found the databases up to date. Seen right after boot, as here, that usually just means the unit started before the network was usable.

The freshclam daemon can be stopped and started using the following commands.
$ sudo systemctl stop clamav-freshclam
. . .
$ sudo systemctl start clamav-freshclam

To be continued ...

Yes, I'd like to get the on-access scanning working, but that's quite enough for the time being. Let's try and walk first ;-)
