Monday, November 21, 2005

ClamAV - The free Anti Virus solution for Windows on Linux

There is a common perception that there are no viruses on the Linux platform - which to a large extent is true. But what happens when you get a mail attachment which you would like to forward to your windows machine so you can open it with your favorite proprietary software? And what if this attachment is infected by a virus? This is where the anti virus solutions for linux comes into the picture.
ClamAV is a free GPLed anti-virus solution which provides a lot of advantages when installed in Linux. Sticking to the philosophy of linux, it contains a set of command line tools which can be used to check if a file on your system is infected by a virus.
The installation is quite simple as executing a single command as follows:

# yum install clamav
(for RedHat based systems)
# apt-get install clamav
(for Debian based systems)

ClamAV basically installs three binary tools on your system (in the /usr/bin directory), them being :
freshclam - As you know an anti-virus solution is only as good as the latest virus updates it has. This tool is used to update the virus databases on your system. It downloads the latest virus updates from the internet and keeps your anti-virus solution upto date.
clamscan - This is the tool that actually checks your files to see if they are infected.
sigtool - When you download the latest virus updates from the net, there should be a way of verifying the validity of the update. This is achieved by the sigtool. It is used to verify the digital signatures of databases and list virus signature names among other things.

This is how I use this wonderful package to my advantage. I have installed Linux alongside windows and boot via Grub bootloader (most people do). I have a FAT and NTFS partition on my harddrive which I have mounted in /mnt/C:/ and /mnt/D:/ . To check all the files in my windows partition, I just enter the command as follows (you don't have to be root to run this command):
$ clamscan --bell -r --log=/home/ravi/virus_log -i /mnt/D:/

The above command will scan my /mnt/D:/ directory (FAT32 partition) recursively (-r) and log (--log) the result in the virus_log file, will beep (--bell) each time a virus has been detected and only print (-i) infected files to the output.

clamscan can scan a wide variety of files including archive files (rar, zip, tar, deb, jar, arj ), your mails, html files ... In fact just about any file on your system.

For instance, if I want to scan a tar file, I will enter the following command:

$ clamscan --tar=/bin/tar  myfile.tgz
Same is the case for other archives. You pass the path of the archive tool in the command line.

Usually clamscan will recurse through a maximum depth of 15 levels if the -r option is used. But you can set the depth of recursion using the --max-dir-recursion option.
$ clamscan -r --max-dir-recursion=4 ~ravi/.

Here is another example of how you check only the text files on your harddisk for virus infection.
$ find . -iname \*.txt -exec clamscan -r -i {} \;

Updating the virus database
You will agree with me that the usefulness of an anti-virus solution is only as good as its virus definition files. With ClamAV, it is very easy to update the database. All it takes is executing the command :
# freshclam

And ClamAV will download the latest virus definition files from the internet and update your database. You can also run the above command as a daemon as follows:
# freshclam -d
Usually you don't have to run this command yourselves. When you install ClamAV on your machine, it creates a user and group named 'clamav' and also creates a cron job to update on a regular basis, the virus database on your machine.

ClamAV has been developed targeting firms running mail servers in mind and so is designed to check for virus on the fly. If you manage a mail server, you can integrate it with sendmail or any other mail server to check your incoming and outgoing emails for viruses.

Advantages of Clamav over other Anti-Virus suites
  1. The one and only GPLed Anti-Virus solution available with an unbeatable price tag (Free).
  2. Multi architecture and multi OS support. Clamav is available for MacOS, Windows, Linux and other Unix variants.
  3. Simple command line usage - which does away with memory bloat that other anti-virus solutions carry around. I still remember the times when my windows 98 machine would slow to a crawl when an antivirus package was installed on it.
  4. Can be linked with other linux commands to create powerful filters to check just a subset of files on your machine.
  5. You can automate the whole process of virus detection and prevention.
  6. Easy installation and uninstallation - I remember the trouble I had in uninstalling Norton Antivirus from my windows 98 machine a few years back. When I tried to uninstall Norton Antivirus, it said I should uninstall "Live Update" first and when I tried uninstalling the latter, it complained that "Norton Antivirus" was running and should be uninstalled first - in short a catch 22 situation - the only way out being a clean re-installation of windows OS. Clamav doesn't have any such problems.
  7. Lots of third party softwares with in-built support for ClamAV. For example, DansGuardian virus patch is a GPL addon that takes the virus scanning capabilities of ClamAV and integrates them into the content filtering web proxy DansGuardian.
What? You don't want to install the Clam Antivirus package just yet ? No problem, there is a Online scanning tool available from ClamAV which will help you scan a file on your harddisk without installing it.

No comments: