Sunday, December 25, 2005

ClamAV: Antivirus for Linux

There are only two Linux viruses and neither has been found alive in the wild. On the other hand, there are eighteen bazillion infectious viruses on Windows and that number grows steadily every day. That doesn’t mean you should ignore anti-virus software.

Unlike some popular commercial anti-virus products for Windows, the Linux equivalents aren’t CPU and memory hogs. One of the best free (as in speech and beer) Linux anti-virus packages is ClamAV. Installing ClamAV is really simple. Most distributions have binaries available, or if your distro supports apt-get, just type:

# apt-get install clamav

I have a Mandrake and for installation all I did was:

[root@mybox rkhunter]# urpmi clamav
To satisfy dependencies, the following packages are going to be installed (2 MB):
clamav-0.61-0.20030829.1mdk.i586
clamav-db-0.61-0.20030829.1mdk.i586
libclamav1-0.61-0.20030829.1mdk.i586
Is this OK? (Y/n) y
medium "contrib" uses an invalid list file:
mirror is probably not up-to-date, trying to use alternate method

ftp://ftp.is.co.za/mirror/mandrivalinux/official/9.2/contrib/i586/./clamav-0.61-0.20030829.1mdk.i586.rpm
ftp://ftp.is.co.za/mirror/mandrivalinux/official/9.2/contrib/i586/./clamav-db-0.61-0.20030829.1mdk.i586.rpm
ftp://ftp.is.co.za/mirror/mandrivalinux/official/9.2/contrib/i586/./libclamav1-0.61-0.20030829.1mdk.i586.rpm
The following packages have bad signatures:
/var/cache/urpmi/rpms/clamav-0.61-0.20030829.1mdk.i586.rpm: Invalid signature ((SHA1) DSA sha1 md5 (GPG) (MISSING KEY) GPG#604aa4e4 NOT OK)
/var/cache/urpmi/rpms/clamav-db-0.61-0.20030829.1mdk.i586.rpm: Invalid signature ((SHA1) DSA sha1 md5 (GPG) (MISSING KEY) GPG#604aa4e4 NOT OK)
/var/cache/urpmi/rpms/libclamav1-0.61-0.20030829.1mdk.i586.rpm: Invalid signature ((SHA1) DSA sha1 md5 (GPG) (MISSING KEY) GPG#604aa4e4 NOT OK)
Do you want to continue installation ? (y/N) y
installing /var/cache/urpmi/rpms/clamav-0.61-0.20030829.1mdk.i586.rpm /var/cache/urpmi/rpms/libclamav1-0.61-0.20030829.1mdk.i586.rpm /var/cache/urpmi/rpms/clamav-db-0.61-0.20030829.1mdk.i586.rpm
Preparing... ##################################################
1:libclamav1 ##################################################
2:clamav-db ##################################################
3:clamav ##################################################

That’s it.

If you’re lucky enough to use a Debian-based distro, ClamAV sets itself up. If you’re using another distro, you may have to create a new user named clamav, change a few permissions, and set up a few cron jobs. For detailed instructions, see the Clam AntiVirus User Manual at http://www.clamav.net/doc/latest/html/.


No one wants to have to think about anti-virus software once it’s installed. Any good anti-virus package should automatically update itself with new virus definitions, the more often the better. In addition, the anti-virus software should perform a full system scan at a regularly scheduled interval. Finally, integration with email software is vital: the best place to intercept new viruses is at this common point of entry.
ClamAV can handle all of these tasks. ClamAV runs freshclam to check for updates. By default, Debian systems run freshclam hourly. If you want to change that frequency, simply edit the Checks line in /etc/clamav/freshclam.conf.
To check your system, ClamAV uses clamscan. There are a wealth of options available for clamscan; to see them, use man clamscan. A quick and dirty way to scan your home directory is to use clamscan as follows:
[root@mybox rkhunter]# clamscan -ri --move=/tmp/virus /home/sriram/

----------- SCAN SUMMARY -----------
Known viruses: 9586
Scanned directories: 6
Scanned files: 18
Infected files: 0
Data scanned: 0.14 MB
I/O buffer size: 131072 bytes
Time: 0.857 sec (0 m 0 s)

[root@mybox rkhunter]#


The -r option tells ClamAV to recursively scan your directory and every other directory and file in it, while -i makes things a bit quieter, telling ClamAV to only print the names of infected files it finds. If a virus is found in a file, ClamAV moves the file to /tmp/virus/, but that directory must already exist before clamscan starts working. Set up a cron job to create /tmp/virus/ and run clamscan and you have an automated way to keep your system clean and healthy.
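A cron-ready wrapper for the scan described above, added here as an example (it is not from the original post or from the ClamAV project): it creates the quarantine directory before clamscan runs, parses the scan summary, and maps the result to an exit status that cron mail or a monitoring hook can act on. The SCANNER override variable and the script path in the crontab comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: cron wrapper around
#   clamscan -ri --move=<quarantine> <target>
# SCANNER lets a test substitute a stub for the real clamscan binary (assumption).
set -u

# Create the quarantine directory before scanning (clamscan --move needs it)
# and keep it owner-only so other local users cannot read moved samples.
prepare_quarantine() {
    qdir=$1
    mkdir -p "$qdir" || return 1
    chmod 700 "$qdir"
}

# Read a clamscan summary on stdin and print the "Infected files: N" count,
# or -1 if no summary line was found (the scan did not complete).
infected_count() {
    awk -F': *' '/^Infected files:/ { print $2; found = 1 }
                 END { if (!found) print "-1" }'
}

# Scan target recursively, quarantining hits. Exit status:
#   0 = clean, 1 = infected files were moved, 2 = scanner error / unparsable output
scan_dir() {
    target=$1
    qdir=$2
    prepare_quarantine "$qdir" || return 2
    # -r recurse, -i print only infected files, --move quarantine them
    summary=$("${SCANNER:-clamscan}" -ri --move="$qdir" "$target")
    rc=$?
    # clamscan itself exits 0 (clean), 1 (virus found) or 2 (error)
    [ "$rc" -eq 2 ] && return 2
    count=$(printf '%s\n' "$summary" | infected_count)
    [ "$count" -lt 0 ] && return 2
    if [ "$count" -gt 0 ]; then
        echo "$(date '+%F %T') $count infected file(s) moved to $qdir"
        return 1
    fi
    return 0
}

# /etc/crontab entry (nightly at 03:00; the script path is an assumption):
#   0 3 * * * root /usr/local/sbin/clamscan-cron.sh /home /tmp/virus
if [ $# -eq 2 ]; then
    scan_dir "$1" "$2"
fi
```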

Many Linux email clients already support ClamAV directly, including KMail (which allows you to pick the anti-virus program of your choice) and Sylpheed Claws. Others, such as Evolution, require you to manually create filters that pipe email through ClamAV. (C’mon, Evolution (and others)! Let us specify ClamAV or other anti-virus programs directly!)

There are windowed interfaces for ClamAV, if you really want them (check out the enormous list at http://www.clamav.net/3rdparty.html). There are also lots of other programs and libraries that interface with ClamAV, including php-clamav (which allows ClamAV to work with PHP), python-clamav (ditto, but for Python), and clamav-milter (which scans messages processed by sendmail).

If you want to protect your Linux server or desktop from viruses, give ClamAV a look. It’s a powerful, well-supported open source project, and it just keeps getting better and better.
