Hack #74. Scan for Viruses on Your Unix Servers

Use ClamAV to identify infected files under Unix.

Traditionally, antivirus concerns have been an afterthought in the Unix world. After all, Unix machines don’t have the history of being attacked by malware that Windows PCs (and Macs, to a lesser extent) have enjoyed. However, with the widespread use of heterogeneous systems, it makes sense to take a look at Unix antivirus approaches in a new light. While your Unix servers might not themselves be targeted or affected by viruses, attackers may try to use them for propagating malware to PCs on your network.

One software package that lets you scan for viruses under Unix is ClamAV (http://www.clamav.net). ClamAV is especially useful on Samba servers and on mail servers, where it can scan email attachments for virus payloads and block them before they hit a user’s inbox. And best of all, it’s free!

To get started with ClamAV, you’ll first need to create a user and group to run it under (e.g., _clamav). Then, download the source tarball, unpack it, change to the directory that it creates, and run ./configure. If you want to use ClamAV to scan email, you can add the --enable-milter option, which builds clamav-milter for you to tie in with Sendmail.

Once the configure script finishes executing, run the usual make command, and then run make install as root. You’ll then need to update ClamAV’s virus signature database by editing /usr/local/etc/freshclam.conf.

Locate the following two lines:

# Comment or remove the line below.
Example

Simply comment out the Example line and run freshclam. The last line it outputs should look similar to the following, confirming that the signatures have been updated:

Database updated (60082 signatures) from database.clamav.net (IP: 199.239.233.95)

Now, you can test ClamAV by running the standalone command-line scanner clamscan. The ClamAV source tree contains some files that ClamAV will recognize as malware, so try scanning it:

# clamscan -r -l scan.txt .
./FAQ: OK
./etc/Makefile.am: OK
./etc/Makefile.in: OK
./etc/clamd.conf: OK
./etc/freshclam.conf: OK
./etc/Makefile: OK
./BUGS: OK
./NEWS: OK
./TODO: Empty file
./docs/man/sigtool.1: OK
./docs/man/clamscan.1: OK
./docs/man/clamdscan.1: OK
./docs/man/freshclam.1: OK
./docs/man/freshclam.conf.5.in: OK
./docs/man/clamd.conf.5: OK
...
./test/clam.cab: ClamAV-Test-File FOUND
./test/clam.exe: ClamAV-Test-File FOUND
./test/clam.rar: ClamAV-Test-File FOUND
./test/clam.zip: ClamAV-Test-File FOUND
./test/clam.exe.bz2: ClamAV-Test-File FOUND

----------- SCAN SUMMARY -----------
Known viruses: 60082
Engine version: 0.88.2
Scanned directories: 45
Scanned files: 757
Infected files: 5
Data scanned: 13.19 MB
Time: 33.362 sec (0 m 33 s)

Now, take a look at scan.txt:

# cat scan.txt

--------------------------------------
Scan started: Sun Jun 25 21:43:00 2006

./test/clam.cab: ClamAV-Test-File FOUND
./test/clam.exe: ClamAV-Test-File FOUND
./test/clam.rar: ClamAV-Test-File FOUND
./test/clam.zip: ClamAV-Test-File FOUND
./test/clam.exe.bz2: ClamAV-Test-File FOUND

-- summary --
Known viruses: 60082
Engine version: 0.88.2
Scanned directories: 45
Scanned files: 757
Infected files: 5
Data scanned: 13.19 MB
Time: 33.362 sec (0 m 33 s)

As you can see, both the clamscan output and the contents of scan.txt show the same five infected files. However, scan.txt only shows the infected files and a summary of the scan, whereas the status of every scanned file is shown in the clamscan output.
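Since the scan.txt log and clamd's syslog lines share the same "path: signature FOUND" shape, it is easy to extract detections from either and raise an alert. The following Python script is an added example, not code from the book or from the ClamAV project; it parses both formats, groups hits by signature, and cross-checks the FOUND lines against the "Infected files" count in the summary so that a truncated or edited log is noticed. The sample inputs are constructed from the output shown above.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# A detection line from clamscan's -l log ("./test/clam.cab: ClamAV-Test-File FOUND")
# or from clamd's syslog output, which prefixes the same text with the syslog
# header ("Jun 25 22:29:31 host clamd[15828]: /path/clam.cab: ... FOUND").
FOUND_RE = re.compile(
    r"^(?:.*?\bclamd\[\d+\]: )?"      # optional syslog prefix
    r"(?P<path>.+?): (?P<sig>\S+) FOUND$"
)
SUMMARY_RE = re.compile(r"^Infected files: (?P<n>\d+)$")


class Detection(NamedTuple):
    path: str
    signature: str


def parse_detections(text: str) -> List[Detection]:
    """Return one Detection per '<path>: <signature> FOUND' line."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.rstrip())
        if m:
            hits.append(Detection(m.group("path"), m.group("sig")))
    return hits


def summary_infected_count(text: str) -> Optional[int]:
    """The 'Infected files: N' value from a scan summary, or None if absent."""
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            return int(m.group("n"))
    return None


def check_scan_log(text: str) -> Dict[str, object]:
    """Group detections by signature and cross-check them against the summary.

    A log whose summary count disagrees with its FOUND lines has been
    truncated or edited, which is worth an alert in its own right.
    """
    hits = parse_detections(text)
    by_sig: Dict[str, List[str]] = {}
    for h in hits:
        by_sig.setdefault(h.signature, []).append(h.path)
    declared = summary_infected_count(text)
    return {
        "detections": hits,
        "by_signature": by_sig,
        "declared": declared,
        "consistent": declared is None or declared == len(hits),
    }


# Constructed sample inputs, copied from the scan.txt and syslog output in this hack.
SAMPLE_SCAN_TXT = """\
--------------------------------------
Scan started: Sun Jun 25 21:43:00 2006

./test/clam.cab: ClamAV-Test-File FOUND
./test/clam.exe: ClamAV-Test-File FOUND
./test/clam.rar: ClamAV-Test-File FOUND
./test/clam.zip: ClamAV-Test-File FOUND
./test/clam.exe.bz2: ClamAV-Test-File FOUND

-- summary --
Known viruses: 60082
Engine version: 0.88.2
Scanned directories: 45
Scanned files: 757
Infected files: 5
Data scanned: 13.19 MB
Time: 33.362 sec (0 m 33 s)
"""

SAMPLE_SYSLOG = """\
Jun 25 22:29:16 mail clamd[15828]: Self checking every 1800 seconds.
Jun 25 22:29:31 mail clamd[15828]: /usr/home/andrew/clamav-0.88.2/./test/clam.cab: ClamAV-Test-File FOUND
Jun 25 22:29:31 mail clamd[15828]: /usr/home/andrew/clamav-0.88.2/./test/clam.exe: ClamAV-Test-File FOUND
Jun 25 22:29:31 mail clamd[15828]: /usr/home/andrew/clamav-0.88.2/./test/clam.zip: ClamAV-Test-File FOUND
Jun 25 22:29:31 mail clamd[15828]: /usr/home/andrew/clamav-0.88.2/./test/clam.exe.bz2: ClamAV-Test-File FOUND
"""

if __name__ == "__main__":
    for name, text in (("scan.txt", SAMPLE_SCAN_TXT), ("syslog", SAMPLE_SYSLOG)):
        report = check_scan_log(text)
        print(f"{name}: {len(report['detections'])} detections, "
              f"summary says {report['declared']}, consistent={report['consistent']}")
        for sig, paths in report["by_signature"].items():
            print(f"  {sig}: {len(paths)} file(s)")
```

Feed it a real scan.txt or a slice of /var/log/messages and the report tells you which signatures fired on which paths; the consistency flag only applies to logs that carry a summary, so syslog input is reported as consistent by definition.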

To get the ClamAV daemon (clamd) working, you’ll first need to remove or comment out the Example line from /usr/local/etc/clamd.conf, just as you did with the freshclam.conf file. Then you’ll need to tell clamd to run as the user you created earlier, using the User option. Add a line like this:

User _clamav

There are many other configuration options you can change here, and the configuration file is fully documented with comments to make choosing the right options easy. One notable configuration option is LogSyslog, which causes clamd to log any viruses that are detected via syslog.

To enable logging via syslog, simply locate the option and uncomment it. By default, clamd uses the local6 facility, but you can change this with the LogFacility option. Take a look at the syslog manpage to find other syslog facilities that you can use.

Once you’re done editing the configuration file, start clamd; just typing clamd should work. If you enabled logging via syslog, you should see something like the following in your logs:

Jun 25 22:29:12 mail clamd[15819]: Daemon started.
Jun 25 22:29:12 mail clamd[15819]: clamd daemon 0.88.2 (OS: freebsd5.4, ARCH: i386, CPU: i386)
Jun 25 22:29:12 mail clamd[15819]: Log file size limited to 1048576 bytes.
Jun 25 22:29:12 mail clamd[15819]: Reading databases from /usr/local/share/clamav
Jun 25 22:29:16 mail clamd[15819]: Protecting against 60082 viruses.
Jun 25 22:29:16 mail clamd[15828]: Unix socket file /tmp/clamd
Jun 25 22:29:16 mail clamd[15828]: Setting connection queue length to 15
Jun 25 22:29:16 mail clamd[15828]: Archive: Archived file size limit set to 10485760 bytes.
Jun 25 22:29:16 mail clamd[15828]: Archive: Recursion level limit set to 8.
Jun 25 22:29:16 mail clamd[15828]: Archive: Files limit set to 1000.
Jun 25 22:29:16 mail clamd[15828]: Archive: Compression ratio limit set to 250.
Jun 25 22:29:16 mail clamd[15828]: Archive support enabled.
Jun 25 22:29:16 mail clamd[15828]: Archive: RAR support disabled.
Jun 25 22:29:16 mail clamd[15828]: Portable Executable support enabled.
Jun 25 22:29:16 mail clamd[15828]: Mail files support enabled.
Jun 25 22:29:16 mail clamd[15828]: OLE2 support enabled.
Jun 25 22:29:16 mail clamd[15828]: HTML support enabled.
Jun 25 22:29:16 mail clamd[15828]: Self checking every 1800 seconds.

Now, try running the same AV scan with clamdscan:

# /usr/local/bin/clamdscan -l scan.txt .
/usr/home/andrew/clamav-0.88.2/./test/clam.cab: ClamAV-Test-File FOUND
/usr/home/andrew/clamav-0.88.2/./test/clam.exe: ClamAV-Test-File FOUND
/usr/home/andrew/clamav-0.88.2/./test/clam.zip: ClamAV-Test-File FOUND
/usr/home/andrew/clamav-0.88.2/./test/clam.exe.bz2: ClamAV-Test-File FOUND

----------- SCAN SUMMARY -----------
Infected files: 4
Time: 32.749 sec (0 m 32 s)

Check your logs. You should see the same results reflected there (four files rather than the five clamscan found; clam.rar is absent, and the daemon's startup log above reports "Archive: RAR support disabled.", so compare archive support first whenever the two scanners disagree):

Jun 25 22:29:31 freebsd5-vm1 clamd[15828]: /usr/home/andrew/clamav-0.88.2/./test/clam.cab: ClamAV-Test-File FOUND
Jun 25 22:29:31 freebsd5-vm1 clamd[15828]: /usr/home/andrew/clamav-0.88.2/./test/clam.exe: ClamAV-Test-File FOUND
Jun 25 22:29:31 freebsd5-vm1 clamd[15828]: /usr/home/andrew/clamav-0.88.2/./test/clam.zip: ClamAV-Test-File FOUND
Jun 25 22:29:31 freebsd5-vm1 clamd[15828]: /usr/home/andrew/clamav-0.88.2/./test/clam.exe.bz2: ClamAV-Test-File FOUND
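clamdscan and clamav-milter are both just clients of the socket clamd listens on. The following small Python client is an added example, not code from the book or from the ClamAV project; it sends a SCAN command for a path over that Unix socket and parses the one-line reply, which is the same exchange clamdscan performs. It assumes the socket path /var/run/clamav/clamd.sock that this hack configures for the Sendmail setup (the daemon started above listened on /tmp/clamd), and it uses the newline-prefixed "n" command form that current clamd documents; the legacy flag emits the bare "SCAN path" form that the 0.88-era daemon shown here took.

```python
import socket
from typing import Tuple

# Assumed socket path: the LocalSocket value this hack adds to clamd.conf
# for the milter setup. The daemon started earlier listened on /tmp/clamd.
CLAMD_SOCKET = "/var/run/clamav/clamd.sock"


def build_command(name: str, arg: str = "", legacy: bool = False) -> bytes:
    """Encode one clamd command.

    Current clamd prefers prefixed commands: 'n' + command + '\\n' (or 'z' with
    NUL terminators). legacy=True emits the bare newline-terminated form that
    the 0.88-era daemon shown in this hack used.
    """
    body = f"{name} {arg}" if arg else name
    return (("" if legacy else "n") + body + "\n").encode()


def parse_reply(reply: str) -> Tuple[str, str, str]:
    """Split a clamd reply line into (path, status, detail).

    Replies look like '<path>: OK', '<path>: <signature> FOUND',
    '<path>: <message> ERROR', or 'PONG' in answer to PING.
    """
    line = reply.strip()
    if line == "PONG":
        return ("", "PONG", "")
    if line.endswith(" FOUND"):
        path, _, sig = line[: -len(" FOUND")].rpartition(": ")
        return (path, "FOUND", sig)
    if line.endswith(": OK"):
        return (line[: -len(": OK")], "OK", "")
    if line.endswith(" ERROR"):
        head = line[: -len(" ERROR")]
        path, sep, msg = head.partition(": ")
        return (path, "ERROR", msg) if sep else ("", "ERROR", head)
    return ("", "UNKNOWN", line)


def _exchange(command: bytes, sock_path: str, timeout: float) -> str:
    """Send one command over the Unix socket and read one reply line."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(command)
        data = b""
        while not data.endswith(b"\n"):
            chunk = s.recv(4096)
            if not chunk:          # daemon closed the connection
                break
            data += chunk
    return data.decode(errors="replace")


def ping(sock_path: str = CLAMD_SOCKET, legacy: bool = False,
         timeout: float = 5.0) -> bool:
    """True if clamd answers PING with PONG."""
    reply = _exchange(build_command("PING", legacy=legacy), sock_path, timeout)
    return parse_reply(reply)[1] == "PONG"


def scan_path(path: str, sock_path: str = CLAMD_SOCKET, legacy: bool = False,
              timeout: float = 60.0) -> Tuple[str, str, str]:
    """Ask clamd to scan an absolute path and return (path, status, detail).

    clamd opens the file itself, as the User it runs under (_clamav here), so
    anything that user cannot read comes back as an ERROR reply rather than OK.
    SCAN stops at the first detection; CONTSCAN would report every one.
    """
    reply = _exchange(build_command("SCAN", path, legacy), sock_path, timeout)
    return parse_reply(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    print("clamd reachable:", ping())
    print(scan_path(target))
```

Because the daemon does the file access, the path you hand it must be absolute and readable by the _clamav user; a permission problem shows up as an ERROR reply, which the parser keeps separate from OK so a monitoring script does not mistake an unscanned file for a clean one.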

Finally, if you want to have Sendmail use ClamAV to scan mail, you’ll need to create a directory to hold the Unix sockets through which Sendmail, clamd, and clamav-milter will communicate:

# mkdir /var/run/clamav
# chown _clamav:_clamav /var/run/clamav

Then, add the following line to /usr/local/etc/clamd.conf:

LocalSocket /var/run/clamav/clamd.sock

Next, tell Sendmail to pass messages through clamav-milter by adding the following to the end of your sendmail.mc file:

INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock, F=, \
T=S:4m;R:4m')
define(`confINPUT_MAIL_FILTERS', `clmilter')

After you’ve done that, rebuild your sendmail.cf and start clamav-milter:

# /usr/local/sbin/clamav-milter -lo /var/run/clamav/clmilter.sock --external

Now, restart Sendmail. You can quickly test your new AV scanning setup by trying to send the test files included with the ClamAV distribution as attachments. You should see something similar to this in your logs:

Jun 26 00:08:03 freebsd5-vm1 sm-mta[27946]: k5Q6831t027946: Milter add: header: X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on freebsd5-vm1.nnc
Jun 26 00:08:03 freebsd5-vm1 sm-mta[27946]: k5Q6831t027946: Milter add: header: X-Virus-Status: Not Scanned
Jun 26 00:08:03 freebsd5-vm1 sm-mta[27946]: k5Q6831t027946: Milter: data, reject=451 4.3.2 Please try again later

The client sending the message will be blocked from doing so.

These are just a few of the possibilities for using ClamAV. For another interesting use, take a look at “Scan Network Traffic for Viruses” [Hack #118], which shows how to integrate ClamAV with Snort.