ClamAV is an open source antivirus tool. Its basic use is detecting viruses, malware, and other malicious software on Linux-based machines. The threat from viruses, Trojans, and other forms of malware is real. They have grown exponentially in both quantity and sophistication, and antivirus software has had to adopt sophisticated detection methods. While there is no guarantee that your system will not fall victim to these unwanted bits of code, remaining mindful when using the Internet and sharing files, implementing common-sense security policies, and using an up-to-date antivirus program can go a long way in protecting you. This article will show you how to install and configure ClamAV on CentOS / RHEL 7.
To install ClamAV on CentOS / RHEL 7, we need to install the EPEL repository:
# yum install epel-release
You can follow the official ClamAV website for details on installing ClamAV on other distributions.
Then we can install ClamAV with all its useful tools:
# yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
Configure ClamAV (Anti Virus)
To configure ClamAV, first of all we need to remove the example configuration line, so that we can make our own configuration:
# sed -i '/^Example/d' /etc/clamd.d/scan.conf
After removing the example line, we need to make some modifications to define the local socket through which the scanner daemon is reached and the user (root) that runs the antivirus:
# vim /etc/clamd.d/scan.conf
The value given with LocalSocket is the socket file used by the scanner daemon for communicating with outside processes. We uncomment the LocalSocket line, then make sure the following two lines are present at the end of the file, and save:
User root
LocalSocket /var/run/clamd.<SERVICE>/clamd.sock
To keep the ClamAV database up to date, we need to enable a tool called Freshclam. Before editing its configuration, we create a backup of the configuration file:
# cp /etc/freshclam.conf /etc/freshclam.conf.bak
Freshclam reads its configuration from /etc/freshclam.conf. The file contains a line with the word Example to prevent users from using the defaults blindly, and we must remove it or comment it out before we can use freshclam. The default settings are fine for our purposes, and this is more of an annoyance than anything else, but it does force us to look at the file and see what behavior can be tweaked. Each directive is commented with an explanation and what the default behavior is.
# sed -i '/^Example/d' /etc/freshclam.conf
We need to run Freshclam to update the database manually and to check whether the configuration is set up successfully:
# freshclam
ClamAV update process started at Tue Nov 6 15:51:59 2018
WARNING: Can't query current.cvd.clamav.net
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Reading CVD header (main.cvd): OK (IMS)
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Reading CVD header (daily.cvd): OK
Downloading daily-25006.cdiff [100%]
Downloading daily-25092.cdiff [100%]
Downloading daily-25093.cdiff [100%]
Downloading daily-25094.cdiff [100%]
Downloading daily-25095.cdiff [100%]
daily.cld updated (version: 25095, sigs: 2143057, f-level: 63, builder: neo)
Reading CVD header (bytecode.cvd): OK
bytecode.cvd is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
Database updated (6709397 signatures) from database.clamav.net (IP: 18.104.22.168)
We can run freshclam any time we want to make sure the definition databases are up to date, but it would be inconvenient to always have to run it manually. When launched with the -d argument, freshclam runs in daemon mode and periodically checks for updates throughout the day (every two hours by default).
To keep things clean, we create a service file to run freshclam and register it with systemd:
# vim /usr/lib/systemd/system/clam-freshclam.service
Then we put the following code inside the file and save it:
[Unit]
Description = freshclam scanner
After = network.target

[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 4
Restart = on-failure
PrivateTmp = true
RestartSec = 20sec

[Install]
WantedBy=multi-user.target
The [Unit] section defines the basic attributes of the service, such as its description and the fact that it relies on a network connection. The [Service] section defines the service itself: ExecStart runs freshclam with the -d argument, Type lets systemd know that the process will fork and run in the background as a daemon, and Restart has systemd monitor the service and restart it automatically if it crashes. The [Install] section defines how the unit is linked when we run systemctl enable.
Reload the systemd daemon so that it picks up the new unit file:
# systemctl daemon-reload
Next, start the clam-freshclam service and check its status:
# systemctl start clam-freshclam.service
# systemctl status clam-freshclam.service
● clam-freshclam.service - freshclam scanner
   Loaded: loaded (/usr/lib/systemd/system/clam-freshclam.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-11-06 15:56:53 IST; 3s ago
  Process: 7926 ExecStart=/usr/bin/freshclam -d -c 4 (code=exited, status=0/SUCCESS)
 Main PID: 7927 (freshclam)
   CGroup: /system.slice/clam-freshclam.service
           └─7927 /usr/bin/freshclam -d -c 4

Nov 06 15:56:53 node2.example.com systemd: Starting freshclam scanner...
Nov 06 15:56:53 node2.example.com systemd: Started freshclam scanner.
Nov 06 15:56:53 node2.example.com freshclam: freshclam daemon 0.100.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Nov 06 15:56:53 node2.example.com freshclam: ClamAV update process started at Tue Nov 6 15:56:53 2018
If everything is running fine and there is no problem, we add it to the system startup service:
# systemctl enable clam-freshclam.service
Created symlink from /etc/systemd/system/multi-user.target.wants/clam-freshclam.service to /usr/lib/systemd/system/clam-freshclam.service.
Now, to finish configuring ClamAV, we need to create the clamd service file. The package ships a template service file in the system services folder; we rename it to something understandable and then make some minor modifications to it:
# mv /usr/lib/systemd/system/clamd@.service /usr/lib/systemd/system/clamd.service
Since we have changed the name, we also need to change it in the file that includes this service:
# vim /usr/lib/systemd/system/clamd@scan.service
On the first line, we remove the @ from the service name so that it refers to the renamed clamd.service.
At the same location, we need to change the clamd service file itself:
# vim /usr/lib/systemd/system/clamd.service
We remove %i from both the Description and ExecStart options, add the TimeoutSec, Restart and RestartSec lines at the end, and save, so that the relevant lines look like the following:
Description = clamd scanner daemon
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/scan.conf
TimeoutSec=5min
Restart = on-failure
RestartSec=10sec
Next, start the clamd service and check its status:
# systemctl start clamd.service
# systemctl status clamd.service
● clamd.service - clamd scanner daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-11-06 19:48:17 IST; 16s ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
  Process: 1460 ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf (code=exited, status=0/SUCCESS)
 Main PID: 1461 (clamd)
   CGroup: /system.slice/clamd.service
           └─1461 /usr/sbin/clamd -c /etc/clamd.d/scan.conf

Nov 06 19:48:15 node2.example.com clamd: ELF support enabled.
Nov 06 19:48:15 node2.example.com clamd: Mail files support enabled.
Nov 06 19:48:15 node2.example.com clamd: OLE2 support enabled.
Nov 06 19:48:15 node2.example.com clamd: PDF support enabled.
Nov 06 19:48:15 node2.example.com clamd: SWF support enabled.
Nov 06 19:48:15 node2.example.com clamd: HTML support enabled.
Nov 06 19:48:15 node2.example.com clamd: XMLDOCS support enabled.
Nov 06 19:48:15 node2.example.com clamd: HWP3 support enabled.
Nov 06 19:48:15 node2.example.com clamd: Self checking every 600 seconds.
Nov 06 19:48:17 node2.example.com systemd: Started clamd scanner daemon.
If everything is fine, enable the clamd service so that it starts at boot:
# systemctl enable clamd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/clamd.service to /usr/lib/systemd/system/clamd.service.
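With clamd running, the LocalSocket configured in scan.conf is how other processes hand it data to scan. The following Python client is an added example, not code from this article or from the ClamAV project; it assumes the socket path /var/run/clamd.scan/clamd.sock (substitute the LocalSocket value from your own scan.conf) and uses clamd's INSTREAM command as documented in clamd(8).

```python
# Added example, not code from the original article: a minimal client for
# the Unix socket that clamd exposes through LocalSocket in scan.conf.
# INSTREAM makes the daemon scan bytes sent over the socket, so it never
# needs read access to the original file.
import socket
import struct

# Assumption: the path set as LocalSocket in /etc/clamd.d/scan.conf.
CLAMD_SOCKET = "/var/run/clamd.scan/clamd.sock"


def build_instream(data: bytes, chunk_size: int = 2048) -> bytes:
    """Frame data for INSTREAM: the command 'zINSTREAM' plus NUL, then chunks
    prefixed with a 4-byte big-endian length, ended by a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)  # zero-length chunk terminates the stream
    return bytes(out)


def parse_response(raw: bytes) -> tuple:
    """Map a NUL-terminated reply such as 'stream: <signature> FOUND' to
    (verdict, detail): ('OK', None), ('FOUND', signature) or ('ERROR', text)."""
    text = raw.rstrip(b"\0").decode("utf-8", "replace").strip()
    _, _, status = text.partition(": ")
    if status == "OK":
        return ("OK", None)
    if status.endswith(" FOUND"):
        return ("FOUND", status[:-len(" FOUND")])
    return ("ERROR", status)


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET) -> tuple:
    """Send data to the running clamd over the LocalSocket; return its verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(60)
        s.connect(sock_path)
        s.sendall(build_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):  # z-commands get a NUL-terminated reply
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_response(reply)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:  # usage: python3 clamd_client.py <file>
        print(scan_bytes(f.read()))
```

A FOUND verdict carries the matching signature name, which is the value to log or alert on.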
For a test scan of the current folder, we run the following command (note that --infected prints only infected files and --remove deletes them outright; to quarantine instead, replace --remove with --move=DIR):
# clamscan --infected --remove --recursive ./

----------- SCAN SUMMARY -----------
Known viruses: 6702413
Engine version: 0.100.2
Scanned directories: 7
Scanned files: 9
Infected files: 0
Data scanned: 0.01 MB
Data read: 0.00 MB (ratio 2.00:1)
Time: 25.439 sec (0 m 25 s)
Lastly, I hope the steps in this article to configure ClamAV on RHEL / CentOS 7 Linux were helpful. Let me know your suggestions and feedback using the comment section.