ClamAV is an open source antivirus tool. It is primarily used to detect viruses, malware, and other malicious software on Linux-based machines. The threat from viruses, Trojans, and other forms of malware is real. They have grown exponentially in both quantity and sophistication, and antivirus software has had to adopt equally sophisticated detection methods. While there is no guarantee that your system will not fall victim to these unwanted bits of code, remaining mindful when using the Internet and sharing files, implementing common-sense security policies, and using an up-to-date antivirus program can go a long way in protecting you. This article will show you how to install and configure ClamAV on CentOS / RHEL 7.

Steps to install and configure ClamAV (Anti Virus) in CentOS / RHEL 7


Install ClamAV

To install ClamAV on CentOS / RHEL 7, we need to install the EPEL repository:

# yum install epel-release

Installation instructions for other distributions are available on the official ClamAV website.

Then we can install ClamAV with all its useful tools:

# yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd


Configure ClamAV (Anti Virus)

To configure ClamAV, we first need to remove the Example line from the sample configuration so that we can build our own configuration on top of it:

# sed -i '/^Example/d' /etc/clamd.d/scan.conf

After removing the example line, we need to make a few changes to define how the daemon listens for connections and which user (root) runs the antivirus:

# vim /etc/clamd.d/scan.conf

The value given with LocalSocket is the socket file that the scanner daemon uses to communicate with outside processes. We uncomment the following line:

LocalSocket /var/run/clamd.scan/clamd.sock

Then we add these two lines at the end of the file and save it:

User root
LocalSocket /var/run/clamd.<SERVICE>/clamd.sock

To keep the ClamAV signature database up to date, we need to enable a tool called Freshclam. Before changing anything, we make a backup of its configuration file:

# cp /etc/freshclam.conf /etc/freshclam.conf.bak


Freshclam reads its configuration from /etc/freshclam.conf. The file contains a line with the word Example to prevent users from using the defaults blindly, and we must remove it or comment it out before we can use freshclam. The default settings are fine for our purposes, and this is more of an annoyance than anything else, but it does force us to look at the file and see what behavior can be tweaked. Each directive is commented with an explanation of what it does and what its default is.

# sed -i '/^Example/d' /etc/freshclam.conf

We now run Freshclam manually to update the database and to check that the configuration works:

# freshclam
ClamAV update process started at Tue Nov 6 15:51:59 2018
WARNING: Can't query current.cvd.clamav.net
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Reading CVD header (main.cvd): OK (IMS)
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Reading CVD header (daily.cvd): OK
Downloading daily-25006.cdiff [100%]
Downloading daily-25092.cdiff [100%]
Downloading daily-25093.cdiff [100%]
Downloading daily-25094.cdiff [100%]
Downloading daily-25095.cdiff [100%]
daily.cld updated (version: 25095, sigs: 2143057, f-level: 63, builder: neo)
Reading CVD header (bytecode.cvd): OK
bytecode.cvd is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
Database updated (6709397 signatures) from database.clamav.net (IP: 104.16.186.138)
NOTE: The process outputs its progress to the terminal and you may see several error messages. For example, it may report that it was unable to download a daily file. Don’t panic; freshclam will try several mirrors. As long as it reports that main.cvd, daily.cvd, and bytecode.cvd are up to date when it’s finished, you know you have the latest definitions.

We can run freshclam any time we want to make sure the definition databases are up to date, but it would be inconvenient to always have to run it manually. When launched with the -d argument, freshclam runs in daemon mode and periodically checks for updates throughout the day (every two hours by default).


To keep things clean, we create a service file to run freshclam and register it with systemd:

# vim /usr/lib/systemd/system/clam-freshclam.service

Then we put the following content inside the file and save it:

[Unit]
Description = freshclam scanner
After = network.target

[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 4
Restart = on-failure
PrivateTmp = true
RestartSec = 20sec

[Install]
WantedBy=multi-user.target

The [Unit] section defines the basic attributes of the service, such as its description and the fact that it relies on a network connection. The [Service] section defines the service itself: ExecStart runs freshclam with the -d argument, Type lets systemd know that the process will fork and run in the background as a daemon, and Restart has systemd monitor the service and restart it automatically if it crashes. The [Install] section defines how the service is linked into the boot targets when we run systemctl enable.

Reload the systemd daemon so that it picks up the new unit file:

# systemctl daemon-reload

Next, start the freshclam service and check its status:

# systemctl start clam-freshclam.service

# systemctl status clam-freshclam.service
● clam-freshclam.service - freshclam scanner
Loaded: loaded (/usr/lib/systemd/system/clam-freshclam.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2018-11-06 15:56:53 IST; 3s ago
Process: 7926 ExecStart=/usr/bin/freshclam -d -c 4 (code=exited, status=0/SUCCESS)
Main PID: 7927 (freshclam)
CGroup: /system.slice/clam-freshclam.service
└─7927 /usr/bin/freshclam -d -c 4

Nov 06 15:56:53 node2.example.com systemd[1]: Starting freshclam scanner...
Nov 06 15:56:53 node2.example.com systemd[1]: Started freshclam scanner.
Nov 06 15:56:53 node2.example.com freshclam[7927]: freshclam daemon 0.100.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Nov 06 15:56:53 node2.example.com freshclam[7927]: ClamAV update process started at Tue Nov 6 15:56:53 2018

If everything is running fine and there is no problem, we enable it so that it starts at boot:

# systemctl enable clam-freshclam.service
Created symlink from /etc/systemd/system/multi-user.target.wants/clam-freshclam.service to /usr/lib/systemd/system/clam-freshclam.service.

Back to ClamAV itself: we need to create the clamd service file. The package ships a template service file that we rename to something more understandable, and then we make some minor modifications to it:

# mv /usr/lib/systemd/system/clamd@.service /usr/lib/systemd/system/clamd.service

Since we have changed the name, we also need to update the file that includes this service:

# vim /usr/lib/systemd/system/clamd@scan.service

We change the first line by removing the @ so that it reads:

.include /lib/systemd/system/clamd.service

In the same directory, we need to edit the clamd service file:

# vim /usr/lib/systemd/system/clamd.service

We add the following lines at the end:

[Install]
WantedBy=multi-user.target

We also remove %i from both the Description and ExecStart options, so that they look like the following:

Description = clamd scanner daemon
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/scan.conf
TimeoutSec=5min
Restart = on-failure
RestartSec=10sec

Next, start the clamd service and check its status:

# systemctl start clamd.service

# systemctl status clamd.service
● clamd.service - clamd scanner daemon
Loaded: loaded (/usr/lib/systemd/system/clamd.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2018-11-06 19:48:17 IST; 16s ago
Docs: man:clamd(8)
man:clamd.conf(5)
https://www.clamav.net/documents/
Process: 1460 ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf (code=exited, status=0/SUCCESS)
Main PID: 1461 (clamd)
CGroup: /system.slice/clamd.service
└─1461 /usr/sbin/clamd -c /etc/clamd.d/scan.conf

Nov 06 19:48:15 node2.example.com clamd[1461]: ELF support enabled.
Nov 06 19:48:15 node2.example.com clamd[1461]: Mail files support enabled.
Nov 06 19:48:15 node2.example.com clamd[1461]: OLE2 support enabled.
Nov 06 19:48:15 node2.example.com clamd[1461]: PDF support enabled.
Nov 06 19:48:15 node2.example.com clamd[1461]: SWF support enabled.
Nov 06 19:48:15 node2.example.com clamd[1461]: HTML support enabled.
Nov 06 19:48:15 node2.example.com clamd[1461]: XMLDOCS support enabled.
Nov 06 19:48:15 node2.example.com clamd[1461]: HWP3 support enabled.
Nov 06 19:48:15 node2.example.com clamd[1461]: Self checking every 600 seconds.
Nov 06 19:48:17 node2.example.com systemd[1]: Started clamd scanner daemon.

If everything is fine, enable the clamd service so that it starts at boot:

# systemctl enable clamd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/clamd.service to /usr/lib/systemd/system/clamd.service.

For a test scan of the current folder, we run the following command (note that --remove deletes every file clamscan flags as infected):

# clamscan --infected --remove --recursive ./

----------- SCAN SUMMARY -----------
Known viruses: 6702413
Engine version: 0.100.2
Scanned directories: 7
Scanned files: 9
Infected files: 0
Data scanned: 0.01 MB
Data read: 0.00 MB (ratio 2.00:1)
Time: 25.439 sec (0 m 25 s)
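The test scan above uses --remove, which deletes any flagged file on the spot. As an added example that is not part of the original article, the wrapper below quarantines hits with clamscan's --move option instead, reads the result from clamscan's documented exit status (0 clean, 1 infected, 2 error) and from the SCAN SUMMARY, and appends one line per run to a log so that a cron job or systemd timer can reuse it. The quarantine directory /var/quarantine and the log path /var/log/clamav-scan.log are assumptions; /etc/clamd.d/scan.conf is the file configured above.

```shell
#!/bin/bash
# Added example (not from the original article): a scan wrapper around the
# clamscan/clamd setup configured above. It quarantines instead of deleting.
# Assumed paths: /var/quarantine (quarantine) and /var/log/clamav-scan.log (log).

# Print the LocalSocket path from a clamd config file (default: the scan.conf above).
# Commented-out lines such as "#LocalSocket ..." are ignored.
clamd_socket() {
    awk '$1 == "LocalSocket" { print $2; exit }' "${1:-/etc/clamd.d/scan.conf}"
}

# Map clamscan's documented exit status to a verdict: 0 clean, 1 infected, other error.
scan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Extract the number after "Infected files:" from a SCAN SUMMARY read on stdin.
summary_infected_count() {
    awk -F': ' '/^Infected files:/ { print $2; exit }'
}

# Scan a directory, move every hit into the quarantine directory, log the verdict,
# and return clamscan's exit status so the caller can alert on it.
run_scan() {
    local target="$1" quarantine="${2:-/var/quarantine}" log="${3:-/var/log/clamav-scan.log}"
    local out status
    mkdir -p "$quarantine"
    out=$(clamscan --infected --recursive --move="$quarantine" "$target" 2>&1)
    status=$?
    printf '%s target=%s verdict=%s infected=%s\n' "$(date '+%F %T')" "$target" \
        "$(scan_verdict "$status")" \
        "$(printf '%s\n' "$out" | summary_infected_count)" >>"$log"
    return "$status"
}

# Sample invocation: ./clamav-scan.sh --run /home   (only if clamscan is installed)
if [ "${1:-}" = "--run" ] && command -v clamscan >/dev/null 2>&1; then
    run_scan "${2:-.}"
fi
```

Because the wrapper propagates clamscan's exit status, a systemd timer or cron entry that runs it will see a non-zero exit on every detection and every scan error, not just on detections.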

Lastly, I hope the steps from this article to configure ClamAV on RHEL / CentOS 7 Linux were helpful. So, let me know your suggestions and feedback using the comment section.
