ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats.
Today’s plan is to install and configure ClamAV software to perform automatic daily system scans and send emails when malware is detected.
Install ClamAV
On Debian/Ubuntu, do:
# apt-get update && apt-get install clamav clamav-freshclam
On CentOS, do:
# yum install epel-release
# yum install clamav clamav-update
On Debian, start ClamAV virus database updater if it wasn’t started automatically:
# service clamav-freshclam start
Or alternatively do:
# /etc/init.d/clamav-freshclam start
The above commands will start freshclam in daemon mode:
# ps -ef | grep fresh | grep clam
clamav 1951 1 1 17:19 ? 00:00:03 /usr/bin/freshclam -d --quiet
By default, freshclam will look for new updates every hour:
# grep -i check /etc/clamav/freshclam.conf
# Check for new database 24 times a day
Checks 24
Note that we can always update ClamAV manually by typing the following command:
# freshclam -v
Install SSMTP
To be able to send email, we’ll need something simple, something like SSMTP.
On Debian/Ubuntu, do:
# apt-get install ssmtp heirloom-mailx
On CentOS, do:
# yum install ssmtp mailx
Open the configuration file:
# vim /etc/ssmtp/ssmtp.conf
Change the following settings appropriately (make sure the details are correct):
[email protected]
mailhub=mail.example.com:465
AuthUser=[USERNAME]
AuthPass=[********]
UseTLS=YES
AuthMethod=LOGIN
RewriteDomain=example.com
Hostname=debian
FromLineOverride=yes #enables to use mail -r option
The SSMTP configuration file contains our email login details, so it's good practice to restrict access for regular users:
# chmod 0600 /etc/ssmtp/ssmtp.conf
Test if we are able to send an email:
# echo test | mail -v -s "testing ssmtp setup" [email protected]
[<-] 220 mail.example.com ESMTP
[->] EHLO debian
[<-] 250 HELP
[->] AUTH LOGIN
[<-] 334 VXNlcm5hbWU6
[->] d2VibWFzdGVyQG5ldmFyLmx0
[<-] 334 UGFzc3dvcmQ6
[<-] 235 Authentication succeeded
[->] MAIL FROM:<root@debian>
[<-] 250 OK
[->] RCPT TO:<[email protected]>
[<-] 250 Accepted
[->] DATA
[<-] 354 Enter message, ending with "." on a line by itself
[->] Received: by debian (sSMTP sendmail emulation);
[->] From: "root" <root@debian>
[->] Date: Fri, 17 Jan 2014 17:28:17 +0000
[->] To: [email protected]
[->] Subject: testing ssmtp setup
[->] User-Agent: Heirloom mailx 12.5 6/20/10
[->] MIME-Version: 1.0
[->] Content-Type: text/plain; charset=us-ascii
[->] Content-Transfer-Encoding: 7bit
[->]
[->] test
[->] .
[<-] 250 OK id=1W4Cl1-0002SM-RO
[->] QUIT
[<-] 221 mail.example.com closing connection
All looks good so far.
Create the Daily Scan Script
We will create a new directory to store script files:
# mkdir -m 0755 /root/.myscripts
Now open a new file for the script:
# vim /root/.myscripts/clamscan_daily.sh
And add the following code:
#!/bin/bash
# written by Tomas (http://www.lisenet.com)
# 17/01/2014 (dd/mm/yy)
# copyleft free software
#
LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log";
EMAIL_MSG="Please see the log file attached.";
EMAIL_FROM="[email protected]";
EMAIL_TO="[email protected]";
DIRTOSCAN="/home";

# make sure the log directory exists, otherwise the redirection below fails
mkdir -p "$(dirname "$LOGFILE")";

# Update ClamAV database
echo "Looking for ClamAV database updates...";
freshclam --quiet;

TODAY=$(date +%u);

if [ "$TODAY" == "6" ];then
 echo "Starting a full weekend scan.";

 # be nice to others while scanning the entire root
 nice -n5 clamscan -ri / --exclude-dir=/sys/ &>"$LOGFILE";

else
 DIRSIZE=$(du -sh "$DIRTOSCAN" 2>/dev/null | cut -f1);

 echo "Starting a daily scan of $DIRTOSCAN directory. Amount of data to be scanned is $DIRSIZE.";

 clamscan -ri "$DIRTOSCAN" &>"$LOGFILE";
fi

# get the value of the "Infected files" line from the scan summary
MALWARE=$(tail "$LOGFILE"|grep Infected|cut -d" " -f3);

# send an email with the log file attached if the value is not zero, or if the
# summary line is missing (the scan did not finish), so a failed scan is not silent
if ! [[ "$MALWARE" =~ ^[0-9]+$ ]] || [ "$MALWARE" -ne 0 ];then
 #using heirloom-mailx below
 echo "$EMAIL_MSG"|mail -a "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO";
fi

exit 0
Save the file. Make sure it’s executable:
# chmod 0755 /root/.myscripts/clamscan_daily.sh
You can get the most recent version of the script from GitHub (you need to have git installed):
$ git clone https://github.com/lisenet/clamav-daily
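The fragile step in the script above is extracting the "Infected files" number: when the log could not be written, or the scan was interrupted before clamscan printed its summary, tail | grep | cut yields an empty string and the numeric test aborts (this is exactly the "Illegal number" and "integer expression expected" errors readers report in the comments). Below is an added example of a defensive parser for the clamscan summary; it is my own code, not part of the original post or the GitHub repository. The function names, the constructed sample logs and the detection name used in them are assumptions made for the demonstration only.

```bash
#!/bin/bash
# Added example, not code from the original post: parse a clamscan log
# defensively so a missing or truncated log never produces an empty value
# that breaks "[ ... -ne 0 ]". Function names are my own.

# infected_count LOGFILE
# Prints the "Infected files" number from a clamscan log.
# Returns 0 when a summary line was found, 1 when the log is unreadable or
# has no summary (the count printed in that case is 0, the caller must
# check the return status to tell "clean" from "scan did not finish").
infected_count() {
    local logfile="$1" count
    if [ ! -r "$logfile" ]; then
        echo "infected_count: cannot read $logfile" >&2
        echo 0
        return 1
    fi
    # Anchor on the summary line itself rather than any line containing
    # "Infected", then keep only what follows the colon.
    count=$(grep -m1 '^Infected files:' "$logfile" | sed 's/^Infected files:[[:space:]]*//')
    case "$count" in
        ''|*[!0-9]*)
            echo "infected_count: no valid summary line in $logfile" >&2
            echo 0
            return 1
            ;;
    esac
    echo "$count"
}

# decide_alert COUNT
# Hypothetical policy helper: "alert" when malware was found, "clean" otherwise.
decide_alert() {
    if [ "${1:-0}" -gt 0 ]; then echo alert; else echo clean; fi
}

# make_samples
# Writes three constructed (not real) clamscan logs into $SAMPLE_DIR:
# a clean scan, a scan with one hit, and a log cut off before the summary.
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    cat >"$SAMPLE_DIR/clean.log" <<'EOF'

----------- SCAN SUMMARY -----------
Known viruses: 6000000
Engine version: 0.103.0
Scanned directories: 12
Scanned files: 345
Infected files: 0
Data scanned: 44.00 MB
Time: 3.210 sec (0 m 3 s)
EOF
    cat >"$SAMPLE_DIR/infected.log" <<'EOF'
/home/user/Downloads/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6000000
Scanned files: 346
Infected files: 1
EOF
    printf '/home/user/a.txt: OK\n' >"$SAMPLE_DIR/truncated.log"
}

# Demo run on the constructed samples.
make_samples
for f in clean infected truncated; do
    n=$(infected_count "$SAMPLE_DIR/$f.log" 2>/dev/null)
    printf '%-10s infected=%s -> %s\n' "$f" "$n" "$(decide_alert "$n")"
done
rm -rf "$SAMPLE_DIR"
```

clamscan's exit status is a second, independent signal worth checking before parsing the log at all: it returns 0 for a clean scan, 1 when infections were found and 2 when an error occurred, so a wrapper can treat anything other than 0 or 1 as a failed scan rather than a clean one.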
Add Script to Cron.daily
Now that we have the script, we want it to be executed automatically every day.
This can be easily achieved by creating a daily cron job. It is assumed that the system is online 24/7 (server in this case) or at least most of the time. Otherwise anacron might be a better choice.
Let’s create a hard link as below:
# ln /root/.myscripts/clamscan_daily.sh /etc/cron.daily/clamscan_daily
Check to make sure that the hard link was created:
# ls -li /etc/cron.daily/clamscan_daily
44626 -rwxr-xr-x 2 root root 493 Jan 17 16:28 /etc/cron.daily/clamscan_daily
There is one main advantage of creating a hard link instead of a symbolic link in my particular case.
I tend to keep all custom scripts in one place for the sake of convenience and they sometimes get renamed. I usually don’t have time to walk around fixing all broken symlinks.
Nevertheless, there are quite a few other alternatives available:
- Create a symbolic link.
- Move the script file to the cron.daily folder.
- Use crontab for script execution.
You should always choose what suits you best in one or another situation.
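As an added example (my own code, not from the original post), the following shell snippet demonstrates the two points above: a hard link keeps working after the original script is renamed while a symbolic link dangles, and a file placed in cron.daily must also satisfy the naming rule of Debian's run-parts (ASCII letters, digits, underscores and hyphens only), which is why the link is called clamscan_daily and not clamscan_daily.sh. The function names and the temporary directories are assumptions for the demonstration.

```bash
#!/bin/bash
# Added example, not code from the original post: install a scan script into a
# cron.daily-style directory as a hard link after checking the run-parts naming
# rule, and show why the hard link survives a rename of the original file.
# Function names and the temporary directory layout are my own.

# runparts_name_ok NAME
# Debian's run-parts (as invoked from /etc/crontab) only runs files whose names
# consist of ASCII letters, digits, underscores and hyphens; a file called
# clamscan_daily.sh in /etc/cron.daily would be skipped silently.
runparts_name_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# install_cron_link SCRIPT CRONDIR NAME
# Hard-links SCRIPT to CRONDIR/NAME after validating the name and checking
# that the script is executable; prints the inode's link count (2 after the
# first link, matching the "2" in the ls -li output shown in the post).
install_cron_link() {
    local script="$1" crondir="$2" name="$3"
    runparts_name_ok "$name" || { echo "run-parts would skip '$name'" >&2; return 1; }
    [ -x "$script" ] || { echo "$script is not executable" >&2; return 1; }
    [ -d "$crondir" ] || { echo "$crondir does not exist" >&2; return 1; }
    # ln without -s creates a hard link; it fails with "Invalid cross-device
    # link" if SCRIPT and CRONDIR are on different filesystems.
    ln "$script" "$crondir/$name" || return 1
    ls -ld "$crondir/$name" | awk '{ print $2 }'
}

# link_survival_demo
# Creates a throwaway script, a hard link and a symlink to it, renames the
# original (the situation the author describes) and reports which link still
# resolves. Prints "hard=ok sym=broken".
link_survival_demo() {
    local d hard=broken sym=broken
    d=$(mktemp -d)
    printf '#!/bin/sh\necho scan\n' >"$d/clamscan_daily.sh"
    chmod 0755 "$d/clamscan_daily.sh"
    ln    "$d/clamscan_daily.sh" "$d/hard"
    ln -s "$d/clamscan_daily.sh" "$d/sym"
    mv "$d/clamscan_daily.sh" "$d/clamscan_daily_v2.sh"
    [ -e "$d/hard" ] && hard=ok
    [ -e "$d/sym" ]  && sym=ok    # -e follows the symlink, so a dangling one fails
    rm -rf "$d"
    echo "hard=$hard sym=$sym"
}

link_survival_demo
```

On CentOS the run-parts script has no such name restriction (it only skips backup and package-manager leftovers such as *.rpmsave), but keeping a dot-free name works on both distributions.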
Troubleshooting
If you get the following error:
LibClamAV Error: cli_loaddb(): No supported database files found in /var/lib/clamav/
Update the database manually:
# freshclam -v
Great post!! Thank you very much!
I’m glad it helped you.
I have had a little problem with this: MAIL_TO="[email protected]"; but echo "$EMAIL_TO"; … but now it works fine: thank you very much!
Marco
You’re welcome Marco.
Hey there, @Marco Campagna said that he fixed that problem.
Please let me know how to set up email notification.
ClamAV is already installed.
Hi Tomas,
I had a little problem with HTML tags…
In your code you have this:
MAIL_TO="[email protected]";
and this:
echo "$EMAIL_MSG"|mail -a "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO";
so the script didn't work for me; I had an error message like this:
Send options without primary recipient specified
So I modified
MAIL_TO="[email protected]";
to
EMAIL_TO="[email protected]";
and it works fine! Thank you again!
Marco
Hi Marco, yes, sorry, that was a silly typo. I fixed it, thanks.
I checked, and it does not appear on GitHub.
Is there any option to add a log rotate function?
Right now my directory /var/log/clamav is filling up with clamscan reports.
Hi Erik. I don't see why you cannot use something like this:
Add to logrotate.conf and you're good to go.
Thanks so much! It works from A to Z! And I only tried once.
Hello, nice post, but I keep getting the error below. Can you please assist?
/etc/cron.hourly/clamscan_hourly: line 28: clamscan: command not found
Do you have clamscan installed? If so, then check the location of the binary file; "whereis clamscan" should do. It might not be in your PATH. What distribution are you running on?
Why does this script wisely exclude /sys but not /dev?
I like to scan devices on insertion.
Hi there,
Thanks for sharing this – I've got past a few niggles but this one is confusing me!
clamscan_daily.sh: 27: [: Illegal number:
This is relating to the following command:
if [ "$MALWARE" -ne "0" ];then
Any help greatly appreciated :-) I'm running Debian on a RPi.
Thanks, Scott
What's the value stored in $MALWARE? I suspect it's something other than a number.
Hi, this error appears:
/etc/cron.daily/clamscan_daily
Looking for ClamAV database updates…
Starting a daily scan of /home directory.
Amount of data to be scanned is 44G.
/etc/cron.daily/clamscan_daily: line 29: /var/log/clamav/clamav-2019-05-07.log: No such file or directory
tail: cannot open ‘/var/log/clamav/clamav-2019-05-07.log’ for reading: No such file or directory
/etc/cron.daily/clamscan_daily: line 36: [: : integer expression expected
Does your log folder /var/log/clamav exist? What's the ownership of the folder?
Really helpful. Thanks