Like it or not, viruses are a real part of running a server, even a CentOS 7 server. Linux has a great option for a virus scanner called ClamAV. It is available for many versions of Linux, but the default configuration files are poorly written and do not work as shipped. You must create your own /etc/clamd.conf and /etc/freshclam.conf files for it to run properly. You may also need to create a couple of users (one for scanning and one for updating; it is best to use two separate users). You also have to change the permissions on the log files so that these two users can write to them. None of this is particularly difficult, but I did not find any good documentation for CentOS 7 or RedHat 7, so here is how I did it.

Unfortunately, netcat (or simply nc) is required to install ClamAV. I hope they remove that requirement at some point in the future, since having netcat on a system just adds another attack vector. But netcat is easily found and installed from the CentOS/RedHat install media or the default repos.

yum install nc

Next, use the EPEL repo to install the ClamAV program.  See my blog on installing EPEL if you need assistance.

yum --disablerepo=* --enablerepo=epel install clamav clamav-scanner clamav-scanner-systemd clamav-server clamav-server-systemd clamav-update

Then, if the install did not already create them, create a couple of new users, clamscan and clamupdate:

useradd --shell /sbin/nologin clamscan

useradd --shell /sbin/nologin clamupdate

We are almost done. Now we need to create the configuration files. You can use my config files and just change the settings you need to. Use man clamd.conf for help understanding the different options, or you can see the same thing at linux.die.net.

Here is my /etc/clamd.conf file:

# /etc/clamd.conf file created by Justin Roysdon @ Yum Technology

# Comment or remove the line below.
#Example

LogFile /var/log/clamd.log
LogFileUnlock no
LogFileMaxSize 2M
LogTime yes
LogClean no
LogSyslog no
LogVerbose yes
ExtendedDetectionInfo yes
# PidFile
# TemporaryDirectory
DatabaseDirectory /var/lib/clamav/
OfficialDatabaseOnly no
LocalSocket yes
LocalSocketGroup clamav
#LocalSocketMode
FixStaleSocket yes
#TCPSocket no
#TCPAddr no
MaxConnectionQueueLength 200
MaxThreads 10
ReadTimeout 120
CommandReadTimeout 5
SendBufTimeout 500
MaxQueue 100
IdleTimeout 30
#ExcludePath
MaxDirectoryRecursion 15
FollowDirectorySymlinks no
CrossFilesystems yes
FollowFileSymlinks no
SelfCheck 1800
VirusEvent no
ExitOnOOM no
User clamscan
AllowSupplementaryGroups no
Foreground no
Debug yes
LeaveTemporaryFiles no
StreamMaxLength 10M
StreamMinPort 1024
StreamMaxPort 2048
Bytecode yes
BytecodeSecurity TrustSigned
BytecodeUnsigned no
BytecodeTimeout 5000
DetectPUA no
#ExcludePUA CATEGORY
#IncludePUA CATEGORY
AlgorithmicDetection yes
ScanPE yes
ScanELF yes
DetectBrokenExecutables no
ScanOLE2 yes
OLE2BlockMacros no
ScanPDF yes
ScanHTML yes
ScanMail yes
ScanPartialMessages no
PhishingSignatures yes
PhishingScanURLs yes
PhishingAlwaysBlockSSLMismatch no
PhishingAlwaysBlockCloak no
HeuristicScanPrecedence no
StructuredDataDetection no
StructuredMinCreditCardCount 3
StructuredMinSSNCount 3
StructuredSSNFormatNormal yes
StructuredSSNFormatStripped no
ScanArchive yes
ArchiveBlockEncrypted no
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000

Most of these are the default settings, but change them to suit your needs.

Next is /etc/freshclam.conf, the configuration file for freshclam, which updates the virus definition files. My conf file does not deviate much from the default, but here it is in case you want to use it.

## Example config file for freshclam
## Please read the freshclam.conf(5) manual before editing this file.
##

# Comment or remove the line below.
#Example

# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/lib/clamav

# Path to the log file (make sure it has proper permissions)
# Default: disabled
UpdateLogFile /var/log/freshclam.log

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
# log rotation (the LogRotate option) will always be enabled.
# Default: 1M
LogFileMaxSize 2M

# Log time with each message.
# Default: no
LogTime yes

# Enable verbose logging.
# Default: no
LogVerbose yes

# Use system logger (can work together with UpdateLogFile).
# Default: no
LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
LogFacility LOG_MAIL

# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
LogRotate yes

# This option allows you to save the process identifier of the daemon
# Default: disabled
PidFile /var/run/freshclam.pid

# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
#DatabaseOwner clamupdate
DatabaseOwner clamupdate

# Initialize supplementary group access (freshclam must be started by root).
# Default: no
#AllowSupplementaryGroups yes

# Use DNS to verify virus database version. Freshclam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# WARNING: Do not touch it unless you're configuring freshclam to use your
# own database verification domain.
# Default: current.cvd.clamav.net
DNSDatabaseInfo current.cvd.clamav.net

# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
# You can use db.XY.ipv6.clamav.net for IPv6 connections.
#DatabaseMirror db.XY.clamav.net

# database.clamav.net is a round-robin record which points to our most
# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is
# not working. DO NOT TOUCH the following line unless you know what you
# are doing.
DatabaseMirror database.clamav.net

# How many attempts to make before giving up.
# Default: 3 (per mirror)
#MaxAttempts 5

# With this option you can control scripted updates. It's highly recommended
# to keep it enabled.
# Default: yes
#ScriptedUpdates yes

# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
#CompressLocalDatabase no

# With this option you can provide custom sources (http:// or file://) for
# database files. This option can be used multiple times.
# Default: no custom URLs
#DatabaseCustomURL http://myserver.com/mysigs.ndb
#DatabaseCustomURL file:///mnt/nfs/local.hdb

# This option allows you to easily point freshclam to private mirrors.
# If PrivateMirror is set, freshclam does not attempt to use DNS
# to determine whether its databases are out-of-date, instead it will
# use the If-Modified-Since request or directly check the headers of the
# remote database files. For each database, freshclam first attempts
# to download the CLD file. If that fails, it tries to download the
# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
# and ScriptedUpdates. It can be used multiple times to provide
# fall-back mirrors.
# Default: disabled
#PrivateMirror mirror1.mynetwork.com
#PrivateMirror mirror2.mynetwork.com

# Number of database checks per day.
# Default: 12 (every two hours)
#Checks 24

# Proxy settings
# Default: disabled
#HTTPProxyServer myproxy.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass

# If your servers are behind a firewall/proxy which applies User-Agent
# filtering you can use this option to force the use of a different
# User-Agent header.
# Default: clamav/version_number
#HTTPUserAgent SomeUserAgentIdString

# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
# multi-homed systems.
# Default: Use OS's default outgoing IP address.
#LocalIPAddress aaa.bbb.ccc.ddd

# Send the RELOAD command to clamd.
# Default: no
#NotifyClamd /path/to/clamd.conf

# Run command after successful database update.
# Default: disabled
#OnUpdateExecute command

# Run command when database update process fails.
# Default: disabled
#OnErrorExecute command

# Run command when freshclam reports outdated version.
# In the command string %v will be replaced by the new version number.
# Default: disabled
#OnOutdatedExecute command

# Don't fork into background.
# Default: no
#Foreground yes

# Enable debug messages in libclamav.
# Default: no
#Debug yes

# Timeout in seconds when connecting to database server.
# Default: 30
#ConnectTimeout 60

# Timeout in seconds when reading from database server.
# Default: 30
#ReceiveTimeout 60

# With this option enabled, freshclam will attempt to load new
# databases into memory to make sure they are properly handled
# by libclamav before replacing the old ones.
# Default: yes
#TestDatabases yes

# When enabled freshclam will submit statistics to the ClamAV Project about
# the latest virus detections in your environment. The ClamAV maintainers
# will then use this data to determine what types of malware are the most
# detected in the field and in what geographic area they are.
# Freshclam will connect to clamd in order to get recent statistics.
# Default: no
#SubmitDetectionStats /path/to/clamd.conf

# Country of origin of malware/detection statistics (for statistical
# purposes only). The statistics collector at ClamAV.net will look up
# your IP address to determine the geographical origin of the malware
# reported by your installation. If this installation is mainly used to
# scan data which comes from a different location, please enable this
# option and enter a two-letter code (see http://www.iana.org/domains/root/db/)
# of the country of origin.
# Default: disabled
#DetectionStatsCountry country-code

# This option enables support for our "Personal Statistics" service.
# When this option is enabled, the information on malware detected by
# your clamd installation is made available to you through our website.
# To get your HostID, log on http://www.stats.clamav.net and add a new
# host to your host list. Once you have the HostID, uncomment this option
# and paste the HostID here. As soon as your freshclam starts submitting
# information to our stats collecting service, you will be able to view
# the statistics of this clamd installation by logging into
# http://www.stats.clamav.net with the same credentials you used to
# generate the HostID. For more information refer to:
# http://www.clamav.net/documentation.html#cctts
# This feature requires SubmitDetectionStats to be enabled.
# Default: disabled
#DetectionStatsHostID unique-id

# This option enables support for Google Safe Browsing. When activated for
# the first time, freshclam will download a new database file (safebrowsing.cvd)
# which will be automatically loaded by clamd and clamscan during the next
# reload, provided that the heuristic phishing detection is turned on. This
# database includes information about websites that may be phishing sites or
# possible sources of malware. When using this option, it's mandatory to run
# freshclam at least every 30 minutes.
# Freshclam uses the ClamAV's mirror infrastructure to distribute the
# database and its updates but all the contents are provided under Google’s
# terms of use. See http://www.google.com/transparencyreport/safebrowsing
# and http://www.clamav.net/documentation.html#safebrowsing
# for more information.
# Default: disabled
#SafeBrowsing yes

# This option enables downloading of bytecode.cvd, which includes additional
# detection mechanisms and improvements to the ClamAV engine.
# Default: enabled
#Bytecode yes

# Download an additional 3rd party signature database distributed through
# the ClamAV mirrors.
# This option can be used multiple times.
#ExtraDatabase dbname1
#ExtraDatabase dbname2

Now that the configuration files are set as you need them, it is time to make sure the permissions on the log files are correct.

chmod 660 /var/log/freshclam.log

chmod 660 /var/log/clamd.log

chgrp clamupdate /var/log/freshclam.log

chgrp clamscan /var/log/clamd.log
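The same log-file setup as a small, re-runnable script that also verifies the result, since a log file clamd or freshclam cannot write to is the usual reason they fail to start. This is an added example, not from the original post; it assumes the post's paths (/var/log/clamd.log, /var/log/freshclam.log) and users (clamscan, clamupdate), and GNU stat as found on CentOS 7.

```shell
#!/bin/sh
# Added example: create the two ClamAV log files with the group and mode
# the post requires, then verify them. Paths and users assumed from the post.

# ensure_log FILE GROUP [MODE]: create FILE if it is missing, then set the
# group and the octal mode (default 660, as in the post).
ensure_log() {
    file=$1; group=$2; mode=${3:-660}
    [ -e "$file" ] || : > "$file"
    chgrp "$group" "$file" && chmod "$mode" "$file"
}

# log_perms_ok FILE GROUP [MODE]: succeed only if FILE is a regular file
# with exactly that group and octal mode (uses GNU stat -c).
log_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a %G' "$1")" = "${3:-660} $2" ]
}

# Defaults from the post: clamd runs as clamscan, freshclam as clamupdate.
setup_clamav_logs() {
    ensure_log /var/log/clamd.log clamscan &&
    ensure_log /var/log/freshclam.log clamupdate &&
    log_perms_ok /var/log/clamd.log clamscan &&
    log_perms_ok /var/log/freshclam.log clamupdate
}

# Only touch /var/log when invoked as "setup", so the file can be sourced
# to reuse the functions elsewhere.
if [ "${1:-}" = setup ]; then
    setup_clamav_logs
fi
```

Run it as root with the argument setup after the two users exist; a non-zero exit means one of the files still has the wrong group or mode.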

Now you should be able to run freshclam to download the latest virus definition files. This needs to be done as root.

sudo freshclam

Next, scan the system for viruses to test that there are no errors in the config files.

sudo clamscan -r /

You should get a report with a "Scan Summary" at the bottom telling you whether it detected any viruses. At this point you may want to set up cron jobs to scan your system and download the new definition files automatically. I recommend at least once a day, but your mileage may vary.
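For the daily cron job suggested above, here is a wrapper that runs the update and the scan, reads the "Infected files" line out of the Scan Summary, and records a one-line verdict. It is an added example, not part of the original post; it assumes clamscan and freshclam are in PATH, the documented clamscan exit codes (0 clean, 1 infected, 2 error), and a report file path of my choosing (/var/log/clamscan-cron.log).

```shell
#!/bin/sh
# Added example: cron wrapper for the daily freshclam + clamscan run.
# Assumes clamscan/freshclam in PATH and the documented clamscan exit
# codes: 0 = no virus found, 1 = virus found, 2 = scan error.

SCAN_ROOT="${SCAN_ROOT:-/}"
REPORT="${REPORT:-/var/log/clamscan-cron.log}"   # assumed path, not from the post

# Print the N from the "Infected files: N" line of a Scan Summary read on
# stdin; prints 0 when the line is absent (e.g. the scan aborted early).
infected_count() {
    awk -F': *' '/^Infected files:/ { n = $2 } END { print n + 0 }'
}

# Map a clamscan exit status to a one-word verdict for the report line.
classify_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Update signatures, scan SCAN_ROOT, append verdict and count to REPORT.
# The full clamscan output is kept only when the scan was not clean.
run_daily_scan() {
    freshclam --quiet || echo "$(date) freshclam failed (exit $?)" >> "$REPORT"
    status=0
    summary=$(clamscan -r -i "$SCAN_ROOT" 2>&1) || status=$?
    verdict=$(classify_exit "$status")
    count=$(printf '%s\n' "$summary" | infected_count)
    printf '%s verdict=%s infected=%s\n' "$(date)" "$verdict" "$count" >> "$REPORT"
    [ "$status" -ne 0 ] && printf '%s\n' "$summary" >> "$REPORT"
    return "$status"
}

# Only run when invoked as "run", so the functions can also be sourced.
if [ "${1:-}" = run ]; then
    run_daily_scan
fi
```

A cron entry such as 0 3 * * * /usr/local/sbin/clamscan-cron.sh run (path of your choosing) gives the daily scan the post recommends, with the wrapper's exit status equal to clamscan's.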

Please post your comments or questions.  As usual, if you need help, just ask.  The technicians at Yum Technology are happy to assist.  If you would rather have us come out and configure things for you, just contact us and we will be happy to do it.