ISSCloud - Information Systems Solutions

CentOS 7 – Install And Configure ClamAV

Clam AntiVirus (commonly ClamAV) is a free, cross-platform and open-source antivirus software toolkit able to detect many types of malicious software, including viruses. One of its main uses is on mail servers as a server-side email virus scanner.

Despite the myth, Linux operating systems are affected by viruses too. Malware can take down your website, steal data from your database, and cause downtime and havoc. If you run email servers, an antivirus should always be present to prevent the spread of malicious files and other scams.

To install ClamAV on CentOS, we must first install the EPEL repository (Extra Packages for Enterprise Linux). EPEL is a free, community-based repository maintained by the Fedora project that provides 100% high-quality software packages for Enterprise Linux distributions such as RHEL (Red Hat Enterprise Linux), CentOS and Scientific Linux.

Preflight & ClamAV Installation Steps

Preparing your installation

Let’s start by making sure our system is up to date:

yum update -y

Next, let’s install the EPEL repository:

yum install -y epel-release

Enterprise Linux systems have SELinux (Security-Enhanced Linux) enabled by default. SELinux is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access control (MAC).

SELinux supports three states:

  • Enforcing – SELinux policy is enforced;
  • Permissive – SELinux prints warnings and logs instead of enforcing;
  • Disabled – No SELinux policy is loaded;

SELinux should be enabled on all production servers. For debugging purposes we will set this to Permissive.

Let’s start by checking the SELinux status:

getenforce
Enforcing

To change the SELinux state persistently, we edit its config file and reboot afterwards. The config file is located at /etc/selinux/config.

vim /etc/selinux/config
File content:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

If your SELinux state is anything other than disabled, you must enable the antivirus_can_scan_system boolean so that ClamAV can access all files on disk and update its definition files:

setsebool -P antivirus_can_scan_system 1

This step is required because SELinux will otherwise block access to the files ClamAV needs in order to operate.

Without it, you may be confronted with errors such as:

During database load : LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Permission denied

Installing ClamAV

Next, let’s install ClamAV with the following command:

yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

Configuring the ClamD daemon

First we must enable the clamd configuration file located at /etc/clamd.d/scan.conf.

The following commands will:

  • enable the configuration file (by removing the Example line that disables it)
  • configure the correct directory for the socket
  • set the ClamAV user

# remove the "Example" line that keeps the stock configuration disabled
sed -i '/^Example/d' /etc/clamd.d/scan.conf
# point the socket at the clamd.scan directory (also matches a commented-out "#LocalSocket" line)
sed -i 's,^#\?LocalSocket /var/run/clamd.<SERVICE>/clamd.sock,LocalSocket /var/run/clamd.scan/clamd.sock,' /etc/clamd.d/scan.conf
# run the daemon as the clamscan user (also matches a commented-out "#User" line)
sed -i 's,^#\?User <USER>,User clamscan,' /etc/clamd.d/scan.conf

Enable Freshclam

Freshclam keeps the ClamAV signature database up to date. To enable it, we must enable its configuration file as well.

Perform the following commands:

# keep a backup of the stock configuration
cp /etc/freshclam.conf /etc/freshclam.conf.bak
# remove the "Example" line that keeps the stock configuration disabled
sed -i '/^Example/d' /etc/freshclam.conf
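The two configuration steps above (enabling /etc/clamd.d/scan.conf and /etc/freshclam.conf) can be wrapped in a single idempotent function. The script below is an added example, not code from the original article or the ClamAV project: it does what the sed one-liners do, but backs the file up only once, also handles the variant where the package ships the directives commented out (“#LocalSocket …”, “#User …”), and appends a directive that is missing altogether. The paths, user name and socket location are the article’s; the sample scan.conf in the demo is constructed.

```shell
#!/bin/sh
# Added example, not code from the original article: enable a ClamAV
# configuration file the way the article's sed one-liners do, but idempotently
# and also handling the variant where the package ships the directives
# commented out ("#LocalSocket ...", "#User ..."). Paths and names are the
# article's.
#
#   enable_clamav_conf /etc/clamd.d/scan.conf clamscan /var/run/clamd.scan/clamd.sock
#   enable_clamav_conf /etc/freshclam.conf     # only removes the Example line
set -u

# enable_clamav_conf FILE [USER [SOCKET]]
# Removes the bare "Example" line that disables the stock file; when USER and
# SOCKET are given, forces the "User" and "LocalSocket" directives to those
# values, uncommenting or appending them as needed.
enable_clamav_conf() {
    file=$1
    user=${2:-}
    socket=${3:-}

    [ -f "$file" ] || { echo "enable_clamav_conf: no such file: $file" >&2; return 1; }

    # Back up once; repeated runs must not overwrite the pristine copy.
    [ -f "$file.bak" ] || cp -p "$file" "$file.bak"

    # The stock files are disabled by a line consisting only of "Example".
    sed -i '/^Example[[:space:]]*$/d' "$file"

    if [ -n "$user" ]; then
        # Rewrite "User <USER>", "#User <USER>" or an existing "User x" line.
        sed -i "s,^#\?User .*,User $user," "$file"
        grep -q '^User ' "$file" || echo "User $user" >> "$file"
    fi

    if [ -n "$socket" ]; then
        sed -i "s,^#\?LocalSocket .*,LocalSocket $socket," "$file"
        grep -q '^LocalSocket ' "$file" || echo "LocalSocket $socket" >> "$file"
    fi
}

# conf_is_enabled FILE -> exit status 0 when no disabling "Example" line remains.
conf_is_enabled() {
    ! grep -q '^Example[[:space:]]*$' "$1"
}

# Demo on a constructed copy of a stock scan.conf (run with: sh enable-conf.sh --demo).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'Example' '#LocalSocket /var/run/clamd.<SERVICE>/clamd.sock' \
        'User <USER>' 'LogSyslog yes' > "$dir/scan.conf"
    enable_clamav_conf "$dir/scan.conf" clamscan /var/run/clamd.scan/clamd.sock
    conf_is_enabled "$dir/scan.conf" && echo "scan.conf enabled:"
    cat "$dir/scan.conf"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as root against the real files once the packages are installed; running it a second time changes nothing, which is what you want from a step that may end up in a provisioning script. The `\?` in the sed patterns is a GNU sed extension, which is what CentOS ships.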

The packages do not ship a service file to run Freshclam as a daemon, so we must create one:

touch /usr/lib/systemd/system/clam-freshclam.service
vim /usr/lib/systemd/system/clam-freshclam.service

Paste the following content:

# Run the freshclam as daemon
[Unit]
Description = freshclam scanner
After = network.target

[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 4
Restart = on-failure
PrivateTmp = true

[Install]
WantedBy=multi-user.target

To start the service and enable it to start automatically at boot:

systemctl enable --now clam-freshclam

You can verify the status of the freshclam service by running the following command:

systemctl status clam-freshclam
Output:
● clam-freshclam.service - freshclam scanner
Loaded: loaded (/usr/lib/systemd/system/clam-freshclam.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2018-01-08 18:40:52 BST; 1h 59min ago
Main PID: 979 (freshclam)
CGroup: /system.slice/clam-freshclam.service
└─979 /usr/bin/freshclam -d -c 4

Jan 12 18:40:52 web.server.com systemd[1]: Starting freshclam scanner...
Jan 12 18:40:52 web.server.com freshclam[979]: freshclam daemon 0.101.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jan 12 18:40:52 web.server.com freshclam[979]: ClamAV update process started at Mon Sep 23 18:40:52 2019
Jan 12 18:40:52 web.server.com freshclam[979]: main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Jan 12 18:40:52 web.server.com systemd[1]: Started freshclam scanner.
Jan 12 18:40:52 web.server.com freshclam[979]: daily.cld is up to date (version: 25581, sigs: 1776056, f-level: 63, builder: raynman)
Jan 12 18:40:52 web.server.com freshclam[979]: bytecode.cld is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Jan 12 18:40:52 web.server.com freshclam[979]: --------------------------------------

Now, finally, we simply have to enable the clamd@scan service, which is an instance of the clamd@.service template unit that requires no alterations.

systemctl enable --now clamd@scan

And to verify the status of the clamd@scan service:

systemctl status clamd@scan
Output:
● clamd@scan.service - Generic clamav scanner daemon
Loaded: loaded (/usr/lib/systemd/system/clamd@.service; enabled; vendor preset: disabled)
Active: activating (start) since Mon 2018-01-08 19:20:51 BST; 1h 0min ago
Docs: man:clamd(8)
man:clamd.conf(5)
https://www.clamav.net/documents/
Control: 1171 (clamd)
CGroup: /system.slice/system-clamd.slice/clamd@scan.service
└─1171 /usr/sbin/clamd -c /etc/clamd.d/scan.conf

Jan 12 19:20:51 web.server.com systemd[1]: Starting Generic clamav scanner daemon...
Jan 12 19:20:51 web.server.com clamd[1171]: Received 0 file descriptor(s) from systemd.
Jan 12 19:20:51 web.server.com clamd[1171]: clamd daemon 0.101.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jan 12 19:20:51 web.server.com clamd[1171]: Running as user clamscan (UID 994, GID 988)
Jan 12 19:20:51 web.server.com clamd[1171]: Log file size limited to 1048576 bytes.
Jan 12 19:20:51 web.server.com clamd[1171]: Reading databases from /var/lib/clamav
Jan 12 19:20:51 web.server.com clamd[1171]: Bytecode: Security mode set to "TrustSigned".
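A status of “active (running)” only tells you the daemons started; it does not prove that clamd can read files under SELinux or that detections actually come back over the socket. The script below is an added post-install check, not code from the original article or the ClamAV project. It verifies both units, the antivirus_can_scan_system boolean and the socket path from the article, then scans a directory containing the EICAR test file through the clamd@scan instance and parses the clamdscan output. EICAR is the industry-standard, harmless antivirus test pattern; it is assembled from two halves so the script itself is not flagged on disk. The helper functions that parse clamdscan output work on saved output and need no running clamd.

```shell
#!/bin/sh
# Added example, not code from the original article: post-install check for the
# setup above. Confirms both units are running, the SELinux boolean is on, the
# clamd socket exists, and clamd flags the EICAR test file via clamd@scan.
# Unit names, paths and the config file are the article's.
# Run as root: sh verify-clamav.sh --run
set -u

CLAMD_CONF=/etc/clamd.d/scan.conf
SOCKET=/var/run/clamd.scan/clamd.sock
# Standard EICAR test pattern, split in two so this file is not itself detected.
EICAR_A='X5O!P%@AP[4\PZX54(P^)7CC)7}$'
EICAR_B='EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
FAILS=0

# --- helpers that need the live system ---------------------------------------
unit_active() { systemctl is-active --quiet "$1"; }
sebool_on()   { getsebool "$1" 2>/dev/null | grep -q -- '--> on'; }

# --- pure helpers: parse saved clamdscan output ------------------------------
# found_count FILE -> number of "<path>: <signature> FOUND" lines
found_count() { grep -c ' FOUND$' "$1" || true; }
# infected_files FILE -> the N from the "Infected files: N" summary line (empty if absent)
infected_files() { sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p' "$1"; }

# check CMD ARGS... -> prints ok/FAIL and counts failures
check() {
    if "$@"; then
        echo "ok:   $*"
    else
        echo "FAIL: $*"
        FAILS=$((FAILS + 1))
    fi
}

# Scan a directory holding one EICAR file and one clean file; pass when exactly
# one detection is reported both per file and in the summary.
eicar_detected() {
    dir=$(mktemp -d)
    out=$(mktemp)
    printf '%s' "$EICAR_A$EICAR_B" > "$dir/eicar.com"
    echo 'harmless text' > "$dir/clean.txt"
    # --fdpass hands open descriptors to clamd so the clamscan user need not be
    # able to open root-owned temp files itself. clamdscan exits 1 on a detection.
    clamdscan --config-file="$CLAMD_CONF" --fdpass "$dir" > "$out" 2>&1 || true
    found=$(found_count "$out")
    infected=$(infected_files "$out")
    result=1
    if [ "$found" -eq 1 ] && [ "${infected:-0}" -eq 1 ]; then
        result=0
    else
        cat "$out"
    fi
    rm -rf "$dir" "$out"
    return "$result"
}

verify_all() {
    check unit_active clam-freshclam
    check unit_active clamd@scan
    check sebool_on antivirus_can_scan_system
    check test -S "$SOCKET"
    check eicar_detected
    [ "$FAILS" -eq 0 ]
}

if [ "${1:-}" = "--run" ]; then
    verify_all
fi
```

A failing `sebool_on` or `eicar_detected` with an “active (running)” clamd is the symptom of the SELinux issue described earlier in this article; a failing `test -S` usually means the LocalSocket edit in scan.conf did not take.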

Should you have any questions left regarding this article, or if you want to discuss this article with other users, please leave a comment.

Ricardo Mendes

Ricardo is a Senior Systems Administrator and Consultant at ISSCloud, after +10 years working in Private Telecom. He enjoys writing about Technology, Security & Privacy.
