Linux HOWTOs

About | Home | Search

HOWTO: clamav
Description: Virus scanning tools (commandline, daemon, and milter)
Click here for ChangeLog
NOTE: I use GNU tar >= 1.13.25 so it's -j for .tar.bz2 files,
it's safe to assume that make, gcc, binutils, fileutils/coreutils, gawk, sed, and grep are prerequisites for almost everything

# Clam AntiVirus 0.97.1
# =====================
# If you use Slackware and you'd rather install a package than
# installing it from source:
# ... or use checkinstall instead of 'make install'

# If you want to uninstall ClamAV, run 'make uninstall' as root from the
# ClamAV source directory.  See the wiki for more info:

# Prerequisites:
# zlib
# bzip2
# curl (optional)
# sendmail w/ libmilter (if you want to build clamav-milter)

# If you use quota and run clamscan automatically from cron or if you run
# clamd, you should set a quota for the user that it runs as to put a cap on
# the amount of space that it can eat up with the temp files from extracted
# archives (ie. a zip file with a billion zeros in it).  Also, check out
# clamscan's --max-* options and clamd's Archive* options (set in
# clamd.conf).

# Create a clamav user and group (if they don't already exist).  If you use
# LDAP/MySQL/whatever instead of /etc/passwd and /etc/shadow for accounts, and
# you don't have a PAMified shadow package where you can just use useradd and
# groupadd to handle LDAP/MySQL/whatever for you, add a clamav user and group
# there instead of running this.
getent group | grep "^clamav:" > /dev/null || groupadd clamav
id clamav > /dev/null 2>&1 || useradd -g clamav clamav

# If you have trouble getting the tarball at the URL below, you can also
# get it here:

test -f installed/clamav-0.97.1.tar.gz &&
 mv installed/clamav-0.97.1.tar.gz .
test ! -f clamav-0.97.1.tar.gz &&

# Verify tarball w/ md5sum:
# (This came from my gpg-verified tarball)
echo "4f3fb74ff1098c25eef8e10721478c29  clamav-0.97.1.tar.gz" | md5sum -c

# Verify tarball w/ sha1sum:
# (This also came from my gpg-verified tarball)
echo "1b3a4667dcc278bc7eab38acbc0f35269aa05387  clamav-0.97.1.tar.gz" | \
 sha1sum -c

# Verify tarball w/ gpg:
( gpg --list-keys 985A444B > /dev/null 2>&1 || gpg --recv-keys 985A444B ) &&
 wget -nc &&
  gpg --verify clamav-0.97.1.tar.gz.sig && rm clamav-0.97.1.tar.gz.sig

mkdir -p -m 0700 src
cd src
find -maxdepth 1 -type d -name "clamav-*" -exec rm -r {} \;
tar xzvf ~/clamav-0.97.1.tar.gz
cd clamav-0.97.1
test $UID = 0 && chown -R root:root .

# Read README, NEWS, and if you want a list of specific, individual changes,
# read ./ChangeLog
# If this is an upgrade, read
# If you still have unanswered questions, read the FAQ:
# and the mailing list archives:
# and check the Support page on the ClamAV web site for other options (IRC,
# the wiki, etc.).

# If you want to build clamav-milter, add --enable-milter to configure
# See './configure --help' for other options

./configure --enable-id-check

# Become root to install it

# clamd in ClamAV 0.50 and 0.51 was in /usr/local/bin, remove it if it
# exists:
test -f /usr/local/bin/clamd && rm /usr/local/bin/clamd

# As of 0.80 clamav.conf was renamed to clamd.conf (because that's what uses
# it).  If you have a clamav.conf but no clamd.conf, rename it and if you
# have a clamav.conf man page, remove it:
test -f /usr/local/etc/clamav.conf -a ! -f /usr/local/etc/clamd.conf &&
  mv -f /usr/local/etc/clamav.conf /usr/local/etc/clamd.conf
rm -f /usr/local/man/man5/clamav.conf.5

# Back up your clamd.conf and freshclam.conf, if they exist:
test -f /usr/local/etc/clamd.conf &&
 mkdir -p -m 0700 ~/backup &&
 cp -af /usr/local/etc/clamd.conf ~/backup/clamd.conf-$(date +%Y%m%d)
test -f /usr/local/etc/freshclam.conf &&
 mkdir -p -m 0700 ~/backup &&
 cp -af /usr/local/etc/freshclam.conf ~/backup/freshclam.conf-$(date +%Y%m%d)

# As of 0.90, the configuration file format has changed.  This
# script will do it for you:
# For more info read about it here:
# and you can also compare your old one against the example
# clamd.conf and freshclam.conf in the source directory.
# The main difference is that things like "LogSyslog" are now "LogSyslog
# yes".

# If you have a Slackware package for ClamAV installed:
# (stop sendmail too if you use clamav-milter)
test -x /etc/rc.d/rc.clamav-milter && /etc/rc.d/rc.clamav-milter stop
test -x /etc/rc.d/rc.clamav && /etc/rc.d/rc.clamav stop
test -x /sbin/removepkg && /sbin/removepkg clamav clamav-milter

# If freshclam or clamd are running, you should stop them now.  ...and if
# you run MIMEDefang or anything else that uses clamd, you should stop it
# too (or temporarily set it to stop using clamd).
# If you, for example, run ClamAV on a production mail server and you can't
# stop them at the moment, skip the first few lines and just run 'make
# install' and ldconfig, then make sure there aren't any old files left over
# in /usr/local/lib/libclamav* and /usr/local/share/clamav/ and that the
# symlinks in /usr/local/lib ( point to the correct real files
# (

rm -f /usr/local/lib/*
test -d /usr/local/share/clamav &&
 ( cd /usr/local/share/clamav ; rm -f viruses.db viruses.db2 )
make install

# Make sure ownership of the virus db directory is OK, so freshclam can write
# to it (way back when, older versions left it owned by root:root).  If you
# specify 'User' in your clamd.conf and/or 'DatabaseOwner' in your
# freshclam.conf (see below), make sure you use that username here instead of
# 'clamav'.  If you don't do this, the following line will be enough:
# chown -R clamav /usr/local/share/clamav
# This will grab the user out of the freshclam configuration file.
CLAMUSER=$(test -f /usr/local/etc/freshclam.conf &&
        egrep "^DatabaseOwner " /usr/local/etc/freshclam.conf |
        awk '{ print $2 }')
test -n "$CLAMUSER" && chown -R "$CLAMUSER" /usr/local/share/clamav

# If you just upgraded ClamAV from a previous installation and you need to
# restart freshclam, clamd, MIMEDefang, etc. ASAP or your users will come
# after you, you can do that now.  Just keep in mind that you'll have to
# restart freshclam or clamd if you change their configuration as you continue
# below.  If this is a new installation, you'll need to do a few other things
# first.

# If you're using clamd with MIMEDefang, you might want a configuration
# file that looks something like this.  I run MIMEDefang as the 'mdefang' user
# (the default is 'defang') and my spooldir is /ram/MIMEDefang (yours may be
# /var/spool/MIMEDefang).
test -f /usr/local/etc/clamd.conf &&
 mv -f /usr/local/etc/clamd.conf /usr/local/etc/clamd.conf.old
cat << PENGUINSRCOOL > /usr/local/etc/clamd.conf
LogSyslog yes
PidFile /ram/MIMEDefang/
LocalSocket /ram/MIMEDefang/clamd.sock
FixStaleSocket yes
User mdefang

# Read through the sample clamd.conf in /usr/local/etc and 'man clamd.conf'
# for details about the various configuration options

# If you use clamd, MIMEDefang, etc. with sendmail and need a start/stop
# script, grab my rc.sendmail  See the top for options.
cd /etc/rc.d
test -f rc.sendmail && mv -f rc.sendmail rc.sendmail.old
chmod 600 rc.sendmail.old
chmod 755 rc.sendmail

# To run freshclam, the virus signature updater, either add an entry to
# root's crontab (it'll drop privs to the clamav user), or run freshclam as
# a daemon.  Either way, as of version 0.66 you can now specify configuration
# options in freshclam.conf  Here's an example of mine on a server that runs
# MIMEDefang.  See the sample freshclam.conf (in /usr/local/etc or in the
# ClamAV source directory under etc) and 'man freshclam.conf' for more info.
test -f /usr/local/etc/freshclam.conf &&
 mv -f /usr/local/etc/freshclam.conf /usr/local/etc/freshclam.conf.old
cat << PENGUINSRCOOL > /usr/local/etc/freshclam.conf
DatabaseOwner mdefang
Checks 24
UpdateLogFile /var/log/freshclam.log
LogSyslog yes
NotifyClamd /usr/local/etc/clamd.conf

# If you have UpdateLogFile set in your freshclam.conf, do this to make sure
# that freshclam can write to the specified log file.  If you specify a
# "DatabaseOwner" in freshclam.conf, the log file must be writeable by that
# user (ie. 'mdefang' as above).  Long ago it used to be referred to as
# clam-update.log, if that exists, this will rename it.
test -f /var/log/clam-update.log &&
 mv /var/log/clam-update.log /var/log/freshclam.log
touch /var/log/freshclam.log
chown clamav:root /var/log/freshclam.log
chmod 640 /var/log/freshclam.log

# If your system has logrotate, tell it to rotate freshclam.log
test -d /etc/logrotate.d &&
 cat << EOF > /etc/logrotate.d/clamav
/var/log/freshclam.log {
    rotate 6
    #create 0640 clamav root

## I run it as a daemon and suggest it.
# If you want to run freshclam from cron, you run a recent version of
# Slackware (or anything else that uses /etc/cron.(hourly|daily|...),
# directories, you could do this to have freshclam run once an hour:
echo '#!/bin/sh' > /etc/cron.hourly/freshclam
echo '/usr/local/bin/freshclam --quiet' >> /etc/cron.hourly/freshclam
chmod 700 /etc/cron.hourly/freshclam
# If you want to run it from cron and you don't have those directories set
# up, you can add a standard crontab entry like this.  This example would
# run it every three hours at 24 minutes after the hour.  Replace the 24 here
# with a random number between 1 and 59 so the mirrors don't all get hit at
# the same time.  Run 'crontab -e' as root to edit root's crontab.
# 24 */3 * * *	/usr/local/bin/freshclam --quiet
# ...or you can add something like this to /etc/rc.d/rc.local so freshclam
# will run as a daemon and will start on boot-up.  Don't forget to run it
# now to start it up, unless you're about to reboot for some reason.
# if [ -x /usr/local/bin/freshclam ]; then
#   echo "Starting ClamAV's freshclam..."
#   /usr/local/bin/freshclam -d
# fi

## If you built clamav-milter, it was installed into /usr/local/sbin.
## Set a LocalSocket option in your /usr/local/etc/clamd.conf specifying
## where you want the clamd socket to go.  This is the socket that
## clamd uses to talk to other apps, like clamav-milter.
# LocalSocket /var/run/clamav/clamd.sock
## Then add this to your (if it wraps here, it should be all on
## one line).  The socket referred to here is the one that clamav-milter uses
## to talk to sendmail.  If you already have other milters set in there, put
## the INPUT_MAIL_FILTER lines in the order that you want the milters to be
## called.  If you use INPUT_MAIL_FILTER (instead of MAIL_FILTER), you don't
## need a confINPUT_MAIL_FILTERS definition in there.
# INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
## then re-generate your (run 'make install-cf' or whatever you
## normally do).
## Next, create the directory to put the socket into:
# install -m 700 -u clamav -d /var/run/clamav
## And in your startup scripts, makes sure you start clamd before
## clamav-milter.  If you use my rc.sendmail script, it will do that for you.
## Now HUP sendmail and it should start filtering your mail through
## clamav-milter.

# Make sure your non-root user can remove the source later
chown -R $USER .
chmod -R u+w .

# Become yourself again

mkdir -p -m 0700 installed
rm -f installed/clamav-*.tar.*
mv clamav-0.97.1.tar.gz installed/

Back to the list

Last updated: Tue, 07 Aug 2018 12:06:17 -0400
Jason Englander <jason at englanders dot us>