How to install clamav with on-access ability
« on: November 08, 2018, 12:34:29 PM »
alchemist
HowTo install clamav with on-access scan.

The last stable version of Clamav, clamav-0.100.2, comes with a deactivated on-access scan capability.
The only on-access ability is to block the execution of a known virus and send a message to the clamav.log.
After an installation of clamav-daemon this can be done for example by inserting the following in the clamd.conf file:
--------------------------------------------------
User root
ScanOnAccess True
OnAccessIncludePath /"a_path_of_your_choice"
OnAccessPrevention true
--------------------------------------------------
The "VirusEvent" feature of clamd.conf, which would permit triggering an executable script that could delete a virus,
 move it to a quarantine, or send a message to the screen or to a log file, is not working.
The reason is found in the file "onaccess_fan.c" of the source (clamav-0.100.2.tar.gz).
(see https://bbs.archlinux.org/viewtopic.php?id=237489)
After extracting the source and opening "onaccess_fan.c" with an editor you can find at the line 81:

if (scan) {
        if (onas_scan(fname, fmd->fd, &virname, tharg->engine, tharg->options, extinfo) == CL_VIRUS) {
            /* TODO : FIXME? virusaction forks. This could be extraordinarily problematic, lead to deadlocks,
             * or at the very least lead to extreme memory consumption. Leaving disabled for now.*/
            //virusaction(fname, virname, tharg->opts);
            res.response = FAN_DENY;
        }

"virusaction" is commented out with two slashes // [ //virusaction(fname, virname, tharg->opts); ]
As the developer advises, removing the two slashes can be problematic.

Taking a risk, I uncommented it and installed clamav on a Linux Lite 2.8 distribution based on Ubuntu 14.04 trusty, using a 3.19.0-80-generic kernel, and it worked well for me, as it did for others (see link above).
It can now move viruses to a quarantine, delete them, and send a message, all ON-ACCESS.
Probably in the future the bug will be fixed, but when, and still for free? Who can be sure.
So for those who are interested and accept the risk, I offer a brief step-by-step installation guide, without taking any responsibility if any smoke arises from your machine.

1) Completely uninstall clamav and clamav-daemon if they were previously installed.
   on my debian distribution:
   dpkg purge clamav clamav-daemon (I prefer using the Synaptic Package Manager because it is more detailed)

2) Download the source.
   https://www.clamav.net/downloads/production/clamav-0.100.2.tar.gz

3) Unpack it in a directory of your choice.
   $ tar -xvf clamav-0.100.2.tar.gz

4) Download and install the following 3 packages if they are missing: check, libxml2-dev, libssl-dev (I did it through Synaptic)

5) Uncomment the line in the "onaccess_fan.c" file.
   - Enter the clamav-0.100.2 directory.
   - Open the file clamd/onaccess_fan.c with an editor. (I use vim: $vim clamd/onaccess_fan.c)
   - Remove the two slashes (//) in the line "//virusaction(fname, virname, tharg->opts);"
   so it becomes: "virusaction(fname, virname, tharg->opts);"
   - Save and exit the editor.

6) Install clamav from the source.
   (see https://www.clamav.net/documents/installing-clamav)
   I did the following:
   - Enter the clamav-0.100.2 directory with the command line.
   - Change to root (sudo su) and execute the following:
   - ./configure
   - make
   - make check
   - make install

7) Configure clamd. I give the following example (see the clamd.conf manual).
   - Open the clamd.conf file with an editor and put or change the following features:
   User root
   ScanOnAccess true
   OnAccessIncludePath /path_to_directory_to_protect
   OnAccessExcludeUID 0
   OnAccessPrevention true
   OnAccessExtraScanning false
   VirusEvent /opt/clamav-utils/clamd-response
   - save and exit

8) Write the clamd-response script.
   In this example it will give a virus notification to a log file, move the virus to a quarantine and a notification appears on the screen.
   - make a directory /opt/clamav-utils/
   - write with an editor the following in a file named "clamd-response" in the directory /opt/clamav-utils/ and save it.
----------------------------------
#!/bin/sh
# Append one line per detection to the infected log.
echo "$(date) - $CLAM_VIRUSEVENT_VIRUSNAME > $CLAM_VIRUSEVENT_FILENAME" >> /var/log/clamav/infected.log
# Make sure the quarantine directory exists, then move the file there (quoted: file names may contain spaces).
mkdir -p /opt/clamav-utils/clamd_quarantine/
mv -- "$CLAM_VIRUSEVENT_FILENAME" /opt/clamav-utils/clamd_quarantine/
sudo -u MyUserName DISPLAY=:0.0 notify-send "Virus Found $CLAM_VIRUSEVENT_VIRUSNAME" "$CLAM_VIRUSEVENT_FILENAME has been moved to quarantine"
----------------------------------
ATTENTION: "MyUserName" must be changed to your user name!

9) make an empty file /var/log/clamav/infected.log

10) start the clamd daemon: # clamd start.

It is done!

But there is still a bug. The OnAccessScan does not scan the sub-directories.
The feature "OnAccessExtraScanning", even if set to "true", doesn't work.
The following message appears in the clamav.log:
----------------------------------
ScanOnAccess: OnAccessExtraScanning was requested, but has been disabled due to a known issue with thread resource cleanup.
The OnAccessExtraScanning feature will be re-enabled in a future release when the issue is resolved.
For details, see: https://bugzilla.clamav.net/show_bug.cgi?id=12048
----------------------------------
So we hope it will soon be resolved.
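A hardened version of the step 8 VirusEvent handler, added here as an example and not taken from the post above. It relies only on the two environment variables the post's script already uses (CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME); the quarantine and log paths are overridable so the quarantine function can be exercised outside clamd, and "MyUserName" is the same placeholder as in the post.

```shell
#!/bin/sh
# Added example: hardened VirusEvent hook for clamd (not the forum post's script).
# Defaults match the post's paths; override them to test without root.
QUARANTINE_DIR="${QUARANTINE_DIR:-/opt/clamav-utils/clamd_quarantine}"
INFECTED_LOG="${INFECTED_LOG:-/var/log/clamav/infected.log}"

# quarantine_file FILE VIRUSNAME
# Moves FILE into the quarantine under a unique name, strips its permissions
# and appends one line to the log. Prints the quarantined path on success.
quarantine_file() {
    file=$1
    virus=$2
    # Refuse empty paths, symlinks and non-regular files: the hook must never
    # "mv" a directory or follow a link somewhere unexpected.
    [ -n "$file" ] && [ ! -L "$file" ] && [ -f "$file" ] || return 1
    mkdir -p "$QUARANTINE_DIR" || return 1
    # Timestamp + PID + original basename: two detections with the same file
    # name cannot overwrite each other in the quarantine.
    dest="$QUARANTINE_DIR/$(date +%Y%m%d%H%M%S).$$.$(basename -- "$file")"
    mv -- "$file" "$dest" || return 1
    # Nobody can execute or read the sample by accident once it is quarantined.
    chmod 000 "$dest"
    printf '%s - %s > %s -> %s\n' "$(date)" "$virus" "$file" "$dest" >> "$INFECTED_LOG"
    printf '%s\n' "$dest"
}

# When invoked by clamd, the variables come from the daemon's environment.
if [ -n "$CLAM_VIRUSEVENT_FILENAME" ]; then
    dest=$(quarantine_file "$CLAM_VIRUSEVENT_FILENAME" "$CLAM_VIRUSEVENT_VIRUSNAME") || exit 1
    # Desktop notification is optional; skipped when notify-send is absent.
    command -v notify-send >/dev/null 2>&1 && \
        sudo -u MyUserName DISPLAY=:0.0 notify-send "Virus Found $CLAM_VIRUSEVENT_VIRUSNAME" \
            "$CLAM_VIRUSEVENT_FILENAME has been moved to $dest"
fi
```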