ShareWiz Ultra Secure Server Setup

Anti-Virus Security

Setup Anti-Virus

Install the ClamAV AntiVirus application (highly recommended)

Issue the following command:

sudo aptitude install clamav clamav-docs clamav-freshclam clamav-daemon

clamav is an anti-virus application.

The clamav-daemon package creates a 'clamav' user; in order to allow ClamAV to scan system files, such as your mail spool, you can add clamav to the group that owns the files.

Configure ClamAV

If you use an HTTP proxy to reach the internet, freshclam needs the proxy settings added to /etc/clamav/freshclam.conf.

Issue the following command:

sudo vi /etc/clamav/freshclam.conf

…and add the following two lines, substituting your proxy's address and port:

HTTPProxyServer serveraddress

HTTPProxyPort portnumber

Update the virus definitions

Issue the following command:

sudo freshclam

Check if the clamav-daemon is running

Issue the following command:

sudo ps ax | grep [c]lamd

The bracket in [c]lamd stops the grep process itself from matching its own command line, so any line printed is the running clamd daemon.
Modify AppArmor Settings for ClamAV

Issue the following command:

sudo vi /etc/apparmor.d/usr.sbin.clamd

…and edit the directories and files to monitor.

This is covered in the AppArmor section of /usr/share/doc/clamav/README.Debian.gz (at the end). You should update the profile to authorize scanning wherever you need it to happen. See the AppArmor wiki and the linked pages for details.

/etc/apparmor.d/usr.sbin.clamd is the profile that needs to be modified for your use case.

In short: clamdscan uses clamav-daemon to scan files. When you run clamdscan /path/to/file, it simply asks the clamav-daemon in the background to open that file and scan it. Because of AppArmor, clamav-daemon does not have read permission to open files in arbitrary directories.

You may have to adjust the clamav daemon's AppArmor profile to grant access to other folders. Look for AppArmor denial messages in the log file (usually by grepping for 'audit' in /var/log/messages).

Reload AppArmor Profiles

Issue the following command:

sudo /etc/init.d/apparmor restart

Create a Test Virus File

Issue the following command:

sudo vi /tmp/eicar.txt

...and populate it with the following data:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The file eicar.txt is the standard EICAR anti-virus test file: the string above is the EICAR test signature, which every anti-virus scanner is expected to detect as a virus even though the file itself is harmless.

Scan for Viruses Manually

Issue the following command:

sudo clamscan

Examples:

  • To check files in all users' home directories: clamscan -r /home
  • To check all files on the computer, displaying the name of each file: clamscan -r /
  • To check all files on the computer, but only display infected files and ring a bell when found: clamscan -r --bell -i /

ClamAV can only read files that the user running it can read. If you want to check all files on the system, use the sudo command.

To test for the test virus file created above, scan the /tmp directory using clamscan -r /tmp.

Check the Logs

When ClamAV has scanned all the files you asked it to, it will report a summary:

----------- SCAN SUMMARY -----------
Known viruses: 33840
Scanned directories: 145
Scanned files: 226
Infected files: 1
Data scanned: 54.22 MB
I/O buffer size: 131072 bytes
Time: 20.831 sec (0 m 20 s)

Remove files affected by a virus

Add the "--remove" option to the clamscan command to delete infected files instead of only reporting them. This deletes the files outright, so use it with care; clamscan also offers --move=DIRECTORY to quarantine infected files instead.

Issue the following command:

sudo clamscan --remove

Schedule ClamAV to run automatically

It is recommended to have the weekly antivirus scan of the system performed by a cron job.

Issue the following command:

sudo vi /etc/cron.weekly/clamav-sharewiz

...and populate the file with:

#!/bin/bash
#
# Perform a scan of the system for viruses
clamscan -r --bell -i --exclude-dir=^/proc --exclude-dir=^/sys / |
  mail -aFrom:clamav@`hostname`.sharewiz.net -s "Weekly antivirus scan for `hostname`.sharewiz.net" sysadmin@sharewiz.net

The /proc and /sys directories are excluded from the scan because they are virtual file systems rather than collections of ordinary files.

...and we make the script executable (cron's run-parts only runs files in /etc/cron.weekly that are executable) using the command:

sudo chmod 755 /etc/cron.weekly/clamav-sharewiz

You can also use the at command to schedule clamscan or freshclam.

If the scan is not being run by the cron job above, execute the following command to schedule a one-off scan (the at> prompt is printed by at; type the clamscan line, then press Ctrl-D to finish):

at 3:30 tomorrow
at> clamscan -i / | mail sysadmin@sharewiz.net
at>
job 3 at 2012-12-11 03:30

This schedules a ClamAV scan to happen on the root (/) directory at 3:30 AM tomorrow. The output (showing only infected files) will be sent to you by e-mail.
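As an added example that is not part of the ShareWiz page, the following wrapper for the weekly cron job uses clamscan's exit status (0 clean, 1 infected, 2 error) together with the "Infected files" line of the SCAN SUMMARY shown above, so that mail is sent only when the scan found something or failed instead of every week; the recipient address is a placeholder.

```shell
#!/bin/bash
# Added example (not the ShareWiz page's own script): a weekly-scan wrapper
# that reports only on findings or failures. The mail recipient is a placeholder.

# Print the "Infected files" count from a clamscan SCAN SUMMARY read on stdin.
# Prints -1 when the summary line is missing (a truncated or aborted scan).
infected_count() {
    awk -F': *' '/^Infected files:/ { n = $2; found = 1 }
                 END { print (found ? n : "-1") }'
}

# Classify a finished scan as "infected", "error" or "clean".
# $1 = clamscan exit status (0 clean, 1 infected, 2 error), $2 = scan output.
# A missing summary is treated as an error so a silently broken scan is noticed.
classify_scan() {
    local count
    count=$(printf '%s\n' "$2" | infected_count)
    if [ "$1" -eq 2 ] || [ "$count" -lt 0 ]; then
        echo error
    elif [ "$1" -eq 1 ] || [ "$count" -gt 0 ]; then
        echo infected
    else
        echo clean
    fi
}

# Run the same scan as the cron job and mail only when attention is needed.
weekly_scan() {
    local output status verdict
    output=$(clamscan -r -i --exclude-dir=^/proc --exclude-dir=^/sys / 2>&1)
    status=$?
    verdict=$(classify_scan "$status" "$output")
    if [ "$verdict" != clean ]; then
        printf '%s\n' "$output" |
          mail -s "ClamAV weekly scan: $verdict on $(hostname)" sysadmin@example.com
    fi
    echo "$verdict"
}
```

Call weekly_scan from the cron script in place of the bare clamscan pipeline; a quiet week then produces no mail at all.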

Continue to the Firewall Security...