{"id":6209,"date":"2024-07-07T02:10:00","date_gmt":"2024-07-07T06:10:00","guid":{"rendered":"https:\/\/www.both.org\/?p=6209"},"modified":"2024-07-01T10:16:41","modified_gmt":"2024-07-01T14:16:41","slug":"linux-malware-scanning-using-clamav","status":"publish","type":"post","link":"https:\/\/www.both.org\/?p=6209","title":{"rendered":"Linux Malware scanning using ClamAV"},"content":{"rendered":"<p class=\"has-small-font-size\">Image via Creative Commons, modified by Both.org<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Introduction<\/strong><\/h2>\n\n\n\n<p>There are many different ways of protecting a system: keeping the software up to date, removing unnecessary packages, turning off unneeded services, running a firewall, and so on. Among these, one also needs to deal with malware, which must be detected, identified, and quarantined or removed. ClamAV is an <strong>open-source antivirus engine<\/strong> for detecting malware and malicious software. ClamAV is available for multiple platforms, including Unix, Linux, Windows and macOS, and works on a variety of <a href=\"https:\/\/docs.clamav.net\/appendix\/FileTypes.html\"><u>file formats<\/u><\/a> such as PE executables, ELF and Mach-O, to name a few. 
In this article we shall see how you can utilize ClamAV for your malware scanning needs.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Installation<\/strong><\/h2>\n\n\n\n<p>To install ClamAV I will be using a Fedora system; however, the instructions should work on RHEL or any other RPM-based operating system such as CentOS.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ <strong>cat \/etc\/fedora-release<\/strong>\nFedora release 36 (Thirty Six)\n$<\/code><\/pre>\n\n\n\n<p>We will first use our package manager, dnf, to install the three packages shown in the command line below. We will look at what these packages are and what they contain further on.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ <strong>dnf install clamav clamd clamav-update<\/strong><\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Contents of packages<\/strong><\/h2>\n\n\n\n<p>The first package we installed is clamav. As shown below, it contains all the end-user tools that let a user run the clamav utility to scan a system for malware. In addition, it has some helpful utilities for understanding malware signatures, viewing ClamAV configuration settings and even submitting malware samples back to ClamAV.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ <strong>rpm -qi clamav-0.103.8-3.fc36.x86_64 | grep ^Summary<\/strong>\nSummary : End-user tools for the Clam Antivirus scanner\n$\n$ <strong>rpm -ql clamav-0.103.8-3.fc36.x86_64 | grep bin<\/strong>\n\/usr\/bin\/clambc\n\/usr\/bin\/clamconf\n\/usr\/bin\/clamdscan\n\/usr\/bin\/clamdtop\n\/usr\/bin\/clamscan\n\/usr\/bin\/clamsubmit\n\/usr\/bin\/sigtool\n\/usr\/sbin\/clamonacc\n$<\/code><\/pre>\n\n\n\n<p>The next package we installed is clamav-update. New malware strains are created and released almost daily. Malware hunters have to keep up with these new variants: each one is analyzed and a signature is created for it. These signatures in turn help a user to detect the latest viruses, so it makes sense to keep your malware signatures up to date. 
ClamAV provides the freshclam utility, which checks whether new signatures are available and downloads them onto your system for future scans.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ <strong>rpm -qi clamav-update-0.103.8-3.fc36.x86_64 | grep ^Summary<\/strong>\nSummary : Auto-updater for the Clam Antivirus scanner data-files\n$\n$ <strong>rpm -ql clamav-update-0.103.8-3.fc36.x86_64 | grep bin<\/strong>\n\/usr\/bin\/freshclam\n$<\/code><\/pre>\n\n\n\n<p>And finally, the clamd package, which provides the clamd daemon and allows us to run ClamAV as a service in the background.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ <strong>rpm -qi clamd-0.103.8-3.fc36.x86_64 | grep ^Summary<\/strong>\nSummary : The Clam AntiVirus Daemon\n$\n$ <strong>rpm -ql clamd-0.103.8-3.fc36.x86_64 | grep bin<\/strong>\n\/usr\/sbin\/clamd\n$<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Getting latest signatures using freshclam<\/strong><\/h2>\n\n\n\n<p>Once ClamAV is installed, let us fetch the latest malware signatures using the freshclam utility, as shown below. 
If you have SELinux enabled, you need to perform the following additional step, as outlined in the ClamAV <a href=\"https:\/\/docs.clamav.net\/manual\/Usage\/Configuration.html#configure-selinux-for-clamav\"><u>configuration settings<\/u><\/a>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ <strong>setsebool -P antivirus_can_scan_system 1<\/strong><\/code><\/pre>\n\n\n\n<p>When you run freshclam, you should see it updating some .cvd files, which we will talk about later in the article.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ <strong>freshclam<\/strong>\n&lt;snip>\nClamAV update process started at Tue Apr 4 02:44:39 2023\ndaily database available for download (remote version: 26864)\ndaily.cvd updated (version: 26864, sigs: 2028069, f-level: 90, builder: raynman)\nmain database available for download (remote version: 62)\nmain.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)\nbytecode database available for download (remote version: 334)\nbytecode.cvd updated (version: 334, sigs: 91, f-level: 90, builder: anvilleg)\n&lt;snip>\n$<\/code><\/pre>\n\n\n\n<p>The malware signatures are stored within the \/var\/lib\/clamav directory of your filesystem. 
Running the file command on the main.cvd file identifies it as a &#8220;Clam AntiVirus database&#8221; file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ <strong>cd \/var\/lib\/clamav\/<\/strong>\n$ <strong>pwd<\/strong>\n\/var\/lib\/clamav\n$ <strong>ls<\/strong>\nbytecode.cvd daily.cvd freshclam.dat main.cvd\n$ <strong>file \/var\/lib\/clamav\/main.cvd<\/strong>\n\/var\/lib\/clamav\/main.cvd: Clam AntiVirus database (with buildtime), 16 Sep 2021 08-32 -0400, version 62, 6647427 signatures, level 90, builder sigmgr, with gzip compressed data, max compression, from Unix, original size modulo 2^32 464052736\n$<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Explore existing signatures using sigtool<\/strong><\/h2>\n\n\n\n<p>We now know where the antivirus database is located, but how many malware signatures does it contain? sigtool is a handy utility that helps you work with malware signatures. In the output below I ran it against the main.cvd database; it showed that the database contains 6647427 malware signatures, followed by the MD5 hash and the digital signature, and that the signature verified OK.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ <strong>sigtool -i \/var\/lib\/clamav\/main.cvd<\/strong>\nFile: \/var\/lib\/clamav\/main.cvd\nBuild time: 16 Sep 2021 08:32 -0400\nVersion: 62\nSignatures: 6647427\nFunctionality level: 90\nBuilder: sigmgr\nMD5: 137eccce31aacb21b5a98bb8c21cefd6\nDigital signature: twaJBls8V5q64R7QY10AatEtPNuPWoVoxTaNO1jpBg7s5jIMMXpitgG1000YLp6rb0TWkEKjRqxneGTxuxWaWm7XBjsgwX2BRWh\/y4fhs7uyImdKRLzQ5y8e2EkSChegF\/i8clqfn+1qetq9j4gbktJ3JZpOXPoHlyr2Dv9S\/Bg\nVerification OK.\n$<\/code><\/pre>\n\n\n\n<p>If you wish to see the actual signatures within the database, you need to unpack it first. 
Follow the steps below, starting by creating a new temp directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ <strong>mkdir -p \/tmp\/sigs<\/strong>\n$\n$ <strong>cd \/tmp\/sigs\/<\/strong>\n$ <strong>pwd<\/strong>\n\/tmp\/sigs\n$<\/code><\/pre>\n\n\n\n<p>Next, use sigtool to unpack the antivirus database into the temp directory created above. Once unpacked, you should see a number of files within the directory. Use any text editor to open the files and inspect their contents.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ <strong>sigtool --unpack \/var\/lib\/clamav\/main.cvd<\/strong>\nCOPYING main.cdb main.crb main.fp main.hdb main.hsb main.info main.ldb main.mdb main.msb main.ndb main.sfp\n$ <\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Scanning files and directories using clamscan<\/strong><\/h2>\n\n\n\n<p>Finally, we can run clamscan against a single file, or recursively against a directory using -r. clamscan checks each file it scans against the signature database and reports any match. clamscan provides many handy command line arguments; I encourage you to read its man page for more details.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ <strong>clamscan \/usr\/bin\/ls<\/strong>\n$ <strong>clamscan -r \/usr\/bin\/<\/strong>\n$ <strong>clamscan --log=\/tmp\/clamav_test_run.log -r \/usr\/bin<\/strong><\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>ClamAV Configuration settings<\/strong><\/h2>\n\n\n\n<p>ClamAV is highly configurable to suit your requirements. You can use the scan.conf file to check your current configuration and make changes. There is also a handy clamconf utility, which dumps your entire system configuration to the screen.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ <strong>ls -l \/etc\/clamd.d\/scan.conf<\/strong>\n-rw-r--r--. 
1 root root 26665 Feb 20 11:54 \/etc\/clamd.d\/scan.conf\n$ <strong>clamconf<\/strong>\nChecking configuration files in \/etc\nConfig file: clamd.d\/scan.conf\n------------------------------\nAlertExceedsMax disabled\nConfig file: freshclam.conf\n---------------------------\nLogFileMaxSize = \"1048576\"\nLogTime disabled\nLogSyslog disabled\n&lt;&lt; snip >>\n$<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Running the ClamAV daemon<\/strong><\/h2>\n\n\n\n<p>Running ClamAV once in a while is good; however, remember that it also ships a multithreaded clamd daemon, so one can also configure it as a service that runs continuously in the background and is managed by systemd, as shown in the example below. Also note that if you intend to run the clamav service, it is best to <a href=\"https:\/\/docs.clamav.net\/manual\/Installing\/Add-clamav-user.html\"><u>add a service account<\/u><\/a>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ <strong>ls -l \/usr\/lib\/systemd\/system\/clamd@.service<\/strong>\n-rw-r--r--. 1 root root 398 Feb 20 11:44 \/usr\/lib\/systemd\/system\/clamd@.service\n$\n$ <strong>systemctl status clamd@service<\/strong>\n\u25cb clamd@service.service - clamd scanner (service) daemon\nLoaded: loaded (\/usr\/lib\/systemd\/system\/clamd@.service; disabled; vendor preset: disabled)\nActive: inactive (dead)\nDocs: man:clamd(8)\nman:clamd.conf(5)\n<a href=\"https:\/\/www.clamav.net\/documents\">https:\/\/www.clamav.net\/documents<\/a>\n$<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Conclusion<\/strong><\/h2>\n\n\n\n<p>ClamAV is a healthy open source project that is actively developed and maintained by the Cisco Talos Threat Intelligence team. I have barely scratched the surface of what ClamAV is capable of. I highly recommend that users check its <a href=\"https:\/\/docs.clamav.net\/\"><u>documentation<\/u><\/a> to understand its value and decide whether it would be suitable for their malware scanning needs. 
Also check out the variety of <a href=\"https:\/\/docs.clamav.net\/manual\/Installing\/Community-projects.html\"><u>community projects<\/u><\/a> related to ClamAV that you can contribute to.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Image via Creative Commons, modified by Both.org Introduction There are many different ways of protecting a system, right<\/p>\n","protected":false},"author":490,"featured_media":6224,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_lmt_disableupdate":"","_lmt_disable":"","footnotes":""},"categories":[471,90,5,75],"tags":[470,261],"class_list":["post-6209","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-anti-malware","category-in-depth","category-linux","category-security","tag-clamav","tag-security"],"modified_by":"David Both","_links":{"self":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/6209","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/users\/490"}],"replies":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6209"}],"version-history":[{"count":7,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/6209\/revisions"}],"predecessor-version":[{"id":6222,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/6209\/revisions\/6222"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/media\/6224"}],"wp:attachment":[{"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6209"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fc
ategories&post=6209"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6209"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}