ClamAV
Installing (Linux)
Download the latest stable release from the ClamAV Site. Full documentation for the install process is included with the distribution in the file named ./doc/clamdoc.pdf.
Decompress the archive and change your working directory to the decompressed folder.
Installing for All Users
Note: the ‘All Users’ instructions have not been confirmed. They are a summary of the instructions included in the distribution.
Add a clamav user and group
groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
Build and install
$ ./configure --sysconfdir=/etc
$ make
# make install
Edit /etc/clamd.conf setting the options to suit
vi /etc/clamd.conf
Edit the configuration file, ensuring you set the location of the database (DatabaseDirectory option)
vi /etc/freshclam.conf
Run the clamd daemon
$ clamd
Installing for Shell Account
Build, specifying an install location, then install
$ ./configure --prefix=/home/myname/clamav --disable-clamav
$ make; make install
Edit the configuration file, ensuring you set the location of the database (DatabaseDirectory option)
$ vi ./etc/freshclam.conf
Update the virus database
$ ~/clamav/bin/freshclam
Check that the database is up to date by examining the date shown with the version option
$ ~/clamav/bin/clamscan --version --database=./${DATABASE_LOCATION}
Test the installation
$ ~/clamav/bin/clamscan --database=./${DATABASE_LOCATION} ~
Scan
The following will provide a default recursive scan of /media/sda1 with logging and copying of files found to be infected.
$ mkdir infected
$ clamscan --recursive --suppress-ok-results --log=scan.log --copy=./infected/ /media/sda1
Trouble-Shooting
Heuristics.Phishing.Email.SpoofedDomain FOUND
If you believe this error is occurring due to a false positive, you can determine the specific part of the e-mail message the heuristic scanner has reported this scan result for by running clamscan with the --debug option and redirecting the output to a file to examine. E.g.
$ clamscan --debug email.eml 2>result.txt
Search the result.txt file for a string similar to
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
or grep the file to pick out all the non-clean scan results so you can figure out what to search for:
$ egrep 'Phishing scan result:' result.txt | egrep -v 'Phishing scan result: Clean' -
Using your favourite editor, look back from the non-clean phishing scan result message for a line similar to
LibClamAV debug: Phishcheck:Checking url.
It seems the heuristic check is checking the reported URL for HTML A tags whose href attribute and img attribute reference different websites. There will also be a line similar to
LibClamAV debug: Looking up in regex_list:
which lists the two domain names. To whitelist those domain combinations, create a file named spoofing.wdb and place it in your ClamAV database directory (the one containing daily.cvd etc.), containing a line of the following pattern, where first-domain.tld and second-domain.tld are the entries reported alongside LibClamAV debug: Looking up in regex_list:
X:first-domain\.tld:second-domain\.tld
Escape any characters in the domain names that are special characters in regular expressions.
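The whitelisting step above can be scripted. The following is an added example, not part of the original page or of ClamAV itself: it pulls the domain pairs from the "Looking up in regex_list:" lines of clamscan --debug output, removes duplicates, escapes regex metacharacters, and prints one X:real:displayed line per pair ready to be appended to spoofing.wdb. The sample debug output is constructed, and it assumes the debug line carries the two domains as "real.tld:displayed.tld", which follows the page's description rather than any documented format.

```shell
#!/bin/sh
# Added example (not from the original page or ClamAV): build spoofing.wdb
# whitelist entries from the domain pairs reported by clamscan --debug.
# Assumption: a debug line looks like
#   LibClamAV debug: Looking up in regex_list: real.tld:displayed.tld

# Constructed sample of clamscan --debug output (not real scan output).
SAMPLE_DEBUG='LibClamAV debug: Phishcheck: Checking url
LibClamAV debug: Looking up in regex_list: links.example-mail.com:www.example.com
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: Looking up in regex_list: cdn.example.net:example.net
LibClamAV debug: Phishcheck: Phishing scan result: Clean
LibClamAV debug: Looking up in regex_list: links.example-mail.com:www.example.com'

# Escape characters that are special in regular expressions so the
# whitelist entry matches the literal domain name only.
escape_re() {
    printf '%s' "$1" | sed 's/[][\.*^$+?(){}|\\]/\\&/g'
}

# Emit one "X:real:displayed" line per distinct domain pair, in the
# order the pairs were first seen in the debug output.
wdb_entries() {
    printf '%s\n' "$1" \
      | sed -n 's/^LibClamAV debug: Looking up in regex_list: //p' \
      | awk '!seen[$0]++' \
      | while IFS=: read -r real displayed; do
            printf 'X:%s:%s\n' "$(escape_re "$real")" "$(escape_re "$displayed")"
        done
}

# Demonstration on the constructed sample. For a real run, capture the
# debug output first (clamscan --debug email.eml 2>result.txt) and then
# append the output of: wdb_entries "$(cat result.txt)" to spoofing.wdb
# in the ClamAV database directory.
wdb_entries "$SAMPLE_DEBUG"
```

Review the generated lines before appending them: only pairs you have confirmed are legitimate belong in spoofing.wdb, since each entry disables the spoofed-domain check for that combination.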
False Positives
Use VirusTotal.com to check how likely it is that the file is a false positive.
If you think it is a false positive, submit it to ClamAV using the false positive submission form.
References
– Frank Dean - 15 Mar 2010
Related Topics: LinuxHintsAndTips, WindowsXP