There are many virus scanners available for Linux, although Linux is generally immune to viruses. These virus scanners can be used to scan files and folders for viruses and also to scan email for viruses. One that I like to use is clamav. There are both Linux and Windows clients available and it is free. The Windows client even has some features not available in other Windows virus scanners, such as the ability to do hourly updates and the ability to send an email notification in the event it detects an infected file or email. However, this tutorial will focus specifically on using the Linux version of clamav along with some of the GUIs available, and an easy way to configure POP/IMAP mail clients such as kmail, thunderbird, and evolution to use clamav.
Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates. The core of the package is an anti-virus engine available in the form of a shared library.
INSTALLATION
Clamav is available for most, if not all, Linux distributions in the package format they use (deb, rpm, source code, etc). You should use the method that your distribution uses to install clamav. Clamav is also available for download directly from the web site at http://www.clamav.net and is provided in many popular formats for debian, suse, redhat, fedora, mandriva, gentoo, and pardus distributions.
There is also a clamav 3rd party tools page which offers downloads for interfacing clamav with MTAs, POP3, Web & FTP, on-access scanning, mail user agents, bindings for programming languages, and miscellaneous other tools.
CONFIGURATION
I couldn't possibly cover every single type of clamav installation in this article, so I will just point you to the configuration files. The two critical files you will want to take a look at after you get clamav installed are:
- clamd.conf - configures the settings related to the main program
- freshclam.conf - configures settings related to updates of the virus database
On my computer, both of these files were located in /etc/. They may be somewhere else on your distribution, so you can use the locate command to find them if they are not there. You may also need to update the locate/slocate database first using the updatedb command. Both files are very well documented and the format and settings should be pretty easy to follow. I generally set a few options for archived files: the depth of archives to scan (archives within archives) and the maximum size of archives to scan. I also enable syslog logging in addition to the default logging options, and I change the default virus database update frequency from 12 times per day (every other hour) to 24 times per day (every hour).
The distribution that I use comes with an init script to start the clamd daemon. When it starts, it also starts the freshclam daemon that updates the virus signatures. I would assume most distributions include the same functionality. So, after it is installed and configured, the next thing we need to do is start the daemons and also add them to the default runlevel so they get started at boot. I use gentoo/sabayon linux and the method for those distributions is like this:
# rc-update add clamd default
Once I have added it to my default runlevel, I can now start the service using:
# /etc/init.d/clamd start
Other distributions will likely use different methods for managing services and runlevels. Consult the documentation for those distributions on how to start and stop services and how to add them to the runlevels.
After we have the services started, we can check the log files to make sure they are running:
[code]
# cat /var/log/messages | grep clamd
Jan 30 01:08:43 urf clamd[29081]: clamd daemon 0.92 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jan 30 01:08:43 urf clamd[29081]: Running as user clamav (UID 102, GID 409)
Jan 30 01:08:43 urf clamd[29081]: Log file size limited to 1048576 bytes.
Jan 30 01:08:43 urf clamd[29081]: Reading databases from /var/lib/clamav
Jan 30 01:08:43 urf clamd[29081]: Not loading PUA signatures.
Jan 30 01:08:48 urf clamd[29081]: Loaded 367760 signatures.
Jan 30 01:08:48 urf clamd[29081]: Unix socket file /var/run/clamav/clamd.sock
Jan 30 01:08:48 urf clamd[29081]: Setting connection queue length to 15
Jan 30 01:08:48 urf clamd[29081]: Archive: Archived file size limit set to 26214400 bytes.
Jan 30 01:08:48 urf clamd[29081]: Archive: Recursion level limit set to 10.
Jan 30 01:08:48 urf clamd[29081]: Archive: Files limit set to 1500.
Jan 30 01:08:48 urf clamd[29081]: Archive: Compression ratio limit set to 250.
Jan 30 01:08:48 urf clamd[29081]: Archive: Limited memory usage.
Jan 30 01:08:48 urf clamd[29081]: Archive support enabled.
Jan 30 01:08:48 urf clamd[29081]: Algorithmic detection enabled.
Jan 30 01:08:48 urf clamd[29081]: Portable Executable support enabled.
Jan 30 01:08:48 urf clamd[29081]: ELF support enabled.
Jan 30 01:08:48 urf clamd[29081]: Mail files support enabled.
Jan 30 01:08:48 urf clamd[29081]: Mail: Recursion level limit set to 64.
Jan 30 01:08:48 urf clamd[29081]: OLE2 support enabled.
Jan 30 01:08:48 urf clamd[29081]: PDF support enabled.
Jan 30 01:08:48 urf clamd[29081]: HTML support enabled.
Jan 30 01:08:48 urf clamd[29081]: Self checking every 1800 seconds.
[/code]
After you have had the services running for a while, you can also verify that freshclam is providing the updates to the virus database which by default is every two hours. I always set mine to update every hour.
[code]
# cat /var/log/messages | grep freshclam
Jan 30 01:08:43 urf freshclam[29090]: freshclam daemon 0.92 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jan 30 01:08:43 urf freshclam[29090]: ClamAV update process started at Wed Jan 30 01:08:43 2008
Jan 30 01:08:48 urf freshclam[29090]: main.inc is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)
Jan 30 01:08:48 urf freshclam[29090]: daily.inc is up to date (version: 5600, sigs: 28408, f-level: 21, builder: ccordes)
Jan 30 01:08:48 urf freshclam[29090]: --------------------------------------
Jan 30 02:08:48 urf freshclam[29090]: Received signal: wake up
Jan 30 02:08:48 urf freshclam[29090]: ClamAV update process started at Wed Jan 30 02:08:48 2008
Jan 30 02:08:48 urf freshclam[29090]: main.inc is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)
Jan 30 02:08:48 urf freshclam[29090]: daily.inc is up to date (version: 5600, sigs: 28408, f-level: 21, builder: ccordes)
[/code]
You can use a handy program included with clamav, clamconf, to show your current configuration settings. It simply prints out the current configuration and its output is useful when asking for help or support with clamav. It can be run as root or as a normal user. Here is an example:
[code]
$ clamconf
/etc/clamd.conf: clamd directives
------------------------------
LogFile = "/var/log/clamav/clamd.log"
LogFileUnlock = no
LogFileMaxSize = 1048576
LogTime = yes
LogClean = no
LogVerbose = no
LogSyslog = yes
LogFacility = "LOG_MAIL"
PidFile = "/var/run/clamav/clamd.pid"
TemporaryDirectory not set
ScanPE = yes
ScanELF = yes
DetectBrokenExecutables = no
ScanMail = yes
MailFollowURLs = no
MailMaxRecursion = 64
PhishingSignatures = yes
PhishingScanURLs = yes
PhishingAlwaysBlockCloak = no
PhishingAlwaysBlockSSLMismatch = no
PhishingRestrictedScan = yes
DetectPUA = no
AlgorithmicDetection = yes
ScanHTML = yes
ScanOLE2 = yes
ScanPDF = yes
ScanArchive = yes
ArchiveMaxFileSize = 26214400
ArchiveMaxRecursion = 10
ArchiveMaxFiles = 1500
ArchiveMaxCompressionRatio = 250
ArchiveLimitMemoryUsage = yes
ArchiveBlockEncrypted = no
ArchiveBlockMax = no
DatabaseDirectory = "/var/lib/clamav"
TCPAddr not set
TCPSocket not set
LocalSocket = "/var/run/clamav/clamd.sock"
MaxConnectionQueueLength = 15
StreamMaxLength = 10485760
StreamMinPort = 1024
StreamMaxPort = 2048
MaxThreads = 10
ReadTimeout = 120
IdleTimeout = 30
MaxDirectoryRecursion = 15
FollowDirectorySymlinks = no
FollowFileSymlinks = no
ExitOnOOM = no
Foreground = no
Debug = no
LeaveTemporaryFiles = no
FixStaleSocket = yes
User = "clamav"
AllowSupplementaryGroups = no
SelfCheck = 1800
VirusEvent not set
ClamukoScanOnAccess not set
ClamukoScanOnOpen not set
ClamukoScanOnClose not set
ClamukoScanOnExec not set
ClamukoIncludePath not set
ClamukoExcludePath not set
ClamukoMaxFileSize = 5242880
DevACOnly not set
DevACDepth not set

/etc/freshclam.conf: freshclam directives
------------------------------
LogFileMaxSize = 1048576
LogTime = yes
LogVerbose = no
LogSyslog = yes
LogFacility = "LOG_MAIL"
PidFile = "/var/run/clamav/freshclam.pid"
DatabaseDirectory = "/var/lib/clamav"
Foreground = no
Debug = no
AllowSupplementaryGroups = no
DatabaseOwner = "clamav"
Checks = 24
UpdateLogFile = "/var/log/clamav/freshclam.log"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "database.clamav.net"
MaxAttempts = 3
ScriptedUpdates = yes
HTTPProxyServer not set
HTTPProxyPort not set
HTTPProxyUsername not set
HTTPProxyPassword not set
HTTPUserAgent not set
NotifyClamd = "/etc/clamd.conf"
OnUpdateExecute not set
OnErrorExecute not set
OnOutdatedExecute not set
LocalIPAddress not set
ConnectTimeout = 30
ReceiveTimeout = 30

Engine and signature databases
------------------------------
Engine version: 0.92
Database directory: /var/lib/clamav
main db: Format: .cvd, Version: 45, Build time: Sun Dec 9 10:50:53 2007
daily db: Format: .inc, Version: 5622, Build time: Thu Jan 31 06:00:29 2008
[/code]
USAGE
There are several binary files provided with clamav that allow you to do various things with clamav, such as configuring it, scanning files, scanning email, etc. Here is a list of all binary files:
- /usr/bin/clamav-config
- /usr/bin/clamconf
- /usr/bin/clamdscan
- /usr/bin/clamscan
- /usr/bin/freshclam
- /usr/bin/sigtool
- /usr/sbin/clamd
You can have a look at the man page for each of the commands above to find out what it does. The one I want to show you for this article in particular is clamscan, which allows you to scan files and directories for viruses.
Clamscan can be run from a shell, or from a script. Other graphical user interfaces can also call this command to perform virus scans. The clamscan command uses this format when invoked:
clamscan [options] [file/directory/-]
Here are some examples taken straight from the man page:
EXAMPLES
- (0) Scan a single file:
[code] clamscan file [/code]
- (1) Scan the current working directory:
[code] clamscan [/code]
- (2) Scan all files (and subdirectories) in /home:
[code] clamscan -r /home [/code]
- (3) Load database from a file and limit disk usage to 50 MB:
[code] clamscan -d /tmp/newclamdb --max-space=50m -r /tmp [/code]
- (4) Scan a data stream:
[code] cat testfile | clamscan - [/code]
- (5) Scan a mail spool directory:
[code] clamscan -r /var/spool/mail [/code]
Here is a common example I will provide that is not in the man page:
# clamscan --recursive --log=/tmp/clamscan.log /home
AUTOMATING SCANS
For many users, scanning for viruses from a command line on a regular basis is not very convenient, even though writing a cron job to perform regular virus scans is not very hard. Regular scans don't get done because most users don't want to run a virus scan from a shell, or because they are intimidated by creating a cron job to perform them. To solve this issue, let me just give you some examples of how you can automate these tasks.
First, you need to determine whether you will be doing system-wide scans, which require root privileges, or whether you are simply scanning files in your home directory or another directory to which you have at least read access.
Using the last example I provided above, we can also have this done automatically every day at 6AM using cron. Every user of a linux machine can set their own commands to be run at specific times. The way this is done is very easy (see the crontab man page if you are getting errors or for more information on using crontab; some distributions simply require you to be a member of the crontab or cron group while others use the /etc/cron.allow and /etc/cron.deny files):
# crontab -e
The command above opens the current user's crontab in an editor. Add an entry like the one below to scan your home directory recursively every day at 6AM and to log only infected files. The line is wrapped here for easier reading, but the entire command must be on one line. Replace username with your user name. The --exclude option is optional and must be repeated for each file or directory you don't want scanned. Note that a per-user crontab has no user-name column; that column exists only in /etc/crontab and in files under /etc/cron.d, so don't add one here:
[code] 0 6 * * * /usr/bin/clamscan --recursive --infected --exclude /home/username/some_file --exclude /home/username/some_directory --log=/var/log/clamscan.log /home/username [/code]
If you would instead like the results emailed to you, pipe the output to the mail command, which wraps the report in a proper message with a subject line (plain sendmail expects you to supply the headers yourself):
[code] 0 6 * * * /usr/bin/clamscan --recursive --infected --exclude /home/username/some_file --exclude /home/username/some_directory --log=/var/log/clamscan.log /home/username | mail -s "clamscan report" user@domain.com [/code]
You could also use the short option names; I used the long names above because they are easier to read (note that short options take their argument after a space, not an equals sign):
[code] 0 6 * * * /usr/bin/clamscan -r -i -l /var/log/clamscan.log /home/username [/code]
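Putting the pieces above together, here is a wrapper script (an added example, not from the original article) that a cron entry can call instead of the long one-liners: it runs the same clamscan command, logs every run, and mails the report only when clamscan exits non-zero, using the exit codes documented in clamscan(1). The default paths, the REPORT_TO variable and the script name clamscan-cron.sh are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): a cron wrapper around
# clamscan that logs every run but only sends mail when clamscan reports
# an infected file or fails. Exit codes per clamscan(1): 0 clean,
# 1 infected file(s) found, anything else an error.
# All of these defaults are assumptions; override them via the environment.
CLAMSCAN=${CLAMSCAN:-/usr/bin/clamscan}
SCAN_DIR=${SCAN_DIR:-$HOME}
LOGFILE=${LOGFILE:-$HOME/clamscan.log}
REPORT_TO=${REPORT_TO:-}            # empty = never mail, just log
SENDMAIL=${SENDMAIL:-/usr/sbin/sendmail}

# Scan one directory; the report goes to stdout and to $LOGFILE.
# Returns clamscan's exit code unchanged.
run_scan() {
    "$CLAMSCAN" --recursive --infected --log="$LOGFILE" "$1"
}

# Map an exit code to the word used in the mail subject.
verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo INFECTED ;;
        *) echo ERROR ;;
    esac
}

# True (exit 0) when a run with exit code $1 should be reported by mail.
needs_mail() { [ "$1" -ne 0 ]; }

main() {
    rc=0
    report=$(run_scan "$SCAN_DIR" 2>&1) || rc=$?
    if needs_mail "$rc" && [ -n "$REPORT_TO" ]; then
        # Build a complete message (headers, blank line, body) so that
        # sendmail -t can read the recipient and subject from it.
        {
            printf 'To: %s\n' "$REPORT_TO"
            printf 'Subject: clamscan %s: %s\n\n' "$(verdict "$rc")" "$SCAN_DIR"
            printf '%s\n' "$report"
        } | "$SENDMAIL" -t
    fi
    return "$rc"
}

# Run the scan only when this file is executed as clamscan-cron.sh, not
# when it is sourced by another script or a test harness.
case "$0" in *clamscan-cron.sh) main "$@"; exit $? ;; esac
```

Save it as clamscan-cron.sh, make it executable, and schedule it with an entry such as 0 6 * * * REPORT_TO=user@domain.com /home/username/clamscan-cron.sh.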
Another very nice automation method is scanning Windows shares on other computers. This is usually done with a bash script that mounts the share, performs the scan, and then unmounts the share.
GRAPHICAL USER INTERFACES (GUI)
Some people like the ability to do point-and-click virus scans. For this, there are many graphical user interfaces that will work with clamav. I won't go over installing each of them; I will just provide some information about what is available and let you choose which one you want to use.
Klamav - a graphical user interface made to integrate into the KDE desktop environment (but it will also work with others such as gnome, fluxbox, etc.) which allows manual scanning, updating clamav virus signatures, quarantine management, right-click file scanning, scheduling automatic scans, virus information and research, and email scanning via kmail/klamscan.
clamtk - a GUI front-end for ClamAV using gtk2-perl. It is designed to be an easy-to-use frontend for Linux systems. It offers the same features as klamav: right-click scanning, scheduling, virus management/quarantine, updating virus signatures, etc.
TESTING
How do you know if your virus scanner is working? Well, I created a simple test archive which consists of a folder called test-virus containing 4 files:
test-virus/eicar.com
test-virus/eicar_com.zip
test-virus/eicarcom2.zip
test-virus/eicar.com.txt
These are simply the industry standard EICAR virus test files. You can download this archive to your home folder, extract it, and then use this command to test it:
[code] /usr/bin/clamscan --recursive --infected --log=/var/log/clamscan.log /home/username/test-virus [/code]
The results should be:
[code]
/home/username/test-virus/eicar.com: Eicar-Test-Signature FOUND
/home/username/test-virus/eicar_com.zip: Eicar-Test-Signature FOUND
/home/username/test-virus/eicarcom2.zip: Eicar-Test-Signature FOUND
/home/username/test-virus/eicar.com.txt: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 369703
Engine version: 0.92
Scanned directories: 1
Scanned files: 4
Infected files: 4
Data scanned: 0.00 MB
Time: 5.323 sec (0 m 5 s)
[/code]
You can also test against the .tar.gz archive like this:
[code] /usr/bin/clamscan --recursive --infected --log=/var/log/clamscan.log /home/username/test-virus.tar.gz [/code]
and the results should be:
[code]
/home/username/test-virus.tar.gz: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 369703
Engine version: 0.92
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Time: 4.936 sec (0 m 4 s)
[/code]
Notice in the output above that when scanning an archive, once a single virus is found the scan of that archive stops and the remaining files inside it are not scanned. This behaviour can be changed in the configuration files.
Don't forget to delete the test-virus.tar.gz archive and the test-virus folder from your system, or the EICAR files will keep being reported as infected once you start your regular virus scans.
Ed Wiget, http://www.edwiget.name, has been a linux/unix system admin since 1995. He has many certifications. He is currently working on a degree in computer engineering, with an emphasis on computer/network security and forensics.