Installation & Configuration of ClamAV Antivirus on Ubuntu 18.04

But I thought Linux (and Macs) aren’t affected by Viruses?

What is covered in this article?

What is ClamAV Antivirus?

Prerequisites for following this tutorial

Components of ClamAV

Memory Requirements Disclaimer

Installation & Configuration of ClamAV (without On-Access Scanning)

sudo apt-get install clamav-daemon
sudo systemctl enable clamav-daemon
sudo systemctl start clamav-daemon
ubuntu@ip-172-31-81-67:~$ tail /var/log/clamav/clamav.log 
Sun Jun 28 19:08:32 2020 -> Portable Executable support enabled.
Sun Jun 28 19:08:32 2020 -> ELF support enabled.
Sun Jun 28 19:08:32 2020 -> Mail files support enabled.
Sun Jun 28 19:08:32 2020 -> OLE2 support enabled.
Sun Jun 28 19:08:32 2020 -> PDF support enabled.
Sun Jun 28 19:08:32 2020 -> SWF support enabled.
Sun Jun 28 19:08:32 2020 -> HTML support enabled.
Sun Jun 28 19:08:32 2020 -> XMLDOCS support enabled.
Sun Jun 28 19:08:32 2020 -> HWP3 support enabled.
Sun Jun 28 19:08:32 2020 -> Self checking every 3600 seconds.
ubuntu@ip-172-31-81-67:~$ ls -l /var/run/clamav/clamd.ctl
srw-rw-rw- 1 clamav clamav 0 Jun 28 19:08 /var/run/clamav/clamd.ctl
cd ~
sudo clamdscan
ubuntu@ip-172-31-81-67:~$ sudo clamdscan
/home/ubuntu/.lesshst: Access denied. ERROR
/home/ubuntu/.viminfo: Access denied. ERROR
/home/ubuntu/.ssh: lstat() failed: Permission denied. ERROR
/home/ubuntu/.gnupg: lstat() failed: Permission denied. ERROR
/home/ubuntu/.cache: lstat() failed: Permission denied. ERROR
----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 5
Time: 0.017 sec (0 m 0 s)
sudo clamdscan --fdpass
ubuntu@ip-172-31-81-67:~$ sudo clamdscan --fdpass
/home/ubuntu: OK
----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.015 sec (0 m 0 s)
wget www.eicar.org/download/eicar.com
sudo clamdscan --fdpass
ubuntu@ip-172-31-81-67:~$ sudo clamdscan --fdpass
/home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1 FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.005 sec (0 m 0 s)
sudo mkdir /root/quarantine
echo "0 1 * * 0 root /usr/bin/clamdscan --fdpass --log=/var/log/clamav/clamdscan.log --move=/root/quarantine /" | sudo tee /etc/cron.d/clamdscan
sudo /usr/bin/clamdscan --fdpass --log=/var/log/clamav/clamdscan.log --move=/root/quarantine /
----------- SCAN SUMMARY -----------
Infected files: 2
Total errors: 44083
Time: 40.186 sec (0 m 40 s)
ubuntu@ip-172-31-81-67:~$ sudo grep FOUND /var/log/clamav/clamdscan.log 
/home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/root/quarantine/eicar.com: Win.Test.EICAR_HDB-1 FOUND
ubuntu@ip-172-31-81-67:~$ sudo grep ERROR /var/log/clamav/clamdscan.log | cut -d":" -f2 | grep "^ " | sort | uniq -c | sort -k1 -n
918 Access denied. ERROR
7669 Can't read file ERROR
ubuntu@ip-172-31-81-67:~$ sudo grep WARNING /var/log/clamav/clamdscan.log | cut -d":" -f3 | grep "^ " | sort | uniq -c | sort -k1 -n
260 Not supported file type
ubuntu@ip-172-31-81-67:~$ sudo grep ERROR /var/log/clamav/clamdscan.log | cut -d"/" -f2 | cut -d"/" -f1 | sort | uniq -c | sort -k1 -n
10 proc
402 var
43410 sys
ubuntu@ip-172-31-81-67:~$ sudo grep "WARNING:" /var/log/clamav/clamdscan.log | cut -d"/" -f2 | cut -d"/" -f1 | sort | uniq -c | sort -k1 -n
1 sys
1 var
33 run
79 snap
147 dev
ubuntu@ip-172-31-81-67:~$ sudo grep "^/var/" /var/log/clamav/clamdscan.log | cut -d"/" -f3 | cut -d"/" -f2 | sort | uniq -c | sort -k1 -n
402 lib
ubuntu@ip-172-31-81-67:~$ sudo grep "^/var/" /var/log/clamav/clamdscan.log | cut -d"/" -f4 | cut -d"/" -f3 | sort | uniq -c | sort -k1 -n
402 lxcfs
ubuntu@ip-172-31-81-67:~$ sudo grep "^/var/" /var/log/clamav/clamdscan.log | cut -d"/" -f5 | cut -d"/" -f4 | sort | uniq -c | sort -k1 -n
402 cgroup
ubuntu@ip-172-31-81-67:~$ sudo grep "^/var/" /var/log/clamav/clamdscan.log | cut -d"/" -f6 | cut -d"/" -f5 | sort | uniq -c | sort -k1 -n
67 blkio
134 devices
201 memory
printf "ExcludePath ^/proc\nExcludePath ^/sys\nExcludePath ^/run\nExcludePath ^/dev\nExcludePath ^/snap\nExcludePath ^/var/lib/lxcfs/cgroup\nExcludePath ^/root/quarantine\n" | sudo tee -a /etc/clamav/clamd.conf
sudo systemctl restart clamav-daemon
sudo /usr/bin/clamdscan --fdpass --log=/var/log/clamav/clamdscan.log --move=/root/quarantine /
ubuntu@ip-172-31-81-67:~$ sudo /usr/bin/clamdscan --fdpass --log=/var/log/clamav/clamdscan.log --move=/root/quarantine /
--------------------------------------
/snap: Excluded
/run: Excluded
/dev: Excluded
/proc: Excluded
/sys: Excluded
/root/quarantine: Excluded
/var/lib/lxcfs/cgroup: Excluded
WARNING: /var/lib/lxd/unix.socket: Not supported file type
----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 235.497 sec (3 m 55 s)
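The grep | cut | sort | uniq -c pipelines above are how you work out which trees are generating the noise, but they have to be re-typed at every depth. The script below is an added example (not part of the original article) that turns them into reusable functions: summarise a clamdscan --log file, group the ERROR/WARNING paths by any prefix depth, and print ready-to-append ExcludePath lines. It refuses to propose an exclusion for trees that hold real data (/home, /var, /etc and so on, except the lxcfs cgroup view), since an error there is a permission problem to fix with --fdpass, not something to hide. The sample log at the bottom is constructed in the formats clamdscan writes.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: the grep | cut | sort | uniq -c
# pipelines above, turned into reusable functions that summarise a clamdscan
# --log file and print the ExcludePath lines the noisy pseudo-filesystems call
# for. Line formats handled are the ones clamdscan writes:
#   /path: Win.Test.EICAR_HDB-1 FOUND
#   /path: Access denied. ERROR
#   /path: lstat() failed: Permission denied. ERROR
#   WARNING: /path: Not supported file type
# Paths containing ':' are not handled; clamdscan does not quote them.
set -u

# Print "signature path" for every FOUND line.
found_hits() {
    sed -nE 's|^(/.*): ([^ ]+) FOUND$|\2 \1|p' "$1"
}

# Print "count signature", most frequent first.
found_by_signature() {
    found_hits "$1" | cut -d' ' -f1 | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print the path from every ERROR and WARNING line, one per line. WARNING lines
# carry a "WARNING: " prefix before the path; ERROR lines start with the path.
noisy_paths() {
    sed -nE -e 's|^WARNING: (/[^:]*):.*$|\1|p' -e 's|^(/[^:]*):.*ERROR$|\1|p' "$1"
}

# Print "count /prefix", grouping noisy paths by their first DEPTH components.
# Depth 1 reproduces the `cut -d"/" -f2` pipeline above (proc/var/sys totals);
# depth 4 isolates /var/lib/lxcfs/cgroup in one step instead of the chain of
# cut -f3 .. -f6 commands.
noise_by_prefix() {
    local log="$1" depth="${2:-1}"
    noisy_paths "$log" \
      | awk -F/ -v d="$depth" '{ p = ""; for (i = 2; i <= d + 1 && i <= NF; i++) p = p "/" $i; print p }' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print an ExcludePath line for every prefix at DEPTH with at least MIN_HITS
# errors or warnings. Pseudo-filesystems (/proc, /sys, /dev, /run, the lxcfs
# cgroup view) are safe to exclude; for trees that hold real data a comment is
# printed instead, because there an error means a permission problem (see
# --fdpass above) and an exclusion would only hide the blind spot.
# Append the output to /etc/clamav/clamd.conf with `sudo tee -a` and restart
# clamav-daemon, as in the steps above.
suggest_excludes() {
    local log="$1" min_hits="${2:-100}" depth="${3:-1}"
    noise_by_prefix "$log" "$depth" | awk -v min="$min_hits" '
        $1 < min { next }
        $2 ~ /^\/(home|root|etc|usr|opt|srv|tmp|boot|var)(\/|$)/ && $2 !~ /^\/var\/lib\/lxcfs(\/|$)/ {
            print "# " $2 ": " $1 " errors; real data, fix access or rerun at a larger depth"; next }
        { print "ExcludePath ^" $2 }'
}

# Constructed sample log in the clamdscan format, for trying the functions
# without a real scan; prints the temp file path.
make_sample_log() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
/home/ubuntu/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/home/ubuntu/eicar.com: moved to '/root/quarantine/eicar.com'
/root/quarantine/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/home/ubuntu/.lesshst: Access denied. ERROR
/home/ubuntu/.ssh: lstat() failed: Permission denied. ERROR
/sys/kernel/debug: Can't read file ERROR
/sys/fs/cgroup/memory/tasks: Can't read file ERROR
/sys/class/net/eth0/speed: Can't read file ERROR
/var/lib/lxcfs/cgroup/memory/memory.usage_in_bytes: Can't read file ERROR
/var/lib/lxcfs/cgroup/blkio/blkio.time: Can't read file ERROR
WARNING: /var/lib/lxd/unix.socket: Not supported file type
WARNING: /dev/null: Not supported file type
EOF
    printf '%s\n' "$f"
}
```

On the real log from the scan above, `suggest_excludes /var/log/clamav/clamdscan.log 100 1` proposes /proc and /sys and flags /var for a closer look; `suggest_excludes /var/log/clamav/clamdscan.log 100 4` then yields the /var/lib/lxcfs/cgroup line. The /run, /dev and /snap entries in the config above come from WARNING counts below 100, so lower the threshold or add them by hand.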

Caveat of ClamAV’s On-Access Scanning

echo 524288 | sudo tee -a /proc/sys/fs/inotify/max_user_watches
echo "fs.inotify.max_user_watches = 524288" | sudo tee -a /etc/sysctl.conf
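Raising fs.inotify.max_user_watches to a round number works, but you can size it instead. The script below is an added example (not from the original article): clamonacc's ClamInotif component registers one inotify watch per directory under each OnAccessIncludePath, so the budget it needs is the directory count of those trees, plus headroom for the other inotify users sharing the same per-user limit.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: check whether
# fs.inotify.max_user_watches covers the trees you intend to put under
# OnAccessIncludePath before raising it blindly. ClamInotif registers one
# inotify watch per directory below each included path, so the budget needed
# is the directory count of those trees; other inotify users on the host
# (editors, file syncers) draw from the same per-user limit, which is what the
# headroom percentage is for.
set -u

# Directories (roots included) under the given paths: the number of watches
# clamonacc will try to register for them. Unreadable directories are skipped,
# so run as root for real numbers.
watches_needed() {
    local total=0 n dir
    for dir in "$@"; do
        n=$(find "$dir" -type d 2>/dev/null | wc -l)
        total=$((total + n))
    done
    printf '%d\n' "$total"
}

# The kernel's current per-user limit.
current_limit() {
    cat /proc/sys/fs/inotify/max_user_watches
}

# Compare LIMIT against the directories under DIR... plus HEADROOM_PCT percent.
# Prints a verdict; returns 0 when the limit is sufficient, 1 when it is not.
check_inotify_budget() {
    local limit="$1" headroom_pct="$2"; shift 2
    local needed wanted
    needed=$(watches_needed "$@")
    wanted=$((needed + needed * headroom_pct / 100))
    if [ "$wanted" -le "$limit" ]; then
        printf 'OK: %d directories (+%d%% headroom = %d) within limit %d\n' \
            "$needed" "$headroom_pct" "$wanted" "$limit"
        return 0
    fi
    printf 'INSUFFICIENT: about %d watches for %d directories, limit is %d\n' \
        "$wanted" "$needed" "$limit" >&2
    printf 'Fix: echo "fs.inotify.max_user_watches = %d" | sudo tee -a /etc/sysctl.conf && sudo sysctl -p\n' \
        "$wanted" >&2
    return 1
}

# Usage on the live system, for the paths this article includes:
#   check_inotify_budget "$(current_limit)" 50 /home /var/www
```

A watch limit that is too low for the included trees is one reason ClamInotif can fail to watch a path at startup; the check above tells you before clamonacc does.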
ERROR: ClamCom: TIMEOUT while waiting on socket (recv)
--------------------------------------
ClamInotif: watching '/var' (and all sub-directories)
ClamInotif: excluding '/var/log' (and all sub-directories)
ERROR: ClamInotif: could not watch path '/var', 3
ubuntu@ip-172-31-81-67:~$ sudo find /var -exec stat -c%F {} \; | sort | uniq
directory
regular empty file
regular file
socket
symbolic link
ubuntu@ip-172-31-81-67:~$ sudo find /var -print -exec stat -c%F {} \; | grep "^socket" -B1
/var/lib/lxd/unix.socket
socket
ubuntu@ip-172-31-81-67:~$ ls /var/lib
AccountsService landscape python
amazon logrotate snapd
apt lxcfs sudo
clamav lxd systemd
cloud man-db ubuntu-release-upgrader
command-not-found misc ucf
dbus mlocate unattended-upgrades
dhcp os-prober update-manager
dpkg pam update-notifier
git plymouth ureadahead
grub polkit-1 usbutils
initramfs-tools private vim
ubuntu@ip-172-31-81-67:~$ ls /var/
backups crash local log opt snap tmp
cache lib lock mail run spool
ClamInotif: DELETE - removing /tmp/clamav-2af11edb31faecf2304c166ac46a0e27.tmp/rfc2397 from /tmp/clamav-2af11edb31faecf2304c166ac46a0e27.tmp with wd:921
Clamonacc: onas_clamonacc_exit(), signal 11
ERROR: Clamonacc: clamonacc has experienced a fatal error, if you continue to see this error, please run clamonacc with --debug and report the issue and crash report to the developpers
Clamonacc: attempting to stop event consumer thread ...
sudo mkdir -p /var/clamav/tmp
sudo chown clamav:root /var/clamav/tmp
sudo chmod 770 /var/clamav/tmp
printf "TemporaryDirectory /var/clamav/tmp\n" | sudo tee -a /etc/clamav/clamd.conf
/bin/grep: Can't open file or directory ERROR
ClamMisc: internal issue (client failed to scan)
/bin/ps: Can't open file or directory ERROR
ClamMisc: internal issue (client failed to scan)
/bin/grep: Can't open file or directory ERROR
ClamMisc: internal issue (client failed to scan)
/bin/ps: Can't open file or directory ERROR
ClamMisc: internal issue (client failed to scan)
sudo apt-get install apparmor-utils
sudo aa-complain /usr/sbin/clamd
for i in {1..8788}; do echo " test file contents " >> test_file.txt; done
ubuntu@ip-172-31-81-67:~$ for i in {1,2,3}; do sudo sync; echo $i | sudo tee -a /proc/sys/vm/drop_caches; done
1
2
3
ubuntu@ip-172-31-81-67:~$ time cat test_file.txt &>/dev/null # No Cache
real 0m0.010s
user 0m0.002s
sys 0m0.000s
ubuntu@ip-172-31-81-67:~$ time cat test_file.txt &>/dev/null # Cache
real 0m0.002s
user 0m0.001s
sys 0m0.001s
ubuntu@ip-172-31-81-67:~$ for i in {1,2,3}; do sudo sync; echo $i | sudo tee -a /proc/sys/vm/drop_caches; done
1
2
3
ubuntu@ip-172-31-81-67:~$ time cat test_file.txt &>/dev/null # No Cache
real 0m0.023s
user 0m0.003s
sys 0m0.000s
ubuntu@ip-172-31-81-67:~$ time cat test_file.txt &>/dev/null # Cache
real 0m0.031s
user 0m0.002s
sys 0m0.000s

Setup & Configuring ClamAV On-Access Scanning

printf "OnAccessIncludePath /home\nOnAccessIncludePath /var/www\nOnAccessExcludeUname clamav\nOnAccessExcludeRootUID true\n" | sudo tee -a /etc/clamav/clamd.conf
# /etc/systemd/system/clamonacc.service
[Unit]
Description=ClamAV On Access Scanner
Requires=clamav-daemon.service
After=clamav-daemon.service syslog.target network.target

[Service]
Type=simple
User=root
ExecStart=/usr/bin/clamonacc -F --log=/var/log/clamav/clamonacc --move=/root/quarantine
Restart=on-failure
RestartSec=120s

[Install]
WantedBy=multi-user.target
ERROR: ClamClient: could not connect to remote clam daemon, Couldn't connect to server
ERROR: Clamonacc: daemon is local, but a connection could not be established
# /etc/systemd/system/clamonacc.service
[Unit]
Description=ClamAV On Access Scanner
Requires=clamav-daemon.service
After=clamav-daemon.service syslog.target network.target

[Service]
Type=simple
User=root
ExecStartPre=/bin/bash -c "while [ ! -S /var/run/clamav/clamd.ctl ]; do sleep 1; done"
ExecStart=/usr/bin/clamonacc -F --config-file=/etc/clamav/clamd.conf --log=/var/log/clamav/clamonacc.log --move=/root/quarantine

[Install]
WantedBy=multi-user.target
sudo clamonacc --config-file=/etc/clamav/clamd.conf --log=/var/log/clamav/clamonacc.log --move=/root/quarantine
ubuntu@ip-172-31-81-67:~$ sudo tail /var/log/clamav/clamonacc.log 
--------------------------------------
ClamInotif: watching '/home' (and all sub-directories)
ClamInotif: watching '/var/www' (and all sub-directories)
sudo mkdir /var/www/html/testfolder
sudo chown ubuntu /var/www/html/testfolder
cd /var/www/html/testfolder
wget www.eicar.org/download/eicar.com
ls -l
ubuntu@ip-172-31-81-67:/var/www/html/testfolder$ ls -l
total 0
ubuntu@ip-172-31-81-67:/var/www/html/testfolder$ sudo ls /root/quarantine
eicar.com
ubuntu@ip-172-31-81-67:/var/www/html/testfolder$ sudo tail /var/log/clamav/clamonacc.log
--------------------------------------
ClamInotif: watching '/home' (and all sub-directories)
ClamInotif: watching '/var/www' (and all sub-directories)
/var/www/html/testfolder/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/var/www/html/testfolder/eicar.com: moved to '/root/quarantine/eicar.com'
sudo kill `ps auxf | grep clamonacc | grep -v "grep" | awk '{print $2}'`
sudo systemctl enable clamonacc
sudo systemctl start clamonacc
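The wget / ls / tail sequence above is the manual version of a self-test you will want to repeat after every config or package change. The script below is an added example (not part of the original article) that automates it: it writes the EICAR string locally rather than downloading it, polls until clamonacc has moved the file into quarantine, and confirms the log carries both the FOUND line and the moved-to line for that path. It assumes the layout used in this article (clamonacc running with --move=/root/quarantine and --log=/var/log/clamav/clamonacc.log, the test directory under an OnAccessIncludePath); all of those are arguments. Because OnAccessExcludeRootUID true is set above, root's own writes do not trigger scans, so the file is created as an unprivileged user, as the article does with the ubuntu account.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: an end-to-end check of the
# on-access setup above. It writes the EICAR test string locally instead of
# fetching it with wget, waits for clamonacc to move the file into the
# quarantine directory, and confirms the clamonacc log records both the
# detection and the move. The EICAR string is the published 68-byte test
# pattern; it is inert. Default paths are the ones used in this article.
# Assumed: clamonacc is running with --move=/root/quarantine and
# --log=/var/log/clamav/clamonacc.log, and the watched directory is under an
# OnAccessIncludePath.
set -u

EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Write eicar.com into DIR and print its path. With a USER argument the file is
# created as that user via sudo: OnAccessExcludeRootUID true (set above) stops
# root's own file activity from triggering scans, which is why the article
# fetches the sample as the ubuntu user.
write_eicar() {
    local dir="$1" user="${2:-}" file="$1/eicar.com"
    if [ -n "$user" ]; then
        printf '%s' "$EICAR" | sudo -u "$user" tee "$file" >/dev/null
    else
        printf '%s' "$EICAR" > "$file"
    fi
    printf '%s\n' "$file"
}

# Poll for up to TIMEOUT seconds until FILE is gone from the watched directory
# and a file of the same name exists in QUARANTINE. Returns 0 on success, 1 if
# the scanner did not act in time.
wait_for_quarantine() {
    local file="$1" quarantine="$2" timeout="${3:-10}" name i
    name=$(basename "$file")
    for ((i = 0; i < timeout * 10; i++)); do
        if [ ! -e "$file" ] && [ -e "$quarantine/$name" ]; then
            return 0
        fi
        sleep 0.1
    done
    return 1
}

# Join the two lines clamonacc writes per quarantined file,
#   /path: Win.Test.EICAR_HDB-1 FOUND
#   /path: moved to '/root/quarantine/eicar.com'
# into "path signature destination". Paths with spaces are not handled.
quarantine_records() {
    awk '
        / FOUND$/ { p = $1; sub(/:$/, "", p); sig[p] = $(NF - 1) }
        /: moved to / {
            p = $1; sub(/:$/, "", p)
            dest = $0; sub(/^.*moved to ./, "", dest); sub(/.$/, "", dest)
            if (p in sig) print p, sig[p], dest
        }' "$1"
}

# Drop EICAR into WATCHED (as USER if given), wait for quarantine, and verify
# the log. Run as root so the quarantine directory and log are readable:
#   onaccess_selftest /var/www/html/testfolder /root/quarantine /var/log/clamav/clamonacc.log ubuntu
onaccess_selftest() {
    local watched="$1" quarantine="${2:-/root/quarantine}" \
          log="${3:-/var/log/clamav/clamonacc.log}" user="${4:-}" file
    file=$(write_eicar "$watched" "$user")
    if ! wait_for_quarantine "$file" "$quarantine" 10; then
        echo "FAIL: $file was not quarantined; check systemctl status clamonacc" >&2
        rm -f "$file"
        return 1
    fi
    if quarantine_records "$log" | awk -v f="$file" '$1 == f { found = 1 } END { exit !found }'; then
        echo "OK: $file detected and moved to $quarantine"
        return 0
    fi
    echo "FAIL: $file was moved but $log has no FOUND/moved record for it" >&2
    return 1
}
```

A FAIL on the quarantine step with the file still in place is the symptom to expect if clamonacc started before the clamd socket existed (the ExecStartPre wait in the unit above is there for that) or if the directory is not under an OnAccessIncludePath.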

In Conclusion

Founder at Lockdrop | CISSP | AWS-SAP
