Difference between revisions of "Virus Scan Shares"

From Amahi Wiki
 
(34 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats on Linux. In this article, we will only be configuring ClamAV to run scheduled/on-demand scans; not resident scans.
 
ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats on Linux. In this article, we will only be configuring ClamAV to run scheduled/on-demand scans; not resident scans.
  
==== Install ====
+
'''NOTE:'''  This guidance is for Amahi 7/8, but can be easily adapted for Ubuntu.
 +
 
 +
== Install ==
 
* Install required ClamAV packages
 
* Install required ClamAV packages
 
  yum install clamav clamav-update
 
  yum install clamav clamav-update
* Edit /etc/freshclam.conf and make the following changes:
+
* Edit '''/etc/freshclam.conf''' and make the following changes:
** Comment out “Exemple”
+
** Comment out “Example”
 
** Uncomment lines
 
** Uncomment lines
 
*** “DNSDatabaseInfo current.cvd.clamav.net”
 
*** “DNSDatabaseInfo current.cvd.clamav.net”
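Review bot: the added NOTE claims the guide "can be easily adapted for Ubuntu", but the only install command in this hunk is `yum install clamav clamav-update` and the `/etc/freshclam.conf` edits (`DNSDatabaseInfo`, `DatabaseMirror`) are described for that package; either give the Debian/Ubuntu package names alongside, or soften the note so readers do not expect the yum line to work there.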
Line 15: Line 17:
 
'''NOTE:''' ClamAV will update automatically, as part of /etc/cron.daily/freshclam.
 
'''NOTE:''' ClamAV will update automatically, as part of /etc/cron.daily/freshclam.
  
==== Configure Daily Scan ====
+
== Configure Daily Scan ==
In this example, we will configure a cronjob to scan the /home/ directory every day:
+
In this example, we will configure a cronjob to scan the Docs share every day:
* Create cron file:
+
* Create '''/etc/cron.daily/manual_clamscan''' and add the text from "a" or "b":
vim /etc/cron.daily/manual_clamscan
+
:a. <u>Scan</u> - Change SCAN_DIR to the directory that you want to scan.
* Add the following to the file above. Be sure to change SCAN_DIR to the directory that you want to scan:
 
 
  #!/bin/bash
 
  #!/bin/bash
  SCAN_DIR="/var/hda/files/Pictures"
+
  SCAN_DIR="/var/hda/files/docs"
 
  LOG_FILE="/var/log/clamav/manual_clamscan.log"
 
  LOG_FILE="/var/log/clamav/manual_clamscan.log"
 
  /usr/bin/clamscan -i -r $SCAN_DIR >> $LOG_FILE
 
  /usr/bin/clamscan -i -r $SCAN_DIR >> $LOG_FILE
 +
:b.  <u>Scan with email notifications</u> - Change SCAN_DIR to the directory that you want to scan, EMAIL and EMAIL_FROM to your email addresses.
 +
<pre>#!/bin/bash
 +
# Email alert cron job script for ClamAV
 +
# Original, unmodified script by: Deven Hillard
 +
#(http://www.digitalsanctuary.com/tech-blog/debian/automated-clamav-virus-scanning.html)
 +
# Modified to show infected and/or removed files
 +
# Directories to scan
 +
SCAN_DIR="/var/hda/files/docs"
 +
# Location of log file
 +
LOG_FILE="/var/log/clamav/manual_clamscan.log"
 +
# Uncomment to have scan remove files
 +
#AGGRESSIVE=1
 +
# Uncomment to have scan not remove files
 +
AGGRESSIVE=0
 +
# Email Subject
 +
SUBJECT="Infections detected on `hostname`"
 +
# Email To
 +
EMAIL="your.email@your.domain.com"
 +
# Email From
 +
EMAIL_FROM="clamav@server.hostname.com"
 +
check_scan () {
 +
    # If there were infected files detected, send email alert
 +
    if [ `tail -n 12 ${LOG_FILE}  | grep Infected | grep -v 0 | wc -l` != 0 ]
 +
    then
 +
    # Count number of infections
 +
        SCAN_RESULTS=$(tail -n 10 $LOG_FILE | grep 'Infected files')
 +
        INFECTIONS=${SCAN_RESULTS##* }
 +
 +
        EMAILMESSAGE=`mktemp /tmp/virus-alert.XXXXX`
 +
        echo "To: ${EMAIL}" >>  ${EMAILMESSAGE}
 +
        echo "From: ${EMAIL_FROM}" >>  ${EMAILMESSAGE}
 +
        echo "Subject: ${SUBJECT}" >>  ${EMAILMESSAGE}
 +
        echo "Importance: High" >> ${EMAILMESSAGE}
 +
        echo "X-Priority: 1" >> ${EMAILMESSAGE}
 +
        if [ $AGGRESSIVE = 1 ]
 +
        then
 +
                echo -e "\n`tail -n $((10 + ($INFECTIONS*2))) $LOG_FILE`" >> ${EMAILMESSAGE}
 +
        else
 +
                echo -e "\n`tail -n $((10 + $INFECTIONS)) $LOG_FILE`" >> ${EMAILMESSAGE}
 +
        fi
 +
        sendmail -t < ${EMAILMESSAGE}
 +
    fi
 +
}
 +
if [ $AGGRESSIVE = 1 ]
 +
then
 +
        /usr/bin/clamscan -ri --remove $SCAN_DIR >> $LOG_FILE
 +
else
 +
        /usr/bin/clamscan -ri $SCAN_DIR >> $LOG_FILE
 +
fi
 +
check_scan</pre>
 
* Give our cron script executable permissions:
 
* Give our cron script executable permissions:
 
  chmod +x /etc/cron.daily/manual_clamscan
 
  chmod +x /etc/cron.daily/manual_clamscan
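Review bot: the alert test in `check_scan`, `if [ \`tail -n 12 ${LOG_FILE} | grep Infected | grep -v 0 | wc -l\` != 0 ]`, discards any summary line that contains the digit 0, so a run that logs `Infected files: 10` (or 20, 100, ...) sends no mail while `Infected files: 1` does; since the script already extracts the number with `INFECTIONS=${SCAN_RESULTS##* }`, compare that numerically (`[ "${INFECTIONS:-0}" -gt 0 ]`) instead. Two smaller points: the `mktemp /tmp/virus-alert.XXXXX` file is never removed after `sendmail -t`, and the `AGGRESSIVE=1` branch passes `--remove`, which deletes files from the share irreversibly; clamscan's `--move=DIR` quarantine would let an admin review a false positive first.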
Line 29: Line 80:
 
  mkdir -p /var/log/clamav
 
  mkdir -p /var/log/clamav
 
  touch /var/log/clamav/manual_clamscan.log
 
  touch /var/log/clamav/manual_clamscan.log
 +
* (OPTIONAL) Run the script
 +
/etc/cron.daily/manual_clamscan
  
You can even run the above script to ensure that it works correctly.
+
And you’re done! That should be the minimum required to install ClamAV and Perform a daily scan of a specific directory.
  
And you’re done! That should be the minimum required to install ClamAV and Perform a daily scan of a specific directory.
+
'''NOTE:'''  You will need to enable email on your HDA to use option "b".  See [[Main_Page#Community_Tutorials|Community Tutorials]] for guidance.
  
 +
== Configure Virus Definitions Update ==
 +
The following will ensure your virus definitions are updated hourly. 
 +
* Execute the following as root user:
 +
touch /var/log/clamav/freshclam.log
 +
chmod 600 /var/log/clamav/freshclam.log
 +
chown clamupdate /var/log/clamav/freshclam.log
 +
* Set up cron job
 +
N * * * * /bin/freshclam --quiet
  
<u>Reference:</u> [https://www.centosblog.com/how-to-install-clamav-and-configure-daily-scanning-on-centos/ How to Install ClamAV and Configure Daily Scanning on CentOS]
+
'''NOTE:''' Change N to any value between 3 and 57 for minutes. This will help prevent conflicts with other cron jobs that typically run at 0.
  
==== Using Greyhole ====
+
== Using Greyhole ==
 
You will need to do some additional setup to scan files when using Greyhole.
 
You will need to do some additional setup to scan files when using Greyhole.
  
* Set up [https://wiki.amahi.org/index.php/Mount_Shares_Locally mount shares locally]
+
* Set up [[Mount_Shares_Locally|mount shares locally]]
 
* Ensure the SCAN_DIR= <code>/mnt/samba/share</code> and not <code>/var/hda/files/share</code>
 
* Ensure the SCAN_DIR= <code>/mnt/samba/share</code> and not <code>/var/hda/files/share</code>
 +
  
 
Now when the daily scan runs, it will scan the Greyhole enabled share correctly.
 
Now when the daily scan runs, it will scan the Greyhole enabled share correctly.
 +
 +
== Incremental Daily and Full Weekly Scans ==
 +
You can expand on the above by making a daily cronjob script that only scans files changed in the last 24 hours, and a weekly cronjob script ("a" or "b" above) that does a full filesystem scan.  You may choose to do this for reasons of efficiency, as scanning only the files changed in the last 24 hours is an order of magnitude faster.  Your daily cron file would look something more like this:
 +
<pre>#!/usr/bin/env bash
 +
 +
# Variables
 +
DATE=$(date +%Y%m%d)
 +
DIR="/var/log/clamav"
 +
LIST="${DIR}/scan.$DATE"
 +
RESULTS="${DIR}/scanresults.${DATE}"
 +
# A list of partitions and/or directories to scan, in this example /, /boot and /home are on separate partitions
 +
SCANDIRS="/ /boot /home"
 +
# Number of days to keep files generated by this script.  Default is 7.
 +
LOGROTATION=7
 +
 +
# Remove files older than the number of days set with the $LOGROTATION variable.
 +
#  One might choose to comment this out and keep the files for trend-tracing, breakfix etc),
 +
find ${DIR} -name "scan*" -mtime +${LOGROTATION} -exec rm -f {} \;
 +
 +
# Generate a list of files created in the last 24 hours, this list is fed into clamscan
 +
# Because we're using -mount to prevent unwanted filesystem traversal,
 +
# you'll need to specify per partition or directory with the SCANDIRS variable.
 +
for S in ${SCANDIRS}; do
 +
find "${S}" -mount -mtime 0 >> "${LIST}"
 +
done
 +
 +
# Run clamscan against the list of files and pipe the results out to the results file
 +
# -i prints only infected files, -f is the list of files to scan, and -l is the output log
 +
clamscan -i -f "${LIST}" -l "${RESULTS}"
 +
# Send email with results (uncomment line below to enable)
 +
# mail -s "HDA Daily Virus Scan - ${DATE}" user@mail.com < ${RESULTS}
 +
</pre>
 +
 +
==References==
 +
* [https://www.centosblog.com/how-to-install-clamav-and-configure-daily-scanning-on-centos/ How to Install ClamAV and Configure Daily Scanning on CentOS]
 +
 +
* [https://hacking.im/automated-clam-antivirus-scanning-for-centos-servers Automated Clam AntiVirus scanning for CentOS/Ubuntu/Debian servers]
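Review bot: the hourly updater `N * * * * /bin/freshclam --quiet` uses `/bin/freshclam` while the install step earlier on the page runs `/usr/bin/freshclam`; pick one path. The page's earlier NOTE also says updates already run from `/etc/cron.daily/freshclam`, so this hunk adds a second updater without saying whether the daily one should be disabled. In the incremental script, `find "${S}" -mount -mtime 0 >> "${LIST}"` appends to a per-day file, so a second run on the same day scans every previously listed file again; truncate `${LIST}` before the `for` loop.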

Latest revision as of 01:05, 15 September 2015

ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats on Linux. In this article, we will only be configuring ClamAV to run scheduled/on-demand scans; not resident scans.

NOTE: This guidance is for Amahi 7/8, but can be easily adapted for Ubuntu.

Install

  • Install required ClamAV packages
yum install clamav clamav-update
  • Edit /etc/freshclam.conf and make the following changes:
    • Comment out “Example”
    • Uncomment lines
      • “DNSDatabaseInfo current.cvd.clamav.net”
      • “DatabaseMirror db.XY.clamav.net” (replace XY with your country code)
    • Ensure line “DatabaseMirror database.clamav.net” is uncommented
  • Update ClamAV’s signatures
/usr/bin/freshclam

NOTE: ClamAV will update automatically, as part of /etc/cron.daily/freshclam.

Configure Daily Scan

In this example, we will configure a cronjob to scan the Docs share every day:

  • Create /etc/cron.daily/manual_clamscan and add the text from "a" or "b":
a. Scan - Change SCAN_DIR to the directory that you want to scan.
#!/bin/bash
SCAN_DIR="/var/hda/files/docs"
LOG_FILE="/var/log/clamav/manual_clamscan.log"
/usr/bin/clamscan -i -r $SCAN_DIR >> $LOG_FILE
b. Scan with email notifications - Change SCAN_DIR to the directory that you want to scan, EMAIL and EMAIL_FROM to your email addresses.
#!/bin/bash
# Email alert cron job script for ClamAV
# Original, unmodified script by: Deven Hillard
# (http://www.digitalsanctuary.com/tech-blog/debian/automated-clamav-virus-scanning.html)
# Modified to show infected and/or removed files
# Directory to scan
SCAN_DIR="/var/hda/files/docs"
# Location of log file
LOG_FILE="/var/log/clamav/manual_clamscan.log"
# Uncomment to have scan remove files
#AGGRESSIVE=1
# Uncomment to have scan not remove files
AGGRESSIVE=0
# Email Subject
SUBJECT="Infections detected on $(hostname)"
# Email To
EMAIL="your.email@your.domain.com"
# Email From
EMAIL_FROM="clamav@server.hostname.com"
check_scan () {
    # Read the infection count from the summary of the run that just finished.
    # (Comparing the number avoids the earlier "grep -v 0" test, which ignored
    # counts containing a zero such as 10 or 20 and so never sent the alert.)
    SCAN_RESULTS=$(tail -n 10 "$LOG_FILE" | grep 'Infected files')
    INFECTIONS=${SCAN_RESULTS##* }
    # If there were infected files detected, send email alert
    if [ "${INFECTIONS:-0}" -gt 0 ]
    then
        EMAILMESSAGE=$(mktemp /tmp/virus-alert.XXXXX)
        echo "To: ${EMAIL}" >> "${EMAILMESSAGE}"
        echo "From: ${EMAIL_FROM}" >> "${EMAILMESSAGE}"
        echo "Subject: ${SUBJECT}" >> "${EMAILMESSAGE}"
        echo "Importance: High" >> "${EMAILMESSAGE}"
        echo "X-Priority: 1" >> "${EMAILMESSAGE}"
        # A blank line ends the headers; then append the FOUND lines (plus the
        # "Removed" lines when AGGRESSIVE=1) and the 10-line summary from the log
        if [ "$AGGRESSIVE" = 1 ]
        then
                echo -e "\n$(tail -n $((10 + INFECTIONS * 2)) "$LOG_FILE")" >> "${EMAILMESSAGE}"
        else
                echo -e "\n$(tail -n $((10 + INFECTIONS)) "$LOG_FILE")" >> "${EMAILMESSAGE}"
        fi
        sendmail -t < "${EMAILMESSAGE}"
        rm -f "${EMAILMESSAGE}"
    fi
}
if [ "$AGGRESSIVE" = 1 ]
then
        /usr/bin/clamscan -ri --remove "$SCAN_DIR" >> "$LOG_FILE"
else
        /usr/bin/clamscan -ri "$SCAN_DIR" >> "$LOG_FILE"
fi
check_scan
  • Give our cron script executable permissions:
chmod +x /etc/cron.daily/manual_clamscan
  • Create empty log file
mkdir -p /var/log/clamav
touch /var/log/clamav/manual_clamscan.log
  • (OPTIONAL) Run the script
/etc/cron.daily/manual_clamscan
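As an added example (not part of the wiki page or of the scripts above), the following bash functions parse the summary that clamscan appends to a log such as /var/log/clamav/manual_clamscan.log and build the same kind of alert message as option "b", but compare the infection count as a number so that a run reporting "Infected files: 10" is not silently skipped. The log text, paths and addresses are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the Amahi wiki): parse the summary that clamscan
# appends to its log and build the alert mail used by option "b" above.

# Constructed sample log: two appended runs, only the second found anything.
SAMPLE_LOG='----------- SCAN SUMMARY -----------
Known viruses: 3900000
Scanned files: 340
Infected files: 0
Time: 4.500 sec (0 m 4 s)
/var/hda/files/docs/eicar.com: Eicar-Test-Signature FOUND
/var/hda/files/docs/old/eicar.zip: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Known viruses: 3900000
Scanned files: 342
Infected files: 2
Time: 4.600 sec (0 m 4 s)'

# Infected-file count of the most recent run in the log text ($1); 0 if none.
infected_count() {
    printf '%s\n' "$1" | awk '/^Infected files:/ { n = $3 } END { print n + 0 }'
}

# "... FOUND" lines of the most recent run only (those between the previous
# run's summary block and the last one).
found_lines() {
    printf '%s\n' "$1" | awk '
        /SCAN SUMMARY/ { last = buf; buf = ""; next }
        / FOUND$/      { buf = buf $0 "\n" }
        END            { printf "%s", last }'
}

# Succeeds (exit 0) when the last run reports at least one infection.
should_alert() {
    [ "$(infected_count "$1")" -gt 0 ]
}

# Compose the message for `sendmail -t`: $1 = To, $2 = From, $3 = log text.
# Fails without output when there is nothing to report.
build_alert() {
    should_alert "$3" || return 1
    printf 'To: %s\nFrom: %s\nSubject: %s infection(s) detected on %s\n\n%s' \
        "$1" "$2" "$(infected_count "$3")" "$(uname -n)" "$(found_lines "$3")"
}

# Stand-alone demo on the sample; in a cron job pipe this into `sendmail -t`.
demo() {
    build_alert "you@example.com" "clamav@example.com" "$SAMPLE_LOG"
}
```

In the real cron script the log text would come from `tail -n 40 "$LOG_FILE"` rather than the embedded sample.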

And you’re done! That should be the minimum required to install ClamAV and perform a daily scan of a specific directory.

NOTE: You will need to enable email on your HDA to use option "b". See Community Tutorials for guidance.

Configure Virus Definitions Update

The following will ensure your virus definitions are updated hourly.

  • Execute the following as root user:
touch /var/log/clamav/freshclam.log
chmod 600 /var/log/clamav/freshclam.log
chown clamupdate /var/log/clamav/freshclam.log
  • Set up cron job
N * * * * /bin/freshclam --quiet

NOTE: Change N to any value between 3 and 57 for minutes. This will help prevent conflicts with other cron jobs that typically run at 0.

Using Greyhole

You will need to do some additional setup to scan files when using Greyhole.
  • Set up mount shares locally (see the Mount_Shares_Locally wiki page)
  • Ensure SCAN_DIR points at /mnt/samba/share and not /var/hda/files/share

Now when the daily scan runs, it will scan the Greyhole-enabled share correctly.

Incremental Daily and Full Weekly Scans

You can expand on the above by making a daily cronjob script that only scans files changed in the last 24 hours, and a weekly cronjob script ("a" or "b" above) that does a full filesystem scan. You may choose to do this for reasons of efficiency, as scanning only the files changed in the last 24 hours is an order of magnitude faster. Your daily cron file would look something more like this:

#!/usr/bin/env bash

# Variables
DATE=$(date +%Y%m%d)
DIR="/var/log/clamav"
LIST="${DIR}/scan.${DATE}"
RESULTS="${DIR}/scanresults.${DATE}"
# A list of partitions and/or directories to scan; in this example /, /boot and /home are on separate partitions
SCANDIRS="/ /boot /home"
# Number of days to keep files generated by this script.  Default is 7.
LOGROTATION=7

# Remove files older than the number of days set with the $LOGROTATION variable.
# One might choose to comment this out and keep the files for trend-tracing, breakfix etc.
find "${DIR}" -name "scan*" -mtime +${LOGROTATION} -exec rm -f {} \;

# Generate a list of regular files modified in the last 24 hours; this list is fed into clamscan.
# Because we're using -mount to prevent unwanted filesystem traversal,
# you'll need to specify each partition or directory in the SCANDIRS variable.
# Start from an empty list so that a second run on the same day does not scan files twice.
: > "${LIST}"
for S in ${SCANDIRS}; do
	find "${S}" -mount -type f -mtime 0 >> "${LIST}"
done

# Run clamscan against the list of files and write the results to the results file
# -i prints only infected files, -f is the list of files to scan, and -l is the output log
clamscan -i -f "${LIST}" -l "${RESULTS}"
# Send email with results (uncomment line below to enable)
# mail -s "HDA Daily Virus Scan - ${DATE}" user@mail.com < "${RESULTS}"

References

  • How to Install ClamAV and Configure Daily Scanning on CentOS: https://www.centosblog.com/how-to-install-clamav-and-configure-daily-scanning-on-centos/
  • Automated Clam AntiVirus scanning for CentOS/Ubuntu/Debian servers: https://hacking.im/automated-clam-antivirus-scanning-for-centos-servers