Difference between revisions of "Virus Scan Shares"

From Amahi Wiki
Line 91: Line 91:
 
* Set up [https://wiki.amahi.org/index.php/Mount_Shares_Locally mount shares locally]
 
* Set up [https://wiki.amahi.org/index.php/Mount_Shares_Locally mount shares locally]
 
* Ensure the SCAN_DIR= <code>/mnt/samba/share</code> and not <code>/var/hda/files/share</code>
 
* Ensure the SCAN_DIR= <code>/mnt/samba/share</code> and not <code>/var/hda/files/share</code>
 +
  
 
Now when the daily scan runs, it will scan the Greyhole enabled share correctly.
 
Now when the daily scan runs, it will scan the Greyhole enabled share correctly.

Revision as of 00:10, 20 July 2014

ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats on Linux. In this article, we will only configure ClamAV to run scheduled/on-demand scans, not resident scans.

Install

  • Install required ClamAV packages
yum install clamav clamav-update
  • Edit /etc/freshclam.conf and make the following changes:
    • Comment out “Example”
    • Uncomment lines
      • “DNSDatabaseInfo current.cvd.clamav.net”
      • “DatabaseMirror db.XY.clamav.net” (replace XY with your country code)
    • Ensure line “DatabaseMirror database.clamav.net” is uncommented
  • Update ClamAV’s signatures
/usr/bin/freshclam

NOTE: ClamAV will update automatically, as part of /etc/cron.daily/freshclam.

Configure Daily Scan

In this example, we will configure a cron job to scan the Docs share every day:

  • Create /etc/cron.daily/manual_clamscan and add the text from "a" or "b":
a. Scan - Change SCAN_DIR to the directory that you want to scan.
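#!/bin/bash
# Directory to scan
SCAN_DIR="/var/hda/files/docs"
# Location of log file
LOG_FILE="/var/log/clamav/manual_clamscan.log"
# -r: scan recursively, -i: only log infected files; each run is appended to the log
/usr/bin/clamscan -i -r "$SCAN_DIR" >> "$LOG_FILE"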
b. Scan with email notifications - Change SCAN_DIR to the directory that you want to scan, EMAIL and EMAIL_FROM to your email addresses.
#!/bin/bash
# Email alert cron job script for ClamAV
# Original, unmodified script by: Deven Hillard
# (http://www.digitalsanctuary.com/tech-blog/debian/automated-clamav-virus-scanning.html)
# Modified to show infected and/or removed files
# Directories to scan
SCAN_DIR="/var/hda/files/docs"
# Location of log file
LOG_FILE="/var/log/clamav/manual_clamscan.log"
# Uncomment to have scan remove files
#AGGRESSIVE=1
# Uncomment to have scan not remove files
AGGRESSIVE=0
# Email Subject
SUBJECT="Infections detected on `hostname`"
# Email To
EMAIL="your.email@your.domain.com"
# Email From
EMAIL_FROM="clamav@server.hostname.com"
check_scan () {
    # If there were infected files detected, send email alert.
    # Only a count of exactly 0 is filtered out, so counts such as 10 or 20 still alert.
    if [ `tail -n 12 "${LOG_FILE}" | grep 'Infected files' | grep -v ': 0$' | wc -l` != 0 ]
    then
    # Count number of infections
        SCAN_RESULTS=$(tail -n 10 "$LOG_FILE" | grep 'Infected files')
        INFECTIONS=${SCAN_RESULTS##* }

        # Build the message (headers first, then the tail of the log) in a temp file
        EMAILMESSAGE=`mktemp /tmp/virus-alert.XXXXX`
        echo "To: ${EMAIL}" >>  "${EMAILMESSAGE}"
        echo "From: ${EMAIL_FROM}" >>  "${EMAILMESSAGE}"
        echo "Subject: ${SUBJECT}" >>  "${EMAILMESSAGE}"
        echo "Importance: High" >> "${EMAILMESSAGE}"
        echo "X-Priority: 1" >> "${EMAILMESSAGE}"
        if [ "$AGGRESSIVE" = 1 ]
        then
                # With --remove, each infected file produces two log lines
                echo -e "\n`tail -n $((10 + ($INFECTIONS*2))) "$LOG_FILE"`" >> "${EMAILMESSAGE}"
        else
                echo -e "\n`tail -n $((10 + $INFECTIONS)) "$LOG_FILE"`" >> "${EMAILMESSAGE}"
        fi
        sendmail -t < "${EMAILMESSAGE}"
        # Remove the temporary message file once it has been sent
        rm -f "${EMAILMESSAGE}"
    fi
}
if [ "$AGGRESSIVE" = 1 ]
then
        /usr/bin/clamscan -ri --remove "$SCAN_DIR" >> "$LOG_FILE"
else
        /usr/bin/clamscan -ri "$SCAN_DIR" >> "$LOG_FILE"
fi
check_scan
  • Give our cron script executable permissions:
chmod +x /etc/cron.daily/manual_clamscan
  • Create empty log file
mkdir -p /var/log/clamav
touch /var/log/clamav/manual_clamscan.log
  • (OPTIONAL) Run the script
/etc/cron.daily/manual_clamscan

And you’re done! That should be the minimum required to install ClamAV and perform a daily scan of a specific directory.


NOTE: You will need to enable email on your HDA to use option "b". See Community Tutorials for guidance.
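
Because the cron scripts above append every run to the same log, alert logic has to read only the most recent scan summary. The following is an added example, not part of the original wiki page or of the script it credits: it extracts the last scan's infected count and FOUND lines from a constructed sample log, and shows that a text filter dropping every line containing the digit 0 misses a count of 10. The function names, sample log contents and version numbers are assumptions made for the illustration.

```shell
#!/bin/bash
# Added example: summarise the most recent scan in an appended clamscan log.

# Count from the last "Infected files: N" summary line in log file $1.
last_infected_count () {
    awk -F': *' '/^Infected files:/ { n = $2 } END { print n + 0 }' "$1"
}

# "<path>: <signature> FOUND" lines that belong to the last scan only.
last_found_lines () {
    awk '/ FOUND$/          { buf = buf $0 "\n" }
         /^Infected files:/ { last = buf; buf = "" }
         END                { printf "%s", last }' "$1"
}

# Text filter that drops every line containing the digit 0, for comparison:
# it also drops "Infected files: 10", so that scan would raise no alert.
digit_filter_hits () {
    tail -n 12 "$1" | grep Infected | grep -v 0 | wc -l | tr -d ' '
}

# Emit a clamscan-style summary block with $1 infected files (constructed values).
print_summary () {
    printf '%s\n' "" "----------- SCAN SUMMARY -----------" \
        "Known viruses: 3500000" "Engine version: 0.98.4" \
        "Scanned directories: 3" "Scanned files: 120" \
        "Infected files: $1" "Data scanned: 5.00 MB" \
        "Data read: 4.00 MB (ratio 1.25:1)" "Time: 12.345 sec (0 m 12 s)"
}

# Write a constructed two-scan log (not real scan output) to file $1.
write_sample_log () {
    {
        echo "/var/hda/files/docs/old.bin: Eicar-Test-Signature FOUND"
        print_summary 1
        for i in 1 2 3 4 5 6 7 8 9 10; do
            echo "/var/hda/files/docs/file$i.bin: Eicar-Test-Signature FOUND"
        done
        print_summary 10
    } > "$1"
}

SAMPLE_LOG=$(mktemp /tmp/clamscan-sample.XXXXXX)
write_sample_log "$SAMPLE_LOG"
echo "infected in last scan: $(last_infected_count "$SAMPLE_LOG")"
last_found_lines "$SAMPLE_LOG"
echo "digit-filter alert lines: $(digit_filter_hits "$SAMPLE_LOG")"
rm -f "$SAMPLE_LOG"
```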

Using Greyhole

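You will need to do some additional setup to scan files when using Greyhole.

  • Set up mount shares locally (https://wiki.amahi.org/index.php/Mount_Shares_Locally)
  • Ensure SCAN_DIR is set to /mnt/samba/share and not /var/hda/files/share

Now when the daily scan runs, it will scan the Greyhole enabled share correctly.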
