Client Security – ClamAV

This config gets on access scanning running with the official clamAV virus definitions.

Basic Config

Requirements:

On-access scanning requires a system running a Linux kernel (version >= 3.8) with fanotify compiled in. Check the kernel configuration for fanotify's presence by running:

$ cat /boot/config-<kernel_version> | grep FANOTIFY

Results if fanotify is available:

CONFIG_FANOTIFY=y

Results if fanotify can prevent malicious file access attempts:

CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y

The latter is required to block infected files being opened.

Also check:

cat /proc/sys/fs/inotify/max_user_watches

The value should be 65k, which is the maximum number of directories inotify can watch; if you need more, read up on how to raise this setting.
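As an added example (not part of the original guide), a small POSIX shell pre-flight check that folds the three tests above into one script: it classifies a kernel config as none / notify-only / block and checks the inotify watch limit. The config and watch-limit paths are parameters so it can be exercised on constructed input; on a real host pass /boot/config-$(uname -r) and /proc/sys/fs/inotify/max_user_watches.

```shell
#!/bin/sh
# Added example, not from the original guide: pre-flight check for ClamAV
# on-access scanning. Reads a kernel config file and the inotify watch limit
# and reports whether fanotify is present and whether it can block access.
# Paths are parameters so the check can be run against constructed input.

# Usage: fanotify_mode <kernel-config-file>
# Prints one of: none | notify-only | block, and returns non-zero for "none".
fanotify_mode() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "none"; return 1; }
    if ! grep -qx 'CONFIG_FANOTIFY=y' "$cfg"; then
        echo "none"; return 1
    fi
    if grep -qx 'CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y' "$cfg"; then
        echo "block"          # clamd can deny opens of infected files
    else
        echo "notify-only"    # clamd only sees events, cannot prevent access
    fi
    return 0
}

# Usage: watches_ok <max_user_watches-file> <needed>
# Returns 0 when the inotify watch limit is at least <needed>.
watches_ok() {
    limit=$(cat "$1" 2>/dev/null || echo 0)
    [ "$limit" -ge "$2" ]
}

# Demonstration on constructed input (not a real kernel config).
tmp=$(mktemp -d)
printf 'CONFIG_FANOTIFY=y\nCONFIG_FANOTIFY_ACCESS_PERMISSIONS=y\n' > "$tmp/config-block"
printf 'CONFIG_FANOTIFY=y\n# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set\n' > "$tmp/config-notify"
printf '65536\n' > "$tmp/max_user_watches"

echo "kernel A: $(fanotify_mode "$tmp/config-block")"      # block
echo "kernel B: $(fanotify_mode "$tmp/config-notify")"     # notify-only
watches_ok "$tmp/max_user_watches" 65536 && echo "inotify watch limit OK"
rm -rf "$tmp"
```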

Unfortunately, for on-access scanning to work correctly clamAV must run as root. A well-configured AppArmor profile is therefore a must, and this guide covers that configuration.

Install main components

sudo apt-get install clamav clamav-daemon clamav-freshclam

Configure clamd

AppArmor needs the following tweaks for this to work:

sudo vi /etc/apparmor.d/usr.sbin.clamd
# add these:
capability sys_admin,
/proc/sys/fs/inotify/max_user_watches r,
# / r, # omitting this triggers an AppArmor denial, but lacking the right does not seem to impact operation

Enabling and verifying

Now enable the AppArmor profile and start the daemon. Check its status a little later (e.g. sudo service clamav-daemon status) to confirm it started correctly.

sudo aa-enforce clamd
sudo service clamav-daemon start

If it all worked, you should see something like this:

● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2017-12-12 19:28:15 CST; 8s ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           http://www.clamav.net/lang/en/doc/
 Main PID: 12484 (clamd)
   CGroup: /system.slice/clamav-daemon.service
           └─12484 /usr/sbin/clamd --foreground=true

Dec 12 19:28:23 thinkpad-t460 clamd[12484]: SWF support enabled.
Dec 12 19:28:23 thinkpad-t460 clamd[12484]: HTML support enabled.
Dec 12 19:28:23 thinkpad-t460 clamd[12484]: XMLDOCS support enabled.
Dec 12 19:28:23 thinkpad-t460 clamd[12484]: HWP3 support enabled.
Dec 12 19:28:23 thinkpad-t460 clamd[12484]: Self checking every 3600 seconds.
Dec 12 19:28:23 thinkpad-t460 clamd[12484]: ScanOnAccess: preventing access attempts on malicious files.
Dec 12 19:28:23 thinkpad-t460 clamd[12484]: ScanOnAccess: Max file size limited to 943718400 bytes
Dec 12 19:28:23 thinkpad-t460 clamd[12484]: ScanOnAccess: Protecting directory '/home/fred/Downloads' (and all sub-d
Dec 12 19:28:23 thinkpad-t460 clamd[12484]: ScanOnAccess: Protecting directory '/home/fred/Documents' (and all sub-d
Dec 12 19:28:23 thinkpad-t460 clamd[12484]: ScanOnAccess: Extra scanning and notifications enabled.

Required Advanced Config

For a much larger signature pool, refer to:

https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL

This is a must-have, but it should only be set up after the basic configuration has been confirmed to be working.

Also see https://github.com/extremeshok/clamav-unofficial-sigs#supported-operating-systems (about a quarter of the way down) for directions on activating the free MalwarePatrol and SecuriteInfo files. For more help with the config files needed to get MalwarePatrol working, refer to the relevant section at https://wiki.archlinux.org/index.php/ClamAV, and then update this guide so others can follow it too.

Download the latest archive

# Run the following as root (the paths are system-wide). Note that --no-check-certificate disables TLS verification of a script that will later run as root; drop the flag unless the certificate genuinely fails to validate on your system.
wget -q --no-check-certificate https://github.com/extremeshok/clamav-unofficial-sigs/archive/master.zip -O /tmp/clamav-unofficial-sigs.zip
cd /tmp
unzip clamav-unofficial-sigs.zip
mkdir -p /usr/local/sbin/
cp /tmp/clamav-unofficial-sigs-master/clamav-unofficial-sigs.sh /usr/local/sbin/
chmod 755 /usr/local/sbin/clamav-unofficial-sigs.sh
chown root:root /usr/local/sbin/clamav-unofficial-sigs.sh
mkdir -p /var/log/clamav-unofficial-sigs/
mkdir -p /etc/clamav-unofficial-sigs/
cp /tmp/clamav-unofficial-sigs-master/config/os.ubuntu.conf /etc/clamav-unofficial-sigs/os.conf
cp /tmp/clamav-unofficial-sigs-master/config/user.conf /etc/clamav-unofficial-sigs/user.conf
cp /tmp/clamav-unofficial-sigs-master/config/master.conf /etc/clamav-unofficial-sigs/master.conf
cp -f /tmp/clamav-unofficial-sigs-master/systemd/*.* /etc/systemd/

* Edit the /etc/clamav-unofficial-sigs/master.conf, os.conf and user.conf files

Sort out MalwarePatrol

Using the free MalwarePatrol ClamAV signatures (2015): https://www.malwarepatrol.net

* Sign up for a free account: https://www.malwarepatrol.net/signup-free.shtml
* You will receive an email containing your password/receipt number
* Enter the receipt number into the config key malwarepatrol_receipt_code, replacing YOUR-RECEIPT-NUMBER with the receipt number from the email

Add receipt code to /etc/clamav-unofficial-sigs/user.conf

Sort out SecuriteInfo

Using the free SecuriteInfo ClamAV signatures (2015): https://www.securiteinfo.com

* Sign up for a free account: https://www.securiteinfo.com/clients/customers/signup
* You will receive an email to activate your account and then a follow-up email with your login name
* Log in and navigate to your customer account: https://www.securiteinfo.com/clients/customers/account
* Click on the Setup tab
* You will need to get your unique identifier from one of the download links; they are individual for every user
  * The 128-character string is the part after http://www.securiteinfo.com/get/signatures/
  * Example: https://www.securiteinfo.com/get/signatures/your_unique_and_very_long_random_string_of_characters/securiteinfo.hdb
  * Your 128-character authorisation signature would be: your_unique_and_very_long_random_string_of_characters
* Enter the authorisation signature into the config key securiteinfo_authorisation_signature, replacing YOUR-SIGNATURE-NUMBER with the authorisation signature from the link

Add the signature number to /etc/clamav-unofficial-sigs/user.conf

Finishing up

Uncomment this line in user.conf (remove the leading #):

#user_configuration_complete="yes"

Then run the installer:

/usr/local/sbin/clamav-unofficial-sigs.sh --install-all

* Edit the /etc/logrotate.d/clamav-unofficial-sigs file
* Edit the /etc/cron.d/clamav-unofficial-sigs file
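As an added example that is not part of this guide or of the clamav-unofficial-sigs project, a POSIX shell script that applies the three user.conf edits from the steps above (MalwarePatrol receipt code, SecuriteInfo authorisation signature, user_configuration_complete) and rejects a signature that is not the 128-character string the steps describe. The key names and placeholder values come from the steps above; the sample user.conf is constructed, and the assumption that the signature is alphanumeric is the example's own.

```shell
#!/bin/sh
# Added example, not part of the guide or of clamav-unofficial-sigs: apply the
# user.conf edits described above (MalwarePatrol receipt code, SecuriteInfo
# authorisation signature, user_configuration_complete) without hand-editing.
# The config file path is a parameter so it can be run against a scratch copy.

# Usage: set_conf_key <file> <key> <value>   (value must not contain | or &)
# Replaces an existing, possibly commented-out, key="..." line or appends one.
set_conf_key() {
    f="$1"; k="$2"; v="$3"
    if grep -Eq "^#?[[:space:]]*${k}=" "$f"; then
        sed -i "s|^#\{0,1\}[[:space:]]*${k}=.*|${k}=\"${v}\"|" "$f"
    else
        printf '%s="%s"\n' "$k" "$v" >> "$f"
    fi
}

# Usage: securiteinfo_sig_ok <signature>
# The guide says the SecuriteInfo signature is a 128-character string taken
# from a download URL; alphanumeric is an assumption made here so that a
# paste error (truncated or with the URL still attached) is caught early.
securiteinfo_sig_ok() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]{128}$'
}

# Usage: conf_value <file> <key>   -> prints the unquoted value of key
conf_value() {
    sed -n "s/^${2}=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1"
}

# Demonstration on a constructed user.conf (values are placeholders).
tmp=$(mktemp -d)
cat > "$tmp/user.conf" <<'EOF'
# malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER"
securiteinfo_authorisation_signature="YOUR-SIGNATURE-NUMBER"
#user_configuration_complete="yes"
EOF
sig=$(head -c 128 /dev/zero | tr '\000' a)   # 128 x 'a', standing in for a real signature
securiteinfo_sig_ok "$sig" || { echo "bad signature"; exit 1; }
set_conf_key "$tmp/user.conf" malwarepatrol_receipt_code "PLACEHOLDER-RECEIPT"
set_conf_key "$tmp/user.conf" securiteinfo_authorisation_signature "$sig"
set_conf_key "$tmp/user.conf" user_configuration_complete yes
cat "$tmp/user.conf"
rm -rf "$tmp"
```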