Client Security - ClamAV
Basic Config
This config gets on-access scanning running with the official ClamAV virus definitions.
Reqs:
On-access scanning requires a system running a Linux kernel (version >= 3.8) with fanotify compiled in. Check the kernel configuration for fanotify's presence by running:
$ cat /boot/config- | grep FANOTIFY
Results if fanotify is available:
CONFIG_FANOTIFY=y
Results if fanotify can prevent malicious file access attempts:
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
The latter is required to block infected files from being opened.
Also check:
cat /proc/sys/fs/inotify/max_user_watches
It should be 65k, which is the maximum number of directories inotify can watch. If you need more, read up on how to raise this setting.
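The two checks above (fanotify compiled in, and the inotify watch limit high enough for clamd to track the protected directory trees) are easy to get half right, so here is a small pre-flight script that performs both. It is an added example, not part of the original guide: the function names (fanotify_level, watches_ok, preflight) and the 65536 threshold taken from the "65k" above are this example's own choices, and the kernel config path is assumed to be /boot/config-$(uname -r).

```shell
#!/bin/sh
# Added example, not part of the original guide: a pre-flight check for the two
# kernel requirements above. The config file and the inotify limit file are
# passed in as arguments so the same functions can be run against the live
# system or against constructed files.

# fanotify_level CONFIG_FILE
#   prints "none"   if fanotify is not compiled in,
#          "notify" if fanotify is present but cannot block access,
#          "block"  if CONFIG_FANOTIFY_ACCESS_PERMISSIONS is also set,
#                   which is what stops infected files from being opened.
fanotify_level() {
    if ! grep -q '^CONFIG_FANOTIFY=y' "$1" 2>/dev/null; then
        echo none
    elif grep -q '^CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y' "$1"; then
        echo block
    else
        echo notify
    fi
}

# watches_ok LIMIT_FILE [MINIMUM]
#   returns 0 when the inotify watch limit in LIMIT_FILE is at least MINIMUM
#   (default 65536, the "65k" the guide mentions), 1 otherwise.
watches_ok() {
    [ -r "$1" ] || return 1
    limit=$(tr -dc '0-9' < "$1")
    min="${2:-65536}"
    if [ -n "$limit" ] && [ "$limit" -ge "$min" ]; then
        return 0
    fi
    return 1
}

# preflight CONFIG_FILE LIMIT_FILE
#   prints a summary and returns 0 only when on-access blocking can work.
preflight() {
    level=$(fanotify_level "$1")
    echo "fanotify: $level"
    if watches_ok "$2"; then
        echo "inotify max_user_watches: ok"
    else
        echo "inotify max_user_watches: too low or unreadable"
    fi
    if [ "$level" = block ] && watches_ok "$2"; then
        return 0
    fi
    return 1
}

# Run against the live system when the kernel config is readable (assumed path).
if [ -r "/boot/config-$(uname -r)" ]; then
    if preflight "/boot/config-$(uname -r)" /proc/sys/fs/inotify/max_user_watches; then
        echo "on-access blocking is possible on this kernel"
    else
        echo "requirements not met; see the messages above"
    fi
fi
```

A "notify" result means clamd can still detect and log, but the "preventing access attempts" line shown later in this guide will never appear; only "block" gives you the blocking behaviour.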
Unfortunately, for on-access scanning to work correctly ClamAV must run as the root user, so a well-configured AppArmor profile is a must. This guide walks through setting that up.
Install main components
sudo apt-get install clamav clamav-daemon clamav-freshclam
Configure clamd
AppArmor needs tweaks for this to work:
sudo vi /etc/apparmor.d/usr.sbin.clamd
# add these:
capability sys_admin,
/proc/sys/fs/inotify/max_user_watches r,
# / r, # triggers apparmor but not having the right does not seem to impact operation
Enabling and verifying
Now enable the AppArmor profile and start the daemon. Check the service status a little later to confirm it started correctly.
sudo aa-enforce clamd
sudo service clamav-daemon start
If it all worked you should see something like this:
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2017-12-12 19:28:15 CST; 8s ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           http://www.clamav.net/lang/en/doc/
 Main PID: 12484 (clamd)
   CGroup: /system.slice/clamav-daemon.service
           └─12484 /usr/sbin/clamd --foreground=true

Dec 12 19:28:23 thinkpad-t460 clamd[12484]: SWF support enabled.
Dec 12 19:28:23 thinkpad-t460 clamd[12484]: HTML support enabled.
Dec 12 19:28:23 thinkpad-t460 clamd[12484]: XMLDOCS support enabled.
Dec 12 19:28:23 thinkpad-t460 clamd[12484]: HWP3 support enabled.
Dec 12 19:28:23 thinkpad-t460 clamd[12484]: Self checking every 3600 seconds.
Dec 12 19:28:23 thinkpad-t460 clamd[12484]: ScanOnAccess: preventing access attempts on malicious files.
Dec 12 19:28:23 thinkpad-t460 clamd[12484]: ScanOnAccess: Max file size limited to 943718400 bytes
Dec 12 19:28:23 thinkpad-t460 clamd[12484]: ScanOnAccess: Protecting directory '/home/fred/Downloads' (and all sub-d
Dec 12 19:28:23 thinkpad-t460 clamd[12484]: ScanOnAccess: Protecting directory '/home/fred/Documents' (and all sub-d
Dec 12 19:28:23 thinkpad-t460 clamd[12484]: ScanOnAccess: Extra scanning and notifications enabled.
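A running daemon does not prove the AppArmor profile is complete: in enforce mode a missing rule shows up as a DENIED event in the kernel audit log (dmesg or journalctl -k), and the rules added above are exactly the kind of thing such events point at. The following is an added example, not part of the original guide or of ClamAV: a helper that filters those events down to the ones for the clamd profile and prints the operation and the denied path or capability. The function name clamd_denials is this example's own, and the sample audit lines are constructed for the demonstration (real format, made-up timestamps and pids).

```shell
#!/bin/sh
# Added example, not from the original guide: after `aa-enforce clamd`, list
# the AppArmor denials logged for the clamd profile so that any missing rule
# can be added to /etc/apparmor.d/usr.sbin.clamd.

# clamd_denials LOGFILE
#   Reads kernel audit lines from LOGFILE ("-" for stdin, e.g.
#   `dmesg | clamd_denials -`), prints one line "<operation> <name|capname>"
#   per DENIED event for profile /usr/sbin/clamd, and returns 1 if any were
#   found, 0 if the log is clean. Fields are split on whitespace, so a denied
#   path containing spaces would be cut at the first space.
clamd_denials() {
    awk '
        /apparmor="DENIED"/ && /profile="\/usr\/sbin\/clamd"/ {
            op = ""; target = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                v = kv[2]; gsub(/"/, "", v)
                if (kv[1] == "operation") op = v
                if (kv[1] == "name" || kv[1] == "capname") target = v
            }
            print op, target
            n++
        }
        END { exit (n > 0) }
    ' "$1"
}

# Constructed sample of kernel audit lines: the two clamd denials correspond to
# the two rules added to the profile above; the cupsd line is noise that must
# be ignored.
sample_audit_log() {
cat <<'EOF'
[ 1051.123456] audit: type=1400 audit(1513126103.520:51): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/proc/sys/fs/inotify/max_user_watches" pid=12484 comm="clamd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1051.123500] audit: type=1400 audit(1513126103.521:52): apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd" pid=12484 comm="clamd" capability=21  capname="sys_admin"
[ 1051.200000] audit: type=1400 audit(1513126103.600:53): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/printcap" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

if sample_audit_log | clamd_denials -; then
    echo "no clamd denials: the profile covers everything clamd asked for"
else
    echo "clamd was denied the operations above; add matching rules to the profile"
fi
```

On the sample input the helper prints "open /proc/sys/fs/inotify/max_user_watches" and "capable sys_admin", which map directly onto the "/proc/sys/fs/inotify/max_user_watches r," and "capability sys_admin," rules from the previous section; run it over the real kernel log after a few minutes of enforce mode to catch anything this guide's rule set misses on your system.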
Required Advanced Config
For a much larger signature pool refer to this:
https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL
This is a must-have, but should only be set up after the basic configuration has been confirmed to be working.
Also see https://github.com/extremeshok/clamav-unofficial-sigs#supported-operating-systems (about a quarter of the way down the page) for directions on activating the free MalwarePatrol and SecuriteInfo feeds. For more help with the config files needed to get MalwarePatrol working, refer to the relevant section of https://wiki.archlinux.org/index.php/ClamAV, and then update this guide so fools can follow it too.
Download the latest archive
wget -q --no-check-certificate https://github.com/extremeshok/clamav-unofficial-sigs/archive/master.zip -O /tmp/clamav-unofficial-sigs.zip
cd /tmp
unzip clamav-unofficial-sigs.zip
mkdir -p /usr/local/sbin/
cp /tmp/clamav-unofficial-sigs-master/clamav-unofficial-sigs.sh /usr/local/sbin/
chmod 755 /usr/local/sbin/clamav-unofficial-sigs.sh
chown root:root /usr/local/sbin/clamav-unofficial-sigs.sh
mkdir -p /var/log/clamav-unofficial-sigs/
mkdir -p /etc/clamav-unofficial-sigs/
cp /tmp/clamav-unofficial-sigs-master/config/os.ubuntu.conf /etc/clamav-unofficial-sigs/os.conf
cp /tmp/clamav-unofficial-sigs-master/config/user.conf /etc/clamav-unofficial-sigs/user.conf
cp /tmp/clamav-unofficial-sigs-master/config/master.conf /etc/clamav-unofficial-sigs/master.conf
cp -f /tmp/clamav-unofficial-sigs-master/systemd/*.* /etc/systemd/
* Edit the /etc/clamav-unofficial-sigs/master.conf, os.conf and user.conf files
Sort out MalwarePatrol
Usage of MalwarePatrol 2015 free clamav signatures : https://www.malwarepatrol.net
* Sign up for a free account : https://www.malwarepatrol.net/signup-free.shtml
* You will receive an email containing your password/receipt number
* Enter the receipt number into the config key malwarepatrol_receipt_code, replacing YOUR-RECEIPT-NUMBER with the receipt number from the email
Add receipt code to /etc/clamav-unofficial-sigs/user.conf
Sort out SecuriteInfo
Usage of SecuriteInfo 2015 free clamav signatures : https://www.securiteinfo.com
* Sign up for a free account : https://www.securiteinfo.com/clients/customers/signup
* You will receive an email to activate your account and then a follow-up email with your login name
* Login and navigate to your customer account : https://www.securiteinfo.com/clients/customers/account
* Click on the Setup tab
* You will need to get your unique identifier from one of the download links; they are individual for every user:
  * The 128 character string is the part after http://www.securiteinfo.com/get/signatures/
  * Example: https://www.securiteinfo.com/get/signatures/your_unique_and_very_long_random_string_of_characters/securiteinfo.hdb
    Your 128 character authorisation signature would be: your_unique_and_very_long_random_string_of_characters
* Enter the authorisation signature into the config key securiteinfo_authorisation_signature, replacing YOUR-SIGNATURE-NUMBER with the authorisation signature from the link
Add signature number to /etc/clamav-unofficial-sigs/user.conf
Finishing up
Uncomment this line in user.conf:
#user_configuration_complete="yes"
then run the installer:
/usr/local/sbin/clamav-unofficial-sigs.sh --install-all
- Edit the /etc/logrotate.d/clamav-unofficial-sigs file
- Edit the /etc/cron.d/clamav-unofficial-sigs file
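The steps from "Sort out MalwarePatrol" through "Finishing up" all come down to three edits in /etc/clamav-unofficial-sigs/user.conf, and --install-all will happily run with a placeholder still in place. Here is an added example, not part of the original guide or of the clamav-unofficial-sigs project, that checks the file before you run the installer: it assumes user.conf uses the shell-style key="value" lines shown above (the commented user_configuration_complete line is in that form), looks for the two placeholders named in the steps, and applies the 128-character length rule the SecuriteInfo step states. The function names conf_value and check_user_conf are this example's own, and the sample config files in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: verify the three user.conf edits
# this guide asks for before running clamav-unofficial-sigs.sh --install-all.

# conf_value FILE KEY
#   prints the value of the last uncommented line of the form KEY="value";
#   prints nothing when the key is absent or still commented out.
conf_value() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# check_user_conf FILE
#   prints one line per problem found and returns 1 if there were any,
#   0 when the file is ready for --install-all.
check_user_conf() {
    conf="$1"
    rc=0

    receipt=$(conf_value "$conf" malwarepatrol_receipt_code)
    case "$receipt" in
        ""|YOUR-RECEIPT-NUMBER)
            echo "malwarepatrol_receipt_code: placeholder still present"
            rc=1 ;;
    esac

    sig=$(conf_value "$conf" securiteinfo_authorisation_signature)
    case "$sig" in
        ""|YOUR-SIGNATURE-NUMBER)
            echo "securiteinfo_authorisation_signature: placeholder still present"
            rc=1 ;;
        *)
            # The guide says the signature is a 128 character string.
            if [ "${#sig}" -ne 128 ]; then
                echo "securiteinfo_authorisation_signature: ${#sig} characters, expected 128"
                rc=1
            fi ;;
    esac

    if [ "$(conf_value "$conf" user_configuration_complete)" != yes ]; then
        echo 'user_configuration_complete="yes": still commented out or missing'
        rc=1
    fi

    return "$rc"
}

# Check the real file when it exists; only suggest the installer, do not run it.
if [ -r /etc/clamav-unofficial-sigs/user.conf ]; then
    if check_user_conf /etc/clamav-unofficial-sigs/user.conf; then
        echo "user.conf looks complete; now run: /usr/local/sbin/clamav-unofficial-sigs.sh --install-all"
    else
        echo "fix the items above before running --install-all"
    fi
fi
```

Only the three keys this guide touches are checked; anything else in user.conf is left to the project's own configuration documentation.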