Ylab’s Guide to Linux ClamAV AntiVirus
Last update: March 10, 2021.
ClamAV – also known as Clam AntiVirus – is a pretty competent anti-virus tool. When researching it, you will find a lot of inaccurate information and reviews. Much of the installation guidance is grossly incomplete – to the point where you have installed it, but nothing is ever actually scanned. We’ll try to fix a lot of that.
The reality of GNU/Linux is that since most people use it for free, they don’t want to pay for antivirus either. That doesn’t leave much choice.
The questions we’ll answer are:
- Is ClamAV good enough? (Hint: we think so)
- How do you install it properly?
- How do you test to ensure you got it right?
Part 1: About ClamAV
- About those anti-virus reviews…
- Our disclaimer
- Virus/threat database and updates
- Virus Scanning Types
- Real-Time: Linux systems only
- Memory and running processes
- Malicious email links
- Compressed and archive files
- ClamAV processes
Part 2: Installing and running ClamAV
- Real-world installation recommendations
- Other critical security issues
- Schedule your updates
- Verify your firewall is up
Part 3: Running ClamAV in Real-time
Part 4: Other important security measures
Part 1: About ClamAV
ClamAV is an open-source anti-virus product that’s primarily used in the Linux world – but it supports a whole bunch of other platforms. The official web site is here, and the list of systems it supports is here – Windows, Mac, SunOS, BSD and others.
There is some association between ClamAV and Cisco, as well as Talos, which is Cisco’s threat intelligence unit. Cisco is listed as the owner of the copyrights on the ClamAV website. Wikipedia says the ClamAV development remains under Talos. This association is undoubtedly a good thing. Cisco is a major provider of firewalls and other security products. It’s a good indication that ClamAV should be taken seriously.
That Wikipedia page about ClamAV has a lot of good info we will refer to.
About those anti-virus review sites…
There are innumerable anti-virus review websites out there. Many are complete crap. They may be quietly sponsored or built by one company or another, or have a bias that affects the results. Or the person doing the review might be incompetent or just looking for clicks.
A metric that can be flawed is a check of the antivirus tool against a huge collection of malware samples. This can be misleading because:
- Like software, viruses can become obsolete. They may just not be relevant anymore. Why check for a virus that applies to a different operating system, or an older version of an operating system that your product doesn’t even support? The best vendors will cull their databases to improve performance. Note: scanning for other operating systems’ malware can still be useful. Someone once sent us an Android app to load on a phone. The Windows virus scanner told us it had an Android virus!
- Some of the samples are types of unwanted software that anti-virus is not meant to catch. Maybe it’s just adware or something else. It might not be an appropriate test of the capabilities.
Other reasons reviewers will trash a product are interface, ease of use and other features and characteristics that are not relevant to the core anti-virus features. You’re a Linux user. You expect some difficulty.
We are not paid by anyone nor do we receive any benefit whatsoever for this work. Directly or indirectly. We don’t even have ads on this website. Heck, we might even be incompetent. That’s why we link as much as possible to the sources where we picked up our information.
We’ve been using Linux since the days it had to be loaded from diskettes and you had to do a bunch of research for the drivers for every stupid card you had. Heck, PCs didn’t even have built-in networking or graphics cards. What we consider easy-to-use might differ from your experience.
This is free. You get what you pay for.
Virus/threat database and updates
The completeness and frequency of update of the virus database is critical for any anti-virus product. Without that, you’re dead.
ClamAV lists its detection partners here, and these partners in turn have their detection partners. Try clicking through to some of the partner web sites to see how frequently they pick up stuff. Looks good to us.
The Shadowserver Foundation may be the best source of information on the quality of virus scanners. In their most recent yearly update, ClamAV ranked 6th out of 15 Linux virus scanners – ahead of many big name commercial products.
The threat database is frequently updated – the ClamAV web site FAQ says “many times per week”. The same page says you can check for database updates “as often as 4 times per hour”. You just have to configure it to check that often – if it makes sense. You have that level of control with this product. For comparison, we use Microsoft’s own anti-virus on our Windows PCs, and it seems to get updated once to twice per day.
Virus Scanning Types
On-demand scanning is a fancy way of saying “manual”. Like when you run a full system virus scan on Windows. It’s not triggered automatically.
This is available on every platform ClamAV supports, and on most of them it is the only option.
But it doesn’t mean you have to scan the entire system. You can make it as small as one file. And that brings us to…
Real-Time/On Access: Linux Only
ClamAV refers to this as On-Access Scanning. As of the date we wrote this (see date at the top of the page), it’s only available on Linux systems with a kernel version >= 3.8, which is already a few years old, and with the FANOTIFY (File Access NOTIFY) feature enabled (CONFIG_FANOTIFY in the kernel configuration; blocking access to infected files additionally needs CONFIG_FANOTIFY_ACCESS_PERMISSIONS). This web page gives you all the details on how to check if your system has the feature and how to enable it. Recent Ubuntu versions have it by default.
Configuration is critical, and can be highly tuned to maximise your performance. This is a level of control you don’t get with other virus scanners.
The preferred configuration is to limit On Access scanning to the user directories. On Linux, you generally are limited to writing in your own or other user directories and to /tmp, so this, along with regular full scans, is more than reasonable.
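The two prerequisites just described can be checked from a shell. The script below is an added example for this guide, not ClamAV’s own code: it compares the running kernel version against 3.8 numerically (a plain string comparison would rank 3.10 below 3.8) and looks for CONFIG_FANOTIFY and CONFIG_FANOTIFY_ACCESS_PERMISSIONS in the kernel configuration, which it assumes is available as /boot/config-$(uname -r) or /proc/config.gz.

```shell
#!/bin/sh
# Added example (not from the ClamAV project): checks the two prerequisites for
# on-access scanning, a kernel of at least 3.8 and fanotify compiled in.
set -eu

# True when kernel version $2 (e.g. "5.4.0-42-generic") is at least $1 (e.g. "3.8").
# Major and minor are compared as integers, so 3.10 correctly beats 3.8.
kernel_at_least() {
    want_major=${1%%.*}
    want_minor=${1#*.}; want_minor=${want_minor%%.*}
    have=$2
    case "$have" in *.*) ;; *) have="$have.0" ;; esac
    have_major=${have%%.*}
    have_minor=${have#*.}; have_minor=${have_minor%%[!0-9]*}
    : "${have_minor:=0}"
    if [ "$have_major" -ne "$want_major" ]; then
        [ "$have_major" -gt "$want_major" ]
    else
        [ "$have_minor" -ge "$want_minor" ]
    fi
}

# True when kernel config file $1 has option $2 built in (=y).
config_has() {
    grep -q "^$2=y" "$1"
}

# fanotify alone is enough for on-access *scanning*; blocking access to an
# infected file (OnAccessPrevention) additionally needs permission events.
fanotify_ready() {
    config_has "$1" CONFIG_FANOTIFY && config_has "$1" CONFIG_FANOTIFY_ACCESS_PERMISSIONS
}

# Report on the host this runs on (assumes a Debian/Ubuntu-style /boot/config-*
# file or a kernel built with /proc/config.gz support).
check_this_host() {
    kver=$(uname -r)
    if [ -r "/boot/config-$kver" ]; then
        cfg=/boot/config-$kver
    elif [ -r /proc/config.gz ]; then
        cfg=$(mktemp); zcat /proc/config.gz > "$cfg"
    else
        echo "no kernel config found for $kver; see your distribution's documentation"
        return 2
    fi
    if kernel_at_least 3.8 "$kver"; then echo "kernel $kver: ok"; else echo "kernel $kver: too old"; fi
    if fanotify_ready "$cfg"; then
        echo "fanotify with permission events: ok"
    elif config_has "$cfg" CONFIG_FANOTIFY; then
        echo "fanotify: present, but without permission events (scanning only, no blocking)"
    else
        echo "fanotify: not compiled in"
    fi
}

# Run as: sh fanotify-check.sh --check
if [ "${1:-}" = "--check" ]; then check_this_host; fi
```

The functions take their inputs as arguments, so you can also point config_has at a saved kernel config from another machine before deciding whether on-access scanning is worth setting up there.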
Malicious email links
Detection of malicious links in emails was previously an option in ClamAV (the SafeBrowsing setting in freshclam). It was based on Google’s Safe Browsing database, which was recently changed to require licensing for commercial products.
Is this necessary? It depends. If you are using a service like Gmail for your email, then you are probably well covered by Gmail’s extensive scanning features.
If, on the other hand, you are using an open-source email server that doesn’t provide the capability, you need something.
Cisco-Talos has taken the code they previously controlled for accessing the Google database and turned it into an open-source project you can use to pull down the Google database and build a ClamAV database from it. It’s available here.
Memory and running processes
We can’t find any reference to this in the documentation on the ClamAV website.
Some other sites claim there is a memory scanner on the Windows version. We haven’t tried it.
Compressed and Archive Files.
ClamAV will dig through compressed and archive formats such as ZIP, RAR and CPIO looking for infections. The list of types supported by ClamAV is as long as your arm. Note that it limits how much it will unpack (the MaxFileSize, MaxScanSize and MaxRecursion settings, or --max-filesize, --max-scansize and --max-recursion on the clamscan command line), so an oversized or deeply nested archive is only partially scanned rather than fully unpacked.
Actions on detection
ClamAV offers configurable options when a threat is detected:
- Notify to simply alert you. THIS IS THE DEFAULT! DUH!
- Move to move the file to a safe directory
- Copy to leave the file in place while copying to a safe directory
- Remove to simply delete the file
- Block (only for On-Access scans): do not allow access to the file
ClamAV will not “disinfect” files as some other anti-virus products claim to do. It’s not always possible, and you have no idea what else may have been tampered with in the file. Best to just chuck it.
The links below point to the official ClamAV documentation page, so you know the information is up-to-date.
Way more detail here for the on-demand processes.
Way more detail here for the real-time on scan processes.
Real-world installation recommendations
It all depends on how you are using your system.
Hosted email services like gmail provide excellent protection. If you are using one of these services, you may be better protected than you would be with just about any virus scanner. This is particularly the case if your email stays on those services and is not downloaded. Be sure to enable some form of two-factor authentication for all your email. It’s supported by all the major email providers.
Web browsing is the next vulnerability point. Modern browsers have a lot of protection features – if they are enabled. Check what features are available, and turn them all on. If something gets in the way, you can often turn it off for only the affected web site. At the time we write this, Brave and Firefox are our preferred choices. All major browsers have made great strides in security. Brave and Firefox are marketing themselves based on their privacy protection capabilities.
If it’s just a server running internal processes with little user interaction or internet access, and no files moving in or out, an occasional scan is probably enough. A straight clamscan is enough.
If you are actively browsing the web or allowing file movement to or from the Internet, we recommend at a minimum:
- Add the On-Access capability to all user-writeable directories. Don’t forget places like /tmp
- Twice daily scan of user-accessible directories – because something you already loaded might not have been in the virus detection database when you loaded it
- Daily or weekly scan of full system if you are not running On-Access.
Part 2: Installing and Running ClamAV
ClamAV Installation Checklist
We won’t detail the installation instructions here because:
- ClamAV’s own installation documentation is pretty good.
- It’s best to use the source documentation anyway. By the time we write our own, it could be out of date.
Virus database updates are configured in freshclam.conf (on Debian and Ubuntu it lives at /etc/clamav/freshclam.conf; elsewhere usually /etc/freshclam.conf, or under /usr/local/etc for a source install).
Adjust the following parameters:
- ReceiveTimeout: Change it to 300. The default of 30 seconds caused download failures on a lot of installations, ours included (check the freshclam.conf.sample that ships with your version for its current default).
- Checks: This is how many times per day freshclam checks for a new database. If you are running real-time/on-access scans, leave it at 24 (i.e. hourly). Otherwise, drop it to 6 or less: a new database only matters once the next scan starts, so there is little point checking for updates much more often than you scan. Tip: run and time a full scan on your system so you know how long one takes before choosing a schedule.
On Debian and Ubuntu the clamav-freshclam package runs freshclam as a background service that does this checking for you; on other systems you may have to start the freshclam daemon yourself or run freshclam from cron.
CRITICAL: Who’s running the scans? When? Where are you putting stuff?
So you install the product as a user, and run it… and you get a blizzard of messages about files being inaccessible. Probably because you are not the root user.
You need to ensure six things:
- You have permission to scan the files you want to scan
- You are properly scheduling the scans
- You have permission to make the changes you want to any infected file discovered
- If you are saving (quarantining) the infected file, it goes to a safe location
- When you run a scan, you are not scanning the quarantine location
- You have a record of the scans so you can check on things
Our recommendations:
- Run all scans as root. That way, nothing can hide.
- Run them from cron on a scheduled basis.
- Use the same directory, /var/log/clamav, to store everything, including the quarantine and the log files.
Create quarantine directory
Log in as root and:
- mkdir /var/log/clamav/quarantine
- chmod 600 /var/log/clamav/quarantine
If you sudo instead of logging in as root, add:
- chown root /var/log/clamav/quarantine
The chmod command removes execution privileges from the directory and makes it readable and writable only by the owner. On a directory the execute bit is what allows entering it, so with 600 only root (which ignores the bit) can get in, which is the point. chmod 700, the conventional mode for a private directory, gives the same protection against other users.
Run a test scan – with safe virus samples
EICAR (the European Institute for Computer Antivirus Research) publishes test files that are harmless but detected by all the major virus scanners. You can download them from here. ClamAV reports them as Eicar-Test-Signature with older databases and Win.Test.EICAR_HDB-1 with newer ones, so that is the string to look for in the output.
We suggest dropping a couple of EICAR files in:
- A user directory
- A directory not writable by users. We used /var/log/clamav to keep things tidy.
For a first quick scan, run this command:
- clamscan /var/log
You should notice some things from the output:
- Access denied messages. This happens if you are not running as root, and also on device nodes, sockets and other special files that are not regular files.
- Far too many messages. It lists every file it scans. So many that you will have trouble finding which is the virus.
- The scan file count is low compared to the number of messages. That’s because it doesn’t scan zero-length files.
- It didn’t scan any subdirectories. Because you didn’t tell it to.
Things you won’t see from the output:
- It didn’t do a thing to secure your system. The defaults action is to only identify infected files.
- The infected test file is still there, untouched. You didn’t specify an action, so it didn’t do anything.
Here’s how to properly scan:
- sudo clamscan -r --move=/var/log/clamav/quarantine -i --exclude-dir='^/var/log/clamav/quarantine' /var/log
Let’s go over all the parameters we added:
- sudo: run the process as root and give it access to all files.
- -r: Recursive. Also scan all the subdirectories of the directories we specify at the end of the command line.
- --move: This is one of the actions to take for any infected file detected. We are moving it to the directory specified. We listed the other possible actions above (--copy and --remove work the same way). Make sure the user running the scan has write permission to this directory.
- -i: Cut the output chatter down to the detected files only, not the result for every file scanned.
- --exclude-dir: Do not scan this directory. Of course we don’t want to scan it: it’s where we are sending the quarantined files. Otherwise it’s a vicious circle where the same files keep getting detected with every scan (and, with --copy, copied again each time). The argument is a regular expression matched against the directory path, not a plain path, so anchor it with ^ as shown. The related --exclude option takes a regular expression matched against file names instead.
- /var/log is the directory we want to scan. Because we specified -r, we will also scan its subdirectories. We can also list several directories. For example, for an intra-day scan of user directories, we could specify /tmp /home.
By default, the scan crosses into file systems mounted below the directories you name. If you want to leave out read-only file systems, or remotely mounted file systems that run their own scans, you have two options:
- Name the file systems you want to scan individually and add --cross-fs=no so that nothing mounted beneath them is scanned.
- Exclude the mount points explicitly, one --exclude-dir per mount point. For instance, if we don’t want to scan /mnt/cdrom and /mnt/othersystem, we add:
- --exclude-dir='^/mnt/cdrom' --exclude-dir='^/mnt/othersystem'
Scheduling and logging scans with cron
The standard method for scheduling things in Linux is the cron system. If you don’t know how to use it… start searching.
We’ll use the same parameters as above, and send the scan output to a timestamped log file.
To do a full system scan daily at noon and a user-directory scan at 5 PM, we suggest the following entries for root’s cron file. Each entry is a single line; % is special to cron, so inside the date command it has to be escaped as \%. The extra --exclude-dir entries keep the full scan out of /proc, /sys and /dev, which hold nothing worth scanning and can stall a recursive scan:
- 0 12 * * * clamscan -r -i --move=/var/log/clamav/quarantine --exclude-dir='^/var/log/clamav/quarantine' --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' -l /var/log/clamav/scan_full_`date +\%Y\%m\%d_\%H\%M\%S`.log /
- 0 17 * * * clamscan -r -i --move=/var/log/clamav/quarantine --exclude-dir='^/var/log/clamav/quarantine' -l /var/log/clamav/scan_users_`date +\%Y\%m\%d_\%H\%M\%S`.log /home /tmp
Remember: we are putting these entries in root’s cron file, so we don’t need sudo. We could add the sudo command, but it would fail because there is no way for cron to ask you for your password.
If you want to run it from another user’s cron file, a less secure method would be to set the setuid bit on the clamscan binary (chmod u+s /usr/bin/clamscan). We don’t recommend this because it gives every user root privileges inside the clamscan process, including the ability to read any file on the system and to move files anywhere. An example of the risk: you could scan the quarantine directory, find a virus, and move it back into your own directory!
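The quarantine setup, the clamscan options and the cron entries above are one procedure, and it is easier to keep them right in one small script than in two long crontab lines. The following is an added example written for this guide, not a script that ships with ClamAV. It keeps the guide’s paths (/var/log/clamav and the quarantine directory under it, overridable through the QUARANTINE and LOGDIR environment variables), assumes an install path of /usr/local/sbin/clamav-scan.sh for the cron entries, and turns clamscan’s exit status (0 clean, 1 something found, 2 error) into a line you can grep for in the log.

```shell
#!/bin/sh
# Added example, not ClamAV's own script: wraps the clamscan invocation used in
# the cron entries above so the scheduled job is one short line.
set -eu

QUARANTINE=${QUARANTINE:-/var/log/clamav/quarantine}
LOGDIR=${LOGDIR:-/var/log/clamav}

# Root-owned, private quarantine directory. 700 rather than 600: on a directory
# the execute bit is what permits entering it (root ignores it, 700 is simply
# the conventional mode for a private directory).
ensure_quarantine() {
    mkdir -p "$1"
    chmod 700 "$1"
    if [ "$(id -u)" -eq 0 ]; then chown root "$1"; fi
}

# Timestamped log name. Because this runs from a script rather than straight
# from a crontab line, the % characters need no backslashes.
log_path() {
    echo "$LOGDIR/scan_$1_$(date +%Y%m%d_%H%M%S).log"
}

# clamscan exit status: 0 clean, 1 something was found, 2 an error occurred
# (unreadable files, bad option). Cron only mails you the output, so make the
# verdict a line worth grepping for.
describe_exit() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "INFECTED: files moved to $QUARANTINE, see the scan log" ;;
        2) echo "ERROR: clamscan reported an error, check the scan log" ;;
        *) echo "UNKNOWN exit status $1" ;;
    esac
}

# $1 is a label for the log file (full, users, ...); the rest are paths to scan.
run_scan() {
    label=$1; shift
    command -v clamscan >/dev/null || { echo "clamscan not installed" >&2; return 2; }
    ensure_quarantine "$QUARANTINE"
    logfile=$(log_path "$label")
    set +e
    # --exclude-dir is a regex matched against the directory path; anchor it with
    # ^ so it cannot match an unrelated path that merely contains the text.
    # /proc, /sys, /dev and /run hold nothing worth scanning and /proc/kcore
    # alone can stall a scan of /, so keep them out.
    clamscan -r -i "--move=$QUARANTINE" "--exclude-dir=^$QUARANTINE" \
        --exclude-dir='^/proc' --exclude-dir='^/sys' \
        --exclude-dir='^/dev' --exclude-dir='^/run' \
        -l "$logfile" "$@"
    rc=$?
    set -e
    echo "$(date '+%F %T') $label scan: $(describe_exit "$rc")" | tee -a "$logfile"
    return "$rc"
}

# Cron entries for root (assumed install path /usr/local/sbin/clamav-scan.sh):
#   0 12 * * * /usr/local/sbin/clamav-scan.sh full /
#   0 17 * * * /usr/local/sbin/clamav-scan.sh users /home /tmp
if [ "$#" -ge 2 ]; then run_scan "$@"; fi
```

The script exits with clamscan’s own status, so cron’s mail (or whatever collects the job output) tells you at a glance whether the run was clean, found something, or failed to complete.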
Test, test, test
- Make sure the log files are being created by the cron runs. If they don’t show up, then the scan probably didn’t run.
- Drop copies of the EICAR files into various directories to ensure they are being caught
- Between tests, move the EICAR files from the quarantine directory back to locations where they will be caught.
- Check the freshclam log file (/var/log/freshclam.log) to ensure your freshclam database is being updated as expected.
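Two of those checks can be scripted. The block below is an added example for this guide, not ClamAV code: it writes the 68-byte EICAR string to a file (the string is public and safe; any real scanner only reacts to it by name), confirms the file is well-formed, and reads the build time straight out of the header of daily.cvd or daily.cld, which is the ground truth for “is freshclam actually updating?” regardless of what the log says. It assumes the usual database directory /var/lib/clamav, and the header layout is the documented ClamAV-VDB format (colon-separated, 512 bytes, ninth field the build time in seconds since the epoch).

```shell
#!/bin/sh
# Added example (not ClamAV's own code): EICAR test-file helpers and a
# database freshness check that reads the .cvd/.cld header directly.
set -eu

# The EICAR string must be the first 68 bytes of the file (trailing whitespace
# is tolerated). printf '%s' writes it without the shell touching it.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

write_eicar() {
    printf '%s' "$EICAR" > "$1"
}

# True when file $1 starts with the 68-byte EICAR string.
eicar_ok() {
    [ "$(head -c 68 "$1")" = "$EICAR" ]
}

# A ClamAV database starts with a 512-byte colon-separated header:
#   ClamAV-VDB:<build date>:<version>:<signatures>:<functionality level>:
#   <md5>:<digital signature>:<builder>:<build time, seconds since the epoch>
# Field 9 (the epoch time) is the one that is easy to compare with the clock.
db_build_epoch() {
    [ "$(head -c 10 "$1")" = "ClamAV-VDB" ] || return 1
    head -c 512 "$1" | cut -d: -f9 | tr -cd '0-9'
}

# Age of database $1 in whole days.
db_age_days() {
    epoch=$(db_build_epoch "$1") || { echo "no ClamAV-VDB header in $1" >&2; return 1; }
    echo $(( ( $(date +%s) - epoch ) / 86400 ))
}

# Only the daily database changes often; main.cvd is rebuilt rarely, so its
# age says nothing about whether freshclam works. Returns 1 when daily.cvd or
# daily.cld in $1 (default /var/lib/clamav) is older than $2 days (default 2).
check_daily_db() {
    dir=${1:-/var/lib/clamav}; max=${2:-2}; found=0; stale=0
    for db in "$dir/daily.cvd" "$dir/daily.cld"; do
        [ -f "$db" ] || continue
        found=1
        age=$(db_age_days "$db")
        ver=$(head -c 512 "$db" | cut -d: -f3)
        if [ "$age" -gt "$max" ]; then
            echo "STALE: $db version $ver is $age days old"
            stale=1
        else
            echo "ok: $db version $ver is $age days old"
        fi
    done
    [ "$found" -eq 1 ] || { echo "no daily database in $dir" >&2; return 1; }
    return "$stale"
}

# Run as: sh clamav-verify.sh --eicar /home/someone/eicar.com
#     or: sh clamav-verify.sh --check [/var/lib/clamav]
case "${1:-}" in
    --eicar) write_eicar "$2" && eicar_ok "$2" && echo "wrote $2" ;;
    --check) check_daily_db "${2:-/var/lib/clamav}" ;;
esac
```

Drop the EICAR file where the next scheduled scan will see it, then look for it in the quarantine directory and in the scan log; if the daily database comes back STALE, fix freshclam before trusting any of the scan results.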
AppArmor and SELinux considerations
AppArmor and SELinux are mandatory access control systems that increase security on Linux systems. Their rules can get pretty convoluted and are applied on top of the normal UNIX file permissions, so even a scan running as root can be denied access.
AppArmor is enabled by default in recent versions of Ubuntu, and SELinux is usually installed and enforcing on Red Hat and CentOS. Both may interfere with ClamAV’s file access. For the real Linux geeks: AppArmor provides features considered similar to SELinux, but is reportedly a lot easier to configure. A lot of installations simply disable SELinux; we don’t recommend that. The Red Hat and CentOS policy has a boolean for exactly this case: check it with getsebool antivirus_can_scan_system and turn it on with setsebool -P antivirus_can_scan_system 1.
AppArmor ships with “profiles” to allow it to work with different software, including things like ClamAV, Firefox, OpenLDAP and others. More info here: https://wiki.ubuntu.com/Security/Features#apparmor
If you want some hand-holding, this site for Ubuntu has the most thorough installation guide we’ve found covering issues around AppArmor. This site for Red Hat and CentOS covers the same issues for SELinux.
Part 3: Real-Time/On-Access Scans
We’re working on that.
Part 4: Other critical security issues
Yes, anti-virus is important.
On Linux and other systems, other factors may be equally or more important.
Two-factor authentication (2FA) for email and VPN access
If all you are using is a password, or a password and/or a key file, for your email or VPN access, your account is at risk. There are far too many ways to capture your credentials.
Every major email system and most VPNs support secure 2FA mechanisms.
A text message is considered the least secure 2FA method. There are many documented and affordable ways to intercept text messages or to take over a phone number (SIM swapping).
The most secure methods are:
- A 2FA phone app. Google has sign-in prompts built into Android, and apps like Google Authenticator generate time-based one-time codes (TOTP) from a secret shared with the service when you enrol; these are used by services like Slack, Zoom and others. The code is tied to that secret on the enrolled phone, not to anything the attacker can intercept in transit.
- A hardware security key (FIDO U2F/FIDO2) that signs each sign-in with a private key that never leaves the device and is bound to the site’s origin, which also defeats phishing pages. Yubikey is a popular one. Yubikey and others are now supported by Gmail and Yahoo mail.
Scheduling full system updates
Possibly the most severe vulnerability for any system that can access the Internet, or is in reach of a system with Internet access, is an unpatched flaw in a service listening on the network. Malicious systems continuously probe ports and applications for known weaknesses, and you don’t have to do anything to be targeted. A true zero-day has no patch yet; what prompt patching buys you is the shortest possible window between a fix being published and your system getting it.
For systems with general Internet access, daily or at minimum weekly system updates need to be scheduled. Critical systems may need separate test systems before applying patches, but if they are exposed to the Internet, the sooner the better. Just like Microsoft has Patch Tuesday, you should be updating your software at least once a week. Debian and Ubuntu can do this for you with the unattended-upgrades package, and Fedora, Red Hat and CentOS with dnf-automatic (yum-cron on older releases).
Enabling the operating system firewall
Windows and Linux systems all have built-in firewalls. Your firewall should be configured and enabled, even behind your site’s main firewall, because something may have got past that firewall to another system inside your network that can then attack yours. All it takes is one careless user to bring in a malicious file through email or a browser, and then that process has access to your entire network.
Shutting down unnecessary services or using the secure equivalents
If you don’t need a service like telnet or ftp, then make sure the daemon process for it isn’t being started. Use the secure equivalent: ssh instead of telnet, and sftp (which runs over ssh as a subsystem, so it needs no separate daemon) instead of ftpd.
If you only need a service occasionally, then only fire it up occasionally. Your system performance will thank you.
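Before deciding what to shut down and what the host firewall must still allow, it helps to see what is actually listening. The script below is an added example for this guide (not from the author or any project): report_listeners reads ss -tln output and flags the cleartext services named above, and enable_firewall applies a deny-inbound baseline with ufw. It assumes iproute2’s ss for the listener list and Ubuntu’s ufw front end for the firewall; firewalld or nftables hosts need the equivalent commands. The port-to-service table and the sample ss output in the test are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the guide's author or any project): list listening
# ports, flag cleartext services, and apply a baseline host firewall with ufw.
set -eu

# Well-known cleartext services and their replacements. Constructed for this
# example; extend to taste.
flag_port() {
    case "$1" in
        21)       echo "ftp (cleartext; use sftp over ssh instead)" ;;
        23)       echo "telnet (cleartext; use ssh instead)" ;;
        513|514)  echo "rlogin/rsh (cleartext; use ssh instead)" ;;
        *)        return 1 ;;
    esac
}

# Read `ss -tln` output on stdin and print one line per listening socket,
# marking the ones flag_port knows about. Column 4 is Local Address:Port, e.g.
# 0.0.0.0:22 or [::]:21; the port is everything after the last colon.
report_listeners() {
    awk 'NR > 1 && $1 == "LISTEN" { print $4 }' | while IFS= read -r addr; do
        port=${addr##*:}
        if note=$(flag_port "$port"); then
            echo "$addr  REVIEW: $note"
        else
            echo "$addr  ok"
        fi
    done
}

# Baseline host firewall: deny inbound by default, keep outbound, allow ssh.
# Needs root and cuts off anything not explicitly allowed, so run deliberately.
enable_firewall() {
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow OpenSSH
    ufw --force enable
    ufw status verbose
}

# Run as: sh host-baseline.sh listeners   (any user)
#     or: sudo sh host-baseline.sh firewall
# A flagged service is stopped for good with: systemctl disable --now <unit>
case "${1:-}" in
    listeners) ss -tln | report_listeners ;;
    firewall)  enable_firewall ;;
esac
```

Anything that reports ok still deserves a look: a database or printer daemon bound to 0.0.0.0 rather than 127.0.0.1 is reachable from the whole network, and the firewall is your second line of defence when that happens.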
ClamAV is a reasonable anti-virus system for most users in configurability, capabilities and virus detection. According to Shadowserver.org statistics, it’s definitely competitive with the commercial products.
What I love about it is that it does one thing only, and it does that good, well behaved and lightweight. It does not try to be a corporate-enterprise-antivirus-firewall-spamfilter-webfilter-adblocker-memory optimizer-mailscanner-a pack of condoms-and a fucking helmet-security-solution which hogs your resources and can’t be uninstalled.
You need to spend some time properly installing it, keeping its threat database updated and scheduling scans as appropriate.
And don’t forget all the other system updates and your firewall.
Comment? Rage? Compliment? Indignation? Let us know here.