@monsieurDuke
Last active July 3, 2024 23:28

ClamAV Setup: Ubuntu

Intro

  • Default Version : v0.103.11 LTS (Ubuntu 22.04 & 20.04), v0.103.8 (Ubuntu 18.04)
  • Latest Version : v1.3.1 (clamav-1.3.1.linux.x86_64.deb)
  • Port : 3310/tcp
  • Req. RAM : 3 - 4 GB
  • Req. CPU : 1 CPU @ 2.0 GHz
  • Req. Disk Space : 5 GB
  • Signature Update Interval : 30 mins

Key to the symbols used when editing text files with nano: ~ change, - comment out / delete, + add

  • The PATHs differ between a ClamAV install from the package manager and one from the GitHub repository: binaries move from /usr/[s]bin/ to /usr/local/[s]bin/, and config files move from /etc/clamav/ to /usr/local/etc/
  • Make sure the system's kernel configuration has File Access Notification (FANOTIFY) enabled. ClamAV relies on it for real-time scanning & blocking of accessed files. If both options read "is not set", check troubleshoot

Setup ClamAV

Install & Config

sudo apt-get update && sudo apt-get upgrade
sudo apt-get install clamav clamav-daemon unzip wget curl
sudo mkdir -p /var/isolate
sudo chmod 640 /etc/clamav/freshclam.conf
sudo nano /etc/clamav/freshclam.conf 
  ~ LogSyslog true
  ~ TestDatabases no
  ~ Checks 48
sudo nano /etc/clamav/clamd.conf
  - # LocalSocket /var/run/clamav/clamd.ctl
  - # LocalSocketGroup clamav
  - # LocalSocketMode 666 
  ~ User root   
  ~ LogSyslog true
  + TCPSocket 3310
  + TCPAddr 127.0.0.1
  + OnAccessIncludePath /home
  + OnAccessExcludePath /var/log
  + OnAccessExcludePath /var/isolate
  + OnAccessPrevention yes
  + OnAccessExcludeUname clamav
  + OnAccessExtraScanning yes
sudo nano /lib/systemd/system/clamav-daemon.service
  ~ StandardOutput=journal  
sudo systemctl daemon-reload
sudo systemctl enable clamav-daemon.service clamav-freshclam.service
sudo systemctl stop clamav-daemon.service clamav-freshclam.service

Upgrade Version

cd ~
wget https://github.com/Cisco-Talos/clamav/releases/download/clamav-1.3.1/clamav-1.3.1.linux.x86_64.deb
sudo dpkg -i ./clamav-1.3.1.linux.x86_64.deb
which clamd freshclam clamdscan clamonacc
sudo nano /lib/systemd/system/clamav-daemon.service
  ~ ExecStart=/usr/local/sbin/clamd --foreground=true

sudo nano /lib/systemd/system/clamav-freshclam.service
  ~ ExecStart=/usr/local/bin/freshclam -d --foreground=true
sudo cp /etc/clamav/*.conf /usr/local/etc/

On-Access Scanning

grep FANOTIFY /boot/config-$(uname -r)
  CONFIG_FANOTIFY=y
  CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
sudo touch /usr/local/sbin/start-clamonacc.sh
sudo chmod 777 /usr/local/sbin/start-clamonacc.sh
sudo nano /usr/local/sbin/start-clamonacc.sh
  + #!/bin/bash
  + PATH="$(printenv PATH)"
  + pid=$(pidof clamonacc) && kill -9 $pid 2>> /tmp/reboot_test.log
  + /usr/local/sbin/clamonacc --move=/var/isolate/ --log=/var/log/clamav/clamav-scan.log --config-file=/etc/clamav/clamd.conf

Nightly File System Scanning

sudo touch /usr/local/sbin/start-clamdscan.sh
sudo chmod 777 /usr/local/sbin/start-clamdscan.sh
sudo nano /usr/local/sbin/start-clamdscan.sh
  + #!/bin/bash
  + PATH="$(printenv PATH)"
  + /usr/local/bin/clamdscan --move=/var/isolate/ --log=/var/log/clamav/clamav-scan.log --config-file=/etc/clamav/clamd.conf --stream /home/ /opt/ /tmp/

Scheduling

sudo crontab -e
  + * * * * * /usr/local/sbin/start-clamonacc.sh 2>> /tmp/clamav-dump.log
  + 0 0 * * * /usr/local/sbin/start-clamdscan.sh 2>> /tmp/clamav-dump.log
sudo crontab -l
sudo systemctl restart clamav-daemon.service clamav-freshclam.service
sudo systemctl status clamav-daemon.service clamav-freshclam.service

Setup Sandbox

Install & Config

sudo apt-get install firejail
sudo chown -R root:clamav /var/isolate/
sudo chmod -R 730 /var/isolate/  
sudo cp ~/.bashrc /var/isolate/
sudo nano /etc/firejail/sandbox.profile
  + seccomp
  + net none
  + ipc-namespace
  + caps.drop all
  + x11 none
  + private /var/isolate/

Testing

curl https://secure.eicar.org/eicar.com.txt > ~/eicar.txt
sudo su
firejail --profile=/etc/firejail/sandbox.profile

Audit

journalctl -xe
ps axjf | grep clam
sudo tail -f /tmp/clamav-dump.log
sudo tail -f /var/log/clamav/clamav.log
sudo tail -f /var/log/clamav/clamav-scan.log
sudo tail -f /var/log/clamav/freshclam.log
mem() { ps -eo rss,pid,euser,args:100 --sort %mem | grep -v grep | grep -i $@ | awk '{printf $1/1024 " MB"; $1=""; print }'; }
mem cron
mem clamd
mem clamonacc
mem freshclam
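Added example, not part of the gist: two checks a practitioner would run after the setup above. The first confirms the kernel exposes fanotify with permission events (otherwise OnAccessPrevention cannot block anything); the second summarises clamav-scan.log and flags detections that were never moved to /var/isolate. The kernel config and log lines below are constructed samples written to a temp dir; paths follow the gist.

```shell
#!/bin/bash
# Added example (not from the gist). Assumes the gist's paths; inputs are constructed.

# Returns 0 only if both fanotify options are built in (=y); clamonacc needs
# CONFIG_FANOTIFY_ACCESS_PERMISSIONS for blocking, not just notification.
fanotify_ok() {                       # $1 = kernel config file (default: running kernel)
    local cfg="${1:-/boot/config-$(uname -r)}"
    grep -q '^CONFIG_FANOTIFY=y' "$cfg" &&
    grep -q '^CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y' "$cfg"
}

# Reads a clamdscan/clamonacc log and prints "found=<n> unmoved=<n>", where
# "unmoved" counts FOUND files with no matching "moved to" line (e.g. quarantine
# dir not writable), which means the threat is still in place.
scan_summary() {                      # $1 = log file
    awk '
        / FOUND$/    { found++; sub(/: .* FOUND$/, ""); f[$0] = 1 }
        / moved to / { sub(/: moved to .*$/, ""); delete f[$0] }
        END {
            unmoved = 0
            for (p in f) unmoved++
            printf "found=%d unmoved=%d\n", found + 0, unmoved
        }' "$1"
}

# Constructed inputs so the checks run offline.
tmp=$(mktemp -d)
printf 'CONFIG_FANOTIFY=y\nCONFIG_FANOTIFY_ACCESS_PERMISSIONS=y\n' > "$tmp/config-good"
printf 'CONFIG_FANOTIFY=y\n# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set\n' > "$tmp/config-bad"
cat > "$tmp/clamav-scan.log" <<'EOF'
/home/alice/eicar.txt: Win.Test.EICAR_HDB-1 FOUND
/home/alice/eicar.txt: moved to '/var/isolate/eicar.txt'
/opt/app/sample.bin: Constructed.Sample.Signature FOUND
EOF

fanotify_ok "$tmp/config-good" && echo "fanotify: ok"
fanotify_ok "$tmp/config-bad"  || echo "fanotify: permission events missing, check troubleshoot"
scan_summary "$tmp/clamav-scan.log"   # found=2 unmoved=1
```

Run it against the real system with `fanotify_ok` (no argument) and `scan_summary /var/log/clamav/clamav-scan.log`.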

Reference
