By beginningubuntu at 2007-04-18 06:41
This is one of the most important guides on LinuxQuestions.org, but also one of the most useless. It describes how to install comprehensive virus scanning software for desktop Linux users.

It's a useless guide because we all know that there are no Linux viruses "in the wild", which is to say, actively infecting computers. But that's not to say the situation will stay that way. With the unexpectedly poor showing of the latest version of Windows, more and more people are turning to Linux. Virus authors are sure to follow.

The guide below looks at installing the open source ClamTK software, and is extracted from Chapter 9 of Beginning Ubuntu Linux, Second Edition (published April 2007). The entire chapter looks at security, including common-sense Linux security measures and also configuring a bullet-proof firewall.



The guide is written for Ubuntu Edgy Eft (6.10), but with minor adapting should be good for all other versions, including the upcoming Feisty Fawn (7.04).

Adding Virus Scanning to Ubuntu
The following instructions describe how to install ClamTk, which is a graphical front-end for the Clam AntiVirus (ClamAV) antivirus program (http://www.clamav.net). Clam AntiVirus is an open source, industrial-strength antivirus scanner designed to work on all kinds of computers and operating systems. It detects Windows and even Macintosh viruses, as well as the minority Linux and Unix viruses. This has obvious benefits if you share files with Windows users—you can inform your friends and colleagues if any files they give you are infected (and bask in the warm feeling that arises when you realize the viruses can't affect your system!).

Clam AntiVirus's only drawback is that it is limited just to virus scanning. It isn't able to disinfect files, like the more sophisticated virus scanners available for Windows. However, it should be noted that disinfection rarely works very well.

I discuss the options for dealing with infected files later, but first I discuss installing ClamTk and performing virus scans.

Installing ClamTk
You must install Clam AntiVirus first, and then install the ClamTk graphical front-end separately. This is because, at the time of this writing, there is a bug in the Clam AntiVirus software package for Ubuntu 6.10 that means a minor extra step is necessary to install it.

Note This bug may have been fixed by the time you read this. However, the following instructions will still work fine.

Start by opening a terminal window (Applications -> Accessories -> Terminal). At the command prompt in the window that appears, type the following:

Code:
sudo apt-get install clamav
This will download and install not only Clam AntiVirus but also some of its dependencies. Once the download and installation have completed, look at the last lines of the command output. If they read similar to the following lines, then enter sudo apt-get install clamav once again to complete the installation successfully:

Code:
Errors were encountered while processing: 
ClamAV-base 
ClamAV-freshclam 
ClamAV 
E: Sub-process /usr/bin/dpkg returned an error code (1)
If you don't see the error message, then there's no need to repeat the command.

Following this, install ClamTk using the following command:

Code:
sudo apt-get install clamtk
This will also install a number of additional dependency packages.

Caution clamav and clamtk are contained in the Ubuntu “universe” repository, which isn't activated by default. You can find instructions showing how to activate this online, or by following the instructions in Chapter 8 of Beginning Ubuntu Linux, Second Edition, under the “Setting Up Online Software Repositories” heading.

Updating the Clam AntiVirus Database
Before you scan for viruses, you should update the virus database. This should be done every time you scan and can be done using the ClamTk program.

Note When you installed Clam AntiVirus, it added a background service called freshclam that periodically downloads updates for Clam AntiVirus's database. However, manually updating before scanning is also a good idea, to ensure you're always using the very latest version of the database at the time of scanning.

In order to update the database, ClamTk needs to access system files, so it needs to be run with root powers. To do this, open a Terminal window by clicking Accessories -> Terminal. Then type gksu clamtk, and press Enter. Enter your password when prompted.

Note gksu is like sudo, in that it gives the program you specify administrator powers, except that it's used for GUI applications.

Click Help -> Update Signatures. Updating can take a few moments, and you'll see a progress report in the ClamTk window beneath the toolbar.

Note When Clam AntiVirus is first installed, it automatically grabs the latest database file, so ClamTk will probably report it's already up to date the first time an update is run.

It's also possible to update Clam AntiVirus without using ClamTk—just type sudo freshclam in a terminal window.

Note When updating using the freshclam command, you might see a warning that your version of Clam AntiVirus is out of date. This is because the Ubuntu packages are sometimes a version or two behind the main release. However, this isn't a significant issue, and Clam AntiVirus will still be able to scan for viruses, and virus definitions will stay up to date.

Scanning for Viruses
With Windows virus scanners, you might be used to performing whole system scans. This isn't advisable with Clam AntiVirus, because it simply isn't designed for that task. Instead, Clam AntiVirus is designed to scan user files, such as documents.

Note In actual fact, Clam AntiVirus is primarily designed to be used in concert with a mail server and to scan incoming or outgoing mail attachments. See the “about” page at the Clam AntiVirus web site.

You can try performing a full system scan, but in my tests, several false positives were identified, meaning that Clam AntiVirus identified innocent files as containing viruses. For more details about this, see the “Dealing with Infections” section later in this excerpt.

Because of this, it's best to use Clam AntiVirus simply to scan your personal files for viruses, which is to say, those within your /home directory. Bear in mind that this is where all files you import to your computer will likely be placed, so this is where an infection is most likely to be found.

To scan your personal files, follow these instructions:
  1. Start ClamTk by clicking Applications -> Accessories -> Virus Scanner.

  2. Before starting the scan, it's useful to ensure hidden files are scanned. After all, a virus is likely to try to hide, rather than make its presence obvious! This can be done by clicking Options -> Scan Hidden Files (.*).

    Note Resist the temptation at this stage to select Delete Infected Files on the Options menu. This is because ClamTk might return a false positive—a file that it thinks contains a virus but that is actually perfectly safe. It's better to deal with viruses after they've been found on a one-by-one basis, rather than automatically.

  3. Although there's a button on the toolbar that lets you scan your /home directory with a single click, it won't scan recursively, which is to say, it won't scan any folders (or folders of folders) within your /home directory. This isn't much use, so to perform a recursive scan of your /home directory, click File -> Recursive Scan. Then click the OK button on the Select a Directory (Recursive Scan) file open dialog box. This will select your /home directory. Of course, you can also select any other folder to scan at this stage.

  4. The scan will start. Depending on the quantity of files in your /home directory and their sizes, it may take some time. You'll see a live status report beneath the toolbar, showing what file is currently being scanned. When the status line reads Scanning Complete, the scan has finished. Running along the bottom of the window will be a complete status report, showing the number of files scanned and the number of viruses found, if any. See the screenshot below for an example. If any viruses are found, move on to the “Dealing with Infections” section.




Dealing with Infections
If any viruses are found they will be listed in the ClamTk program window. The type of virus that's allegedly infecting the file will be listed under the Status column. See the screenshot below for an example.

Be aware that ClamTk sometimes reports a virus when it simply can't access a particular file, perhaps because of file permission problems. If this is the case, you'll see Access Denied or Can't Open Directory in the Status column. You can ignore these files.

Tip If you really want to scan such files, run ClamTk with superuser powers: open a terminal window (Applications -> Accessories -> Terminal), and type gksu clamtk.



Entries in the list can be right-clicked and quarantined or deleted. Quarantining is where the file is moved to a special directory for inspection or deletion later on, and you can manage quarantined files using the Quarantine -> Maintenance menu.

While the impulse might be to simply delete the file, you should be cautious. Be aware that ClamTk might be reporting a false positive—a file that it thinks is infected with a virus, but which isn't. This is rare but can happen. If you do find a file you know is a false positive, right-click it and select Quarantine. Then click Quarantine -> Maintenance, and in the list, select the file, and click False Positive. This will ensure it's ignored next time you scan.
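The recursive scan of your /home directory and the quarantine-rather-than-delete handling described above, done from a terminal instead of the ClamTk window, as an added example that is not from the book. It updates the signatures with freshclam, scans a directory recursively (hidden files included), separates files ClamAV could not open from real detections, and moves flagged files into a quarantine directory with a log of where they came from. The clamscan and freshclam commands come with the clamav package; the quarantine directory path is an assumption, not ClamTk's own.

```shell
#!/bin/sh
# Terminal equivalent of ClamTk's recursive home scan (hidden files included),
# quarantining hits instead of deleting them. Added example, not from the book.
# Assumes the clamav package (clamscan, freshclam) is installed; the quarantine
# directory below is an assumed location, not ClamTk's own.
set -eu
QUARANTINE="${QUARANTINE:-$HOME/.clamav-quarantine}"

# Print "path<TAB>signature" for each line of clamscan output that ends in FOUND.
# clamscan reports one line per file, e.g. "/home/me/x.html: HTML.Phishing.Gold FOUND".
parse_hits() {
    awk -F': ' '/ FOUND$/ { sig = $NF; sub(/ FOUND$/, "", sig); printf "%s\t%s\n", $1, sig }' "$1"
}

# Files clamscan could not read are reported as "...: Can't open ... ERROR" or
# "...: Access denied. ERROR". They are not infections, only unscanned files.
count_errors() {
    grep -c 'ERROR$' "$1" || true
}

# Move a flagged file into quarantine and log where it came from, so a false
# positive can be put back by hand. Prints the quarantined path.
quarantine_file() {
    file="$1"; sig="$2"; qdir="$3"
    mkdir -p "$qdir"
    dest="$qdir/$(date +%Y%m%d%H%M%S)-$(basename "$file")"
    mv "$file" "$dest"
    printf '%s\t%s\t%s\n' "$dest" "$file" "$sig" >> "$qdir/quarantine.log"
    echo "$dest"
}

# Update signatures, then scan a directory recursively. clamscan descends into
# dotfiles and dot-directories by default, so hidden files are covered.
scan_dir() {
    dir="${1:-$HOME}"
    log=$(mktemp)
    sudo freshclam
    # Exit status 1 only means "something was found"; keep going and read the log.
    clamscan -r --exclude-dir="^$QUARANTINE" "$dir" > "$log" || true
    echo "Files that could not be scanned: $(count_errors "$log")"
    parse_hits "$log" | while IFS="$(printf '\t')" read -r path sig; do
        echo "$path ($sig) -> $(quarantine_file "$path" "$sig" "$QUARANTINE")"
    done
    rm -f "$log"
}

if [ "${1:-}" = "--scan" ]; then scan_dir "${2:-$HOME}"; fi
```

Run it as `sh scan.sh --scan` to scan your home directory, or `sh scan.sh --scan /some/folder` for another directory; look each signature name up before deciding whether a quarantined file was a real hit.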

So what should you do if you find a file is infected? First, don't panic! Remember that practically all viruses that Clam AntiVirus is likely to find are targeted at Windows systems and don't affect Linux.

Note If we assume there are 120,000 viruses for Windows and 50 for Linux, then in theory, there's 99.999% chance that any virus Clam AntiVirus finds will be a Windows virus!

Next, look at the name of the virus under the Status heading, and look it up online to learn more about it. This is the point at which you'll learn if it's a Linux virus and, if so, its potential impact on your system.

In the example shown in the screenshot, the virus ClamTk found is called HTML.Phishing.Gold, so I searched for this using Google. It transpires that this isn't a threat to Linux.

Note In addition to searching for HTML.Phishing.Gold, I also added “ClamAV” to the search string to see if there was any specific information. This is where I might have learned if the report was a false positive.

If the file is located in your Firefox cache, as in my example, then there's nothing to worry about, and the file can be deleted with impunity—just right-click and select Delete from the menu. In fact, this is where you're most likely to find virus infections, because this is where all the files are temporarily downloaded when you're browsing the web (including HTML files, images, and so on). But, once again, you should remember that most nefarious web sites that attempt to spread virus infections are targeted at Windows users, usually via security holes within Internet Explorer. As a Linux user using the Firefox web browser, you have far less to worry about.
