Using Linux as a Virus Prevention for Windows PC's

\/4A · 11-21-2013, 01:16 PM

Hi,

A friend has a small printing press and uses Windows PC's for making their artworks. Their clients bring designs on flash disks and for this reason they're always having problems with viruses even though having regular updates of their anti-virus.

I suggested they place one Linux PC which they would use to scan and clear (all virus threats) all incoming flash disks with ClamAV before inserting them into any of the Windows PC's.

For this reason I've setup a PC with Fedora 19 (Gnome) and installed ClamAV.

I'm trying to update ClamAV but experience the following error:

Code:

[graphic@localhost ~]$ sudo freshclam
ERROR: Can't create temporary directory /var/lib/clamav/clamav-2fb4c1db1706cd9384187cdfa60f7bd4.tmp
Hint: The database directory must be writable for UID 990 or GID 988

Would really appreciate some help on this, pls.

schneidz · 11-21-2013, 01:25 PM

can you show us the output of:

Code:

stat /var/lib/clamav/

TobiSGD · 11-21-2013, 01:28 PM

As the error message states, freshclam tries to write to /var/lib/clamav/ as an unprivileged user with the UID 990 and the GID 988. To do that either the user with that ID or the group with that ID have to have write access to that directory, which seems not to be the case on your system. Just change the ownership of that directory, for example with

Code:

sudo chown 990:988 /var/lib/clamav

\/4A · 11-21-2013, 02:09 PM

Quote:

Originally Posted by schneidz

can you show us the output of:

Code:

stat /var/lib/clamav/

Thanks. Here's the result:

Code:

  File: ‘/var/lib/clamav/’
  Size: 4096      	Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d	Inode: 1310887     Links: 2
Access: (0755/drwxr-xr-x)  Uid: (   64/ UNKNOWN)   Gid: (   64/ UNKNOWN)
Context: system_u:object_r:antivirus_db_t:s0
Access: 2013-10-09 07:28:47.000000000 -0400
Modify: 2013-11-21 13:12:30.262520471 -0500
Change: 2013-11-21 14:04:22.078393657 -0500
 Birth: -
[graphic@localhost ~]$

\/4A · 11-21-2013, 02:12 PM

Quote:

Originally Posted by TobiSGD

As the error message states, freshclam tries to write to /var/lib/clamav/ as an unprivileged user with the UID 990 and the GID 988. To do that either the user with that ID or the group with that ID have to have write access to that directory, which seems not to be the case on your system. Just change the ownership of that directory, for example with

Code:

sudo chown 990:988 /var/lib/clamav

Thanks. It works.
It did however give some warnings though:

Code:

[graphic@localhost ~]$ sudo freshclam
ClamAV update process started at Thu Nov 21 15:09:57 2013
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
WARNING: getfile: daily-17942.cdiff not found on remote server (IP: 130.59.10.36)
WARNING: getpatch: Can't download daily-17942.cdiff from database.clamav.net
WARNING: getfile: daily-17942.cdiff not found on remote server (IP: 193.1.193.64)
WARNING: getpatch: Can't download daily-17942.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-17942.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Downloading daily.cvd [100%]
daily.cvd updated (version: 18143, sigs: 527027, f-level: 63, builder: jesler)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 233, sigs: 44, f-level: 63, builder: dgoddard)
Database updated (2951296 signatures) from database.clamav.net (IP: 130.59.10.36)
[graphic@localhost ~]$ sudo freshclam
ClamAV update process started at Thu Nov 21 15:10:35 2013
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cvd is up to date (version: 18143, sigs: 527027, f-level: 63, builder: jesler)
bytecode.cvd is up to date (version: 233, sigs: 44, f-level: 63, builder: dgoddard)
[graphic@localhost ~]$

\/4A · 11-21-2013, 02:15 PM

How can I configure ClamAV in such a way that when a virus (or threat) is discovered in a flash disk, it repairs (or removes the virus) and not the (infected) file itself?
I'm fearing that their client could bring an infected file and ClamAV would end up deleting the file (GOSH, that would be terrible).

schneidz · 11-21-2013, 02:32 PM

not sure... would making a dd image of the drive before-hand make sense ?

\/4A · 11-22-2013, 12:34 AM

Don't think anything techie would be possible - they're just being introduced to Linux and anything techie would put them off.

It's really funny that ClamAV just deletes infected files instead of repairing them (or have I been given wrong info?)

\/4A · 11-24-2013, 01:12 AM

I just did a scan of an infected USB Flash and guess what. ClamAV said it was clean even though I updated ClamAV's virus signatures before running the scan.

devnull10 · 11-24-2013, 04:44 PM

Maybe an obvious question (and I don't know the answer to!) but does the linux version of clamav detect windows viruses?

suicidaleggroll · 11-24-2013, 06:16 PM

Quote:

Originally Posted by devnull10

Maybe an obvious question (and I don't know the answer to!) but does the linux version of clamav detect windows viruses?

Yes, that's its main use, since Linux virii are almost non-existent.

Quote:

Originally Posted by \/4A

I just did a scan of an infected USB Flash and guess what. ClamAV said it was clean even though I updated ClamAV's virus signatures before running the scan.

As you said before, even the Windows virus scan doesn't catch them either. It could be something that's too new for clam to pick up, just like the Windows AV they're currently using.