01-24-2014, 03:17 PM
|
#1
|
Member
Registered: Jan 2009
Posts: 132
|
ClamAV arghh..
I thought ClamAV was something simple I could 'Yum Install ClamAv' and it would work by running
. But I guess not.
I see in the config file /etc/freshclam.conf ...everything is 'commented' there..
currently looks like this :
Quote:
##
## Example config file for freshclam
## Please read the freshclam.conf(5) manual before editing this file.
##
# Comment or remove the line below.
Example
# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav
# Path to the log file (make sure it has proper permissions)
# Default: disabled
#UpdateLogFile /var/log/freshclam.log
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
# log rotation (the LogRotate option) will always be enabled.
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
# Default: no
#LogTime yes
# Enable verbose logging.
# Default: no
#LogVerbose yes
# Use system logger (can work together with UpdateLogFile).
# Default: no
#LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# This option allows you to save the process identifier of the daemon
# Default: disabled
#PidFile /var/run/freshclam.pid
# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
#DatabaseOwner clamav
# Initialize supplementary group access (freshclam must be started by root).
# Default: no
#AllowSupplementaryGroups yes
# Use DNS to verify virus database version. Freshclam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# WARNING: Do not touch it unless you're configuring freshclam to use your
# own database verification domain.
# Default: current.cvd.clamav.net
#DNSDatabaseInfo current.cvd.clamav.net
# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
# You can use db.XY.ipv6.clamav.net for IPv6 connections.
#DatabaseMirror db.XY.clamav.net
# database.clamav.net is a round-robin record which points to our most
# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is
# not working. DO NOT TOUCH the following line unless you know what you
# are doing.
DatabaseMirror db.us.clamav.net
DatabaseMirror db.local.clamav.net
# How many attempts to make before giving up.
# Default: 3 (per mirror)
#MaxAttempts 5
# With this option you can control scripted updates. It's highly recommended
# to keep it enabled.
# Default: yes
#ScriptedUpdates yes
# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
#CompressLocalDatabase no
# With this option you can provide custom sources (http:// or file://) for
# database files. This option can be used multiple times.
# Default: no custom URLs
#DatabaseCustomURL http://myserver.com/mysigs.ndb
#DatabaseCustomURL file:///mnt/nfs/local.hdb
# This option allows you to easily point freshclam to private mirrors.
# If PrivateMirror is set, freshclam does not attempt to use DNS
# to determine whether its databases are out-of-date, instead it will
# use the If-Modified-Since request or directly check the headers of the
# remote database files. For each database, freshclam first attempts
# to download the CLD file. If that fails, it tries to download the
# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
# and ScriptedUpdates. It can be used multiple times to provide
# fall-back mirrors.
# Default: disabled
#PrivateMirror mirror1.mynetwork.com
#PrivateMirror mirror2.mynetwork.com
# Number of database checks per day.
# Default: 12 (every two hours)
#Checks 24
# Proxy settings
# Default: disabled
#HTTPProxyServer myproxy.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass
# If your servers are behind a firewall/proxy which applies User-Agent
# filtering you can use this option to force the use of a different
# User-Agent header.
# Default: clamav/version_number
#HTTPUserAgent SomeUserAgentIdString
# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
# multi-homed systems.
# Default: Use OS'es default outgoing IP address.
#LocalIPAddress aaa.bbb.ccc.ddd
# Send the RELOAD command to clamd.
# Default: no
#NotifyClamd /path/to/clamd.conf
# Run command after successful database update.
# Default: disabled
#OnUpdateExecute command
# Run command when database update process fails.
# Default: disabled
#OnErrorExecute command
# Run command when freshclam reports outdated version.
# In the command string %v will be replaced by the new version number.
# Default: disabled
#OnOutdatedExecute command
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Timeout in seconds when connecting to database server.
# Default: 30
#ConnectTimeout 60
# Timeout in seconds when reading from database server.
# Default: 30
#ReceiveTimeout 60
# With this option enabled, freshclam will attempt to load new
# databases into memory to make sure they are properly handled
# by libclamav before replacing the old ones.
# Default: yes
#TestDatabases yes
# When enabled freshclam will submit statistics to the ClamAV Project about
# the latest virus detections in your environment. The ClamAV maintainers
# will then use this data to determine what types of malware are the most
# detected in the field and in what geographic area they are.
# Freshclam will connect to clamd in order to get recent statistics.
# Default: no
#SubmitDetectionStats /path/to/clamd.conf
# Country of origin of malware/detection statistics (for statistical
# purposes only). The statistics collector at ClamAV.net will look up
# your IP address to determine the geographical origin of the malware
# reported by your installation. If this installation is mainly used to
# scan data which comes from a different location, please enable this
# option and enter a two-letter code (see http://www.iana.org/domains/root/db/)
# of the country of origin.
# Default: disabled
#DetectionStatsCountry country-code
# This option enables support for our "Personal Statistics" service.
# When this option is enabled, the information on malware detected by
# your clamd installation is made available to you through our website.
# To get your HostID, log on http://www.stats.clamav.net and add a new
# host to your host list. Once you have the HostID, uncomment this option
# and paste the HostID here. As soon as your freshclam starts submitting
# information to our stats collecting service, you will be able to view
# the statistics of this clamd installation by logging into
# http://www.stats.clamav.net with the same credentials you used to
# generate the HostID. For more information refer to:
# http://www.clamav.net/support/faq/faq-cctts/
# This feature requires SubmitDetectionStats to be enabled.
# Default: disabled
#DetectionStatsHostID unique-id
# This option enables support for Google Safe Browsing. When activated for
# the first time, freshclam will download a new database file (safebrowsing.cvd)
# which will be automatically loaded by clamd and clamscan during the next
# reload, provided that the heuristic phishing detection is turned on. This
# database includes information about websites that may be phishing sites or
# possible sources of malware. When using this option, it's mandatory to run
# freshclam at least every 30 minutes.
# Freshclam uses the ClamAV's mirror infrastructure to distribute the
# database and its updates but all the contents are provided under Google's
# terms of use. See http://code.google.com/support/bin/a...y?answer=70015
# and http://safebrowsing.clamav.net for more information.
# Default: disabled
#SafeBrowsing yes
# This option enables downloading of bytecode.cvd, which includes additional
# detection mechanisms and improvements to the ClamAV engine.
# Default: enabled
#Bytecode yes
# Download an additional 3rd party signature database distributed through
# the ClamAV mirrors. Here you can find a list of available databases:
# http://www.clamav.net/download/cvd/3rdparty
# This option can be used multiple times.
#ExtraDatabase dbname1
#ExtraDatabase dbname2
|
(could I get some help...like what is mandatory just to get it working the first time. Do I need to create databases and stuff ? )
Last edited by mike2010; 01-24-2014 at 03:23 PM.
|
|
|
01-24-2014, 03:50 PM
|
#2
|
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,235
|
Hi,
You need to comment out or remove the line
Example
in both /etc/freshclam.conf and /etc/clamd.conf
After that run freshclam to fetch the latest virus definitions
Regards
|
|
|
01-27-2014, 07:46 PM
|
#3
|
Member
Registered: Jan 2009
Posts: 132
Original Poster
|
Quote:
Originally Posted by bathory
Hi,
You need to comment out or remove the line
Example
in both /etc/freshclam.conf and /etc/clamd.conf
After that run freshclam to fetch the latest virus definitions
Regards
|
I removed it from /etc/freshclam.conf , but didn't notice the file /etc/clamd.conf anywhere.
can someone else answer...don't I have to manually create the database or something ?
It was a default install via 'Yum Install ClamAv'
All I did so far was remove that 'example' text.
seems like more needs to be done, and I don't feel like filling out a new account to ask the question on ClamAv forums.
error I get when trying to run :
Quote:
LibClamAV Error: cli_loaddb(): No supported database files found in /var/clamav
ERROR: Can't open file or directory
|
thanks
currently there are no files in /var/clamav
Last edited by mike2010; 01-27-2014 at 07:48 PM.
|
|
|
01-28-2014, 12:48 AM
|
#4
|
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,235
|
Quote:
Originally Posted by mike2010
I removed it from /etc/freshclam.conf , but didn't notice the file /etc/clamd.conf anywhere.
can someone else answer...don't I have to manually create the database or something ?
It was a default install via 'Yum Install ClamAv'
All I did so far was remove that 'example' text.
seems like more needs to be done, and I don't feel like filling out a new account to ask the question on ClamAv forums.
error I get when trying to run :
LibClamAV Error: cli_loaddb(): No supported database files found in /var/clamav
ERROR: Can't open file or directory
thanks
currently there are no files in /var/clamav
|
As I've told you above, after fixing freshclam.conf, you have to run
in order to download the latest virus definitions and thus create the databases needed.
|
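Added example, not part of the thread and not ClamAV project code: a shell preflight for the two problems posts #2 to #4 deal with, an active Example line in freshclam.conf and a database directory with no .cvd/.cld files (the cli_loaddb error). The function names and verdict strings are assumptions made for this example; the sample config is a constructed, trimmed copy of the one quoted in post #1.

```sh
#!/bin/sh
# Added example, not from the thread. Paths are parameters so the check can
# be run on copies; the thread's own paths are /etc/freshclam.conf, /var/clamav.

# True when the file still has an active (uncommented) "Example" line.
has_example_line() {
    grep -Eq '^[[:space:]]*Example[[:space:]]*$' "$1"
}

# Print the value of the first uncommented occurrence of a directive.
get_directive() {   # $1 = conf file, $2 = directive name
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Count signature databases (*.cvd / *.cld) in a directory.
count_databases() {
    n=0
    for f in "$1"/*.cvd "$1"/*.cld; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Print one verdict: MISSING_CONF, EXAMPLE_ACTIVE, NO_DATABASE or OK.
preflight() {   # $1 = freshclam.conf, $2 = database dir used if none is set
    if [ ! -r "$1" ]; then echo MISSING_CONF; return 0; fi
    if has_example_line "$1"; then echo EXAMPLE_ACTIVE; return 0; fi
    dbdir=$(get_directive "$1" DatabaseDirectory)
    if [ -z "$dbdir" ]; then dbdir=$2; fi
    if [ "$(count_databases "$dbdir")" -eq 0 ]; then echo NO_DATABASE; return 0; fi
    echo OK
}

# Constructed sample: a trimmed copy of the config quoted in post #1.
demo_preflight() {
    d=$(mktemp -d)
    printf '%s\n' '# Comment or remove the line below.' 'Example' \
        '#DatabaseDirectory /var/lib/clamav' \
        'DatabaseMirror db.us.clamav.net' > "$d/freshclam.conf"
    mkdir "$d/db"
    preflight "$d/freshclam.conf" "$d/db"              # EXAMPLE_ACTIVE
    sed 's/^Example$/#Example/' "$d/freshclam.conf" > "$d/fixed.conf"
    preflight "$d/fixed.conf" "$d/db"                  # NO_DATABASE
    rm -rf "$d"
}
demo_preflight
```

NO_DATABASE is the state in which freshclam still has to be run once to download the definitions.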
|
|
01-28-2014, 02:42 PM
|
#5
|
Member
Registered: Jan 2009
Posts: 132
Original Poster
|
thx bathory..
but argh.. looks like I got a problem
Quote:
----------- SCAN SUMMARY -----------
Known viruses: 3092508
Engine version: 0.98
Scanned directories: 26404
Scanned files: 167457
Infected files: 52
Total errors: 4106
Data scanned: 8197.20 MB
Data read: 10313.51 MB (ratio 0.79:1)
Time: 1209.681 sec (20 m 9 s)
|
maybe they're just viruses caught in unopened emails ?
trying to find the location of these infections. But var/log/clamav/freshclam.log only displays the following :
Quote:
ERROR: NotifyClamd: Can't find or parse configuration file /etc/clamd.conf
|
I'm surprised it even did the whole scan with this error. guessing I should comment out the #logfile part...so it logs more ? it took a good 15 minutes for a whole scan, so I'm guessing I should set it pretty large ? once again, the conf file is in first post. And I would like to know the location of these infections.
I appreciate the help.
|
|
|
01-28-2014, 05:14 PM
|
#6
|
Member
Registered: Jan 2009
Posts: 132
Original Poster
|
using the following command...
Quote:
clamscan -r / | grep FOUND >> /var/log/found.log
|
hopefully it'll move all FOUND to specified log file.
|
|
|
01-28-2014, 06:26 PM
|
#7
|
Member
Registered: Jan 2009
Posts: 132
Original Poster
|
tu hut, the only viruses found were in the test folder of clamav.... is this kinda normal ?
example
Quote:
/usr/share/doc/clamav-0.98.1/test/clam.cab: ClamAV-Test-File FOUND
/usr/share/doc/clamav-0.98.1/test/clamjol.iso: ClamAV-Test-File FOUND
/usr/share/doc/clamav-0.98.1/test/clam-petite.exe: ClamAV-Test-File FOUND
/usr/share/doc/clamav-0.98.1/test/clam_cache_emax.tgz: ClamAV-Test-File FOUND
/usr/share/doc/clamav-0.98.1/test/clam-wwpack.exe: ClamAV-Test-File FOUND
/usr/share/doc/clamav-0.98.1/test/clam.bin-be.cpio: ClamAV-Test-File FOUND
/usr/share/doc/clamav-0.98.1/test/clam.bin-le.cpio: ClamAV-Test-File FOUND
/usr/share/doc/clamav-0.98.1/test/clam-fsg.exe: ClamAV-Test-File FOUND
/usr/share/doc/clamav-0.98.1/test/clam.mail: ClamAV-Test-File FOUND
/usr/share/doc/clamav-0.98.1/test/clam-upx.exe: ClamAV-Test-File FOUND
/usr/share/doc/clamav-0.98.1/test/clam.bz2.zip: ClamAV-Test-File FOUND
/usr/share/doc/clamav-0.98.1/test/clam.exe.binhex: ClamAV-Test-File FOUND
/usr/share/doc/clamav-0.98.1/test/clam.odc.cpio: ClamAV-Test-File FOUND
/usr/share/doc/clamav-0.98.1/test/clam.exe.mbox.uu: ClamAV-Test-File FOUND
/usr/share/doc/clamav-0.98.1/test/clam.newc.cpio: ClamAV-Test-File FOUND
/usr/share/doc/clamav-0.98.1/test/clam.exe.mbox.base64: ClamAV-Test-File FOUND
|
|
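Added example, not part of the thread: a shell filter over clamscan output like the found.log from post #6, separating the bundled ClamAV-Test-File samples under /usr/share/doc/clamav-*/test/ (post #7) from detections that need a look. Function names and the TEST/REVIEW labels are assumptions; the sample log is constructed, with two lines taken from post #7.

```sh
#!/bin/sh
# Added example, not from the thread: triage clamscan "FOUND" lines.

# Print "TEST <file>" for the bundled samples seen in post #7 and
# "REVIEW <signature> <file>" for every other detection.
classify_hits() {   # $1 = file holding clamscan output
    grep ' FOUND$' "$1" | sed 's/ FOUND$//' | while IFS= read -r line; do
        sig=${line##*: }      # text after the last ": "
        file=${line%: *}      # text before it (file names may contain ": ")
        kind=REVIEW
        case $file in /usr/share/doc/clamav-*/test/*)
            # Only the test signature in the package doc directory is expected.
            if [ "$sig" = "ClamAV-Test-File" ]; then kind=TEST; fi ;;
        esac
        if [ "$kind" = TEST ]; then echo "TEST $file"
        else echo "REVIEW $sig $file"; fi
    done
}

# Number of detections that are not the expected bundled test files.
count_review() {
    classify_hits "$1" | grep -c '^REVIEW ' || true
}

# Constructed sample log: the first two lines are from post #7, the rest made up.
demo_triage() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
/usr/share/doc/clamav-0.98.1/test/clam.cab: ClamAV-Test-File FOUND
/usr/share/doc/clamav-0.98.1/test/clam.mail: ClamAV-Test-File FOUND
/home/user/Maildir/new/re: invoice: Constructed.Sample.Signature FOUND
/tmp/upload/clam.exe: ClamAV-Test-File FOUND
/etc/hosts: OK
EOF
    classify_hits "$log"
    echo "needs review: $(count_review "$log")"
    rm -f "$log"
}
demo_triage
```

clamscan's own -i (--infected) and -l FILE (--log=FILE) options write a similar infected-only report without the grep.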
|
|
01-29-2014, 12:18 AM
|
#8
|
LQ Muse
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,710
|
mike2010
this is a bit ODD
you stated that you used yum to install it
the odd bit is that in RHEL,CentOS,fedora,SUSE that "example" line in both those files IS already commented out
and that TEST folder is not installed
those "tests" are in the source code build
and are in the build folder
and are ONLY used to test your source build to make sure it is working
what OS are you using ?
and are you using the default base repo
clamav is in the cent,fedora,suse base and updates repo
|
|
|
01-29-2014, 05:09 AM
|
#9
|
LQ 5k Club
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,575
|
Just a heads up that the OP has a system that is known to have been pwned. Oddity is to be expected. http://www.linuxquestions.org/questi...le-4175491769/
|
|
|
01-29-2014, 11:27 AM
|
#10
|
Member
Registered: Jan 2009
Posts: 132
Original Poster
|
Quote:
Originally Posted by allend
|
yes, but that culprit has been successfully removed.
john if you google just the first line :
Quote:
/usr/share/doc/clamav-0.98.1/test/clam.cab: ClamAV-Test-File FOUND
|
you'll see I'm not the only one. (first result)
plus , another reason why many may not see these showing up...is they don't have root permissions to scan the whole server "/" directory. Most have just the "public_home" stuff.
but yea, these 'test' viruses or whatever shouldn't be included in the install.
Last edited by mike2010; 01-29-2014 at 11:30 AM.
|
|
|