
#1 2017-11-25 01:19:55

cloverskull
Member
Registered: 2015-10-01
Posts: 348

Quick and easy antivirus - useful if you share files

Hey guys,

I recently installed clamav, not because I'm worried about getting a virus or malware on my linux partition, but because I'm worried about sharing files with a windows machine, and would prefer to scan this stuff before moving any of it over. Setting up clamav is pretty easy though poorly documented, so I figured I'd throw together a quick howto.

First, install clamav

sudo apt-get update
sudo apt-get install clamav clamav-daemon

Next, we need to update our locale in a configuration file which should allow us to download the latest virus definitions. We'll need to switch off the clamav-freshclam daemon, modify the configuration file, run 'freshclam' to get our definitions up to date (the first time), and then turn the daemon back on.

sudo systemctl stop clamav-freshclam
sudo nano /etc/clamav/freshclam.conf

Find this line:

DatabaseMirror db.local.clamav.net

And replace 'local' with your country code, i.e.

DatabaseMirror db.us.clamav.net

One thing of note in this file is the "Checks" number. 24 (default) represents a 24 hour interval between self-updates of virus definitions. Adjust if necessary.

Save, and exit.

Let's update those definitions.

sudo freshclam

Now we can turn the daemon back on.

sudo systemctl start clamav-freshclam

Now you can manually scan files, and clean those dirty torrents! Use clamscan from the command line. man clamscan is your friend here. I actually use a gui, clamtk, which you can install via apt. It works a treat. I periodically scan my downloads directory, dropbox, and music directory.

Let me know if this works for you. Thanks!


#2 2017-11-26 09:54:24

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Quick and easy antivirus - useful if you share files

Thanks for bringing it up!

Do you maybe have LibreOffice installed and get these messages?

ClamAV is suggesting that there is something wrong with those .xba files.


#3 2017-11-26 18:55:03

cloverskull
Member
Registered: 2015-10-01
Posts: 348

Re: Quick and easy antivirus - useful if you share files

Hm, interesting. I actually hadn't scanned that directory, I only scanned things that I downloaded off the open internet (i.e., not from debian repos). I'll take a look and see what clamav says.


#4 2017-11-26 22:31:46

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Quick and easy antivirus - useful if you share files

Ok, thx. As a sidenote: I had "Scan for PUAs" checked. Some sites are suggesting that they are false positives and that scanning without PUAs should be preferred.


#5 2017-11-27 05:58:30

cloverskull
Member
Registered: 2015-10-01
Posts: 348

Re: Quick and easy antivirus - useful if you share files

With latest Debian Stretch, I didn't turn up any results for those files. I guess that's a good thing. Presumably my AV definitions are more up to date and as such these were probably temporary false positives.


#6 2017-11-29 03:02:42

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 12,654

Re: Quick and easy antivirus - useful if you share files

I might add that the clamav daemon uses a lot of RAM - of my 4GB it takes ~13%.
For on-demand scanning of certain files or directories, how important is it to have the daemon installed?


...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )

Introduction to the Bunsenlabs Boron Desktop


#7 2017-11-29 19:02:41

cloverskull
Member
Registered: 2015-10-01
Posts: 348

Re: Quick and easy antivirus - useful if you share files

Good question. I don't think it's necessary, but you'd have to write a cronjob to manually update the AV definitions. On-demand scanning should work regardless.

I'm going to research this a bit. I hadn't realized it was so memory hungry.


#8 2017-11-29 20:11:30

cloverskull
Member
Registered: 2015-10-01
Posts: 348

Re: Quick and easy antivirus - useful if you share files

Circling back, according to Ubuntu's ClamAV page, clamd is an in-memory system scanner. So to answer your question, it doesn't look important to have running.

So I guess I'll switch it off as well. Just need to write a cronjob to update the definitions, simple enough. Thanks for teeing that up johnraff.


#9 2017-11-30 01:20:46

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 12,654

Re: Quick and easy antivirus - useful if you share files

I'm not sure if a cronjob is needed - freshclam is updating the definitions regularly on my system anyway. Have a look at /var/log/clamav/freshclam.log. I see daily checks and frequent updates.

Also messages: "ERROR: NotifyClamd: Can't find or parse configuration file /etc/clamav/clamd.conf" presumably because I removed clamav-daemon, but not a problem, I'm guessing.



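A shell script that ties together two things discussed in this thread, written as an added example rather than anything posted by cloverskull or johnraff: it reports the last successful definition update from freshclam.log and counts the NotifyClamd errors that appear once clamav-daemon is gone (post #9), and it copies a directory into a Windows-bound staging area only when clamscan reports it clean (the pre-staging workflow of post #1). It assumes Debian's clamav package layout (clamscan on PATH, /var/log/clamav/freshclam.log); the log excerpt embedded in it is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes Debian's clamav package:
# clamscan on PATH and freshclam logging to /var/log/clamav/freshclam.log.
CLAMSCAN=${CLAMSCAN:-clamscan}

# Constructed freshclam.log excerpt in freshclam's "<date> -> <message>" format.
SAMPLE_LOG="Wed Nov 29 03:02:40 2017 -> ClamAV update process started at Wed Nov 29 03:02:40 2017
Wed Nov 29 03:02:40 2017 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Wed Nov 29 03:02:42 2017 -> daily.cld updated (version: 24064, sigs: 1845170, f-level: 63, builder: neo)
Wed Nov 29 03:02:42 2017 -> Database updated (6411494 signatures) from db.us.clamav.net (IP: 203.0.113.10)
Wed Nov 29 03:02:42 2017 -> ERROR: NotifyClamd: Can't find or parse configuration file /etc/clamav/clamd.conf"

# Timestamp of the last successful signature update in the given log, or "never".
last_db_update() {
    grep 'Database updated' "$1" | tail -n 1 | sed 's/ -> .*//' | grep . || echo never
}

# NotifyClamd errors are expected once clamav-daemon is removed: freshclam only
# fails to tell a clamd that is not running to reload its database.
notifyclamd_errors() {
    grep -c 'NotifyClamd' "$1"
}

# clamscan exit status: 0 nothing found, 1 something found, 2 scanner error.
verdict() {
    case "$1" in 0) echo clean ;; 1) echo infected ;; *) echo error ;; esac
}

# Scan SRC recursively and copy it into DEST (the Windows-bound staging area)
# only when clean. Hits stay where they are and are echoed as clamscan prints
# them ("<path>: <signature> FOUND"); a scanner error copies nothing either.
stage_scan() {
    src=$1; dest=$2
    if out=$("$CLAMSCAN" -r --infected --no-summary "$src" 2>&1); then status=0; else status=$?; fi
    v=$(verdict "$status")
    case "$v" in
        clean)    mkdir -p "$dest" && cp -R "$src"/. "$dest"/ ;;
        infected) printf '%s\n' "$out" | grep ' FOUND$' >&2 ;;
        *)        printf 'clamscan failed (exit %s):\n%s\n' "$status" "$out" >&2 ;;
    esac
    echo "$v"
}

# Stand-alone run (./stage-scan.sh --demo): check the real log, then scan ~/Downloads.
if [ "${1:-}" = "--demo" ]; then
    log=/var/log/clamav/freshclam.log
    echo "last update: $(last_db_update "$log"), NotifyClamd errors: $(notifyclamd_errors "$log")"
    stage_scan "$HOME/Downloads" "$HOME/staging"
fi
```

Run it with --demo after freshclam has completed at least once; a "never" in the first line means no update has succeeded yet, regardless of what the daemon reports.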

#10 2017-11-30 01:27:58

cloverskull
Member
Registered: 2015-10-01
Posts: 348

Re: Quick and easy antivirus - useful if you share files

Quick interesting tidbit - I just tested an installer for imgburn which I read some people suggest sneaks malware. clamscan detected it. Looks like a good intermediary option before putting stuff on my Windows laptop.


#11 2017-11-30 04:08:15

BLizgreat!
Resident Babbler - vll!
Registered: 2015-10-03
Posts: 1,217

Re: Quick and easy antivirus - useful if you share files

Good thread Cloverskull ...

2 cents, John nopers would find that completely unacceptable, being gnu/Linux no doubt gazillion ways to schedule autoscans or periodic scans which then shut the AV afterwards, think reasonable precautions are important here. Have babbled about this innumerable times because yeah, it's shocking how many nixers will say ohhhh you don't need AV-etc on gnu/Linux and these people are dual-booting with 1 or more window$ OS or systems they admin with window$ onboard themselves. Network shares etc etc.

Errrr ... way to think things through there champ! Personally when did use window$ wouldn't/couldn't stand having to have 42 Sec/AV/malware etc etc etc progs running at all times, though somewhat knew what I was doing too. Though that's the actual reason I ended up really giving gnu/Linux a try, XP got infected with a rootkit and took me 3 friggin days to get rid of the thing. At that point said, dammit ... this gnu/Linux thing I played with 10yrs ago is immune to all this crap!

Supplemental babble (hope Cloverskull doesn't mind and don't think he would). There's a buncha good live anti-vir scanners for gnu/Linux, runs/updates from RAM + thumbdrive and takes any booted OS out of the equation. Too lazy to google up some links, plenty readily available. An assoc thing with this, is programs like Sardu or multiboot for usb-drives and or why I've long been a fan of rw-cd/dvds. Using a whole usb drive (or cd-dvd) for one app or iso imo is stupid, shrugs.

In fact take the BL-Hydrogen live iso, it creates 1 nice partition and left the rest of my 15gb t-drive unallocated, so being the dork I am, I created a 2nd fat32 formatted partition in this space and am using it to store additional iso's and OS's tar.gz backups on. Why waste the space? Hydrogen still runs fine in live-session and doesn't care about the data on the other partition. In fact if wanted to extract the BL-Hydrogen iso, could no doubt fiddle around with its grub.cfg file or etc, requash it and very likely get it to be able to boot all those other iso's too. Haven't done it, so just a likely theory atm.

Finally have read this used to be somewhat of a widely held gnu/Linux courtesy among the gnu/Linux communities and no doubt still is some places. That being it was considered the right thing to do to scan files and etc for window$ nasties as a courtesy and in attempting to be a considerate netizen. In the case of a dual/multiboot window$ + Nix system, guess someone could fortify it on the window$ OS-end vs pulling double duty and having the same redundant work being also done on their gnu/Linux install(s).

Lol ... having babbled/typed all this, I went exclusively gnu/Linux now and presently don't bother with anti-vir, installed or live scanners atm. Though know I should for all the reasons above. It's likely the right thing to do. Same time ... someone out there, who gets one more infection or catches one more web nasty thanks to M$'s craptasticness, might decide hey, I'M FRIGGIN SICK OF THIS CRAP, what else is available? Hmmmm ... gnu/Linux? Immune to ...? Hey why don't I give it a try?

So am I really doing them a favor by protecting them from their next window$ infection, or doing them a disservice? Ah I protected you this time, M$ will never protect you, so it's only a matter of time. I'll leave that up to bigger n better minds to mull over.

Last edited by BLizgreat! (2017-11-30 04:19:57)


#12 2017-12-31 19:37:52

cloverskull
Member
Registered: 2015-10-01
Posts: 348

Re: Quick and easy antivirus - useful if you share files

Following up, I've found this to be an excellent way to pre-stage things downloaded from dubious locations before moving them to my windows box.

Furthermore, you can use unofficial AV signatures. There's a howto here:

https://github.com/extremeshok/clamav-u … escription

I also have the free MalwarePatrol signatures, you just have to sign up and they update every 72 hours.

Good call @johnraff, btw, for tipping me off to the unnecessary clamav-daemon (clamd) process. This thing was eating up like 20% of the RAM on my box!

