
Thread: Installing clamav, is this correct?

  1. #1
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    2,839

    Installing clamav, is this correct?

    I want to change clamav from update.script to the one mentioned in options.conf of custombuild.

    Now I used this guide from Sellerone, to remove the update.script installation:
    http://www.directadmin.com/forum/sho...976#post221976
    (However in the first "find" line the last / must not be there).

    I also disabled the changes I made in exim.conf mentioned in the first post of update.script.

    After that, I installed clamav using the guide of Sellerone which is the same here:
    http://help.directadmin.com/item.php?id=370

    So far so good.

    Now in some posts I see users have this line in their exim.conf:

    Code:
    av_scanner = clamd:/var/run/clamav/clamd
    The /var/run/clamav directory is present again in my system after building with custombuild.
    However, the directory is empty.

    And the DA help does not tell me to put this line in exim.conf, but use this one:
    Code:
    av_scanner = clamd:127.0.0.1 3310
    Which line is best, and if /var/run/clamav/clamd is not used anymore, why is the /var/run/clamav still made by Custombuild?

    Next to that I got this warning when clamd was restarted during installation:
    LibClamAV Warning: *** The virus database is older than 7 days! ***
    LibClamAV Warning: *** Please update it as soon as possible. ***
    How do I update the database now that I used the custombuild installation? And is there a way to do this automatically?
    Greetings, Richard.

  2. #2
    Join Date
    Oct 2004
    Location
    London, UK
    Posts
    6,641
    If clamav is listening on 3310, use the port way (I still use that).

    It just depends on your clamd.conf file.

    So, run netstat -ant | grep :3310 to check where it is listening.

    in clamd.conf you should have:

    # TCP port address.
    # Default: no
    TCPSocket 3310

    # TCP address.
    # By default we bind to INADDR_ANY, probably not wise.
    # Enable the following to provide some degree of protection
    # from the outside world.
    # Default: no
    TCPAddr 127.0.0.1

    in exim.conf you should have:

    av_scanner = clamd:127.0.0.1 3310


    Regarding updates, make sure freshclam is started; that should be the "update manager" for virus definitions.

    Regards
    SeLLeRoNe - Andrea Iannucci
    DevOps Engineer - System Administrator
    If you need my support write me an E-Mail to Support@CrazyNetwork.it
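
The check described in the post above (clamd.conf and exim.conf must name the same listener), written out as an added example that is not part of the original thread. The function names are hypothetical and the two file paths are supplied by the caller; a TCP listener without TCPAddr is reported because, as the clamd.conf comment says, it then binds to INADDR_ANY.

```shell
#!/bin/sh
# Added example, not from the thread: check that exim's av_scanner points at
# the socket clamd really opens. Both file paths are passed in by the caller.

# Value of a clamd.conf directive; commented-out lines are ignored.
clamd_opt() {  # $1 = directive, $2 = clamd.conf
    awk -v k="$1" '$1 == k { v = $2 } END { print v }' "$2"
}

# The av_scanner value from exim.conf, e.g. "clamd:127.0.0.1 3310".
exim_scanner() {  # $1 = exim.conf
    sed -n 's/^[[:space:]]*av_scanner[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Prints a verdict; returns 0 only if both files agree and, for the TCP
# form, TCPAddr is set so clamd does not listen on every interface.
check_av_config() {  # $1 = clamd.conf, $2 = exim.conf
    port=$(clamd_opt TCPSocket "$1")
    addr=$(clamd_opt TCPAddr "$1")
    sock=$(clamd_opt LocalSocket "$1")
    scanner=$(exim_scanner "$2")
    case $scanner in
        clamd:/*)   # unix socket form
            if [ "$scanner" != "clamd:$sock" ]; then
                echo "MISMATCH: exim uses ${scanner#clamd:} but LocalSocket is '${sock}'"
                return 1
            fi ;;
        clamd:*)    # "address port" form
            if [ -z "$port" ]; then
                echo "MISMATCH: exim uses TCP but TCPSocket is not enabled"; return 1
            elif [ -z "$addr" ]; then
                echo "EXPOSED: TCPAddr unset, clamd listens on all interfaces"; return 1
            elif [ "$scanner" != "clamd:$addr $port" ]; then
                echo "MISMATCH: exim uses ${scanner#clamd:} but clamd has $addr $port"
                return 1
            fi ;;
        *)  echo "MISMATCH: no clamd av_scanner line in exim.conf"; return 1 ;;
    esac
    echo "OK: $scanner"
}

# Usage: sh check_av.sh /path/to/clamd.conf /path/to/exim.conf
if [ $# -eq 2 ]; then check_av_config "$1" "$2"; fi
```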

  3. #3
    Join Date
    Apr 2009
    Posts
    1,952
    Is there also any how-to on how to set up a cron job so that clamav scans the server weekly?

  4. #4
    Join Date
    Oct 2004
    Location
    London, UK
    Posts
    6,641
    There is no how-to, but here are two scripts I made:

    >cat scan.sh
    clamscan -r -i /home/
    >cat scan_remove.sh
    clamscan -r -i --remove /home/

    The first just scans the system without removing infected files (not useful in cron); the second scans and removes the infected files.

    So, a cron line should be (presuming you save the file in /root)

    0 1 * * 0 root /root/scan_remove.sh >/dev/null 2>&1

    in /etc/crontab

    Regards
    SeLLeRoNe - Andrea Iannucci
    DevOps Engineer - System Administrator
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  5. #5
    Join Date
    Apr 2009
    Posts
    1,952
    Thanks! So if I only want to scan weekly without removing anything and only want a report by email, then I can create a file like:

    Code:
    /root/clam_scan.sh
    Which has this content:

    Code:
    >cat scan.sh
    clamscan -r -i /home/
    Then add this new line to bottom of file /etc/crontab :

    Code:
    0 1 * * 0 root /root/clam_scan.sh >/dev/null 2>&1
    I will test this on a server later today.

  6. #6
    Join Date
    Oct 2004
    Location
    London, UK
    Posts
    6,641
    This setup will not send any report via email; you need to change the cron to mail the result instead of /dev/null.

    Regards
    SeLLeRoNe - Andrea Iannucci
    DevOps Engineer - System Administrator
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  7. #7
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    2,839
    Thank you Sellerone.
    I used the default setup, so the line I put in exim.conf is correct.

    But I discovered freshclam was not running.
    I started it now. But it's strange that it's not started with the building of clamav by custombuild.

    And there is no chkconfig made for freshclam either.
    Can I just do a chkconfig --add freshclam to have it work after a reboot, is that sufficient?

    I needed to make some changes for clamd.pid and /usr/share/clamav in the conf files to make things work.

    So it's not really as it should be. I also wonder why Custombuild is not using the default directory /usr/local/share/clamav instead of /usr/share/clamav.
    Last edited by Richard G; 05-19-2012 at 05:57 AM. Reason: Fixed some problems
    Greetings, Richard.

  8. #8
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    2,839
    When I run the virusscan script you made, my system is using enormous cpu load:
    Code:
    25056 root      25   0  153m 122m 3256 R 89.2  1.5   5:56.92 clamscan
    As you can see here it's 89.2% but I've also seen it at 100% and 95%.

    Is there no way to reduce this cpu load during a scan?
    Greetings, Richard.

  9. #9
    Join Date
    Oct 2004
    Location
    London, UK
    Posts
    6,641
    On my box there is freshclam:

    freshclam 0:off 1:off 2:on 3:on 4:on 5:on 6:off

    Yes you can add it manually.

    Regarding the CPU load, I don't know; on my box it also takes a lot of CPU % (about 60%), but on a 12-core system that's not a problem for me.

    I never needed to change the pid or whatever; the only thing should be that you didn't remove the /etc/init.d/clamd and freshclamd before using custombuild, so if the error was on restart, it was because custombuild didn't overwrite the startup scripts.

    Regards
    SeLLeRoNe - Andrea Iannucci
    DevOps Engineer - System Administrator
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  10. #10
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    2,839
    "the only thing should be that you didn't remove the /etc/init.d/clamd and freshclamd before using custombuild"
    Could be indeed. Because I searched for clamav, not for freshclam and clamd.

    But how are freshclam and clamd started then otherwise?
    I think I'm going to delete everything and try again.
    Custombuild did not add it to chkconfig either.
    Greetings, Richard.

  11. #11
    Join Date
    Oct 2004
    Location
    London, UK
    Posts
    6,641
    Yep, I miswrote the help for you, forgetting about freshclam...

    I don't know how it worked on reboot for you; I got both...

    Regards
    SeLLeRoNe - Andrea Iannucci
    DevOps Engineer - System Administrator
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  12. #12
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    2,839
    Thanks for the help Sellerone.
    I now removed custombuild clamav, then manually all clam*, freshclam, libclam* and stuff I found from clamav.

    Restated clamav to yes in options.conf and built clamav again. This time all worked fine, your scripts are working fine, no adjustment of the config was needed and chkconfig already contained the freshclam and clamd settings.

    So I think you were correct in presuming that the custombuild clam did not overwrite the /etc/rc.d/init.d statements and some other clamav stuff which I might have not deleted before.

    Working like a charm now.
    I also use the custom clamdcheck script for checking if clamd is still running. I presume this is still needed to check if clamd is running. I found a link to that script in the help section of directadmin where the installation of clamav is written.
    Greetings, Richard.

  13. #13
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    2,839
    Is there a possibility to change your script to only remove the infected file? It now works like this:
    /home/reseller/user_backups/username.tar.gz: Email.Trojan-202 FOUND
    /home/reseller/user_backups/username.tar.gz: Removed.
    I know for a fact this email trojan is in an email message in the Maildir folder. If I scan to remove the homedir directory, it will only remove that email. But the user_backups are also scanned and if something is found, the complete backup is removed.
    Greetings, Richard.

  14. #14
    Join Date
    Oct 2004
    Location
    London, UK
    Posts
    6,641
    Sorry, I don't know how to not scan zipped files; maybe clamscan --help would help.

    Otherwise, do like me: put backups in a different location (e.g. I use /backups).

    Regards
    SeLLeRoNe - Andrea Iannucci
    DevOps Engineer - System Administrator
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  15. #15
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    2,839
    You can configure not to scan zipped files via clamd.conf if I'm not mistaken.
    However, zipped files should be scanned, that's not the problem. I thought there was a way to only remove the infected file, not the complete zipfile, but maybe that's not possible.
    Storing the backups in another location is a solution indeed.

    Thanks for your help again with all this!
    Greetings, Richard.
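
A report-only variant of the weekly scan discussed in posts #5, #6, #8 and #13, given here as an added example that is not part of the original thread. It assumes the script is saved as /root/clam_report.sh, that backups sit in directories named user_backups as in post #13, and that ionice (util-linux) is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: weekly scan that reports and never deletes.
#
# /etc/crontab entry; output is not sent to /dev/null, so cron mails it:
#   MAILTO=root
#   0 1 * * 0 root /root/clam_report.sh --run

SCAN_ROOT=${SCAN_ROOT:-/home}

# Arguments for clamscan: recursive, print infected files only, and skip
# backup directories so a whole archive is never flagged because of one
# message inside it. There is no --remove, so nothing is deleted.
scan_args() {
    printf '%s\n' "-r -i --exclude-dir=/user_backups $SCAN_ROOT"
}

# Print "path [signature]" for every hit in a saved clamscan report.
list_hits() {  # $1 = report file
    sed -n 's/^\(.*\): \(.*\) FOUND$/\1 [\2]/p' "$1"
}

# Run the scan at the lowest CPU and I/O priority: it still uses idle CPU
# but yields to other work. Output is printed only when there is something
# to read. clamscan exit codes: 0 = clean, 1 = infected, 2 = error.
run_scan() {
    report=$(mktemp) || return 2
    # Word splitting of scan_args is intended here.
    nice -n 19 ionice -c3 clamscan $(scan_args) >"$report" 2>&1
    rc=$?
    case $rc in
        0) ;;
        1) echo "Infected files under $SCAN_ROOT:"; list_hits "$report" ;;
        *) echo "clamscan failed (exit $rc):"; cat "$report" ;;
    esac
    rm -f "$report"
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then run_scan; fi
```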
