Installing clamav, is this correct?

Richard G

I want to change clamav from update.script to the one mentioned in options.conf of custombuild.

Now I used this guide from Sellerone to remove the update.script installation:
http://www.directadmin.com/forum/showthread.php?t=22587&p=221976#post221976
(However, in the first "find" line the last / must not be there.) :)

I also disabled the changes I made in exim.conf mentioned in the first post of update.script.

After that, I installed clamav using the guide of Sellerone which is the same here:
http://help.directadmin.com/item.php?id=370

So far so good.

Now in some posts I see users have this line in their exim.conf:

Code:
av_scanner = clamd:/var/run/clamav/clamd

The /var/run/clamav directory is present again in my system after building with custombuild.
However, the directory is empty.

And the DA help does not tell me to put this line in exim.conf, but use this one:
Code:
av_scanner = clamd:127.0.0.1 3310

Which line is best, and if /var/run/clamav/clamd is not used anymore, why is /var/run/clamav still made by Custombuild?

Next to that I got this warning when clamd was restarted during installation:
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
How do I update the database now that I used the custombuild installation? And is there a way to do this automatically?
 
If clamav is listening on 3310, use the port way (I still use that).

It just depends on your clamd.conf file.

So, run netstat -ant | grep :3310 to check where it is listening.

In clamd.conf you should have:

# TCP port address.
# Default: no
TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
TCPAddr 127.0.0.1

In exim.conf you should have:

av_scanner = clamd:127.0.0.1 3310


Regarding updates, make sure freshclam is started; that should be the "update manager" for virus definitions.

Regards
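The reply above says the right av_scanner line "just depends on your clamd.conf". Below is an added helper (not from the thread or from DirectAdmin) that reads the LocalSocket / TCPSocket / TCPAddr keywords from a clamd.conf, prints the matching exim av_scanner line, and warns when TCPSocket is set without TCPAddr, the INADDR_ANY case the config comment calls "probably not wise" because clamd is then reachable from the network. A second function checks whether anything is actually bound where that line points, using ss or the netstat call from the reply. The sample clamd.conf it writes is constructed for the demo; the quarantine-free unix socket form is preferred when both are configured, which is a choice made here, not a ClamAV rule.

```shell
#!/bin/sh
# Added example, not from the thread: derive the exim av_scanner line from
# clamd.conf and flag a TCP listener that is not bound to localhost.
# Assumes the stock clamd.conf keywords LocalSocket, TCPSocket, TCPAddr.

derive_av_scanner() {
    # $1 = path to clamd.conf. Prints "av_scanner = ..." for exim.conf.
    awk '
        /^[[:space:]]*#/ { next }                   # skip comment lines
        $1 == "LocalSocket" { sock = $2 }
        $1 == "TCPSocket"   { port = $2 }
        $1 == "TCPAddr"     { addr = $2 }
        END {
            if (sock != "") {
                # unix socket: nothing is exposed on the network at all
                print "av_scanner = clamd:" sock
            } else if (port != "") {
                if (addr == "") {
                    # no TCPAddr means INADDR_ANY: clamd answers on every
                    # interface unless a firewall blocks the port
                    print "WARNING: TCPSocket without TCPAddr, clamd binds to all interfaces" > "/dev/stderr"
                    addr = "127.0.0.1"
                }
                print "av_scanner = clamd:" addr " " port
            } else {
                print "ERROR: neither LocalSocket nor TCPSocket is set" > "/dev/stderr"
                exit 1
            }
        }' "$1"
}

clamd_is_listening() {
    # $1 = an av_scanner line. Returns 0 if a socket file or TCP listener
    # exists where the line points (ss on current boxes, netstat as in the
    # reply above on older ones).
    case "$1" in
        *"clamd:/"*)
            sock=${1#*clamd:}
            [ -S "$sock" ] ;;
        *)
            port=${1##* }
            if command -v ss >/dev/null 2>&1; then
                ss -lnt 2>/dev/null | grep -q ":$port "
            else
                netstat -ant 2>/dev/null | grep -q ":$port .*LISTEN"
            fi ;;
    esac
}

# Demo on a constructed clamd.conf carrying the settings quoted in the reply.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# TCP port address.
TCPSocket 3310
# TCP address.
TCPAddr 127.0.0.1
EOF
line=$(derive_av_scanner "$demo_conf")
echo "$line"                      # av_scanner = clamd:127.0.0.1 3310
rm -f "$demo_conf"
```

Run it against the real file with `derive_av_scanner /etc/clamd.conf` (or wherever custombuild put it) and paste the printed line into exim.conf; if `clamd_is_listening "$line"` fails, clamd is not running with the config you just read, which is exactly the mismatch the thread starter hit.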
 
Is there also any how-to on setting up a cron job so that clamav scans the server weekly?
 
There are no how-tos, but here are two scripts I made:

>cat scan.sh
#!/bin/sh
clamscan -r -i /home/
>cat scan_remove.sh
#!/bin/sh
clamscan -r -i --remove /home/

The first just scans the system without removing infected files (not useful in cron); the second scans and removes the infected files.

So, a cron line should be (presuming you saved the file in /root):

0 1 * * 0 root /root/scan_remove.sh >/dev/null 2>&1

in /etc/crontab

Regards
 
Thanks! So if I only want to scan weekly without removing anything, and only want a report by email, then I can create a file like:

Code:
/root/clam_scan.sh

Which has this content:

Code:
#!/bin/sh
clamscan -r -i /home/

Then add this new line to bottom of file /etc/crontab :

Code:
0 1 * * 0 root /root/clam_scan.sh >/dev/null 2>&1

I will test this on a server later today.
 
This setup will not send any report via email; you need to change the cron line to mail the result instead of sending it to /dev/null.

Regards
 
Thank you Sellerone.
I used the default setup, so the line I put in exim.conf is correct.

But I discovered freshclam was not running.
I started it now. But it's strange that it's not started when clamav is built by custombuild.

And there is no chkconfig made for freshclam either.
Can I just do a chkconfig --add freshclam to have it work after a reboot, is that sufficient?

I needed to make some changes for clamd.pid and /usr/share/clamav in the conf files to make things work.

So it's not really as it should be. I also wonder why Custombuild is not using the default directory /usr/local/share/clamav instead of /usr/share/clamav.
 
When I run the virus scan script you made, my system is under an enormous CPU load:
Code:
25056 root      25   0  153m 122m 3256 R 89.2  1.5   5:56.92 clamscan

As you can see here it's 89.2%, but I've also seen it at 100% and 95%.

Is there no way to reduce this CPU load during a scan?
 
On my box there is freshclam:

freshclam 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Yes you can add it manually.

Regarding the CPU load, don't know; on my box it also takes a lot of CPU (about 60%), but on a 12-core system that's not a problem for me.

Never needed to change the pid or whatever; the only thing could be that you didn't remove /etc/init.d/clamd and freshclamd before using custombuild, so if the error was on restart, it was because custombuild didn't overwrite the startup scripts.

Regards
 
the only thing could be that you didn't remove /etc/init.d/clamd and freshclamd before using custombuild
Could be indeed, because I searched for clamav, not for freshclam and clamd.

But how are freshclam and clamd started then otherwise?
I think I'm going to delete everything and try again.
Custombuild did not add it to chkconfig either.
 
Yep, I miswrote the help for you, forgetting about freshclam...

Don't know how it worked on reboot for you, I got both...

Regards
 
Thanks for the help Sellerone.
I have now removed the custombuild clamav, then manually all clam*, freshclam, libclam* and other stuff I found from clamav.

Set clamav to yes again in options.conf and built clamav again. This time everything worked fine: your scripts are working fine, no adjustment of the config was needed, and chkconfig already contained the freshclam and clamd settings.

So I think you were correct in presuming that the custombuild clam did not overwrite the /etc/rc.d/init.d scripts and some other clamav stuff which I might not have deleted before.

Working like a charm now.
I also use the custom clamdcheck script for checking whether clamd is still running. I presume this is still needed to check if clamd is running. I found a link to that script in the help section of DirectAdmin where the installation of clamav is described.
 
Is there a possibility to change your script to only remove the infected file? It now works like this:
/home/reseller/user_backups/username.tar.gz: Email.Trojan-202 FOUND
/home/reseller/user_backups/username.tar.gz: Removed.
I know for a fact that this email trojan is in an email message in the Maildir folder. If I scan the home directory with remove, it will only remove that email. But the user_backups are also scanned, and if something is found there, the complete backup is removed.
 
Sorry, I don't know how to skip scanning zipped files; maybe clamscan --help would help.

Otherwise, do like me: put backups in a different location (e.g. I use /backups).

Regards
 
You can configure it not to scan zipped files via clamd.conf, if I'm not mistaken.
However, zipped files should be scanned; that's not the problem. I thought there was a way to only remove the infected file, not the complete zip file, but maybe that's not possible.
Storing the backups in another location is a solution indeed.

Thanks for your help again with all this!
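Three points in the thread fit one script: the cron scan should report by mail rather than to /dev/null, it should not pin a core at 90-100% while exim and the web stack are serving, and a hit inside user_backups/username.tar.gz should not cost the whole archive. The last one cannot be solved inside clamscan: --remove and --move act on the file on disk, and an archive is one file, so the practical fix is Sellerone's, keep backups out of the scanned tree or exclude them. The script below is an added example, not from the thread or from DirectAdmin: it runs clamscan under nice/ionice, quarantines hits with --move instead of deleting them, excludes the per-user user_backups directories, and mails the log only when something was found or the scan errored. The quarantine path, log file, mail address and the --exclude-dir regex form (assumed to be POSIX extended) are assumptions; the exit-code mapping (0 clean, 1 infected, 2 error) is clamscan's documented behaviour.

```shell
#!/bin/sh
# Added example, not from the thread: weekly clamscan for cron, low priority,
# quarantine instead of delete, backups excluded, mail only on findings.
# Assumed paths and address; override them in the environment if needed.

SCAN_ROOT=${SCAN_ROOT:-/home}
QUARANTINE=${QUARANTINE:-/var/quarantine}            # assumed; root-only dir
LOGFILE=${LOGFILE:-/var/log/clamscan-weekly.log}    # assumed
MAILTO=${MAILTO:-root}

# Regex for --exclude-dir: every <root>/<account>/user_backups tree, so a hit
# inside a backup archive is reported by a separate backup job, not quarantined
# here. POSIX extended syntax assumed.
exclude_regex() {
    printf '^%s/[^/]+/user_backups' "$1"
}

# Map clamscan's documented exit status to a one-word verdict.
verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Mail only when the verdict is not "clean": a silent clean run is fine,
# a silent failed run is not.
should_mail() {
    [ "$1" != clean ]
}

run_weekly_scan() {
    mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE"
    : > "$LOGFILE"
    # nice 19 plus idle I/O class: the scan still uses a core, but yields to
    # anything that has real work, which is what the 89-100% figure above needs.
    prio="nice -n 19"
    command -v ionice >/dev/null 2>&1 && prio="$prio ionice -c 3"
    rc=0
    $prio clamscan -r -i \
        "--move=$QUARANTINE" \
        "--exclude-dir=$(exclude_regex "$SCAN_ROOT")" \
        "--log=$LOGFILE" \
        "$SCAN_ROOT" >/dev/null 2>&1 || rc=$?
    v=$(verdict "$rc")
    if should_mail "$v"; then
        # mail(1) from mailx is assumed, as on the DirectAdmin boxes above
        mail -s "clamscan weekly on $(hostname): $v" "$MAILTO" < "$LOGFILE"
    fi
    echo "$v"
}

# Only scan when explicitly asked, so sourcing the file for its functions
# (or running it on a box without clamav) does nothing.
if [ "${1:-}" = --run ] && command -v clamscan >/dev/null 2>&1; then
    run_weekly_scan
fi
```

Save it as /root/clam_scan.sh, make it executable, and use the thread's cron line with the flag added: `0 1 * * 0 root /root/clam_scan.sh --run` in /etc/crontab. Quarantined mail can be given back to the user from $QUARANTINE after a look; a deleted one cannot.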
 