ClamAV has been the most used antivirus for Linux, and being open source adds the advantage of modifying the scan and the display of results as needed. Here is a link that explains more about ClamAV – Link. Installing ClamAV is one of the easiest tasks you can perform to take one step towards security. In this post I give instructions to install ClamAV and a script that sends an email when malware is found. Let's get started.
Note: These instructions and the script are for Red Hat based Linux distributions.
- Install the EPEL repository. More info on the EPEL repo – Link
sudo yum -y install epel-release
- This installs ClamAV and its optional components. Feel free to install only ClamAV itself.
sudo yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
- Now let's edit the freshclam config file with the following command to remove the "Example" line from it; freshclam refuses to run while that placeholder line is still present.
sudo sed -i '/^Example$/d' /etc/freshclam.conf
- This command edits another freshclam file so that automatic updates of the definition files start (the line marked REMOVE ME keeps the scheduled update disabled until it is deleted).
sudo sed -i '/REMOVE ME/d' /etc/sysconfig/freshclam
- If you have installed the ClamAV daemon, use this command to remove the "Example" line from its config file.
sudo sed -i '/^Example$/d' /etc/clamd.d/scan.conf
- This command updates the scan.conf file to define the local socket file location by uncommenting the LocalSocket line.
sudo sed -i -e 's/#LocalSocket \/var\/run\/clamd.scan\/clamd.sock/LocalSocket \/var\/run\/clamd.scan\/clamd.sock/g' /etc/clamd.d/scan.conf
- Now let's update the ClamAV malware definitions.
sudo freshclam
- For example, to scan the /home directory, use the following command.
sudo clamscan -r /home
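The sed commands in the steps above exit silently when their pattern is not found, so it is worth confirming the edits took effect before relying on freshclam and clamd. As an added example that is not part of the original post, here is a small pre-flight check: it reports a config that still carries the "Example" placeholder line or a scan.conf whose LocalSocket directive is still commented out. The paths default to the ones used in this post; the sample config files it writes to a temp directory are constructed for the demo and the real files under /etc are never touched.

```shell
#!/bin/bash
# Added example (not from the original post): verify that the config edits
# from the install steps took effect. Paths default to the ones in the post.

# True if FILE still contains the bare "Example" line that makes
# freshclam/clamd refuse to start.
has_example_line() {
    grep -qx 'Example' "$1"
}

# True if FILE has an uncommented LocalSocket directive with a path.
has_local_socket() {
    grep -qE '^LocalSocket[[:space:]]+[^[:space:]]' "$1"
}

# Run all checks; prints one line per problem and returns the problem count
# (0 means the configuration is ready).
check_clamav_config() {
    local freshclam_conf="${1:-/etc/freshclam.conf}"
    local scan_conf="${2:-/etc/clamd.d/scan.conf}"
    local problems=0 f
    for f in "$freshclam_conf" "$scan_conf"; do
        if [ ! -r "$f" ]; then
            echo "MISSING: $f is not readable"
            problems=$((problems + 1))
        elif has_example_line "$f"; then
            echo "FAIL: $f still contains the Example line"
            problems=$((problems + 1))
        fi
    done
    if [ -r "$scan_conf" ] && ! has_local_socket "$scan_conf"; then
        echo "FAIL: $scan_conf has no active LocalSocket directive"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo on constructed sample configs in a temp directory, so it can be run
# on any machine. On a real host call: check_clamav_config (no arguments).
demo_dir=$(mktemp -d)
printf 'Example\nDatabaseMirror database.clamav.net\n' > "$demo_dir/freshclam.conf"
printf '#LocalSocket /var/run/clamd.scan/clamd.sock\nLogFile /var/log/clamd.scan\n' > "$demo_dir/scan.conf"
check_clamav_config "$demo_dir/freshclam.conf" "$demo_dir/scan.conf"
echo "problems before fix: $?"
# Apply the same edits the post's sed commands make, then re-check.
sed -i '/^Example$/d' "$demo_dir/freshclam.conf"
sed -i 's/^#LocalSocket /LocalSocket /' "$demo_dir/scan.conf"
check_clamav_config "$demo_dir/freshclam.conf" "$demo_dir/scan.conf"
echo "problems after fix: $?"
rm -rf "$demo_dir"
```

Run it as root (or with read access to /etc/clamd.d) without arguments to check the live files; a non-zero exit status means at least one of the steps above did not apply cleanly.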
Here are some links that can be helpful for installation and scan techniques.
- https://linux.die.net/man/1/clamscan
- https://hostpresto.com/community/tutorials/how-to-install-clamav-on-centos-7/
Let's head for the script that sends mail about ClamAV scan results. Note: you have to configure email sending first. Here are my instructions for the email settings – Link
#!/bin/bash
LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log"
EMAIL_MSG="Please see the log file attached."
EMAIL_FROM="clamav-daily@example.com"
EMAIL_TO="you-email@example.com"
# space-separated list of directories to scan (left unquoted in the loop on purpose so it splits into one entry per directory)
DIRTOSCAN="/home/user"
for S in ${DIRTOSCAN}; do
    DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1)
    echo "Starting a daily scan of $S directory. Amount of data to be scanned is $DIRSIZE."
    # -r recurse into subdirectories, -i list only infected files; output is appended to today's log
    clamscan -ri "$S" >> "$LOGFILE"
    # get the value of the "Infected files:" line from the scan summary at the end of the log
    MALWARE=$(tail "$LOGFILE" | grep Infected | cut -d" " -f3)
    # if the summary line is missing (scan aborted before finishing) the numeric test below would fail, so say so and treat it as zero
    if [ -z "$MALWARE" ]; then
        echo "No scan summary found in $LOGFILE; clamscan may have aborted." >&2
        MALWARE=0
    fi
    # if the value is not equal to zero, send an email with the log file attached
    if [ "$MALWARE" -ne "0" ]; then
        # using heirloom-mailx below
        echo "$EMAIL_MSG" | mail -a "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO"
    fi
done
exit 0
EMAIL_MSG="Please see the log file attached."
EMAIL_FROM="clamav-daily@example.com"
EMAIL_TO="you-email@example.com"
DIRTOSCAN="/home/user"
Change the above variables to suit your ClamAV environment.
For help with this post, email me: x786@protonmail.ch
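The script above extracts the infected count with tail | grep | cut and only mails when that count is non-zero, so a scan that aborts before printing its summary looks the same as a clean one. As an added example (not from the original post), the following shell snippet parses the summary more defensively and combines it with clamscan's exit status (0 clean, 1 infected, 2 error), so an aborted scan is reported as an error rather than silently treated as clean. The clamscan summary texts embedded below are constructed samples for the demo; the scan_and_report function assumes clamscan and heirloom-mailx exactly as the post's script uses them.

```shell
#!/bin/bash
# Added example, not from the original post: defensive handling of clamscan
# results. The SAMPLE_* summaries below are constructed for the demo.

# Print the "Infected files" count from clamscan output read on stdin.
# Returns 1 and prints nothing when no summary line exists (aborted scan).
infected_count() {
    local n
    n=$(grep -E '^Infected files: [0-9]+$' | tail -n 1 | awk '{print $3}')
    [ -n "$n" ] || return 1
    printf '%s\n' "$n"
}

# Map a clamscan exit code to a verdict: 0 clean, 1 infected, anything else error.
scan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Combine exit code and parsed count into one decision. A missing summary is
# always "error"; a non-zero count wins over a clean exit code.
decide() {   # usage: decide EXIT_CODE < clamscan_output
    local verdict count
    verdict=$(scan_verdict "$1")
    count=$(infected_count) || { echo error; return; }
    if [ "$verdict" = clean ] && [ "$count" -ne 0 ]; then
        echo infected
    else
        echo "$verdict"
    fi
}

# Scan one directory, append output to LOGFILE, and mail unless the result is
# "clean". Assumes clamscan and heirloom-mailx as in the post's script; not
# exercised by the demo below.
scan_and_report() {   # usage: scan_and_report DIR LOGFILE FROM TO
    local dir="$1" log="$2" from="$3" to="$4" rc result
    clamscan -ri "$dir" | tee -a "$log"
    rc=${PIPESTATUS[0]}              # exit code of clamscan, not of tee
    result=$(decide "$rc" < "$log")
    if [ "$result" != clean ]; then
        echo "ClamAV scan of $dir finished with status: $result" |
            mail -a "$log" -s "ClamAV: $result in $dir" -r "$from" "$to"
    fi
    echo "$result"
}

# Constructed samples with the shape of clamscan's trailing SCAN SUMMARY block.
SAMPLE_CLEAN='----------- SCAN SUMMARY -----------
Scanned files: 340
Infected files: 0
Time: 3.500 sec (0 m 3 s)'
SAMPLE_INFECTED='----------- SCAN SUMMARY -----------
Scanned files: 340
Infected files: 2
Time: 3.500 sec (0 m 3 s)'
SAMPLE_ABORTED='/home/user/a.bin: OK'   # killed before any summary was printed

printf '%s\n' "$SAMPLE_CLEAN"    | decide 0   # clean
printf '%s\n' "$SAMPLE_INFECTED" | decide 1   # infected
printf '%s\n' "$SAMPLE_ABORTED"  | decide 2   # error
```

Reading the exit status through PIPESTATUS matters because tee's status would otherwise mask clamscan's; with decide in place the daily job can alert on both findings and broken scans, which is what you want from a detection control.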
Do you have email settings configurations?
I have added a GitHub link for the script to set up sendmail.