
ClamAV with Extra 3rd Party Signatures

Installing and Configuring ClamAV

First install the necessary packages:

sudo apt install clamav clamav-daemon libclamunrar9

The daemon is a permanent process that runs on your system and waits for connections from other programs, which makes it faster than starting a new process every time an email attachment has to be scanned. The libclamunrar9 package allows it to scan RAR archives. The default configuration works well, so there is nothing else to do.

ClamAV comes with the "freshclam" daemon, which keeps the signature databases updated automatically, but after a fresh installation you may want to save time and download the signatures manually once. Stop the freshclam daemon, run an update, then start it again and enable the scanner daemon:

sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam
sudo systemctl enable clamav-daemon

Check the service status:

sudo service clamav-daemon status

Better Detection Signatures

The virus detection rate of ClamAV can be further improved by utilising the ClamAV Unofficial Signatures script.

Warning: This will significantly increase RAM consumption, so it is probably best to skip this step if your resources are limited.

The clamav-unofficial-sigs script provides a simple way to download, test, and update third-party signature databases provided by Sanesecurity, FOXHOLE, OITC, Scamnailer, BOFHLAND, CRDF, Porcupine, Securiteinfo, MalwarePatrol, Yara-Rules Project, etc. The script will also generate and install cron, logrotate, and man files.

All of these commands should be run as root.

Enter a sudo shell:

sudo -s

First install clamav-unofficial-sigs:

wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/clamav-unofficial-sigs.sh -O /usr/local/sbin/clamav-unofficial-sigs.sh
chmod 700 /usr/local/sbin/clamav-unofficial-sigs.sh
mkdir -p /etc/clamav-unofficial-sigs/
wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/config/master.conf -O /etc/clamav-unofficial-sigs/master.conf
wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/config/user.conf -O /etc/clamav-unofficial-sigs/user.conf
os_conf="os.ubuntu.conf"
wget "https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/config/os/${os_conf}" -O /etc/clamav-unofficial-sigs/os.conf

Run the script once as root:

/usr/local/sbin/clamav-unofficial-sigs.sh --force

Install logrotate and man files:

/usr/local/sbin/clamav-unofficial-sigs.sh --install-logrotate
/usr/local/sbin/clamav-unofficial-sigs.sh --install-man

Install systemd configs:

mkdir -p /etc/systemd/system/
wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/systemd/clamav-unofficial-sigs.service -O /etc/systemd/system/clamav-unofficial-sigs.service
wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/systemd/clamav-unofficial-sigs.timer -O /etc/systemd/system/clamav-unofficial-sigs.timer
systemctl daemon-reload
systemctl enable clamav-unofficial-sigs.service
systemctl enable clamav-unofficial-sigs.timer
systemctl start clamav-unofficial-sigs.timer

If the above worked successfully, you can now check which additional signatures ClamAV recognizes:

clamscan --debug 2>&1 /dev/null | grep "loaded"

Further Reading:

https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/README.md
https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/config/master.conf
https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/config/user.conf
https://sanesecurity.com/

A Simple Cron Script

The following script scans all directories listed in the DIRTOSCAN variable; change these as appropriate. It only sends an email if it detects a virus. Save the file as /usr/local/sbin/clamscan.sh.

#!/bin/bash
LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log"
EMAIL_MSG="Please see the log file attached."
EMAIL_FROM="clamav-daily@example.com"
EMAIL_TO="admin@example.com"
DIRTOSCAN="/var/www /var/mail/vmail /var/nc_data /home/git/gitea-repositories/ /tmp /usr/share/nginx /var/cache/nginx"

# DIRTOSCAN is deliberately left unquoted so that it is split into one directory per iteration
for S in ${DIRTOSCAN}; do
    DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1)

    echo "Starting a daily scan of $S directory."
    echo "Amount of data to be scanned is $DIRSIZE."

    # -r recurses into subdirectories, -i logs only infected files
    clamscan --follow-dir-symlinks=2 -ri "$S" >> "$LOGFILE"

    # Directories can also be excluded - an example of usage is below:
    #clamscan --follow-dir-symlinks=2 --exclude=/home/user/spam --exclude=/home/user2/stuff -ri "$S" >> "$LOGFILE"

    # get the value of the "Infected files: N" line from the summary clamscan just appended;
    # default to 0 so the numeric test below does not error out if the line is missing
    MALWARE=$(tail -n 20 "$LOGFILE" | grep "^Infected files:" | tail -n 1 | cut -d" " -f3)
    MALWARE=${MALWARE:-0}

    # if the value is not equal to zero, send an email with the log file attached
    if [ "$MALWARE" -ne 0 ]; then
        # using heirloom-mailx below
        echo "$EMAIL_MSG" | mail -A "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO"
    fi
done

# Clean old logfiles (older than 30 days); -delete avoids a glob that fails when nothing matches
find /var/log/clamav -name 'clamav-*.log' -mtime +30 -delete

exit 0

Set this up as a cron job in root's crontab:

sudo crontab -e
30 1 * * * /usr/local/sbin/clamscan.sh > /dev/null 2>&1

The above will run the script daily at 1:30 am.

Another Example Script

The first script does a full scan, which can take a long time to run. This next script (designed to run daily) searches only for files whose content has been modified in the last 36 hours and hands that list to clamdscan.

#!/bin/bash
LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log"
EMAIL_MSG="Please see the log file attached."
EMAIL_FROM="clamav@example.com"
EMAIL_TO="admin@example.com"

# Build the file lists in private temporary files (mktemp) rather than fixed names in /tmp,
# so a stale or planted /tmp/filelist.txt cannot influence what gets scanned
FILELIST=$(mktemp /tmp/clamav-filelist.XXXXXX)
FILELIST2=$(mktemp /tmp/clamav-filelist2.XXXXXX)

# Find all hidden files (prefixed with a dot) modified in the last 36 hours. Exclude locations with -not -path.
find / -type f -not -path "/proc/*" -not -path "/sys/*" -not -path "/run/*" -not -path "/var/www/*" -not -path "/usr/share/postfixadmin/*" -not -path "/usr/share/phpmyadmin/*" -not -path "/usr/local/maldetect/*" -name ".*" -newermt '36 hours ago' ! -executable >> "$FILELIST"

# Find all executable files modified in the last 36 hours. Exclude locations with -not -path.
find / -type f -not -path "/proc/*" -not -path "/sys/*" -not -path "/run/*" -not -path "/var/www/*" -not -path "/usr/local/maldetect/*" -newermt '36 hours ago' -executable >> "$FILELIST"

# Find all files modified in the last 36 hours in a list of locations including /var/www and /tmp.
find /var/www /usr/share/postfixadmin /usr/share/phpmyadmin /home/git/gitea-repositories/ /tmp /var/cache /var/tmp -type f -newermt '36 hours ago' >> "$FILELIST"

# Sort the list and remove duplicates
sort -u "$FILELIST" > "$FILELIST2"

# use clamdscan rather than clamscan as it scans faster due to parallelization:
# --fdpass hands open file descriptors to clamd so it can read files its own user cannot,
# -m scans in parallel, -f takes the file list
clamdscan --fdpass -m -f "$FILELIST2" >> "$LOGFILE"

# get the value of the "Infected files: N" summary line; default to 0 if the line is missing
MALWARE=$(tail -n 20 "$LOGFILE" | grep "^Infected files:" | tail -n 1 | cut -d" " -f3)
MALWARE=${MALWARE:-0}

# if the value is not equal to zero, send an email with the log file attached
if [ "$MALWARE" -ne 0 ]; then
    # using heirloom-mailx below
    echo "$EMAIL_MSG" | mail -A "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO"
fi

# Clean up files
rm -f "$FILELIST" "$FILELIST2"

# Clean old logfiles (older than 30 days)
find /var/log/clamav -name 'clamav-*.log' -mtime +30 -delete

exit 0
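Both cron scripts above decide whether to send mail by pulling the "Infected files: N" line out of the appended log. The following added example (my own helpers, not part of the original scripts or of ClamAV) isolates that parsing and runs it against a constructed sample log: infected_count reads the last summary and fails explicitly when no summary exists (an interrupted scan would otherwise look clean), total_infected sums the counts across all summaries in a log that collects several directory scans, and scan_verdict turns the result into something a cron script can act on.

```shell
#!/bin/bash
# Hypothetical helpers for parsing a clamscan/clamdscan log (not from ClamAV or the scripts above).

# Print the "Infected files" count from the LAST scan summary in the log.
# Prints nothing and returns 1 when no summary exists, so an interrupted scan
# is reported as a failure instead of being mistaken for a clean result.
infected_count() {
    local logfile="$1" count
    count=$(grep '^Infected files:' "$logfile" 2>/dev/null | tail -n 1 | awk '{print $3}')
    [ -n "$count" ] || return 1
    printf '%s\n' "$count"
}

# Sum the "Infected files" counts over every summary in the log. A log that
# collects several directory scans (as the first cron script does) has one
# summary per directory, and a tail-based check only ever sees the last one.
total_infected() {
    awk '/^Infected files:/ { total += $3 } END { print total + 0 }' "$1"
}

# Map a log to a verdict a cron script can act on: clean, infected, or no-summary.
scan_verdict() {
    local count
    if ! count=$(infected_count "$1"); then
        echo "no-summary"
    elif [ "$count" -ne 0 ]; then
        echo "infected"
    else
        echo "clean"
    fi
}

# Constructed sample log: two appended summaries, the second one with detections.
# The paths and the detection name are made up for this example.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
----------- SCAN SUMMARY -----------
Scanned directories: 12
Scanned files: 340
Infected files: 0
Data scanned: 15.20 MB
/var/www/html/uploads/report.bin: Example.Test.Signature FOUND
/var/www/html/uploads/cache.dat: Example.Test.Signature FOUND
----------- SCAN SUMMARY -----------
Scanned files: 57
Infected files: 2
Data scanned: 1.05 MB
EOF
EMPTY_LOG=$(mktemp)   # an interrupted scan leaves no summary at all
```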