Pages

Wednesday, March 15, 2017

Fedora 25: First test with clamav antivirus.

This is a short tutorial about how to use ClamAV antivirus on Fedora 25.
First, you need to install it with this commands:
[root@localhost mythcat]# dnf install clamav.x86_64 
...

[root@localhost mythcat]# dnf install clamav-update.x86_64
...
Make settings into your /etc/freshclam.conf file. I used awk tool to show you my settings from /etc/freshclam.conf:
[root@localhost mythcat]# awk -F: '/^[^#]/ { print $1 }' /etc/freshclam.conf | uniq 
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/freshclam.log
LogFileMaxSize 2M
LogTime yes
LogVerbose yes
LogSyslog yes
LogFacility LOG_MAIL
LogRotate yes
DatabaseOwner clamupdate
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror database.clamav.net
MaxAttempts 5
ScriptedUpdates yes
DetectionStatsCountry country-code
SafeBrowsing yes
Update the ClamAV antivirus with :
[root@localhost mythcat]# /usr/bin/freshclam
ClamAV update process started at Wed Mar 15 13:42:07 2017
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
WARNING: getfile: daily-21724.cdiff not found on database.clamav.net (IP: 195.30.97.3)
WARNING: getpatch: Can't download daily-21724.cdiff from database.clamav.net
Trying host database.clamav.net (212.7.0.71)...
nonblock_connect: connect timing out (30 secs)
Can't connect to port 80 of host database.clamav.net (IP: 212.7.0.71)
WARNING: getpatch: Can't download daily-21724.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-21724.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-21724.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-21724.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Downloading daily.cvd [100%]
daily.cvd updated (version: 23205, sigs: 1789155, f-level: 63, builder: neo)
Downloading safebrowsing.cvd [100%]
safebrowsing.cvd updated (version: 45693, sigs: 2756150, f-level: 63, builder: google)
Downloading bytecode-279.cdiff [100%]
Downloading bytecode-280.cdiff [100%]
Downloading bytecode-281.cdiff [100%]
Downloading bytecode-282.cdiff [100%]
Downloading bytecode-283.cdiff [100%]
Downloading bytecode-284.cdiff [100%]
Downloading bytecode-285.cdiff [100%]
Downloading bytecode-286.cdiff [100%]
Downloading bytecode-287.cdiff [100%]
Downloading bytecode-288.cdiff [100%]
Downloading bytecode-289.cdiff [100%]
Downloading bytecode-290.cdiff [100%]
Downloading bytecode-291.cdiff [100%]
bytecode.cld updated (version: 291, sigs: 55, f-level: 63, builder: neo)
Database updated (8764150 signatures) from database.clamav.net (IP: 157.25.5.183)
Now you can run it on Fedora 25 folder with this.
[root@localhost mythcat]# clamscan 
/home/mythcat/.bash_logout: OK
/home/mythcat/.bash_profile: OK
...
----------- SCAN SUMMARY -----------
Known viruses: 8758441
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 54
Infected files: 0
Data scanned: 71.80 MB
Data read: 189.96 MB (ratio 0.38:1)
Time: 13.968 sec (0 m 13 s)
This tool comes with many options and features for Fedora workstations and server. Just read the documentation and make your changes. To check all files on the computer, but only display infected files and ring a bell when found:
clamscan -r --bell -i / 
To check files in the all users home directories:
clamscan -r /home 
If you got this error:
LibClamAV Warning: fmap_readpage: pread fail: ... 
Then this comes from sysfs and is a virtual file system provided by the Linux kernel and need to be excluded with this arg:
--exclude-dir="^/sys"
--exclude-dir=^/sys  --exclude-dir=^/dev --exclude-dir=^/proc 
My result of scan ( the file FOUND is not a virus) :
/home/mythcat/devil-linux-1.8.0-rc2-x86_64/install-on-usb.exe: Win.Trojan.Delfiles-17 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 9042471
Engine version: 0.99.2
Scanned directories: 98653
Scanned files: 570740
Infected files: 1
Data scanned: 29750.14 MB
Data read: 48591.70 MB (ratio 0.61:1)
Time: 3819.053 sec (63 m 39 s)