Installing ClamAV on CentOS 7

Summary

The other day I was performing a system update on my CentOS desktop when it struck me that I do not have an antivirus product on my machine. Like many Linux users I have relied on Linux systems being considered less vulnerable than Windows systems.

As a rule I do not use this machine for general browsing or email, and my main activities are confined to downloading files and software packages from trusted or semi-trusted repositories. I also do not allow inbound access except from hosts on my internal network. So far these precautions seem to have protected my machine from any virus infection.

However, I thought “..might as well load an antivirus product for added protection.”

Researching antivirus products for Linux systems, I found paid products from Kaspersky and Sophos, and ClamAV, which is an open source product available for various Linux distributions. ClamAV came to Cisco through its acquisition of Sourcefire; there is more history on the Cisco acquisition on Wikipedia.

This article is a walk through of the installation for ClamAV.

Overview of installation process

ClamAV is the virus scanner (the clamd daemon plus the clamscan and clamdscan command line tools); a separate program, freshclam, downloads and updates its virus signature database.

I have broken the installation into sections to make it easier to follow and to install the software in a staged manner.

Section 1: Install and configure ClamAV

Section 2: Update Freshclam

Section 3: ClamAV service startup

Section 4: Command line scan and check log file

As an option you can also install ClamTk, which is a GUI front end for ClamAV. The GUI exposes less than the command line does, but it is easier to use for non-administrators.

Section 5: Install and run ClamTk (optional)

Section 1 : ClamAV installation for CentOS 7

The steps for the ClamAV installation are:

1.1 Install extra packages (epel)

1.2 Update your OS and clean up

1.3 Install ClamAV software

1.4 Confirm SELinux settings and permit ClamAV access

1.5 Set up the ClamAV configuration file, scan.conf

1.1: Installing EPEL

$ sudo yum install -y epel-release

Extra Packages for Enterprise Linux (EPEL) is maintained by the Fedora project and contains many packages that other software depends on for sysadmin, networking, monitoring and programming tasks. ClamAV itself comes from EPEL, not from the base CentOS repositories. It is likely you already have the repository enabled from installing other software that depends on it.

1.2: OS yum update

Next do a yum update, followed by a clean-up of the cached package metadata (both need root):

$ sudo yum -y update

$ sudo yum clean all

1.3: Install ClamAV and all dependencies

We are now ready to perform the product installation. Note that yum package names are lower case and case sensitive, and that clamav-devel is only needed if you intend to build software against libclamav:

$ sudo yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

Once the software is installed we can move on to the configuration of ClamAV.

1.4: Confirm SELinux settings

SELinux is a mandatory access control layer in the Linux kernel that defines which files, pipes, network sockets and so on each program or daemon may access, independently of the ordinary file permissions.

If you have SELinux enabled you must switch on two booleans so that clamd may read files outside its own directories.

To check the status of SELinux:

$ sestatus | grep enabled

SELinux status:                 enabled

If enabled, run the following commands to allow ClamAV access to its files. The -P flag makes the change persistent across reboots. antivirus_can_scan_system lets the daemon read files anywhere on the system; antivirus_use_jit lets its bytecode signature JIT map writable and executable memory, which the policy otherwise forbids. On CentOS 7 the booleans live in the antivirus module, so the name is antivirus_use_jit rather than the older clamd_use_jit:

$ sudo setsebool -P antivirus_can_scan_system 1

$ sudo setsebool -P antivirus_use_jit 1

Confirm the settings; you should see these lines:

$ sudo getsebool -a | grep antivirus

antivirus_can_scan_system --> on

antivirus_use_jit --> on

1.5: Edit ClamAV configuration file

The scan.conf file is in /etc/clamd.d (cd is a shell built-in, so it is run without sudo; only the copy and the editor need root):

$ cd /etc/clamd.d

Make a backup of the file before you edit it:

$ sudo cp scan.conf scan.bak

$ sudo nano scan.conf

Now make the following edits in the configuration file:

  • Comment out the Example line
  • Set User to root
  • Uncomment LocalSocket
  • Enable logging, leaving the log file lock setting as it is

The lines to change in scan.conf are the following (the screenshots from the original post are not reproduced here, so each directive is named as it appears in the file).

1.5.1: Comment out the Example line

The stock file contains a bare line reading Example, which makes clamd refuse to start until the file has been reviewed. Add a hash at the start of that line.

1.5.2: Change User from clamscan to root

The package default is User clamscan, which together with the antivirus_can_scan_system boolean is enough for on-demand scans of world-readable files. Setting User root lets clamd read every file on the system, but it also means that any bug in the scanner's parsers runs with root privileges, so treat this as a trade-off rather than a requirement.

1.5.3: Uncomment LocalSocket

Remove the hash from the start of the LocalSocket line. This is the Unix socket that clamdscan (and ClamTk, if you install it) uses to hand files to the daemon.

1.5.4: Enable local logging

Remove the hash from the LogFile line so that clamd writes to /var/log/clamd.scan, the file examined in section 4.2. Leave the LogFileUnlock line as it is.
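The four edits above can also be made with sed rather than by hand. This is an added example, not code from the original post or from the ClamAV project; it assumes the EPEL file layout (/etc/clamd.d/scan.conf with the directive names shown) and uses a constructed excerpt of a stock scan.conf for its dry run. The check function is the part worth keeping: run it after any edit to confirm clamd will see what you expect.

```bash
#!/bin/bash
# Added example: apply the scan.conf edits from section 1.5 with sed.
# Assumes the EPEL layout (/etc/clamd.d/scan.conf) and the directive names
# and defaults shown in SAMPLE_CONF, a constructed excerpt, not the full file.
set -eu

# Constructed excerpt of a stock scan.conf, used for the dry run below.
SAMPLE_CONF='# Comment or remove the line below.
Example
#LogFile /var/log/clamd.scan
#LogFileUnlock yes
#LocalSocket /run/clamd.scan/clamd.sock
User clamscan'

# configure_scan_conf FILE [USER]: edit FILE in place after saving FILE.bak.
# USER defaults to clamscan, the package default. The article uses root so
# clamd can read every file; that also means a scanner bug runs as root, so
# pass root deliberately rather than by default.
configure_scan_conf() {
    local file="$1" user="${2:-clamscan}"
    cp -p "$file" "$file.bak"
    # 1.5.1 comment out the Example line that makes clamd refuse to start
    sed -i 's/^Example$/#Example/' "$file"
    # 1.5.2 set the account clamd runs as
    sed -i "s/^User .*/User $user/" "$file"
    # 1.5.3 uncomment the Unix socket clamdscan talks to
    sed -i 's|^#LocalSocket |LocalSocket |' "$file"
    # 1.5.4 enable the log file; LogFileUnlock is left untouched, as in the article
    sed -i 's|^#LogFile |LogFile |' "$file"
}

# check_scan_conf FILE: print "ok" when all four edits are present, otherwise
# list the directives still wrong and return 1.
check_scan_conf() {
    local file="$1" bad=""
    grep -q '^Example$' "$file" && bad="$bad Example"
    grep -q '^User ' "$file" || bad="$bad User"
    grep -q '^LocalSocket ' "$file" || bad="$bad LocalSocket"
    grep -q '^LogFile ' "$file" || bad="$bad LogFile"
    if [ -z "$bad" ]; then echo ok; return 0; fi
    echo "missing:$bad"
    return 1
}

# dry_run: exercise both functions on the constructed excerpt; prints "ok".
dry_run() {
    local tmp
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONF" > "$tmp"
    configure_scan_conf "$tmp" root
    check_scan_conf "$tmp"
    rm -f "$tmp" "$tmp.bak"
}

# Real use on the host (as root):  bash this_script.sh /etc/clamd.d/scan.conf root
if [ "${1:-}" ]; then
    configure_scan_conf "$1" "${2:-clamscan}" && check_scan_conf "$1"
fi
```

Run the script with no arguments to do nothing, or call dry_run to see the edits applied to the sample; with a path and user it edits the real file and prints ok or the list of directives it did not find.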

Section 2: Freshclam configuration

With ClamAV installed, we move on to updating the virus signatures and definitions. ClamAV uses freshclam to manage signature updates.

Here are the steps to obtain the latest signatures:

2.1 Edit freshclam.conf

2.2 Run freshclam to update the signatures

2.3 Create a freshclam service

2.1: Set up freshclam

2.1.1: Back up freshclam.conf

The freshclam configuration file is /etc/freshclam.conf; the name is lower case and the shell is case sensitive. From /etc:

$ ls -al fresh*

-rw-r--r--. 1 root root 6446 Mar 28 12:57 freshclam.conf

$ sudo cp freshclam.conf freshclam.bak

2.1.2: Comment out the Example line

As with scan.conf, the stock file contains a bare Example line; add a hash at the start of it, otherwise freshclam exits with an error about the example configuration.

2.2 : Run freshclam to update its virus signature database

Run as root, freshclam drops to the DatabaseOwner account named in freshclam.conf before writing into the database directory, so sudo is fine here:

$ sudo freshclam

ClamAV update process started at Sat May 18 19:05:21 2019

main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)

Downloading daily-25402.cdiff [100%]

Downloading daily-25403.cdiff [100%]

<deleted output>

Downloading daily-25453.cdiff [100%]

daily.cld updated (version: 25453, sigs: 1573758, f-level: 63, builder: raynman)

bytecode.cvd is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)

Database updated (6140101 signatures) from database.clamav.net (IP: 104.16.219.84)

2.2.1 Run freshclam one more time to ensure all signatures are up to date

The first run applies the daily.cdiff increments one by one; a second run should report all three databases up to date, which confirms nothing was left half applied.

$ sudo freshclam

ClamAV update process started at Sat May 18 19:06:18 2019

main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)

daily.cld is up to date (version: 25453, sigs: 1573758, f-level: 63, builder: raynman)

2.2.2: Copy scan.conf to clamd.conf; this is the file that clamconf looks for

$ sudo cp /etc/clamd.d/scan.conf /etc/clamd.conf

2.3: Create the freshclam service

The packages installed here do not ship a systemd unit for freshclam, as a look in the unit directory shows:

$ cd /usr/lib/systemd/system/

$ ls -al fresh*

ls: cannot access fresh*: No such file or directory

Since there is no service definition yet, you have to create one. The file name is case sensitive and must match the name used with systemctl in section 3:

$ sudo nano freshclam.service

$ ls -al fresh*

-rw-r--r--. 1 root root 202 May 18 19:20 freshclam.service

Section 3: Start services

Now let us set up freshclam and clamd to run as system services, so that signatures are refreshed and the scanner daemon is available in the background.

3.1 Start freshclam

3.2 Start ClamAV

3.1 : Start freshclam service

Check whether freshclam is already running with systemctl status; on a first install there should be no active service. Then start it and enable it so that it also starts at boot:

$ sudo systemctl start freshclam

$ sudo systemctl enable freshclam

Created symlink from /etc/systemd/system/multi-user.target.wants/freshclam.service to /usr/lib/systemd/system/freshclam.service.

Now recheck that freshclam is running as a service; the status should show active (running).

3.2 : Start ClamAV service

The scanner package ships a template unit, clamd@.service, plus the clamd@scan instance that reads /etc/clamd.d/scan.conf. Check that both are present in /usr/lib/systemd/system:

$ ls -al clam*

-rw-r--r--. 1 root root 136 Mar 28 12:54 clamd@scan.service

-rw-r--r--. 1 root root 416 Mar 28 12:54 clamd@.service

Check the service status as for freshclam above; it should show inactive.

Enable the service (enable only arranges for clamd to start at boot, so start it now as well, the same way freshclam was started in 3.1):

$ sudo systemctl enable clamd@scan

Created symlink from /etc/systemd/system/multi-user.target.wants/clamd@scan.service to /usr/lib/systemd/system/clamd@scan.service.

Warning: clamd keeps the whole signature set in memory while it runs, which at this database size is around 600 MB of resident memory. Each process that loads the database pays that cost separately: a standalone clamscan run alongside the daemon loads its own copy, and a reload after a freshclam update can briefly hold two copies. Make sure you monitor memory on your host, especially on small machines.

Here is an example check of the real memory usage.
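An added example (not from the original post) of that check: it reports whether both units are enabled and active, how much resident memory clamd holds, and whether that leaves room for a second copy of the database. The unit names are the ones used in sections 2.3 and 3.2; the 600 MB threshold and the use of ps and /proc/meminfo are assumptions.

```bash
#!/bin/bash
# Added example: service and memory check for clamd@scan and freshclam.
# Assumes procps (ps) and /proc/meminfo; the 600 MB threshold is the figure
# quoted in the article, not a ClamAV constant.
set -eu

# unit_state NAME: print "<enabled-state>/<active-state>", e.g. enabled/active.
unit_state() {
    local name="$1" en act
    en=$(systemctl is-enabled "$name" 2>/dev/null || true)
    act=$(systemctl is-active "$name" 2>/dev/null || true)
    echo "${en:-unknown}/${act:-unknown}"
}

# rss_kb_of PROCESS: resident set size in KiB summed over all processes with
# that name (clamd uses threads, so normally a single line); 0 if not running.
rss_kb_of() {
    ps -o rss= -C "$1" 2>/dev/null | awk '{ s += $1 } END { print s + 0 }'
}

# kb_to_mb KB: integer MiB.
kb_to_mb() { echo $(( $1 / 1024 )); }

# mem_available_mb: MemAvailable from /proc/meminfo in MiB.
mem_available_mb() {
    awk '/^MemAvailable:/ { print int($2 / 1024) }' /proc/meminfo
}

# memory_verdict USED_MB AVAIL_MB THRESHOLD_MB: ok, high or critical.
# critical means a second signature load (a clamscan run next to clamd, or a
# reload after a freshclam update) would not fit in the memory still available.
memory_verdict() {
    local used="$1" avail="$2" thr="$3"
    if [ "$used" -gt "$avail" ]; then
        echo critical
    elif [ "$used" -gt "$thr" ]; then
        echo high
    else
        echo ok
    fi
}

# report: the check as you would run it on the host.
report() {
    local clamd_mb avail
    echo "clamd@scan: $(unit_state clamd@scan)"
    echo "freshclam:  $(unit_state freshclam)"
    clamd_mb=$(kb_to_mb "$(rss_kb_of clamd)")
    avail=$(mem_available_mb)
    echo "clamd RSS: ${clamd_mb} MB, MemAvailable: ${avail} MB, verdict: $(memory_verdict "$clamd_mb" "$avail" 600)"
}
```

Call report after both services are up. A line such as clamd@scan: enabled/inactive means the unit was enabled but never started; start it with systemctl, as in section 3.1. An RSS of 0 with the unit active usually means clamd is still loading the database, so wait a minute and check again.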

Section 4: Command line scan and check log file

Here are examples of using the command line.

4.1 Run a scan from the command line

4.2 Check the log file

4.1 : Run a scan from the command line

To scan the root and home directories, point the scanner at / and /home. With clamd running, clamdscan hands the paths to the daemon over the LocalSocket from section 1.5, so the signatures already loaded in memory are reused instead of being loaded a second time by a standalone clamscan run.

clamdscan prints only infected files and the final summary, so there is no screen output until the scan completes unless you run it in verbose mode. Both clamscan and clamdscan exit with 0 when nothing was found, 1 when something was found and 2 on error, which is what a script or cron job should act on.

4.2 : Check the log file

The log file is /var/log/clamd.scan, the LogFile set in section 1.5.4. clamd appends one line ending in FOUND for each detection, along with start, reload and self-check messages.
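An added example, not from the original post or the ClamAV project, of the scan and log check from sections 4.1 and 4.2. It assumes clamd@scan is running with the LocalSocket and LogFile from section 1.5 and uses clamdscan so the daemon's loaded signatures are reused; the directory list, the EICAR detection check and the exit-status handling are additions of this example.

```bash
#!/bin/bash
# Added example: scan through the running daemon, act on the exit status, and
# verify detection with the standard EICAR test string. Assumes clamd@scan is
# running with LocalSocket enabled and LogFile /var/log/clamd.scan (section 1.5).
set -eu

CLAMD_LOG=/var/log/clamd.scan

# scan_rc_meaning RC: translate the clamscan/clamdscan exit status documented
# in their man pages into a word a script can branch on.
scan_rc_meaning() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;        # daemon not running, unreadable path, bad option
        *) echo "unknown($1)" ;;
    esac
}

# write_eicar FILE: create the 68-byte EICAR test file. Assembled from two
# halves so that this script itself is not flagged by a scanner.
write_eicar() {
    local a='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS'
    local b='-TEST-FILE!$H+H*'
    printf '%s%s' "$a" "$b" > "$1"
}

# eicar_size FILE: size in bytes; anything other than 68 is not the test string.
eicar_size() { wc -c < "$1" | tr -d ' '; }

# scan_paths PATH...: scan through clamd. --fdpass passes open descriptors so
# clamd can read files its own user could not; --multiscan uses several
# threads; --infected prints only hits. Prints the verdict, returns the raw rc.
scan_paths() {
    local rc=0
    clamdscan --fdpass --multiscan --infected "$@" || rc=$?
    echo "verdict: $(scan_rc_meaning "$rc")"
    return "$rc"
}

# last_log_hits [N]: the most recent N detections clamd wrote to its log.
last_log_hits() {
    grep ' FOUND$' "$CLAMD_LOG" | tail -n "${1:-10}"
}

# detection_check: prove the daemon is alive and actually detects something.
# Expected output is "infected"; "clean" means the signatures are not loaded,
# "error" means clamd is not reachable over the socket.
detection_check() {
    local f rc=0
    f=$(mktemp /tmp/eicar.XXXXXX)
    write_eicar "$f"
    scan_paths "$f" >/dev/null || rc=$?
    rm -f "$f"
    scan_rc_meaning "$rc"
}

# On the host (clamd@scan running, run with sudo for the root scan):
#   detection_check        # prints: infected
#   scan_paths / /home     # the article's root and home scan
#   last_log_hits 5        # what clamd logged about it
```

Run detection_check first; if it does not print infected, fix the daemon before trusting a clean result from a full scan. The scan_paths exit status is the value to test in cron or a wrapper script, since the summary text is not meant for parsing.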

Section 5 : Install ClamTk

ClamTk is a front end for ClamAV (Clam Antivirus). It is intended to be an easy to use, lightweight, on-demand scanner for Linux desktops.

ClamTk is aimed at desktop users who want to scan files before sending them to others.

Here is the FAQ for further reference http://clamtk.sourceforge.net/help/faq-clamtk.html

The steps to install ClamTk are:

5.1 Install ClamTk

5.2 Review settings and run a scan

5.1: Install ClamTk

Check that you have curl:

$ curl --version

curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.36 zlib/1.2.7 libidn/1.28 libssh2/1.4.3

Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp

Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets

If not, install it with sudo yum install curl.

I tried to yum install ClamTk but there was no package available, so I had to get it from GitHub and install it locally.

Check for the latest version available from the project's Downloads page.

Perform the download and save the file in a directory of your choice. In this example I have simply used my browser default, the ~/Downloads directory.

Navigate to that directory and install from the downloaded package.

5.2: Review settings and run a scan

Once installation is complete, launch ClamTk from the desktop menu.

Further information about using ClamTk can be found on its GitHub page, in particular how to set up signature updates and scanning for users without sudo access. Refer to it if that is what you require in your setup.

Acknowledgement

Given ClamAV's long history there are many posts describing its installation. The bulk of the installation steps in this article came from a hostpresto tutorial.