Install both clamav and the daemon: sudo apt-get install clamav clamav-daemon
Start the freshclam service: sudo systemctl start clamav-freshclam.service or service clamav-freshclam start
Keep checking its status with sudo systemctl status clamav-freshclam.service or tail -f /var/log/clamav/freshclam.log until you see a Database updated message
● clamav-freshclam.service - ClamAV virus database updater
Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2019-10-10 11:41:44 WEST; 3min 1s ago
Docs: man:freshclam(1)
man:freshclam.conf(5)
https://www.clamav.net/documents
Main PID: 29214 (freshclam)
CGroup: /system.slice/clamav-freshclam.service
└─29214 /usr/bin/freshclam -d --foreground=true
Oct 10 11:41:55 wazuh freshclam[29214]: Thu Oct 10 11:41:55 2019 -> main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Oct 10 11:41:57 wazuh freshclam[29214]: Thu Oct 10 11:41:57 2019 -> *Can't query main.58.105.1.0.2606470000000000000000006810da54.ping.clamav.net
Oct 10 11:41:58 wazuh freshclam[29214]: Thu Oct 10 11:41:58 2019 -> Downloading daily.cvd [100%]
Oct 10 11:42:39 wazuh freshclam[29214]: Thu Oct 10 11:42:39 2019 -> daily.cvd updated (version: 25597, sigs: 1807543, f-level: 63, builder: raynman)
Oct 10 11:42:41 wazuh freshclam[29214]: Thu Oct 10 11:42:41 2019 -> *Can't query daily.25597.105.1.0.2606470000000000000000006810da54.ping.clamav.net
Oct 10 11:42:41 wazuh freshclam[29214]: Thu Oct 10 11:42:41 2019 -> Downloading bytecode.cvd [100%]
Oct 10 11:42:42 wazuh freshclam[29214]: Thu Oct 10 11:42:42 2019 -> bytecode.cvd updated (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Oct 10 11:42:44 wazuh freshclam[29214]: Thu Oct 10 11:42:44 2019 -> *Can't query bytecode.331.105.1.0.2606470000000000000000006810da54.ping.clamav.net
Oct 10 11:42:49 wazuh freshclam[29214]: Thu Oct 10 11:42:49 2019 -> Database updated (6373886 signatures) from db.local.clamav.net (IP: 2606:4700::6810:da54)
Oct 10 11:42:49 wazuh freshclam[29214]: Thu Oct 10 11:42:49 2019 -> ^Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl: No such file or directory
The final "Clamd was NOT notified" warning is expected at this point, because clamd is not running yet. After this, start the clamd service: sudo systemctl start clamav-daemon.service or service clamav-daemon start
Check the status with sudo systemctl status clamav-daemon.service or service clamav-daemon status to see if everything is OK
● clamav-daemon.service - Clam AntiVirus userspace daemon
Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/clamav-daemon.service.d
└─extend.conf
Active: active (running) since Thu 2019-10-10 11:46:58 WEST; 8s ago
Docs: man:clamd(8)
man:clamd.conf(5)
https://www.clamav.net/documents/
Process: 29426 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
Process: 29423 ExecStartPre=/bin/mkdir /run/clamav (code=exited, status=0/SUCCESS)
Main PID: 29429 (clamd)
CGroup: /system.slice/clamav-daemon.service
└─29429 /usr/sbin/clamd --foreground=true
Oct 10 11:46:58 wazuh systemd[1]: Starting Clam AntiVirus userspace daemon...
Oct 10 11:46:58 wazuh systemd[1]: Started Clam AntiVirus userspace daemon.
Open the configuration file vi /etc/clamav/clamd.conf and change the directive ScanMail to false, since this host runs no email server
Create a script file vi /home/devel/scripts/clamav-scan.sh with the following content:
#!/bin/bash
# Date stamp used in the log file name (day-month-year)
NOW="$(date +"%d-%m-%Y")"
# Scan the listed folders through clamd: --fdpass passes file descriptors so clamd can read
# files its own user cannot open, --infected logs only detections, --multiscan scans in parallel
clamdscan /home /backups /var/www/html --fdpass --infected --multiscan --log=/var/log/clamav/scan/clamav-$NOW.log
Change the folders to scan as needed
Make it executable: sudo chmod +x /home/devel/scripts/clamav-scan.sh
Create a folder to hold the scan logs: sudo mkdir /var/log/clamav/scan
Add an entry to root's crontab with sudo crontab -e, changing the execution time as needed:
0 3 * * * /home/devel/scripts/clamav-scan.sh
Edit the ossec configuration file sudo vi /var/ossec/etc/ossec.conf and add the following inside the <ossec_config> block:
<ossec_config>
...
<localfile>
<log_format>syslog</log_format>
<location>/var/log/clamav/clamav.log</location>
</localfile>
</ossec_config>
Restart the agent: sudo /var/ossec/bin/ossec-control restart
Create an EICAR test file sudo vi /tmp/eicar.txt with the content:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Run a scan: sudo clamdscan /tmp/ --infected --multiscan
If the test file is reported as found, everything is working; delete it with sudo rm /tmp/eicar.txt
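A post-scan check to pair with the cron script above, added here as an example and not part of the original page: it maps the clamdscan exit status to a verdict (the "Can't connect to clamd" failure seen in the freshclam output is what produces status 2) and extracts path and signature from FOUND lines in the layout clamd writes to clamav.log, which is the file the Wazuh agent reads. The sample log lines are constructed, and the Example.Test-Signature name and the --run flag are assumptions of this example.

```shell
#!/bin/bash
# Post-scan checks for the cron job above (added example, not the page's own script).
LOG_DIR=/var/log/clamav/scan
SCAN_TARGETS="/home /backups /var/www/html"

# Map the clamdscan exit status (documented in clamdscan(1)) to a verdict.
# Status 2 covers the "Can't connect to clamd" case, which a plain cron
# job would otherwise hide behind an empty log file.
scan_verdict() {
  case "$1" in
    0) echo clean ;;
    1) echo infected ;;
    2) echo error ;;
    *) echo unknown ;;
  esac
}

# Print "path<TAB>signature" for every FOUND line in the given log text.
# Accepts plain clamdscan output and clamd.log lines that carry the
# "date -> " prefix (LogTime enabled), which is what Wazuh ingests.
found_entries() {
  printf '%s\n' "$1" | awk '
    / FOUND$/ {
      line = $0
      sub(/^.* -> /, "", line)      # strip the clamd timestamp prefix
      sub(/ FOUND$/, "", line)
      sig = line
      sub(/^.*: /, "", sig)         # the signature follows the last ": "
      path = substr(line, 1, length(line) - length(sig) - 2)
      print path "\t" sig
    }'
}
# Number of detections in the given log text.
found_count() {
  found_entries "$1" | wc -l | tr -d ' '
}

# Constructed sample in the layout clamd writes to /var/log/clamav/clamav.log;
# the second signature name is a made-up placeholder.
SAMPLE_LOG='Thu Oct 10 11:50:10 2019 -> SelfCheck: Database status OK.
Thu Oct 10 11:50:12 2019 -> /tmp/eicar.txt: Eicar-Test-Signature FOUND
Thu Oct 10 11:50:13 2019 -> /var/www/html/uploads/img.php: Example.Test-Signature FOUND'
# Run the real scan only when asked to, so sourcing this file has no side effects.
if [ "${1-}" = "--run" ]; then
  mkdir -p "$LOG_DIR"
  LOG="$LOG_DIR/clamav-$(date +%d-%m-%Y).log"
  clamdscan $SCAN_TARGETS --fdpass --infected --multiscan --log="$LOG"
  status=$?
  echo "verdict: $(scan_verdict "$status"), detections: $(found_count "$(cat "$LOG" 2>/dev/null)")"
fi
```

Run it as /home/devel/scripts/clamav-check.sh --run from cron to get a one-line verdict alongside the log; the functions can also be sourced to inspect an existing log.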