ClamAV Antivirus Server (Rev 2)
ClamAV is an open source (GPL) anti-virus engine used in a variety of situations including email scanning, web scanning, and end point security. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates.
Setup and configuration have been tested on the following OS and ClamAV versions:
- Ubuntu 18.04, Ubuntu 20.04 (Focal Fossa), Windows 10, Windows Server 2019
- ClamAV 0.102.4, 0.104
A how-to for building ClamAV from source will be added in an upcoming release.
Dependencies for Ubuntu 20.04
gcc cmake make pkg-config python3 python3-pip python3-pytest valgrind check libbz2-dev libcurl4-openssl-dev libjson-c-dev libmilter-dev libncurses5-dev libpcre2-dev libssl-dev libxml2-dev zlib1g-dev
Install ClamAV from source
First install the required dependencies.
server@ubuntu:~$ sudo apt-get update && \
  sudo apt-get -y upgrade && \
  sudo apt-get install -y gcc cmake make pkg-config python3 python3-pip python3-pytest valgrind \
  check libbz2-dev libcurl4-openssl-dev libjson-c-dev libmilter-dev \
  libncurses5-dev libpcre2-dev libssl-dev libxml2-dev zlib1g-dev
Next run the following command.
server@ubuntu:~$ python3 -m pip install --user cmake
Import ClamAV signing key
You can find the public ClamAV key on the ClamAV website under Talos PGP Public Key.
Create a new .asc file, paste the public key into it, and save.
server@ubuntu:~$ touch clamav.asc && nano clamav.asc
Once you've saved the clamav.asc file, proceed to import the key.
server@ubuntu:~$ gpg --import clamav.asc
You should see that the Talos (Cisco Systems Inc.) public key has been imported.
gpg: key 609B024F2B3EDD07: public key "Talos (Talos, Cisco Systems Inc.) <firstname.lastname@example.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
Now let's edit the key.
server@ubuntu:~$ gpg --edit-key 609B024F2B3EDD07
When prompted, type trust and select option 5 (I trust ultimately).
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  rsa4096/609B024F2B3EDD07
     created: 2021-03-30  expires: 2023-03-30  usage: SC
     trust: unknown       validity: unknown
sub  rsa4096/73966F3B446077EC
     created: 2021-03-30  expires: 2023-03-30  usage: E
[ unknown] (1). Talos (Talos, Cisco Systems Inc.) <email@example.com>

gpg> trust
pub  rsa4096/609B024F2B3EDD07
     created: 2021-03-30  expires: 2023-03-30  usage: SC
     trust: unknown       validity: unknown
sub  rsa4096/73966F3B446077EC
     created: 2021-03-30  expires: 2023-03-30  usage: E
[ unknown] (1). Talos (Talos, Cisco Systems Inc.) <firstname.lastname@example.org>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  rsa4096/609B024F2B3EDD07
     created: 2021-03-30  expires: 2023-03-30  usage: SC
     trust: ultimate      validity: unknown
sub  rsa4096/73966F3B446077EC
     created: 2021-03-30  expires: 2023-03-30  usage: E
[ unknown] (1). Talos (Talos, Cisco Systems Inc.) <email@example.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> quit
Before you build ClamAV, download both the source tarball and its signature, then verify the signature.
server@ubuntu:~$ wget https://www.clamav.net/downloads/production/clamav-0.104.0.tar.gz && \
  wget https://www.clamav.net/downloads/production/clamav-0.104.0.tar.gz.sig && \
  gpg --verify clamav-0.104.0.tar.gz.sig clamav-0.104.0.tar.gz
The output should report a good signature from Talos (Cisco).
gpg: Signature made Wed 01 Sep 2021 05:52:12 PM UTC
gpg:                using RSA key 609B024F2B3EDD07
gpg: Good signature from "Talos (Talos, Cisco Systems Inc.) <firstname.lastname@example.org>" [ultimate]
Proceed to extract and build.
This may take a while because the build tests are run. The final cd steps back to the directory the tarball was downloaded to before removing it.
server@ubuntu:~$ tar -xvzf clamav-0.104.0.tar.gz && \
  cd clamav-0.104.0/ && \
  mkdir build && cd build && \
  cmake .. \
    -D CMAKE_INSTALL_PREFIX=/usr \
    -D CMAKE_INSTALL_LIBDIR=lib \
    -D APP_CONFIG_DIRECTORY=/etc/clamav \
    -D DATABASE_DIRECTORY=/var/lib/clamav && \
  cmake --build . && \
  ctest && \
  sudo cmake --build . --target install && \
  cd ../.. && rm clamav-0.104.0.tar.gz clamav-0.104.0.tar.gz.sig
Install from repository
In this tutorial we will install the ClamAV Antivirus Server (the clamav-daemon, 192.168.0.1) on its own server or virtual machine. We'll also use the multiscan option, so the more cores the server has, the faster your scans will run. The clients (192.168.0.3) will not use the regular clamscan but rather clamdscan, connecting to the ClamAV Antivirus Server's TCP socket instead of the local client's Unix socket. This approach also means the ClamAV definition database only has to be kept up-to-date on the server.
First install the ClamAV scanner and the ClamAV daemon.
server@ubuntu:~$ sudo apt-get install clamav clamav-daemon
Proceed to stop freshclam, the automatic database update tool for ClamAV.
server@ubuntu:~$ sudo systemctl stop clamav-freshclam
Next run freshclam to update to the latest definition database.
server@ubuntu:~$ sudo freshclam
Once you've run the freshclam command, check the log /var/log/clamav/freshclam.log for the current status and then start freshclam again.
server@ubuntu:~$ cat /var/log/clamav/freshclam.log
Sat Apr 10 17:51:37 2021 -> daily.cvd database is up to date (version: 26136, sigs: 3969743, f-level: 63, builder: raynman)
Sat Apr 10 17:51:37 2021 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Sat Apr 10 17:51:37 2021 -> bytecode.cvd database is up to date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
server@ubuntu:~$ sudo systemctl start clamav-freshclam
Now we'll update the ClamAV daemon configuration to make the server listen on TCP port 3310.
server@ubuntu:~$ sudo nano /etc/clamav/clamd.conf
#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run
#dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
TCPSocket 3310
Restart ClamAV to apply the new changes.
server@ubuntu:~$ sudo systemctl restart clamav-daemon.service
To confirm that ClamAV listens on TCP port 3310, run the command below (requires
server@ubuntu:~$ netstat -lnp | grep -E "(clam|3310)"
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:3310            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::3310                 :::*                    LISTEN      -
unix  2      [ ACC ]     STREAM     LISTENING     73674    -                    /var/run/clamav/clamd.ctl
Make sure that the firewall settings are in place and that the correct ports are opened for any ClamAV client. See the Firewall settings section for more information.
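As an added example (not part of the original tutorial), the following Python script checks the server over the TCP socket configured above using clamd's own protocol: a PING, then an INSTREAM scan of the EICAR test string, so you can confirm both reachability and detection from a client without placing any file on the server. The server address 192.168.0.1 and port 3310 are taken from this page; run it from a host the firewall rules allow.

```python
import socket
import struct

SERVER = ("192.168.0.1", 3310)  # the ClamAV server and TCPSocket configured above
CHUNK = 4096                     # stays well below clamd's default StreamMaxLength
# The standard EICAR test string: harmless, but every AV engine must flag it.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def instream_frames(data: bytes, chunk: int = CHUNK):
    """Frame data the way INSTREAM expects: each chunk is prefixed with its
    length as a 4-byte big-endian integer; a zero-length chunk ends the stream."""
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        yield struct.pack(">I", len(piece)) + piece
    yield struct.pack(">I", 0)

def parse_reply(raw: bytes):
    """Parse a reply like b'stream: Foo FOUND\\0' into (status, detail); status is OK/FOUND/ERROR."""
    verdict = raw.rstrip(b"\0").decode("utf-8", "replace").partition(": ")[2]
    if verdict == "OK":
        return "OK", None
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    return "ERROR", verdict

def clamd_command(payload: bytes, server=SERVER, timeout=15.0) -> bytes:
    """Send one 'z'-prefixed (null-terminated) command and read the full reply."""
    with socket.create_connection(server, timeout=timeout) as sock:
        sock.sendall(payload)
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return reply

def ping(server=SERVER) -> bool:
    return clamd_command(b"zPING\0", server) == b"PONG\0"

def scan_bytes(data: bytes, server=SERVER):
    """Scan an in-memory buffer; nothing has to exist on the server's filesystem."""
    payload = b"zINSTREAM\0" + b"".join(instream_frames(data))
    return parse_reply(clamd_command(payload, server))

if __name__ == "__main__":
    print("PING  ->", "PONG" if ping() else "no answer")
    print("EICAR ->", scan_bytes(EICAR))    # expect ('FOUND', '<signature name>')
    print("clean ->", scan_bytes(b"hello")) # expect ('OK', None)
```

If PING answers but the EICAR scan returns ('OK', None), the daemon is reachable but its definition database is missing or stale, which is what the freshclam steps above fix.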
Keep virus definitions up-to-date
To keep the ClamAV Antivirus Server definition database up-to-date, you can configure how often freshclam checks for new definitions. The default is 24 times per day. To change it, set the number of checks per day in the freshclam configuration.
server@ubuntu:~$ sudo nano /etc/clamav/freshclam.conf
# Check for new database 24 times a day
Checks 24
You can use the clamdtop command-line tool once you've installed ClamAV on your clients. This tool lets you monitor the ClamAV daemon's performance and client connections during a scan.
server@ubuntu:~$ clamdtop
[clamdtop banner]
Connecting to: /var/run/clamav/clamd.ctl
Install ClamAV on the Ubuntu 20.04 client.
client@ubuntu:~$ sudo apt-get install clamav clamav-daemon
Next, stop and disable the ClamAV daemon (as we will forward scans to the ClamAV server). The virus definition database is managed on the server, so you need to stop and disable the freshclam service as well.
client@ubuntu:~$ sudo systemctl stop clamav-daemon.service
client@ubuntu:~$ sudo systemctl stop clamav-freshclam.service
client@ubuntu:~$ sudo systemctl disable clamav-daemon.service
client@ubuntu:~$ sudo systemctl disable clamav-freshclam.service
Continue to configure clamdscan, which shares its configuration file with the ClamAV daemon.
client@ubuntu:~$ sudo nano /etc/clamav/clamd.conf
Comment out the LocalSocket /var/run/clamav/clamd.ctl line and add TCPSocket 3310 along with the server's TCPAddr.
#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run
#dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
#LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
TCPSocket 3310
TCPAddr 192.168.0.1
When running a scan, use the multiscan option to enable multithreaded scanning. You can also set quiet if you're going to use the log option, and you can provide a file list of all the directories to scan.
client@ubuntu:~$ sudo clamdscan --multiscan --quiet --file-list= --log=
First download the ClamAV Windows Installer (version 0.102.4). Right-click the executable file ClamAV-0.102.4.exe and select Run as Administrator.
Select destination location.
Proceed to click the
Once the installation is complete click the
Run PowerShell as administrator and make sure you're in the path C:\WINDOWS\system32. Navigate to the ClamAV directory by entering cd 'C:\Program Files\ClamAV\'.
Now copy the ClamAV daemon example configuration, rename it to clamd.conf and open the file in WordPad.
client@windows:~PS$ copy .\conf_examples\clamd.conf.sample .\clamd.conf
client@windows:~PS$ write.exe .\clamd.conf
Comment out the Example line, add TCPSocket along with the server's TCPAddr, and save.
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##

# Comment or remove the line below.
#Example

# The daemon on Windows only supports unsecured TCP sockets.
# Due to security reasons make sure that your IP & port is not
# exposed to the open internet.

# TCP port address.
# Default: no
TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world. This option can be specified multiple
# times if you want to listen on multiple IPs. IPv6 is now supported.
# Default: no
TCPAddr 192.168.0.1
You can quickly test the configuration by running a scan of the current directory.
For a more complete scan, as in the Ubuntu setup, use the multiscan option to enable multithreaded scanning. Set the output to quiet if you are going to use the log option. As mentioned earlier, you can also define a file list of all the directories you wish to include in the scan.
client@windows:~PS$ .\clamdscan.exe --multiscan --quiet --file-list= --log=
Firewall settings
The firewall being used is UFW (Uncomplicated Firewall). It is set by default to deny incoming traffic, allow outgoing traffic and allow port 22 (OpenSSH). Read more about UFW in its documentation.
server@ubuntu:~$ sudo ufw default deny incoming
server@ubuntu:~$ sudo ufw default allow outgoing
server@ubuntu:~$ sudo ufw allow 22
server@ubuntu:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Allow each ClamAV client to connect to TCP port 3310 on the server.
server@ubuntu:~$ sudo ufw allow proto tcp from 192.168.0.2 to any port 3310 comment "ClamAV client 1"
server@ubuntu:~$ sudo ufw allow proto tcp from 192.168.0.3 to any port 3310 comment "ClamAV client 2"
If you want to allow TCP connections to port 3310 from the entire subnet, apply the following UFW rule instead.
server@ubuntu:~$ sudo ufw allow proto tcp from 192.168.0.0/24 to any port 3310 comment "ClamAV clients"
In case you need help troubleshooting or support for ClamAV, you can sign up for the ClamAV users mailing list.