Antivirus with ClamAV on Ubuntu 14.04 Server

Running regular antivirus scans on your server is never a bad idea.  One of the easiest ways to accomplish this is via the Clam AV utility.

Clam AV can be run in two ways: as a background daemon via clamdscan, which depends on clamd, or on demand via clamscan.  Because clamd stays resident and doesn’t have to reload the signature database for each scan, using it will usually reduce scanning time, CPU load, and memory usage.

Clamd listens for incoming connections on a Unix and/or TCP socket and scans the files or directories it is handed. It reads the configuration file /etc/clamav/clamd.conf, and most of its behavior is defined there. By contrast, clamscan needs to load the virus database each time it is run, and takes its configuration as arguments on the command line.

To install Clam AV, run the following:

sudo apt-get install clamav clamav-daemon -y

Now it’s time to run the initial configuration process – it will ask you a whole bunch of questions which will define the base behavior of ClamAV on your system.  You can pretty much go with defaults, but read the explanation of each to make your final determination.  These will include questions about what socket to listen on, whether to scan emails, how much to do concurrently, filesize limits, etc:

sudo dpkg-reconfigure clamav-base

Once installed, you will want to grab the most recent virus definitions:

sudo freshclam

…and start the daemon.

sudo /etc/init.d/clamav-daemon start

It will start automatically and run in the background thereafter, and will scan any files submitted to it.  If you want to have it actively scan certain directories nightly, you can cron a script.

Below is a cronnable example of a script you can run nightly to scan specific folders (here, /home, /etc, and /var/www) for issues.

#!/bin/sh
# Start each night with an empty log (-f: no error if the file does not exist yet)
rm -f /var/log/nightly-clamav-scan.log
touch /var/log/nightly-clamav-scan.log
# Scan the listed directories through the running clamd, logging only infected files
clamdscan /home/ /etc/ /var/www/ --infected --multiscan --fdpass --log=/var/log/nightly-clamav-scan.log

Here is what the man page has to say about the options we added:

--infected – Only print infected files. (clamd)

--multiscan – In the multiscan mode clamd will attempt to scan the directory contents in parallel using available threads. This option is especially useful on multiprocessor and multi-core systems. If you pass more than one file or directory in the command line, they are put in a queue and sent to clamd individually. This means that single files are always scanned by a single thread. Similarly, clamdscan will wait for clamd to finish a directory scan (performed in multiscan mode) before sending a request to scan another directory. This option can be combined with --fdpass (see below). (clamdscan)

--fdpass – Pass the file descriptor permissions to clamd. This is useful if clamd is running as a different user, as it is faster than streaming the file to clamd. Only available if connected to clamd via a local (unix) socket. (clamdscan)

--log – Save scan report to FILE. (clamd)

Now, make this script executable (edit your path as needed):

chmod +x /path/to/script.sh

…and cron it to run each night to scan the appropriate folders, logging any results to the log file specified.  To enable the scheduling, fire up crontab:

crontab -e

…and add this line and save it to schedule it to run at midnight each night:

0 0 * * * /bin/sh /path/to/script.sh
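The script above overwrites one log each night and leaves it to the reader to open it. A slightly more complete wrapper, added here as an example and not part of the original post, keeps one log per run, turns clamdscan's exit status (0 clean, 1 infected, 2 error, per the clamdscan man page) into a label, counts the "FOUND" lines that --infected leaves in the log, and appends a one-line summary to a separate file so a bad night stands out without reading the full log. The directory list, the log location under /var/log/clamav, and the script name nightly-clamav.sh are assumptions; the sample log lines written by sample_log are constructed for testing and are not real scan output.

```sh
#!/bin/sh
# Added example, not the original post's script. Nightly clamdscan wrapper with
# per-run logs and a one-line summary per run. All paths are assumptions.

SCAN_DIRS="/home/ /etc/ /var/www/"            # directories to scan (assumed, as in the post)
LOG_DIR="/var/log/clamav"                     # assumed log directory
SUMMARY_LOG="$LOG_DIR/nightly-summary.log"    # assumed summary file

# Map clamdscan's exit status to a label. The clamdscan man page documents
# 0 = no virus found, 1 = virus(es) found, 2 = an error occurred.
status_name() {
    case "$1" in
        0) echo "CLEAN" ;;
        1) echo "INFECTED" ;;
        2) echo "ERROR" ;;
        *) echo "UNKNOWN" ;;
    esac
}

# Count detections in a clamdscan log. With --infected the log holds one
# "<path>: <signature> FOUND" line per flagged file, so counting those lines
# gives the number of detections; a missing or empty log counts as 0.
count_infected() {
    n=$(grep -c ' FOUND$' "$1" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# One summary line per run: timestamp, status label, detection count, log path.
# $1 = clamdscan exit status, $2 = log file, $3 = timestamp
summarize() {
    printf '%s %s infected=%s log=%s\n' "$3" "$(status_name "$1")" "$(count_infected "$2")" "$2"
}

# Write a constructed sample log (NOT real scan output) to $1, for testing the
# parsing above without a running clamd. The signature name is the EICAR test string.
sample_log() {
    printf '%s\n' \
        '/home/alice/eicar.com: Eicar-Test-Signature FOUND' \
        '/var/www/html/upload.txt: Eicar-Test-Signature FOUND' \
        '----------- SCAN SUMMARY -----------' \
        'Infected files: 2' > "$1"
}

# The actual nightly job: fresh log per run, summary appended, clamdscan's
# status returned so a caller (or cron mail on non-zero output) can notice.
run_nightly_scan() {
    mkdir -p "$LOG_DIR"
    stamp=$(date +%Y-%m-%dT%H:%M:%S)
    log="$LOG_DIR/scan-$(date +%Y-%m-%d).log"
    : > "$log"
    rc=0
    # SCAN_DIRS is deliberately word-split into separate arguments
    clamdscan $SCAN_DIRS --infected --multiscan --fdpass --log="$log" || rc=$?
    summarize "$rc" "$log" "$stamp" >> "$SUMMARY_LOG"
    return "$rc"
}

# Only scan when invoked with "run", so the helpers can be sourced or tested
# without touching the system. Cron entry (assumed path):
#   0 0 * * * /bin/sh /path/to/nightly-clamav.sh run
if [ "${1:-}" = "run" ]; then
    run_nightly_scan
fi
```

Because clamdscan returns 1 whenever something was found, a cron job that just runs the scan gives no signal unless the log is read; writing the summary line on every run, clean or not, also makes a night where the scan did not happen at all (no line for that date) as easy to spot as a detection.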

  • Terrance Grant

    Thanks for the write-up!

  • xjlin0

    Are there ways to limit the resources clamav uses? Or at least lower its priority? Thanks!