How to install and configure ClamAV on FreeBSD

A FreeBSD based file server has been part of the SoCruel.NU infrastructure for some time now. All the devices accessing the file server have anti-virus software installed and configured, but the file server itself has not. So I decided to install and configure ClamAV on this file server. ClamAV is an open source anti-virus engine that uses different virus signature databases and is used in a variety of situations, including protecting end points. ClamAV is in the FreeBSD ports tree, so the installation part is easy!

Technical requirements

The following requirements have to be in place to be able to implement what is described in this post:

an up to date and supported FreeBSD system version 11.x or 12.x

Install the ClamAV software

We use the package system of FreeBSD to install the ClamAV software:

$ sudo pkg install clamav

The package also installs a clamav user and group, and it creates 2 files in the /usr/local/etc/rc.d directory: clamav-clamd and clamav-freshclam. clamd scans files or directories on demand and freshclam updates the virus databases. The requirement here is to scan the file server files offline on a frequent basis, and as such clamd is not used in this case.

Configure freshclam

freshclam has a configuration file called freshclam.conf in the /usr/local/etc directory. In this case the following configuration is used:

DatabaseDirectory /var/db/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogFileMaxSize 2M
LogTime yes
LogVerbose yes
LogRotate yes
LogSyslog yes
LogFacility LOG_DAEMON
PidFile /var/run/clamav/freshclam.pid
DatabaseOwner clamav
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror database.clamav.net
MaxAttempts 5
ScriptedUpdates yes
CompressLocalDatabase no
Checks 12
ConnectTimeout 60
ReceiveTimeout 1800
TestDatabases yes
SafeBrowsing yes
Bytecode yes

Please see man freshclam.conf for the details on each configuration line.

Enable freshclam

Now that we have the configuration file in place we can enable freshclam:

$ sudo sysrc clamav_freshclam_enable="YES"
$ sudo service clamav-freshclam start

After a couple of minutes we see that freshclam has done its job: the freshclam daemon has downloaded the virus signature database files into the /var/db/clamav directory:

$ sudo ls -sla /var/db/clamav/
total 426584
8 drwxr-xr-x 2 clamav clamav 512 Feb 12 09:16 .
8 drwxr-xr-x 20 root wheel 1024 Feb 12 08:34 ..
584 -rw-r--r-- 1 clamav clamav 296388 Feb 12 09:16 bytecode.cvd
114880 -rw-r--r-- 1 clamav clamav 58780434 Feb 12 09:13 daily.cvd
230272 -rw-r--r-- 1 clamav clamav 117859675 Feb 12 09:15 main.cvd
80832 -rw-r--r-- 1 clamav clamav 41321567 Feb 12 09:16 safebrowsing.cvd

As time progresses you should see these files updated on a regular basis, according to the settings in the freshclam.conf file shown above (the Checks value sets the number of update checks per day; see man freshclam.conf).

Add other signatures

ClamAV comes with its own virus databases. It is also possible to add other, third party, virus signature databases to the ClamAV configuration. One such company is SecuriteInfo, which provides a lot of additional anti-virus signatures for ClamAV. SecuriteInfo offers a Basic, free of charge, subscription and a paid Professional subscription. You can sign up here.

To use the SecuriteInfo virus signatures, log in and then copy and paste the lines from the Setup tab into your freshclam.conf file (the part of the URL after signatures/ is your personal subscription key, which has been removed below):

DatabaseCustomURL https://www.securiteinfo.com/get/signatures/ /securiteinfo.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/ /securiteinfo.ign2
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/ /javascript.ndb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/ /spam_marketing.ndb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/ /securiteinfohtml.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/ /securiteinfoascii.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/ /securiteinfoandroid.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/ /securiteinfoold.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/ /securiteinfopdf.hdb

After restarting the freshclam service:

$ sudo service clamav-freshclam restart

you should see the SecuriteInfo signature database files in the /var/db/clamav directory:

$ sudo ls -sla /var/db/clamav/securiteinfo*.*
19136 -rw-r--r-- 1 clamav clamav 9747767 Mar 31 18:15 /var/db/clamav/securiteinfo.hdb
8 -rw-r--r-- 1 clamav clamav 3705 Mar 31 18:15 /var/db/clamav/securiteinfo.ign2
21440 -rw-r--r-- 1 clamav clamav 10917490 Mar 30 11:52 /var/db/clamav/securiteinfoandroid.hdb
14016 -rw-r--r-- 1 clamav clamav 7133239 Mar 31 12:13 /var/db/clamav/securiteinfoascii.hdb
6912 -rw-r--r-- 1 clamav clamav 3491255 Mar 31 12:12 /var/db/clamav/securiteinfohtml.hdb
624832 -rw-r--r-- 1 clamav clamav 319751462 Mar 30 12:07 /var/db/clamav/securiteinfoold.hdb
552 -rw-r--r-- 1 clamav clamav 281588 Mar 30 12:08 /var/db/clamav/securiteinfopdf.hdb

Run clamscan

Now that we have our virus databases, we can scan some directories and files. But before we do that we create a directory to store the infected files found by our scan:

$ sudo mkdir /var/db/clamav/quarantine
$ sudo chown clamav:clamav /var/db/clamav/quarantine

Now we can scan a directory recursively with the clamscan tool, writing a log and moving any infected files to the quarantine directory:

$ sudo clamscan -r --log=/var/db/clamav/scan.log --move=/var/db/clamav/quarantine /Directory/To/Scan

For more options of the clamscan tool see man clamscan. You can easily write a shell script to automate this task. But that is left to the reader.
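As an added example (not code from the original post), a small sh wrapper around the clamscan invocation above: it builds the same command line, creates the quarantine directory with the clamav ownership if it is missing, classifies clamscan's documented exit codes (0 nothing found, 1 infected files found, 2 an error occurred) and pulls the infected count out of the scan summary. The clamscan binary path, the function names and the SAMPLE_SUMMARY text are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the clamscan run shown
# above; the binary path, function names and SAMPLE_SUMMARY are assumptions.
CLAMSCAN=${CLAMSCAN:-/usr/local/bin/clamscan}        # assumed pkg install path
QUARANTINE=${QUARANTINE:-/var/db/clamav/quarantine}
LOGFILE=${LOGFILE:-/var/db/clamav/scan.log}

# Constructed sample of a clamscan summary, used to exercise infected_count.
SAMPLE_SUMMARY='----------- SCAN SUMMARY -----------
Known viruses: 8639475
Scanned files: 1234
Infected files: 2
Time: 12.345 sec (0 m 12 s)'

# Same command line as the post: recursive scan, log file, move hits to quarantine.
build_cmd() {
    printf '%s -r --log=%s --move=%s %s' "$CLAMSCAN" "$LOGFILE" "$QUARANTINE" "$1"
}

# clamscan(1) exit codes: 0 nothing found, 1 infected file(s), 2 an error occurred.
classify_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Read a scan summary on stdin and print the "Infected files: N" count.
infected_count() {
    sed -n 's/^Infected files: \([0-9][0-9]*\).*/\1/p'
}

# Scan one directory: make sure the quarantine dir exists with the clamav
# ownership the post uses, run clamscan, then record the outcome via syslog.
scan_dir() {
    dir=$1
    [ -d "$QUARANTINE" ] || { mkdir -p "$QUARANTINE" && chown clamav:clamav "$QUARANTINE"; }
    "$CLAMSCAN" -r --log="$LOGFILE" --move="$QUARANTINE" "$dir"
    rc=$?
    status=$(classify_exit "$rc")
    logger -p daemon.notice -t clamscan-wrapper "scan of $dir finished: $status (exit $rc)"
    echo "$status"
    return "$rc"
}

# Usage: sh scan.sh /Directory/To/Scan (no argument: only define the functions).
if [ $# -gt 0 ]; then scan_dir "$1"; fi
```

Run it from cron as root (or via sudo) so the --move into the quarantine directory and the syslog entry work; a non-zero exit of 1 is the "infected files found" case, not a failure of the script.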

Resources

Some (other) resources about this subject: