I’m going to explain how to install the open source anti-virus software clamav on CentOS 6 systems. It will take two parts: in the first I will try to describe its subsystems, in the second I will provide an Ansible role to automate it.
Well, mostly because there isn’t much choice. I tried AVG’s product but it didn’t work. Plus it has even worse primary documentation than clamav, i.e., none! I wanted to try Bitdefender’s Linux version but they haven’t responded to the license request. If they ever do I’ll give it a try. That leaves clamav.
Even though it may not be necessary and at best only marginally effective, I want to install clamav as part of a layered approach to security. All my systems will have A/V as well as SELinux, auditd, iptables, and OSSEC (more articles on those coming soon). Plus, the automated CM tools will run regularly to reset any unwanted changes and I’ll throw in frequent scanning with Nessus and log mining with Logstash/Elasticsearch/Kibana.
It is astonishingly hard to discover what the main components of clamav actually do. Their manual doesn’t say and Google links to a multitude of frequently wrong answers. I hope this will not be one of them. I have tried hard to get this right.
There are a bunch of clamav-related packages in the EPEL repository. The key ones are:
clamd is the demon installed by the package of the same name. It is a service that runs constantly in the background, doing, I am pretty sure, absolutely nothing. You use another component called clamdscan to actually scan for viruses.
clamdscan is not a demon, which means you have to run it using cron. Apparently it sends files to clamd for actual testing.
I had a lot of trouble with this clamd/clamdscan duo so I don’t use them. I understand that for email scanning they may be a more efficient method. I use a commercial security appliance for this purpose so I didn’t test it.
freshclam is the application that updates your virus signature database. It can run as a normal application or as a demon. It has its own configuration file at /etc/freshclam.conf. Both the demon and non-demon versions use this config file. I run it from cron. I found the cron method easier to manage. One update per day is enough.
clamscan is the program that actually scans your drive for viruses. It is non-demonic, so just right for cron. clamscan does not need clamd. It checks files against the database updated by freshclam. To use it, simply schedule it at a time when system use is low. Be sure to nice it in the cron job. clamscan has no configuration file so you must set all its parameters in the run command.
A minimal install requires:
- Install the
- Configure the
That’s really all you need.
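Here is what the cron-driven setup described above looks like in practice: a daily freshclam update plus a nightly, niced clamscan with every parameter on the command line. This is an added example, not the author’s Ansible role; the /etc/cron.d format, the 01:15 and 03:00 schedule, the exclusion of /sys, /proc and /dev, and the log directory are my assumptions.

```shell
#!/bin/sh
# Builds a /etc/cron.d file for clamav on CentOS 6 (EPEL packages assumed).
# Schedule, excludes and log path are assumptions for this example.

CLAM_LOG_DIR="${CLAM_LOG_DIR:-/var/log/clamav}"

# clamscan exit codes: 0 = no virus found, 1 = virus(es) found, 2 = error.
# Useful when a wrapper needs to alert on the result of the nightly scan.
clamscan_status() {
  case "$1" in
    0) echo "clean" ;;
    1) echo "infected" ;;
    *) echo "error" ;;
  esac
}

# The scan command itself: lowest CPU and I/O priority, recursive, report only
# infected files, skip pseudo filesystems, and append results to a log file.
clamscan_command() {
  printf '%s' "nice -n 19 ionice -c 3 clamscan -r -i" \
    " --exclude-dir='^/sys' --exclude-dir='^/proc' --exclude-dir='^/dev'" \
    " -l $CLAM_LOG_DIR/clamscan.log /"
}

# cron.d format: minute hour day-of-month month day-of-week user command.
# freshclam once a day (01:15), clamscan once a night when load is low (03:00).
cron_file_content() {
  printf '%s\n' \
    "# clamav jobs - constructed example, not from the original post" \
    "15 1 * * * root /usr/bin/freshclam --quiet" \
    "0 3 * * * root $(clamscan_command) >/dev/null 2>&1"
}

# Write the cron file; $1 is the destination, e.g. /etc/cron.d/clamav.
write_cron_file() {
  cron_file_content > "$1" && chmod 0644 "$1"
}
```

Run `write_cron_file /etc/cron.d/clamav` as root; cron picks the file up without a restart, and the scan log tells you what was found.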
In part 2 I’ll show my Ansible script and tell you whether or not I could get the unofficial-sigs database working.