NetAdminTools.com
 
ClamAV Free AntiVirus Software
Topic: Security   Posted:2005-10-31
ClamAV is a GPL virus scanner that will integrate with mail servers, scan filesystems from the command line, and automatically update its virus signatures. There are many ports of ClamAV to various platforms, including Windows. This article will show how to compile and install ClamAV for a single user on GNU/Linux. First, we grab the tarball and decompress:

 
[usr-1@srv-1 ~]$ tar -tzf clamav-0.87.tar.gz | head -n 3
clamav-0.87/
clamav-0.87/docs/
clamav-0.87/docs/man/
[usr-1@srv-1 ~]$ tar -xzf clamav-0.87.tar.gz
[usr-1@srv-1 ~]$ cd clamav-0.87

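Let's configure. The --prefix option keeps the install under our home directory, and --disable-clamav skips configure's test for a clamav user and group, which a single-user install does not have:

[usr-1@srv-1 clamav-0.87]$ ./configure --prefix=/home/usr-1/clamav --disable-clamav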
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
creating target.h - canonical system defines
.
.
.
checking pthread.h presence... yes
checking for pthread.h... yes
checking whether to enable maintainer-specific portions of Makefiles... no
checking for zlib installation... /usr
configure: error: The installed zlib version may contain a security bug. Please 
upgrade to 1.2.2 or later: http://www.zlib.net. You can omit this check with 
--disable-zlib-vcheck but DO NOT REPORT any stability issues then!
[usr-1@srv-1 clamav-0.87]$

Hrmphh. Let's verify our zlib version:

[root@srv-1 usr-1]# rpm -qa | grep zlib
zlib-1.2.1.2-1.2
zlib-devel-1.2.1.2-1.2
[root@srv-1 usr-1]#

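We are OK. Although this zlib version is older than the 1.2.2 that configure asks for, Red Hat has backported the fix, as described in the Red Hat Security Announcement. Because the version number alone still fails the check, we need to configure with --disable-zlib-vcheck: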

[usr-1@srv-1 clamav-0.87]$ ./configure --prefix=/home/usr-1/clamav --disable-clamav --disable-zlib-vcheck
.
.
.
config.status: creating clamav-config.h
config.status: executing depfiles commands
[usr-1@srv-1 clamav-0.87]$
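
One way to check the backport claim before passing --disable-zlib-vcheck, as an added example that is not part of the original article: compare the packaged version with the 1.2.2 that configure asks for and, if it is older, look for the advisory in the package changelog. The advisory ID and changelog entry are constructed placeholders, since the article does not give the real ID, and the function names are this example's own.

```sh
#!/bin/sh
# Added example: is --disable-zlib-vcheck justified for this zlib package?
# Function names, the advisory ID and the changelog text are constructed.

MIN_UPSTREAM="1.2.2"   # version named in configure's error message

# version_ge A B: true when dotted version A >= B (relies on GNU sort -V)
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# zlib_vcheck_verdict VERSION ADVISORY_ID < changelog
#   not-needed  version already passes configure's check
#   backported  older version, changelog mentions the advisory
#   unverified  older version, no sign of the fix: do not skip the check
zlib_vcheck_verdict() {
    if version_ge "$1" "$MIN_UPSTREAM"; then
        echo not-needed
    elif grep -qiF -- "$2"; then
        echo backported
    else
        echo unverified
    fi
}

# Constructed changelog standing in for `rpm -q --changelog zlib`.
sample_changelog() {
cat <<'EOF'
* Sat Jan 01 2005 Example Packager <packager@example.invalid> 1.2.1.2-1.2
- backport fix for EXAMPLE-ADVISORY-0001 (constructed entry)
EOF
}

# Live use (ID taken from the vendor announcement):
#   rpm -q --changelog zlib |
#       zlib_vcheck_verdict "$(rpm -q --qf '%{VERSION}' zlib)" "<advisory ID>"
sample_changelog | zlib_vcheck_verdict 1.2.1.2 EXAMPLE-ADVISORY-0001
```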

Let's compile and install:

[usr-1@srv-1 clamav-0.87]$ make
make  all-recursive
make[1]: Entering directory `/home/usr-1/clamav-0.87'
Making all in libclamav
make[2]: Entering directory `/home/usr-1/clamav-0.87/libclamav'
if /bin/sh ../libtool --mode=compile gcc -DHAVE_CONFIG_H -I. -I
.
.
.
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/home/usr-1/clamav-0.87/clamav-milter'
make[2]: Entering directory `/home/usr-1/clamav-0.87'
make[2]: Leaving directory `/home/usr-1/clamav-0.87'
make[1]: Leaving directory `/home/usr-1/clamav-0.87'
[usr-1@srv-1 clamav-0.87]$
[usr-1@srv-1 clamav-0.87]$ make install
Making install in libclamav
make[1]: Entering directory `/home/usr-1/clamav-0.87/libclamav'
make[2]: Entering directory `/home/usr-1/clamav-0.87/libclamav'
test -z "/home/usr-1/clamav/lib" || mkdir -p -- "/home/usr-1/clamav/lib"
.
.
.
/usr/bin/install -c -m 644 'libclamav.pc' 
'/home/usr-1/clamav/lib/pkgconfig/libclamav.pc'
make[2]: Leaving directory `/home/usr-1/clamav-0.87'
make[1]: Leaving directory `/home/usr-1/clamav-0.87'
[usr-1@srv-1 clamav-0.87]$

Let's run a scan:

[usr-1@srv-1 ~]$ ~/clamav/bin/clamscan m*
mbox: OK
message.scr: Worm.SomeFool.P FOUND
minicom.log: OK
monart: OK
mysqlinstall: OK
----------- SCAN SUMMARY -----------
Known viruses: 40192
Engine version: 0.87
Scanned directories: 0
Scanned files: 9
Infected files: 1
Data scanned: 0.64 MB
Time: 1.389 sec (0 m 1 s)
[usr-1@srv-1 ~]$

It floored us that message.scr, an attachment we found in our email box this morning, was a worm. Who would have thought? One thing that was particularly tricky about this is that it looked like a bounce from an email that we sent. The headers looked OK in the message's source, and the only thing to view to see what the bounce was in the rendered message was message.scr. Some nice social engineering, really.

Let's compress the file and rerun the scan:

[usr-1@srv-1 ~]$ gzip message.scr
[usr-1@srv-1 ~]$ ls mess*
message.scr.gz
[usr-1@srv-1 ~]$ ~/clamav/bin/clamscan m* 
mbox: OK
message.scr.gz: Worm.SomeFool.P FOUND
minicom.log: OK
monart: OK
mysqlinstall: OK
----------- SCAN SUMMARY -----------
Known viruses: 40192
Engine version: 0.87
Scanned directories: 0
Scanned files: 9
Infected files: 1
Data scanned: 0.64 MB
Time: 1.458 sec (0 m 1 s)
[usr-1@srv-1 ~]$

ClamAV works fine detecting the virus within a compressed file.
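
For unattended use, the report format shown above can be reduced to a status code. This is an added example, not part of the original article: it reads a clamscan report on standard input, lists each detection, and cross-checks the FOUND lines against the summary's "Infected files" count. The function names, the 0/1/2 convention and the embedded report (shortened from the output above) are this example's own.

```sh
#!/bin/sh
# Added example: turn a clamscan text report into a pass/fail decision.
# Function names and the status convention are this example's own.

TAB=$(printf '\t')

# Constructed report, shortened from the scan output shown above.
sample_report() {
cat <<'EOF'
mbox: OK
message.scr.gz: Worm.SomeFool.P FOUND
minicom.log: OK
----------- SCAN SUMMARY -----------
Scanned files: 3
Infected files: 1
EOF
}

# list_detections < report
# Prints "signature<TAB>path" per "<path>: <signature> FOUND" line. The
# greedy first group splits at the LAST ": ", so odd file names survive.
list_detections() {
    sed -n "s/^\(.*\): \(.*\) FOUND\$/\2${TAB}\1/p"
}

# check_report < report
# Returns 0 = clean, 1 = detections, 2 = report cannot be trusted
# (summary missing, or its count disagrees with the FOUND lines).
check_report() {
    report=$(cat)
    found=$(printf '%s\n' "$report" | list_detections | wc -l | tr -d ' ')
    summary=$(printf '%s\n' "$report" |
        sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p')
    [ -n "$summary" ] && [ "$summary" -eq "$found" ] || return 2
    [ "$found" -eq 0 ] || return 1
    return 0
}

sample_report | list_detections
```

Against the install above it would be fed with `~/clamav/bin/clamscan m* | check_report`.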

ClamAV also can run as a daemon and integrate with email systems, etc., and this will require a more complicated install; however, you can use the above to reasonably safely check ClamAV out. It might also be useful on a virus-riddled Windows network to bring up a GNU/Linux box that is much less likely to be infected so you can do some scans of your network.



