ClamAV is a GPL virus scanner that will integrate with mail servers, scan filesystems from the command line, and automatically update its virus signatures. There are many ports of ClamAV to various platforms, including Windows. This article will show how to compile and install ClamAV for a single user on GNU/Linux. First, we grab the tarball and decompress:
[usr-1@srv-1 ~]$ tar -tzf clamav-0.87.tar.gz | head -n 3 clamav-0.87/ clamav-0.87/docs/ clamav-0.87/docs/man/ [usr-1@srv-1 ~]$ tar -xzf clamav-0.87.tar.gz [usr-1@srv-1 ~]$ cd clamav-0.87 |
Let’s configure:
[usr-1@srv-1 clamav-0.87]$ ./configure --prefix=/home/usr-1/clamav --disable-clamav checking build system type... i686-pc-linux-gnu checking host system type... i686-pc-linux-gnu checking target system type... i686-pc-linux-gnu creating target.h - canonical system defines . . . checking pthread.h presence... yes checking for pthread.h... yes checking whether to enable maintainer-specific portions of Makefiles... no checking for zlib installation... /usr configure: error: The installed zlib version may contain a security bug. Please upgrade to 1.2.2 or later: http://www.zlib.net. You can omit this check with --disable-zlib-vcheck but DO NOT REPORT any stability issues then! [usr-1@srv-1 clamav-0.87]$ |
Hrmphh. Let’s verify our zlib version:
[root@srv-1 usr-1]# rpm -qa | grep zlib zlib-1.2.1.2-1.2 zlib-devel-1.2.1.2-1.2 [root@srv-1 usr-1]# |
We are OK. Here is the Red Hat Security Announcement. Although the version is old, Red Hat folks have backported the fix. We need to configure with –disable-zlib-vcheck:
[usr-1@srv-1 clamav-0.87]$ ./configure --prefix=/home/usr-1/clamav --disable-clamav --disable-zlib-vcheck . . . config.status: creating clamav-config.h config.status: executing depfiles commands [usr-1@srv-1 clamav-0.87]$ |
Let’s compile and install:
[usr-1@srv-1 clamav-0.87]$ make make all-recursive make[1]: Entering directory `/home/usr-1/clamav-0.87' Making all in libclamav make[2]: Entering directory `/home/usr-1/clamav-0.87/libclamav' if /bin/sh ../libtool --mode=compile gcc -DHAVE_CONFIG_H -I. -I . . . make[2]: Nothing to be done for `all'. make[2]: Leaving directory `/home/usr-1/clamav-0.87/clamav-milter' make[2]: Entering directory `/home/usr-1/clamav-0.87' make[2]: Leaving directory `/home/usr-1/clamav-0.87' make[1]: Leaving directory `/home/usr-1/clamav-0.87' [usr-1@srv-1 clamav-0.87]$ [usr-1@srv-1 clamav-0.87]$ make install Making install in libclamav make[1]: Entering directory `/home/usr-1/clamav-0.87/libclamav' make[2]: Entering directory `/home/usr-1/clamav-0.87/libclamav' test -z "/home/usr-1/clamav/lib" || mkdir -p -- "/home/usr-1/clamav/lib" . . . /usr/bin/install -c -m 644 'libclamav.pc' '/home/usr-1/clamav/lib/pkgconfig/libclamav.pc' make[2]: Leaving directory `/home/usr-1/clamav-0.87' make[1]: Leaving directory `/home/usr-1/clamav-0.87' [usr-1@srv-1 clamav-0.87]$ |
Let’s run a scan:
[usr-1@srv-1 ~]$ ~/clamav/bin/clamscan m* mbox: OK message.scr: Worm.SomeFool.P FOUND minicom.log: OK monart: OK mysqlinstall: OK ----------- SCAN SUMMARY ----------- Known viruses: 40192 Engine version: 0.87 Scanned directories: 0 Scanned files: 9 Infected files: 1 Data scanned: 0.64 MB Time: 1.389 sec (0 m 1 s) [usr-1@srv-1 ~]$ |
It floored us that message.scr, an attachment we found in our email box this morning was a worm. Who would have thought? One thing that was particularly tricky about this is that it looked like a bounce from an email that we sent. The headers looked OK in the messages source, and the only thing to view to see what the bounce was in the rendered message was message.scr. Some nice social engineering, really.
Let’s compress the file and rerun the scan:
[usr-1@srv-1 ~]$ gzip message.scr [usr-1@srv-1 ~]$ ls mess* message.scr.gz [usr-1@srv-1 ~]$ ~/clamav/bin/clamscan m* mbox: OK message.scr.gz: Worm.SomeFool.P FOUND minicom.log: OK monart: OK mysqlinstall: OK ----------- SCAN SUMMARY ----------- Known viruses: 40192 Engine version: 0.87 Scanned directories: 0 Scanned files: 9 Infected files: 1 Data scanned: 0.64 MB Time: 1.458 sec (0 m 1 s) [usr-1@srv-1 ~]$ |
ClamAV works fine detecting the virus within a compressed file.
ClamAV also can run as a daemon and integrate with email systems, etc., and this will require a more complicated install; however, you can use the above to reasonably safely check ClamAV out. It might also be useful on a virus-riddled Windows network to bring up a GNU/Linux box that is much less likely to be infected so you can do some scans of your network.
