Linux Malware scanning using ClamAV

Gaurav Kamathe, July 7, 2024

Image via Creative Commons, modified by Both.org

Introduction

There are many different ways of protecting a system, from keeping the software up to date, removing unnecessary packages and turning off unneeded services, to running a firewall. Among these, one also needs to deal with malware, which must be detected, identified, and quarantined or removed. ClamAV is an open-source antivirus engine for detecting malware and other malicious software. ClamAV is available for multiple platforms, including Unix, Linux, Windows and macOS, and understands a variety of file formats, such as PE executables, ELF and Mach-O, to name a few. In this article we will see how you can use ClamAV for your malware scanning needs.

Installation

To install ClamAV I will be using a Fedora system; however, the instructions should also work on RHEL or any other RPM-based operating system such as CentOS.

$ cat /etc/fedora-release
Fedora release 36 (Thirty Six)
$

We will first use our package manager, dnf, to install three packages as shown in the command line below. We will look at what these packages are and what they contain further on.

$ dnf install clamav clamd clamav-update

Contents of packages

The first package we installed is clamav. As its summary below states, it contains all the end-user tools that let a user run the ClamAV scanner to check a system for malware. In addition it has some helpful utilities to inspect malware signatures, view ClamAV configuration settings, and even submit malware samples back to ClamAV.

$ rpm -qi clamav-0.103.8-3.fc36.x86_64 | grep ^Summary
Summary : End-user tools for the Clam Antivirus scanner
$
$ rpm -ql clamav-0.103.8-3.fc36.x86_64 | grep bin
/usr/bin/clambc
/usr/bin/clamconf
/usr/bin/clamdscan
/usr/bin/clamdtop
/usr/bin/clamscan
/usr/bin/clamsubmit
/usr/bin/sigtool
/usr/sbin/clamonacc
$

The next package we installed is clamav-update. New malware strains are created and released almost daily. Malware hunters have to keep up with these new variants: each one is analyzed and a signature is created for it. These signatures in turn help a user detect the latest viruses, so it makes sense to keep your malware signatures up to date. ClamAV provides the freshclam utility, which checks whether new signatures are available and downloads them onto your system for future scans.

$ rpm -qi clamav-update-0.103.8-3.fc36.x86_64 | grep ^Summary
Summary : Auto-updater for the Clam Antivirus scanner data-files
$
$ rpm -ql clamav-update-0.103.8-3.fc36.x86_64 | grep bin
/usr/bin/freshclam
$

And finally the clamd package, which consists of the clamd daemon that allows us to run ClamAV as a service in the background.

$ rpm -qi clamd-0.103.8-3.fc36.x86_64 | grep ^Summary
Summary : The Clam AntiVirus Daemon
$
$ rpm -ql clamd-0.103.8-3.fc36.x86_64 | grep bin
/usr/sbin/clamd
$

Getting latest signatures using freshclam

Once ClamAV is installed, let us fetch the latest malware signatures using the freshclam utility as shown below. If you have SELinux enabled, you first need to perform the following additional step, as outlined in the configuration settings.

$ setsebool -P antivirus_can_scan_system 1

On running freshclam you should see it updating some .cvd files which we will talk about later in the article.

$ freshclam
<snip>
ClamAV update process started at Tue Apr 4 02:44:39 2023
daily database available for download (remote version: 26864)
daily.cvd updated (version: 26864, sigs: 2028069, f-level: 90, builder: raynman)
main database available for download (remote version: 62)
main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode database available for download (remote version: 334)
bytecode.cvd updated (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
<snip>
$

The malware signatures are stored under /var/lib/clamav on your filesystem. Running the file command on the main.cvd file identifies it as a “Clam AntiVirus database” file.

$ cd /var/lib/clamav/
$ pwd
/var/lib/clamav
$ ls
bytecode.cvd daily.cvd freshclam.dat main.cvd
$ file /var/lib/clamav/main.cvd
/var/lib/clamav/main.cvd: Clam AntiVirus database (with buildtime), 16 Sep 2021 08-32 -0400, version 62, 6647427 signatures, level 90, builder sigmgr, with gzip compressed data, max compression, from Unix, original size modulo 2^32 464052736
$

Explore existing signatures using sigtool

We now know where the antivirus database is located, but how many malware signatures does it contain? sigtool is a handy utility that helps you work with malware signatures. In the output below I ran it against the main.cvd database, and it showed that the database contains 6647427 malware signatures, followed by the database's MD5 hash and digital signature.

$ sigtool -i /var/lib/clamav/main.cvd
File: /var/lib/clamav/main.cvd
Build time: 16 Sep 2021 08:32 -0400
Version: 62
Signatures: 6647427
Functionality level: 90
Builder: sigmgr
MD5: 137eccce31aacb21b5a98bb8c21cefd6
Digital signature: twaJBls8V5q64R7QY10AatEtPNuPWoVoxTaNO1jpBg7s5jIMMXpitgG1000YLp6rb0TWkEKjRqxneGTxuxWaWm7XBjsgwX2BRWh/y4fhs7uyImdKRLzQ5y8e2EkSChegF/i8clqfn+1qetq9j4gbktJ3JZpOXPoHlyr2Dv9S/Bg
Verification OK.
$

If you wish to see the actual signatures within the database you need to unpack it first. Follow the steps below, starting by creating a new temporary directory.

$ mkdir -p /tmp/sigs
$
$ cd /tmp/sigs/
$ pwd
/tmp/sigs
$

Next, use sigtool to unpack the antivirus database into the temporary directory created above. Once unpacked, you should see a number of files within the directory. Use any text editor to open the files and inspect their contents.

$ sigtool --unpack /var/lib/clamav/main.cvd
COPYING main.cdb main.crb main.fp main.hdb main.hsb main.info main.ldb main.mdb main.msb main.ndb main.sfp
$ 
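The unpacked files are plain-text signature databases. The main.hdb file, for instance, holds hash-based signatures, one per line in ClamAV's documented form MD5:FileSize:MalwareName. The following script is an added example, not code from the article or the ClamAV project: it builds a constructed one-line .hdb database from a harmless sample file and then looks up files against it the same way a hash signature is matched, by comparing both the MD5 and the size. All file names, contents and the signature name are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or ClamAV): a minimal hash-signature
# matcher in the style of a ClamAV .hdb entry, "MD5:FileSize:MalwareName".
# Sample files, contents and the signature name below are constructed.

set -eu

# Create a temp directory with a harmless sample file, a clean file, and a
# constructed .hdb database describing the sample. Prints the directory.
make_sample_db() {
    dir=$(mktemp -d)
    printf 'constructed sample content, not malware\n' > "$dir/sample.bin"
    printf 'a perfectly ordinary file\n' > "$dir/clean.txt"
    md5=$(md5sum "$dir/sample.bin" | cut -d' ' -f1)
    size=$(wc -c < "$dir/sample.bin" | tr -d ' ')
    # One .hdb line: hash, size in bytes, constructed signature name
    printf '%s:%s:Test.Constructed.Sample\n' "$md5" "$size" > "$dir/sample.hdb"
    echo "$dir"
}

# hdb_lookup FILE HDB: print "FILE: NAME FOUND" and return 0 when the file's
# MD5 and size match an .hdb entry; print "FILE: OK" and return 1 otherwise.
# Matching on both fields is what keeps a hash collision on a different-size
# file from producing a false positive.
hdb_lookup() {
    f=$1; db=$2
    md5=$(md5sum "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    name=$(awk -F: -v h="$md5" -v s="$size" '$1 == h && $2 == s { print $3; exit }' "$db")
    if [ -n "$name" ]; then
        echo "$f: $name FOUND"
        return 0
    fi
    echo "$f: OK"
    return 1
}
```

Running `d=$(make_sample_db); hdb_lookup "$d/sample.bin" "$d/sample.hdb"` reports the sample as FOUND, while `hdb_lookup "$d/clean.txt" "$d/sample.hdb"` reports OK; the return code mirrors that verdict so the function can be used in a conditional.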

Scanning files and directories using clamscan

Finally, we can run clamscan against a single file, or recursively against a directory with -r. Internally it uses the signature database to check whether any of the scanned files match a known signature. clamscan provides many handy command line arguments; I encourage you to read its man page for more details.

$ clamscan /usr/bin/ls
$ clamscan -r /usr/bin/
$ clamscan --log=/tmp/clamav_test_run.log -r /usr/bin
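When clamscan is run from a script rather than by hand, its exit status and its log are what you act on: clamscan(1) documents exit code 0 for no hits, 1 when one or more infected files were found, and 2 when an error occurred, and each hit appears in the log as a "path: Signature.Name FOUND" line followed by a SCAN SUMMARY. The script below is an added example, not code from the article or the ClamAV project. It wraps clamscan with the --recursive, --infected and --log options used above, maps the exit code to a verdict, and extracts the infected paths and the summary count from a log. The log in sample_log() is constructed so the parsing functions can be exercised without ClamAV installed; the path and signature name in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the article or ClamAV): a wrapper around clamscan
# that interprets its documented exit codes and parses its log output.
# The log produced by sample_log() is constructed; its path and detection
# name are placeholders, not real samples or signatures.

set -eu

# Map a clamscan exit status to a one-word verdict (see clamscan(1)).
verdict_for() {
    case "$1" in
        0) echo CLEAN ;;
        1) echo INFECTED ;;
        2) echo ERROR ;;
        *) echo UNKNOWN ;;
    esac
}

# Print the path of every file a clamscan log reports as FOUND.
# clamscan writes one "path: Signature.Name FOUND" line per hit.
infected_paths() {
    awk '/ FOUND$/ { sub(/: [^:]* FOUND$/, ""); print }' "$1"
}

# Print the number from the "Infected files:" line of the scan summary.
infected_count() {
    awk -F': ' '/^Infected files:/ { print $2; exit }' "$1"
}

# Scan a directory recursively, log to $2, and print the verdict.
# Only options documented in clamscan(1) are used. Output is suppressed;
# the log file and the exit code carry the result.
scan_dir() {
    dir=$1; log=$2
    rc=0
    clamscan --recursive --infected --log="$log" "$dir" > /dev/null 2>&1 || rc=$?
    verdict_for "$rc"
}

# Constructed sample log in the format clamscan produces, written to a temp
# file so infected_paths and infected_count can run without ClamAV.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/tmp/constructed/suspect.bin: Placeholder.Test-Signature FOUND
/tmp/constructed/readme.txt: OK

----------- SCAN SUMMARY -----------
Known viruses: 8675587
Engine version: 0.103.8
Scanned directories: 1
Scanned files: 2
Infected files: 1
EOF
    echo "$f"
}
```

In a cron job you would call `scan_dir /home /var/log/clamav/home.log`, treat INFECTED and ERROR as actionable, and feed `infected_paths` to whatever quarantine or alerting step follows; keeping the verdict separate from the parsing makes the script testable on a machine where clamscan is not installed.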

ClamAV Configuration settings

ClamAV is highly configurable to suit your requirements. You can use the scan.conf file to check your current configuration and make changes. There is also a handy clamconf utility which dumps your entire ClamAV configuration to the screen.

$ ls -l /etc/clamd.d/scan.conf
-rw-r--r--. 1 root root 26665 Feb 20 11:54 /etc/clamd.d/scan.conf
$ clamconf
Checking configuration files in /etc
Config file: clamd.d/scan.conf
------------------------------
AlertExceedsMax disabled
Config file: freshclam.conf
---------------------------
LogFileMaxSize = "1048576"
LogTime disabled
LogSyslog disabled
<< snip >>
$

Running Clamav daemon

Running ClamAV once in a while is good; however, remember that it also ships a multithreaded clamd daemon, so you can also configure it as a service that runs continuously in the background and is managed by systemd, as shown in the example below. Also note that if you intend to run the clamav service, it is best to add a dedicated service account for it.

$ ls -l /usr/lib/systemd/system/clamd@.service
-rw-r--r--. 1 root root 398 Feb 20 11:44 /usr/lib/systemd/system/clamd@.service
$
$ systemctl status clamd@service
○ clamd@service.service - clamd scanner (service) daemon
Loaded: loaded (/usr/lib/systemd/system/clamd@.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:clamd(8)
man:clamd.conf(5)
https://www.clamav.net/documents
$

Conclusion

ClamAV is a healthy open source project which is actively developed and maintained by the Cisco Talos threat intelligence team. I have barely scratched the surface of what ClamAV is capable of. I highly recommend that users check its documentation to understand its value and decide whether it is suitable for their malware scanning needs. Also check out the variety of community projects related to ClamAV that you can contribute to.
