Ubuntu – How to scan on-access with Clamav in v14.04

clamav

I try to use clamav for on-access virus scanning for my home directory and all mounted drives.
I found some rather old instructions here, and adjusted them.

Since dazuko was replaced by fanotify, the parameters in clamd.conf are slightly different.
Here are my relevant clamd.conf entries:

ScanOnAccess true
# ClamukoScanOnOpen true
# ClamukoScanOnExec true
OnAccessIncludePath /home
OnAccessIncludePath /mnt
OnAccessIncludePath /media
VirusEvent /opt/clamdazer %v &

If I restart clamd (by "sudo invoke-rc.d clamav-daemon restart"), the log has the following:

ERROR: ScanOnAccess: fanotify_init failed: Operation not permitted
ScanOnAccess: clamd must be started by root

What am I doing wrong?

Edit: I tried to change the "User clamav" line to "User root", but then the start of clamd will fail with "ERROR: initgroups() failed".

I found some bug reports which maybe relevant here: Ubuntu Bug #1404762 and Debian bug #749027 (I can only post 2 links).

Unfortunately, I did not succeed using the solutions described there. To me, it seems, on-access scanning presently does not work at all.

Best Answer

Actually you already there. You already done Installing the clam-av, we need a little tweak to make the clamd run as root.

Since this thread already ages. I will summarize the correct things you have done. This is just for step-by-step how to install ClamAV and made it on-access.

First we must install the correct version. Only clamav version > 0.98 have a ifanotify capability for the on-access scan. This ifanotify replace the deprecated dazuko kernel module See more @ ClamAV Blog used by older ClamAV version.

STEP 1 - Installation

If you running on 14.04 you may add this ppa for the latest version

ppa:teward/clamav

Then update the apt to refresh the apt cache

sudo apt-get update

Run the following command to install the ClamAV

sudo apt-get install clamav clamav-daemon

If the ClamAV already installed don't forget to update the ClamAV database by running

sudo freshclam

At this step, we already have the ClamAV on our machine. But wait, we need to make it do the on-access scan right? Sure!

STEP 2 - Configuration

Now open the ClamAV configuration file (clamd.conf). I am using ubuntu 16.04 LTS and it's located on /etc/clamav/clamd.conf (you can use nano, or vi to edit the file, but make sure you are have the privilege to edit the file).

sudo nano /etc/clamav/clamd.conf

Then you will see all of predifined parameters there.

Now look at the configuration file for this parameter

ScanOnAccess false

Change it to

ScanOnAccess true

Now there is two option to include the directory for the on-access scan. First include the directory as mounted, and the second one as the include directory.

Still on the configuration file, add the following parameter for mounted option

OnAccessMountPath /

This will include all directory or path inside your machine. In other words, it would watch and scan all of your machine directory. But you can add more than one "OnAccessMountPath", by this you can define your own.

OnAccessMountPath /home
OnAccessMountPath /opt
OnAccessMountPath /var
etc...

The second one you can include the directory more specific using "OnAccessIncludePath"

OnAccessIncludePath /home/{youruser}/Desktop
OnAccessIncludePath /home/{youruser}/Documents
OnAccessIncludePath /home/{youruser}/Downloads
OnAccessIncludePath /home/{youruser}/Emulation
OnAccessIncludePath /home/{youruser}/Music
OnAccessIncludePath /home/{youruser}/Pictures
OnAccessIncludePath /home/{youruser}/Public
OnAccessIncludePath /home/{youruser}/Video

And then don't forget to add the following parameter in the end of the configuration paramater

OnAccessPrevention false
OnAccessExtraScanning true
OnAccessExcludeUID 0

(Optional but recomended) You can add your own script to handle the event when the virus found such delete or move the infected file, and do some log. To do this you can add "VirusEvent" parameter in the configuration file. You can add like I do

VirusEvent /opt/clamav-utils/clamd-response

And create a new bash file called "clamd-response" under /opt/clamav-utils or anywhere you like.

Here the script of clamd-response

#!/bin/sh

echo "$(date) - $CLAM_VIRUSEVENT_VIRUSNAME > $CLAM_VIRUSEVENT_FILENAME" >> /var/log/clamav/infected.log
rm $CLAM_VIRUSEVENT_FILENAME
sudo -u yourUserName DISPLAY=:0.0 notify-send "Virus Found $CLAM_VIRUSEVENT_VIRUSNAME" "$CLAM_VIRUSEVENT_FILENAME has been removed"

The script will remove the infected file, do the log, and send OSD notification to your desktop. Note: If the OSD Notification doesn't show up, try to delete

sudo -u yourUserName

and just leave

DISPLAY=:0.0 notify-send "Virus Found $CLAM_VIRUSEVENT_VIRUSNAME" "$CLAM_VIRUSEVENT_FILENAME has been removed"

Now we need to make the clamd (clamav daemon) to run as root. Still on the configuration file look for this parameter

User clamav

Change it into

User root

Now save and close the file. Next we need to prevent app armor prevented clamd run as root.

STEP 3 - Give clamd ability run as ROOT

First we need to install app armor utils by run this command

sudo apt install apparmor-utils

Then run this command to complain about clamd disability run as root

sudo aa-complain clamd

Just restart your machine, and ClamAV should be run as on-access now.

Related Solutions

Ubuntu – How to auto-scan any plugged in usb storage device with clamav

This is an automated script. Just run it as root. You can change the command executed by editing /usr/bin/doOnUSBinsert.

#!/bin/bash
#doOnUSBinsert_0.2.sh
#Author : Totti
# Make it executable by running 'sudo chmod  x doOnUSBinsert_0.2.sh'


if ! [ -f /etc/udev/rules.d/80-doOnUSBinsert.rules ]
then        # rule not added
   cp "$0" /usr/bin/doOnUSBinsert
   chmod u x /usr/bin/doOnUSBinsert

#   echo 'SUBSYSTEM=="usb", ACTION=="add", RUN ="/path/to/script.sh"' | sudo tee     /etc/udev/rules.d/80-clamscan.rules
   echo 'SUBSYSTEM=="usb", ACTION=="add", RUN ="/usr/bin/doOnUSBinsert & "' | tee     /etc/udev/rules.d/80-doOnUSBinsert.rules
   if  [ $? -eq 0 ]
   then
     echo 'Rule Successfully added. See file "/usr/bin/doOnUSBinsert" if you wish to edit the command'
     exit 0
    else
     echo 'ERROR while adding rule'
     exit 1
   fi
fi



lfile="/tmp/doOnUSBinsert.log"     # udev
lfile2="/tmp/clamscanFromUdev.log"   # clamscan
lfile3="/tmp/doOnUSBinsert_mount.log"   # mount


main ()
{
sleep 12  # let the partitions to mount

   #cat /proc/$$/environ | tr '�' 'n' >> /tmp/udevEnvirn.txt
echo "found $ID_SERIAL"   >> "$lfile"
  cat /etc/mtab | grep "^$part_c"   >> "$lfile.3"

if [ "$ID_SERIAL"x = 'x' ]
then
 echo "Exiting on empty ID_SERIAL"   >> "$lfile"
 exit 1
fi

#Eg: ID_SERIAL --> /dev/disk/by-id/usb-sandisk....42343254343543
#i=0
echo 'searching partitions'   >> "$lfile"

for partitionPath in  $( find /dev/disk/by-id/ -name "*$ID_SERIAL*part*" )
do
  echo "current partition = $partitionPath"   >> "$lfile"
 # part[i  ]="$( readlink -f "$partition" )"        # Eg Output: /dev/sdb1     , /dev/sdb2
  part_c="$( readlink -f $partitionPath )"   
  mpoint="$( cat /etc/mtab | grep "^$part_c"  | awk '{print $2}' )"

  echo "partitionPath= $partitionPath, part = $part_c, mountpoint=  $mpoint"  >>     "$lfile"

  echo "Scaning -->  $mpoint"  >> "$lfile.2"
  ############################################
  clamscan -r --bell "$mpoint"/*  >> "$lfile.2"
  #############################################
done
}


main &
echo ______________________________________  >> "$lfile"
exit 0

Security – How to Scan for Viruses with ClamAV

Terminal

At first you have to update the virus definitions with:

sudo freshclam

Then you can scan for viruses.

clamscan OPTIONS File/Folder

If necessary start with root permissions: sudo clamscan.

Examples:

To check all files on the computer, displaying the name of each file:
```
clamscan -r /
```
To check all files on the computer, but only display infected files and ring a bell when found:
```
clamscan -r --bell -i /
```
To scan all files on the computer but only display infected files when found and have this run in the background:
```
clamscan -r -i / &
```
Note - Display background process's status by running the jobs command.
To check files in the all users home directories:
```
clamscan -r /home
```
To check files in the USER home directory and move infected files to another folder:
```
clamscan -r --move=/home/USER/VIRUS /home/USER
```
To check files in the USER home directory and remove infected files (WARNING: Files are gone.):
```
clamscan -r --remove /home/USER
```
To see more options:
```
clamscan --help
```

See:

Latest documentation: PDF | HTML
ClamAV official Wiki
Ubuntu Wiki

Graphical User Interface: ClamTK

ClamTk is a frontend for ClamAV. You can install it via Terminal with:

sudo apt-get install clamtk

You can get the latest version from Bitbucket as Debian package.

There is also a PPA (Outdated):

sudo apt-add-repository ppa:landronimirc/clamtk
sudo apt-get update && sudo apt-get install clamtk

clamtk screenshot

Scan Menu: Here you can choose a file, folder or a device for scanning

clamtk scan menu screenshot

View Menu:

clamtk view menu screenshot

Quarantine Menu:

clamtk quarantine menu screenshot

Advanced Menu:

clamtk advanced menu screenshot

Help Menu: Here you can check for updates.

clamtk help menu screenshot