Sometimes I need to scan files over the Internet given their URLs. I didn't find any information about this capability in the ClamAV documentation. Does it allow that? How do I get the result of the scan?
Ubuntu – Scan a file over the Internet by its url using ClamAV
clamav, remote
Related Solutions
Maybe it isn't designed to run in background.
Yes, it is. The wiki shows methods running it as a daemon and as a scanner:
Run ClamAV as a Daemon
Install clamav-daemon. You can then use clamdscan where you would previously have used clamscan. Lots of programs, especially e-mail servers, can connect to a ClamAV daemon. This speeds up virus scanning as the program is always in memory.
The clamav-daemon package creates a 'clamav' user; in order to allow ClamAV to scan system files, such as your mail spool, you can add clamav to the group that owns the files.
Let ClamAV listen for Incoming Scans
There are cases where you may want ClamAV daemon to act as a scanner for other systems, so you don't have to run everything locally on the system.
To do this, you simply have to modify the clamd.conf file and add TCPSocket PORTNUMBER and TCPAddr IPADDRESS arguments to the clamd.conf file and reload the daemon. The daemon will then accept connections to it via the IP address and Port combination you specify.
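A check for the clamd.conf change described above, as an added example that is not from the wiki or the original answer: clamd binds to every address when TCPSocket is set without TCPAddr, and its socket protocol has no authentication, so the listener should be tied to a specific address. The helper names audit_clamd_tcp and audit_demo and the sample values (port 3310, the addresses) are assumptions.

```shell
#!/bin/sh
# Added example. audit_clamd_tcp and audit_demo are hypothetical helper names.
# Usage after sourcing this file: audit_clamd_tcp /etc/clamav/clamd.conf
# Prints one finding; returns 0 (no exposure found) or 1 (listener reachable
# on every interface).

audit_clamd_tcp() {
    awk '
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        $1 == "TCPSocket" { port = $2 }
        $1 == "TCPAddr"   { addr[++n] = $2 }   # collect every TCPAddr line
        END {
            if (port == "") {
                print "ok: TCPSocket not set, no TCP listener"; exit 0
            }
            if (n == 0) {
                print "warn: port " port " listens on all addresses (no TCPAddr)"
                exit 1
            }
            for (i = 1; i <= n; i++)
                if (addr[i] == "0.0.0.0" || addr[i] == "::") {
                    print "warn: port " port " bound to wildcard " addr[i]
                    exit 1
                }
            print "ok: port " port " restricted to " n " address(es)"
            exit 0
        }' "$1"
}

# Offline run against a constructed sample config (values are made up).
audit_demo() {
    ad_f=$(mktemp) || return 2
    printf 'TCPSocket 3310\nTCPAddr 0.0.0.0\n' > "$ad_f"
    ad_rc=0
    audit_clamd_tcp "$ad_f" || ad_rc=$?
    rm -f "$ad_f"
    return "$ad_rc"
}
```

A "warn" result means the port also needs a firewall rule or a specific TCPAddr before the daemon is reloaded.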
I just want good protection for my system.
Linux is fundamentally different from Windows so we did not inherit the problems Windows (still) faces. Our system has been set up as a multi-user system: more than 1 user at the same time is expected to use it. This means we have a security model built into our system since some users are not expected to see all the content or be able to do what they want on our systems. That also hinders malware from abusing your system.
Yes, it does not make Linux invulnerable. But as long as it is easier to infect millions of Windows systems than to infect 1 Linux machine we win. Only if your machine is targeted specifically (when you run a game server for instance) do you need to take precautions. But those are: create regular backups, use a good password, use a router, keep an eye on the CVE tracker, keep your system up to date and do not install software you do not need. All things you should do anyway.
- Have you used other software showing better protection than ClamAV?
Yes (1st part: as a system admin for 30+ systems I have examined several virus scanners and rootkit detectors and also made an assessment about threat risks when not using one) and no (2nd part). But the no is not because ClamAV is so good: it is as bad as any other virus scanner. Virus scanners all have such a low success rate that they are useless. When nearly 100% of everything it claims to be a virus is false, I can't use it.
- Are there any "enhancements" possible to increase the threat detection in ClamAV, since it is lightweight? (I have seen some websites suggesting to add their threat signatures to the ClamAV list. Is this safe?)
See for instance the "signatures.pdf" in the "doc" dir of ClamAV on how to upload extra virus signatures.
But this is only useful when you actually find a virus as the 1st person. The virus definition file gets updates pretty regularly so I doubt there is anything to improve.
- Overall (and this is important), below you can find additional tasks which can be performed for hardened protection, without slowing down the machine.
This is a question on its own and has also no relation to virus scanners.
- Encrypt your system.
- Do not install software that allows you to use FTP, Telnet, rlogin and rsh services.
- Minimize the software installed: don't use it? Remove it.
- Keep your system up to date.
- Use strong passwords and password aging.
Important:
The protection of your system does not come from anti-virus software; it comes from how you treat your system. If you ever do find a virus you are too late: removing a virus is not enough as your system has been compromised and needs to be re-installed from a proven clean backup. You always have to assume they got your admin password.
Best Answer
To scan a file you have to download it. You can only scan it on the server if it is your server and you have remote access to it. So if you want to download it from the terminal and run a scan as soon as it is downloaded, you should use a command like:
or if you don't need the file after download, you can pipe it to clamscan:
The above will still download the file; the only difference is that it won't store it on your storage. (So your bandwidth will still be used during the process, and if you decide that the file is clean, you have to redownload it if you need it on your PC.)
If you don't want to download it, then you have to use a cloud service which downloads and scans it for you, e.g. VirusTotal does it and it also scans the file with ClamAV. VirusTotal also has a public API which you can use to initiate scans from your terminal or from any program you write.
If it is your server with ClamAV installed on it and you have ssh access to it, then you just ssh to the server and scan the file just like you would scan it on your client. You can use something like:
Of course this depends on your server root (/var/www) and whether there are other settings on the server which should be taken into account when reconstructing the filepath from the URL, but because you know how your server is set up you can do it.
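The download-then-scan approach described in this answer, as an added example that is not part of the original post. The function name scan_url, the 100 MiB size cap and the 120 second timeout are assumptions; curl and clamscan are the real tools, and the verdict follows clamscan's exit codes (0 no virus found, 1 virus found, 2 error).

```shell
#!/bin/sh
# Added example (not from the original answer). scan_url is a hypothetical name.
# Usage after sourcing this file: scan_url https://example.org/file.bin
# Prints clean | infected | error and returns 0, 1 or 2 to match.

scan_url() {
    su_url=$1

    # Accept only http(s) URLs so file://, ftp:// and the like never reach curl.
    case "$su_url" in
        http://*|https://*) ;;
        *) echo "error"; return 2 ;;
    esac

    # Private temp file (mktemp creates it mode 0600); removed on every path.
    su_tmp=$(mktemp) || { echo "error"; return 2; }

    # --fail: an HTTP error is a failure, so an error page is never scanned
    #         in place of the file.
    # --proto/--proto-redir: redirects cannot switch to another scheme.
    # --max-filesize/--max-time: bound what an untrusted server can send.
    if ! curl --fail --silent --show-error --location \
            --proto '=http,https' --proto-redir '=http,https' \
            --max-filesize 104857600 --max-time 120 \
            --output "$su_tmp" "$su_url"; then
        rm -f "$su_tmp"
        echo "error"
        return 2
    fi

    # Scanner report goes to stderr; stdout carries only the verdict.
    su_rc=0
    clamscan --no-summary "$su_tmp" >&2 || su_rc=$?
    rm -f "$su_tmp"

    case "$su_rc" in
        0) echo "clean" ;;
        1) echo "infected" ;;
        *) echo "error"; su_rc=2 ;;
    esac
    return "$su_rc"
}
```

Treating a failed download as "error" rather than "clean" matters when the result gates an automated step: an unreachable file has not been scanned.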