Clamav

Setup

Install clamav and other malware definition files (clamav-unofficial-sigs is outdated):

pamac install clamav python-fangfrisch

Add user to clamav group:

sudo usermod -a -G clamav varac
newgrp clamav

Configure malware definition services:

sudo touch /var/log/clamav/freshclam.log
sudo chown clamav:clamav /var/log/clamav/freshclam.log
sudo freshclam
sudo systemctl enable clamav-freshclam.service
sudo systemctl start clamav-freshclam.service

Start clamav in daemon mode:

sudo systemctl enable clamav-daemon.service
sudo systemctl start clamav-daemon.service

Additional malware definitions

These packages ship additional malware definition files:

fangfrisch

  • Config: /etc/fangfrisch/fangfrisch.conf
  • db: /var/lib/fangfrisch/db.sqlite

Setup:

pamac install clamav python-fangfrisch
sudo -u clamav /usr/bin/fangfrisch --conf /etc/fangfrisch/fangfrisch.conf initdb
sudo systemctl enable fangfrisch.timer
sudo systemctl start fangfrisch.timer

Test

$ curl https://secure.eicar.org/eicar.com.txt | clamscan -
...
stdin: Win.Test.EICAR_HDB-1 FOUND

On-Access scanning

On-Access scanning setup

  • FANOTIFY needs to be enabled in the kernel (it is in the default Arch Linux/Manjaro kernels); check with: zgrep FANOTIFY /proc/config.gz

First, edit the /etc/clamav/clamd.conf configuration file by adding the following to the end of the file (see config in the Arch wiki: On-Access Scanning). Don't forget to adjust all mount points.

Next, allow the clamav user to run notify-send as any user with custom environment variables via sudo:

sudo vi /etc/sudoers.d/clamav

and paste the following content:

# https://wiki.archlinux.org/title/ClamAV#OnAccessScan
clamav ALL = (ALL) NOPASSWD: SETENV: /usr/bin/notify-send

Edit clamav-clamonacc.service:

sudo systemctl edit clamav-clamonacc.service

and insert:

[Service]
ExecStart=
ExecStart=/usr/sbin/clamonacc -F --fdpass --log=/var/log/clamav/clamonacc.log

Then enable and start the service:

sudo systemctl enable clamav-clamonacc.service
sudo systemctl start clamav-clamonacc.service
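The sudoers rule above exists so that a VirusEvent command in clamd.conf can send desktop notifications. As an added example (not from this page or the Arch wiki), here is a handler script that clamd could run via a line such as VirusEvent /etc/clamav/virus-event.sh (path and log file location are assumptions); it relies on the CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME variables clamd exports to the VirusEvent command, and refuses to act when they are missing.

```shell
#!/bin/sh
# Added example VirusEvent handler for clamd (not the page's own config).
# Assumed to be installed as /etc/clamav/virus-event.sh, executable by the clamav user.
# clamd exports CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME to this script.
export PATH="/usr/bin:/bin:${PATH:-}"   # clamd starts us with a minimal environment

# Build the alert text. Fails (returns 1) when clamd did not pass the variables,
# which is the first thing to verify when VirusEvent seems not to fire.
virus_alert_text() {
    [ -n "${CLAM_VIRUSEVENT_VIRUSNAME:-}" ] && [ -n "${CLAM_VIRUSEVENT_FILENAME:-}" ] || return 1
    printf 'ClamAV: %s found in %s\n' "$CLAM_VIRUSEVENT_VIRUSNAME" "$CLAM_VIRUSEVENT_FILENAME"
}

# Append a timestamped line to a log file (default path is an assumption;
# it must be writable by the clamav user, like freshclam.log above).
log_alert() {
    logfile="${1:-/var/log/clamav/infected.log}"
    text="$(virus_alert_text)" || return 1
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$text" >> "$logfile"
}

# Notify every logged-in desktop session. Uses the sudoers rule above:
# clamav may run notify-send as any user and pass DBUS_SESSION_BUS_ADDRESS (SETENV).
notify_sessions() {
    text="$(virus_alert_text)" || return 1
    for addr in /run/user/*; do
        [ -S "$addr/bus" ] || continue        # skip sessions without a session bus
        uid="${addr#/run/user/}"
        sudo -u "#$uid" DBUS_SESSION_BUS_ADDRESS="unix:path=$addr/bus" \
            notify-send -u critical -i dialog-warning "ClamAV alert" "$text"
    done
}

# Only act when invoked by clamd (variables set); sourcing the file for tests does nothing.
if [ -n "${CLAM_VIRUSEVENT_VIRUSNAME:-}" ] && [ -n "${CLAM_VIRUSEVENT_FILENAME:-}" ]; then
    log_alert
    notify_sessions
fi
```

Before relying on clamd to call it, run it by hand as the clamav user with both variables set (sudo -u clamav CLAM_VIRUSEVENT_VIRUSNAME=Test CLAM_VIRUSEVENT_FILENAME=/tmp/x /etc/clamav/virus-event.sh) and confirm the log line and notification appear.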

On-Access scanning test

wget https://secure.eicar.org/eicar.com.txt
cat eicar.com.txt

Issue: VirusEvent does not trigger