ClamAV is an antivirus engine widely used on Linux servers to detect trojans, viruses, malware, phishing and other threats. By default it ships with the official signature sets, which are updated from its standard repository. On web servers running PHP, Python and similar stacks, where all kinds of applications such as WordPress or Joomla are installed, and on mail servers that receive phishing, viruses and trojans in the most diverse files and formats, additional signatures are necessary.
On the web there are several projects and sites that offer free or paid signature subscriptions for ClamAV. It is very important to assess the quality of these subscriptions: it is quite common to find sets that generate what we call a "false positive", a clean file reported as malicious.
eXtremeSHOK maintains a project on GitHub named clamav-unofficial-sigs that gathers several trusted signature sets available on the web for ClamAV and keeps them up to date.
In addition to the signature sets the project fetches by default, we are going to add part of the trusted signatures that we use with our Linux Server Management clients.
Let’s go through the step-by-step guide for the correct installation and configuration of ClamAV-unofficial-sigs on CentOS and CloudLinux servers.
Install the epel-release repository
yum -y update
yum -y install epel-release
yum -y update
Check your firewall and, if necessary, allow outbound connections on the ports the signature downloads use:
rsync: TCP port 873 (used by clamav-unofficial-sigs for the rsync mirrors)
wget/curl: TCP port 443 (plus TCP port 80 for the plain http:// sources added later in this guide)
Install ClamAV and components:
yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
Configure SELinux to allow ClamAV (if SELinux is enabled)
** Make sure SELinux is enabled. If it is disabled, skip this step.
sestatus
If the result is enabled, proceed (if disabled, skip to creating the ClamAV user):
setsebool -P antivirus_can_scan_system 1
setsebool -P clamd_use_jit 1
Create the group and user for ClamAV
groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
The EPEL packages already create their own service accounts (clamscan and clamupdate); whichever account you settle on, the User directive in /etc/clamd.d/scan.conf and the owner of the socket directory created below must both name it, because clamd drops privileges to that user and then has to create its socket in that directory.
Create the directory and set its owner and group to clamav
mkdir /var/clamav
chown clamav:clamav /var/clamav
Remove the Example line
sed -i '/^Example$/d' /etc/clamd.d/scan.conf
Edit the scan.conf file
nano /etc/clamd.d/scan.conf
Find LocalSocket and replace it with:
LocalSocket /var/run/clamd.scan/clamd.sock
Then in the Linux shell paste the block below:
cat << EOF > /etc/tmpfiles.d/clamav.conf
# type path mode user group; the owner must be the account named by User in scan.conf
d /var/run/clamd.scan 0755 clamav clamav
EOF
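Before going on to the service unit it is worth checking that the three places that name the socket agree. The script below is an added example, not code from this guide or from ClamAV: it reads LocalSocket and User from a scan.conf and the matching 'd' line from a tmpfiles.d file, and fails when the directory would be created for an account other than the one clamd drops to. It runs on constructed excerpts of both files (the sample scan.conf uses User clamav, matching the account created above); point the two paths at /etc/clamd.d/scan.conf and /etc/tmpfiles.d/clamav.conf to check a real host.

```shell
#!/bin/sh
# Added example (not from this guide or the ClamAV project): verify that the
# clamd socket directory, its tmpfiles.d entry and the clamd User agree.
set -eu

# First uncommented value of a directive in a ClamAV config file.
clamd_directive() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# "mode user group" of the tmpfiles.d 'd' entry for a directory, or nothing.
tmpfiles_dir_entry() {
    awk -v dir="$2" '$1 == "d" && $2 == dir { print $3, $4, $5; exit }' "$1"
}

# Returns 0 when the socket directory will be created for the user clamd runs as.
check_socket_setup() {
    scan_conf=$1
    tmpfiles_conf=$2
    sock=$(clamd_directive "$scan_conf" LocalSocket)
    user=$(clamd_directive "$scan_conf" User)
    if [ -z "$sock" ] || [ -z "$user" ]; then
        echo "FAIL: $scan_conf needs both LocalSocket and User" >&2
        return 1
    fi
    sock_dir=$(dirname "$sock")
    entry=$(tmpfiles_dir_entry "$tmpfiles_conf" "$sock_dir")
    if [ -z "$entry" ]; then
        # systemd-tmpfiles rejects lines without the leading type field ("d").
        echo "FAIL: no 'd $sock_dir ...' line in $tmpfiles_conf" >&2
        return 1
    fi
    set -- $entry          # $1=mode $2=user $3=group
    if [ "$2" != "$user" ]; then
        echo "FAIL: $sock_dir is created for $2 but clamd runs as $user" >&2
        return 1
    fi
    echo "OK: $sock_dir ($1 $2:$3) matches User $user"
}

# --- constructed inputs (excerpts, not the real files) ---
CHECK_DIR=$(mktemp -d)
trap 'rm -rf "$CHECK_DIR"' EXIT
SCAN_CONF="$CHECK_DIR/scan.conf"
TMPFILES_OK="$CHECK_DIR/clamav-ok.conf"
TMPFILES_BAD="$CHECK_DIR/clamav-bad.conf"

cat > "$SCAN_CONF" <<'EOF'
# constructed excerpt of /etc/clamd.d/scan.conf
#LocalSocket /run/clamd.scan/clamd.sock
LocalSocket /var/run/clamd.scan/clamd.sock
User clamav
EOF
# Matching entry: type field present, owner is the user from scan.conf.
printf 'd /var/run/clamd.scan 0755 clamav clamav\n' > "$TMPFILES_OK"
# Mismatched entry: directory created for an account clamd does not run as.
printf 'd /var/run/clamd.scan 0755 clam clam\n' > "$TMPFILES_BAD"

check_socket_setup "$SCAN_CONF" "$TMPFILES_OK"
check_socket_setup "$SCAN_CONF" "$TMPFILES_BAD" || echo "(mismatch detected, as expected)"
```

The second call reproduces the classic failure mode: the directory exists after boot, but clamd, running as a different user, cannot create its socket in it and exits.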
mv /usr/lib/systemd/system/clamd\@scan.service /usr/lib/systemd/system/clamd\@scan.old
cat << 'EOF' > /usr/lib/systemd/system/clamd\@scan.service
# Run the clamd scanner
[Unit]
Description = clamd scanner (%i) daemon
After = syslog.target nss-lookup.target network.target
[Service]
Type = simple
# -c is required: without it clamd never reads the /etc/clamd.d/scan.conf edited above
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --foreground=yes
Restart = on-failure
IOSchedulingPriority = 7
# CPUSchedulingPolicy accepts other, batch, idle, fifo or rr; a bare number is rejected by systemd
CPUSchedulingPolicy = batch
Nice = 19
PrivateTmp = true
MemoryLimit=500M
CPUQuota=50%
[Install]
WantedBy = multi-user.target
EOF
Two caveats on this unit: files under /usr/lib/systemd/system are replaced when the clamav packages are updated, so a copy placed in /etc/systemd/system/ (which takes precedence) survives upgrades; and 500M is a tight MemoryLimit once the unofficial signature sets are loaded, so if clamd@scan is killed at startup or during scans, raise it.
systemctl daemon-reload
Configure FreshClam, paste the block below:
sed -i '/^Example$/d' /etc/freshclam.conf
sed -i '/REMOVE ME/d' /etc/sysconfig/freshclam
The second line removes the FRESHCLAM_DELAY=disabled-warn entry that the EPEL package ships to keep freshclam from running until it has been configured.
cat << 'EOF' > /usr/lib/systemd/system/clam-freshclam.service
# Run freshclam as a daemon
[Unit]
Description = freshclam scanner
After = network.target
[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d
Restart = on-failure
IOSchedulingPriority = 7
# CPUSchedulingPolicy accepts other, batch, idle, fifo or rr; a bare number is rejected by systemd
CPUSchedulingPolicy = batch
Nice = 19
PrivateTmp = true
[Install]
WantedBy = multi-user.target
EOF
systemctl daemon-reload
freshclam
systemctl enable clam-freshclam.service
systemctl start clam-freshclam.service
The manual freshclam run downloads the official databases before clamd is started; clamd refuses to start with an empty database directory. Enable and start clamd, then check that everything is OK with status:
systemctl enable clamd@scan
systemctl start clamd@scan
systemctl status clamd@scan
For a functional check, scan the EICAR test file through the daemon with clamdscan: it must be reported as infected, which proves that the socket, the user and the databases are all in order.
Installing dependencies:
yum -y install bind-utils rsync
Installing clamav-unofficial-sigs:
mkdir -p /usr/local/sbin/
wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/clamav-unofficial-sigs.sh -O /usr/local/sbin/clamav-unofficial-sigs.sh; chmod 755 /usr/local/sbin/clamav-unofficial-sigs.sh
This fetches whatever is currently on the master branch, and the script will run as root from cron, so read through the downloaded file (or download a tagged release instead) before executing it.
mkdir -p /etc/clamav-unofficial-sigs/
wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/config/master.conf -O /etc/clamav-unofficial-sigs/master.conf
wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/config/user.conf -O /etc/clamav-unofficial-sigs/user.conf
If your Linux distribution is CentOS 7/8, AlmaLinux 8/9 or CloudLinux 7/8/9, copy and paste the instructions below:
os_conf="os.centos7-atomic.conf"
wget "https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/config/os/${os_conf}" -O /etc/clamav-unofficial-sigs/os.conf
After downloading, open /etc/clamav-unofficial-sigs/os.conf and confirm that the database directory, the clamd user and group, and the clamd restart command match this installation (/var/lib/clamav, the account named in scan.conf, and systemctl restart clamd@scan); the os.*.conf files differ mainly in these paths.
** Note: for other Linux distributions, access the link below and, under "Operating System Specific Install", select the best option for your Linux: clamav-unofficial-sigs
Before moving on to the next step, sign up for two sites that offer excellent signature subscriptions for ClamAV.
1 – MalwarePatrol Free
Create your free account at: https://www.malwarepatrol.net/free-guard-upgrade-option/
Your browser will display “Password/Receipt:”
Save this information, we will need it in the next step.
2 – SecuriteInfo Free
Create your free account at: https://www.securiteinfo.com/clients/customers/signup
You will receive an email with a link to activate your account, after activation, you will receive another email with your username and password to login to the site.
Log in and go to: https://www.securiteinfo.com/clients/customers/account
Click on the Setup tab; you will see a URL next to DatabaseCustomURL.
Your individual identifier is the 128-character string embedded in that URL: copy the sequence that follows
https://www.securiteinfo.com/get/signatures/
up to the next "/".
Save this information, we will use it in the next step.
The other repositories used by clamav-unofficial-sigs do not require registration; for reference, they are:
Yara Rules: https://github.com/Yara-Rules/rules
Urlhaus: https://urlhaus.abuse.ch/
Linux Malware Detect Subscriptions: https://www.rfxn.com/projects/linux-malware-detect/
** There are many free signature sets for ClamAV on the web; unfortunately many of them generate false positives. It is very important to verify the trustworthiness of a new set with the community and other sources, and to test it against a sample of your own known-clean files before relying on it in production.
Let's add two additional signature sources for ClamAV in the configuration file that we will cover next.
Mailborder: https://www.mailborder.com/
MalwareExpert: https://malware.expert/
Signature configuration for ClamAV:
Edit the user.conf file:
nano /etc/clamav-unofficial-sigs/user.conf
Locate and remove the # from the following line:
securiteinfo_authorisation_signature="YOUR-SIGNATURE-NUMBER"
Replace YOUR-SIGNATURE-NUMBER with the 128-character code you saved in the SecuriteInfo Free steps above. The MalwarePatrol receipt saved earlier goes in the same file: uncomment the malwarepatrol_receipt_code line and put the receipt in place of its placeholder (verify that name against your downloaded copy of user.conf).
Next we'll add a few more signature sources.
Find the additional_dbs array:
declare -a additional_dbs=(
#ftp://ftp.example.net/pub/sigs.ndb
#http://www.example.org/sigs.ldb
)
Delete the two commented example entries and paste the content below in their place, leaving the declare line and the closing parenthesis untouched:
http://cdn.malware.expert/malware.expert.ndb
http://cdn.malware.expert/malware.expert.hdb
http://cdn.malware.expert/malware.expert.ldb
http://cdn.malware.expert/malware.expert.fp
http://sigs.mailborder.com/sigwhitelist.ign2
http://sigs.mailborder.com/sanesecurity.ftm
http://sigs.mailborder.com/junk.ndb
http://sigs.mailborder.com/jurlbl.ndb
http://sigs.mailborder.com/phish.ndb
http://sigs.mailborder.com/rogue.hdb
http://sigs.mailborder.com/scam.ndb
http://sigs.mailborder.com/spamimg.hdb
http://sigs.mailborder.com/spamattach.hdb
http://sigs.mailborder.com/blurl.ndb
http://sigs.mailborder.com/foxhole_generic.cdb
http://sigs.mailborder.com/foxhole_filename.cdb
http://sigs.mailborder.com/malwarehash.hsb
http://sigs.mailborder.com/hackingteam.hsb
http://sigs.mailborder.com/winnow_malware.hdb
http://sigs.mailborder.com/winnow_malware_links.ndb
http://sigs.mailborder.com/winnow_extended_malware.hdb
http://sigs.mailborder.com/winnow.attachments.hdb
http://sigs.mailborder.com/winnow_bad_cw.hdb
http://sigs.mailborder.com/bofhland_cracked_URL.ndb
http://sigs.mailborder.com/bofhland_malware_URL.ndb
http://sigs.mailborder.com/bofhland_phishing_URL.ndb
http://sigs.mailborder.com/bofhland_malware_attach.hdb
http://sigs.mailborder.com/crdfam.clamav.hdb
http://sigs.mailborder.com/porcupine.ndb
http://sigs.mailborder.com/porcupine.hsb
http://sigs.mailborder.com/spam.ldb
http://sigs.mailborder.com/spear.ndb
http://sigs.mailborder.com/spearl.ndb
http://sigs.mailborder.com/foxhole_js.cdb
Two things to keep in mind about this list: every entry is a plain http:// URL, so nothing protects these files against tampering in transit and the hosts must be reachable on TCP port 80; and most of the sigs.mailborder.com files are mirrors of the Sanesecurity sets that clamav-unofficial-sigs fetches by default, so enabling both sources loads the same signatures twice.
Run the script below to download all signatures for the first time and finalize some settings. This process may take a while; wait until it finishes.
/usr/local/sbin/clamav-unofficial-sigs.sh --force
The following command installs a cron job that keeps the signatures up to date:
/usr/local/sbin/clamav-unofficial-sigs.sh --install-cron
The following commands install the logrotate configuration and the man page for clamav-unofficial-sigs:
/usr/local/sbin/clamav-unofficial-sigs.sh --install-logrotate
/usr/local/sbin/clamav-unofficial-sigs.sh --install-man
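The user.conf edits above (the SecuriteInfo identifier, the MalwarePatrol receipt and the additional_dbs list) can also be applied without an editor, which is handy when the same configuration is rolled out to several servers. The script below is an added example, not part of this guide or of the clamav-unofficial-sigs project: it extracts the 128-character identifier from a DatabaseCustomURL, sets or uncomments keys in the config file, and replaces the body of the additional_dbs array. It works on a constructed excerpt of user.conf with a made-up identifier so it runs offline; the key name malwarepatrol_receipt_code is taken from the upstream user.conf and should be checked against your copy. To apply it for real, set SAMPLE_CONF to /etc/clamav-unofficial-sigs/user.conf and pass your own URL, receipt and source list.

```shell
#!/bin/sh
# Added example (not from this guide or clamav-unofficial-sigs): scripted
# user.conf edits, run here against a constructed excerpt of the file.
set -eu

# Extract the per-customer identifier from a SecuriteInfo DatabaseCustomURL:
# the path element after /get/signatures/, which must be 128 characters long.
securiteinfo_token_from_url() {
    local url=$1 token
    token=${url#https://www.securiteinfo.com/get/signatures/}
    token=${token%%/*}
    if printf '%s' "$token" | grep -Eq '^[[:alnum:]]{128}$'; then
        printf '%s\n' "$token"
    else
        echo "securiteinfo: expected a 128-character identifier, got '$token'" >&2
        return 1
    fi
}

# Set key="value" in a config file, uncommenting the line if it is commented
# out and appending the key if it is absent. sed -i is avoided for portability.
set_conf_value() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp)
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}=" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}=.*|${key}=\"${value}\"|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s="%s"\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Read a key's value back (quotes stripped); prints nothing if unset or commented.
get_conf_value() {
    sed -nE "s|^${2}=\"?([^\"]*)\"?.*|\1|p" "$1"
}

# Replace the entries of the additional_dbs=( ... ) array with the given URLs.
set_additional_dbs() {
    local file=$1 tmp
    shift
    [ "$#" -gt 0 ] || { echo "set_additional_dbs: need at least one URL" >&2; return 1; }
    tmp=$(mktemp)
    printf '%s\n' "$@" | awk '
        NR == FNR { urls[NR] = $0; n = NR; next }          # first input: the URL list
        /^[[:space:]]*declare -a additional_dbs=[(]/ {     # array header: keep it
            print
            for (i = 1; i <= n; i++) print urls[i]         # then the new entries
            skipping = 1
            next
        }
        skipping && /^[[:space:]]*[)]/ { skipping = 0 }    # closing paren ends the old body
        skipping { next }                                   # drop the old entries
        { print }
    ' - "$file" > "$tmp" && mv "$tmp" "$file"
}

# List the enabled (uncommented) entries of additional_dbs.
list_additional_dbs() {
    awk '/^[[:space:]]*declare -a additional_dbs=[(]/ { inside = 1; next }
         inside && /^[[:space:]]*[)]/ { inside = 0 }
         inside && NF && $1 !~ /^#/ { print $1 }' "$1"
}

# --- constructed sample input (excerpt modelled on the upstream user.conf) ---
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed excerpt, not the real user.conf
#securiteinfo_authorisation_signature="YOUR-SIGNATURE-NUMBER"
#malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER"
declare -a additional_dbs=(
#ftp://ftp.example.net/pub/sigs.ndb
#http://www.example.org/sigs.ldb
)
EOF

# A made-up 128-character identifier standing in for a real one (16 chars x 8).
SAMPLE_TOKEN=$(printf '0123456789abcdef%.0s' 1 2 3 4 5 6 7 8)
SAMPLE_URL="https://www.securiteinfo.com/get/signatures/${SAMPLE_TOKEN}/securiteinfo.hdb"

SIGNATURE=$(securiteinfo_token_from_url "$SAMPLE_URL")
set_conf_value "$SAMPLE_CONF" securiteinfo_authorisation_signature "$SIGNATURE"
# key name assumed from the upstream user.conf; receipt value is constructed
set_conf_value "$SAMPLE_CONF" malwarepatrol_receipt_code "constructed-receipt-0000"
set_additional_dbs "$SAMPLE_CONF" \
    http://cdn.malware.expert/malware.expert.ndb \
    http://sigs.mailborder.com/phish.ndb
cat "$SAMPLE_CONF"
```

The identifier check is deliberately strict: a URL copied with a trailing path element or a truncated token is the most common reason the SecuriteInfo download later fails with an authorisation error, and failing early is cheaper than debugging the script's log.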
Final note: HelpSysAdmin Server Management customers have these and many other trusted signature sets for ClamAV.

