Sunday, April 22, 2012

ClamAV on Debian Linux

When considering an antivirus program, I chose ClamAV because it was open-source.

I decided to install the latest version of this antivirus program. The version number was 0.97.4. I installed the program from source code.

Below are 13 steps:

Step 1: Download

I downloaded clamav-0.97.4.tar.gz on this page.

I verified this file using gpg. To use gpg, I got the public key on this page, or it could be downloaded here. I also downloaded the signature (.sig file) for the file.

Step 2: Verify

To import the key, I typed:
gpg --import tkojm.gpg

I saw:

gpg: keyring `/home/user/.gnupg/secring.gpg' created
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key 985A444B: public key "Tomasz Kojm " imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found

To verify the file, I typed:
gpg --verify clamav-0.97.4.tar.gz.sig  clamav-0.97.4.tar.gz

I saw:

gpg: Signature made Thu 15 Mar 2012 06:15:24 AM HKT using DSA key ID 985A444B
gpg: Good signature from "Tomasz Kojm "
gpg:                 aka "Tomasz Kojm "
gpg:                 aka "Tomasz Kojm "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0DCA 5A08 407D 5288 279D  B434 5482 2DC8 985A 444B

I used another method to check the file. I typed:
md5sum clamav-0.97.4.tar.gz

I saw:
dc1e5abc093b11f120e4eac94a7f78aa  clamav-0.97.4.tar.gz

I used one more method to check the file. I typed:
sha256sum clamav-0.97.4.tar.gz

I saw:
958dd09c9da9ceb50c9e556b3ced9cbdf40e836d2bdc98286ce96e84fd4a5a53  clamav-0.97.4.tar.gz

I searched the Internet for the md5sum and sha256sum values. I thought that the websites should be trusted. These values matched! I have more reasons to say that the file should be trusted!

Step 3: Housekeeping

I began uninstalling the previous version first to make sure that the old files were properly deleted.

apt-get remove --purge clamav

Step 4: Extract files
Then, I started installing ClamAV:

tar xzf clamav-0.97.4.tar.gz
cd clamav-0.97.4

Step 5: Add a user
I added a user for the program to run under this account:
adduser clamav --no-create-home --disabled-password

I saw:

Adding user `clamav' ...
Adding new group `clamav' (1003) ...
Adding new user `clamav' (1003) with group `clamav' ...
Not creating home directory `/home/clamav'.
Changing the user information for clamav
Enter the new value, or press ENTER for the default
    Full Name []: clamav
    Room Number []:
    Work Phone []:
    Home Phone []:
    Other []:
Is the information correct? [Y/n] y

I typed y above to say yes.

Step 6: Check the system
I typed:
./configure --enable-experimental

Step 7: Build the binary files
Afterwards, I typed:

I saw:

  CXX    FastISel.lo
  CXX    FunctionLoweringInfo.lo
  CXX    InstrEmitter.lo
  CXX    LegalizeDAG.lo
  CXX    LegalizeFloatTypes.lo
  CXX    LegalizeIntegerTypes.lo
  CXX    LegalizeTypes.lo
  CXX    LegalizeTypesGeneric.lo
  CXX    LegalizeVectorOps.lo
  CXX    LegalizeVectorTypes.lo
  CXX    ScheduleDAGList.lo
  CXX    ScheduleDAGRRList.lo
  CXX    ScheduleDAGSDNodes.lo
  CXX    SelectionDAG.lo
  CXX    SelectionDAGBuilder.lo

Step 8: Install the program
I typed:

make install

I saw:

make[2]: Entering directory ...
make[2]: Leaving directory ...

Step 9: Change the settings
I typed:

cat /usr/local/etc/freshclam.conf | sed -e s/Example// | tee /usr/local/etc/freshclam.conf

cat /usr/local/etc/clamd.conf | sed -e s/Example// | tee /usr/local/etc/clamd.conf

I saw:
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
# Default: TrustSigned
#BytecodeSecurity TrustSigned

# Set bytecode timeout in miliseconds.
# Default: 5000
# BytecodeTimeout 1000

Step 10: Link the files
I typed:


What is ldconfig? According to "man ldconfig",  ldconfig  creates,  updates, and removes the necessary links and cache (for use by the run-time  linker,  to  the most recent shared libraries found in the directories specified on the command line, in the file  /etc/,  and in  the  trusted  directories (/usr/lib and /lib).

Step 11: Update the download sites
I typed:

gedit /usr/local/etc/freshclam.conf

I added:

The country codes used were kr, jp and ru. Other country codes might be used if they were close enough. Choosing the countries nearby should reduce the bandwidth. Country codes are available here.

I saved the file.

Step 12: Update the virus definitions
To update the antivirus program, I started:


Step 13: Scan files
To scan for computer viruses, I typed:

clamscan -r --infected --log='/home/pathToFile/scanVirusLog.txt' /home

What does the line above mean? ClamAV recursively scans the files in the /home folder. -r means recursively and this means all the files and folders in that /home folder. --infected means that only the infected files are listed. --log is for storing the list of infected files in this case.


Clam AntiVirus

Clam AntiVirus Mirrors

Installing ClamAV latest from source

New freshclam error

Compiling and installing software from source in Linux

Using trust to validate keys

No comments: