October 31, 2005

ClamAV - The free Anti Virus solution for Windows on Linux

There is a common perception that there are no viruses on the Linux platform - which to a large extent is true. But what happens when you get a mail attachment which you would like to forward to your Windows machine so you can open it with your favorite proprietary software? And what if this attachment is infected by a virus? A Linux box that will never execute Windows malware can still store it and pass it on, and this is where anti-virus solutions for Linux come into the picture.
ClamAV is a free, GPLed anti-virus solution which provides a lot of advantages when installed on Linux. Sticking to the philosophy of Linux, it consists of a set of command line tools which can be used to check whether a file on your system is infected by a virus.
Installation is as simple as executing a single command:

# yum install clamav
(for RedHat based systems)
OR
# apt-get install clamav
(for Debian based systems)

ClamAV installs its command line tools in /usr/bin; the three you will deal with here are:
freshclam - As you know, an anti-virus solution is only as good as its latest virus updates. This tool updates the virus databases on your system: it downloads the latest updates from the internet, verifies the digital signature on each database before installing it, and keeps your anti-virus solution up to date.
clamscan - This is the tool that actually checks your files to see if they are infected.
sigtool - When you download the latest virus updates from the net, there should be a way of checking that what you got is genuine. sigtool lets you do this by hand: it verifies the digital signature on a database file and lists the virus signature names it contains, among other things.

This is how I use this package to my advantage. I have installed Linux alongside Windows and boot via the GRUB bootloader (as most people do). I have a FAT and an NTFS partition on my hard drive, which I have mounted at /mnt/C:/ and /mnt/D:/. To check all the files on my Windows partition, I just enter the following command (you don't have to be root to run it, as long as your user can read the mounted partition; clamscan only reads the files it scans, so there is no reason to give it any more privilege than that):
$ clamscan --bell -r --log=/home/ravi/virus_log -i /mnt/D:/

The above command scans my /mnt/D:/ directory (the FAT32 partition) recursively (-r), logs (--log) the result in the virus_log file, beeps (--bell) each time a virus is detected and prints only infected files (-i) to the output. clamscan's exit status tells you the outcome as well: 0 means nothing was found, 1 means at least one infected file was found and 2 means the scan hit an error, which is what you check when running it from a script.

clamscan can scan a wide variety of files, including archives (rar, zip, tar, deb, jar, arj), your mail, HTML files and in fact just about any file on your system. One caveat: an archive it cannot unpack, such as a password-protected one, cannot be inspected inside, so a clean result for such a file only means that the container itself matched nothing.

For instance, if I want to scan a tar file, I enter the following command:

$ clamscan --tar=/bin/tar  myfile.tgz
The same goes for the other archive formats: you pass the path of the corresponding archive tool on the command line. (This applies to the ClamAV releases of the time; later releases unpack these formats with their own built-in code and no longer take an external unpacker option.)

By default clamscan recurses through a maximum of 15 directory levels when the -r option is used, but you can set the depth of recursion with the --max-dir-recursion option:
$ clamscan -r --max-dir-recursion=4 ~ravi/.

Here is another example, which checks only the text files under the current directory. find hands clamscan the matching files, so the -r flag is not needed, and collecting them with xargs into a single clamscan run matters: every clamscan process loads the whole signature database on startup, so invoking it once per file (with find's -exec, for instance) makes the job many times slower.
$ find . -iname '*.txt' -print0 | xargs -0 clamscan -i
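Putting the scan above into a script, as an added example that is not part of the original post: it runs one clamscan over the mount point, keeps clamscan's exit status (0 clean, 1 infected, 2 error) so the outcome can drive a cron job or a wrapper, and pulls the hit list out of the log instead of scanning again. The script name scan-windows.sh, the mount point, the log path and the helper names are my own; the flags and the "path: signature FOUND" log line format are clamscan's.

```sh
#!/bin/sh
# Added example (not from the original post): scan a mounted Windows
# partition with ONE clamscan process and report from its log.
# Assumptions: clamscan is on PATH; the mount point is readable by the
# user running this; the log path is writable.  Exit codes are clamscan's
# documented ones: 0 clean, 1 infected file(s) found, 2 scanner error.
set -u

# Run a single recursive scan over $1, logging to $2, and return
# clamscan's exit status unchanged so callers can branch on it.
# The log is truncated first: clamscan appends, and stale hits from an
# earlier run would otherwise show up in today's report.
scan_tree() {
    if [ ! -r "$1" ]; then
        echo "scan_tree: cannot read $1 (mount it readable for this user)" >&2
        return 2
    fi
    : > "$2" || return 2
    clamscan --recursive --infected --log="$2" "$1"
}

# clamscan logs every hit as "<path>: <signature> FOUND".  Strip the
# signature and the FOUND marker to get the path; a path may itself
# contain ':' (e.g. /mnt/D:/...), so anchor on the trailing
# ": <signature> FOUND" rather than on the first colon.
infected_files() {
    grep ' FOUND$' "$1" | sed 's/: [^:]* FOUND$//'
}

# Number of infected files recorded in the log.
infected_count() {
    infected_files "$1" | wc -l | tr -d ' '
}

# Scan, then turn the exit status into a human-readable verdict.  The
# status is propagated so cron or a wrapper script can act on it.
scan_and_report() {
    rc=0
    scan_tree "$1" "$2" || rc=$?
    case $rc in
        0) echo "clean: $1" ;;
        1) echo "INFECTED: $(infected_count "$2") file(s) under $1:"
           infected_files "$2" ;;
        *) echo "scan of $1 did not complete (clamscan exit $rc), see $2" >&2 ;;
    esac
    return $rc
}

# Usage: sh scan-windows.sh /mnt/D: /home/ravi/virus_log
if [ "$#" -eq 2 ]; then
    scan_and_report "$1" "$2"
fi
```

Run it as the unprivileged user that owns the log file; clamscan needs nothing more than read access to the partition. Because the exit status is passed through, a cron entry can mail you only when the job returns 1 or 2.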

Updating the virus database
You will agree with me that the usefulness of an anti-virus solution is only as good as its virus definition files. With ClamAV, it is very easy to update the database. All it takes is executing the command:
# freshclam

ClamAV will then download the latest virus definition files from the internet and update your database. freshclam first asks DNS (a TXT record under clamav.net) which database versions are current, so it only downloads when something has actually changed, and it verifies the digital signature on each file before installing it, so a tampered mirror cannot hand you a bogus database. You can also run it as a daemon that checks periodically:
# freshclam -d
Usually you don't have to run this command yourself. When you install ClamAV, the package normally creates a user and group named 'clamav' and either runs freshclam as that user in daemon mode or installs a cron job, so the virus database on your machine is refreshed regularly without your intervention. Started as root, freshclam drops to the 'clamav' user (the DatabaseOwner setting in freshclam.conf) before it touches the network, so the download never runs with root privileges.
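As an added example (not code from the post or from the ClamAV project), the following script audits the databases after freshclam has run: it feeds each database to sigtool --info and refuses to trust it unless the report ends in "Verification OK.", then compares the local version with the one advertised in the TXT record that freshclam itself consults. The script name check-clamdb.sh, the CLAMAV_DBDIR variable and the function names are mine; the database directory /var/lib/clamav, the .cld/.cvd file names, the sigtool output lines and the positions of the main and daily versions in the TXT record are assumptions drawn from how packaged ClamAV behaves in later releases, so check them against your own installation.

```sh
#!/bin/sh
# Added example (not from the original post): confirm, after freshclam has
# run, that the local databases carry a valid digital signature and are as
# new as the versions the ClamAV project currently advertises.
# Assumptions: databases live in /var/lib/clamav (override with CLAMAV_DBDIR);
# `sigtool --info FILE` prints a "Version:" line and finishes with
# "Verification OK." when the signature checks out; `dig` is installed; and
# the TXT record at current.cvd.clamav.net, which freshclam consults,
# carries the current main and daily versions as its 2nd and 3rd
# colon-separated fields.
set -u
DBDIR=${CLAMAV_DBDIR:-/var/lib/clamav}

# Read a sigtool --info report on stdin; succeed only if it verified.
cvd_verified() {
    grep -q '^Verification OK\.'
}

# Read a sigtool --info report on stdin; print its Version number.
cvd_version() {
    sed -n 's/^Version: *//p'
}

# Turn the TXT record payload into "<main version> <daily version>".
dns_versions() {
    printf '%s\n' "$1" | awk -F: '{ print $2, $3 }'
}

# db_current NAME LOCAL CURRENT: 0 if the local version is at least CURRENT.
db_current() {
    if [ "$2" -ge "$3" ]; then
        echo "$1: version $2 is current"
    else
        echo "$1: version $2 is behind $3, run freshclam" >&2
        return 1
    fi
}

# Locate a database: freshclam leaves NAME.cld (incrementally patched)
# or NAME.cvd (full download); either can be fed to sigtool.
db_file() {
    for ext in cld cvd; do
        if [ -f "$DBDIR/$1.$ext" ]; then
            echo "$DBDIR/$1.$ext"
            return 0
        fi
    done
    echo "$1: no database found in $DBDIR" >&2
    return 1
}

# Verify and version-check main and daily; non-zero if anything is off.
check_databases() {
    txt=$(dig +short txt current.cvd.clamav.net | tr -d '"')
    set -- $(dns_versions "$txt")
    main_cur=$1
    daily_cur=$2
    status=0
    for name in main daily; do
        file=$(db_file "$name") || { status=1; continue; }
        report=$(sigtool --info "$file")
        if ! printf '%s\n' "$report" | cvd_verified; then
            echo "$file: digital signature did NOT verify, do not trust it" >&2
            status=1
            continue
        fi
        case $name in
            main)  cur=$main_cur ;;
            daily) cur=$daily_cur ;;
        esac
        db_current "$name" "$(printf '%s\n' "$report" | cvd_version)" "$cur" || status=1
    done
    return $status
}

# Usage: sh check-clamdb.sh --check
if [ "${1:-}" = "--check" ]; then
    check_databases
fi
```

freshclam already performs the same signature check before it installs a file, so the value of this script lies in catching a database that arrived some other way (copied from another machine, or fetched from a mirror you do not control) and in noticing when the scheduled update has silently stopped running.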

ClamAV was developed with firms running mail servers in mind and so is designed to check for viruses on the fly. If you manage a mail server, you can integrate it with sendmail (through clamav-milter) or any other mail server to check your incoming and outgoing email for viruses.

Advantages of Clamav over other Anti-Virus suites
  1. The one and only GPLed anti-virus solution available, with an unbeatable price tag (free).
  2. Multi-architecture and multi-OS support. ClamAV is available for MacOS, Windows, Linux and other Unix variants.
  3. Simple command line usage, which does away with the memory bloat that other anti-virus solutions carry around. I still remember the times when my Windows 98 machine would slow to a crawl when an anti-virus package was installed on it.
  4. Can be chained with other Linux commands to create powerful filters that check just a subset of the files on your machine.
  5. You can automate the whole process of virus detection and prevention.
  6. Easy installation and uninstallation - I remember the trouble I had uninstalling Norton Antivirus from my Windows 98 machine a few years back. When I tried to uninstall Norton Antivirus, it said I should uninstall "Live Update" first, and when I tried uninstalling the latter, it complained that "Norton Antivirus" was running and should be uninstalled first - in short, a catch-22 situation, the only way out being a clean re-installation of the Windows OS. ClamAV doesn't have any such problems.
  7. Lots of third party software with built-in support for ClamAV. For example, the DansGuardian virus patch is a GPL add-on that takes the virus scanning capabilities of ClamAV and integrates them into the content filtering web proxy DansGuardian.
What? You don't want to install the Clam Antivirus package just yet? No problem, there is an online scanning tool available from ClamAV which lets you scan a file on your hard disk without installing anything (bear in mind that this means uploading the file to their server).

Fig: The output of running clamscan on my machine.

19 comments:

Anonymous said...

This is very interesting stuff you have written. I really enjoyed reading it. Not many people know about ClamAV - I didn't until I read your post.

btw, I am a regular visitor to your site and I keep track of most articles that you write.

Bob Wilson
NY

kamesh said...

That's a nice piece of information you have provided today.

Kamesh.

kamesh said...

May I suggest a topic. I would like to see a post on different types of linux distros out there and your personal favorite (and why you have arrived at that conclusion etc.).

I am a recent linux convert and personally I like Gentoo and debian (though I am using CentOS at work right now).

Regards,
Kamesh

Carlos Alberto Pinto Peixoto Bastos Santos said...

Ravi,

Isn't there a GUI to work w/ClamAV, or in Linux it's only by CLI?
And to Windows users, there's a ClamAV version, w/GUI for this system: ClamWin. The website for the project is:

http://www.clamwin.com

Anonymous said...

@ Carlos Alberto Pinto Peixoto Bastos Santos: there's a front-end GUI for ClamAV in Linux, it's called KlamAV. ;-)

http://klamav.sourceforge.net/

Anonymous said...

Carlos,

There is also a ClamAV front-end for Windows called ClamWin [http://www.clamwin.com/]

Anonymous said...

It is interesting that some are only finding out about ClamAV. I have been using Clam now for over a year and I find it to be a very good scanner.

About my only gripe is that it is very slow, but then again it still gets the job done, and how better can that get?

Anonymous said...

I would like to read some reviews about linux viruses themselves (how many, how effective, how do they spread, how to protect etc.)

Anonymous said...

You didn't find any weak spots with ClamAV?

I've used ClamWin for Windows, but didn't really stick with it.

The virus database update downloads seemed to be rather huge (which is a pain if on a slow connection). Is this the case for Linux as well? I'm not sure, but I suspect a new database was downloaded every time, rather than just an incremental diff.

Also, there is no "resident" shield, as provided by other (non-open source) solutions (like Avast and AVG). But that is probably not an issue for Linux.

/Hugo Heden

Anonymous said...

Hi,

ClamAV uses a large file with all the historic signatures (main.cvd) and a smaller file (daily.cvd) that is always downloaded in full when a new version is available. This file is only downloaded when necessary and the check to know whether it has been updated is very efficient (text field in DNS). It has to be, since server resources are scarce.
daily.cvd is currently 173312kB. Of course this will take something like a minute, maybe 2 on dialup, but I can't imagine commercial scanners' updates would be so much smaller.

I use ClamAV on email servers, so for me it's not a big deal that it might be slow. It catches all the viruses and even detects phishing attempts. Great! A virus scanner that doesn't limit itself to viruses. On most systems I use it in tandem with BitDefender 7.0, which can be used at no cost on Linux. There are very few viruses that are only picked up by BitDefender. The more recent ones are always detected by both scanners. ClamAV is very quick with its updates. (And I set Freshclam to check for updates every hour; all those mail servers run their own DNS, so the load on Freshclam's mirrors is negligible.)

ClamAV now has 41000 signatures. Before the summer when I started using it, the number was around 33000. That's an amazing increase and it's not stopping.

Thank you ClamAV crew!!! You are doing a great job. I'm doing something back by putting a lot of time into wiktionary.org. And that's what I like about OSS. Everybody can do what he's good at and enjoys, and something gets built up for the greater good of all.

It is true that ClamWin has no on access scanning abilities, so on Windows it's not so very useful without that. Of course, there, the speed of the engine really does matter. Oh well, there are some scanners that can be used for free for home use and nobody is forcing anybody to stay with Windows and its many ailments

Cheers,

Jo

wayan said...

I don't know how to clean a virus, just scan?

/.mozilla-thunderbird/r9w5kair.default/Mail/Local Folders/Inbox: Worm.SomeFool.Gen-1 FOUND

do you have idea?

Andrew Garrity said...

I am trying to update my clamav software on my redhat server. I first have to uninstall the old version. I cannot find any info on how to uninstall clamav from a redhat machine. You wouldn't happen to have any info on that, would you?

Thanks in advance.

Andrew

Karl L. Gechlik said...

Great article on why antivirus is necessary on your Linux distro. The author compares antivirus software to having medical insurance! Nice.

http://www.asktheadmin.com/2007/07/question-do-i-need-to-have-antivirus.html

Anonymous said...

http://clamtk.sourceforge.net/

This is a GUI for clamscan on Linux.

Bob Wong said...

You should check out the free antivirus solutions out there also, including AVG, F-Prot 2007 version, and Free Norton by Symantec etc. The latter is a bit hard to find, I don't know the official link, but I found a website which links to it here at free norton. I have tried AVG too, and have personally preferred to use AVG for about 3 years now, but I find it too resource intensive - even when I turn off automatic scanning. Although I only have a P3 550 MHz PC, I would expect AVG to run a bit more smoothly. Anyway, my 2 cents.

pitbull1012 said...

Does anyone know of online Linux virus scan websites? I found this website here with Windows online scanning links, but haven't stumbled on any yet. Thanks.

threeta said...

"About my only gripe is that it is very slow, but then again it still gets the job done, and how better can that get?"

Try using clamdscan - it uses the resident clamd process and saves the overhead of loading the database into memory for each file. Typically from 4 seconds per file to 0.4.

Duncan

Free antivirus download said...

I use ClamWin, because I use Windows.
This antivirus is good;
they have updates daily.

I love Clamwin

Jamber

Anonymous said...

Hi,

I found three versions of CLAMAV in the machine. How to know which version the system is using presently?
