Assalam-u-alaikum,

This article was written almost a year ago, but is being placed here on public demand. Hopefully it will serve as a guide to implementing/integrating CLAMAV with Samba. Also note that this is more of a BLOG than a howto, so make sure you read the full article before deciding which parts of it to use.

Creation Date: 20070721
Last updated: 20070721
OS: CENTOS 5.0
SAMBA: 3.0.23c (Bundled with CENTOS 5.0, RPM format)
CLAMAV: 0.91.1 (From source code)
SAMBA-VSCAN: 0.3.6b (From source code)
Help and ideas from: <http://www.gentoo.org/doc/en/quick-samba-howto.xml> and Google.

Install SAMBA:

[root@fileserver ~]# rpm -qa | grep -i samba  
samba-common-3.0.23c-2  
samba-client-3.0.23c-2  
system-config-samba-1.2.39-1.el5  
samba-3.0.23c-2  
[root@fileserver ~]#  

Get SAMBA-VSCAN from the openantivirus project website, http://sourceforge.net/project/showfiles.php?group_id=10590 or http://www.openantivirus.org/projects.php :

[root@fileserver ~]# wget http://nchc.dl.sourceforge.net/sourceforge/openantivirus/samba-vscan-0.3.6b.tar.bz2  
--21:37:41--  http://nchc.dl.sourceforge.net/sourceforge/openantivirus/samba-vscan-0.3.6b.tar.bz2  
Resolving nchc.dl.sourceforge.net... 211.79.61.10, 2001:e10:5c00:1::10  
Connecting to nchc.dl.sourceforge.net|211.79.61.10|:80... connected.  
HTTP request sent, awaiting response... 200 OK  
Length: 164471 (161K) [application/x-tar]  
Saving to: `samba-vscan-0.3.6b.tar.bz2'  
  
100%[==========================================================>] 164,471     28.7K/s   in 6.6s  
  
21:37:49 (24.3 KB/s) - `samba-vscan-0.3.6b.tar.bz2' saved [164471/164471]  
  

Install CLAMAV:

YUM repository:

http://crash.fce.vutbr.cz/yum-repository.html

rpm --import Petr.Kristof-GPG-KEY  
cp Petr.Kristof-GPG-KEY /etc/pki/rpm-g  
  
wget http://crash.fce.vutbr.cz/crash-hat.repo  
cp crash-hat.repo /etc/yum.repos.d/  
  
[root@fileserver ~]# yum install clamav  
Loading "installonlyn" plugin  
Setting up Install Process  
Setting up repositories  
crash-hat                 100% |=========================|  951 B    00:00  
Reading repository metadata in from local files  
primary.xml.gz            100% |=========================|  23 kB    00:04  
crash-hat : ################################################## 90/90  
Added 90 new packages, deleted 0 old in 1.41 seconds  
Parsing package install arguments  
Resolving Dependencies  
--> Populating transaction set with selected packages. Please wait.  
---> Downloading header for clamav to pack into transaction set.  
clamav-0.90.3-1.i386.rpm  100% |=========================|  27 kB    00:04  
---> Package clamav.i386 115:0.90.3-1 set to be updated  
--> Running transaction check  


Dependencies Resolved

=============================================================================
 Package                 Arch       Version              Repository      Size
=============================================================================
Installing:
 clamav                  i386       115:0.90.3-1         crash-hat       1.3 M

Transaction Summary
=============================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 1.3 M
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: clamav ######################### [1/1]
Current working dir is /var/lib/clamav
Max retries == 3
ClamAV update process started at Sat Jul 21 20:44:38 2007
Querying current.cvd.clamav.net
TTL: 300
Retrieving http://db.pk.clamav.net/main.cvd
Trying to download http://db.pk.clamav.net/main.cvd (IP: 58.221.222.66)
main.cvd updated (version: 44, sigs: 133163, f-level: 20, builder: sven)

DON’T PANIC! Read http://www.clamav.net/support/faq
Retrieving http://db.pk.clamav.net/daily.cvd
Trying to download http://db.pk.clamav.net/daily.cvd (IP: 58.221.222.66)
nonblock_recv: recv timing out (30 secs)
Trying again in 5 secs…
ClamAV update process started at Sat Jul 21 20:51:24 2007
Querying current.cvd.clamav.net
TTL: 300
If-Modified-Since: Sat, 21 Jul 2007 15:50:49 GMT
Reading CVD header (main.cvd): Connected to db.pk.clamav.net (IP: 222.124.18.201).
Trying to retrieve CVD header of http://db.pk.clamav.net/main.cvd
OK
main.cvd is up to date (version: 44, sigs: 133163, f-level: 20, builder: sven)
Please check if ClamAV tools are linked against proper version of libclamav

DON’T PANIC! Read http://www.clamav.net/support/faq
Retrieving http://db.pk.clamav.net/daily.cvd
Ignoring mirror 222.124.18.201 (too often connections with outdated version)
Trying again in 5 secs…
ClamAV update process started at Sat Jul 21 20:51:30 2007
Querying current.cvd.clamav.net
TTL: 294
If-Modified-Since: Sat, 21 Jul 2007 15:50:49 GMT
Reading CVD header (main.cvd): Connected to db.pk.clamav.net (IP: 219.127.68.136).
Trying to retrieve CVD header of http://db.pk.clamav.net/main.cvd
OK
main.cvd is up to date (version: 44, sigs: 133163, f-level: 20, builder: sven)
Please check if ClamAV tools are linked against proper version of libclamav

DON’T PANIC! Read http://www.clamav.net/support/faq
Retrieving http://db.pk.clamav.net/daily.cvd
Ignoring mirror 219.127.68.136 (too often connections with outdated version)
Giving up on db.pk.clamav.net…
ClamAV update process started at Sat Jul 21 20:51:40 2007
Querying current.cvd.clamav.net
TTL: 284
If-Modified-Since: Sat, 21 Jul 2007 15:50:49 GMT
Reading CVD header (main.cvd): Connected to database.clamav.net (IP: 219.117.246.122).
Trying to retrieve CVD header of http://database.clamav.net/main.cvd
OK
main.cvd is up to date (version: 44, sigs: 133163, f-level: 20, builder: sven)
Please check if ClamAV tools are linked against proper version of libclamav

DON’T PANIC! Read http://www.clamav.net/support/faq
Retrieving http://database.clamav.net/daily.cvd
Ignoring mirror 219.117.246.122 (too often connections with outdated version)
Trying again in 5 secs…
ClamAV update process started at Sat Jul 21 20:51:46 2007
Querying current.cvd.clamav.net
TTL: 278
If-Modified-Since: Sat, 21 Jul 2007 15:50:49 GMT
Reading CVD header (main.cvd): Connected to database.clamav.net (IP: 218.44.253.75).
Trying to retrieve CVD header of http://database.clamav.net/main.cvd
OK
main.cvd is up to date (version: 44, sigs: 133163, f-level: 20, builder: sven)
Please check if ClamAV tools are linked against proper version of libclamav

DON’T PANIC! Read http://www.clamav.net/support/faq
Retrieving http://database.clamav.net/daily.cvd
Ignoring mirror 218.44.253.75 (too often connections with outdated version)
Trying again in 5 secs…
ClamAV update process started at Sat Jul 21 20:51:52 2007
Querying current.cvd.clamav.net
TTL: 272
If-Modified-Since: Sat, 21 Jul 2007 15:50:49 GMT
Reading CVD header (main.cvd): Ignoring mirror 222.124.18.201 (too often connections with outdated version)
Ignoring mirror 58.221.222.66 (too often connections with outdated version)
Trying host database.clamav.net (61.205.61.201)…
Connected to database.clamav.net (IP: 61.205.61.201).
Trying to retrieve CVD header of http://database.clamav.net/main.cvd
OK
main.cvd is up to date (version: 44, sigs: 133163, f-level: 20, builder: sven)
Please check if ClamAV tools are linked against proper version of libclamav

DON’T PANIC! Read http://www.clamav.net/support/faq
Retrieving http://database.clamav.net/daily.cvd
Ignoring mirror 61.205.61.201 (too often connections with outdated version)
Giving up on database.clamav.net…
Update failed. Your network may be down or none of the mirrors listed in freshclam.conf is working. Check http://www.clamav.net/support/mirror-problem for possible reasons.

Installed: clamav.i386 115:0.90.3-1
Complete!
[root@fileserver ~]#


RPM EFFORT for CLAMAV PROVED USELESS.

CLAMAV from source:


[root@fileserver clamav-0.91.1]# ./configure && make && make install && echo "Success"  
  
[root@fileserver clamav-0.91.1]# cp  contrib/init/RedHat/clam* /etc/init.d/  
[root@fileserver clamav-0.91.1]# chmod +x /etc/init.d/clam*  
  
[root@fileserver clamav-0.91.1]# vi /usr/local/etc/clamd.conf  
LogFile /var/log/clamav/clamd.log  
LogFileMaxSize 2M  
LogVerbose yes  
PidFile /var/run/clamd.pid  
TemporaryDirectory /var/tmp  
DatabaseDirectory /var/lib/clamav  
LocalSocket /var/run/clamav/clamd.socket  
User clamav  
  
[root@fileserver clamav-0.91.1]# useradd -c "clamav user" -d /dev/null -s /sbin/nologin clamav  
  
[root@fileserver clamav-0.91.1]# mkdir /var/log/clamav  
[root@fileserver clamav-0.91.1]# mkdir /var/run/clamav  
  
[root@fileserver clamav-0.91.1]# chown clamav:clamav /var/log/clamav -R   
  
[root@fileserver clamav-0.91.1]# /etc/init.d/clamd start  
Starting clamd:                                            [  OK  ]  
[root@fileserver clamav-0.91.1]#  
  
[root@fileserver ~]# cat /var/log/clamav/clamd.log  
+++ Started at Sat Jul 21 21:25:21 2007  
clamd daemon 0.91.1 (OS: linux-gnu, ARCH: i386, CPU: i686)  
Running as user clamav (UID 500, GID 500)  
Log file size limited to 2097152 bytes.  
Reading databases from /var/lib/clamav  
ERROR: Input/Output error  
[root@fileserver ~]#   
  

OHHHHHHHHH!!!  
 
  
[root@fileserver ~]# mkdir /var/lib/clamav  
[root@fileserver ~]# chown clamav:clamav /var/lib/clamav -R  
[root@fileserver ~]# cd /var/lib/clamav/  
[root@fileserver clamav]# ls  
[root@fileserver clamav]# wget http://db.local.clamav.net/main.cvd  
--21:29:51--  http://db.local.clamav.net/main.cvd  
Resolving db.local.clamav.net... 193.140.100.10, 202.71.97.92, 203.16.234.78, ...  
Connecting to db.local.clamav.net|193.140.100.10|:80... connected.  
HTTP request sent, awaiting response... 200 OK  
Length: 10251443 (9.8M) [text/plain]  
Saving to: `main.cvd'  
  
100%[==========================================================>] 10,251,443  26.8K/s   in 6m 12s  
  
21:36:05 (26.9 KB/s) - `main.cvd' saved [10251443/10251443]  
  
[root@fileserver clamav]# wget http://db.local.clamav.net/daily.cvd  
--21:39:13--  http://db.local.clamav.net/daily.cvd  
Resolving db.local.clamav.net... 193.140.100.10, 202.71.97.92, 203.16.234.78, ...  
Connecting to db.local.clamav.net|193.140.100.10|:80... connected.  
HTTP request sent, awaiting response... 200 OK  
Length: 200864 (196K) [text/plain]  
Saving to: `daily.cvd'  
  
100%[==========================================================>] 200,864     28.5K/s   in 7.8s  
  
21:39:23 (25.0 KB/s) - `daily.cvd' saved [200864/200864]  
  
[root@fileserver clamav]#        
  
[root@fileserver clamav]# chown clamav:clamav /var/lib/clamav -R  
  
service clamd restart  
  
[root@fileserver clamav]# tail -f /var/log/clamav/clamd.log  
  
+++ Started at Sat Jul 21 21:49:34 2007  
clamd daemon 0.91.1 (OS: linux-gnu, ARCH: i386, CPU: i686)  
Running as user clamav (UID 500, GID 500)  
Log file size limited to 2097152 bytes.  
Reading databases from /var/lib/clamav  
Loaded 139549 signatures.  
Unix socket file /tmp/clamd.socket  
Setting connection queue length to 15  
ERROR: Can't save PID in file /var/run/clamd.pid #### <----------  
Listening daemon: PID: 12126  
Archive: Archived file size limit set to 10485760 bytes.  
Archive: Recursion level limit set to 8.  
Archive: Files limit set to 1000.  
Archive: Compression ratio limit set to 250.  
Archive support enabled.  
Algorithmic detection enabled.  
Portable Executable support enabled.  
ELF support enabled.  
Mail files support enabled.  
Mail: Recursion level limit set to 64.  
OLE2 support enabled.  
PDF support disabled.  
HTML support enabled.  
Self checking every 1800 seconds.  
  
[root@fileserver ~]# mkdir /var/run/clamav  
[root@fileserver ~]# chown clamav:clamav /var/run/clamav -R  
  
Edit /usr/local/etc/clamd.conf and update the following:  
PidFile /var/run/clamav/clamd.pid  
  
[root@fileserver ~]# service clamd restart  
Stopping clamd:                                            [  OK  ]  
Starting clamd:                                            [  OK  ]  
[root@fileserver ~]#  
  
[root@fileserver clamav]# tail -f /var/log/clamav/clamd.log  
Shutting down the main socket.  
Closing the main socket.  
Socket file removed.  
ERROR: Can't unlink the pid file /var/run/clamd.pid  
--- Stopped at Sat Jul 21 21:54:24 2007  
+++ Started at Sat Jul 21 21:54:25 2007  
clamd daemon 0.91.1 (OS: linux-gnu, ARCH: i386, CPU: i686)  
Running as user clamav (UID 500, GID 500)  
Log file size limited to 2097152 bytes.  
Reading databases from /var/lib/clamav  
Loaded 139549 signatures.  
Unix socket file /tmp/clamd.socket  
Setting connection queue length to 15  
Listening daemon: PID: 15742  
Archive: Archived file size limit set to 10485760 bytes.  
Archive: Recursion level limit set to 8.  
Archive: Files limit set to 1000.  
Archive: Compression ratio limit set to 250.  
Archive support enabled.  
Algorithmic detection enabled.  
Portable Executable support enabled.  
ELF support enabled.  
Mail files support enabled.  
Mail: Recursion level limit set to 64.  
OLE2 support enabled.  
PDF support disabled.  
HTML support enabled.  
Self checking every 1800 seconds.  
  
[root@fileserver ~]# service clamd status  
clamd (pid 1057) is running...  
[root@fileserver ~]#  
  
  
---

At this point we have a functional CLAMAV (compiled from source) and functional SAMBA (from RPM). We also have downloaded samba-vscan from openantivirus.org. Now we need to compile samba-vscan and integrate it between SAMBA and CLAMAV.
To compile this we need SAMBA source as CENTOS 5 does not contain samba-devel. (What a disappointment!)

Get the Samba source:

[root@fileserver ~]# wget http://us3.samba.org/samba/ftp/stable/samba-3.0.25b.tar.gz  
  
[root@fileserver ~]# tar xzf samba-3.0.25b.tar.gz  
  
cd samba-3.0.25b/source  
  
./configure  
  
[root@fileserver source]# make proto  
  
  
Now you must set some compile-time options in the samba-vscan source before building it.  
  
[root@fileserver source]# cd ../../samba-vscan-0.3.6b  
  
  
[root@fileserver samba-vscan-0.3.6b]# vi clamav/vscan-clamav.h  
  

Now compile samba-vscan :

cp -r /root/samba-vscan-0.3.6b  /root/samba-3.0.25b/examples/VFS/  
  
cd /root/samba-3.0.25b/examples/VFS/samba-vscan-0.3.6b/  
  
[root@fileserver samba-vscan-0.3.6b]# ./configure  

Since we want only the clamav backend:


[root@fileserver samba-vscan-0.3.6b]# make clamav  
Compiling global/vscan-functions.c with -fPIC  
In file included from /root/samba-3.0.25b/examples/VFS/samba-vscan-0.3.6b/include/vscan-global.h:4,  
from global/vscan-functions.c:15:  
/root/samba-3.0.25b/source/include/includes.h:102:31: error: system/capability.h: No such file or directory  
/root/samba-3.0.25b/source/include/includes.h:103:24: error: system/dir.h: No such file or directory  
/root/samba-3.0.25b/source/include/includes.h:104:28: error: system/filesys.h: No such file or directory  
/root/samba-3.0.25b/source/include/includes.h:105:25: error: system/glob.h: No such file or directory  
/root/samba-3.0.25b/source/include/includes.h:106:26: error: system/iconv.h: No such file or directory  
/root/samba-3.0.25b/source/include/includes.h:107:27: error: system/locale.h: No such file or directory  
/root/samba-3.0.25b/source/include/includes.h:108:28: error: system/network.h: No such file or directory  
  

OHHHHHHHHHHHHHHHHHHHHHH !!!!!!

So I downloaded the samba-3.0.23c source (the same version as the installed RPM) and redid the steps above:


[root@fileserver ~]# wget http://us3.samba.org/samba/ftp/old-versions/samba-3.0.23c.tar.gz  
  
[root@fileserver ~]# tar xzf samba-3.0.23c.tar.gz  
  
[root@fileserver ~]# cd samba-3.0.23c/source  
  
[root@fileserver source]# ./configure && make proto  
  
  
[root@fileserver ~]# cp -r /root/samba-vscan-0.3.6b /root/samba-3.0.23c/examples/VFS/  
  
  
[root@fileserver ~]# cd /root/samba-3.0.23c/examples/VFS/samba-vscan-0.3.6b/  
  
  
[root@fileserver samba-vscan-0.3.6b]# ./configure  
  
  
[root@fileserver samba-vscan-0.3.6b]# make clamav  
  
Compiling global/vscan-functions.c with -fPIC  
Compiling global/vscan-message.c with -fPIC  
Compiling global/vscan-quarantine.c with -fPIC  
Compiling global/vscan-fileaccesslog.c with -fPIC  
Compiling global/vscan-filetype.c with -fPIC  
Compiling global/vscan-parameter.c with -fPIC  
Compiling clamav/vscan-clamav.c with -fPIC  
Compiling clamav/vscan-clamav_core.c with -fPIC  
Linking vscan-clamav.so  
with libs:  -lmagic  
[root@fileserver samba-vscan-0.3.6b]#              
  

ALHUMDULILLAH

Check where the VFS modules of your Samba package are installed:

[root@fileserver samba-vscan-0.3.6b]# rpm -ql samba| grep vfs  
/usr/lib/samba/vfs  
/usr/lib/samba/vfs/audit.so  
/usr/lib/samba/vfs/cap.so  
/usr/lib/samba/vfs/default_quota.so  
/usr/lib/samba/vfs/expand_msdfs.so  
/usr/lib/samba/vfs/extd_audit.so  
/usr/lib/samba/vfs/fake_perms.so  
/usr/lib/samba/vfs/full_audit.so  
/usr/lib/samba/vfs/netatalk.so  
/usr/lib/samba/vfs/readonly.so  
/usr/lib/samba/vfs/recycle.so  
/usr/lib/samba/vfs/shadow_copy.so  
/usr/share/doc/samba-3.0.23c/htmldocs/Samba3-Developers-Guide/vfs.html  
/usr/share/doc/samba-3.0.23c/htmldocs/manpages/vfstest.1.html  
[root@fileserver samba-vscan-0.3.6b]#                       
  
  

Place the newly compiled vscan-clamav.so in /usr/lib/samba/vfs:


[root@fileserver samba-vscan-0.3.6b]# cp vscan-clamav.so /usr/lib/samba/vfs/  

And its config file in /etc/samba/:


[root@fileserver samba-vscan-0.3.6b]# cp clamav/vscan-clamav.conf /etc/samba/  

You may want to edit the /etc/samba/vscan-clamav.conf file and adjust certain settings:

[root@fileserver samba-vscan-0.3.6b]# vi /etc/samba/vscan-clamav.conf  
[samba-vscan]  
max file size = 0  
verbose file logging = no  
scan on open = yes  
scan on close = yes  
deny access on error = yes  
deny access on minor error = yes  
send warning message = yes  
infected file action = delete  
quarantine directory  = /tmp  
quarantine prefix = virusinfected-  
max lru files entries = 100  
lru file entry lifetime = 5  
exclude file types =  
clamd socket name = /var/run/clamav/clamd.socket  
libclamav max files in archive = 1000  
libclamav max archived file size = 10485760  
libclamav max recursion level = 5  
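The clamd.conf above sets LocalSocket /var/run/clamav/clamd.socket and vscan-clamav.conf dials the same path, yet the clamd.log excerpts report "Unix socket file /tmp/clamd.socket"; this added shell check (not part of the original howto) compares the two settings and also flags a leftover "Example" line, which makes clamd refuse to start. The file paths are the ones used in this howto; the Example check is a known clamd behaviour, not something shown on this page.

```shell
#!/bin/sh
# Added example (not from the original howto): cross-check that the socket path
# samba-vscan dials matches the one clamd is configured to listen on, and that
# clamd.conf no longer contains the "Example" line shipped in the sample config.

# Print the value of a "Directive value" line from a clamd.conf-style file.
# Comment lines (#) are ignored; if a directive appears twice, the last one wins.
clamd_directive() {  # $1 = config file, $2 = directive name (e.g. LocalSocket)
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Print the value of a "key = value" entry from vscan-clamav.conf.
vscan_setting() {  # $1 = config file, $2 = key (may contain spaces)
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Compare the two socket paths; return 0 only when they agree.
check_socket_match() {  # $1 = clamd.conf, $2 = vscan-clamav.conf
    clamd_sock=$(clamd_directive "$1" LocalSocket)
    vscan_sock=$(vscan_setting "$2" "clamd socket name")
    if [ -z "$clamd_sock" ]; then
        echo "clamd.conf: LocalSocket is not set, clamd will not use the path vscan expects"
        return 1
    fi
    if [ "$clamd_sock" != "$vscan_sock" ]; then
        echo "MISMATCH: clamd listens on $clamd_sock but samba-vscan dials $vscan_sock"
        return 1
    fi
    echo "OK: both sides use $clamd_sock"
}

# Return 0 when the config has no active "Example" line (clamd exits if one is left in).
check_no_example() {  # $1 = clamd.conf
    ! grep -q '^[[:space:]]*Example[[:space:]]*$' "$1"
}
```

Source the file and run `check_socket_match /usr/local/etc/clamd.conf /etc/samba/vscan-clamav.conf` and `check_no_example /usr/local/etc/clamd.conf` against the live configuration.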
  

Alright, time to set up a samba share and test it through windows.


[root@fileserver samba-vscan-0.3.6b]# vi /etc/samba/smb.conf  
. . .  
[data]  
path = /data  
public = yes  
guest ok = yes  
writeable = yes  
browseable = yes  
vfs object = vscan-clamav  
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf  
  
[root@fileserver samba-vscan-0.3.6b]# mkdir /data  
[root@fileserver samba-vscan-0.3.6b]# chmod 777 /data  
  
[root@fileserver samba-vscan-0.3.6b]# service smb restart  
Shutting down SMB services:                                [  OK  ]  
Shutting down NMB services:                                [FAILED]  
Starting SMB services:                                     [  OK  ]  
Starting NMB services:                                     [  OK  ]  
[root@fileserver samba-vscan-0.3.6b]#  
  

TESTING:

Download the sample virus test files from www.eicar.org

EICAR = European Institute for Computer Antivirus Research.


[root@fileserver ~]# wget http://www.eicar.org/download/eicar.com  
[root@fileserver ~]# wget http://www.eicar.org/download/eicar.com.txt  
[root@fileserver ~]# wget http://www.eicar.org/download/eicar_com.zip  
[root@fileserver ~]# wget http://www.eicar.org/download/eicarcom2.zip  
  

Open two different terminals: one for smbclient and the other to view the log file.

Terminal # 1:


[root@fileserver ~]# smbclient  //localhost/data  
Password:  
Anonymous login successful  
Domain=[HOMENET] OS=[Unix] Server=[Samba 3.0.23c-2]  
smb: > put eicar.com  
putting file eicar.com as eicar.com (0.2 kb/s) (average 0.2 kb/s)  
smb: > put install.log  
putting file install.log as install.log (310.4 kb/s) (average 310.4 kb/s)  
smb: > ls  
.                                   D        0  Sun Jul 22 04:27:17 2007  
..                                  D        0  Sun Jul 22 04:05:41 2007  
install.log                         A    26702  Sun Jul 22 04:27:18 2007  
  
63461 blocks of size 65536. 29683 blocks available  
smb: >  

Terminal # 2:


[root@fileserver ~]# tail -f /var/log/clamav/clamd.log  

/data/eicar.com: Eicar-Test-Signature FOUND

Alhumdulillah. Good. Based on our settings, this virus file should not have been copied into the /data directory; it should have been deleted by clamd. This is already evident from the ls command at the smb:> prompt above. Still, to confirm:

smb: > quit  
  
[root@fileserver ~]# ls /data -lh  
total 32K  
-rwxr--r-- 1 nobody nobody 27K Jul 22 04:27 install.log  
[root@fileserver ~]#                         

As you can see the virus infected file does not exist over there! The normal one does. Mission accomplished. Alhumdulillah.

Another case: if you copy the virus file into /data at the Linux OS level, without using smbclient, and later access it through samba, you should be denied access, and the file will be deleted from /data by clamd antivirus as soon as you try to get it! Good naa! :


[root@fileserver ~]# cp eicar.com /data/  
[root@fileserver ~]# ls /data/  
eicar.com  install.log  
[root@fileserver ~]# smbclient  //localhost/data  
Password:  
Anonymous login successful  
Domain=[HOMENET] OS=[Unix] Server=[Samba 3.0.23c-2]  
smb: > ls  
.                                   D        0  Sun Jul 22 04:38:50 2007  
..                                  D        0  Sun Jul 22 04:05:41 2007  
eicar.com                                   68  Sun Jul 22 04:38:50 2007  
install.log                         A    26702  Sun Jul 22 04:27:18 2007  
  
63461 blocks of size 65536. 29678 blocks available  
smb: > get eicar.com  
NT_STATUS_ACCESS_DENIED opening remote file eicar.com  
  
smb: > ls  
.                                   D        0  Sun Jul 22 04:39:18 2007  
..                                  D        0  Sun Jul 22 04:05:41 2007  
install.log                         A    26702  Sun Jul 22 04:27:18 2007  
  
63461 blocks of size 65536. 29678 blocks available  
smb: >  

The same will be logged in the clamav log file:


[root@fileserver ~]# tail -f /var/log/clamav/clamd.log  

/data/eicar.com: Eicar-Test-Signature FOUND

/data/eicar.com: Eicar-Test-Signature FOUND
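The FOUND lines above, plus a manual ls, are the only evidence the howto shows that "infected file action = delete" took effect; this added shell script (not from the original page) parses clamd.log for FOUND events, summarises them per signature and checks that every flagged path is actually gone from the share. The sample log is constructed: it mixes the page's /data/eicar.com lines with an invented path and signature name.

```shell
#!/bin/sh
# Added example, not part of the original howto: turn clamd.log FOUND lines into a
# report and confirm that samba-vscan's "infected file action = delete" removed them.

# Constructed sample log: the two lines seen in this howto plus one made-up entry
# (the path and the signature name are invented for illustration).
SAMPLE_LOG='/data/eicar.com: Eicar-Test-Signature FOUND
/data/eicar.com: Eicar-Test-Signature FOUND
/data/reports/q3 budget.xls: Example.Constructed.Sig-1 FOUND
Self checking every 1800 seconds.'

# Print "path<TAB>signature" for every detection line in a clamd log.
# A detection line looks like: /data/eicar.com: Eicar-Test-Signature FOUND
# The signature is the second-to-last field; stripping ": <sig> FOUND" from the
# end leaves the path, even when the path itself contains spaces.
found_entries() {  # $1 = path to clamd.log
    awk '/ FOUND$/ { sig = $(NF-1); sub(/: [^:]* FOUND$/, ""); print $0 "\t" sig }' "$1"
}

# Count detections per signature, most frequent first ("count signature").
found_summary() {  # $1 = path to clamd.log
    found_entries "$1" | cut -f2 | sort | uniq -c | sort -rn
}

# Return 0 when no flagged path still exists on disk; otherwise list the
# leftovers (a sign that the delete action in vscan-clamav.conf is not in effect).
check_flagged_removed() {  # $1 = path to clamd.log
    leftovers=$(found_entries "$1" | cut -f1 | sort -u | while IFS= read -r path; do
        [ -e "$path" ] && printf '%s\n' "$path"
    done)
    if [ -n "$leftovers" ]; then
        printf 'STILL PRESENT on the share:\n%s\n' "$leftovers"
        return 1
    fi
    echo "OK: every flagged file has been removed"
}

# Run both checks against the constructed sample log.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp/clamd.log"
    found_summary "$tmp/clamd.log"
    check_flagged_removed "$tmp/clamd.log"
    status=$?
    rm -rf "$tmp"
    return $status
}
```

Run `demo` to see the report for the constructed log, or point `found_summary` and `check_flagged_removed` at /var/log/clamav/clamd.log on the file server.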

Alright, the final thing: set up freshclam to run each night and update the clamav virus DB.


[root@fileserver freshclam]# vi /usr/local/etc/freshclam.conf  
DatabaseDirectory /var/lib/clamav  
UpdateLogFile /var/log/clamav/freshclam.log  
LogVerbose yes  
PidFile /var/run/clamav/freshclam.pid  
DatabaseOwner clamav  
DatabaseMirror db.pk.clamav.net  
DatabaseMirror database.clamav.net  
ScriptedUpdates yes  
Checks 6  
NotifyClamd /usr/local/etc/clamd.conf  
  

For now, try running the freshclam program in non-daemon mode:


[root@fileserver ~]# /usr/local/bin/freshclam  
ClamAV update process started at Sun Jul 22 04:56:15 2007  
WARNING: DNS record is older than 3 hours.  
WARNING: Invalid DNS reply. Falling back to HTTP mode.  
Reading CVD header (main.cvd): OK (IMS)  
main.cvd is up to date (version: 44, sigs: 133163, f-level: 20, builder: sven)  
Reading CVD header (daily.cvd): nonblock_recv: recv timing out (30 secs)  
ERROR: remote_cvdhead: Error while reading CVD header from db.pk.clamav.net  
WARNING: Can't read daily.cvd header from db.pk.clamav.net (IP: 58.221.222.66)  
Trying again in 5 secs...  
ClamAV update process started at Sun Jul 22 04:56:53 2007  
WARNING: DNS record is older than 3 hours.  
WARNING: Invalid DNS reply. Falling back to HTTP mode.  
Reading CVD header (main.cvd): OK (IMS)  
main.cvd is up to date (version: 44, sigs: 133163, f-level: 20, builder: sven)  
Reading CVD header (daily.cvd): OK  
Downloading daily-3715.cdiff [100%]  
Downloading daily-3716.cdiff [100%]  
daily.cvd updated (version: 3716, sigs: 6404, f-level: 16, builder: ccordes)  
Database updated (139567 signatures) from db.pk.clamav.net (IP: 219.127.68.136)  
Clamd successfully notified about the update.  
[root@fileserver ~]#   

You will see the same output as above in /var/log/clamav/freshclam.log.

You will also notice the database reload in /var/log/clamav/clamd.log:


[root@fileserver ~]# tail -f /var/log/clamav/clamd.log

No stats for Database check - forcing reload
Reading databases from /var/lib/clamav
Database correctly reloaded (139573 signatures)

Now you may want to run freshclam in daemon mode:

freshclam -d

You can create a startup script for it in init.d, or you can put this in rc.local:

chkconfig --level 35 clamd on
chkconfig --level 35 smb on
echo "/usr/local/bin/freshclam -d" >> /etc/rc.local

############### END OF HOWTO #######################