# Automate your f-prot antivirus

## JoeG

Hi folks.  I know, not a lot of viruses exist that exploit *nix's, but some of us run SAMBA for Windows networks, email servers ... etc.  Hey, me, I just wanna know for sure that I'm not infected, even on my desktop gentoo box.  So...here's how I did it.

As root,

install f-prot AV

```
emerge f-prot
```

make sure that you're updated

```
/opt/f-prot/check-updates.pl
```

download http://www.rexswain.com/eicar.com to your home folder, then make sure that it's working by (as per http://www.rexswain.com/eicar.html )

```
/opt/f-prot/f-prot -disinf -list ~/
```

Now let's script it.  Create the file /usr/sbin/fprotscan with the following content:

```
#!/bin/sh
#Script to automate virus scans and logging
#
#Get the system date and store some needed variables
#(YYYYMonDD, e.g. 2005Jun24; the same stamp that `set `date`; DAY=$6$2$3` produced)
DAY=`date +%Y%b%d`
LOGDIR=~/f-prot
#
#Next, let's make sure that we're up-to-date
/opt/f-prot/check-updates.pl -cron -quiet
#
#Mount /boot so it can be checked as well
mount /boot
#
#Change to a predetermined log directory, create it if need be.
if [ -d "$LOGDIR" ]
   then
      echo "Log folder exists.."
   else
      echo "Creating log folder..."
      mkdir "$LOGDIR"
fi
#Bail out rather than writing the report into whatever directory cron started us in
cd "$LOGDIR" || exit 1
echo "Scanning...this may take awhile"
#
#Run the virus scan...and log it.
#-auto answers the prompts that -disinf would otherwise stop at, so the job can run unattended from cron
#Thanks for the help on this part in particular, guys!
/opt/f-prot/f-prot -auto -disinf -list -report=$DAY.log -append /
#
#Unmount /boot
umount /boot
```

Make it executable

```
chmod a+x /usr/sbin/fprotscan
```

Now, let's automate. 

```
crontab -e
```

Insert the following line, save, and exit

```
30 3 * * * /usr/sbin/fprotscan
```

This will run your scan at 3:30 AM (when most people's computers are otherwise idle) every day.  Check here if you want to modify the schedule and don't understand cron.

You should be all set now.  Happy Gentoo'ing.

Regards,

JoeG

----------

## trooper82

Great tip, thanks!

----------

## JoeG

null perspiration, chummer   :Wink: 

----------

## riksta

Hey

slight error

 /opt/f-prot-check-updates.pl

is

 /opt/f-prot/check-updates.pl

Rick  :Very Happy: 

----------

## JoeG

Thx, Riksta.  Typo demon hell.  It's edited now.    :Laughing: 

----------

## DavidMCS

You may want to consider adding -auto to your command line options if you're going to do this in a cron job as user confirmation is required with -disinf

-- 

David-

----------

## JoeG

Great idea, David.  It's fixed...see above

----------

## fourhead

Hi, great tip. Do you know if there's a way to integrate f-prot with Samba like you can do it with ClamAV (via a vfs module)?

Tom

----------

## -Rick-

Hey, just a question: is the scanning faster than ClamAV? If I scan everything with ClamAV it takes 6+ hours....

----------

## SaFrOuT

sorry for the question, but do i really need an antivirus for my Gentoo

i don't have except Gentoo on my machine although i have a fat32 partition 

do i still need f-prot ???

----------

## JoeG

 *-Rick- wrote:*   

> Hey, just a question: is the scanning faster than ClamAV? If I scan everything with ClamAV it takes 6+ hours....

 

Hard to say.  Kinda depends on how many files you have in your filesystems, the size of the files...etc.  On my system, f-prot runs in about 80 min's and I've used about 72GB of my space across 5 partitions.

Regards,

JoeG

----------

## JoeG

 *SaFrOuT wrote:*   

> sorry for the question, but do i really need an antivirus for my Gentoo
> 
> i don't have except Gentoo on my machine although i have a fat32 partition 
> 
> do i still need f-prot ???

 

Not quite sure what you're asking.  IMHO, you always need some type of A/V on a computer.  F-Prot isn't the only option, but it's the one I like.  ClamAV seems to integrate more tightly into SaMBa.

Just like any OS, as far as A/V goes, get it...update it...run it...constantly.

Regards,

JoeG

----------

## bravecobra

f-prot has a -report=<report_name> option

----------

## JoeG

 *bravecobra wrote:*   

> f-prot has a -report=<report_name> option

 

Yup, it sure enough does, but it accomplishes the same thing we're after here...a logfile.  One problem that I've found with my approach here, though, is the size of the logfiles.  A scan of my home directory alone yields a >9MB text file.  If anyone can figure out an easy way to rotate old logfiles out to conserve space, I'll include it in this script, crediting the author  :Wink: .  Also, I'm working on getting the script to email root with the results only.  The logfile itself can be checked later, if a red flag pops up in the tail.

'Gards

JoeG

----------

## bravecobra

Just add it to logrotate.d

Anyway ever tried to run it on a system that has amavis emerged? That comes with sample viruses and mailbombs. Now for some reason, f-prot fails to recognize the mailbomb and starts unpacking the content which leaves it in a sort of almost endless loop. Kinda deadly when your script is automated.
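JoeG asked above for a way to keep the log directory from eating the disk, and bravecobra points at logrotate. Because the scan script writes a fresh YYYYMonDD.log every day, there is nothing for logrotate to rename, so the added example below (written for this page, not code from any post or from the f-prot package) takes the other route: gzip reports older than a few days and delete anything older than a month. The directory and the two day counts are assumptions, and `make_sample_logdir` only builds a constructed directory so the function can be tried offline.

```sh
#!/bin/sh
# Added example, not code from the thread: keep the scan log directory from
# growing without bound. One YYYYMonDD.log per day means there is nothing for
# logrotate to rename, so reports older than KEEP_PLAIN days are gzipped and
# anything older than KEEP_DAYS days is removed. Paths and day counts are assumptions.

# prune_reports DIR [KEEP_PLAIN] [KEEP_DAYS]
# Prints "compressed=N deleted=M" and returns 0; returns 1 if DIR is missing.
prune_reports() {
    dir=$1
    keep_plain=${2:-7}
    keep_days=${3:-30}
    [ -d "$dir" ] || { echo "no such log directory: $dir" >&2; return 1; }

    # Delete first, so a report past keep_days is never gzipped only to be removed.
    deleted=$(( $(find "$dir" -maxdepth 1 -type f \( -name '*.log' -o -name '*.log.gz' \) \
                     -mtime +"$keep_days" -print | wc -l) ))
    find "$dir" -maxdepth 1 -type f \( -name '*.log' -o -name '*.log.gz' \) \
         -mtime +"$keep_days" -exec rm -f {} +

    # Then compress the plain-text reports that are past keep_plain days
    # (gzip keeps the original's mtime, so the .gz ages out on the same schedule).
    compressed=$(( $(find "$dir" -maxdepth 1 -type f -name '*.log' \
                        -mtime +"$keep_plain" -print | wc -l) ))
    find "$dir" -maxdepth 1 -type f -name '*.log' -mtime +"$keep_plain" -exec gzip -f {} +

    echo "compressed=$compressed deleted=$deleted"
}

# make_sample_logdir: a constructed directory for trying this offline, holding one
# report from today and one dated 24 June 2005 (the date that appears in the thread).
make_sample_logdir() {
    dir=$(mktemp -d)
    : > "$dir/fresh.log"
    : > "$dir/2005Jun24.log"
    touch -t 200506240000 "$dir/2005Jun24.log"
    echo "$dir"
}

# From the scan script, after the f-prot run, something like:
#   prune_reports "$LOGDIR" 7 30
```

Running the deletion pass before the compression pass matters: otherwise a report that is already past the retention limit gets gzipped on one run only to be removed on the next, and the daily cron job does twice the work on the oldest files.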

----------

## JoeG

 *bravecobra wrote:*   

> Just add it to logrotate.d
> 
> Now for some reason, f-prot fails to recognize the mailbomb and starts unpacking the content which leaves it in a sort or almost endless loop. Kinda deadly when your script is automated.

 

Fails to recognize any mailbombs?  The only shortcoming that I've seen is that it can't disinfect gzipped tarballs...of course, YMMV.  Agreed tho, that automating can lead to unexpected results.  That's why I'm asking for feedback, to improve my script for everyone's benefit.  Thanks for the heads-up!

JoeG

----------

## amanoj

Kudos to JoeG for the script. Just saved me an hour to have to create one myself. Per your request... here is my feedback!

Shell Script works fine for me,  but I made a few modifications:

Changed the check-updates.pl command to include the -cron -quiet options. (Which do work outside of CRON.)

 *Quote:*   

> #Next, let's make sure that we're up-to-date
> /opt/f-prot/check-updates.pl -cron -quiet
> ...

 

Updated the F-Prot command with the -report and -append options. * Removed Tail to STDOUT *

 *Quote:*   

> /opt/f-prot/f-prot -auto -disinf -list -report=$LOGDIR/$DAY.log -append /

 

Just my .02! I will work on STDERR outputs from f-prot & the perl script... but the script works great for my laptop & 2 servers. Next project... script to integrate F-prot with Postfix for mail scanning. Good Job!

----------

## JoeG

That's what I like!  :Very Happy:   Someone starts a little something nice...people help improve it...next thing ya know, it all works pretty damn well!  bravecobra recommended the -report option instead of what I was originally doing the other day.

  The big thing to watch out for is that the log files can get quite large rather quickly.  Gonna hafta take his advice on logrotate.  The tail was pretty useless from a cron job as well  :Wink: .  Losing it is probably a good idea.  This is how open source is s'posed to work, Baby!

Thanks for all the advice, guys.

JoeG

P.S.  I've been up for over 24 hrs again, the last 18 of it doing an "upgrade" of a network to Windows.  As a result, I'm just a bit slap-happy.  Not to mention a little balder from the hair yanking.

P.S.S.  Oh!  Just one thing, amanoj.  You're already in $LOGDIR, so maybe 

```
-report=$DAY.log
```

 instead.  I already updated the script at the top of the page, so new folks won't hafta take the original and hack like we did.  They just get the end result.    :Cool: 

----------

## amanoj

 *JoeG wrote:*   

> That's what I like!   Someone starts a little something nice...people help improve it...next thing ya know, it all works pretty damn well!  bravecobra recommended the -report option instead of what I was originally doing the other day.
> 
>   The big thing to watch out for is that the log files can get quite large rather quickly.  Gonna hafta take his advice on logrotate.  The tail was pretty useless from a cron job as well .  Losing it is probably a good idea.  This is how open source is s'posed to work, Baby!
> 
> Thanks for all the advice, guys.
> ...

 

Sounds Good to Me! We just keep working on the script and make it better! Like Hannabal from A-Team said, "I love it when a plan comes together!!" (Showing my Age!)    :Laughing: 

Amanoj

----------

## JoeG

 *amanoj wrote:*   

> Like Hannabal from A-Team said, "I love it when a plan comes together!!" (Showing my Age!)   
> 
> Amanoj

 

Or like B.A. said "I ain't gettin' on no PLANE, Hannabal!"    :Cool:  I'm from that era, too.

JoeG

----------

## Master One

That f-prot protection sounds interesting, but I am not sure, if I understand the purpose right.

f-prot is scanning for such nasty executables, which are of no use in the Linux world, and only dangerous for machines running Windows.

Usually it makes more sense to install a good antivirus on all Windows machines or under windows on dualboot (I wouldn't use WinXP without Norton Antivirus at all).

If you have a Linux server, you wouldn't need f-prot, because you surely have no dualboot with Windows on a server. Concerning samba and mailserver-protection, you surely would use an antivirus solution, that integrates better with these services.

If you have a Linux workstation, why bother with an antivirus solution, if the usual executable files are of no harm to such a system. And concerning a workstation, most people probably will not have such a machine run 24/7, so using cron would probably not lead to automatic scans at all.

At the moment I have 3 Linux-servers and 1 Linux-notebook (with dualboot) on my local lan (and trying to convert the other 3 Windows-workstations to pure Linux-workstations as well). On all Windows-machines, Norton Antivirus is installed. I am curious now, if I should install f-prot on the 3 servers and the linux-dualboot-notebook (as well as on the other workstations, after they have been converted to Linux).

----------

## JoeG

 *Master One wrote:*   

>  Concerning samba and mailserver-protection, you surely would use an antivirus solution, that integrates better with these services.

 

Excellent point.

 *Master One wrote:*   

> If you have a Linux workstation, why bother with an antivirus solution, if the usual executable files are of no harm to such a system. 

 

Try this.  Besides, I originally posted here to show people an easy way to get AV protection installed, updated, and run on schedule.

Like it or no, viruses do exist for Linux and for services that run on Linux.  Granted, the damage can be limited on your workstation or server (i.e.  by User or Process privilege level), but IMHO you have a responsibility to the rest of the Internet community to make sure that you are at least not helping to spread viruses that can infect their Windows machines.  If you prefer another AV solution, then by all means, use that.  ClamAV is a very nice piece of software, for example.  But you really should be running something.  

Please, please, don't take this as a flame.  I just don't want people to assume that if their computer running Linux is not vulnerable to 99% of viruses in the wild, that they cannot be infected or infect others.  It's kinda like keeping a condom on your bits  :Wink: .

Regards,

JoeG

----------

## Master One

Thanks for the feedback, JoeG.

Any idea, how to automate the use of f-prot on a normal workstation / notebook, that's not running 24/7?

The cron idea does not fit for such a machine.

What about running the scan on every boot?

I have no idea, how long such a scan needs on a normal Gentoo workstation installation, and what happens, if I shutdown the machine before the scan is completed.

----------

## JoeG

 *Master One wrote:*   

> Any idea, how to automate the use of f-prot on a normal workstation / notebook, that's not running 24/7?
> 
> The cron idea does not fit for such a machine.
> ...

 

Well, it would be easy enough to create an init script and add it to your default runlevel, but then your computer is going to take a long time to boot up.    :Shocked: 

If you're wanting to scan files as they download, I'm afraid (with f-prot at least) that we're out of luck.  We'll have to scan after the download is complete, AFAIK.  Anyone who knows differently, PLEASE let us know!  :Sad:   According to their support page:

BUGS

We have received a request for the ability to scan stdin. This is actually rather difficult, as the engine design requires that the size of any scannable object is known before starting a scan.

I'm considering writing a mini-HOWTO for using ClamAV due to several factors:

1.  I'm trying to be fair  :Very Happy: 

2.  ClamAV seems to integrate more smoothly with services

3.  ClamAV can be run as a daemon (Well, so can f-prot, but you need file or mail server version)

4.  ClamAV is GPL.  'Nuff said.

Ideas, Folks?

JoeG

----------

## Irvinion

I used your methods because I was looking for an anti-virus for noobs type thingy being new to both linux and gentoo. One small thing I noted that could have come from a version bump of f-prot, for the 4.5.3 version, the check updates file is check-updates.pl so:

```
/opt/f-prot/check-updates.pl
```

Otherwise, thank you very much   :Wink: 

----------

## JoeG

Thanks for catching that.  I've updated the script itself, but didn't catch the typo in step 2, immediately following the emerge  :Wink: .  Don't worry, the executable for updating didn't change, I just "fat fingered" my keyboard and the typo demon made me pay for it.  Glad to be of help.

JoeG

----------

## braynyac

Hello All!!!

First, I must say thanks for the great script.

Second, I had to modify mine slightly, so I figured you guys might want this one =)  I have a small problem where I mount a windows share in /mnt to my XP box.  The disk is a 250GB NT partition, through Samba, so it's not exactly fast.  Anyways, during scanning, it would grind my linux box to a halt while scanning that directory.  So I set it exclude certain directories.  Use as you see fit =)

```
#!/bin/sh
#Script to automate virus scans and logging
#
#Get the system date and store some needed variables
#(YYYYMonDD, e.g. 2005Jun24; the same stamp that `set `date`; DAY=$6$2$3` produced)
DAY=`date +%Y%b%d`
LOGDIR=~/f-prot
#This sets up the exclusions, which are the "-I [folder_names]"
#In order to set multiple exclusions, each must be in the form "-I [folder_name]"
#and separated by a space.  The wildcard pattern is quoted so that ls, not the
#shell, gets to expand it.
bkupdirs=`ls --format=single-column / -I mnt -I 'razor*'`
#
#Next, let's make sure that we're up-to-date
/opt/f-prot/tools/check-updates.pl -cron -quiet
#
#Mount /boot so it can be checked as well
mount /boot
#
#Change to a predetermined log directory, create it if need be.
if [ -d "$LOGDIR" ]
   then
      echo "Log folder exists.."
   else
      echo "Creating log folder..."
      mkdir "$LOGDIR"
fi
cd "$LOGDIR" || exit 1
echo "Scanning...this may take awhile"
#
#Run the virus scan...and log it.
#-auto answers the prompts that -disinf would otherwise stop at, so the job can run unattended from cron
#Thanks for the help on this part in particular, guys!
#Slightly modified to use the bkupdirs variable above.
for folder in $bkupdirs; do
        /opt/f-prot/f-prot -auto -disinf -list -report=$DAY.log -append /$folder
done
#
#Unmount /boot
umount /boot
```

Enjoy =)

~Tim

----------

## braynyac

Do any of you have any issues with f-prot being a system hog?  I'm thinking of re-niceing the executable.  Thoughts?

~Tim

----------

## JoeG

It does seem to be a resource hog.  Might be that renicing isn't a bad idea.  Usually, I just cron it at an ungodly hour that I'm sure I won't be on the system.  Let us know if renicing helps.

JoeG

----------

## menschmeier

Hi,

I am not sure that the update really does what it should.

After I run check-updates.sh the signatures seem to be updated:

```
moon update_virus_26401 # cd /opt/f-prot/
moon f-prot # ll
total 4496
-rw-r--r--  1 root root   18935 Jun 24 11:54 ENGLISH.TX0
-rw-r--r--  1 root root  536911 Jun 24 11:54 MACRO.DEF
-rw-r--r--  1 root root 1137212 Jun 24 11:54 SIGN.DEF
-rw-r--r--  1 root root 2072492 Jun 24 11:54 SIGN2.DEF
-rwxr-xr-x  1 root root  831276 Jun 24 11:54 f-prot
drwxr-xr-x  2 root root      29 Jun 24 11:54 tools
```

But when I call f-prot I get the message that the files are old:

```
moon tmp # f-prot /tmp
Warning: The SIGN.DEF file is rather old and does not contain
         information on a substantial number of new viruses.
Warning: The MACRO.DEF file is rather old and does not contain
         information on a substantial number of new viruses.

Virus scanning report  -  24 June 2005 @ 11:55

F-PROT ANTIVIRUS
Program version: 4.5.4
Engine version: 3.16.6

VIRUS SIGNATURE FILES
SIGN.DEF created 8 February 2005
SIGN2.DEF created 8 February 2005
MACRO.DEF created 7 February 2005
...
```

Does anyone know what could be the reason of this behaviour and how to update the virus signatures and to check if the update was successful?

Thanks

menschmeier
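The safest answer to "did the update actually take?" is not the mtime of the .DEF files under /opt/f-prot (those were fresh in the listing above and the scanner still complained) but what f-prot itself prints at the top of every report. The added example below is not from any post here and not part of f-prot; it parses the report header format shown in menschmeier's output (the "Warning: The SIGN.DEF file is rather old" lines and the "SIGN.DEF created 8 February 2005" lines), computes the age of each signature file, and returns non-zero when anything is stale, so a cron wrapper can refuse to trust a scan run with old signatures. `SAMPLE_REPORT` is a constructed copy of that header; the age calculation assumes GNU `date -d`, and the 14-day limit is an assumption.

```sh
#!/bin/sh
# Added example, not code from the thread or from f-prot: check signature
# freshness from the dates f-prot prints in its own report header.

# Constructed sample, copied from the report header shown in the thread.
SAMPLE_REPORT='Warning: The SIGN.DEF file is rather old and does not contain
         information on a substantial number of new viruses.
Warning: The MACRO.DEF file is rather old and does not contain
         information on a substantial number of new viruses.
Virus scanning report  -  24 June 2005 @ 11:55
F-PROT ANTIVIRUS
Program version: 4.5.4
Engine version: 3.16.6
VIRUS SIGNATURE FILES
SIGN.DEF created 8 February 2005
SIGN2.DEF created 8 February 2005
MACRO.DEF created 7 February 2005'

# stale_warnings REPORT_TEXT -> number of "file is rather old" warnings f-prot emitted
stale_warnings() {
    printf '%s\n' "$1" | grep -c 'file is rather old'
}

# def_created REPORT_TEXT DEFNAME -> creation date as printed, e.g. "8 February 2005"
def_created() {
    printf '%s\n' "$1" | sed -n "s/^$2 created //p" | head -n 1
}

# def_age_days REPORT_TEXT DEFNAME -> whole days since that DEF was created
# (assumes GNU date -d; returns 1 if the date is missing or cannot be parsed)
def_age_days() {
    created=$(def_created "$1" "$2")
    [ -n "$created" ] || return 1
    then_s=$(date -d "$created" +%s 2>/dev/null) || return 1
    now_s=$(date +%s)
    echo $(( (now_s - then_s) / 86400 ))
}

# check_signatures REPORT_TEXT [MAX_DAYS] -> 0 only if f-prot raised no stale warning
# and every signature file is at most MAX_DAYS old; prints one line per problem.
check_signatures() {
    report=$1
    max_days=${2:-14}
    rc=0
    if [ "$(stale_warnings "$report")" -gt 0 ]; then
        echo "f-prot itself reports stale signature files"
        rc=1
    fi
    for def in SIGN.DEF SIGN2.DEF MACRO.DEF; do
        age=$(def_age_days "$report" "$def") || { echo "$def: no creation date found"; rc=1; continue; }
        if [ "$age" -gt "$max_days" ]; then
            echo "$def: $age days old (limit $max_days)"
            rc=1
        fi
    done
    return $rc
}

# Usage in the cron wrapper, after the scan:  check_signatures "$(cat "$DAY.log")" 14 || mail root
```

Checking the report rather than the files also catches the case in the thread: new .DEF files on disk that the engine is, for whatever reason, not actually loading.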

----------

## umproko5

 *JoeG wrote:*   

>  *Master One wrote:*   
> 
> Any idea, how to automate the use of f-prot on a normal workstation / notebook, that's not running 24/7?
> 
> The cron idea does not fit for such a machine.
> ...

 

Has there been any work done on the mini-HOWTO?

/Jason

----------

## JoeG

 *umproko5 wrote:*   

> Has there been any work done on the mini-HOWTO?

 

This one?  Not since my last post.  To be honest, with everything else going on in my life, I hadn't really had time.  Wanna add some to it?

----------

## chieflilal

F-prot now places the update script into a new directory.  I have updated the original script to reflect the change.

```
#!/bin/sh
#Script to automate virus scans and logging
#
#Get the system date and store some needed variables
#(YYYYMonDD, e.g. 2005Jun24; the same stamp that `set `date`; DAY=$6$2$3` produced)
DAY=`date +%Y%b%d`
LOGDIR=~/f-prot
#
#Next, let's make sure that we're up-to-date
/opt/f-prot/tools/check-updates.pl -cron -quiet
#
#Mount /boot so it can be checked as well
mount /boot
#
#Change to a predetermined log directory, create it if need be.
if [ -d "$LOGDIR" ]
   then
      echo "Log folder exists.."
   else
      echo "Creating log folder..."
      mkdir "$LOGDIR"
fi
cd "$LOGDIR" || exit 1
echo "Scanning...this may take awhile"
#
#Run the virus scan...and log it.
#-auto answers the prompts that -disinf would otherwise stop at, so the job can run unattended from cron
#Thanks for the help on this part in particular, guys!
/opt/f-prot/f-prot -auto -disinf -list -report=$DAY.log -append /
#
#Unmount /boot
umount /boot
```

----------

## sleepingsun

For updates on my version 

```
/opt/f-prot/tools/check-updates.pl
```

But where is the new directory for the script ?

----------

## trossachs

I use f-prot with amavisd in conjunction with clamav. But recently I have started to get the following error in Postfix for f-prot:

```
Aug 11 11:00:52 foo amavis[19291]: (19291-02) (!)FRISK F-Prot Daemon: Can't connect to INET socket 127.0.0.1:10204: Connection refused, retrying (10)
Aug 11 11:00:58 foo amavis[19291]: (19291-02) (!)run_av (FRISK F-Prot Daemon, built-in i/f): Too many retries to talk to 127.0.0.1:10200 (Can't connect to INET socket 127.0.0.1:10200: Connection refused) at (eval 59) line 310.
Aug 11 11:00:58 foo amavis[19291]: (19291-02) (!!)FRISK F-Prot Daemon av-scanner FAILED: CODE(0x8142bac) Too many retries to talk to 127.0.0.1:10200 (Can't connect to INET socket 127.0.0.1:10200: Connection refused) at (eval 59) line 310. at (eval 59) line 511.
```

And these errors for clamav:

```
Aug 11 11:04:02 foo amavis[19290]: (19290-03) p001 1 Content-Type: text/plain, size: 366 B, name:
Aug 11 11:04:02 foo amavis[19290]: (19290-03) ClamAV-clamd: Can't send to socket /var/run/clamav/clamd: Transport endpoint is not connected, retrying (1)
Aug 11 11:04:03 foo amavis[19290]: (19290-03) (!)ClamAV-clamd: Can't connect to UNIX socket /var/run/clamav/clamd: No such file or directory, retrying (2)
Aug 11 11:04:09 foo amavis[19290]: (19290-03) (!)run_av (ClamAV-clamd, built-in i/f): Too many retries to talk to /var/run/clamav/clamd (Can't connect to UNIX socket /var/run/clamav/clamd: No such file or directory) at (eval 59) line 310.
Aug 11 11:04:09 foo amavis[19290]: (19290-03) (!!)ClamAV-clamd av-scanner FAILED: CODE(0x8142bac) Too many retries to talk to /var/run/clamav/clamd (Can't connect to UNIX socket /var/run/clamav/clamd: No such file or directory) at (eval 59) line 310. at (eval 59) line 511.
```

Have checked out netstat and cannot see any entry for f-prot with regards to: 127.0.0.1:10200
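Both scanners in those lines are down at the same time (the f-prot daemon is not listening on 127.0.0.1:10200 and clamd's UNIX socket does not exist), which is exactly the condition where amavis may keep passing mail with no scanner behind it. Whatever the root cause on trossachs's box, a mail admin wants to know the moment amavis logs "av-scanner FAILED" rather than find it weeks later. The added example below is not from any post here and not part of amavis; it runs over a constructed copy of the log lines above, lists each scanner amavis gave up on, counts the connection retries that preceded it, and returns non-zero so it can page or mail root from cron.

```sh
#!/bin/sh
# Added example, not code from the thread or from amavis: detect amavis giving up
# on a virus scanner from its syslog lines.

# Constructed sample: the amavis lines from the thread, one log line each.
SAMPLE_AMAVIS_LOG=$(cat <<'EOF'
Aug 11 11:00:52 foo amavis[19291]: (19291-02) (!)FRISK F-Prot Daemon: Can't connect to INET socket 127.0.0.1:10204: Connection refused, retrying (10)
Aug 11 11:00:58 foo amavis[19291]: (19291-02) (!)run_av (FRISK F-Prot Daemon, built-in i/f): Too many retries to talk to 127.0.0.1:10200 (Can't connect to INET socket 127.0.0.1:10200: Connection refused) at (eval 59) line 310.
Aug 11 11:00:58 foo amavis[19291]: (19291-02) (!!)FRISK F-Prot Daemon av-scanner FAILED: CODE(0x8142bac) Too many retries to talk to 127.0.0.1:10200 (Can't connect to INET socket 127.0.0.1:10200: Connection refused) at (eval 59) line 310. at (eval 59) line 511.
Aug 11 11:04:02 foo amavis[19290]: (19290-03) p001 1 Content-Type: text/plain, size: 366 B, name:
Aug 11 11:04:02 foo amavis[19290]: (19290-03) ClamAV-clamd: Can't send to socket /var/run/clamav/clamd: Transport endpoint is not connected, retrying (1)
Aug 11 11:04:03 foo amavis[19290]: (19290-03) (!)ClamAV-clamd: Can't connect to UNIX socket /var/run/clamav/clamd: No such file or directory, retrying (2)
Aug 11 11:04:09 foo amavis[19290]: (19290-03) (!)run_av (ClamAV-clamd, built-in i/f): Too many retries to talk to /var/run/clamav/clamd (Can't connect to UNIX socket /var/run/clamav/clamd: No such file or directory) at (eval 59) line 310.
Aug 11 11:04:09 foo amavis[19290]: (19290-03) (!!)ClamAV-clamd av-scanner FAILED: CODE(0x8142bac) Too many retries to talk to /var/run/clamav/clamd (Can't connect to UNIX socket /var/run/clamav/clamd: No such file or directory) at (eval 59) line 310. at (eval 59) line 511.
EOF
)

# av_failures LOGTEXT -> one line per distinct scanner name that amavis marked
# "(!!)<scanner> av-scanner FAILED"
av_failures() {
    printf '%s\n' "$1" | sed -n 's/.*(!!)\(.*\) av-scanner FAILED.*/\1/p' | sort -u
}

# av_retry_count LOGTEXT SCANNER -> number of "retrying (N)" lines logged for that scanner
av_retry_count() {
    printf '%s\n' "$1" | grep -F "$2" | grep -c 'retrying ('
}

# alert_on_av_failure LOGTEXT -> prints a summary; returns 1 if any scanner failed, else 0
alert_on_av_failure() {
    failed=$(av_failures "$1")
    if [ -z "$failed" ]; then
        echo "all amavis scanners healthy"
        return 0
    fi
    printf '%s\n' "$failed" | while read -r scanner; do
        echo "$scanner FAILED after $(av_retry_count "$1" "$scanner") connection retries logged"
    done
    return 1
}

# Cron usage, e.g. hourly over the last chunk of the mail log (path is an assumption):
#   alert_on_av_failure "$(tail -n 2000 /var/log/mail.log)" || mail -s 'amavis scanner down' root
```

The retry count is worth reporting alongside the failure: a scanner that died after ten refused connections (the f-prot daemon here) is a service that is not running, whereas a failure after one or two tries on a socket that does not exist points at a socket path mismatch between amavisd.conf and the scanner's own configuration.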

----------

