# clamav Konfiguration

## flammenflitzer

Hallo

Ich möchte, daß mein home-Verzeichnis permanent überwacht wird und clamav (freshclam) beim Systemstart nach updates(virendefinition) sucht. Gefundene Viren sollen per email an root gepostet werden.

Ich habe dazuko im Kernel und das Modul wird auch geladen. clamav und fresclam werden im default runlevel ohne Fehlermeldungen gestartet.

Ich glaube, meine Konfigurationsdateien sind nicht ganz rund. Vielleicht kann mir jemand helfen?

```

cat clamd.conf | grep \# -v | sort

ClamukoIncludePath /home/olaf

ClamukoScanArchive

ClamukoScanOnAccess

FixStaleSocket

LocalSocket /var/run/clamav/clamd.sock

LogFile /var/log/clamav/clamd.log

LogTime

PidFile /var/run/clamav/clamd.pid

ScanArchive

ScanRAR

User clamav

VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

```

```

cat clamd.conf

##

## Example config file for the Clam AV daemon

## Please read the clamd.conf(5) manual before editing this file.

##

# Comment or remove the line below.

# Example

# Uncomment this option to enable logging.

# LogFile must be writable for the user running daemon.

# A full path is required.

# Default: disabled

LogFile /var/log/clamav/clamd.log

# By default the log file is locked for writing - the lock protects against

# running clamd multiple times (if want to run another clamd, please

# copy the configuration file, change the LogFile variable, and run

# the daemon with --config-file option).

# This option disables log file locking.

# Default: disabled

#LogFileUnlock

# Maximal size of the log file.

# Value of 0 disables the limit.

# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)

# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size

# in bytes just don't use modifiers.

# Default: 1M

#LogFileMaxSize 2M

# Log time with each message.

# Default: disabled

LogTime

# Also log clean files. Useful in debugging but drastically increases the

# log size.

# Default: disabled

#LogClean

# Use system logger (can work together with LogFile).

# Default: disabled

#LogSyslog

# Specify the type of syslog messages - please refer to 'man syslog'

# for facility names.

# Default: LOG_LOCAL6

#LogFacility LOG_MAIL

# Enable verbose logging.

# Default: disabled

#LogVerbose

# This option allows you to save a process identifier of the listening

# daemon (main thread).

# Default: disabled

PidFile /var/run/clamav/clamd.pid

# Optional path to the global temporary directory.

# Default: system specific (usually /tmp or /var/tmp).

#TemporaryDirectory /var/tmp

# Path to the database directory.

# Default: hardcoded (depends on installation options)

#DatabaseDirectory /var/lib/clamav

# The daemon works in a local OR a network mode. Due to security reasons we

# recommend the local mode.

# Path to a local socket file the daemon will listen on.

# Default: disabled

LocalSocket /var/run/clamav/clamd.sock

# Remove stale socket after unclean shutdown.

# Default: disabled

FixStaleSocket

# TCP port address.

# Default: disabled

#TCPSocket 3310

# TCP address.

# By default we bind to INADDR_ANY, probably not wise.

# Enable the following to provide some degree of protection

# from the outside world.

# Default: disabled

#TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.

# Default: 15

#MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.

# If you are using clamav-milter to balance load between remote clamd daemons

# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.

# The value should match your MTA's limit for a maximal attachment size.

# Default: 10M

#StreamMaxLength 20M

# Limit port range.

# Default: 1024

#StreamMinPort 30000

# Default: 2048

#StreamMaxPort 32000

# Maximal number of threads running at the same time.

# Default: 10

#MaxThreads 20

# Waiting for data from a client socket will timeout after this time (seconds).

# Value of 0 disables the timeout.

# Default: 120

#ReadTimeout 300

# Waiting for a new job will timeout after this time (seconds).

# Default: 30

#IdleTimeout 60

# Maximal depth directories are scanned at.

# Default: 15

#MaxDirectoryRecursion 20

# Follow directory symlinks.

# Default: disabled

#FollowDirectorySymlinks

# Follow regular file symlinks.

# Default: disabled

#FollowFileSymlinks

# Perform internal sanity check (database integrity and freshness).

# Default: 1800 (30 min)

#SelfCheck 600

# Execute a command when virus is found. In the command string %v will

# be replaced by a virus name.

# Default: disabled

VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as a selected user (clamd must be started by root).

# Default: disabled

User clamav

# Initialize supplementary group access (clamd must be started by root).

# Default: disabled

#AllowSupplementaryGroups

# Stop daemon when libclamav reports out of memory condition.

#ExitOnOOM

# Don't fork into background.

# Default: disabled

#Foreground

# Enable debug messages in libclamav.

# Default: disabled

#Debug

# Do not remove temporary files (for debug purposes).

# Default: disabled

#LeaveTemporaryFiles

# By default clamd uses scan options recommended by libclamav. This option

# disables recommended options and allows you to enable selected ones below.

# DO NOT TOUCH IT unless you know what you are doing.

# Default: disabled

#DisableDefaultScanOptions

##

## Executable files

##

# PE stands for Portable Executable - it's an executable file format used

# in all 32-bit versions of Windows operating systems. This option allows

# ClamAV to perform a deeper analysis of executable files and it's also

# required for decompression of popular executable packers such as UPX, FSG,

# and Petite.

# Default: enabled

#ScanPE

# With this option clamav will try to detect broken executables and mark

# them as Broken.Executable

# Default: disabled

#DetectBrokenExecutables

##

## Documents

##

# This option enables scanning of Microsoft Office document macros.

# Default: enabled

#ScanOLE2

##

## Mail files

##

# Enable internal e-mail scanner.

# Default: enabled

#ScanMail

# If an email contains URLs ClamAV can download and scan them.

# WARNING: This option may open your system to a DoS attack.

#          Never use it on loaded servers.

# Default: disabled

#MailFollowURLs

##

## HTML

##

# Perform HTML normalisation and decryption of MS Script Encoder code.

# Default: enabled

#ScanHTML

##

## Archives

##

# ClamAV can scan within archives and compressed files.

# Default: enabled

#neu

ScanArchive

# Due to license issues libclamav does not support RAR 3.0 archives (only the

# old 2.0 format is supported). Because some users report stability problems

# with unrarlib it's disabled by default and you must uncomment the directive

# below to enable RAR 2.0 support.

# Default: disabled

#neu

ScanRAR

# The options below protect your system against Denial of Service attacks

# using archive bombs.

# Files in archives larger than this limit won't be scanned.

# Value of 0 disables the limit.

# Default: 10M

#ArchiveMaxFileSize 15M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR

# file, all files within it will also be scanned. This options specifies how

# deep the process should be continued.

# Value of 0 disables the limit.

# Default: 8

#ArchiveMaxRecursion 9

# Number of files to be scanned within an archive.

# Value of 0 disables the limit.

# Default: 1000

#ArchiveMaxFiles 1500

# If a file in an archive is compressed more than ArchiveMaxCompressionRatio

# times it will be marked as a virus (Oversized.ArchiveType, e.g. Oversized.Zip)# Value of 0 disables the limit.

# Default: 250

#ArchiveMaxCompressionRatio 300

# Use slower but memory efficient decompression algorithm.

# only affects the bzip2 decompressor.

# Default: disabled

#ArchiveLimitMemoryUsage

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).

# Default: disabled

#ArchiveBlockEncrypted

# Mark archives as viruses (e.g. RAR.ExceededFileSize, Zip.ExceededFilesLimit)

# if ArchiveMaxFiles, ArchiveMaxFileSize, or ArchiveMaxRecursion limit is

# reached.

# Default: disabled

#ArchiveBlockMax

##

## Clamuko settings

## WARNING: This is experimental software. It is very likely it will hang

##          up your system!!!

##

# Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.

# Default: disabled

#ClamukoScanOnAccess

#neu zum Schutz /home/olaf

ClamukoScanOnAccess

# Set access mask for Clamuko.

# Default: disabled

#ClamukoScanOnOpen

#ClamukoScanOnClose

#ClamukoScanOnExec

# Set the include paths (all files in them will be scanned). You can have

# multiple ClamukoIncludePath directives but each directory must be added

# in a seperate line.

# Default: disabled

#ClamukoIncludePath /home

#neu zum Schutz /home/olaf

ClamukoIncludePath /home/olaf

# Set the exclude paths. All subdirectories are also excluded.

# Default: disabled

#ClamukoExcludePath /home/guru

# Don't scan files larger than ClamukoMaxFileSize

# Value of 0 disables the limit.

# Default: 5M

#ClamukoMaxFileSize 10M

#neu

ClamukoScanArchive

```

```

cat freshclam.conf | grep \# -v | sort

DatabaseMirror database.clamav.net

DatabaseOwner clamav

OnErrorExecute echo "freshclam: virus database update failed." | mail -s "clamav virus db update failed." root@Roadrunner

PidFile /var/run/clamav/freshclam.pid

UpdateLogFile /var/log/clamav/clam-update.log

```

```

cat freshclam.conf

##

## Example config file for freshclam

## Please read the freshclam.conf(5) manual before editing this file.

## This file may be optionally merged with clamd.conf.

##

# Comment or remove the line below.

# Example

# Path to the database directory.

# WARNING: It must match clamd.conf's directive!

# Default: hardcoded (depends on installation options)

#DatabaseDirectory /var/lib/clamav

# Path to the log file (make sure it has proper permissions)

# Default: disabled

#UpdateLogFile /var/log/freshclam.log

UpdateLogFile /var/log/clamav/clam-update.log

# Enable verbose logging.

# Default: disabled

#LogVerbose

# Use system logger (can work together with UpdateLogFile).

# Default: disabled

#LogSyslog

# Specify the type of syslog messages - please refer to 'man syslog'

# for facility names.

# Default: LOG_LOCAL6

#LogFacility LOG_MAIL

# This option allows you to save the process identifier of the daemon

# Default: disabled

PidFile /var/run/clamav/freshclam.pid

# By default when started freshclam drops privileges and switches to the

# "clamav" user. This directive allows you to change the database owner.

# Default: clamav (may depend on installation options)

DatabaseOwner clamav

# Initialize supplementary group access (freshclam must be started by root).

# Default: disabled

#AllowSupplementaryGroups

# Use DNS to verify virus database version. Freshclam uses DNS TXT records

# to verify database and software versions. With this directive you can change

# the database verification domain.

# Default: enabled, pointing to current.cvd.clamav.net

#DNSDatabaseInfo current.cvd.clamav.net

# Uncomment the following line and replace XY with your country

# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.

# Default: There is no default, which results in an error when running freshclam#DatabaseMirror db.XY.clamav.net

# database.clamav.net is a round-robin record which points to our most

# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is

# not working. DO NOT TOUCH the following line unless you know what you

# are doing.

DatabaseMirror database.clamav.net

# How many attempts to make before giving up.

# Default: 3 (per mirror)

#MaxAttempts 5

# Number of database checks per day.

# Default: 12 (every two hours)

#Checks 24

# Proxy settings

# Default: disabled

#HTTPProxyServer myproxy.com

#HTTPProxyPort 1234

#HTTPProxyUsername myusername

#HTTPProxyPassword mypass

# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for

# multi-homed systems.

# Default: Use OS'es default outgoing IP address.

#LocalIPAddress aaa.bbb.ccc.ddd

# Send the RELOAD command to clamd.

# Default: disabled

#NotifyClamd

# By default it uses the hardcoded configuration file but you can force an

# another one.

#NotifyClamd /config/file/path

# Run command after successful database update.

# Default: disabled

#OnUpdateExecute command

# Run command when database update process fails.

# Default: disabled

#OnErrorExecute command

OnErrorExecute echo "freshclam: virus database update failed." | mail -s "clamav virus db update failed." root@Roadrunner

# Run command when freshclam reports outdated version.

# In the command string %v will be replaced by the new version number.

# Default: disabled

#OnOutdatedExecute command

# Don't fork into background.

# Default: disabled

#Foreground

# Enable debug messages in libclamav.

# Default: disabled

#Debug

```

----------

## Deever

Wärest du so gut und würdest du bitte Kommentare aus den Listings entfernen? Da selbige auch bei denjenigen vorhanden sind, die dir helfen, sind sie hier redundant.

Gruß,

/dev

----------

## tassilo80

 *flammenflitzer wrote:*   

> Hallo
> 
> Ich möchte, daß mein home-Verzeichnis permanent überwacht wird und clamav (freshclam) beim Systemstart nach updates(virendefinition) sucht. Gefundene Viren sollen per email an root gepostet werden.
> 
> Ich habe dazuko im Kernel und das Modul wird auch geladen. clamav und fresclam werden im default runlevel ohne Fehlermeldungen gestartet.
> ...

 Was klappt denn nicht?

Gruß,

Tassilo

----------

## ro

haha, da knüpf ich gleich an das thema an: ich suche einen freien virenscanner für linux. ist clamav empfehlenswert? wie aktuell sind da die virendefinitionen? (das projekt openantivirus.com scheint ja tot zu sein ... die virensignaturen sind nicht gerade aktuell...)

----------

## tassilo80

 *ro wrote:*   

> haha, da knüpf ich gleich an das thema an: ich suche einen freien virenscanner für linux. ist clamav empfehlenswert? wie aktuell sind da die virendefinitionen?

 

Ich denke schon. Die Virendefinitionen werden täglich aktualisiert. Auf der clamav-Homepage stehen noch mehr Details, und es sind auch Organisationen aufgeführt, die es einsetzen. Darunter sind unter anderem SourceForge, Fastmail, DynDNS, diverse Universitäten und viele mehr. Ach ja, und ich benutze es auch.  :Wink: 

Also kann es ja nicht allzu schlecht sein.

Gruß,

Tassilo

----------

## flammenflitzer

Ich will mich gerade wieder mal mit dem Thema beschäftigen. Kennt jemand ein deutsches Howto für ClamAV?

----------

## nikaya

 *flammenflitzer wrote:*   

> Ich will mich gerade wieder mal mit dem Thema beschäftigen. Kennt jemand ein deutsches Howto für ClamAV?

 

Ohne von der Materie Ahnung zu haben und mit ein wenig googeln gefunden:

http://www.opensource.apple.com/darwinsource/10.4.1/SpamAssassin-124/clamav/docs/German/clamdoc_de.pdf

und evtl. noch das hier:

http://www.gentoo.org/doc/de/quick-samba-howto.xml#doc_chap4

----------

