Antivirus

Clam AntiVirus (ClamAV) is free, open-source antivirus software. We will set up ClamAV first.

On CentOS or Fedora, install it with:

yum install clamav clamd clamav-update

In Ubuntu, try:

sudo apt-get install clamav clamav-daemon clamav-freshclam

You can scan a directory and its subdirectories with the command:

clamscan -r

Scan directories recursively. All the subdirectories in the given directory will be scanned.

For more switches, see https://linux.die.net/man/1/clamscan

Enable the service:

systemctl enable /lib/systemd/system/clamav-daemon.service

We can configure clamd from the CLI instead of editing the configuration file by hand:

sudo dpkg-reconfigure clamav-daemon
sudo vi /etc/clamav/clamd.conf

We are going to scan it remotely, so add the following line:

TCPSocket 3310

Use the command netstat -l; you should find something like:

tcp6   0   0   [::]:3310    [::]:*     LISTEN

On macOS, install ClamAV with the following steps.

1. The easiest way to get the ClamAV package is using Homebrew:

$ brew install clamav

2. Before trying to start the clamd process, you’ll need a copy of the ClamAV databases.

Create a freshclam.conf file and configure it as follows:

/usr/local/etc/clamav/freshclam.conf

DatabaseMirror database.clamav.net

3. Then run

$ freshclam -v

to download the ClamAV databases.

4. Edit the configuration file

Make a copy of clamd.conf.sample and edit it:

cp /usr/local/etc/clamav/clamd.conf.sample /usr/local/etc/clamav/clamd.conf
vi /usr/local/etc/clamav/clamd.conf

Add the following line:

LocalSocket /usr/local/var/run/clamav/clamd.sock

You’ll need to ensure that the socket directory exists and that the daemon has permission to write the socket file.

$ mkdir /usr/local/var/run/clamav
$ sudo chown clamav /usr/local/var/run/clamav/
$ sudo chmod 775 /usr/local/var/run/clamav/

You should now be able to run

$ clamd

to start the process.

If the system cannot find clamd, use find / -type f -name clamd to search for it, then use the full path. In my case it is:

/usr/local/Cellar/clamav/0.99.2_1/sbin/clamd

Check the status:

ps -ef | grep clamd

  501 34483     1   0 10:57pm ??         0:00.00 /usr/local/Cellar/clamav/0.99.2_1/sbin/clamd
  501 34493 34107   0 11:00pm ttys001    0:00.01 grep clamd

The first line of the result means the daemon is running. Now that the installation of ClamAV is finished, we can use Python to work with it.

pyclamd

import time
import pyclamd
from threading import Thread


class Scan(Thread):
    """Connect to one clamd host over TCP (port 3310) and run one scan command."""

    def __init__(self, IP, scan_type, file):
        Thread.__init__(self)
        self.IP = IP
        self.scan_type = scan_type
        self.file = file          # path as seen by clamd on its own host
        self.connstr = ""
        self.scanresult = ""

    def run(self):
        try:
            cd = pyclamd.ClamdNetworkSocket(self.IP, 3310)
            if cd.ping():
                self.connstr = self.IP + " connection [OK]"
                cd.reload()  # reload the signature databases before scanning
                if self.scan_type == "contscan_file":
                    self.scanresult = "{0}\n".format(cd.contscan_file(self.file))
                elif self.scan_type == "multiscan_file":
                    self.scanresult = "{0}\n".format(cd.multiscan_file(self.file))
                elif self.scan_type == "scan_file":
                    self.scanresult = "{0}\n".format(cd.scan_file(self.file))
                time.sleep(1)  # wait 1 second before the thread finishes
            else:
                self.connstr = self.IP + " ping error, exit"
                return
        except Exception as e:
            self.connstr = self.IP + " " + str(e)


IPs = ['192.168.10.53']
scantype = "multiscan_file"
scanfile = "/var/www"
i = 1
threadnum = 2       # number of hosts scanned concurrently per batch
scanlist = []
for ip in IPs:
    currp = Scan(ip, scantype, scanfile)
    scanlist.append(currp)
    if i % threadnum == 0 or i == len(IPs):
        for task in scanlist:
            task.start()
        for task in scanlist:
            task.join()
            print(task.connstr)
            print(task.scanresult)
        scanlist = []
    i += 1

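pyclamd's scan_file, multiscan_file and contscan_file send only a path, so the clamd host has to open that path itself (which is what the permission problem below is about). As an added example that is not part of the original post, the following Python 3 code shows the clamd wire protocol for the INSTREAM command, which ships the file bytes over the TCPSocket instead; the host, port and sample reply strings are assumptions for illustration.

```python
import socket
import struct

# Constructed sample replies in the shape clamd uses for z-prefixed commands.
SAMPLE_CLEAN_REPLY = b"stream: OK\0"
SAMPLE_FOUND_REPLY = b"stream: Eicar-Test-Signature FOUND\0"
SAMPLE_ERROR_REPLY = b"INSTREAM size limit exceeded. ERROR\0"


def build_instream_request(data, chunk_size=8192):
    """Frame bytes as a zINSTREAM request: b"zINSTREAM\\0", then chunks of
    <4-byte big-endian length><bytes>, ended by a zero-length chunk."""
    frames = [b"zINSTREAM\0"]
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        frames.append(struct.pack(">I", len(chunk)) + chunk)
    frames.append(struct.pack(">I", 0))  # zero-length chunk ends the stream
    return b"".join(frames)


def parse_scan_reply(reply):
    """Map a NUL-terminated clamd reply to (status, detail): ("OK", None),
    ("FOUND", signature name) or ("ERROR", error text)."""
    text = reply.rstrip(b"\0").decode("utf-8", "replace")
    label, sep, result = text.partition(": ")  # strip the "stream" label
    if not sep:
        result = text  # error replies carry no "stream:" label
    if result == "OK":
        return "OK", None
    if result.endswith(" FOUND"):
        return "FOUND", result[:-len(" FOUND")]
    return "ERROR", result


def scan_bytes(host, port, data, timeout=30):
    """Stream data to a clamd reachable via its TCPSocket (3310 above) and
    return the parsed verdict; clamd never opens a path on its own host."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_instream_request(data))
        reply = b""
        while not reply.endswith(b"\0"):  # z-commands end replies with NUL
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_scan_reply(reply)
```

Because clamd only sees bytes, INSTREAM is also bounded by its StreamMaxLength setting, which is why the ERROR branch is handled.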

Problems with permission

Error message: lstat() failed: Permission denied.
–> In the file /etc/clamav/clamd.conf, change AllowSupplementaryGroups false -> true (does not work).
–> Check the syslog on the target machine:

kernel: [64967.169911] audit: type=1400 audit(1515711368.823:26): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/var/www/" pid=12217 comm="clamd" requested_mask="r" denied_mask="r" fsuid=113 ouid=0

This is what it is telling you:

  • apparmor="DENIED": AppArmor denied something based on a profile (we’ll get to that later).
  • operation="open": the operation AppArmor denied (in this case opening something, probably a file).
  • profile="/usr/sbin/clamd": the profile that made AppArmor deny this action.
  • name="/var/www/": the file that something was trying to open.
  • pid=12217: the PID of the process trying to open it.
  • comm="clamd": the command/name of the process that tried to open it.
  • requested_mask="r": what clamd wanted to do with the file (r for read in this case).
  • denied_mask="r": what AppArmor stopped it from doing.

So, in plain English: clamd wanted to read the website files under /var/www, AppArmor decided it had no business there, and it blocked the action according to the profile for /usr/sbin/clamd.
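The fields in that log line are regular key=value pairs, so they can be parsed and counted rather than read by hand. The following Python 3 parser is an added example, not from the original post; it runs over a constructed copy of the syslog line above (plus a second constructed line that differs only in timestamp and serial) and groups repeated denials by profile, operation and path.

```python
import re
from collections import Counter

# Constructed copies of the syslog line quoted above; the second differs
# only in timestamp and serial, to show how repeated denials are grouped.
SAMPLE_LINES = [
    'kernel: [64967.169911] audit: type=1400 audit(1515711368.823:26): '
    'apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" '
    'name="/var/www/" pid=12217 comm="clamd" requested_mask="r" '
    'denied_mask="r" fsuid=113 ouid=0',
    'kernel: [64970.001000] audit: type=1400 audit(1515711371.655:27): '
    'apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" '
    'name="/var/www/" pid=12217 comm="clamd" requested_mask="r" '
    'denied_mask="r" fsuid=113 ouid=0',
]

# key=value pairs: the value is either "quoted" or a bare token
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_STAMP_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_apparmor_denial(line):
    """Return the fields of one AppArmor DENIED audit line as a dict, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {k: (q if q else b) for k, q, b in _KV_RE.findall(line)}
    stamp = _STAMP_RE.search(line)
    if stamp:
        fields["epoch"] = float(stamp.group(1))  # audit timestamp (epoch seconds)
        fields["serial"] = int(stamp.group(2))   # audit event serial number
    return fields


def explain(fields):
    """Plain-English reading of one denial, field by field as in the bullets above."""
    return ("profile {profile} denied {operation} of {name} by {comm} (pid {pid}): "
            "requested {requested_mask}, denied {denied_mask}").format(**fields)


def group_denials(lines):
    """Count denials per (profile, operation, path, denied_mask) across log lines."""
    counts = Counter()
    for line in lines:
        f = parse_apparmor_denial(line)
        if f:
            counts[(f["profile"], f["operation"], f["name"], f["denied_mask"])] += 1
    return counts
```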

Why is AppArmor even there in the first place? AppArmor’s main purpose is to prevent compromised apps/processes from doing things they shouldn’t.

This means AppArmor blocked clamd from reading /var/www. AppArmor has two kinds of profiles, mirroring two modes: enforce and complain. Profiles loaded in enforce mode enforce the policy defined in the profile and also report policy violation attempts (via syslog or auditd). Profiles in complain mode do not enforce policy but only report policy violation attempts.

We can check the mode of the profile by:

$ sudo apparmor_status

apparmor module is loaded.
 56 profiles are loaded.
 19 profiles are in enforce mode.
 ...
 /usr/sbin/clamd
 ...
 37 profiles are in complain mode.
 ...
 3 processes have profiles defined.
 3 processes are in enforce mode.
 ...
 /usr/sbin/clamd (6923)

We should put it in complain mode. Install the package “apparmor-utils”, then run sudo aa-complain /usr/sbin/clamd. This moves the profile from enforce to complain mode, but if the process is already running in enforce mode, we need to restart both AppArmor and that process:

sudo service apparmor restart
sudo service clamav-daemon restart

Then check that the clamd profile is in complain mode:

$ sudo apparmor_status
 1 processes are in complain mode.
 /usr/sbin/clamd (13764)