Anti virus
ClamAV (Clam AntiVirus) is free, open-source antivirus software. We will set up ClamAV first.
On CentOS or Fedora, install it with:
yum install clamav clamd clamav-update
On Ubuntu, try:
sudo apt-get install clamav clamav-daemon clamav-freshclam
You can scan a directory and its subdirectories with:
clamscan -r <directory>
The -r switch scans directories recursively, so every subdirectory of the given directory is scanned as well.
More switches, see https://linux.die.net/man/1/clamscan
Enable the service:
systemctl enable /lib/systemd/system/clamav-daemon.service
On Ubuntu, clamd can be configured either interactively or by editing its configuration file:
sudo dpkg-reconfigure clamav-daemon
sudo vi /etc/clamav/clamd.conf
We are going to scan remotely, so add the following line to make clamd listen on TCP port 3310:
TCPSocket 3310
Note that TCPSocket alone binds every interface and the clamd protocol has no authentication, so restrict the listening address with TCPAddr and limit which hosts can reach the port.
Run netstat -l; you should find something like:
tcp6 0 0 [::]:3310 [::]:* LISTEN
On macOS, install ClamAV with the following steps.
1. The easiest way to get the ClamAV package is Homebrew:
$ brew install clamav
2. Before trying to start the clamd process, you will need a copy of the ClamAV databases. Create a freshclam.conf file at /usr/local/etc/clamav/freshclam.conf containing:
DatabaseMirror database.clamav.net
3. Then run
$ freshclam -v
to download the ClamAV databases.
4. Edit the configuration file. Make a copy of clamd.conf.sample and edit it:
cp /usr/local/etc/clamav/clamd.conf.sample /usr/local/etc/clamav/clamd.conf
vi /usr/local/etc/clamav/clamd.conf
Add the following line:
LocalSocket /usr/local/var/run/clamav/clamd.sock
You will need to ensure that the socket directory exists and that the daemon has permission to write the socket file:
$ mkdir /usr/local/var/run/clamav
$ sudo chown clamav /usr/local/var/run/clamav/
$ sudo chmod 775 /usr/local/var/run/clamav/
You should now be able to run
$ clamd
to start the process.
If the system cannot find clamd, use
find / -type f -name clamd
to search for it. Then use the full path; in my case it is:
/usr/local/Cellar/clamav/0.99.2_1/sbin/clamd
Check the status
$ ps -ef | grep clamd
  501 34483     1   0 10:57pm ??         0:00.00 /usr/local/Cellar/clamav/0.99.2_1/sbin/clamd
  501 34493 34107   0 11:00pm ttys001    0:00.01 grep clamd
The first line of the result means the daemon is running. Now that the installation of ClamAV is finished, we can use Python to work with it.
pyclamd
import time
import pyclamd
from threading import Thread


class Scan(Thread):
    """Connect to a remote clamd over TCP 3310 and scan a path on that host."""

    def __init__(self, IP, scan_type, file):
        Thread.__init__(self)
        self.IP = IP
        self.scan_type = scan_type
        self.file = file          # path on the remote host, not on this client
        self.connstr = ""
        self.scanresult = ""

    def run(self):
        try:
            cd = pyclamd.ClamdNetworkSocket(self.IP, 3310)
            if cd.ping():
                self.connstr = self.IP + " connection [OK]"
                cd.reload()       # reload the signature database before scanning
                if self.scan_type == "contscan_file":
                    self.scanresult = "{0}\n".format(cd.contscan_file(self.file))
                elif self.scan_type == "multiscan_file":
                    self.scanresult = "{0}\n".format(cd.multiscan_file(self.file))
                elif self.scan_type == "scan_file":
                    self.scanresult = "{0}\n".format(cd.scan_file(self.file))
                time.sleep(1)     # pause one second between scans
            else:
                self.connstr = self.IP + " ping error, exit"
                return
        except Exception as e:
            self.connstr = self.IP + " " + str(e)


IPs = ['192.168.10.53']
scantype = "multiscan_file"
scanfile = "/var/www"
i = 1
threadnum = 2                      # run at most this many scans concurrently
scanlist = []
for ip in IPs:
    currp = Scan(ip, scantype, scanfile)
    scanlist.append(currp)
    if i % threadnum == 0 or i == len(IPs):
        for task in scanlist:
            task.start()
        for task in scanlist:
            task.join()
            print(task.connstr)
            print(task.scanresult)
        scanlist = []
    i += 1
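pyclamd hides the wire protocol that the script above speaks to port 3310. The following is an added example, not code from the original post, showing that protocol directly: framing a command the way clamd expects and parsing the per-file verdicts it returns. The sample reply is constructed, with the third line showing how the post's "lstat() failed: Permission denied" problem appears to a remote client.

```python
import socket

# Constructed sample of what clamd returns for "MULTISCAN /var/www"; the
# ERROR line is the permission failure the post runs into on /var/www.
SAMPLE_REPLY = (
    "/var/www/index.html: OK\n"
    "/var/www/eicar.com: Eicar-Test-Signature FOUND\n"
    "/var/www/private/db.sqlite: lstat() failed: Permission denied. ERROR\n"
)


def build_command(cmd, arg=None):
    """Frame a clamd command; the 'n' prefix selects newline-terminated replies."""
    line = cmd if arg is None else "%s %s" % (cmd, arg)
    return ("n%s\n" % line).encode()


def parse_scan_reply(reply):
    """Map each reply line to {path: (status, detail)}.
    Lines look like '<path>: OK', '<path>: <signature> FOUND' or
    '<path>: <message> ERROR'; split on the first ': ' because error
    messages can themselves contain ': '."""
    results = {}
    for line in reply.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, verdict = line.partition(": ")
        if verdict == "OK":
            results[path] = ("OK", "")
        elif verdict.endswith(" FOUND"):
            results[path] = ("FOUND", verdict[:-len(" FOUND")])
        elif verdict.endswith(" ERROR"):
            results[path] = ("ERROR", verdict[:-len(" ERROR")])
        else:  # no ': ' or an unfamiliar verdict: keep the raw line
            results[line] = ("UNKNOWN", "")
    return results


def scan_remote(host, path, port=3310, timeout=60):
    """MULTISCAN a path that exists on the clamd host, not on this client.
    clamd closes the connection once the complete reply has been sent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_command("MULTISCAN", path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_scan_reply(b"".join(chunks).decode("utf-8", "replace"))
```

Point scan_remote at a host where TCPSocket 3310 is enabled; parse_scan_reply can be exercised offline on SAMPLE_REPLY.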
Problems with permission
Error message: lstat() failed: Permission denied.
-> In the file /etc/clamav/clamd.conf, change AllowSupplementaryGroups false -> true (does not work)
-> Check the syslog on the target machine:
kernel: [64967.169911] audit: type=1400 audit(1515711368.823:26): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/var/www/" pid=12217 comm="clamd" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
This is what it is telling you:
- apparmor="DENIED": AppArmor denied something based on a profile (we will get to that later).
- operation="open": the operation AppArmor denied (in this case opening something, probably a file).
- profile="/usr/sbin/clamd": the profile that made AppArmor deny this action.
- name="/var/www/": the file that something was trying to open.
- pid=12217: the PID of the process trying to open it.
- comm="clamd": the command/name of the process that tried to open it.
- requested_mask="r": what the process (clamd here) wanted to do with the file (r for read in this case).
- denied_mask="r": what AppArmor stopped it from doing.
So, in plain English, clamd wanted to read the website files under /var/www, AppArmor decided it had no business there, and it blocked the action according to the profile for /usr/sbin/clamd.
Why is AppArmor even there in the first place? AppArmor's main purpose is to prevent compromised applications and processes from doing things they should not.
This means AppArmor blocked clamd from reading /var/www. AppArmor profiles run in one of two modes, enforce and complain. Profiles loaded in enforce mode enforce the policy defined in the profile and also report policy violation attempts (via syslog or auditd). Profiles in complain mode do not enforce the policy but still report policy violation attempts.
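The audit record above is read field by field by hand; as an added example (not code from the original post), here is the same reading done programmatically over syslog lines, so denials for the clamd profile can be collected and checked before deciding how to change the profile. The first sample line is the record from the post; the other two are constructed so the filter has records to ignore.

```python
import re

# The first line is the audit record quoted in the post; the other two are
# constructed (a profile-load status record and a denial from another profile)
# so the filter has something to ignore.
SAMPLE_LOG = [
    'kernel: [64967.169911] audit: type=1400 audit(1515711368.823:26): '
    'apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" '
    'name="/var/www/" pid=12217 comm="clamd" requested_mask="r" '
    'denied_mask="r" fsuid=113 ouid=0',
    'kernel: [64970.000001] audit: type=1400 audit(1515711371.000:27): '
    'apparmor="STATUS" operation="profile_load" profile="unconfined" '
    'name="/usr/sbin/clamd" pid=12300 comm="apparmor_parser"',
    'kernel: [64980.000002] audit: type=1400 audit(1515711381.000:28): '
    'apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" '
    'name="/home/user/capture.pcap" pid=12400 comm="tcpdump" '
    'requested_mask="w" denied_mask="w" fsuid=0 ouid=1000',
]

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_record(line):
    """Return the key=value fields of one AppArmor audit line (quotes
    stripped), or None when the line is not an AppArmor record."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def explain_denial(fields):
    """Render a DENIED record the way the post reads it field by field."""
    if fields.get("apparmor") != "DENIED":
        return None
    return "profile %s denied %s (pid %s) %s on %s: wanted %s, denied %s" % (
        fields.get("profile"), fields.get("comm"), fields.get("pid"),
        fields.get("operation"), fields.get("name"),
        fields.get("requested_mask"), fields.get("denied_mask"))


def profile_denials(log_lines, profile="/usr/sbin/clamd"):
    """Collect {path: set(denied_mask)} for one profile, which shows exactly
    what the profile blocks before deciding whether to relax it."""
    denied = {}
    for line in log_lines:
        f = parse_apparmor_record(line)
        if f and f.get("apparmor") == "DENIED" and f.get("profile") == profile:
            denied.setdefault(f.get("name"), set()).add(f.get("denied_mask"))
    return denied
```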
We can check the mode of the profile by:
$ sudo apparmor_status
apparmor module is loaded.
56 profiles are loaded.
19 profiles are in enforce mode.
   ...
   /usr/sbin/clamd
   ...
37 profiles are in complain mode.
   ...
3 processes have profiles defined.
3 processes are in enforce mode.
   ...
   /usr/sbin/clamd (6923)
We should put it in complain mode. Install the package "apparmor-utils", then run "sudo aa-complain /usr/sbin/clamd"; this moves the profile from enforce to complain mode. If the process is already running in enforce mode, we also need to restart AppArmor and the process:
sudo service apparmor restart
sudo service clamav-daemon restart
Then check the clamd profile status is in the complain mode:
$ sudo apparmor_status
...
1 processes are in complain mode.
   /usr/sbin/clamd (13764)