11.11.2019

How to install Clam AntiVirus (ClamAV) on a VPS or server with CentOS

ClamAV (Clam AntiVirus) is antivirus software for UNIX systems (versions for other operating systems, Windows and Apple Mac OS X, also exist). It is a popular free product licensed under the GNU General Public License.

ClamAV Efficiency

With ClamAV you can find malicious files on the server, but it does not give a 100% guarantee of accurate analysis and scanning for malicious threats in sites, scripts, engines, and other software. For example, encoded malicious PHP or JavaScript code will not raise any suspicion in ClamAV, and the report will indicate that there are no malicious files (Infected files: 0). In addition, if the malicious code is not in the engine files but in the database, ClamAV will not help either. Nevertheless, a ClamAV scan is the first thing to do if you suspect malware on the server. The antivirus detects all kinds of web shells quite well; see the examples of scan reports below.

Installing Clam AntiVirus (ClamAV) on a VPS / VDS or CentOS Server

Now let's go through installing Clam AntiVirus (ClamAV) on a VPS / VDS or a dedicated server running CentOS, step by step.

1. Install / enable the EPEL repository.

2. Install Clam AntiVirus (ClamAV) on the server:

yum install clamav clamd

3. Start the clamd service (for scanning mail) and enable it at boot

chkconfig clamd on
/etc/init.d/clamd start

4. Update the signature database

/usr/bin/freshclam

Set up daily ClamAV scanning

Now let's set up a daily scan of the directory with our sites, for example /var/www/

5. Create a cron file

vim /etc/cron.daily/manual_clamscan

6. Add the following lines to the file

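#!/bin/bash
# Directory to scan recursively
SCAN_DIR="/var/www"
# Log file that each daily run appends to
LOG_FILE="/var/log/clamav/manual_clamscan.log"
# -i: report only infected files, -r: recurse into subdirectories
/usr/bin/clamscan -i -r "$SCAN_DIR" >> "$LOG_FILE"

Here SCAN_DIR is the directory to be scanned.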

7. Now make our cron script executable

chmod +x /etc/cron.daily/manual_clamscan

That's all! Clam AntiVirus (ClamAV) is installed and will perform a daily scan of the SCAN_DIR directory (in our case it is /var/www/).

If mail is not used on the server, you can skip clamd and install only ClamAV with the following command

yum --enablerepo=epel -y install clamav
[root@server ~]# yum --enablerepo=epel -y install clamav
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.serverspace.co.uk
 * epel: mirror.bytemark.co.uk
 * extras: centos.serverspace.co.uk
 * openvz-kernel-rhel5: ftp.ticklers.org
 * updates: centos.serverspace.co.uk
epel                                                     | 3.6 kB     00:00
epel/primary_db                                          | 2.9 MB     00:00
Excluding Packages from CentOS-5 - Updates
Finished
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package clamav.i386 0:0.99-3.el5 set to be updated
--> Processing Dependency: clamav-db = 0.99-3.el5 for package: clamav
---> Package clamav.x86_64 0:0.99-3.el5 set to be updated
--> Running transaction check
---> Package clamav-db.x86_64 0:0.99-3.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch             Version              Repository      Size
================================================================================
Installing:
 clamav              i386             0.99-3.el5           epel           1.8 M
 clamav              x86_64           0.99-3.el5           epel           1.6 M
Installing for dependencies:
 clamav-db           x86_64           0.99-3.el5           epel           102 M

Transaction Summary
================================================================================
Install       3 Package(s)
Upgrade       0 Package(s)

Total download size: 106 M
Downloading Packages:
(1/3): clamav-0.99-3.el5.x86_64.rpm                      | 1.6 MB     00:00
(2/3): clamav-0.99-3.el5.i386.rpm                        | 1.8 MB     00:00
(3/3): clamav-db-0.99-3.el5.x86_64.rpm                   | 102 MB     00:14
--------------------------------------------------------------------------------
Total                                           7.0 MB/s | 106 MB     00:15
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : clamav-db                                                1/3
  Installing     : clamav                                                   2/3
  Installing     : clamav                                                   3/3

Installed:
  clamav.i386 0:0.99-3.el5              clamav.x86_64 0:0.99-3.el5

Dependency Installed:
  clamav-db.x86_64 0:0.99-3.el5

Complete!

To run a ClamAV scan, enter the command clamscan with the flags -r (scan files in subdirectories) and -i (display information only about infected files)

clamscan -r -i

If no malicious files are detected, the report will contain a line Infected files: 0

---------- SCAN SUMMARY -----------
Known viruses: 3105755
Engine version: 0.98.1
Scanned directories: 867
Scanned files: 7102
Infected files: 0
Data scanned: 54.85 MB
Data read: 33.64 MB (ratio 1.63:1)

And now some real reports with the threats found

/var/www/user/data/www/domain.com/images/stories/.logs/xh: Hacktool.Fakeproc FOUND
/var/www/user/data/www/domain.com/images/stories/.logs/crot: Trojan.Eggdrop-117 FOUND
/var/www/user/data/www/domain.com/images/stories/.logs/httpd: Trojan.Eggdrop-118 FOUND
/var/www/user/data/www/domain.com/images/stories/.logs/t3394: Linux.RST.B FOUND
/var/www/user/data/www/domain.com/images/stories/xbot.jpg: Trojan.Perlbot FOUND
/var/www/user/data/www/domain.com/images/stories/petx.php: PHP.Hide FOUND
/var/www/user/data/www/domain.com/images/stories/x.php: PHP.Shell-22 FOUND
/var/www/user/data/www/domain.com/images/stories/eggMAGIC.tar.gz: Linux.RST.B FOUND
/var/www/user/data/www/domain.com/images/stories/mind.php: PHP.Shell-22 FOUND
/var/www/user/data/www/domain.com/icon0.php: PHP.Hide FOUND
/var/www/user/data/www/domain.com/logs/rdp/psc: Trojan.Linux.RST.b FOUND
----------- SCAN SUMMARY -----------
Known viruses: 3578535
Engine version: 0.98.4
Scanned directories: 3422
Scanned files: 24841
Infected files: 11
Data scanned: 155.40 MB
Data read: 125.98 MB (ratio 1.23:1)

/var/www/user/data/www/domain.net/images/smilies/index.php: PHP.Shell-38 FOUND
/var/www/user/data/www/domain.net/images/banners/index.php: PHP.Shell-38 FOUND
/var/www/user/data/www/domain.net/images/stories/0d4y.php: PHP.Hide FOUND
/var/www/user/data/www/domain.net/images/stories/0d4y.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.net/images/stories/mua.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.net/images/stories/nethome.gif: PHP.Hide FOUND
----------- SCAN SUMMARY -----------
Known viruses: 3009764
Engine version: 0.97.8
Scanned directories: 2153
Scanned files: 46223
Infected files: 6

/var/www/user/data/wp-conf.php: Trojan.PHP-43 FOUND
/var/www/user/data/www/wp-conf.php: Trojan.PHP-43 FOUND
/var/www/user/data/www/domain.org/administrator/mobileSgh.php: PHP.Trojan.Spambot FOUND
/var/www/user/data/www/domain.org/images/stories/img848m.php.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.org/images/stories/im1067n1g.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.org/images/stories/img599m.php.gif: Trojan.PHP-43 FOUND
/var/www/user/data/www/domain.org/images/stories/img418m.php.gif: Trojan.PHP-43 FOUND
/var/www/user/data/www/domain.org/images/stories/im1847n4g.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.org/images/stories/im4045n8g.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.org/images/stories/im6436n2g.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.org/images/stories/img839m.php.gif: Trojan.PHP-43 FOUND
/var/www/user/data/www/domain.org/images/stories/im1215n7g.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.org/images/stories/img987m.php.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.org/images/stories/pageinfo.php: PHP.Hide FOUND
/var/www/user/data/www/domain.org/wp-conf.php: Trojan.PHP-43 FOUND
/var/www/user/data/www/domain.org/cache/wp-conf.php: Trojan.PHP-43 FOUND
/var/www/user/data/www/domain.org/cache/wthm9521g.php: Trojan.PHP-43 FOUND
/var/www/user/data/www/domain.in/sydata.php: PHP.Shell-84 FOUND
/var/www/user/data/www/domain.in/sys.php: PHP.Shell-38 FOUND
/var/www/user/data/www/domain.ru/images/images.php: PHP.Hide FOUND
/var/www/user/data/www/domain.ru/images/stories/muakero.php: PHP.Hide FOUND
/var/www/user/data/www/domain.ru/images/stories/tir1683.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.ru/images/stories/tir1657.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.ru/images/stories/explore.php: PHP.Hide FOUND
/var/www/user/data/www/domain.ru/images/stories/3xp.php: PHP.Hide FOUND
/var/www/user/data/www/domain.ru/images/stories/functions.php: PHP.Hide FOUND
/var/www/user/data/www/domain.ru/cache/images.php: PHP.Hide FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3226138
Engine version: 0.98.1
Scanned directories: 1805
Scanned files: 14565
Infected files: 8
Data scanned: 247.81 MB
Data read: 387.98 MB (ratio 0.64:1)
Time: 79.985 sec (1 m 19 s)   
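
The daily cron job above appends every run to one log file, so reading it means separating the latest run from older ones. The following is an added example, not part of the original article: it extracts the most recent run's findings, counts them per signature, and lists PHP detections in files that do not end in .php (as with the .gif files in the reports above). The function names and the sample log are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original article; function names are hypothetical.

# Print "path<TAB>signature" for the most recent run in the log. The cron job
# appends (>>), so findings from earlier runs are discarded when a new run starts.
latest_run_findings() {
    awk '
        / FOUND$/ {
            if (closed) { n = 0; closed = 0 }       # first finding of a new run
            sub(/ FOUND$/, "")
            i = match($0, /: [^ ]+$/)               # last ": signature" on the line
            if (i) out[++n] = substr($0, 1, i - 1) "\t" substr($0, i + 2)
            next
        }
        /SCAN SUMMARY/ { if (closed) n = 0; closed = 1 }   # run with no findings
        END { for (k = 1; k <= n; k++) print out[k] }
    ' "$1"
}

# "count signature" for the latest run, most frequent first.
signature_counts() {
    latest_run_findings "$1" | cut -f2 | sort | uniq -c |
        sort -k1,1nr -k2 | awk '{ print $1, $2 }'
}

# Paths where a PHP signature fired on a file not named *.php (e.g. a .gif upload).
disguised_php() {
    latest_run_findings "$1" |
        awk -F'\t' '$2 ~ /PHP/ && tolower($1) !~ /\.php$/ { print $1 }'
}

# Constructed sample log: two appended runs (paths are made up).
sample_log() {
    cat <<'EOF'
/var/www/site/images/stories/old.php: PHP.Shell-22 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
/var/www/site/images/stories/pic1.gif: PHP.Hide FOUND
/var/www/site/images/stories/img2.php.gif: Trojan.PHP-43 FOUND
/var/www/site/cache/conf.php: Trojan.PHP-43 FOUND

----------- SCAN SUMMARY -----------
Infected files: 3
EOF
}

log=$(mktemp); sample_log > "$log"
signature_counts "$log"; disguised_php "$log"; rm -f "$log"
```

On a real server, pass /var/log/clamav/manual_clamscan.log to the functions instead of the sample file.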
