Linux security – Antivirus

Just a quick note on scanning files on Linux. By far the most popular AV program on Linux is ClamAV. To install it (Debian):

apt-get install clamav clamav-daemon

Run the initial AV definition update:

# freshclam
ClamAV update process started at Sun Mar 27 13:55:19 2016
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99 Recommended version: 0.99.1
DON'T PANIC! Read http://www.clamav.net/support/faq
Empty script main-56.cdiff, need to download entire database
Downloading daily.cvd [100%]
daily.cvd updated (version: 21475, sigs: 83902, f-level: 63, builder: jesler)
Downloading bytecode-272.cdiff [100%]
Downloading bytecode-273.cdiff [100%]
Downloading bytecode-274.cdiff [100%]
Empty script bytecode-275.cdiff, need to download entire database
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
Database updated (4302737 signatures) from db.local.clamav.net (IP: 129.67.1.218)
Clamd successfully notified about the update.

Now, to scan a folder recursively and display only the list of infected files, just run:

clamscan -r -i /folder/to/scan

Once the scan completes, a scan summary is displayed:

----------- SCAN SUMMARY -----------
Known viruses: 4297365
Engine version: 0.99
Scanned directories: 60
Scanned files: 318
Infected files: 0
Data scanned: 805.54 MB
Data read: 27979.70 MB (ratio 0.03:1)
Time: 55.183 sec (0 m 55 s)
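
A small cron-friendly wrapper around the scan above, added here as an example (not from the original post). It maps clamscan's exit status (0 clean, 1 infections found, 2 error), pulls the "FOUND" lines and the "Infected files" count out of the report, and includes a constructed sample report in clamscan -r -i format so the parsing can be tried without a real scan.

```shell
#!/bin/sh
# Added example: wrap clamscan for a scheduled job and parse its report.
# clamscan exit codes: 0 = clean, 1 = infections found, 2 = scan error.

# Print "path -> signature" for every "... FOUND" line in a report read from stdin.
infected_list() {
    sed -n 's/^\(.*\): \(.*\) FOUND$/\1 -> \2/p'
}

# Print the "Infected files" count from the scan summary on stdin (0 if absent).
infected_count() {
    n=$(sed -n 's/^Infected files: \([0-9]*\)$/\1/p')
    echo "${n:-0}"
}

# Scan a directory, keep the report file, and return clamscan's own exit status.
scan_dir() {
    dir=$1
    report=${2:-/tmp/clamscan-report.txt}
    if clamscan -r -i "$dir" > "$report"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "clean: $dir" ;;
        1) echo "infected: $(infected_count < "$report") file(s) under $dir"
           infected_list < "$report" ;;
        *) echo "scan error (exit $rc), see $report" ;;
    esac
    return $rc
}

# Constructed sample report (not real clamscan output) in clamscan -r -i format.
SAMPLE_REPORT='/srv/upload/eicar.com: Eicar-Test-Signature FOUND
/srv/upload/a b.txt: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4297365
Engine version: 0.99
Scanned directories: 2
Scanned files: 5
Infected files: 2
Data scanned: 0.01 MB
Data read: 0.01 MB (ratio 1.00:1)
Time: 0.100 sec (0 m 0 s)'

# Demonstration on the constructed report: count, then the list of hits.
printf '%s\n' "$SAMPLE_REPORT" | infected_count
printf '%s\n' "$SAMPLE_REPORT" | infected_list
```

In a real job call `scan_dir /folder/to/scan /var/log/clamscan-last.txt` and act on the return value; the sample report is only there to exercise the parsing.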

LINUX – ClamAV Unofficial Signatures Updater

The clamav-unofficial-sigs script provides a simple way to download, test, and update third-party signature databases provided by Sanesecurity, FOXHOLE, OITC, Scamnailer, BOFHLAND, CRDF, Porcupine, Securiteinfo, MalwarePatrol. The package also contains cron, logrotate, and man files.

https://github.com/extremeshok/clamav-unofficial-sigs

The “original” script deployed via apt-get or yum is outdated and generates many error messages, mainly because some of the DBs are no longer free and require an account in order to download the files.

Clamscan reports SecuriteInfo database integrity problems

For the last few days I was getting emails from my email server with the following content:

Clamscan reports SecuriteInfo honeynet.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/var/cache/clamav-unofficial-sigs/si-dbs/honeynet.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1183) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: honeynet.hdb - SKIPPING
Clamscan reports SecuriteInfo securiteinfobat.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/var/cache/clamav-unofficial-sigs/si-dbs/securiteinfobat.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1183) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfobat.hdb - SKIPPING
Clamscan reports SecuriteInfo securiteinfodos.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/var/cache/clamav-unofficial-sigs/si-dbs/securiteinfodos.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1183) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfodos.hdb - SKIPPING
Clamscan reports SecuriteInfo securiteinfoelf.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/var/cache/clamav-unofficial-sigs/si-dbs/securiteinfoelf.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1183) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfoelf.hdb - SKIPPING
Clamscan reports SecuriteInfo securiteinfooffice.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/var/cache/clamav-unofficial-sigs/si-dbs/securiteinfooffice.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1183) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfooffice.hdb - SKIPPING
Clamscan reports SecuriteInfo securiteinfopdf.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/var/cache/clamav-unofficial-sigs/si-dbs/securiteinfopdf.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1183) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfopdf.hdb - SKIPPING
Clamscan reports SecuriteInfo securiteinfosh.hdb database integrity tested BAD - SKIPPING
rsync: link_stat "/var/cache/clamav-unofficial-sigs/si-dbs/securiteinfosh.hdb" failed: No such file or directory (2)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1183) [sender=3.1.1]
Failed to successfully update SecuriteInfo production database file: securiteinfosh.hdb - SKIPPING

As per http://lurker.clamav.net/message/20150423.072453.3394b584.en.html, I edited my /usr/share/clamav-unofficial-sigs/conf.d/00-clamav-unofficial-sigs.conf file and commented out this section:

# ========================
# SecuriteInfo Database(s)
# ========================
# Add or remove database file names between quote marks as needed. To
# disable any SecuriteInfo database downloads, remove the appropriate
# lines below. To disable all SecuriteInfo database file downloads,
# comment all of the following lines.
#si_dbs="
#honeynet.hdb
#securiteinfo.hdb
#securiteinfobat.hdb
#securiteinfodos.hdb
#securiteinfoelf.hdb
#securiteinfohtml.hdb
#securiteinfooffice.hdb
#securiteinfopdf.hdb
#securiteinfosh.hdb
#"