ClamAV – The antivirus you are looking for!

Funny names! why, oh why?

I use ClamAV on my workstations. So what is ClamAV and why is it a big deal? ClamAV [site] is a powerful Free/Open source software cross platform anti-virus framework that is licensed under GNU GPL. It is based on the libclamav library and hence it’s more a framework than a product.

Do I need an anti-virus?

Now some of you *nix users may be asking yourselves the obvious question:

I’m running *nix. Do I need an anti-virus at all?

The short answer is “YES”. The long answer? It depends. While there are not many Linux viruses (virii?) in the wild, that’s only because the authors of malware are mainly interested in targeting systems with a large user base, and the Windows desktop user base is currently larger than that of Linux. That could change if the Linux user base grows significantly.

There is no silver bullet for security. Security is a mindset. It’s a practice. Having a system that detects and quarantines viruses is a single part of a set of good security practices. Although Linux isn’t very prone to virus infections, it’s a good idea to have a strong anti-virus running for these reasons:

  1. Your system might inadvertently play host to viruses from flash drives
  2. You might have a file server or a NAS server that Windows users connect to
  3. You might be running a mail server.

Why ClamAV?

That said, why ClamAV? For starters, it’s free software (as in freedom 😉). It’s also free of cost. That’s not to say it’s not powerful. It is. In fact, in several tests it fared way better than several popular commercial anti-virus systems (that I’m not going to name) in terms of detection rate, speed, being light on resources, etc. If you want to see some of those benchmarks, DuckDuckGo is your friend.

It’s cross platform. It works on BSD systems, Linux, MacOS and Windows. On Linux, ClamAV is mostly command line based, but you can install the graphical packages that are available from the repos. The Windows version can be downloaded directly from their website. The graphical package for Linux is called clamtk.

clamtk interface

Installing ClamAV on Linux

# apt-get -y install clamav  # Debian based systems
# yum -y install clamav # Redhat based systems

To scan your system

$ clamscan -r /home/user #scan home directory recursively
$ clamscan -i -r /home/user #print only infected files
# clamscan -i -r / #scanning root directory with sudo

Programming with libclamav

Language bindings. At ClamAV’s core is libclamav, a library that can be used directly from your own programs, and there are language bindings you can use to scan for viruses if your program deals with files.

# apt-get install -y python-pyclamav

Unfortunately, using pip to install is too complicated and in some cases, simply doesn’t work. If you know your way around pip, then you can try installing clamav or pyclamav packages. You might need to manually resolve dependencies like cffi, etc.

$ pip search clam
$ pip install clamav #option1 with dependency hell or..
$ pip install pyclamav #option2 

Image by Cubmundo on Wikimedia

I haven’t tried installing the other packages. Moving on. Using the clamav library from a program is simple and straightforward. Here’s a Python example.

#!/usr/bin/python
import os
import pyclamav

tmpfile = '/home/user/eicar.com.txt'

# scanfile returns (infected, signature): infected is 1 if the file
# matches a signature and 0 if it is clean
infected, name = pyclamav.scanfile(tmpfile)
if infected:
    print("File infected with %s. Deleting file." % name)
    os.unlink(tmpfile)
else:
    print("File is clean!")

Here, we import the pyclamav library and then scan a sample test file (eicar.com.txt) for viruses. pyclamav.scanfile returns a tuple of two values: the infection status and the name of the detected signature. The infection status is 1 (true) if the file is infected and 0 (false) if it is clean.

Note on EICAR test file

EICAR is short for European Institute for Computer Antivirus Research. They publish a test file with a unique signature that all anti-virus software detects as if it were a virus, although the file is actually harmless. This file is used simply to test whether the anti-virus in question works or not. You can download the various formats of the files containing the test virus here. Note that the Chrome browser will not let you download it because it’s identified as a virus, so use wget or similar tools.

Clam Daemon

ClamAV can also run in the background as a daemon, clamd. The daemon just listens on a socket waiting for connections and provides anti-virus scanning for any service or program that requests it. Installing it is fairly straightforward on Debian based systems.

# apt-get install clamav-daemon

The clamav-daemon can also scan data streams!
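As an added example (not code from the post or from the ClamAV project), here is a small Python 3 client that talks to clamd over its Unix socket and scans a file as a data stream using the daemon's INSTREAM command. It mirrors the pyclamav example above by returning the same (infected, signature) pair, and it illustrates the stream scanning the daemon offers. The socket path /var/run/clamav/clamd.ctl is an assumption (Debian's default; check the LocalSocket setting in your clamd.conf), and the file path in the usage line is the same example path the post uses. The framing and the reply format are those of the clamd protocol: after zINSTREAM, each chunk is a 4-byte big-endian length followed by the data, a zero-length chunk ends the stream, and the reply is "stream: <signature> FOUND", "stream: OK" or an ERROR message, NUL-terminated.

```python
# Added example: a minimal clamd INSTREAM client using only the standard library.
import socket
import struct

# Debian's default clamd Unix socket; an assumption, adjust to your clamd.conf.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"
CHUNK_SIZE = 4096


def build_instream_frames(data, chunk_size=CHUNK_SIZE):
    """Frame bytes as clamd expects after the zINSTREAM command:
    a 4-byte big-endian length before each chunk, and a zero-length
    chunk to terminate the stream."""
    frames = []
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        frames.append(struct.pack(">I", len(chunk)) + chunk)
    frames.append(struct.pack(">I", 0))
    return b"".join(frames)


def parse_clamd_reply(reply):
    """Turn a NUL-terminated clamd reply into (infected, signature).
    An ERROR reply raises instead of being mistaken for a clean result."""
    text = reply.decode("utf-8", "replace").rstrip("\x00\n")
    if text.endswith(" FOUND"):
        # "stream: <signature> FOUND"
        signature = text[:-len(" FOUND")].partition(": ")[2]
        return True, signature
    if text.endswith("OK"):
        return False, None
    raise RuntimeError("clamd error: %s" % text)


def scan_bytes(data, socket_path=CLAMD_SOCKET):
    """Scan an in-memory buffer through clamd's INSTREAM command."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(socket_path)
        sock.sendall(b"zINSTREAM\0")
        sock.sendall(build_instream_frames(data))
        reply = b""
        # 'z'-prefixed commands get a NUL-terminated reply
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_clamd_reply(reply)


def scan_file(path, socket_path=CLAMD_SOCKET):
    """Stream a file's contents to clamd; the daemon never needs read
    access to the file itself, which is the point of INSTREAM."""
    with open(path, "rb") as f:
        return scan_bytes(f.read(), socket_path)


if __name__ == "__main__":
    # Same example path as the post's pyclamav snippet
    infected, name = scan_file("/home/user/eicar.com.txt")
    print("File infected with %s" % name if infected else "File is clean!")
```

Because the bytes travel over the socket, this works for content that only exists in memory (an uploaded attachment, a message body) and for files the clamd user cannot read, which is the usual reason to prefer INSTREAM over the SCAN command. Note that clamd enforces a StreamMaxLength limit and answers with an ERROR reply when it is exceeded; the parser above raises in that case rather than reporting the data as clean.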

So what do you think? Have you used ClamAV? Was it effective? Tell us in the comments!
