1. Maintaining Virus and Malware Software

Here is how to install and set up ClamAV on a Debian-based system:

# apt-get update

# apt-get install clamav

This installs the following packages:

clamav clamav-base clamav-freshclam libbz2-1.0 libclamav1 libcurl3 libgmp3 libidn11 ucf

Before updating the virus database manually, review the following two configuration files. Both are generated by the Debian postinst scripts and can be regenerated with dpkg-reconfigure clamav-base and dpkg-reconfigure clamav-freshclam; edit them by hand only for settings the reconfigure dialog does not cover:

more /etc/clamav/clamd.conf

#Automatically Generated by clamav-base postinst

#To reconfigure clamd run #dpkg-reconfigure clamav-base

#Please read /usr/share/doc/clamav-base/README.Debian.gz for details

LocalSocket /var/run/clamav/clamd.ctl

FixStaleSocket true

LocalSocketGroup clamav

LocalSocketMode 666

# TemporaryDirectory is not set to its default /tmp here to make overriding

# the default with environment variables TMPDIR/TMP/TEMP possible

User clamav

AllowSupplementaryGroups true

ScanMail true

ScanArchive true

ArchiveBlockEncrypted false

MaxDirectoryRecursion 15

FollowDirectorySymlinks false

FollowFileSymlinks false

ReadTimeout 180

MaxThreads 12

MaxConnectionQueueLength 15

LogSyslog true

LogFacility LOG_LOCAL6

LogClean false

LogVerbose true

PidFile /var/run/clamav/clamd.pid

DatabaseDirectory /var/lib/clamav

SelfCheck 3600

Foreground false

Debug false

ScanPE true

ScanOLE2 true

ScanHTML true

DetectBrokenExecutables false

ExitOnOOM false

LeaveTemporaryFiles false

AlgorithmicDetection true

ScanELF true

IdleTimeout 30

PhishingSignatures true

PhishingScanURLs true

PhishingAlwaysBlockSSLMismatch false

PhishingAlwaysBlockCloak false

DetectPUA false

ScanPartialMessages false

HeuristicScanPrecedence false

StructuredDataDetection false

CommandReadTimeout 5

SendBufTimeout 200

MaxQueue 100

ExtendedDetectionInfo true

OLE2BlockMacros false

StreamMaxLength 25M

LogFile /var/log/clamav/clamav.log

LogTime true

LogFileUnlock false

LogFileMaxSize 0

Bytecode true

BytecodeSecurity TrustSigned

BytecodeTimeout 60000

OfficialDatabaseOnly false

CrossFilesystems true
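The dump above is mostly the Debian default, but a few lines deserve a second look before the daemon goes into service. LocalSocketMode 666 makes the control socket writable by every local user, and clamd accepts management commands such as RELOAD and SHUTDOWN over that socket, not only scan requests, so any local account can stop the scanner; 660 together with LocalSocketGroup clamav is the tighter choice. DetectPUA false, ArchiveBlockEncrypted false and OLE2BlockMacros false are defensible on a workstation but are the options people usually expect to be on when ClamAV guards a mail gateway. The script below is an added example, not part of the original page or of the ClamAV project: it parses a clamd.conf (comments ignored, last value of a repeated key wins) and reports where the file is looser than a baseline. The baseline is this editor's suggestion, not a ClamAV recommendation, and the sample configuration it ships with is a constructed excerpt of the dump above.

```shell
#!/bin/sh
# audit-clamd-conf.sh: report clamd.conf settings that are looser than a
# stricter baseline. Added example for this page; the baseline is this
# editor's suggestion, not a ClamAV default or recommendation.

# clamd_opt FILE KEY: effective value of KEY. clamd.conf holds one
# "Key value" per line, '#' starts a comment, and if a key is repeated the
# last occurrence is the one that counts, so the last match is printed.
clamd_opt() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key        { v = $2 }
        END              { if (v != "") print v }
    ' "$1"
}

# norm_bool VALUE: clamd accepts yes/no, true/false and 1/0; map them to
# true/false so they can be compared, pass anything else through unchanged.
norm_bool() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        yes|true|1) echo true ;;
        no|false|0) echo false ;;
        *)          printf '%s\n' "$1" ;;
    esac
}

# socket_world_writable MODE: true when the "other" octal digit of MODE has
# the write bit set (666, 0666, 662 ...). Anyone who can write to the clamd
# socket can send it RELOAD or SHUTDOWN, not only scan requests.
socket_world_writable() {
    mode=$1
    last=${mode#"${mode%?}"}
    case $last in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# audit_clamd FILE: print "Key current -> suggested" for each deviation;
# return 0 when the file already matches the baseline, 1 otherwise.
audit_clamd() {
    rc=0
    mode=$(clamd_opt "$1" LocalSocketMode)
    if [ -n "$mode" ] && socket_world_writable "$mode"; then
        printf 'LocalSocketMode %s -> 660 (socket is world-writable)\n' "$mode"
        rc=1
    fi
    for pair in DetectPUA:true ArchiveBlockEncrypted:true OLE2BlockMacros:true \
                FollowFileSymlinks:false FollowDirectorySymlinks:false; do
        key=${pair%%:*}; want=${pair#*:}
        have=$(norm_bool "$(clamd_opt "$1" "$key")")
        if [ "$have" != "$want" ]; then
            printf '%s %s -> %s\n' "$key" "${have:-(unset)}" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# sample_clamd_conf: constructed excerpt carrying the values from the page's
# clamd.conf dump, so the audit can be tried without touching /etc.
sample_clamd_conf() {
    cat <<'EOF'
# Automatically Generated by clamav-base postinst
LocalSocket /var/run/clamav/clamd.ctl
LocalSocketGroup clamav
LocalSocketMode 666
User clamav
ScanArchive true
ArchiveBlockEncrypted false
FollowDirectorySymlinks false
FollowFileSymlinks false
DetectPUA false
OLE2BlockMacros false
EOF
}

# Usage: sh audit-clamd-conf.sh /etc/clamav/clamd.conf   (or --demo)
case ${1:-} in
    --demo) tmp=$(mktemp); sample_clamd_conf >"$tmp"; audit_clamd "$tmp" || true; rm -f "$tmp" ;;
    "")     ;;
    *)      audit_clamd "$1" && echo "no deviations from baseline" ;;
esac
```

Run it with --demo to see the four findings for the configuration shown above, or point it at /etc/clamav/clamd.conf. After tightening LocalSocketMode, restart clamd so the socket is recreated with the new mode; the group must then contain every account that is meant to talk to the daemon.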

more /etc/clamav/freshclam.conf

Note: if /etc/clamav/freshclam.conf has been made immutable (chattr +i), editing it fails until the immutable attribute is cleared with chattr -i /etc/clamav/freshclam.conf; lsattr shows whether it is set, and chattr +i puts it back afterwards if that protection was intended. As the file header says, hand-written comments are lost when the package is reconfigured.

# Automatically created by the clamav-freshclam postinst

# Comments will get lost when you reconfigure the clamav-freshclam package


HTTPProxyPort 8080

DatabaseOwner clamav

UpdateLogFile /var/log/clamav/freshclam.log

LogVerbose true

LogSyslog true

LogFacility LOG_LOCAL6

LogFileMaxSize 0

LogTime true

Foreground false

Debug false

MaxAttempts 5

DatabaseDirectory /var/lib/clamav

DNSDatabaseInfo current.cvd.clamav.net

AllowSupplementaryGroups false

PidFile /var/run/clamav/freshclam.pid

ConnectTimeout 30

ReceiveTimeout 30

TestDatabases yes

ScriptedUpdates yes

CompressLocalDatabase no

Bytecode true

# Check for new database 24 times a day

Checks 24

DatabaseMirror db.local.clamav.net

DatabaseMirror database.clamav.net

Now download the current virus definitions by running freshclam once, as root:

# freshclam

ClamAV update process started at Thu Feb 26 05:56:55 2015

Connecting via

Downloading main.cvd [ 6%]

A run against databases that are already current reports instead (older sample output):

ClamAV update process started at Mon Sep 11 16:27:40 2006

main.cvd is up to date (version: 40, sigs: 64138, f-level: 8, builder: tkojm)

daily.cvd is up to date (version: 1859, sigs: 4556, f-level: 8, builder: ccordes)

Note: if freshclam cannot connect, check the DNS configuration first. Before it contacts a mirror it looks up the current database versions in DNS (the DNSDatabaseInfo current.cvd.clamav.net record from freshclam.conf), so a host that cannot resolve names fails at this step. If the host reaches the Internet only through a proxy, the HTTPProxyPort 8080 line above needs a matching HTTPProxyServer line, or freshclam will not use the proxy.

Test a scan manually before adding it to the scheduler:

# /usr/bin/clamscan -l /var/log/clamav/scan_out --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' -r /

--exclude-dir takes a regular expression, so anchor it with ^: an unanchored /dev would also skip any directory whose path merely contains "/dev". Exclude /proc and /sys as a whole rather than only /sys/module, because their pseudo-files are not data and only produce read errors or very slow scans. Scan / rather than /*; the shell glob skips dot-entries in the root directory. clamscan exits 0 when nothing was found, 1 when a file was flagged and 2 on an error, which a scheduled job can use to decide whether to raise an alert.

Auto-updating your virus database with the cron scheduler

freshclam is the default database updater for Clam AntiVirus. It can work in two modes:

interactive - run from the command line or from crontab, reporting verbosely

daemon - running on its own, silently

When started by the superuser it drops privileges and switches to the clamav user. freshclam uses the database.clamav.net round-robin DNS, which automatically selects a database mirror. freshclam is an advanced tool: it supports database version verification through DNS, proxy servers (with authentication), digital signatures and various error scenarios. Quick test: run freshclam (as superuser) with no parameters and check the output. If everything is OK you may create the log file in /var/log, owned by clamav or by whichever user freshclam runs as (see --user).

The other method is to use the cron daemon. Add the following lines to the crontab of root or of the clamav user.

Note: set your preferred editor first, e.g.:

export EDITOR=vi

For example, to scan files and folders for viruses automatically every night, add a job to your crontab. A crontab line has five schedule fields followed by the command:

minute hour day-of-month month day-of-week

where * means every value and day-of-week runs from 0 (Sunday) to 6 (Saturday). Edit your crontab file:

# crontab -e

Append the following lines at the end of the file. The day-of-week field of the scan line must be *; a 0 there would run the scan only on Sundays, not nightly.

# ClamAV nightly scan at 01:01

01 01 * * * (. "$HOME/.profile" && /usr/bin/clamscan -l /var/log/clamav/scan_out --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' -r / )

# Freshclam: check for a new database once a day, at 23:30

30 23 * * * /usr/bin/freshclam

If the clamav-freshclam package installed above is already running freshclam as a daemon (the Debian default; the Checks 24 line in freshclam.conf sets that daemon's frequency), leave the freshclam cron line out: two updaters competing for /var/lib/clamav gain nothing, and the daemon already checks more often than once a day.
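A bare clamscan line in cron has three weaknesses the page does not address: two runs overlap if a scan takes longer than a day, the exit status (0 clean, 1 infected, 2 error) is thrown away, and nobody reads scan_out unless something tells them to. The wrapper below is an added example, not from the original page or from the ClamAV project: it re-executes itself under flock(1) so that a late run is skipped rather than stacked, appends the full report to the page's log file, and parses the "Infected files:" summary line so that the job prints (and cron therefore mails) only when there is something to act on. The lock file path, the script location and the constructed sample report are assumptions.

```shell
#!/bin/sh
# clamscan-nightly.sh: cron wrapper around clamscan.
# Added example for this page, not a ClamAV script. Assumed paths:
#   LOG  - where the full scan report is appended (same file the page uses)
#   LOCK - lock file so that overlapping nightly runs do not pile up
LOG=/var/log/clamav/scan_out
LOCK=/var/lock/clamscan.lock

# scan_status CODE: translate clamscan's exit status into a word.
# clamscan exits 0 when nothing was found, 1 when a file matched, 2 on error.
scan_status() {
    case $1 in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo "unknown($1)" ;;
    esac
}

# infected_count FILE: the N from the "Infected files: N" summary line, 0 if absent.
infected_count() {
    awk -F': *' '/^Infected files:/ { n = $2 } END { print n + 0 }' "$1"
}

# found_files FILE: the "path: Signature FOUND" lines of a scan report.
found_files() {
    grep ' FOUND$' "$1" || true
}

# run_scan: scan the whole filesystem, append the report to $LOG and print a
# short summary only when something needs attention (cron mails any output
# to the crontab owner, so a clean night produces no mail).
run_scan() {
    out=$(mktemp) || return 2
    # --exclude-dir is a regular expression, hence the ^ anchors; /proc, /sys
    # and /dev hold pseudo-files that are useless or harmful to scan.
    /usr/bin/clamscan -r -i \
        --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' \
        / >"$out" 2>&1
    rc=$?
    { printf '=== %s exit=%s ===\n' "$(date '+%F %T')" "$rc"; cat "$out"; } >>"$LOG"
    if [ "$rc" -ne 0 ]; then
        printf 'clamscan: %s (exit %s), %s infected file(s)\n' \
            "$(scan_status "$rc")" "$rc" "$(infected_count "$out")"
        found_files "$out"
    fi
    rm -f "$out"
    return "$rc"
}

# sample_scan_log: constructed clamscan output (one hit on an EICAR test
# file) used to exercise the parsers above; not real scan data.
sample_scan_log() {
    cat <<'EOF'
/home/alice/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Scanned directories: 12
Scanned files: 345
Infected files: 1
Time: 4.321 sec (0 m 4 s)
EOF
}

# Usage from cron (assumed install path):
#   01 01 * * * /usr/local/sbin/clamscan-nightly.sh --run
# --run re-executes the script under the lock; flock -n gives up at once
# if last night's scan is still running instead of starting a second one.
case ${1:-} in
    --run)    exec flock -n "$LOCK" "$0" --locked ;;
    --locked) run_scan ;;
esac
```

With -i only the flagged files appear in the captured output, so the mail a hit produces is short: one status line plus the FOUND lines. Keep the page's -l log if you also want the clean-run summaries; the wrapper appends the same information to $LOG itself.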

Next, install rkhunter. Please use the reference guide:


Make sure to set up your $HOME/.wgetrc file correctly before installing rkhunter, as shown in the guide linked above.

Run a full check that reports only the warnings:

# rkhunter --configfile /etc/rkhunter.conf --report-warnings-only --checkall

On this host the run reports one warning, because sshd and rkhunter disagree about root logins over SSH:

Warning: The SSH and rkhunter configuration options should be the same:

SSH configuration option 'PermitRootLogin': no

Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': yes

FIX: edit /etc/rkhunter.conf (vi /etc/rkhunter.conf) and set ALLOW_SSH_ROOT_USER=no. Change the rkhunter side, not sshd: PermitRootLogin no is the secure setting, and ALLOW_SSH_ROOT_USER only tells rkhunter which value to expect in sshd_config, so that a later change to PermitRootLogin shows up as a warning.
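The warning above is a consistency check between two files, and it is worth keeping that check outside rkhunter too, for example in the same cron job, because the two files drift apart for different reasons (a distribution upgrade rewriting sshd_config, an admin loosening PermitRootLogin "temporarily"). The script below is an added example, not part of the original page or of the rkhunter project. It reads PermitRootLogin the way sshd does (the first value wins, and anything inside a Match block is conditional and therefore ignored), reads ALLOW_SSH_ROOT_USER from rkhunter.conf, and can apply the FIX from the page. The helper names and the constructed test files are assumptions.

```shell
#!/bin/sh
# ssh-rkhunter-check.sh: keep sshd_config and rkhunter.conf in agreement
# about root logins. Added example for this page, not part of rkhunter.

# sshd_opt FILE KEY: effective global value of an sshd_config keyword.
# sshd keeps the FIRST value it reads for a keyword, so a second
# "PermitRootLogin" line lower down is silently ignored; settings inside a
# Match block apply conditionally, so parsing stops at the first Match.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == key          { print $2; exit }
    ' "$1"
}

# rkhunter_opt FILE KEY: value of KEY=value in rkhunter.conf. This helper
# keeps the last assignment and strips quotes and whitespace.
rkhunter_opt() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key        { v = $2; gsub(/[[:space:]"]/, "", v) }
        END              { if (v != "") print v }
    ' "$1"
}

# set_rkhunter_opt FILE KEY VALUE: rewrite (or append) KEY=VALUE in FILE.
# The temp-file dance avoids sed -i, whose syntax differs between platforms.
set_rkhunter_opt() {
    if grep -q "^$2=" "$1"; then
        sed "s/^$2=.*/$2=$3/" "$1" >"$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >>"$1"
    fi
}

# check_ssh_root SSHD_CONFIG RKHUNTER_CONF: 0 if consistent, 1 on mismatch,
# 2 if sshd_config leaves PermitRootLogin to its version-dependent default
# (older OpenSSH defaulted to yes, newer releases to prohibit-password).
check_ssh_root() {
    ssh=$(sshd_opt "$1" PermitRootLogin)
    rkh=$(rkhunter_opt "$2" ALLOW_SSH_ROOT_USER)
    if [ -z "$ssh" ]; then
        echo "sshd_config: PermitRootLogin is not set; the default depends on the OpenSSH version, set it to 'no' explicitly"
        return 2
    fi
    [ "$ssh" = yes ] && echo "note: sshd permits root logins; PermitRootLogin no is the tighter setting"
    if [ "$ssh" = "$rkh" ]; then
        echo "ok: PermitRootLogin and ALLOW_SSH_ROOT_USER are both '$ssh'"
        return 0
    fi
    echo "mismatch: sshd PermitRootLogin=$ssh, rkhunter ALLOW_SSH_ROOT_USER=${rkh:-(unset)}"
    echo "fix: set_rkhunter_opt $2 ALLOW_SSH_ROOT_USER $ssh"
    return 1
}

# Usage: sh ssh-rkhunter-check.sh /etc/ssh/sshd_config /etc/rkhunter.conf
if [ $# -eq 2 ]; then
    check_ssh_root "$1" "$2"
fi
```

The check deliberately refuses to guess when PermitRootLogin is absent: the right move there is to write the line into sshd_config, not to pick a value for rkhunter. When both files say no, rkhunter's own test passes again and the page's warning disappears.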