Author of this document: Joel Barrios
Email: darksrham on gmail.com
Please note this configuration is meant and recommended only for file servers (Samba) and desktop setups.
Requirements:
- Linux Kernel >= 3.8 compiled with CONFIG_FANOTIFY=y and CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
- ClamAV >= 0.99.0 < 0.102.0
- In the ClamAV configuration, one or more directories to be monitored will be defined (OnAccessIncludePath). It can be used to monitor shared directories through Samba or simply to monitor /home or /home/user/Downloads.
- Install the clamav-scanner-systemd, clamav-server-systemd and clamav-update packages.
yum -y install clamav-scanner-systemd clamav-server-systemd clamav-update
- Three files are required: a tmpfile (clamd-scanonaccess-tmpfiles.conf), a systemd unit file (clamd@scanonaccess.service) and a configuration file (scanonaccess.conf.systemd). Install each one to its respective place.
install -m 0644 clamd@scanonaccess.service /usr/lib/systemd/system/clamd@scanonaccess.service
install -m 0644 scanonaccess.conf.systemd /etc/clamd.d/scanonaccess.conf
install -m 0644 clamd.scanonaccess-tmpfiles.conf /usr/lib/tmpfiles.d/clamd-scanonaccess.conf
- Edit /etc/clamd.d/scanonaccess.conf and define the directories to be monitored (OnAccessIncludePath; you can define several lines with OnAccessIncludePath). It's imperative that clamd runs as root (User root), and I recommend using only the official signatures published by the ClamAV project to avoid false positives (OfficialDatabaseOnly yes).
- Create the directory /run/clamd.scanonaccess (the tmpfile will take care of doing it during the next boot):
mkdir -m 0710 /run/clamd.scanonaccess
chgrp clamupdate /run/clamd.scanonaccess
- Update units in systemd, enable and start service:
systemctl daemon-reload
systemctl enable clamd@scanonaccess
systemctl start clamd@scanonaccess
- The activity log will be in /var/log/clamd-scanonaccess.log. Leave it open with tail -f while performing tests.
tail -f /var/log/clamd-scanonaccess.log
- Test the service by trying to upload files with viruses through Samba while watching the log file. Infected files will be uploaded as empty files.
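
A preflight check for the steps above, as an added example that is not part of the original document: it verifies the two kernel options and the three clamd settings this guide names before the service is started. The script name preflight.sh, the function names and the kernel config path /boot/config-$(uname -r) are assumptions.

```shell
#!/bin/sh
# Added example: preflight check for the on-access setup in this guide.
# Usage (the kernel config path is an assumption; adjust to your system):
#   sh preflight.sh "/boot/config-$(uname -r)" /etc/clamd.d/scanonaccess.conf

# check_kernel FILE: succeed only if both fanotify options are built in (=y).
check_kernel() {
    rc=0
    for opt in CONFIG_FANOTIFY CONFIG_FANOTIFY_ACCESS_PERMISSIONS; do
        if ! grep -qx "${opt}=y" "$1"; then
            echo "kernel: ${opt}=y not found in $1" >&2
            rc=1
        fi
    done
    return $rc
}

# conf_values FILE KEY: print the value of every active KEY line.
# Commented-out lines never match: their first field starts with '#'.
conf_values() {
    awk -v key="$2" '$1 == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print }' "$1"
}

# check_clamd_conf FILE: verify the settings this guide asks for.
check_clamd_conf() {
    rc=0
    [ "$(conf_values "$1" User)" = "root" ] ||
        { echo "clamd: User must be root" >&2; rc=1; }
    [ "$(conf_values "$1" OfficialDatabaseOnly)" = "yes" ] ||
        { echo "clamd: OfficialDatabaseOnly yes is not set" >&2; rc=1; }
    paths=$(conf_values "$1" OnAccessIncludePath)
    [ -n "$paths" ] || { echo "clamd: no OnAccessIncludePath line" >&2; rc=1; }
    # One path per line; reading line by line keeps paths with spaces intact.
    while IFS= read -r p; do
        [ -z "$p" ] || [ -d "$p" ] ||
            { echo "clamd: $p is not a directory" >&2; rc=1; }
    done <<EOF
$paths
EOF
    return $rc
}

# Run both checks only when called with the two file arguments.
if [ $# -eq 2 ]; then
    check_kernel "$1" && check_clamd_conf "$2" && echo "prerequisites OK"
fi
```

Each failed check is reported on stderr, and the script prints "prerequisites OK" only when every check passes.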
Source: https://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html