Using the ClamAV daemon to scan files placed in my Downloads directory in Gentoo Linux
March 5, 2017 7 Comments
In a previous post I explained how to automatically detect files placed in my Downloads directory in Linux and scan them for viruses. The method I described in that post used clamscan, the command-line anti-virus scanner of ClamAV. ClamAV also has a daemon (a program that runs continuously in the background), clamd, with a client program, clamdscan, that hands files to the daemon for scanning, and you can enable these instead. So I decided to switch to using clamdscan, as its response to downloaded files is much faster: the process waiting for new files to appear in ~/Downloads/ does not have to load clamscan (and the whole virus signature database with it) from disk each time a new file arrives, because the daemon already holds the database in memory. Anyway, if you want to monitor a download directory in Gentoo Linux (running OpenRC) by using the ClamAV daemon — which will also download virus signature database updates automatically — then the procedure to set this up is given below.
1. Install clamav if it is not installed already:
root # emerge clamav
2. Add the service to the default runlevel:
root # rc-update add clamd default
The daemon will be launched automatically next time the computer boots.
3. The first download of the virus database has to be done manually:
root # freshclam
4. Start the daemon now:
root # rc-service clamd start
5. Create the Bash script ~/monitorDownloadsGUI with the following contents:
#!/bin/bash
DIR=$HOME/Downloads
# Get rid of old log file, if any
rm "$HOME/virus-scan.log" 2> /dev/null
# Make 'read' split only on newlines (and backspace), so file names containing spaces survive intact
IFS=$(echo -en "\n\b")
# Optionally, you can use shopt to avoid creating two processes due to the pipe
shopt -s lastpipe
# Added '--recursive' so that a directory copied into $DIR also triggers clamscan/clamdscan, although downloads
# from the Web would just be files, not directories.
inotifywait --quiet --monitor --event close_write,moved_to --recursive --format '%w%f' "$DIR" | while read -r FILE
do
  # Have to check file length is nonzero otherwise commands may be repeated
  if [ -s "$FILE" ]; then
    # Replace 'date >' with 'date >>' if you want to keep log file entries for previous scans.
    date > "$HOME/virus-scan.log"
    # --fdpass passes an open file descriptor to clamd, so the daemon (running as user clamav) can read
    # a file in your home directory; --move quarantines anything it flags
    clamdscan --fdpass --move="$HOME/virus-quarantine" "$FILE" >> "$HOME/virus-scan.log"
    kdialog --title "Virus scan of $FILE" --msgbox "$(cat "$HOME/virus-scan.log")"
  fi
done
Make it executable:
user $ chmod +x ~/monitorDownloadsGUI
6. Create the directory ~/virus-quarantine/ to store infected files pending investigation/deletion:
user $ mkdir ~/virus-quarantine
7. Install kdialog if it is not already installed:
root # emerge kdialog
8. Use ‘System Settings’ > ‘Startup and Shutdown’ > ‘Autostart’ to add the script ~/monitorDownloadsGUI to the list of script files that are automatically started each time you log in to KDE.
9. Log out then back in again, and you should see that everything is running as expected:
user $ rc-status | grep clam
clamd [ started ]
user $ ps -ef | grep clam | grep -v grep
clamav 1920 1 0 01:48 ? 00:00:00 /usr/sbin/clamd
clamav 1929 1 0 01:48 ? 00:00:00 /usr/bin/freshclam -d
user $ ps -ef | grep GUI | grep -v grep
fitzcarraldo 9143 8971 0 13:56 ? 00:00:00 /bin/bash /home/fitzcarraldo/.config/autostart-scripts/monitorDownloadsGUI.sh
10. To test, surf to http://www.eicar.org/ and download one of the EICAR test files into your ~/Downloads/ directory. You should see a pop-up KDialog window with a message similar to the following:
Virus scan of /home/fitzcarraldo/Downloads/eicarcom2.zip — KDialog
Mon 27 Feb 14:05:26 GMT 2017
/home/fitzcarraldo/Downloads/eicarcom2.zip: Eicar-Test-Signature FOUND
/home/fitzcarraldo/Downloads/eicarcom2.zip: moved to ‘/home/fitzcarraldo/virus-quarantine/eicarcom2.zip’
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.001 sec (0 m 0 s)
Note that the above-mentioned pop-up window may be preceded by one or more pop-up windows with an error message. I’m using the Chrome browser at the moment, but you may get a similar message if you are using another browser. Here is an example:
Virus scan of /home/fitzcarraldo/Downloads/.com.google.Chrome.Uh3oGm — KDialog
Mon 27 Feb 14:16:30 GMT 2017
/home/fitzcarraldo/Downloads/.com.google.Chrome.Uh3oGm: Access denied. ERROR
----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)
Read the error message and click ‘OK’, as this is not an actual problem; it is inotifywait detecting temporary files in the ~/Downloads/ directory during the download process. With larger files sometimes several such messages are displayed, presumably because the file being downloaded is being opened and closed more than once during the downloading process. This issue does not occur if you copy or move a file into ~/Downloads/ from another directory in your installation; try it and see for yourself. Then you only get the one pop-up window with the scan result for the file you put in ~/Downloads/.
Also have a look in ~/virus-quarantine/ and you will see the EICAR test file in that directory. You can delete it if you want (it is not infected with a real virus, so does no harm).
In future be sure to read the messages in the pop-up windows before clicking ‘OK’, as they will inform you that an infected file has been moved to the quarantine directory.
That’s all there is to it. Very simple, and quite handy if you want to check quickly that files you download don’t have a malware payload. Just make sure you download all files into ~/Downloads/ or they will not be checked automatically. Also, if you are given e.g. a USB pen drive with a file on it, you can copy the file to ~/Downloads/ if you want it to be scanned for malware.
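As an added example (not the script from the post above, and not part of ClamAV), here is a variant of the same inotifywait loop that deals with the two rough edges mentioned above: it skips the partial-download names browsers use (Chrome’s .com.google.Chrome.XXXXXX files seen in the error pop-up, plus *.crdownload and Firefox’s *.part, which are assumed names not listed in the post) so they never reach the scanner, and it takes its verdict from clamdscan’s documented exit status (0 = no virus, 1 = virus found, 2 = error) instead of from the log text, so clean files give a quiet notification and only detections and scanner errors interrupt you. It assumes inotifywait, clamdscan, notify-send and kdialog are installed and that ~/virus-quarantine already exists (step 6). The loop only starts when the script is run with --monitor, so the functions can also be sourced and checked on their own.

```shell
#!/bin/bash
# Added example, not the original monitorDownloadsGUI script: same inotifywait
# loop, with a filter for in-progress download names and a verdict taken from
# clamdscan's exit status. Assumes inotifywait, clamdscan, notify-send and
# kdialog are installed and the quarantine directory exists.

DIR="${DIR:-$HOME/Downloads}"
QUARANTINE="${QUARANTINE:-$HOME/virus-quarantine}"
LOG="${LOG:-$HOME/virus-scan.log}"

# Exit 0 if the base name is one a browser uses while a download is still in
# progress: Chrome's .com.google.Chrome.XXXXXX (seen in the post) and
# *.crdownload, Firefox's *.part (assumed). The finished file arrives later as
# a moved_to event under its real name, so nothing is missed by skipping these.
is_transient_name() {
    case "${1##*/}" in
        .com.google.Chrome.*|*.crdownload|*.part) return 0 ;;
        *) return 1 ;;
    esac
}

# Scan only finished, non-empty paths (the post's '-s' check, plus the filter).
should_scan() {
    if is_transient_name "$1"; then
        return 1
    fi
    [ -s "$1" ]
}

# clamdscan's documented exit status: 0 = no virus, 1 = virus found, 2 = error.
verdict() {
    case "$1" in
        0) echo CLEAN ;;
        1) echo INFECTED ;;
        *) echo ERROR ;;
    esac
}

# Scan one path, quarantine on detection, and report according to the verdict.
scan_and_report() {
    file=$1
    rc=0
    date > "$LOG"
    clamdscan --fdpass --move="$QUARANTINE" "$file" >> "$LOG" || rc=$?
    case "$(verdict "$rc")" in
        CLEAN)    notify-send "Virus scan" "$file: clean" ;;
        INFECTED) kdialog --title "Virus scan of $file" --msgbox "$(cat "$LOG")" ;;
        ERROR)    notify-send -u critical "Virus scan" "$file: scanner error, see $LOG" ;;
    esac
}

# inotifywait prints one path per line; 'IFS= read -r' keeps spaces and
# backslashes in file names intact without changing IFS globally.
monitor() {
    inotifywait --quiet --monitor --event close_write,moved_to --recursive \
        --format '%w%f' "$DIR" |
    while IFS= read -r file; do
        if should_scan "$file"; then
            scan_and_report "$file"
        fi
    done
}

# Start the loop only when asked, so the functions above can also be sourced.
if [ "${1:-}" = "--monitor" ]; then
    monitor
fi
```

To use it in place of the post’s script, add it to KDE’s Autostart with the --monitor argument (or wrap the call in a one-line script). Because the verdict comes from the exit status rather than from grepping the log, a scanner error (daemon not running, file unreadable) is reported as an error instead of looking like a clean result.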
I’d like to say that I’ve expanded a lot on this code, took me about a day. The changes I’ve done are:
-Changed popups to notifications
-Different notifications for safe/infected files
-A scanning prompt for files over 25MB
-Hid all files required so it works in the background
-Clears virus-quarantine for each login
This new code needs the ‘notify-send’ package for Debian-based OSes and this was designed to work for KDE5 on KDE neon.
For anybody interested in the code, it can be found here: https://mega.nz/#!PhxlQIgb!afMIf-stGyzsafJChoEHkFT3YtVRK7iwNwmCDUspuhM
Nice idea to use notify-send (notifications) instead of kdialog (dialogue windows). notify-send could also be used in GNOME and some other Desktop Environments. There are many different ways to skin a cat, as the saying goes (libnotify, dunst, xosd, xmessage, zenity, kdialog, gtkdialog, xdialog, etc.). By the way, in Gentoo the package that installs notify-send is libnotify, which would already be installed if a Desktop Environment like KDE or GNOME is already installed:
Pingback: Preventing Lubuntu 18.04 from leaving a user process running after the user logs out | Fitzcarraldo's Blog
Pingback: Moving from Lubuntu 18.04 to 20.10 | Fitzcarraldo's Blog
At the suggestion of Gentoo Linux user Haraldpeter I have added the option ‘--fdpass’ to the clamdscan command in the script, which prevents the ‘Access denied’ error messages while a large file is being downloaded.
The blog post was written in March 2017 when the on-access scanner USE flag did not exist in the app-antivirus/clamav ebuild in Gentoo Linux. Even in October 2019 it did not exist:
I think the on-access scanner USE flag was introduced in the ebuild for ClamAV 0.102.0 or thereabouts. If the on-access scanner were mandatory or essential then there would not be a USE flag to allow the user to omit it.
If enabled, the ClamAV on-access scanner will scan a file when anything tries to read, write or execute that file. On the other hand, the ClamAV daemon will scan a file when my script tells it to scan a file. I am only interested in scanning files downloaded to, or moved to, or changed while in, the directory ~/Downloads/. My script already fulfils that role without needing the ClamAV on-access scanner, and displays an alarm if the ClamAV daemon detects an infection in a new or changed file in ~/Downloads/ explicitly, so I have not bothered to enable the ClamAV on-access scanner in my Gentoo Linux installations. Basically, my script is performing on-access scanning, i.e. it does essentially the same thing that the ClamAV on-access scanner does.
On-access scanning: Whenever you open, save, copy or rename a file, clamonacc scans the file and grants access to it only if it does not pose a threat to your computer or has been authorised for use.
On-demand scanning: On-demand is when you initiate a scan. You can scan anything from a single file to your entire computer.
So my script is performing on-access scanning specifically of the contents of the ~/Downloads/ directory. Therefore I do not need to enable ClamAV’s on-access scanning as well.
Pingback: Using GeckoLinux to resurrect my old nettop | Fitzcarraldo's Blog