Using the ClamAV daemon to scan files placed in my Downloads directory in Gentoo Linux

In a previous post I explained how to automatically detect files placed in my Downloads directory in Linux and scan them for viruses. The method I described in that post used clamscan, the command-line anti-virus scanner of ClamAV. In addition, ClamAV has a daemon (a program that runs continuously in the background), clamdscan, that you can enable. So I decided to switch to using clamdscan, as its response to downloaded files is much faster: the process waiting for new files to appear in ~/Downloads/ does not have to load clamscan from disk each time a new file arrives. If you want to monitor a download directory in Gentoo Linux (running OpenRC) by using the ClamAV daemon, which will also download virus signature database updates automatically, the procedure to set this up is given below.

1. Install clamav if it is not installed already:

root # emerge clamav

2. Add the service to the default runlevel:

root # rc-update add clamd default

The daemon will be launched automatically next time the computer boots.

3. The first download of the virus database has to be done manually:

root # freshclam

4. Start the daemon now:

root # rc-service clamd start

5. Create the Bash script ~/monitorDownloadsGUI with the following contents:

#!/bin/bash

# Directory to monitor
DIR="$HOME/Downloads"

# Get rid of old log file, if any
rm "$HOME/virus-scan.log" 2> /dev/null

IFS=$(echo -en "\n\b")

# Optionally, you can use shopt to avoid creating two processes due to the pipe
shopt -s lastpipe
# Added '--recursive' so that a directory copied into $DIR also triggers clamscan/clamdscan, although downloads
# from the Web would just be files, not directories.
inotifywait --quiet --monitor --event close_write,moved_to --recursive --format '%w%f' "$DIR" | while read -r FILE
do
    # Have to check file length is nonzero otherwise commands may be repeated
    if [ -s "$FILE" ]; then
        # Replace 'date >' with 'date >>' if you want to keep log file entries for previous scans.
        date > "$HOME/virus-scan.log"
        # --fdpass hands clamd an open file descriptor, so the daemon does not need its own read access to the file
        clamdscan --fdpass --move="$HOME/virus-quarantine" "$FILE" >> "$HOME/virus-scan.log"
        kdialog --title "Virus scan of $FILE" --msgbox "$(cat "$HOME/virus-scan.log")"
    fi
done

Make it executable:

user $ chmod +x ~/monitorDownloadsGUI

6. Create the directory ~/virus-quarantine/ to store infected files pending investigation/deletion:

user $ mkdir ~/virus-quarantine

7. Install kdialog if it is not already installed:

root # emerge kdialog

8. Use ‘System Settings’ > ‘Startup and Shutdown’ > ‘Autostart’ to add the script ~/monitorDownloadsGUI to the list of script files that are automatically started each time you log in to KDE.

9. Log out then back in again, and you should see that everything is running as expected:

user $ rc-status | grep clam
 clamd                                                             [  started  ]

user $ ps -ef | grep clam | grep -v grep
clamav    1920     1  0 01:48 ?        00:00:00 /usr/sbin/clamd
clamav    1929     1  0 01:48 ?        00:00:00 /usr/bin/freshclam -d

user $ ps -ef | grep GUI | grep -v grep
fitzcarraldo      9143  8971  0 13:56 ?        00:00:00 /bin/bash /home/fitzcarraldo/.config/autostart-scripts/

10. To test, surf to and download one of the EICAR test files into your ~/Downloads/ directory. You should see a pop-up KDialog window with a message similar to the following:

Virus scan of /home/fitzcarraldo/Downloads/ — KDialog

Mon 27 Feb 14:05:26 GMT 2017
/home/fitzcarraldo/Downloads/ Eicar-Test-Signature FOUND
/home/fitzcarraldo/Downloads/ moved to ‘/home/fitzcarraldo/virus-quarantine/’

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.001 sec (0 m 0 s)

Note that the above-mentioned pop-up window may be preceded by one or more pop-up windows with an error message. I’m using the Chrome browser at the moment, but you may get a similar message if you are using another browser. Here is an example:

Virus scan of /home/fitzcarraldo/Downloads/ — KDialog ?

Mon 27 Feb 14:16:30 GMT 2017
/home/fitzcarraldo/Downloads/ Access denied. ERROR

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)

Read the error message and click ‘OK’, as this is not an actual problem; it is inotifywait detecting temporary files in the ~/Downloads/ directory during the download process. With larger files sometimes several such messages are displayed, presumably because the file being downloaded is being opened and closed more than once during the downloading process. This issue does not occur if you copy or move a file into ~/Downloads/ from another directory in your installation; try it and see for yourself. Then you only get the one pop-up window with the scan result for the file you put in ~/Downloads/.

Also have a look in ~/virus-quarantine/ and you will see the EICAR test file in that directory. You can delete it if you want (it is not infected with a real virus, so does no harm).

In future be sure to read the messages in the pop-up windows before clicking ‘OK’, as they will inform you that an infected file has been moved to the quarantine directory.
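The pop-ups described above mix harmless 'Access denied' errors on partial downloads with real detections, so the one that matters is easy to click past. The following is an added example, not part of the original post: helper functions that skip in-progress download files and reduce clamdscan's output to a single verdict. The `.crdownload` and `.part` suffixes are assumptions about how Chrome and Firefox name partial downloads, and the sample log lines and file names are constructed.

```bash
# Added example, not from the original post: helpers the monitor loop could call.

# Return 0 if the path looks like a finished download, 1 for in-progress temp files.
# Assumption: Chrome names partial downloads *.crdownload and Firefox *.part.
should_scan() {
    case "$1" in
        *.crdownload|*.part) return 1 ;;
    esac
    return 0
}

# Read clamdscan output on stdin and print one word: INFECTED, ERROR or CLEAN.
# A FOUND line always wins, so an error on one file cannot hide a detection.
classify_scan_log() {
    verdict=CLEAN
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *" FOUND") verdict=INFECTED ;;
            *" ERROR") [ "$verdict" = INFECTED ] || verdict=ERROR ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# Print the path of every file reported as infected (text before ": <signature> FOUND").
infected_files() {
    sed -n 's/^\(.*\): [^ ][^ ]* FOUND$/\1/p'
}

# Constructed sample logs in the format clamdscan prints (file names are made up).
SAMPLE_INFECTED='/home/user/Downloads/eicar.com: Eicar-Test-Signature FOUND
/home/user/Downloads/eicar.com: moved to /home/user/virus-quarantine/eicar.com
----------- SCAN SUMMARY -----------
Infected files: 1'
SAMPLE_ERROR='/home/user/Downloads/big.iso.crdownload: Access denied. ERROR
----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1'
SAMPLE_CLEAN='/home/user/Downloads/report.pdf: OK
----------- SCAN SUMMARY -----------
Infected files: 0'

# Stand-alone run: classify each constructed sample in turn.
for sample in "$SAMPLE_INFECTED" "$SAMPLE_ERROR" "$SAMPLE_CLEAN"; do
    printf '%s\n' "$sample" | classify_scan_log
done
```

In the monitor loop, call should_scan "$FILE" before clamdscan and pipe the log through classify_scan_log, showing the blocking dialog only for INFECTED while ERROR results stay in the log file.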

That’s all there is to it. Very simple, and quite handy if you want to check quickly that files you download don’t have a malware payload. Just make sure you download all files into ~/Downloads/ or they will not be checked automatically. Also, if you are given e.g. a USB pen drive with a file on it, you can copy the file to ~/Downloads/ if you want it to be scanned for malware.


About Fitzcarraldo
A Linux user with an interest in all things technical.

7 Responses to Using the ClamAV daemon to scan files placed in my Downloads directory in Gentoo Linux

  1. I’d like to say that I’ve expanded a lot on this code, took me about a day. The changes I’ve done are:

    -Changed popups to notifications
    -Different notifications for safe/infected files
    -A scanning prompt for files over 25MB
    -Hid all files required so it works in the background
    -Clears virus-quarantine for each login

    This new code needs the ‘notify-send’ package for Debian-based OSes and this was designed to work for KDE5 on KDE neon.

    For anybody interested in the code, it can be found here:!PhxlQIgb!afMIf-stGyzsafJChoEHkFT3YtVRK7iwNwmCDUspuhM

    • Fitzcarraldo says:

      Nice idea to use notify-send (notifications) instead of kdialog (dialogue windows). notify-send could also be used in GNOME and some other Desktop Environments. There are many different ways to skin a cat, as the saying goes (libnotify, dunst, xosd, xmessage, zenity, kdialog, gtkdialog, xdialog, etc.).

      By the way, in Gentoo the package that installs notify-send is libnotify, which would already be installed if a Desktop Environment like KDE or GNOME is already installed:

      # equery belongs -e /usr/bin/notify-send
       * Searching for /usr/bin/notify-send ... 
      x11-libs/libnotify-0.7.7-r1 (/usr/bin/libnotify-notify-send)
  2. Pingback: Preventing Lubuntu 18.04 from leaving a user process running after the user logs out | Fitzcarraldo's Blog

  3. Pingback: Moving from Lubuntu 18.04 to 20.10 | Fitzcarraldo's Blog

  4. Fitzcarraldo says:

    At the suggestion of Gentoo Linux user Haraldpeter I have added the option ‘--fdpass’ to the clamdscan command in the script, which prevents the ‘Access denied’ error messages while a large file is being downloaded.

  5. Fitzcarraldo says:

    The blog post was written in March 2017 when the on-access scanner USE flag did not exist in the app-antivirus/clamav ebuild in Gentoo Linux. Even in October 2019 it did not exist:

    $ eix -I clamav
    [I] app-antivirus/clamav
    Available versions: 0.101.2-r1 ~0.101.3 0.101.4 ~0.102.0-r1 {bzip2 clamdtop clamsubmit doc iconv ipv6 libclamav-only libressl metadata-analysis-api milter selinux static-libs test uclibc xml}
    Installed versions: 0.101.4(14:13:59 07/10/19)(bzip2 clamdtop iconv ipv6 xml -doc -libressl -metadata-analysis-api -milter -selinux -static-libs -test -uclibc)
    Description: Clam Anti-Virus Scanner

    I think the on-access scanner USE flag was introduced in the ebuild for ClamAV 0.102.0 or thereabouts. If the on-access scanner were mandatory or essential then there would not be a USE flag to allow the user to omit it.

    If enabled, the ClamAV on-access scanner will scan a file when anything tries to read, write or execute that file. On the other hand, the ClamAV daemon will scan a file when my script tells it to scan a file. I am only interested in scanning files downloaded to, or moved to, or changed while in, the directory ~/Downloads/. My script already fulfils that role without needing the ClamAV on-access scanner, and displays an alarm if the ClamAV daemon detects an infection in a new or changed file in ~/Downloads/ explicitly, so I have not bothered to enable the ClamAV on-access scanner in my Gentoo Linux installations. Basically, my script is performing on-access scanning, i.e. it does essentially the same thing that the ClamAV on-access scanner does.

    On-access scanning: Whenever you open, save, copy or rename a file, clamonacc scans the file and grants access to it only if it does not pose a threat to your computer or has been authorised for use.

    On-demand scanning: On-demand is when you initiate a scan. You can scan anything from a single file to your entire computer.

    So my script is performing on-access scanning specifically of the contents of the ~/Downloads/ directory. Therefore I do not need to enable ClamAV’s on-access scanning as well.

  6. Pingback: Using GeckoLinux to resurrect my old nettop | Fitzcarraldo's Blog
