Using ClamAV for Virus Scanning in FreeBSD

We provide FTP access to students for storing their work, songs, etc. in a limited space of around 100-150 MB per student.

Because of reports of viruses appearing on their PCs in the classroom, I have to scan their FTP accounts and remove any infection there before taking action at the PC level.

I use ClamAV from the FreeBSD ports tree to scan for viruses on the FTP server. Here are the steps:

*Make sure the ports tree is updated to the latest version first.*

1. Install ClamAV

ftp# cd /usr/ports/security/clamav && make install

2. Edit the rc.conf file and insert these lines:

clamav_freshclam_enable="YES"

clamav_clamd_enable="YES"

3. Start the ClamAV daemon

ftp# /usr/local/etc/rc.d/clamav-clamd start

4. Update the virus database

ftp# freshclam


ClamAV update process started at Fri Dec  5 16:02:20 2008
main.cvd is up to date (version: 49, sigs: 437972, f-level: 35, builder: sven)
Downloading daily-8684.cdiff [100%]
Downloading daily-8685.cdiff [100%]
Downloading daily-8686.cdiff [100%]
Downloading daily-8687.cdiff [100%]
…………………………

…..
Downloading daily-8718.cdiff [100%]
Downloading daily-8719.cdiff [100%]
Downloading daily-8720.cdiff [100%]
Downloading daily-8721.cdiff [100%]
Downloading daily-8722.cdiff [100%]
daily.cld updated (version: 8722, sigs: 32790, f-level: 38, builder: guitar)
Database updated (470762 signatures) from database.clamav.net (IP: 193.1.193.64)
Clamd successfully notified about the update.
ftp#

OK, it's time for a test scan:

ftp# clamscan -r -i -l scan.txt /home

See the report:

ftp# cat scan.txt

----------- SCAN SUMMARY -----------
Known viruses: 470392
Engine version: 0.94.2
Scanned directories: 22068
Scanned files: 118646
Infected files: 4
Data scanned: 6868.50 MB
Time: 1342.066 sec (22 m 22 s)

/home/materi/prog/tools/XBOX Emulator.zip: Trojan.Clicker-1009 FOUND
/home/materi/prog/tools/new/mirc616.exe: Trojan.IRCBot-2833 FOUND

/home/materi/prog/resource/freeware/mirc616.exe: Trojan.IRCBot-2833 FOUND

/home/hr/wew/antu.php: Trojan.PHP.C99Shell FOUND

Looks good, but I want a second opinion, so I install F-Prot from ports too and run the same test on the same directory. The response is different:

ftp# f-prot -ai /home
Virus scanning report  -  5 December 2008 @ 15:19

F-PROT ANTIVIRUS
Program version: 4.6.8
Engine version: 3.16.16

VIRUS SIGNATURE FILES
SIGN.DEF created 20 November 2008
SIGN2.DEF created 20 November 2008
MACRO.DEF created 20 November 2008

Search: /home
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER -AI

/home/materi/prog/tools/XBOX Emulator.zip->Sucess.exe  is a destructive program
/home/materi/prog/tools/XBOX Emulator.zip->NetBUIE.exe  is a security risk or a "backdoor" program
/home/materi/prog/tools/XBOX Emulator.zip->Archive.exe  is a security risk or a "backdoor" program
/home/hr/wew/antu.php  Infection: PHP/C99Shell.A

Results of virus scanning:

Files: 118761
MBRs: 0
Boot sectors: 0
Objects scanned: 126967
Infected: 1
Suspicious: 3
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 12:50
ftp#

Yes, F-Prot is faster, but the results matter more to me 🙂

I go with ClamAV.

P.S.:

To scan and remove in one go I use this command:

ftp# clamscan -r -i --remove -l scan_home.txt /home/mother/Prince
/home/mother/Prince/Pioneer/Prochat.zip: Trojan.Spy-6636 FOUND
/home/mother/Prince/Pioneer/Prochat.zip: Removed
/home/mother/Prince/Pioneer/Uncharted/Winace 2.11/keygen/CORE2000.EXE: Trojan.Packed-4 FOUND
/home/mother/Prince/Pioneer/Uncharted/Winace 2.11/keygen/CORE2000.EXE: Removed
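As an added example (not part of the original post), here is a small POSIX sh script that parses a clamscan log in the format of the scan.txt above and summarises the FOUND lines per student account, so each infected FTP account can be cleaned up in turn. It assumes home directories live directly under /home/<user>, as they do in the log; the sample log inside it is constructed, not real scan data.

```sh
#!/bin/sh
# Added example, not part of the original post: parse a clamscan log such as
# the scan.txt shown above and summarise the FOUND lines per student account.
# Assumption: home directories live directly under /home/<user>, as in the log.
set -eu

# Constructed sample log in clamscan's own output format (not real scan data).
SAMPLE_LOG='/home/materi/prog/tools/XBOX Emulator.zip: Trojan.Clicker-1009 FOUND
/home/materi/prog/tools/new/mirc616.exe: Trojan.IRCBot-2833 FOUND
/home/hr/wew/antu.php: Trojan.PHP.C99Shell FOUND
/home/hr/notes.txt: OK
----------- SCAN SUMMARY -----------
Infected files: 3'

# Read a clamscan log on stdin; print "user<TAB>path<TAB>signature" per hit.
# Paths may contain spaces (see "XBOX Emulator.zip"), so the split is done on
# the last ": " before the FOUND marker rather than on whitespace.
found_files() {
    awk '/ FOUND$/ {
        sub(/ FOUND$/, "")
        i = match($0, /: [^:]*$/)
        path = substr($0, 1, i - 1)
        sig  = substr($0, i + 2)
        split(path, p, "/")            # /home/<user>/... -> p[3] is the user
        printf "%s\t%s\t%s\n", p[3], path, sig
    }'
}

# Read a clamscan log on stdin; print "user<TAB>infected-file-count" per user.
per_user_counts() {
    found_files | cut -f1 | sort | uniq -c | awk '{ printf "%s\t%s\n", $2, $1 }'
}

# Demonstration on the constructed log. On the real server:
#   clamscan -r -i -l scan.txt /home ; per_user_counts < scan.txt
printf '%s\n' "$SAMPLE_LOG" | per_user_counts
```

Since ClamAV and F-Prot disagreed on three of the four files above, clamscan's `--move=DIR` option (quarantine) is a safer default than `--remove` when cleaning student accounts, because a false positive can then be restored.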
