March 23, 2016

ClamAV & OSX using MacPorts


ClamAV is a command-line virus scanner. It runs on all the major platforms: Windows, Linux, and OSX. You can download the source and install it from there, or you can follow these simple steps to install it using MacPorts.

To install ClamAV, first check which ports include clam by listing them:

port search clam

Then to install the files issue:

sudo port install clamav clam-server clamsmtp p5-mail-clamav

Once the ports are installed you'll need to configure ClamAV. The following is an extract from the port installation output:

To configure clamd and freshclam look for the following files:
    /opt/local/etc/clamd.conf
    /opt/local/etc/freshclam.conf

If these files do not exist you can copy the sample conf files into place:

    sudo cp /opt/local/etc/clamd.conf.sample /opt/local/etc/clamd.conf
    sudo cp /opt/local/etc/freshclam.conf.sample /opt/local/etc/freshclam.conf

Edit /opt/local/etc/clamd.conf to your liking, example:

# Comment out 'Example' near the top if it exists
    #Example
    LogFile /opt/local/var/log/clamav/clamd.log
    PidFile /opt/local/var/run/clamav/clamd.pid
    LocalSocket /opt/local/var/run/clamav/clamd.socket
    TCPSocket 3310
    TCPAddr 127.0.0.1
    Foreground yes

Edit /opt/local/etc/freshclam.conf to your liking, example:

# Comment out 'Example' near the top if it exists
    #Example
    UpdateLogFile /opt/local/var/log/clamav/freshclam.log
    PidFile /opt/local/var/run/clamav/freshclam.pid
    NotifyClamd /opt/local/etc/clamd.conf

The important thing when editing these configuration files is that the directories for clamd and freshclam point to the same directories. I let mine point to:

/opt/local/var/log/clamav/
/opt/local/var/run/clamav/

And make sure that TCPSocket and TCPAddr are set, enabling you to use ClamAV from within other programs. After installation you'll need to create an entry in the ports share directory. The reason for this is that ClamAV runs in this directory and the directory is not created on installation. Create it like this:

sudo mkdir -p /opt/local/share/clamav
sudo chown clamav:clamav /opt/local/share/clamav
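
The configuration requirements described above (Example commented out, TCPSocket and TCPAddr set, clamd and freshclam sharing the same log and run directories) can be checked mechanically. This is an added example, not part of the port's output or the original post; the function names are hypothetical, and the loopback check is an extra assumption, made because clamd's TCP socket has no authentication.

```python
import os

# The example settings from the post, embedded so the block runs offline.
CLAMD_SAMPLE = """#Example
LogFile /opt/local/var/log/clamav/clamd.log
PidFile /opt/local/var/run/clamav/clamd.pid
TCPSocket 3310
TCPAddr 127.0.0.1
"""
FRESHCLAM_SAMPLE = """#Example
UpdateLogFile /opt/local/var/log/clamav/freshclam.log
PidFile /opt/local/var/run/clamav/freshclam.pid
"""


def parse_conf(text):
    """Parse ClamAV 'Key value' lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, *rest = line.split(None, 1)
            conf[key] = rest[0].strip() if rest else ""
    return conf


def check_configs(clamd_text, freshclam_text):
    """Return a list of problems; an empty list means every check passed."""
    clamd, fresh = parse_conf(clamd_text), parse_conf(freshclam_text)
    problems = []
    for name, conf in (("clamd.conf", clamd), ("freshclam.conf", fresh)):
        if "Example" in conf:
            problems.append(f"{name}: 'Example' is not commented out")
    for key in ("TCPSocket", "TCPAddr"):
        if key not in clamd:
            problems.append(f"clamd.conf: {key} is not set")
    # Assumption added here: the clamd TCP socket should stay on loopback.
    if clamd.get("TCPAddr") not in (None, "127.0.0.1", "::1", "localhost"):
        problems.append("clamd.conf: TCPAddr is not a loopback address")
    for ckey, fkey in (("LogFile", "UpdateLogFile"), ("PidFile", "PidFile")):
        a, b = clamd.get(ckey), fresh.get(fkey)
        if a and b and os.path.dirname(a) != os.path.dirname(b):
            problems.append(f"{ckey}/{fkey} directories differ: {a} vs {b}")
    return problems


if __name__ == "__main__":
    print(check_configs(CLAMD_SAMPLE, FRESHCLAM_SAMPLE) or "configuration is consistent")
```

To check the real files, pass the contents of /opt/local/etc/clamd.conf and /opt/local/etc/freshclam.conf to check_configs.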

Now you're ready to create a fresh clam, issue:

sudo freshclam -v

Current working dir is /opt/local/share/clamav
Max retries == 3
ClamAV update process started at Thu Mar 24 00:01:09 2016
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 632
Software version from DNS: 0.99.1
main.cvd version from DNS: 57
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd version from DNS: 21470
daily.cld is up to date (version: 21470, sigs: 83891, f-level: 63, builder: neo)
bytecode.cvd version from DNS: 275
bytecode.cvd is up to date (version: 275, sigs: 45, f-level: 63, builder: amishhammer)


ClamAV will generate a new virus signature file. When it is done, you're ready to scan your box. This is done by:

clamscan -ro ~/

----------- SCAN SUMMARY -----------
Known viruses: 4297361
Engine version: 0.99.1
Scanned directories: 132235
Scanned files: 595659
Infected files: 0
Total errors: 4
Data scanned: 72096.62 MB
Data read: 136687.80 MB (ratio 0.53:1)
Time: 22133.709 sec (368 m 53 s)


It'll take loads of time to finish. As with almost all other command-line tools, --help or man clamscan displays all the options you can pass to the program. Next, you'll need to get ClamAV running automatically. Following the installation instructions, here is another extract:

Two launchd startup items have been installed.
To load clamd and freshclam do the following:
    sudo launchctl load -w /Library/LaunchDaemons/org.macports.clamd.plist
    sudo launchctl load -w /Library/LaunchDaemons/org.macports.freshclam.plist

To unload clamd and freshclam do the following:
    sudo launchctl unload -w /Library/LaunchDaemons/org.macports.clamd.plist
    sudo launchctl unload -w /Library/LaunchDaemons/org.macports.freshclam.plist

Issue both of the commands that load the daemons, then check that clamd is running.

ps -aef | grep clamd 

The result should look somewhat like this:

0 25965     1   0  4:52PM ??         0:07.78 /opt/local/sbin/clamd
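
Seeing the process in ps does not prove that clamd answers on the TCP socket from clamd.conf (127.0.0.1:3310). The following added example, which is not from the original post, speaks clamd's PING and INSTREAM commands directly; the function names are hypothetical and the scanned bytes are constructed sample data.

```python
import socket
import struct

CLAMD_ADDR = ("127.0.0.1", 3310)  # TCPAddr / TCPSocket from clamd.conf


def instream_frames(data, chunk_size=4096):
    """Frame data for INSTREAM: each chunk is a 4-byte big-endian length
    followed by the bytes; a zero-length chunk ends the stream."""
    frames = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        frames.append(struct.pack("!I", len(chunk)) + chunk)
    frames.append(struct.pack("!I", 0))
    return b"".join(frames)


def parse_reply(raw):
    """Turn a raw clamd reply into a (status, detail) tuple."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    if text == "PONG":
        return ("PONG", None)
    if text.endswith(" FOUND"):
        return ("FOUND", text[:-len(" FOUND")].split(": ", 1)[-1])
    if text.endswith(" ERROR"):
        return ("ERROR", text[:-len(" ERROR")])
    if text.endswith(": OK"):
        return ("OK", None)
    return ("UNKNOWN", text)


def clamd_request(payload, addr=CLAMD_ADDR, timeout=10.0):
    """Send one 'z' (null-terminated) command and read the reply."""
    with socket.create_connection(addr, timeout=timeout) as sock:
        sock.sendall(payload)
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    print(clamd_request(b"zPING\0"))
    print(clamd_request(instream_frames(b"constructed sample bytes")))
```

With clamd loaded, the first call returns a PONG status and the second an OK status; a refused connection means clamd is not listening on that address and port.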

If you are using Thunderbird and Firefox you can use ClamAV to scan your downloads and your mails. Install the Firefox add-on Fireclam, and the Thunderbird add-on clamdrib LIN.

The clamdrib LIN extension is meant for Linux only, but it all runs using the port version of ClamAV. Simply press the "Download for Linux anyway" link anyhow!


And import the add-on in Thunderbird. Ignore the *beware* message; if you do not trust me, check the contents of the plugin file, using unzip to extract it and inspect the code. It doesn't look malicious to me.

Next, go to the Thunderbird add-on, and select the clamdrib preferences. Configure it to connect to the clamd available on localhost:3310.


Now, all you have to do to verify that ClamAV is running is to check your mail.


The ClamAV status is shown in the green blob above. The information is also shown in the preview pane in Thunderbird.
