I have deep misgivings about "anti-virus" software. The immutable commercial AV tools that bedevil all Windows installations have been far more pernicious to me personally than any actual putative viruses. Although I work in the pharmaceutical industry, I can’t think of a business with more of a conflict of interest than "anti-virus" companies.

That said, it does seem that there is some malware out there that is well-known, easily characterized, identifiable, and simple to eradicate. This is what I’m going to focus on.

ClamAV

Because of the conflict of interest issue and the reprehensible extortionate marketing tactics of the major commercial providers, I’m going to focus mainly on ClamAV, an open source (GPL) antivirus engine that runs especially well on Unix/Linux.

I’m running ClamAV on my backup file servers during off hours. The idea is that in the window between one backup run from my main server and the next, the backed-up material can be scanned essentially off-line, without loading the production machine.

Installation

My file servers run Gentoo and getting ClamAV was as simple as:

emerge -avuD clamav

The default installation does not come with a signature database pre-installed, and without one clamscan has nothing to match against. To fetch it you need to run a helper program called freshclam. This program’s actions are controlled by /etc/freshclam.conf.

When freshclam runs, it logs its activities to /var/log/clamav/freshclam.log. Make sure your clock is right (/etc/init.d/ntp status) and run:

freshclam -v

It should tell you some interesting things and ultimately say something nice like:

Database updated (1306932 signatures) from database.clamav.net

Have a look in /var/lib/clamav/ to see that things are being populated properly; you should find the database files there (main.cvd and daily.cvd, or their .cld equivalents once incremental updates have been applied).

Running

My usage mode is to simply get ClamAV to tell me if it recognizes any bad stuff anywhere in a particular directory tree. I will initiate the scan and I will control what to do about it personally. To do this use:

time clamscan -r -i -l /root/scan.txt /raid/fsbackup/users

The -r is recursive, so that all subdirectories are checked. The -i is so that only "infected" files are listed, not every file that was scanned (the summary block at the end is still printed). The -l specifies a location to write the log file to. The main path argument is the top level of the tree to search.

This can take a long time, so it is better to put it in a screen session or some other background method. Also, after launching it I thought it would be decent of me to renice 19 16501, where 16501 is the process id of the clamscan. Starting it with nice -n 19 in front of the clamscan command has the same effect without having to look up the pid afterwards.
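Putting the installation and running steps together, here is an added example script that is not from the original page: it refreshes signatures, runs the recursive scan at low CPU and I/O priority, and reads the result from clamscan’s exit status and log rather than leaving that to a human. It assumes the scan root and log path used above (overridable via the hypothetical SCAN_ROOT and SCAN_LOG environment variables), that util-linux ionice is installed, and relies on clamscan’s documented exit codes (0 = nothing found, 1 = malware found, 2 = error). The sample log it parses is constructed for illustration; the paths and the second signature name in it are made up.

```sh
#!/bin/sh
# Added example, not from the original page: wrap the off-hours clamscan run so
# that signatures are refreshed first, the scan runs at low CPU and I/O
# priority, and the result is read from clamscan's exit status and log.
# Assumptions: the scan root and log path from the page (overridable via
# environment), util-linux ionice is installed, and clamscan's documented exit
# codes apply: 0 = no malware found, 1 = malware found, 2 = error.

SCAN_ROOT="${SCAN_ROOT:-/raid/fsbackup/users}"
SCAN_LOG="${SCAN_LOG:-/root/scan.txt}"

# Turn clamscan's exit status into a word for reports.
describe_clamscan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# List the files clamscan flagged. With -i the log holds one
# "<path>: <signature> FOUND" line per hit, then a summary block whose lines
# never end in FOUND, so the pattern skips the summary.
infected_paths() {
    sed -n 's/^\(.*\): .* FOUND$/\1/p' "$1"
}

count_infected() {
    infected_paths "$1" | wc -l | tr -d ' '
}

# Constructed sample of what a clamscan -i log looks like; the paths and the
# second signature name are made up for illustration.
write_sample_log() {
    cat > "$1" <<'EOF'
/raid/fsbackup/users/alice/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/raid/fsbackup/users/bob/Downloads/setup.exe: Win.Trojan.Example-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
EOF
}

run_scan() {
    # Update signatures; an update failure is not fatal, the old database is used.
    freshclam --quiet || echo "warning: freshclam failed, using existing signatures" >&2
    # nice -n 19 replaces the manual renice; ionice -c 3 (idle class) keeps the
    # scan from competing with the backups themselves for disk time.
    nice -n 19 ionice -c 3 clamscan -r -i -l "$SCAN_LOG" "$SCAN_ROOT" >/dev/null
    status=$?
    echo "clamscan finished: $(describe_clamscan_status "$status")"
    if [ "$status" -eq 1 ]; then
        echo "$(count_infected "$SCAN_LOG") infected file(s):"
        infected_paths "$SCAN_LOG"
    fi
    return "$status"
}

# Only scan when explicitly asked, so sourcing the file just defines functions.
if [ "${1:-}" = "--run" ]; then
    run_scan
fi
```

Run it as `sh scan.sh --run` inside the screen session; exit status 1 means there is something in the log to look at, 2 means the scan itself had a problem (a missing database, an unreadable path) and the "clean" result should not be trusted.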