I have deep misgivings about "anti-virus" software. The immutable commercial AV tools that bedevil all Windows installations have been far more pernicious to me personally than any actual putative viruses. Although I work in the pharmaceutical industry, I can’t think of a business with more of a conflict of interest than "anti-virus" companies.
    Runs as root, claims security, unpopular, few updates = trouble

Stern words on the topic.
That said, it does seem that there is some malware out there that is well-known, easily characterized, identifiable, and simple to eradicate. This is what I’m going to focus on.
ClamAV
Because of the conflict of interest issue and the reprehensible extortionate marketing tactics of the major commercial providers, I’m going to focus mainly on ClamAV, an open source (GPL) antivirus engine that runs especially well on Unix/Linux.
I’m running clamav on my backup file servers during off times. The idea is that in between when my main server makes backups, the material can be scanned essentially offline.
Installation
My file servers run Gentoo and getting ClamAV was as simple as:
emerge -avuD clamav
The default installation does not come with a database of malware (signatures I presume) pre-installed. To get that set up you need to run a helper command called freshclam. This program’s actions are controlled by /etc/freshclam.conf.
When freshclam runs, it logs its activities to /var/log/clamav/freshclam.log. Make sure your clock is right (/etc/init.d/ntp status) and run:
freshclam -v
It should tell you some interesting things and ultimately say something nice like:
Database updated (1306932 signatures) from database.clamav.net
Have a look in /var/lib/clamav/ to see that things are being populated properly.
Running
My usage mode is to simply get ClamAV to tell me if it recognizes any bad stuff anywhere in a particular directory tree. I will initiate the scan and I will control what to do about it personally. To do this use:
time clamscan -r -i -l /root/scan.txt /raid/fsbackup/users
The -r is recursive so that all subdirectories are checked. The -i is so that only "infected" files are listed, not all that are searched. The -l is to specify a location to write the log file to. The main path argument is the top level of the tree to search.
This can take a long time. Better put it in a screen session or some other background method. Also after launching it I thought it would be decent of me to renice 19 16501 where 16501 is the process id of the clamscan.
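As an added example (not from the original notes), a small POSIX shell helper that launches the scan already niced, so no renice is needed afterwards, and digests the -l log file so you can decide what to do with each hit. The FOUND lines and the "Infected files:" summary line are clamscan's own log format; the file names and the signature name in the sample log are constructed for the example.

```shell
#!/bin/sh
# Added example: run clamscan at lowest priority from the start and
# summarise the log it writes. Flags are the ones from the text:
# -r recurse, -i list only infected files, -l write a log file.
# clamscan exits 0 when clean, 1 when something was found, 2 on error.
run_scan() {
    tree="$1"; log="$2"
    nice -n 19 clamscan -r -i -l "$log" "$tree"
}

# Print the "<path>: <signature> FOUND" lines from a clamscan log.
found_files() {
    grep ' FOUND$' "$1"
}

# Pull the count from the "Infected files: N" summary line (0 if absent,
# e.g. when the scan was interrupted before writing its summary).
infected_count() {
    n=$(sed -n 's/^Infected files: \([0-9][0-9]*\).*/\1/p' "$1")
    echo "${n:-0}"
}

# Constructed sample log in the shape clamscan -i -l produces; the paths
# and the signature name below are made up for this example.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
/raid/fsbackup/users/alice/downloads/setup.exe: Example.Test.Signature FOUND
/raid/fsbackup/users/bob/mail/attach.zip: Example.Test.Signature FOUND

----------- SCAN SUMMARY -----------
Scanned directories: 412
Scanned files: 98213
Infected files: 2
Time: 1832.211 sec (30 m 32 s)
EOF

# Report: how many hits, then the list to act on by hand.
echo "Infected files: $(infected_count "$SAMPLE_LOG")"
found_files "$SAMPLE_LOG"
```

To scan for real, call run_scan /raid/fsbackup/users /root/scan.txt inside a screen session and feed /root/scan.txt to the two parsing functions.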