Anti Virus Stuff

ClamAV

To run a clamscan and show only infected files (useful options):

-r (recursive)

-i (show only infected)

--remove=yes (to remove)

clamscan -ri /shares1/data/public/ -l /var/log/clamav/scan.log

Nice live, self-updating CD for cleaning Windows PCs

http://ftp.kaspersky.com/devbuilds/RescueDisk/kav_rescue_2008.iso

Upgrading clam

Check if clam is installed:

[root@ls1 ~]# rpm -qa | grep clam

clamav-db-0.94.2-1.el4.rf

clamd-0.94.2-1.el4.rf

clamav-0.94.2-1.el4.rf

[root@ls1 ~]#

This tells us clam is installed at version 0.94.2-1.

If it's an older version, please ask me to upgrade it, or do it yourself with (about 20 MB download):

[root@ls1 ~]# yum install -y clamav-db clamd clamav nail ; freshclam

Now install nail:

[root@ls1 ~]# yum install -y nail

Then please insert a weekly scan into /etc/crontab. Here's how (rather copy and paste this in a PuTTY session to avoid typos):

echo "0 2 * * 0 root > /var/log/clamav/scan.log ; clamscan -r /shares/data/ -l /var/log/clamav/scan.log ; nail -s '$HOSTNAME AV Report' 'me@domain.com' < /var/log/clamav/scan.log > /dev/null 2>&1" >> /etc/crontab

(The redirection at the end must be 2>&1; "2&>1" is a typo that would send nail's output to a file called "1" and pass "2" to nail as an extra argument. $HOSTNAME is expanded by your shell when the line is echoed, so the real hostname ends up in the crontab entry.)
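As an added example (not from the original notes), the same weekly job as a small script instead of a one-line crontab entry: it checks clamscan's exit code (0 = clean, 1 = infected files found, 2 = error), pulls the "Infected files:" count and the FOUND lines out of the log, and only mails the report when there is something to report. The scan path, log path, mail address and nail call are taken from the notes above; the script name and install path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: weekly ClamAV scan that mails
# a report only when something was found or the scan failed.
# Assumes clamscan and nail are installed; paths and address are placeholders.

SCAN_DIR="${SCAN_DIR:-/shares/data}"
LOG="${LOG:-/var/log/clamav/scan.log}"
MAILTO="${MAILTO:-me@domain.com}"

# classify_scan <exit_code>: clamscan exits 0 = clean, 1 = infected, 2 = error.
classify_scan() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# infected_count <logfile>: the "Infected files: N" line from the scan summary
# (prints 0 when the summary is missing, e.g. the scan aborted).
infected_count() {
    awk -F': ' '/^Infected files:/ { n = $2 } END { print n + 0 }' "$1"
}

# found_files <logfile>: only the "path: Signature FOUND" lines (what -i shows).
found_files() {
    grep ' FOUND$' "$1"
}

run_weekly_scan() {
    : > "$LOG"                       # truncate last week's log
    clamscan -r "$SCAN_DIR" -l "$LOG" > /dev/null 2>&1
    rc=$?
    verdict=$(classify_scan "$rc")
    if [ "$verdict" != clean ]; then
        {
            echo "Verdict: $verdict, $(infected_count "$LOG") infected file(s)"
            found_files "$LOG"
            echo
            cat "$LOG"
        } | nail -s "$(hostname) AV Report: $verdict" "$MAILTO"
    fi
    return "$rc"
}

# Only scan when invoked as "weekly-clamscan.sh run", so sourcing the file
# (e.g. to reuse the helpers) has no side effects.
case "${1:-}" in run) run_weekly_scan ;; esac
```

Install it as, say, /usr/local/sbin/weekly-clamscan.sh (placeholder path) and point the crontab entry at it: 0 2 * * 0 root /usr/local/sbin/weekly-clamscan.sh run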

The easiest way, if you have RPMforge installed, is:

yum install clamav clamd clamav-db ; freshclam

Otherwise, wget the following packages from http://dag.wieers.com/rpm/packages/clamav/ (check which versions are currently installed first):

rpm -qa | grep clam

clamd-0.94.2-1.el4.rf clamav-db-0.94.2-1.el4.rf clamav-0.94.2-1.el4.rf

rpm -Uvh clam*

/etc/init.d/clamd restart

clamscan --version

freshclam

Restart mail services such as exim and/or cyrus-imapd so they pick up the new clamd.

Check for a virus on the network (show traffic that is not one of the expected services, so anything unusual stands out):

tcpdump -tnli eth0 not port ssh and not port smtp and not domain and not http and not https and not imap

DROP traffic to a port from a given IP, e.g. port 5901:

iptables -I RH-Firewall-1-INPUT -s 172.25.105.142 -p tcp --dport 5901 -j DROP

Upgrading ClamAV (From source)

wget -c http://belnet.dl.sourceforge.net/source ... 8.5.tar.gz

Unpack the sources:

tar xvzf clamav-0.88.5.tar.gz

cd clamav-0.88.5/

Build and install:

./configure --disable-zlib-vcheck

make all install

freshclam

clamav-config --version

Oversized.zip disabling (MailScanner)

Disable ArchiveMaxCompressionRatio in the Clam config by setting it to 0. This is the limit that makes clamd flag archives with an extreme compression ratio as Oversized.zip, so setting it to 0 removes that check rather than tuning it.