Anti Virus Stuff
ClamAV
To run a clamscan and show only infected files:
-r (recursive)
-i (show only infected files)
--remove=yes (remove infected files)
-l <file> (also write the results to a log file)
clamscan -ri /shares1/data/public/ -l /var/log/clamav/scan.log
Nice live self-updating CD for cleaning Windows PCs:
http://ftp.kaspersky.com/devbuilds/RescueDisk/kav_rescue_2008.iso
Upgrading clam
Check if clam is installed:
[root@ls1 ~]# rpm -qa | grep clam
clamav-db-0.94.2-1.el4.rf
clamd-0.94.2-1.el4.rf
clamav-0.94.2-1.el4.rf
[root@ls1 ~]#
This tells us clam is installed at version 0.94.2-1.
If it's an older version, please ask me to upgrade it or do it yourself with (about 20 MB download):
[root@ls1 ~]# yum install -y clamav-db clamd clamav nail ; freshclam
Now install nail (the mail client used to send the report):
[root@ls1 ~]# yum install -y nail
Then please add a weekly scan to /etc/crontab. Here's how (rather copy and paste this into a PuTTY session to avoid typos; note the redirection at the end is 2>&1):
echo "0 2 * * 0 root > /var/log/clamav/scan.log ; clamscan -r /shares/data/ -l /var/log/clamav/scan.log ; nail -s '$HOSTNAME AV Report' 'me@domain.com' < /var/log/clamav/scan.log > /dev/null 2>&1" >> /etc/crontab
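The same weekly job as a small wrapper script, added here as an example (it is not part of the original notes): instead of one long crontab line it runs clamscan, counts the FOUND and ERROR lines in the log, and mails the log with a subject that says whether anything was found, so the report can be filtered instead of read every week. The script name, the paths, the mail address and the sample log lines are assumptions; EICAR is the standard harmless test file.

```sh
#!/bin/sh
# weekly_clamscan.sh (assumed name): wrapper for the weekly ClamAV scan.
# Example code, not from the original notes. Paths and address are assumptions.

SCAN_DIR="${SCAN_DIR:-/shares/data}"
LOG="${LOG:-/var/log/clamav/scan.log}"
MAILTO="${MAILTO:-me@domain.com}"

# Number of detections in a clamscan log: lines look like "<path>: <signature> FOUND".
count_found() {
    n=$(grep -c ' FOUND$' "$1" 2>/dev/null)
    echo "${n:-0}"
}

# Number of files clamscan could not read ("<path>: ... ERROR"). These were never
# scanned, so a report with errors must not be taken as "clean".
count_errors() {
    n=$(grep -c ' ERROR$' "$1" 2>/dev/null)
    echo "${n:-0}"
}

# Subject line for the report, with the counts in it so mail filters can act on them.
report_subject() {
    found=$(count_found "$1")
    errors=$(count_errors "$1")
    host="${HOSTNAME:-$(hostname)}"
    if [ "$found" -gt 0 ]; then
        echo "$host AV Report: $found infected file(s), $errors unreadable"
    else
        echo "$host AV Report: clean, $errors unreadable"
    fi
}

# Start a fresh log, scan, then mail the whole log. clamscan exits 0 when clean,
# 1 when something was found and 2 on errors; -i keeps only FOUND/ERROR lines.
run_weekly_scan() {
    : > "$LOG"
    clamscan -ri "$SCAN_DIR" -l "$LOG" > /dev/null 2>&1
    rc=$?
    subject=$(report_subject "$LOG")
    if [ "$rc" -eq 2 ]; then
        subject="$subject (clamscan exit code 2)"
    fi
    nail -s "$subject" "$MAILTO" < "$LOG" > /dev/null 2>&1
}

# Constructed sample log, so the reporting functions can be tried without a scan.
demo_report() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
/shares/data/public/eicar.com: Eicar-Test-Signature FOUND
/shares/data/public/locked.doc: Can't open file or directory ERROR
----------- SCAN SUMMARY -----------
Infected files: 1
EOF
    report_subject "$tmp"
    rm -f "$tmp"
}

# Called from cron with "run", e.g.:  0 2 * * 0 root /usr/local/sbin/weekly_clamscan.sh run
case "${1:-}" in
    run) run_weekly_scan ;;
    *)   demo_report ;;   # no argument: just show what the subject line looks like
esac
```

Installed as a script, the crontab line shrinks to the one in the comment, and a later change to the scan path or the recipient does not mean editing /etc/crontab again.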
The easiest way, if you have rpmforge installed, is:
yum install clamav clamd clamav-db ; freshclam
Otherwise wget the matching packages from http://dag.wieers.com/rpm/packages/clamav/ (check which ones are installed first):
rpm -qa | grep clam
clamd-0.94.2-1.el4.rf
clamav-db-0.94.2-1.el4.rf
clamav-0.94.2-1.el4.rf
rpm -Uvh clam*
/etc/init.d/clamd restart
clamscan --version
freshclam
Restart mail services like exim and/or cyrus-imapd afterwards.
Check for a virus on a network: watch for traffic that is not one of the usual services (ssh, smtp, dns, http, https, imap); an infected host usually shows up as a stream of connections to other ports.
tcpdump -tnli eth0 not port ssh and not port smtp and not domain and not http and not https and not imap
DROP traffic on a port from an IP, e.g. port 5901:
iptables -I RH-Firewall-1-INPUT -s 172.25.105.142 -p tcp --dport 5901 -j DROP
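Reading the raw tcpdump output by eye gets hard once there is more than a trickle of it, so here is an added example (not from the original notes) that summarises saved "tcpdump -tn" output and lists the source hosts that reached unusually many distinct host:port destinations, which is what a worm sweeping the LAN looks like. The threshold, the function names and the sample capture lines are assumptions; the iptables line above is then the way to cut such a host off while it is cleaned.

```sh
#!/bin/sh
# Example code, not from the original notes. Summarise "tcpdump -tn" output to
# spot hosts connecting to many different destinations.

# Read tcpdump -tn lines from file $1 and print "src-ip  distinct-destinations"
# for every source that reached at least $2 distinct host:port pairs.
# Lines without a port on both sides (ICMP, ARP) are skipped.
sweep_sources() {
    awk -v min="$2" '
        $1 == "IP" && $3 == ">" {
            n = split($2, a, ".")          # src: a.b.c.d.port
            m = split($4, b, ".")          # dst: a.b.c.d.port: (trailing colon)
            if (n != 5 || m != 5) next
            src = a[1] "." a[2] "." a[3] "." a[4]
            dst = $4; sub(/:$/, "", dst)
            if (!((src, dst) in seen)) { seen[src, dst] = 1; targets[src]++ }
        }
        END { for (h in targets) if (targets[h] >= min) print h, targets[h] }
    ' "$1" | sort
}

# Constructed sample of "tcpdump -tn" output (older tcpdump TCP flag column).
# 172.25.105.142 is probing SMB/VNC on several hosts; 10.0.0.20 is one normal
# MySQL session; the ICMP line has no ports and is ignored.
sample_capture() {
    cat <<'EOF'
IP 172.25.105.142.40001 > 10.0.0.5.445: S 1:1(0) win 65535
IP 172.25.105.142.40002 > 10.0.0.5.139: S 2:2(0) win 65535
IP 172.25.105.142.40003 > 10.0.0.6.445: S 3:3(0) win 65535
IP 172.25.105.142.40004 > 10.0.0.7.5901: S 4:4(0) win 65535
IP 10.0.0.20.51000 > 10.0.0.9.3306: S 5:5(0) win 5840
IP 10.0.0.20.51001 > 10.0.0.9.3306: . ack 1 win 5840
IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 1, seq 1, length 64
EOF
}

# Run the summary over the sample with a threshold of 3 destinations.
demo() {
    tmp=$(mktemp)
    sample_capture > "$tmp"
    sweep_sources "$tmp" 3
    rm -f "$tmp"
}
demo
```

In practice capture for a minute with the tcpdump line above redirected to a file (tcpdump -tnli eth0 ... > /tmp/cap.txt), then run sweep_sources /tmp/cap.txt 20 or so; on a quiet file server only a few hosts should show up, and one source with dozens of destinations is the machine to look at.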
Upgrading ClamAV (from source)
wget -c http://belnet.dl.sourceforge.net/source ... 8.5.tar.gz
Unpack the sources:
tar xvzf clamav-0.88.5.tar.gz
cd clamav-0.88.5/
Install:
./configure --disable-zlib-vcheck
make all install
freshclam
clamav-config --version
Oversized.zip disabling (MailScanner)
Disable ArchiveMaxCompressionRatio in the clamd config (clamd.conf) by setting it to 0.