Released ClamAV 0.99 with Major new features and changes

ClamAV is an open source anti-virus engine which is used to scan entire linux system, web servers & email server. Linux OS is virus free (hard for viruses to run on it) even though its hard for virus, due to technology improvement day by day virus & malware strength is increased. So there are many reasons you might need a virus scanner on your Linux system. ClamAV team produly announced the latest version of ClamAV 0.99 on December 01, 2015.

It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates.

ClamAV Features

  • Command-line scanner
  • Command-line scanner with whole home directory or specific user
  • Virus database updated multiple times per day
  • Advanced database updater with support for scripted updates and digital signatures
  • Support all standard mail file formats
  • Support all kinds of files HTML, Flash, RTF, MS Office, MacOffice and PDF
  • Support for various archive formats, like Zip, RAR, Dmg, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others
  • Support for ELF executables and Portable Executable files packed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others
  • For more details

What’s New in ClamAV 0.99

  • Processing of YARA rules (some limitations- see signatures.pdf).
  • Support in ClamAV logical signatures for many of the features added for YARA, such as Perl Compatible Regular Expressions, alternate strings, and YARA string attributes. See signatures.pdf for full details.
  • New and improved on-access scanning for Linux. See the recent blog post and clamdoc.pdf for details on the new on-access capabilities.
  • A new ClamAV API callback function that is invoked when a virus is found. This is intended primarily for applications running in all-match mode. Any applications using all-match mode must use the new callback function to record and report detected viruses.
  • Configurable default password list to attempt zip file decryption.
  • TIFF file support.
  • Upgrade Windows pthread library to 2.9.1.
  • A new signature target type for designating signatures to run against files with unknown file types.
  • Improved fidelity of the “data loss prevention” heuristic algorithm. Code supplied by Bill Parker.
  • Support for LZMA decompression within Adobe Flash files.
  • Support for MSO attachments within Microsoft Office 2003 XML files.
  • A new sigtool option(–ascii-normalize) allowing signature authors to more easily generate normalized versions of ascii files.
  • Windows installation directories changed from \Program Files\Sourcefire\ClamAV to \Program Files\ClamAV or \Program Files\ClamAV-x64.
  • ClamAV 0.99 release notes

1) ClamAV installation

Use the below commands to install ClamAV on your system. It will automatically install freshclam which will help us to update the ClamAV database (virus definition database or virus signature).

# For Ubuntu/LinuxMint/Debian #
$ sudo apt-get install clamav clamav-daemon

# For CentOS/RHEL #
# yum install clamav clamd

# For Fedora 21 older #
# yum install clamav clamav-update

# For Fedora 22 later #
# dnf install clamav clamav-update

# For openSUSE #
# zypper install clamav

# For Mageia #
# urpmi clamav

Note : All the distro having old version of ClamAV 0.98-7 and there is no PPA also available as of now (December 7, 2015) but in Fedora 23DatabaseMirror they built the rpm file and didn’t added into Fedora 23 Repository. Most propaply this will included within a week, i think so. If you want to install ClamAV 0.99 on Fedora 23, use the rpm files or try manual installation method.

2) Only Fedora User : Modify the freshclam.conf file

Modify the below settings on freshclam.conf file into Fedora system (Fedora User only). Then only we can run the freshclam without any error.

# nano /etc/freshclam.conf

# Comment or remove the line below #

# Uncomment DNSDatabaseInfo line #

# Localized the virus database source : Uncomment DatabaseMirror line and add your country code instead of XX #

# Make sure the following line is uncomment #

3) Updating ClamAV Database

After installing ClamAV on your system. You will get notification stating that your Clamav signatures & databases not updated. So you need to update it by running below commands.

# Update ClamAV’s signatures #
# freshclam

See the below screen shot taken from Fedora 23, I’m using latest version of ClamAV 0.99.
See the below screen shot taken from Ubuntu 15.10, I’m using latest version of ClamAV 0.98.7.
See the below screen shot taken from openSUSE 42.1, I’m using latest version of ClamAV 0.98.7.

4) Scan the System

Perform the system scan using below commands.

# Scan all files on the computer #
# clamscan -r /

# Scan all users home directories #
# clamscan -ri /home
/home/magesh/.cache/mozilla/firefox/rk3npe25.default/cache2/entries/63FB09C75E6F8F14E5ADCCF2F87244FF5D0C9CB1: Exploit.Iframe-1 FOUND
/home/magesh/.cache/mozilla/firefox/rk3npe25.default/cache2/entries/C8E29843C9F0CBB577037BE9CF8502BB94ECC062: Exploit.Iframe-1 FOUND
/home/magesh/.cache/mozilla/firefox/rk3npe25.default/cache2/entries/2444618B40CA0FC854B6C539AEE4A4E7C479F532: Exploit.Iframe-1 FOUND
/home/magesh/.cache/mozilla/firefox/rk3npe25.default/cache2/entries/58CB865E942E052F00AB01A9A65B5B67949D406F: Exploit.Iframe-1 FOUND
/home/magesh/.cache/mozilla/firefox/rk3npe25.default/cache2/entries/D75D46B41E962765F93746E5DCA04D3D1891DFAA: HTML.FileDownload_iacenc_dll FOUND
/home/magesh/.cache/mozilla/firefox/rk3npe25.default/cache2/entries/35DFDA5356192EEFB57A0E52FFA8C98721B3B40F: Exploit.Iframe-1 FOUND
/home/magesh/Downloads/mageshm/919134.php: PHP.Webshell-2 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3623180
Engine version: 0.98.1
Scanned directories: 14303
Scanned files: 129684
Infected files: 9
Data scanned: 12050.80 MB
Data read: 123972.73 MB (ratio 0.10:1)
Time: 2616.052 sec (43 m 36 s)

# Scan all files on the computer, but only display infected files and ring a bell when found #
# clamscan -r --bell -i /

# Move all the infected files list on a particular file #
# clamscan -r /folder/to/scan/ | grep FOUND >> /path/to/save/report/file.txt

# Scan files in the USER home directory and save infected files to specific file #
# clamscan -ril /var/log/clamscan.log /home/USER	

# Scan files in the USER home directory and remove infected files #
# clamscan -r --remove /home/USER

# Scan files in the USER home directory and exclude 2daygeek directory #
# clamscan --exclude=2daygeek -i -r /home/USER

5) Scan Automatically

Create a file called clamav_scan under /etc/cron.daily/ directory and paste below script to run ClamAV Automatically on your system daily. Make sure you should give executable permission

# nano /etc/cron.daily/clamav_scan                                               

/usr/bin/clamscan -ri $SCAN_DIR >> $LOG_FILE

Give executable permission to /etc/cron.daily/clamav_scan

# chmod +x /etc/cron.daily/clamav_scan

It will run daily and store the affected files to /var/log/clamav/dailyscan.log

We are preparing all articles in-depth to understand by all level/stage Linux administrators. If the article is useful for you, then please spend less than a minute to share your valuable comments in our commenting section. Please stay tune with us…Good Luck.

Magesh Maruthamuthu

Love to play with all Linux distribution

You may also like...