    Zodinet Technology Co.,Ltd

    ClamAV with Slack

    ClamAV (Clam Antivirus) is an open source antivirus tool for UNIX. It was built specifically for scanning emails at mail gateways, but these days it is used for securing various types of systems and applications. ClamAV provides a number of utilities, including a flexible multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates. ClamAV is widely used for securing Linux servers and mail gateways. It is also used alongside cPanel to secure the file system.
    A few notable features of ClamAV are:

    • It is open source, POSIX compliant, portable software licensed under the GNU General Public License.
    • It provides fast scanning and supports on-access scanning of files.
    • It claims to detect over 1 million viruses, worms and Trojans, including Microsoft Office macro viruses, mobile malware, and other threats.
    • It is capable of scanning within various types of archives and compressed files.
    • It supports Portable Executable, ELF and Mach-O files as well.
    • It supports almost all mail formats and special files and formats.
    • It ships an advanced database updater with support for scripted updates, digital signatures and DNS-based database version queries.

    I. Setting up ClamAV

    1. CentOS

    Run the following commands to install ClamAV on your CentOS server

    yum -y install epel-release
    yum -y update
    yum clean all
    yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

    II. Slack webhook registration

    First, you need to configure an Incoming Webhook in Slack; the webhook URL it gives you is what the script below posts to

    https://YOUR_DOMAIN.slack.com/apps/manage/custom-integrations

    III. Implement the ClamAV scan script and send alerts to Slack

    1. Scan script

    You need a script that runs a fresh scan of your hosting directory; whenever the scan reports infected files, the script posts a warning directly to your Slack channel

    nano /root/clamav.sh
    #!/bin/bash

    LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log"
    DIRTOSCAN="<your-scan-dir>"      # one or more directories, separated by spaces
    URL="<your-slack-webhook>"       # Incoming Webhook URL from step II
    CHANNEL="<your-channel>"
    HOST="$(hostname)"
    for S in ${DIRTOSCAN}; do
        DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1)
        echo "Starting a daily scan of $S directory. Amount of data to be scanned is $DIRSIZE."
        # -r: recurse into subdirectories, -i: print only infected files; skip images and logs
        clamscan -ri --exclude='\.(jpg|jpeg|png|gif|log|xml)$' "$S" >> "$LOGFILE"
        # get the value of the "Infected files:" line from the scan summary at the end of the log
        MALWARE=$(tail "$LOGFILE" | grep Infected | cut -d" " -f3)
        # if the value is not equal to zero, post an alert to Slack (default to 0 if the line is missing)
        if [ "${MALWARE:-0}" -ne "0" ]; then
            content="\"attachments\": [ { \"mrkdwn_in\": [\"text\", \"fallback\"], \"fallback\": \"CLAMAV on \`$HOST\`\", \"text\": \"CLAMAV scan on \`$HOST\` found \`$MALWARE\` malwares\", \"fields\": [{\"title\": \"Dir size\",\"value\": \"$DIRSIZE\", \"short\": true},{ \"title\": \"Scanned dir\", \"value\": \"$DIRTOSCAN\", \"short\": true } ], \"color\": \"#F35A00\" } ]"
            curl -X POST --data-urlencode "payload={\"channel\": \"$CHANNEL\", \"mrkdwn\": true, \"username\": \"ssh-bot\", $content, \"icon_emoji\": \":computer:\"}" "$URL"
            # alternative: email the log instead of (or in addition to) posting to Slack
            #echo "$EMAIL_MSG"|mail -a "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO";
        fi
    done
    exit 0

    2. Daily scan

    Now you only need to link your script into the /etc/cron.daily/ directory with the following command

    ln /root/clamav.sh /etc/cron.daily/clamav_daily
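    The Python variant below is an added example, not part of the original post or its script. It parses a clamscan log for both the summary count and the individual FOUND lines, then builds the same Slack attachment as the script above but with json.dumps, so a file name containing quotes or backslashes cannot corrupt the hand-assembled JSON string. The sample log, channel, host and directory values are constructed; send_to_slack is only needed if you replace the curl call.

```python
import json
import re
import urllib.request

# Constructed sample of `clamscan -ri` output (not a real scan result).
SAMPLE_LOG = """\
/var/www/html/upload/x.php: Php.Malware.Agent-123 FOUND
/var/www/html/tmp/"odd".txt: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Scanned files: 1234
Infected files: 2
"""
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$", re.M)
INFECTED_RE = re.compile(r"^Infected files: (\d+)$", re.M)

def parse_clamscan_log(text):
    """Return (infected_count, [(path, signature), ...]) from clamscan output."""
    m = INFECTED_RE.search(text)
    count = int(m.group(1)) if m else 0
    hits = [(h.group("path"), h.group("sig")) for h in FOUND_RE.finditer(text)]
    return count, hits

def build_payload(channel, host, scan_dir, dir_size, count, hits, limit=10):
    """Same attachment layout as the page's script; json.dumps does the quoting,
    so a file name containing quotes or backslashes cannot corrupt the payload."""
    listing = "\n".join(f"`{p}` ({s})" for p, s in hits[:limit])
    if len(hits) > limit:
        listing += f"\n... and {len(hits) - limit} more (see the log file)"
    return {
        "channel": channel, "username": "clamav-bot", "icon_emoji": ":computer:",
        "attachments": [{
            "mrkdwn_in": ["text"],
            "color": "#F35A00" if count else "good",
            "fallback": f"ClamAV on {host}: {count} infected file(s)",
            "text": f"ClamAV scan on `{host}` found `{count}` infected file(s)\n{listing}",
            "fields": [
                {"title": "Scanned dir", "value": scan_dir, "short": True},
                {"title": "Dir size", "value": dir_size, "short": True},
            ],
        }],
    }

def send_to_slack(webhook_url, payload):
    """POST the payload to the Incoming Webhook; returns the HTTP status code."""
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```

    Call parse_clamscan_log on the day's log file after clamscan finishes and only call send_to_slack when the returned count is non-zero, mirroring the if-branch in the shell script.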

    Comments

    • Arbab

      November 5, 2019

      Thank you for such a nice howto. Please update your script,
      #!/bin/bash
      LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log";
      DIRTOSCAN="/home";
      URL="https://hooks.slack.com/services/xxxxx/yyyyy/zzzzzzzzzzzzzz"
      CHANNEL="#script-test"
      HOST="`hostname`"

      for S in ${DIRTOSCAN}; do
      DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1);
      echo "Starting a daily scan of "$S" directory. Amount of data to be scanned is "$DIRSIZE".";
      clamscan -ri --exclude='\.(jpg|jpeg|png|gif|log|xml)$' "$S" >> "$LOGFILE";
      # get the value of "Infected lines"
      MALWARE=$(tail "$LOGFILE"|grep Infected|cut -d" " -f3);
      # if the value is not equal to zero, send an email with the log file attached
      if [ "$MALWARE" -ne "0" ];then
      content="\"attachments\": [ { \"mrkdwn_in\": [\"text\", \"fallback\"], \"fallback\": \"CLAMAV on \`$HOST\`\", \"text\": \"CLAMAV on \`$HOST\` found \`$MALWARE\` malwares\", \"fields\": [ { \"title\": \"Dir size\", \"value\": \"$DIRSIZE\", \"short\": true }, { \"title\": \"Scanned dir\", \"value\": \"$DIRTOSCAN\", \"short\": true } ], \"color\": \"#F35A00\" } ]"
      curl -X POST --data-urlencode "payload={\"channel\": \"$CHANNEL\", \"mrkdwn\": true, \"username\": \"ssh-bot\", $content, \"icon_emoji\": \":computer:\"}" "$URL" &
      fi
      done
      exit 0
