ClamAV with Slack

ClamAV (Clam Antivirus) is an open source antivirus tool for UNIX. It was built specifically for scanning email at mail gateways, but these days it is used for securing many kinds of systems and applications. ClamAV provides a number of utilities, including a flexible multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates. ClamAV is widely used for securing Linux servers and mail gateways, and it is also used together with cPanel to scan the file system.
A few notable features of ClamAV are:

  • It is open source, POSIX-compliant, portable software licensed under the GNU General Public License.
  • It provides fast scanning and supports on-access scanning of files.
  • It claims to detect over 1 million viruses, worms and Trojans, including Microsoft Office macro viruses, mobile malware, and other threats.
  • Capable of scanning within various types of archives and compressed files.
  • Supports Portable Executable files, ELF and Mach-O files as well.
  • Supports almost all mail file formats as well as a range of other special files and formats.
  • Advanced database updater with support for scripted updates, digital signatures and DNS based database version queries.

I. Setting up ClamAV

1. CentOS

Run the following commands to install ClamAV on your CentOS server:

yum -y install epel-release
yum -y update
yum clean all
yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

II. Slack webhook registration

First, you need to configure your Incoming Webhook in Slack:

https://YOUR_DOMAIN.slack.com/apps/manage/custom-integrations

III. Implement ClamAV scan script & send into Slack

1. Scan script

You need to implement a script that runs a fresh scan of your hosting location; when the scan reports an infection, the script sends the alert directly into your Slack channel.

nano /root/clamav.sh
#!/bin/bash
LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log"
# Space-separated list of directories to scan, the Slack webhook URL and the target channel
DIRTOSCAN=""
URL=""
CHANNEL=""
HOST="$(hostname)"
for S in ${DIRTOSCAN}; do
    DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1)
    echo "Starting a daily scan of $S directory. Amount of data to be scanned is $DIRSIZE."
    # recursive scan, reporting infected files only; skip images, logs and XML by extension
    clamscan -ri --exclude='\.(jpg|jpeg|png|gif|log|xml)$' "$S" >> "$LOGFILE"
    # get the value of the "Infected files" line from the scan summary at the end of the log
    MALWARE=$(tail "$LOGFILE" | grep "Infected files" | cut -d" " -f3)
    # if the value is not equal to zero, post an alert with the scan details into Slack
    if [ "$MALWARE" -ne "0" ]; then
        content="\"attachments\": [ { \"mrkdwn_in\": [\"text\", \"fallback\"], \"fallback\": \"CLAMAV on \`$HOST\`\", \"text\": \"CLAMAV scan on \`$HOST\` found \`$MALWARE\` malwares\", \"fields\": [{\"title\": \"Dir size\",\"value\": \"$DIRSIZE\", \"short\": true},{ \"title\": \"Scanned dir\", \"value\": \"$S\", \"short\": true } ], \"color\": \"#F35A00\" } ]"
        curl -X POST --data-urlencode "payload={\"channel\": \"$CHANNEL\", \"mrkdwn\": true, \"username\": \"ssh-bot\", $content, \"icon_emoji\": \":computer:\"}" "$URL"
        # alternatively, mail the log file instead of posting to Slack:
        #echo "$EMAIL_MSG"|mail -a "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO"
    fi
done
exit 0
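As an added example (not code from the original post), the same alert logic in Python: it reads the infected count from the clamscan summary by the "Infected files:" line rather than by word position, collects the per-file FOUND lines for the message, and builds the webhook payload with json.dumps so the quoting the shell script hand-rolls is handled for you. The sample log, hostname, channel and webhook URL are constructed placeholders.

```python
import json
import re
import urllib.request

# Constructed sample of clamscan output, as the daily job appends it to the log file.
SAMPLE_LOG = """\
/srv/www/uploads/invoice.exe: Win.Trojan.Agent-123 FOUND
/srv/www/uploads/readme.txt: OK
----------- SCAN SUMMARY -----------
Scanned files: 2
Infected files: 1
"""

def parse_clamscan(log_text):
    """Return (infected_count, [per-file FOUND lines]) from clamscan output."""
    # Match the summary line by name; an unexpected layout yields 0, never a non-numeric string.
    match = re.search(r"^Infected files:\s*(\d+)\s*$", log_text, re.MULTILINE)
    infected = int(match.group(1)) if match else 0
    found = [line for line in log_text.splitlines() if line.endswith(" FOUND")]
    return infected, found

def build_payload(host, scanned_dir, dir_size, infected, found, channel):
    """Slack incoming-webhook payload; json.dumps does the quoting the shell script hand-rolls."""
    return {
        "channel": channel,
        "username": "clamav-bot",
        "icon_emoji": ":computer:",
        "attachments": [{
            "mrkdwn_in": ["text"],
            "text": f"ClamAV scan on `{host}` found `{infected}` infected file(s)",
            "fields": [
                {"title": "Dir size", "value": dir_size, "short": True},
                {"title": "Scanned dir", "value": scanned_dir, "short": True},
                {"title": "Detections", "value": "\n".join(found), "short": False},
            ],
            "color": "#F35A00",
        }],
    }

def alert_if_infected(webhook_url, log_text, host, scanned_dir, dir_size, channel, send=True):
    """Post to the webhook only when infections are reported; returns the payload or None."""
    infected, found = parse_clamscan(log_text)
    if infected == 0:
        return None
    payload = build_payload(host, scanned_dir, dir_size, infected, found, channel)
    if send:  # send=False lets the payload be inspected without a live webhook
        req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                     headers={"Content-Type": "application/json"})
        urllib.request.urlopen(req, timeout=10).read()
    return payload
```

Treat the webhook URL like a credential: anyone who obtains it can post arbitrary messages into the channel, so keep it out of world-readable scripts and logs.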

2. Daily scan

Now you only need to link your script into the /etc/cron.daily/ directory with the following command. The script must be executable (chmod +x /root/clamav.sh), otherwise run-parts will skip it.

ln /root/clamav.sh /etc/cron.daily/clamav_daily
