ClamAV (Clam Antivirus) is an open source antivirus toolkit for UNIX. It was built specifically for scanning email at mail gateways, but these days it is used to secure many kinds of systems and applications. ClamAV provides a number of utilities, including a flexible multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates. It is widely used to secure Linux servers and mail gateways, and it is also used together with cPanel to scan the file system.
A few notable features of ClamAV are:
- It is open source, POSIX compliant, portable software licensed under the GNU General Public License.
- It provides fast scanning and supports on-access scanning of files.
- It claims to detect over 1 million viruses, worms and Trojans, including Microsoft Office macro viruses, mobile malware, and other threats.
- Capable of scanning within various types of archives and compressed files.
- Supports Portable Executable (PE), ELF and Mach-O files as well.
- Supports almost all mail file formats, plus a range of special file types and formats.
- Advanced database updater with support for scripted updates, digital signatures and DNS-based database version queries.
I. Setting up ClamAV
1. CentOS
Run the following commands to install ClamAV on your CentOS server:
yum -y install epel-release
yum -y update
yum clean all
yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
II. Slack webhook registration
First, you need to configure an Incoming Webhook in Slack:
https://YOUR_DOMAIN.slack.com/apps/manage/custom-integrations
III. Implement the ClamAV scan script and send alerts to Slack
1. Scan script
You need to write a script that scans your hosting directories; whenever the scan finds something, it posts an alert directly to your Slack channel.
nano /root/clamav.sh
#!/bin/bash
LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log"
DIRTOSCAN=""   # space-separated list of directories to scan, e.g. "/var/www /home"
URL=""         # Slack incoming webhook URL from step II
CHANNEL=""     # Slack channel to post into, e.g. "#security"
HOST="$(hostname)"
mkdir -p "$(dirname "$LOGFILE")"
for S in ${DIRTOSCAN}; do
    DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1)
    echo "Starting a daily scan of $S directory. Amount of data to be scanned is $DIRSIZE."
    # -r: recurse, -i: only report infected files; skip static assets and logs by regex
    clamscan -ri --exclude='\.(jpg|jpeg|png|gif|log|xml)$' "$S" >> "$LOGFILE"
    # get the number from the "Infected files: N" line of the scan summary; default to 0 if it is missing
    MALWARE=$(tail "$LOGFILE" | grep "Infected files" | cut -d" " -f3)
    MALWARE=${MALWARE:-0}
    # if the value is not equal to zero, post an alert to Slack
    if [ "$MALWARE" -ne 0 ]; then
        content="\"attachments\": [ { \"mrkdwn_in\": [\"text\", \"fallback\"], \"fallback\": \"CLAMAV on \`$HOST\`\", \"text\": \"CLAMAV scan on \`$HOST\` found \`$MALWARE\` infected file(s)\", \"fields\": [{\"title\": \"Dir size\",\"value\": \"$DIRSIZE\", \"short\": true},{ \"title\": \"Scanned dir\", \"value\": \"$S\", \"short\": true } ], \"color\": \"#F35A00\" } ]"
        curl -X POST --data-urlencode "payload={\"channel\": \"$CHANNEL\", \"mrkdwn\": true, \"username\": \"ssh-bot\", $content, \"icon_emoji\": \":computer:\"}" "$URL"
        # alternative: email the log file instead of (or in addition to) posting to Slack
        #echo "$EMAIL_MSG"|mail -a "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO";
    fi
done
exit 0
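The script above reads the infected count with tail/grep/cut and splices shell variables straight into the JSON payload, which breaks when a file name or hostname contains a quote or backslash. The following is an added example, not code from the original post: it parses the clamscan summary block and the "FOUND" lines from a log, escapes values before they go into the webhook body, and only emits a payload when the count is non-zero. The log is a constructed sample of clamscan -ri output; the paths, counts, channel and the hostname "web01" are illustrative only.

```shell
#!/bin/sh
# Added example, not part of the original post: read the clamscan summary and
# the "FOUND" lines from a log, then build the Slack incoming-webhook payload
# with JSON-escaped values. The log below is a constructed sample of
# `clamscan -ri` output; paths, counts and hostnames are illustrative only.

SAMPLE_LOG='/var/www/html/uploads/shell.php: Eicar-Test-Signature FOUND
/home/user/tmp/setup.exe: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8600000
Engine version: 0.103.8
Scanned directories: 120
Scanned files: 3400
Infected files: 2
Data scanned: 512.00 MB
Data read: 600.00 MB (ratio 0.85:1)
Time: 30.000 sec (0 m 30 s)'

# Number from the "Infected files:" summary line; prints 0 when the line is
# missing (clamscan aborted or the log is empty), so callers never compare
# an empty string in a numeric test.
infected_count() {
    printf '%s\n' "$1" | awk -F': ' '/^Infected files:/ { n = $2 } END { print n + 0 }'
}

# One infected path per line, taken from lines ending in " FOUND", with the
# signature name stripped.
found_files() {
    printf '%s\n' "$1" | sed -n 's/^\(.*\): [^:]* FOUND$/\1/p'
}

# Escape backslashes, double quotes and newlines so arbitrary file names and
# hostnames cannot break or alter the JSON document.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
        | awk '{ printf "%s%s", (NR > 1 ? "\\n" : ""), $0 }'
}

# Build the webhook body for one scanned directory.
# Arguments: channel, host, directory, directory size, clamscan log text.
slack_payload() {
    count=$(infected_count "$5")
    files=$(found_files "$5")
    printf '{"channel": "%s", "username": "clamav-bot", "icon_emoji": ":computer:", "attachments": [{"color": "#F35A00", "mrkdwn_in": ["text"], "fallback": "CLAMAV on %s: %s infected", "text": "CLAMAV scan on `%s` found `%s` infected file(s) in `%s`", "fields": [{"title": "Dir size", "value": "%s", "short": true}, {"title": "Infected files", "value": "%s", "short": false}]}]}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$count" \
        "$(json_escape "$2")" "$count" "$(json_escape "$3")" \
        "$(json_escape "$4")" "$(json_escape "$files")"
}

# Stand-alone demo: only emit a payload when something was found, as the daily
# script does; "web01" is a constructed hostname.
if [ "$(infected_count "$SAMPLE_LOG")" -gt 0 ]; then
    slack_payload '#security' 'web01' '/var/www' '512M' "$SAMPLE_LOG"
    echo
fi
```

In the daily script the payload string returned by slack_payload would be passed to curl as the value of the payload= form field, exactly as the original does; the difference is that the infected list reaches Slack as a field and a hostile file name cannot inject extra JSON keys.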
2. Daily scan
Now make the script executable (run-parts skips non-executable files in /etc/cron.daily/) and link it into the /etc/cron.daily/ directory with the following commands:
chmod +x /root/clamav.sh
ln /root/clamav.sh /etc/cron.daily/clamav_daily