Better malware protection from ClamAV


Solution 1

Maybe it isn't designed to run in background.

Yes, it is. The wiki shows methods running it as a daemon and as a scanner:

Run ClamAV as a Daemon

Install clamav-daemon. You can then use clamdscan where you would previously have used clamscan. Lots of programs, especially e-mail servers, can connect to a ClamAV daemon. This speeds up virus scanning as the program is always in memory.

The clamav-daemon package creates a 'clamav' user; in order to allow ClamAV to scan system files, such as your mail spool, you can add clamav to the group that owns the files.

Let ClamAV listen for Incoming Scans

There are cases where you may want ClamAV daemon to act as a scanner for other systems, so you don't have to run everything locally on the system.

To do this, you simply have to modify the clamd.conf file and add TCPSocket PORTNUMBER and TCPAddr IPADDRESS arguments to the clamd.conf file and reload the daemon. The daemon will then accept connections to it via the IP address and Port combination you specify.


I just want good protection for my system.

Linux is fundamentally different from Windows, so we did not inherit the problems Windows (still) faces. Our system has been set up as a multi-user system: more than one user at the same time is expected to use it. This means we have a security model built into our system, since some users are not expected to see all the content or be able to do whatever they want on our systems. That also hinders malware from abusing your system.

Yes, that does not make Linux invulnerable. But as long as it is easier to infect millions of Windows systems than to infect one Linux machine, we win. Only if your machine is targeted specifically (when you run a game server, for instance) do you need to take precautions. But those are: create regular backups, use a good password, use a router, keep an eye on the CVE tracker, keep your system up to date and do not install software you do not need. All things you should do anyway.


  • Have you used other software showing better protection than ClamAV?

Yes (1st part: as a system admin for 30+ systems I have examined several virus scanners and rootkit detectors and also made an assessment of the threat risks when not using one) and no (2nd part). But the no is not because ClamAV is so good: it is as bad as any other virus scanner. Virus scanners all have such a low success rate that they are useless. When nearly 100% of what it claims to be a virus is false, I can't use it.

  • Are there any "enhancements" possible to increase the threat detection in ClamAV, since it is lightweight? (I have seen some websites suggesting to add their threat signatures to the ClamAV list. Is this safe?)

See for instance the "signatures.pdf" in the "doc" dir of ClamAV on how to upload extra virus signatures.

But this is only useful when you actually find a virus as the first person. The virus definition file gets updated pretty regularly, so I doubt there is anything to improve.

  • Overall (and this is important), below you can find additional tasks which can be performed for hardened protection, without slowing down the machine.

This is a question on its own and also has no relation to virus scanners.

  • Encrypt your system.
  • Do not install software that allows you to use FTP, Telnet, rlogin and rsh services
  • Minimize the software installed: don't use it? Remove it.
  • Keep your system up to date.
  • Use strong passwords and password aging.

Important:

The protection of your system does not come from anti-virus software; it comes from how you treat your system. If you ever do find a virus, you are too late: removing a virus is not enough, as your system has been compromised and needs to be re-installed from a proven clean backup. You always have to assume they got your admin password.
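The TCPSocket/TCPAddr settings described in this answer open an unauthenticated scan service on whatever address clamd binds to, and when TCPAddr is absent clamd binds to all interfaces. The script below is an added example, not part of the original answer or of ClamAV itself: it audits a clamd.conf for a listener reachable from the network and writes a loopback-only drop-in. The file paths and the sample configs are constructed for the example; the real file on Ubuntu is /etc/clamav/clamd.conf.

```shell
#!/bin/sh
# Audit a clamd.conf for a TCP listener reachable from other hosts.
# Prints a verdict and returns 0 when safe (no TCP listener, or loopback only),
# 1 when the listener would be reachable from the network.
audit_clamd_conf() {
    conf="$1"
    # Only uncommented directives count; the last one wins, as in clamd.
    port=$(sed -n 's/^[[:space:]]*TCPSocket[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$conf" | tail -n 1)
    addr=$(sed -n 's/^[[:space:]]*TCPAddr[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$conf" | tail -n 1)
    if [ -z "$port" ]; then
        echo "ok: $conf has no TCP listener (Unix socket only)"
        return 0
    fi
    case "$addr" in
        127.0.0.1|::1|localhost)
            echo "ok: $conf listens on $addr:$port (loopback only)"
            return 0 ;;
        "")
            echo "WARNING: $conf sets TCPSocket $port without TCPAddr; clamd binds to all interfaces"
            return 1 ;;
        0.0.0.0|::)
            echo "WARNING: $conf binds $addr:$port on all interfaces"
            return 1 ;;
        *)
            echo "WARNING: $conf listens on $addr:$port, reachable from the network; firewall it or use a loopback address"
            return 1 ;;
    esac
}

# Write a config that keeps the TCP listener on loopback only, while the
# Unix socket used by clamdscan stays available. Pass any path; nothing
# here touches the real /etc/clamav/clamd.conf.
write_loopback_listener() {
    out="$1"
    cat > "$out" <<'EOF'
# Accept scan requests only from processes on this host.
TCPSocket 3310
TCPAddr 127.0.0.1
LocalSocket /var/run/clamav/clamd.ctl
EOF
}

# Constructed demonstration: the exposed config beside the corrected one.
demo_dir=$(mktemp -d)
printf 'LocalSocket /var/run/clamav/clamd.ctl\nTCPSocket 3310\nTCPAddr 0.0.0.0\n' > "$demo_dir/exposed.conf"
write_loopback_listener "$demo_dir/loopback.conf"
audit_clamd_conf "$demo_dir/exposed.conf" || true   # prints a WARNING
audit_clamd_conf "$demo_dir/loopback.conf"           # prints ok
rm -rf "$demo_dir"
```

If other hosts really must reach the daemon, keep TCPAddr on an internal interface and restrict the port with the host firewall; clamd has no authentication of its own, so anyone who can connect can submit files and drive the scanner.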

Solution 2

LoL, you guys are fun :-)

Ok, on a more serious note, all you'll ever need to do to keep yourself safe is to control your system and network. To do that, there are things that need to be learned:

  1. Everything about networking, start small.
  2. How to configure your firewall (Ufw or, better yet, Iptables)
  3. Learn about Nethogs and use it for live traffic information. Worst case scenario, you can always disable the network if you are paranoid when you don't understand the traffic.
  4. Install and learn about Snort. A must have setup!
  5. Another must-have is the NoScript browser addon. It will prevent you from getting infected in the first place. Just make sure you support websites you trust by enabling scripts for them specifically, because all scripts are disabled by default.
  6. Optionally, get yourself Nmap and Wireshark. Both very useful.
  7. Be careful what you install on your system. Always use the Ubuntu Software Center if possible and verify your downloads.
  8. Encrypt sensitive information. Better you than someone else. Ubuntu has built-in encfs encryption you should check out.
  9. Use Cron or Inotify to check if your key files have been accessed or modified and, if so, to alert you.
  10. Be careful when you play with groups and users. The least harmful thing that can happen is to lock yourself out of root.

Well, this is about it. I have probably missed things, like ClamAV for example, which I have never used. I might look into it for an extra security layer. Oh, and above all, use your brain; no one will use it for you.
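Point 9 of this answer (use cron or inotify to alert on changes to key files) is easy to get wrong: a watcher that only reports events tells you something happened, not what changed. The script below is an added example and not part of the original answer: it records a SHA-256 baseline of a directory tree and later verifies it, reporting modified, deleted and added files and returning non-zero so a cron job can alert. The monitored directory, the baseline path and the sample files are constructed for the example; it relies on GNU coreutils (sha256sum, sort -z, xargs -r) as shipped on Ubuntu.

```shell
#!/bin/sh
# Baseline-and-verify integrity check for files that should not change
# silently (sshd_config, sudoers, crontabs, authorized_keys, ...).

# Record the SHA-256 of every regular file below $1 into the baseline $2.
# Keep the baseline where the users of the monitored files cannot write it,
# otherwise an attacker simply re-baselines after tampering.
baseline_create() {
    dir="$1"; baseline="$2"
    find "$dir" -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum > "$baseline"
}

# Compare the tree under $1 against baseline $2. Returns 0 when nothing
# changed and 1 otherwise; the differing entries are printed so the alert
# says which file, not just "something changed".
baseline_verify() {
    dir="$1"; baseline="$2"
    current=$(mktemp)
    find "$dir" -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum > "$current"
    if diff -u "$baseline" "$current" > "$current.diff"; then
        rm -f "$current" "$current.diff"
        echo "ok: $dir matches baseline"
        return 0
    fi
    echo "ALERT: $dir differs from baseline:"
    # '-' lines are baseline entries that no longer match (modified or deleted),
    # '+' lines are current entries not in the baseline (modified or added).
    # The ---/+++ header lines of the unified diff are skipped.
    grep '^[-+][^-+]' "$current.diff"
    rm -f "$current" "$current.diff"
    return 1
}

# Hypothetical deployment, not run here: put the two functions in
# /usr/local/sbin/fim.sh and add to root's crontab
#   */15 * * * * /usr/local/sbin/fim.sh verify /etc /var/lib/fim/etc.sha256 || logger -p auth.alert -t fim "integrity check failed"
# For immediate notification the inotify-tools package offers
#   inotifywait -m -e modify,attrib,move,create,delete /etc/ssh /etc/sudoers.d
# which reports events as they happen; this script answers the follow-up
# question of what exactly changed.

# Constructed demonstration.
demo=$(mktemp -d)
mkdir -p "$demo/etc"
printf 'PermitRootLogin no\n' > "$demo/etc/sshd_config"
baseline_create "$demo/etc" "$demo/etc.sha256"
baseline_verify "$demo/etc" "$demo/etc.sha256"            # ok
printf 'PermitRootLogin yes\n' > "$demo/etc/sshd_config"   # tampering
baseline_verify "$demo/etc" "$demo/etc.sha256" || true     # ALERT with the changed entry
rm -rf "$demo"
```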


Author: arjun (curious creator). Updated on September 18, 2022.

Comments

  • arjun
    arjun over 1 year

    I am a bit concerned about the security of my Linux machine. ClamAV shows it detects malware, but only during a manual scan. Maybe it isn't designed to run in the background. I don't know. I just want good protection for my system.
    At least Avast on Windows immediately blocks any further interaction if it even gets a slight hint of malicious activity. I haven't seen any Windows malware pop up during a manual scan in a long time.

    Recently ClamAV showed a lot of threats, as it has many times before:

    /home/arjun/.cache/mozilla/firefox/velcy2qd.default-1475046670923/cache2/entries/5B6A5C07930975FDE8750B7CA9824A79551A31A2  PUA.Win.Tool.Packed-177
    /home/arjun/.config/min/Cache/f_000036  PUA.Win.Trojan.Xored-1
    /home/arjun/.config/min/Cache/f_000020  PUA.Win.Trojan.Xored-1
    /home/arjun/.config/Vectr/Cache/f_000006  PUA.Html.Trojan.Agent-37075
    /home/arjun/.npm/accessibility-developer-tools/2.11.0/package.tgz  PUA.Html.Trojan.Agent-37075
    /home/arjun/.npm/npm/2.15.11/package.tgz  PUA.Win.Trojan.Xored-1
    /home/arjun/.npm/imurmurhash/0.1.4/package.tgz  PUA.Win.Trojan.Xored-1


    I don't know if these are false positives or really malware. If we go by this report - http://www.networkworld.com/article/2989137/linux/av-test-lab-tests-16-linux-antivirus-products-against-windows-and-linux-malware.html - it shows ClamAV having around 60% efficiency.
    In fact the report recommends going with Kaspersky or even Sophos would be much better. And there are many other reports in the internet advising the same.

    1. Have you used other software showing better protection than ClamAV?
    2. Are there any "enhancements" possible to increase the threat detection in ClamAV, since it is lightweight? (I have seen some websites suggesting to add their threat signatures to the ClamAV list. Is it safe?)
    3. Overall (and this is important): some configurations which can be performed for hardened protection, without slowing down the machine.
  • arjun
    arjun over 7 years
    Mere assurance that Linux is different wouldn't keep any system secure. Please answer the three points which would help me with better judgment while dealing with security incidents.
  • Rinzwind
    Rinzwind over 7 years
    Yes it does. But any system is as secure as you -treat- it. The one thing I do claim: due to historical reasons Linux IS better at preventing wrongdoing on our systems by our -own- users. So outside interference is also lower. Linux systems get far more compromised by social engineering.
  • Fabby
    Fabby over 7 years
    Wow! Flagged as Low Quality! (And no: it wasn't an audit) Upvoted, expect a bounty soon.
  • Soren A
    Soren A over 7 years
    I think that you missed some important points: 11) Take backup. 12) Take backup. 13) Take backup ....
  • Fabby
    Fabby over 7 years
    @SorenA Good one!!!
  • user633551
    user633551 over 7 years
    @SorenA I thought that was self-evident, as well as not putting anything really sensitive, like passwords and credit card numbers, on a computer!!! But I guess I misjudged the situation. Here are a couple more in such case. 14. Don't forget the encryption passwords. 15. Never have a sledgehammer nearby or have a computer close to an open window :-)
  • David Foerster
    David Foerster over 7 years
    @Rinzwind: That's true for Linux desktop systems. For Linux servers I'd say the bigger issue are exploitable internet services (because the server admin uses development configuration in a production environment, didn't apply security upgrades in time or runs some homebrew PHP or CGI scripts with security holes as big as barn doors). Virus scanners don't really help against either of those though.
  • Andrew Vian
    Andrew Vian over 6 years
    Getting the ClamAV OnAccess scanning operational is a bit difficult. Here is a good link describing the process. blog.clamav.net/2016/03/…