Configuring ClamAV for daily system scans and email notification on Debian

Configuring ClamAV to scan your system daily and send email notifications can be a slightly tough task for some of us. That's why we wrote this tutorial, which explains how to achieve this goal. If you're unfamiliar with ClamAV, it is free, open-source antivirus software available for any Linux distribution. Please note that you must have a working mail service before proceeding with this tutorial.

Installing and configuring ClamAV

The following command refreshes the Debian package index and then installs ClamAV, its database updater (freshclam) and the mailx client used to send the notifications.

 apt-get update && apt-get install clamav clamav-freshclam heirloom-mailx 

Once installed, start the freshclam service, which keeps the ClamAV virus databases up to date, using the following command:

 service clamav-freshclam start 

In its default configuration, ClamAV checks for new virus databases every hour. To change this, edit the configuration file /etc/clamav/freshclam.conf.

Look for the following line :

 # Check for new database 24 times a day
Checks 24 

And change it to:

 # Check for new database 2 times a day
Checks 2 

Also note that on some systems you will have to comment out the following line:

 #NotifyClamd /etc/clamav/clamd.conf 

Checking for newer virus databases a couple of times each day should be sufficient. However, if you want to check for new virus databases manually you can do so by typing this:

 freshclam -v 

Enable notification and scheduled scanning

We will now create a bash script, /root/clamav_dailyscan.sh, to achieve this task:

 nano /root/clamav_dailyscan.sh

Copy the code below and paste it into your clamav_dailyscan.sh file. In this script, set the variable DIRTOSCAN to the directories you want to scan on schedule, and set EMAIL_FROM and EMAIL_TO to your own addresses:

#!/bin/bash
LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log"
EMAIL_MSG="Please see the log file attached."
EMAIL_FROM="clamav_daily@linux.com"
EMAIL_TO="admin@system.com"
# space-separated list, so directory names must not contain spaces
DIRTOSCAN="/var/www /root/"

for S in ${DIRTOSCAN}; do
 DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1)

 # write the scan header to the log so that it appears in the mailed report
 echo "Starting a daily scan of $S directory. Amount of data to be scanned is $DIRSIZE." >> "$LOGFILE"

 # -r: scan recursively, -i: only list infected files
 clamscan -ri "$S" >> "$LOGFILE"

 # get the value of the "Infected files" line from the summary just written
 MALWARE=$(tail "$LOGFILE" | grep Infected | cut -d" " -f3)

 # if the value is not equal to zero, send an email with the log file attached
 # (an empty value, e.g. when clamscan wrote no summary, is treated as 0)
 if [ "${MALWARE:-0}" -ne "0" ]; then
 # using heirloom-mailx below
 echo "$EMAIL_MSG" | mail -a "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO"
 fi
done

exit 0

Now save the file with (ctrl+x), and then change the file permission to:

 chmod 755 /root/clamav_dailyscan.sh 

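Now, we will make this script run once every day by creating a symlink in the /etc/cron.daily/ directory. The link name has no .sh extension because run-parts, which executes the cron.daily scripts on Debian, skips file names that contain a dot.

 ln -s /root/clamav_dailyscan.sh /etc/cron.daily/clamav_dailyscan 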

Your system is now set to scan once a day and send an email notification for viruses found in your mail files or websites. ClamAV can also scan the content of PHP files to detect any possible presence of malware or other dangerous malicious content in them.

Testing the script

The configuration we created in this tutorial takes no action when viruses are found: it does not delete any file, so there is nothing to worry about before testing this script. To test the script, simply execute this command:

 /root/clamav_dailyscan.sh 

Once the script has finished, there are two possible states:
– ClamAV has found some viruses. In this scenario you should receive an email in your inbox with the log attached (as seen below).
– ClamAV hasn't found any viruses, or something went wrong during the execution of the script. In this case you will have to inspect the log for the reason. The logs are available in the /var/log/clamav/ directory.

This is an example of what the log files look like. It should also be the attachment sent to your inbox:

 Starting a daily scan of /var/www directory. Amount of data to be scanned is 25G.
Wed Jul 15 10:11:19 PST 2015

----------- SCAN SUMMARY -----------
Known viruses: 38418
Engine version: 0.98.3
Scanned directories: 479
Scanned files: 316827
Infected files: 0
Data scanned: 17281.70 MB
Data read: 34021.59 MB (ratio 0.50:1)
Time: 1432.747 sec (23 m 52 s)
Wed Jul 15 10:11:19 PSST 2015
------------------------------------------------------
------------------------------------------------------
Starting a daily scan of /root/ directory. Amount of data to be scanned is 70.0G.
Wed Jul 15 10:11:17 PSST 2015
/root/.Cestino/cur/1386677288.M361286P15524,W=2675,S=2627:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/root/.Cestino/cur/1371451873.M697795P19793,W=5421,S=5353:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/root/.Cestino/cur/1390203133.M981287P17350,W=3223,S=3157:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/root/.Cestino/cur/1386677288.M361285P15524,W=2270,S=2227:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND 

In this scenario, ClamAV has found some viruses in your /root/ directory, so the log above will have been sent to your email.
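
Because the script only sends mail when the infected count is non-zero, a clean scan and a failed scan look the same from the inbox. As an added example (not part of the original script), the functions below classify a scan from clamscan's documented exit status (0 = no virus, 1 = virus found, 2 = error) and extract the infected paths from the log. The function names, the one-log-per-scan layout and the sample log are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not the tutorial's script. Function names are hypothetical.
# clamscan(1) exit status: 0 = no virus found, 1 = virus(es) found, 2 = error.

# scan_verdict RC LOGFILE -> prints CLEAN, INFECTED:<count> or ERROR
scan_verdict() (
    rc=$1; log=$2
    # Count the per-file "FOUND" lines; an unreadable log counts as 0.
    hits=$(grep -c ' FOUND$' "$log" 2>/dev/null || true)
    case "$rc" in
        0) echo CLEAN ;;
        1) echo "INFECTED:${hits:-0}" ;;
        *) echo ERROR ;;   # scan did not complete: alert on this as well
    esac
)

# infected_paths LOGFILE -> one path per line. The greedy ".*" keeps colons
# that belong to the file name (Maildir names end in ":2,S" and similar).
infected_paths() {
    sed -n 's/^\(.*\): [^ ]* FOUND$/\1/p' "$1"
}

# Constructed sample log (not real scan output), in clamscan -ri format.
write_sample_log() {
    cat > "$1" <<'EOF'
/var/www/upload/x.php: Constructed.Test.Signature FOUND
/root/Maildir/cur/1700000000.M1P2,S=10:2,S: Constructed.Test.Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
EOF
}

# Demo. In a daily script the status would come from the scan itself, e.g.
#   clamscan -ri "$S" > "$log"; scan_verdict $? "$log"
demo_log=$(mktemp)
write_sample_log "$demo_log"
scan_verdict 1 "$demo_log"      # INFECTED:2
infected_paths "$demo_log"
scan_verdict 2 /nonexistent.log # ERROR
rm -f "$demo_log"
```

Mailing on ERROR as well as on INFECTED means a scan that never ran is noticed the same day instead of being discovered later in /var/log/clamav/.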
Good luck!
