hartmantis / clamav-chef

A Chef cookbook for the Clam AntiVirus application

Create cron job or daemon to run clamdscan? #23

Closed bknowles closed 10 years ago

bknowles commented 10 years ago

One thing I noticed about this cookbook is that it installs and configures clamd and freshclam, but it doesn't actually set up any regular scans by clamscan or clamdscan. Is this an intentional choice? If so, what is the recommended method for doing something like this on a site-local basis?

hartmantis commented 10 years ago

It was an intentional choice, but only because my use of ClamAV is strictly as a server for client applications like Postfix to talk to, not so much as a filesystem scanner.

I like the idea of having a scheduled scan option. Are there any particular options you'd want to see in such a thing? Would configurable frequency and directories to scan be sufficient? Would you want to generate an email report or take some other action when a virus is found?

In the meantime, outside of this cookbook, the cron cookbook provides a resource for configuring jobs that I've had good luck implementing in other places in the past.

bknowles commented 10 years ago

One thing that we're going to need is to run clamd with elevated permissions -- i.e., either as root, or as group wheel. I haven't figured out yet which is going to be best. Beyond that, I think configurable frequency and directories to be scanned (or avoided) would be plenty.

For the moment, I'm going to be doing some manual tweaking and testing, and then I'm going to add some minimal additional stuff to a private fork of the cookbook, plus one or two cron jobs -- maybe via the cron cookbook, or maybe just drop them in manually as part of the private clamav cookbook. Again, haven't decided yet which would be best.

But once I get something working to my satisfaction, I'll let you know and then we can try to figure out what I can contribute back that wouldn't be a violation of our policies with our client.

bknowles commented 10 years ago

So, I found a "clamav-scan.sh" script at http://guylabs.ch/2013/09/18/install-clamav-antivirus-in-ubuntu-server-and-client/ that looks pretty good, and I think I'm going to be creating a variant to use for our customer.

All it really needs is the ability to feed it a list of directories to scan, so that we can do a full scan of the entire system on a weekly basis, and a more targeted scan on a daily basis. I'm thinking that could be passed on the command line to the script, and have it pass the arguments as-is to clamdscan, and if there are no arguments to the script then assume that a full scan is to be performed.

Of course, you need to be able to set a few "ExcludePath" entries, but those can be put into the clamd.conf file, along with the appropriate "MaxDirectoryRecursion", and certain other settings.
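A wrapper along the lines sketched in the comment above, added here as an illustrative example; it is not the cookbook's code and not the guylabs.ch script. The script name `clamav-scan.sh`, the `CLAMDSCAN` and `SCAN_LOG` variables, and the install path in the cron comments are assumptions. With no arguments it scans `/`; otherwise the arguments are passed through to `clamdscan` unchanged. `--fdpass` makes clamdscan hand open file descriptors to clamd, so the daemon itself does not need read access to every path being scanned, which takes some pressure off the "run clamd as root or wheel" question. `ExcludePath` (a regex) and `MaxDirectoryRecursion` belong in clamd.conf, as noted above, so the wrapper does not repeat them.

```shell
#!/bin/sh
# clamav-scan.sh (illustrative example, not part of the clamav cookbook)
#
# Usage: clamav-scan.sh [PATH...]
#   no arguments  -> full scan of /
#   arguments     -> passed as-is to clamdscan
#
# Assumed cron entries (paths are assumptions):
#   0 3 * * 0    root /usr/local/sbin/clamav-scan.sh              # weekly full scan
#   0 3 * * 1-6  root /usr/local/sbin/clamav-scan.sh /home /var/www  # daily targeted scan

CLAMDSCAN="${CLAMDSCAN:-clamdscan}"                 # overridable for testing
SCAN_LOG="${SCAN_LOG:-/var/log/clamav/scan.log}"    # assumed log location

# Run clamdscan over the given paths (default: /) and return its exit status:
# 0 = clean, 1 = infected file(s) found, 2 = error (clamd down, unreadable path, ...).
run_scan() {
    if [ "$#" -eq 0 ]; then
        set -- /
    fi
    # --fdpass:    pass file descriptors to clamd so clamd need not read paths itself
    # --multiscan: let clamd scan in parallel
    # --infected:  only list infected files
    # --log:       append per-file results and the summary to SCAN_LOG
    "$CLAMDSCAN" --fdpass --multiscan --infected --log="$SCAN_LOG" "$@"
}

# Map a clamdscan exit code to a short status word for the log and cron mail.
describe_status() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "INFECTED" ;;
        2) echo "error" ;;
        *) echo "unknown($1)" ;;
    esac
}

# Run the scan, append one summary line to the log, and exit with clamdscan's
# status so cron notices (and mails) when something was found or the scan failed.
main() {
    start=$(date '+%Y-%m-%d %H:%M:%S')
    run_scan "$@"
    rc=$?
    echo "$start clamav-scan: $(describe_status "$rc") (paths: ${*:-/}, rc=$rc)" >> "$SCAN_LOG"
    return "$rc"
}

# Only run when executed as the script itself, not when sourced.
case "$0" in
    *clamav-scan.sh) main "$@" ;;
esac
```

Because the exit status is propagated, a cron job calling this script produces mail (or a failed-job alert, depending on the site's cron setup) for both infections and scanner errors, and the two are distinguishable by the status word in the log line.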

bknowles commented 10 years ago

I was a little surprised to see that the ClamAV documentation touted their high performance for scanning, and referenced pages such as https://www.shadowserver.org/wiki/pmwiki.php/AV/VirusMonthlyStats, when in fact their 0day detection rate over the month is only just over 50%, whereas the best scanners on Linux are over 70%. Considering the retry performance, ClamAV goes up to 59%, but the best scanners on Linux exceed 80%.

And that's just the single scanner performance. If you look at what happens with certain pairs of high-performing scanners (see https://www.shadowserver.org/wiki/pmwiki.php/AV/CombinedPerformance), as of 7 Jan 2014, the top six spots are some combination of McAfee plus another program and exceed or get near 90% 0day performance, and on retest some combination of AVG takes the top three spots with catch rates near or over 95%.

That's a huge difference compared to what ClamAV seems to be able to do.

Note that the situation doesn't seem to improve by much even as you go to combined performance over a year or two year period of time -- ClamAV fairly consistently seems to get 0day coverage in the 40-50% range, whereas the best scanners on Linux seem to be able to do 70% or better.

bknowles commented 10 years ago

Looks like we should be getting client approval to contribute the code I've been working on back to your project. Then we can just use your latest version and not have to maintain our own private fork, which should make everyone happy.

More info as I get it. Thanks!

bknowles commented 10 years ago

See Pull Request #25