In this post, I’ll be documenting how to install, set up, and configure ClamAV with "on-access scanning" on Linux Mint 20.2 Cinnamon systems.
The following sections will instruct you how to install and configure ClamAV:
1. Install ClamAV daemon
2. Setting up on-access scanning
3. Setting up notification
During setup you have to edit several files. I've done this by using _vim_, e.g. `sudo vim /etc/clamav/clamd.conf`.
**1\. Install ClamAV daemon**
First of all you have to install the "clamav-daemon" package from the Linux Mint repo.
Open a terminal and type:
`sudo apt-get update`
`sudo apt-get -y install clamav-daemon`
`sudo systemctl enable clamav-daemon`
Add the following lines to `/etc/clamav/clamd.conf`:
Code:
```bash
#MaxDirectoryRecursion 15
MaxDirectoryRecursion 20
ExcludePath ^/proc
ExcludePath ^/sys
ExcludePath ^/run
ExcludePath ^/dev
ExcludePath ^/home/timeshift
```
On my system I had to increase the `MaxDirectoryRecursion` value to 20.
On your system the path of `Timeshift` might be different from `/home/timeshift`.
Restart the clamav daemon:
`sudo systemctl restart clamav-daemon`
Wait a few seconds for the daemon to restart. Check the status of both daemons:
`sudo systemctl status clamav-daemon`
`sudo systemctl status clamav-freshclam`
Now you are able to run a test scan of your home directory:
`sudo /usr/bin/clamdscan --fdpass --log=/var/log/clamav/clamdscan.log /home`
**2\. Setting up on-access scanning**
First of all you have to install the "apparmor-utils" package from the Linux Mint repo.
Open a terminal and type:
`sudo apt-get -y install apparmor-utils`
`sudo aa-complain /usr/sbin/clamd`
Add the following lines to `/etc/clamav/clamd.conf`:
Code:
```bash
OnAccessIncludePath /home
OnAccessExcludeUname clamav
```
Create a startup script for clamonacc `/etc/systemd/system/clamonacc.service`:
Code:
```bash
# /etc/systemd/system/clamonacc.service
[Unit]
Description=ClamAV On Access Scanner
Requires=clamav-daemon.service
After=clamav-daemon.service
After=syslog.target
After=network-online.target
[Service]
Type=simple
User=root
ExecStartPre=/bin/bash -c "while [ ! -S /var/run/clamav/clamd.ctl ]; do sleep 1; done"
ExecStart=/usr/sbin/clamonacc -F --fdpass --config-file=/etc/clamav/clamd.conf --log=/var/log/clamav/clamonacc.log
[Install]
WantedBy=multi-user.target
```
Set startup script to 644 and enable clamonacc.service:
`sudo chmod 644 /etc/systemd/system/clamonacc.service`
`sudo systemctl enable clamonacc`
On my system I had to increase the _fs.inotify.max\_user\_watches_ value as mentioned in [ClamAV documentation](https://docs.clamav.net/manual/OnAccess.html):
Add the following line to `/etc/sysctl.conf`:
`fs.inotify.max_user_watches = 524288`
Reboot your system and check if the clamonacc daemon is correctly started.
Remember: wait a few seconds for the daemon to come up.
`sudo systemctl status clamonacc`
**3\. Setting up notification**
On my system I'm using _notify-send_ to get ClamAV alerts. First of all you have to install the "inotify-tools" package from the Linux Mint repo.
Open a terminal and type:
`sudo apt-get -y install inotify-tools`
`sudo touch /var/log/clamav/clamonacc_notify.log`
`sudo chmod 644 /var/log/clamav/clamonacc_notify.log`
`sudo chmod 644 /var/log/clamav/clamonacc.log`
`sudo chown clamav: /var/log/clamav/clamonacc_notify.log`
The script clamav\_wrapper is triggered by the _VirusEvent_ configured in clamd.conf. It writes the latest FOUND line to a notify file, which your local user can watch.
Create a file `/usr/local/bin/clamav_wrapper`:
Code:
```bash
#!/bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin
LANG=C
# Give clamonacc a moment to write the FOUND line to its log before reading it.
sleep 2
# Copy only the most recent FOUND line into the notify file watched by notify_clamav.
grep FOUND /var/log/clamav/clamonacc.log | tail -n 1 > /var/log/clamav/clamonacc_notify.log
```
Set clamav\_wrapper script to 755:
`sudo chmod 755 /usr/local/bin/clamav_wrapper`
The script notify\_clamav is watching the clamonacc\_notify.log file for new FOUND entries and
sending alert messages to the desktop of the local user.
Create a file `/usr/local/bin/notify_clamav`:
Code:
```bash
#!/bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin
LANG=C
_log=/var/log/clamav/clamonacc_notify.log
# Bail out early if clamav_wrapper's notify file does not exist yet.
if [ ! -e "$_log" ]; then
    notify-send "ClamAV" "error: $_log missing."
    exit 1
fi
# Every close_write on the notify file means clamav_wrapper has written a new FOUND line.
inotifywait -mq -e close_write "$_log" | while read -r _event
do
    _result=$(cat "$_log")
    if [ "$_result" != "" ]; then
        notify-send "ClamAV" "$_result"
    else
        notify-send "ClamAV" "Please check $_log"
    fi
done
```
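The two scripts above hand the raw log line to notify-send. The following is an added example, not part of the original how-to or of ClamAV itself: it splits the `: <signature> FOUND` lines that clamonacc logs (and that clamav\_wrapper copies into clamonacc\_notify.log) into a file path and a signature name, and builds the alert text notify\_clamav would show, falling back to the same "Please check" message when the notify file is empty or holds something that is not a FOUND line. It is written in POSIX sh so it also runs under dash; the sample lines are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the original how-to or of ClamAV: parse the
# ": <signature> FOUND" lines clamonacc writes (and clamav_wrapper copies into
# clamonacc_notify.log) into separate path and signature fields, then build the
# alert body notify_clamav would pass to notify-send. Sample lines are constructed.

NOTIFY_LOG=/var/log/clamav/clamonacc_notify.log   # path used by the how-to

# parse_found_line LINE
#   On success sets FOUND_PATH and FOUND_SIG and returns 0.
#   Returns 1 when LINE is not a FOUND line: an empty notify file, a partially
#   written line, or an unrelated log message.
parse_found_line() {
    FOUND_PATH=
    FOUND_SIG=
    case "$1" in
        *" FOUND") ;;
        *) return 1 ;;
    esac
    _body=${1% FOUND}                 # drop the trailing " FOUND"
    case "$_body" in
        *": "*) ;;
        *) return 1 ;;                # no "path: signature" separator at all
    esac
    FOUND_SIG=${_body##*: }           # text after the LAST ": " is the signature
    FOUND_PATH=${_body%: *}           # everything before it is the path, which may
                                      # itself contain ": " (hence splitting on the last)
    [ -n "$FOUND_SIG" ] && [ -n "$FOUND_PATH" ] || return 1
    case "$FOUND_SIG" in
        *" "*) return 1 ;;            # signature names never contain spaces
    esac
    return 0
}

# build_alert LINE
#   Prints the message body for notify-send: structured fields for a FOUND line,
#   otherwise the same "Please check" fallback the how-to's notify_clamav uses.
build_alert() {
    if parse_found_line "$1"; then
        printf 'Infected file: %s\nSignature: %s\n' "$FOUND_PATH" "$FOUND_SIG"
    else
        printf 'Please check %s\n' "$NOTIFY_LOG"
    fi
}

# Constructed sample lines in the shape clamonacc writes them
SAMPLE_HIT='/home/alice/Downloads/eicar.com.txt: Win.Test.EICAR_HDB-1 FOUND'
SAMPLE_ODD='/home/alice/notes: draft: v2.txt: Win.Test.EICAR_HDB-1 FOUND'
SAMPLE_EMPTY=''

build_alert "$SAMPLE_HIT"
build_alert "$SAMPLE_ODD"
build_alert "$SAMPLE_EMPTY"
```

Splitting on the last `: ` matters because a file name may itself contain `: `, while a signature name never does; the empty-string case is what notify\_clamav sees when clamav\_wrapper's `grep | tail` produced nothing, which is why both scripts keep the "Please check" fallback.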
Set notify\_clamav script to 755:
`sudo chmod 755 /usr/local/bin/notify_clamav`
Add the following line to `/etc/clamav/clamd.conf`:
`VirusEvent /usr/local/bin/clamav_wrapper`
In Cinnamon open Startup Applications to set up notify\_clamav for start on logon:
> Startup Applications > + > Custom command
> Name: Notify ClamAV
> Command: /usr/local/bin/notify\_clamav
> Startup delay: 5
![[Pasted image 20240915175545.png|350]]
Finally we have to clean up the system on shutdown by ending notify\_clamav.
Create a file `/usr/local/sbin/notify_cleanup`:
Code:
```bash
#!/bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin
LANG=C
killall notify_clamav
killall inotifywait
cp /dev/null /var/log/clamav/clamonacc_notify.log
```
Set notify\_cleanup to 750:
`sudo chmod 750 /usr/local/sbin/notify_cleanup`
Add the following line to `/etc/lightdm/lightdm.conf`:
`session-cleanup-script=/usr/local/sbin/notify_cleanup`
Reboot your system and wait a few seconds for the daemon to come up.
**Testing your system**
Now it's time to run a notification test on your system by downloading a test virus file.
Open a terminal and type:
`wget https://secure.eicar.org/eicar.com.txt`
`cat eicar.com.txt`
You should see a notification message like this:
![[Pasted image 20240915175716.png|550]]
## Sources
[ClamAV-Howto - Setting up ClamAV on Linux Mint 20.2 Cinnamon - Linux Mint Forums](https://forums.linuxmint.com/viewtopic.php?f=42&t=355781&sid=79a71bc6c98720281cd2d98b62f1ac50)