One of the great things about being a desktop Linux user is that you’re immune to Windows-based viruses and spyware. However, if you’re like me, you probably share files with people who use Windows, and just as it’s possible for you to carry a biological virus and not get sick, you can unwittingly be a carrier and transmitter of Windows-based viruses, by virtue of receiving and relaying files that are infected. Even though you don’t get sick, it’s still embarrassing when you give someone else the equivalent of the “computer clap.”
Fortunately, there are Linux-based antivirus scanners that let you take some precautions. There are a number of commercial products on the market, some of which are listed at the end of this column, but for now, let’s focus on an open source solution and a free (no cost) solution: the CLAMAV project and Grisoft’s AVG Free antivirus software, respectively.
CLAMAV is a popular open source virus scanner because it’s free, is extremely fast (it’s written in very tight C code), and has a comprehensive virus signature database that’s updated very often by the project’s developers. It can run on its own as a command-line utility, run as a resident daemon for server-based applications, or be embedded (as a library) in other applications, such as email servers. It can also be wrapped by graphical user interfaces (GUIs), which I’ll get to later.
CLAMAV ships with many distributions and is available in package form for others. If freshclam exists on your machine, CLAMAV is installed. If you have the latest up-to-date version (as the magazine goes to press, the latest version was 0.88), you can ignore the build instructions that appear below. However, if your CLAMAV software is out-of-date, uninstall that version, preferably using your distribution’s native package manager.
To download the latest CLAMAV for your distro, go to the CLAMAV project web site (http://www.clamav.net/), go to the “Binary Packages and Ports” section (http://www.clamav.net/binary.html), and follow the instructions for installing it on your particular distribution. If you have an RPM-based distro, you can simply download the RPM built for your system, open a terminal prompt, and run:
# sudo rpm -Uvh clamav-0.88-formydistro.rpm
If a binary version of CLAMAV doesn’t exist for your flavor of Linux, simply compile it from source. Don’t panic! It’s not that difficult.
Go to the CLAMAV “Stable Release” page (http://www.clamav.net/stable.php) and download the latest stable release. At the time of this writing, the file was called clamav-0.88.tar.gz.
To build CLAMAV, you need the GCC compiler suite. If you’ve done a full install of your distro from DVD, like SUSE 10.0 or Fedora Core 5, you’re set to go. If not, or if you’re using something like Ubuntu or Debian, run your package manager to install the GCC dependencies first, including zlib and zlib-devel.
Once GCC is installed, open a terminal prompt and run su root to become the root user. Next, issue the following commands from the directory that contains the CLAMAV source code:
# groupadd clamav
# useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
The two previous commands add a clamav group and a clamav user, respectively, to your system. The user gets /bin/false as its shell so nobody can log in as it. Next, build the CLAMAV source.
$ zcat clamav-x.yz.tar.gz | tar xvf -
$ cd clamav-x.yz
$ ./configure --sysconfdir=/etc
$ make
(In the commands above, be sure to change x.yz to the version number of the software you downloaded.) Depending on how fast your PC is, the entire build process could take a few minutes or a bit longer.
Once the build is finished, install the CLAMAV software with the command:
$ su -c "make install"
Next, become root and create the initial log file and assign it appropriate access permissions for the clamav user:
# touch /var/log/freshclam.log
# chmod 600 /var/log/freshclam.log
# chown clamav /var/log/freshclam.log
You must also set the permissions on the CLAMAV virus signature directory:
# chown clamav:clamav /var/lib/clamav
# chmod 755 /var/lib/clamav
Next, open the /etc/clamav.conf file with your favorite text editor, and remove this section:
#Comment or remove the line below
Next, remove the # symbol in front of this line:
Save the file and exit the editor. To continue, run the freshclam command as root from a terminal prompt. If you’ve followed all of the instructions correctly, you should see a message that the virus database has been updated, as in:
[root@localhost ~]# freshclam
ClamAV update process started at Tue Jan 24 13:16:06 2006
Downloading main.cvd [*]
main.cvd updated (version: 35, sigs: 41649, f-level: 6, builder: tkojm)
Downloading daily.cvd [*]
daily.cvd updated (version: 1248, sigs: 852, f-level: 7, builder: diego)
Database updated (42501 signatures) from db.us.clamav.net (IP: 22.214.171.124)
To automatically have freshclam update its database on a periodic basis, add the following line to your /etc/cron.hourly file:
N * * * * /usr/local/bin/freshclam --quiet
If you run SUSE or another distro, /etc/cron.hourly might be a directory containing vanilla shell scripts. In that case, create a text file named /etc/cron.hourly/freshclam with the following lines:
Scanning with CLAMAV
CLAMAV scans are fast and efficient. To perform a scan, simply issue the following command as root:
# clamscan --recursive --infected /path/to/a/directory
This causes clamscan to scan the files within the specified directory and within all of the directory’s subdirectories. If you omit /path/to/a/directory, clamscan recursively scans . (“dot”), the current working directory.
If clamscan finds any viruses, it warns you of the infections, but it won’t clean them by default. However, if you run the following command…
# clamscan --recursive --move=/path/to/my/quarantine
… clamscan moves all infected files to /path/to/my/quarantine, at which point you can go through those files to see which are infected and delete those at your leisure.
Or, if you’re feeling totally paranoid and want the files removed from your system immediately, the following command erases any infected files found:
# clamscan --recursive --remove /directoryname
clamscan has many other command-line options; type clamscan --help to review them.
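As an added example (not code from the column or from the CLAMAV project), here is a POSIX shell script that post-processes a clamscan run rather than letting --remove act immediately: it pulls the flagged paths out of clamscan’s per-file output (“path: OK” or “path: Signature FOUND”), counts them, translates clamscan’s exit status (0 clean, 1 something found, 2 error) into a word a log line or cron mail can carry, and moves a reviewed list of files into a root-only quarantine directory, which is the manual counterpart of --move. The sample scan output is constructed: Eicar-Test-Signature is the standard harmless test signature, Example.Constructed-1 is an invented name, and the scan_and_report function assumes clamscan is on the PATH.

```shell
#!/bin/sh
# Added example, not from the column: post-process a clamscan run.
# clamscan prints one line per file ("<path>: OK" or "<path>: <signature> FOUND")
# and exits 0 when clean, 1 when something was found, 2 on an error.

# Constructed sample output standing in for a real scan. Eicar-Test-Signature
# is the standard harmless test signature; Example.Constructed-1 is invented.
SAMPLE_SCAN_OUTPUT='/home/alice/docs/report.doc: OK
/home/alice/mail/attach.exe: Eicar-Test-Signature FOUND
/home/alice/mail/invoice.zip: Example.Constructed-1 FOUND
/home/alice/pics/cat.jpg: OK'

# Print the path of every file clamscan flagged (clamscan output on stdin).
# The greedy \(.*\) keeps the whole path; the signature name holds no colon.
infected_paths() {
    sed -n 's/^\(.*\): [^:]* FOUND$/\1/p'
}

# Count the flagged files (clamscan output on stdin); tr strips the padding
# some wc implementations print.
count_found() {
    infected_paths | wc -l | tr -d ' '
}

# Map clamscan's exit status to a word for a log line or cron mail.
clamscan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Move each path read from stdin into a quarantine directory that only its
# owner can enter (mode 700). Doing it from a saved report instead of
# --move lets you look at the list before anything is touched.
quarantine_files() {
    qdir="$1"
    mkdir -p "$qdir" && chmod 700 "$qdir"
    while IFS= read -r path; do
        [ -f "$path" ] || continue      # skip paths that no longer exist
        mv -- "$path" "$qdir/"
    done
}

# Scan one directory, save the report, and print a one-line summary.
# Assumes clamscan is on the PATH; meant to be called from cron as root.
scan_and_report() {
    dir="$1"
    report="$2"
    clamscan --recursive --infected "$dir" > "$report"
    status=$?
    echo "$dir: $(clamscan_verdict "$status"), $(count_found < "$report") file(s) flagged"
}

# Stand-alone demo on the constructed output (no clamscan needed):
printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | infected_paths
echo "flagged: $(printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | count_found), verdict: $(clamscan_verdict 1)"
```

A typical cron use is `scan_and_report /home /var/log/clamscan-home.txt`, then, once you have looked at the report, `infected_paths < /var/log/clamscan-home.txt | quarantine_files /var/quarantine`. Checking the exit status separately from the FOUND count matters: a status of 2 means the scan itself failed (for example an unreadable directory), so a zero count in that case is not a clean bill of health.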
If the command line is not your thing, look at KLAMAV, a KDE/Qt front-end to CLAMAV. KLAMAV has some nice features which make it comparable to commercial-quality antivirus packages for Windows, including on-access virus scanning and email program integration. However, KLAMAV has a number of dependencies, such as the Qt development libraries, the kernel source for your installed kernel, and a pre-built Linux kernel that’s compatible with the on-access scanning kernel module (dazuko). Depending on your distribution, you might have some difficulty installing KLAMAV. On the other hand, some distros are starting to include KLAMAV, so check the KLAMAV homepage to see if your version of Linux is supported.
The CLAMAV documentation also lists a number of other CLAMAV GUI front-ends that you can either buy inexpensively or download for free.
Grisoft AVG Free
Grisoft AVG is a commercial virus scanner that offers a free version for home use, AVG Free. AVG Free uses the same virus definitions and the same virus scanning engine as the commercial product, but it has a reduced feature set. Nonetheless, AVG Free is a very effective virus scanner and I like it. Additionally, AVG has a built-in GUI. I use it on both my Windows and Linux systems. For a no-cost product, you can’t beat it.
You can download AVG Free from http://free.grisoft.com/. Currently, Grisoft offers versions for SUSE, Red Hat,
If you’ve got some form of Debian, you’ll want to use alien to install the Red Hat version. AVG Free requires Python, the Python pygtk modules, and libstdc. If you did a full install of your distro, you probably already have everything you need.
Once you’ve downloaded the AVG Free RPM file, open a terminal window, change to the directory you’ve saved the RPM to (say, your home directory) and run the following commands:
# su root
# rpm -Uvh avglinux-7.1-22_free_xxx_avi0649.i386.rpm
The third command updates the GUI with your name and default license information. To run the AVG free GUI, simply type avggui from any command prompt.
From within the GUI, everything is pretty straightforward: the Update button grabs the latest virus signatures from the AVG web site, and the Test button brings up a dialog that allows you to scan any subdirectory on your file system, including filesystems that are remotely mounted.
AVG also has a command-line interface. Simply issue the “avgscan” command:
# avgscan /home
Like CLAMAV, avgscan has a lot of command-line options. Issue avgscan -help to learn more.
Other Virus Scanners
–prot.com/) by Frisk Software International is a fully commercial virus scanning program that’s free for home users, with no restrictions or removed features. Like CLAMAV, it’s command-line based. BitDefender is another command-line based virus scanner that is also free for use by Linux users. You can download BitDefender from http://www.bitdefender.com.
Kaspersky (http://www.kaspersky.com/) is a fully commercial Linux virus scanner that’s considered one of the best on the market, with lots of integration with email and anti-spam products. For the most part, it’s geared to professional and server-based use.
Whatever software package you choose to use, remember to always practice safe computing. After all, you don’t know where that attachment has been.