The folks at clamav.net have recently built something exciting! They created a scanner daemon, clamd, which runs continuously, and which scans files upon request by a client called clamdscan.
This division of labor produces an astonishing performance gain. Most of the run time of a virus scanner is spent loading the virus definitions--which, after all, are a very long list of strings to look for. With clamd, these definitions are loaded only once, when the daemon starts, and each clamdscan invocation spends its time only on reading the file to be scanned. In practice, a scan is 100 times faster or more.
When clamdscan matures, I will recommend it for all installations, especially mission critical, high-volume servers that will benefit most from the major time savings. Meanwhile, I can only offer my unqualified approval of the idea, and the following notes for using clamdscan with qscanq. I use clamdscan on my server.
NOTE: clamdscan will not work correctly on Solaris. The qscanq security model requires restrictive permissions on the scanning queue. clamdscan checks access to the current working directory before starting to scan; under those permissions the check fails on Solaris, and clamdscan aborts. This problem is not found on Linux or BSD systems. For a Solaris workaround, see the FAQ.
Building clamdscan
You should use version 0.70 of clamav or higher. You must download and build clamdscan, using this patch. It modifies clamd so that it can be told to log its activities to standard error, which allows multilog to capture them. The following commands should suffice:

wget http://www.pobox.com/~lbudney/software/qscanq/clamav-0.70-stderr.patch.gz
gunzip -c clamav-0.70-stderr.patch.gz | patch -p0
Finally, build and install clamav as per the included instructions. Be sure to install clamd and clamdscan, and to install and configure the Internet update daemon, freshclam.
Configuring clamd
In a default install, the clamd configuration file will be found at /usr/local/etc/clamav.conf. Edit the file and follow the contained instructions, making sure that the following entries are set in their appropriate places:
- LogFile stderr
- StreamSaveToDisk
- User Gqscanq
- Foreground
- FixStaleSocket
The FixStaleSocket setting is intended to address a problem with clamd: if the daemon crashes, it can leave a stale communications socket lying around. When relaunched, clamd detects this socket and refuses to start. When this happens, email will be deferred because scanning will fail; if it is not corrected in time, messages will start to bounce. The startup script supplied below also checks for this condition.
Other settings may be set at your pleasure, but clamuko should not be used. The clamd daemon will be run with non-root privilege, and clamuko will not operate properly in that configuration.
Make sure you are running freshclam in order to get the latest virus definitions in a timely way.
Running clamd
It is recommended that clamd be run as a daemontools service. If clamav was installed in the default manner, there should be a clamav user. In addition, the user Gqscanq will be created to support qscanq. You should not proceed until that user exists. Stop right now and install qscanq, or at least create the necessary users, and then come back to this step.
Is there a clamav user and a Gqscanq user? Okay, good. You may proceed.
Download this package and unpack it in /usr/local/etc. It should create the following directory structure there:
drwxr-xr-x 3 root    root 4096 Feb  5 20:43 clamd
drwxr-xr-x 3 root    root 4096 Feb  5 20:44 clamd/log
drwx--S--T 2 Gqscanq root 4096 Feb  5 20:42 clamd/log/main
-rwxr-xr-x 1 root    root   97 Jan 28 23:08 clamd/log/run
-rw-r--r-- 1 Gqscanq root    0 Feb  5 20:44 clamd/log/status
drwxr-sr-t 2 Gqscanq root 4096 Feb  5 20:42 clamd/root
-rwxr-xr-x 1 root    root   65 Jan 30 06:50 clamd/run
Fix the directory structure, particularly the ownership, if necessary. Then link this folder into /service:
ln -s /usr/local/etc/clamd /service
That should be it. This daemon will be running as Gqscanq, and will be logging to /service/clamd/log/main/current.
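The package's own run script is only 65 bytes, and its contents are not shown here. As an added example (not the qscanq package's script), the following daemontools run script performs the pre-flight checks this page describes before starting clamd: it verifies that clamav.conf carries the five settings listed above, refuses a configuration that enables clamuko, and removes a stale socket left behind by a crash. It assumes clamd is installed at /usr/local/sbin/clamd and reads /usr/local/etc/clamav.conf by default; both paths are assumptions, and the two sample configurations in the self-test are constructed for illustration.

```shell
#!/bin/sh
# Added example: daemontools run script for clamd with pre-flight checks.
# Not the qscanq package's run script. Assumed (not from the page): clamd lives at
# /usr/local/sbin/clamd and reads /usr/local/etc/clamav.conf on its own.
CLAMD=/usr/local/sbin/clamd
CONF=/usr/local/etc/clamav.conf

# conf_value FILE DIRECTIVE: print a directive's value. Commented-out lines never
# match, because their first field is "#" or "#Directive", not the bare name.
conf_value() {
    awk -v key="$2" '$1 == key { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); print; exit }' "$1"
}

# conf_has FILE DIRECTIVE [VALUE]: succeed if the directive is set (to VALUE, when given).
conf_has() {
    awk -v key="$2" -v val="$3" \
        '$1 == key && (val == "" || $2 == val) { ok = 1 } END { exit !ok }' "$1"
}

# check_clamd_conf FILE: require the settings qscanq needs, and reject clamuko,
# which cannot work once clamd has dropped to the unprivileged Gqscanq user.
check_clamd_conf() {
    conf=$1; bad=0
    for req in "LogFile stderr" StreamSaveToDisk "User Gqscanq" Foreground FixStaleSocket; do
        set -- $req
        if ! conf_has "$conf" "$1" "$2"; then
            echo "clamd/run: $conf lacks required setting: $req" >&2
            bad=$((bad + 1))
        fi
    done
    if awk '$1 ~ /^Clamuko/ { found = 1 } END { exit !found }' "$conf"; then
        echo "clamd/run: $conf enables clamuko, which will not run as Gqscanq" >&2
        bad=$((bad + 1))
    fi
    [ "$bad" -eq 0 ]
}

# clear_stale_socket PATH: supervise guarantees no other clamd is running when this
# script starts, so a socket file that already exists is a leftover from a crash and
# would make clamd refuse to start. Regular files are left alone.
clear_stale_socket() {
    sock=$1
    if [ -n "$sock" ] && [ -S "$sock" ]; then
        echo "clamd/run: removing stale socket $sock" >&2
        rm -f "$sock"
    fi
}

start_clamd() {
    check_clamd_conf "$CONF" || exit 1   # supervise retries; the reason lands in the log
    clear_stale_socket "$(conf_value "$CONF" LocalSocket)"
    # Foreground keeps clamd attached so supervise can track it; "LogFile stderr" plus
    # 2>&1 hands its log to multilog; the User directive makes clamd drop to Gqscanq.
    exec "$CLAMD" 2>&1
}

# selftest: exercise the checks on two constructed configs (sample input, not real files).
selftest() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/good.conf" <<'EOF'
# constructed clamav.conf following the settings listed on this page
LogFile stderr
StreamSaveToDisk
User Gqscanq
Foreground
FixStaleSocket
LocalSocket /tmp/clamd.socket
#ClamukoScanOnOpen
EOF
    cat > "$dir/bad.conf" <<'EOF'
# constructed clamav.conf: logs to a file, daemonizes, and enables clamuko
LogFile /var/log/clamd.log
User Gqscanq
FixStaleSocket
ClamukoScanOnOpen
EOF
    touch "$dir/plain"   # a regular file must never be mistaken for a stale socket
    status=1
    if check_clamd_conf "$dir/good.conf" 2>/dev/null &&
       ! check_clamd_conf "$dir/bad.conf" 2>/dev/null &&
       [ "$(conf_value "$dir/good.conf" LocalSocket)" = /tmp/clamd.socket ] &&
       clear_stale_socket "$dir/plain" && [ -f "$dir/plain" ]; then
        status=0
    fi
    rm -rf "$dir"
    return $status
}

case "${0##*/}" in
    run) start_clamd ;;   # installed as /service/clamd/run: start the daemon
    *)   selftest ;;      # invoked any other way: run the checks on constructed input
esac
```

Installed as /usr/local/etc/clamd/run, the script is executed by supervise and ends in the exec; invoked under any other name it only runs the self-test. The matching log/run is the usual one-liner, `exec setuidgid Gqscanq multilog t ./main`, which is consistent with log/main and log/status being owned by Gqscanq in the listing above.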
Test Your Installation
To test your installation, unpack eicar_com.zip, found in qscanq/src, into /tmp. Change directories to /tmp and issue the command "clamdscan ./". The software should report detection of the EICAR test virus. Then perform the qscanq tests described in the installation instructions. If those tests pass, then your installation appears to be working.
Don't forget to make sure that freshclam is running and can successfully update your virus definitions.
