How to Install antivirus software on Raspberry Pi 4 ?

Anti Virus
Reading Time: 5 minutes

I installed clamav, this is open source antivirus software on Raspberry Pi 4!

I setup nextcloud, it’s nice!
But I am a little worrying about security.
Do you have any good idea?

I will solve this question.

If you are already familiar with clamav and want to establish virus scan server by clamav, go here.



Security measures to Raspberry Pi 4

The basic security measures are as follows.

  • Install antivirus software
    • on-demand type
    • real-time type
  • Install web application firewall
  • Setup additional user, delete default user “pi”
  • Change SSH setting to allow only public key authentication

This post shows how to install antivirus software.

Which antivirus software can I use with Raspberry Pi 4?

First of all, we need to recognize that Windows antivirus software like Symantec/McAfee cannot be installed to Raspberry Pi 4 because CPU architecture of Raspberry Pi 4 is different from PC one.
– Raspberry Pi 4: arm
– PC: intel x86, amd64
Avast/AVG and Kaspersky, which are popular antivirus for Linux, cannot be installed.

So I select clamav that seems to have availability to be installed to Raspberry Pi 4..

What is on-demand scan, real-time scan?

There are two main types of virus detection as follows.
– On demand
– Real time

On-demand is a method of scanning when a user triggers to scan for viruses.

Real-time is a method which antivirus software automatically watches specified directory.

on-demand scanning is,
– You can decide for yourself when you want to run scanning.
– You can not detect immediately, this might be security risk.

real-time scanning is,
– There is less risk compared to on-demand scanning.
– Antivirus software uses CPU and memory all time.

This is the table that summarize above.

MethodProsCons
on-demandEasy handling performance affectionRisk of opening infected files
real-timeLess risk of opening infected filesReuires high CPU/memory

Both have pros and cons so you can choose which is suitable for you.
Real-time is better from less risk perspective, but it doesn’t make sense if performance are much down due to real-time scanning.

There may be compromise if you can control by appropriate rules that everyone needs to scan before using suspicious file.

On this post, I will install clamav on-demand.

Install clamav

It’s very easy.
You only need to do this command.

pi@raspberrypi:~ $ sudo apt install clamav

There are two commands you usually use.
– clamscan: Do scan
– freshclam: Update virus definition

freshclam automatically starts in the background since immediately after clamav installation.
You don’t need to run by yourself.

pi@raspberrypi:~ $ ps aux | grep [f]reshclam
clamav 608 0.0 0.5 53672 10276 ? Ss 00:35 0:00 /usr/bin/freshclam -d --forever=true

Let’s do scanning by clamscan by using sample virus file!

# Download test viruses
pi@raspberrypi:~ $ wget -q https://secure.eicar.org/eicar.com

# Scan Run
pi@raspberrypi:~ $ clamscan eicar.com
/home/pi/eicar.com: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Unknown viruses: 8935348
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 1
Informed files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 59.575 sec (0 m 59 s)

It takes a minute to scan a single file, and the memory usage is huge at 1GB.

Why it takes so long time and big memory?
Because clamscan behavior is as follows.
– Read the virus definition into the clamscan memory.
– Scan files/directories

If you scan in daytime all users who are accessing to Raspberry Pi4 may think performance down.
Therefore, to scan in midnight is better for example.

I tried scanning the main directory of Raspberry Pi 4. It took approximately 18 minutes.

pi@raspberrypi:~ $ sudo clamscan --recursive /bin /home /srv /var /boot /etc /lib /opt /root /sbin /usr
(snip)

----------- SCAN SUMMARY -----------
Unknown viruses: 8935348
Engine version: 0.102.4
Scanned directories: 5745
Scanned files: 44543
Informed files: 0
Data scanned: 1930.79 MB
Data read: 1862.09 MB (ratio 1.04:1)
Time: 1093.140 sec (18 m 13 s)

I setup cron periodical scan.
If detected a virus, it moves the file to /opt/clamav/quoteine/ and sends an email.

#!/bin/bash

logger "Starring clamav daily scan..."

CLAMSCAN_LOG=/tmp/clamscan.log.$$
QUARANTINE_DIR=/opt/clamav/quantine
MAIL_ADDRESS=abc@hotmail.com

sudo clamscan --recursive --informed --suppress-ok-results --move=${QUARANTINE_DIR} --include-dir=${QUARANTINE_DIR} /bin /home /srv /var /boot /etc /lib /opt /root /sbin /usr > ${CLAMSCAN_LOG}
if [ 0 != $( grep 'Infected files' ${CLAMSCAN_LOG} | cut -f 3 -d' ' ) ]; then
    logger "Virus found!"
    cat ${CLAMSCAN_LOG} | mail -s 'Virus protected!' ${MAIL_ADDRESS}
else
    logger "Virus not found."
Fi

rm ${CLAMSCAN_LOG}

logger "Finished clamav daily scan..."

“mail” command is required.
If you can’t use it, you need to install a mail server such as postfix or qmail.

pi@raspberrypi:~ $ sudo apt install postfix mailutils
# or
pi@raspberrypi:~ $ sudo apt install qmail mailutils

Change permission and copy it to /etc/cron.daily/.
The file name is clamav-dailyscan.

pi@raspberrypi:~ $ chmod 755 clamav-dailyscan
pi@raspberrypi:~ $ sudo cp clamav-dailyscan /etc/cron.daily/

Check to see if it works.
I can see that virus are found.

pi@raspberrypi:~ $ grep clamav /var/log/syslog
Nov 15 06:25:01 raspberrypi root: Starting clamav daily scan...
Nov 15 06:44:22 raspberrypi root: Finished clamav daily scan...
pi@raspberrypi:~ $ ls /opt/clamav/quoteine/
eicar.com eicar.com.1

It works!
And mail also arrived properly, good!

Since this script will work around 6:00, an email will be sent around 6:00 when the virus is detected. Therefore, it is better to send it to an email address where notifications is not annoying.

Conclusion

How was it?

It is must to have to keep high level security!

Next time, I’ll try real-time scan in below article!



Also here I explain how to install mod-security which is Web Application Firewall(WAF) !



In below article I introduce each step how to establish nextcloud on Raspberry Pi 4!
You should be interested in it too!

Comments

Copied title and URL