I set up an environment on a Raspberry Pi 4 that does real-time scanning with ClamAV!
On-demand scanning already works, but real-time scanning is safer, isn't it?
I want to set up real-time scanning to be safer!
Here you can find how to do it.
If you are already familiar with ClamAV and want to build a virus scan server with it, go here.
Set up real-time scanning
This post assumes that you have already set up on-demand scanning.
If you haven't set up on-demand scanning yet, please check here.
Compared to on-demand scanning, real-time scanning has the following pros/cons.
– Detects and quarantines infected files as soon as they are written, without waiting for a scheduled scan
– Consumes CPU power and RAM all the time, not only while a scan runs
I strongly recommend testing on a separate microSD card before doing this in production.
First, install the clamav-daemon package.
It contains clamd, the daemon process used for real-time scanning.
pi@raspberrypi:~ $ sudo apt install clamav-daemon
Next, update the configuration file.
# nano can be used instead of vim
sudo vim /etc/clamav/clamd.conf

# Contents of clamd.conf below

# Run as root so that every directory can be scanned (see the note below)
# User clamav
User root

# Run the scripts in this directory, in order, whenever a virus is detected
VirusEvent /bin/run-parts --lsbsysinit /etc/clamav/virusevent.d/

# Directories to be monitored in real time
OnAccessIncludePath /home/pi
OnAccessIncludePath /var/www/html

# Whether clamonacc should block access to infected files (needs fanotify permission events, see below)
OnAccessPrevention false

# Ignore file events generated by processes running as this user
OnAccessExcludeUname clamav

# Never scan the directory that infected files are moved to (ExcludePath takes a regex)
ExcludePath ^/opt/clamav/quarantine/
A note on User root: it is the simplest way to let clamd read every directory, but it also means that a bug in one of ClamAV's many file parsers is triggered with root privileges by whatever file an attacker drops into a watched directory. If the directories you want to watch are readable by the clamav user (for example by adding clamav to the group that owns /var/www/html), keep the default User clamav.
If OnAccessPrevention is set to true, clamonacc asks the kernel for fanotify permission events so that it can block access to an infected file until the scan result is known.
fanotify is a file-access notification facility built into the Linux kernel (a kernel build option, not a separately loadable module), and the blocking mode additionally requires the kernel to be built with CONFIG_FANOTIFY_ACCESS_PERMISSIONS.
However, there are the following issues in my environment for now.
– fanotify is disabled in the Raspberry Pi OS kernel
– I tried building a kernel with fanotify enabled and installing it.
However, it caused a communication error between clamonacc and clamdscan.
Update 10/01/2021:
I tried it.
Please take a look at this article if you are interested.
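Before deciding on OnAccessPrevention it helps to know what the running kernel actually supports. The following script is an added example and not part of the original post: it reads a kernel config, reports whether fanotify monitoring and fanotify blocking are available, and prints the clamd.conf line that is safe for that level. The config locations (/proc/config.gz after `modprobe configs`, or /boot/config-$(uname -r)) are assumptions about where the running kernel's config can be found.

```shell
#!/bin/bash
# Added example (not from the original post): decide what clamonacc can do on this
# kernel before editing clamd.conf. Monitoring needs CONFIG_FANOTIFY=y; blocking
# (OnAccessPrevention true) additionally needs CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y.
# Assumed config locations: /proc/config.gz (after `modprobe configs`) or /boot/config-$(uname -r).

# fanotify_support CONFIG_FILE
# Prints "none", "notify-only" or "notify+prevention" for a plain-text kernel config.
fanotify_support() {
    local cfg="$1" fan perm
    fan=$(sed -n 's/^CONFIG_FANOTIFY=//p' "$cfg")
    perm=$(sed -n 's/^CONFIG_FANOTIFY_ACCESS_PERMISSIONS=//p' "$cfg")
    if [ "$fan" != "y" ]; then
        echo none
    elif [ "$perm" != "y" ]; then
        echo notify-only
    else
        echo notify+prevention
    fi
}

# prevention_setting LEVEL
# Prints the OnAccessPrevention line that is safe for that level of support.
prevention_setting() {
    case "$1" in
        notify+prevention) echo "OnAccessPrevention true" ;;
        notify-only)       echo "OnAccessPrevention false" ;;
        *)                 echo "# on-access scanning unavailable: kernel lacks CONFIG_FANOTIFY" ;;
    esac
}

# running_kernel_config
# Copies the running kernel's config into a temp file and prints its path (assumed locations).
running_kernel_config() {
    local out
    out=$(mktemp)
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > "$out"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)" > "$out"
    else
        rm -f "$out"
        return 1
    fi
    echo "$out"
}

# check_running_kernel
# Reports the support level of the running kernel and the clamd.conf line to use.
check_running_kernel() {
    local cfg level
    cfg=$(running_kernel_config) || { echo "kernel config not found (try: sudo modprobe configs)"; return 1; }
    level=$(fanotify_support "$cfg")
    echo "fanotify support: $level"
    prevention_setting "$level"
    rm -f "$cfg"
}
```

Run `check_running_kernel` on the Pi; a kernel that reports notify-only can still monitor and quarantine files after they are written (the mode used in this post), it just cannot block a process from opening an infected file.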
After restarting clamav-daemon (or simply rebooting), clamdscan should work.
pi@raspberrypi:~ $ sudo systemctl restart clamav-daemon
clamdscan is the bridge between the user and clamd.
The structure is as follows.
clamdscan offers the same functionality as clamscan, but it delegates the actual scanning to clamd.
clamd keeps the virus definitions loaded in memory, so each scan starts quickly (clamscan has to load the whole database on every run).
For reference, this is how clamscan works.
Perform real-time scanning
Next, run the clamonacc process.
clamonacc is a daemon that watches file I/O on the included paths in real time and asks clamd to scan each file that is written.
clamonacc is not started automatically just by installing clamav-daemon.
You need to start it yourself.
I created a systemd unit and a small wrapper script so that it runs as a service. clamonacc exits immediately if it cannot reach clamd, and clamd can take a few minutes to load its signature database on a Pi, so the script waits for the daemon's "Self checking" log line before starting clamonacc. Create /opt/clamav/quarantine beforehand, make both scripts executable, and then enable and start the unit with systemctl.
pi@raspberrypi:~ $ sudo nvim /etc/systemd/system/clamonacc.service

# Below is /etc/systemd/system/clamonacc.service contents
[Unit]
Description=ClamAV on-access scan service
# Ordering and dependency directives belong in [Unit], and the unit name needs its .service suffix
Requires=clamav-daemon.service
After=clamav-daemon.service

[Service]
Type=simple
ExecStart=/etc/systemd/system/clamonacc.sh
RemainAfterExit=yes
Restart=on-failure

[Install]
WantedBy=multi-user.target
pi@raspberrypi:~ $ sudo nvim /etc/systemd/system/clamonacc.sh

# Below is /etc/systemd/system/clamonacc.sh contents
#!/bin/bash
# Wait until clamd has finished loading its database: the "Self checking" line
# only appears in the unit's recent log output once clamd is serving requests
until systemctl status --no-pager clamav-daemon | grep -q 'Self checking'; do
    sleep 5
done
# Stay in the foreground so systemd tracks (and can restart) the clamonacc process itself
exec /usr/bin/clamonacc --foreground --move=/opt/clamav/quarantine
pi@raspberrypi:~ $ sudo nvim /etc/clamav/virusevent.d/sendmail

# Below is /etc/clamav/virusevent.d/sendmail contents
#!/bin/bash
# clamd exports the detection details as environment variables; using them instead of
# substituting the file name into the VirusEvent command line keeps attacker-chosen
# file names out of shell parsing, and quoting them keeps the shell from expanding them
MAIL_ADDRESS=abcde@hotmail.com
MAIL_CONTENTS="${CLAM_VIRUSEVENT_VIRUSNAME} is found in ${CLAM_VIRUSEVENT_FILENAME}"
/bin/echo "${MAIL_CONTENTS}" | /usr/bin/mail -s 'Virus detected!' "${MAIL_ADDRESS}"
Two things to check: run-parts --lsbsysinit only runs files whose names consist of letters, digits, hyphens and underscores (a script named sendmail.sh would be silently skipped), and the file must be executable. The mail command also needs a working local mailer (for example bsd-mailx with an MTA configured), otherwise the e-mail step fails quietly.
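Because VirusEvent scripts run with clamd's privileges (root in this setup) and the detected file name is chosen by whoever wrote the file, the handler should treat CLAM_VIRUSEVENT_FILENAME as untrusted. The script below is an added example of such a handler and is not the original post's sendmail script: it strips control characters (a newline in a file name would otherwise forge an extra log line or mail header line), caps the length, logs to syslog, and only then mails the alert. The ALERT_MAIL variable, the file name /etc/clamav/virusevent.d/alert and the use of logger from util-linux are assumptions.

```shell
#!/bin/bash
# Added example (not the original post's script): a VirusEvent handler for
# /etc/clamav/virusevent.d/ that treats the detected file name as untrusted input.
# clamd passes the hit via CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME;
# nothing taken from them is ever placed on a command line unquoted.

# Assumed: recipient comes from ALERT_MAIL (for example via Environment= in clamav-daemon's unit), default root
MAIL_ADDRESS="${ALERT_MAIL:-root}"

# sanitize STRING
# Replaces every non-printable byte (newline, tab, escape sequences) with '?' and caps the
# length at 512 bytes so one hit cannot flood the log or the mail. Non-ASCII bytes become '?' too.
sanitize() {
    printf '%s' "$1" | tr -c '[:print:]' '?' | cut -c1-512
}

# build_alert VIRUSNAME FILENAME HOSTNAME
# Prints a single-line alert suitable for a mail body or a syslog entry.
build_alert() {
    printf '%s: %s found in %s' "$(sanitize "$3")" "$(sanitize "$1")" "$(sanitize "$2")"
}

# handle_event
# Builds the alert from clamd's environment, records it in syslog first (the log survives
# even if mail delivery fails), then mails it if a mail command is available.
handle_event() {
    local msg
    msg=$(build_alert "$CLAM_VIRUSEVENT_VIRUSNAME" "$CLAM_VIRUSEVENT_FILENAME" "$(hostname)")
    logger -t clamav-virusevent -p auth.warning -- "$msg"
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$msg" | mail -s 'Virus detected!' "$MAIL_ADDRESS"
    fi
}

# Only act when invoked by clamd (the variables are set); sourcing the file for tests does nothing.
if [ -n "${CLAM_VIRUSEVENT_FILENAME:-}" ]; then
    handle_event
fi
```

Install it as /etc/clamav/virusevent.d/alert (no dot in the name, executable), and compare the journal entry with the mail after a test detection: both should show the same single line even when the dropped file has a name like `evil$(reboot).com` or contains a newline.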
Let's try it by downloading the EICAR test file.
You can see that the file is moved to the quarantine directory automatically (the home directory is empty right after the download finishes)!
pi@raspberrypi:~ $ wget http://www.eicar.org/download/eicar.com
--2020-11-17 10:51:19--  http://www.eicar.org/download/eicar.com
Resolving www.eicar.org (www.eicar.org)... 89.238.73.97
Connecting to www.eicar.org (www.eicar.org)|89.238.73.97|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/x-msdownload]
Saving to: ‘eicar.com’

eicar.com           100%[===========================>]      68  --.-KB/s    in 0s

2020-11-17 10:51:20 (3.39 MB/s) - ‘eicar.com’ saved [68/68]

pi@raspberrypi:~ $ ls
pi@raspberrypi:~ $ ls /opt/clamav/quarantine
eicar.com
An e-mail is sent to you as well!
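The wget test above depends on internet access and on the eicar.org download server. For a repeatable check that also works offline, the following added example (not part of the original post) writes the public EICAR test string straight into a watched directory and waits for clamonacc to move it into the quarantine directory, which is exactly what the `ls` output above shows. The directory paths passed to run_check are the ones used in this post; the timeout is an assumption.

```shell
#!/bin/bash
# Added example (not from the original post): offline end-to-end check of the on-access
# setup. Writes the EICAR test string into a watched directory and waits for the
# --move quarantine to happen. Usage: run_check /home/pi /opt/clamav/quarantine [timeout]

# The public EICAR test string (68 bytes); every AV engine detects it and it is harmless
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# write_eicar DIR
# Writes the test file into DIR (closing the file is what triggers clamonacc) and prints its path.
write_eicar() {
    local path="$1/eicar-$$.com"
    printf '%s' "$EICAR" > "$path"
    echo "$path"
}

# wait_for_quarantine SRC QUARANTINE_DIR TIMEOUT_SECONDS
# Returns 0 once SRC is gone and a same-named file exists in QUARANTINE_DIR, 1 on timeout.
wait_for_quarantine() {
    local src="$1" qdir="$2" timeout="$3" name waited=0
    name=$(basename "$src")
    while [ "$waited" -lt "$timeout" ]; do
        if [ ! -e "$src" ] && [ -e "$qdir/$name" ]; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# run_check WATCH_DIR QUARANTINE_DIR [TIMEOUT_SECONDS]
# Prints "quarantined" on success; on timeout prints the path still present and returns 1,
# which usually means clamonacc is not running or WATCH_DIR is not in OnAccessIncludePath.
run_check() {
    local f
    f=$(write_eicar "$1")
    if wait_for_quarantine "$f" "$2" "${3:-30}"; then
        echo quarantined
    else
        echo "still present: $f"
        return 1
    fi
}
```

Run it as the pi user (not root) so the event comes from an ordinary process, just like the wget download did; if it reports "still present", check `systemctl status clamonacc` and the journal of clamav-daemon before touching the configuration.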
Cons of real-time scanning
You have now set up real-time scanning.
However, be aware that it uses a lot of CPU and memory.
The figure below shows the state a while after the setup was finished.
You can see that clamd/clamonacc consume almost 1 GB of RAM and about 50% of the CPU.
I only have the 2 GB model, so I want the 4 GB model...
Conclusion
How was it?
There are concerns about CPU and memory usage.
But the security level has gone up!
In the next post I am planning to introduce a web application firewall!
In the article below I go through each step of setting up Nextcloud on Raspberry Pi 4!
You may be interested in it too!