How to set up real-time scanning with ClamAV on Raspberry Pi 4?


I set up an environment that does real-time scanning with ClamAV on a Raspberry Pi 4!

I am able to run on-demand scanning, but real-time scanning is safer, isn't it?
I want to set up real-time scanning to be safer!

Here you can find how to do it.

If you are already familiar with ClamAV and want to set up a virus scan server with ClamAV, go here.



Set up real-time scanning

This post assumes that you have already set up on-demand scanning.
If you haven't set up on-demand scanning yet, please check here.

Compared to on-demand scanning, real-time scanning has the following pros and cons:
– Can detect and quarantine viruses immediately
– Consumes CPU power and RAM at all times

I strongly recommend testing on a separate microSD card before putting this into production.

First, install the clamav-daemon package.
This package provides the daemon process (clamd) used for real-time scanning.

pi@raspberrypi:~ $ sudo apt install clamav-daemon

Next, update the configuration file.

# nano can be used instead of vim
sudo vim /etc/clamav/clamd.conf

# Contents of clamd.conf below
# Run as root so that every directory can be scanned
# User clamav
User root
# Run the scripts in this directory, one after another, when a virus is detected
VirusEvent /bin/run-parts --lsbsysinit /etc/clamav/virusevent.d/
# Directories to be scanned in real time
OnAccessIncludePath /home/pi
OnAccessIncludePath /var/www/html
# Whether to block access to infected files with FANOTIFY (prevention mode)
OnAccessPrevention false
# Ignore file events caused by the clamav user itself (avoids scan loops)
OnAccessExcludeUname clamav
# Do not scan the directory that infected files are moved to
# (the directive is OnAccessExcludePath; the path must match the --move target of clamonacc)
OnAccessExcludePath /opt/clamav/quarantine
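As an added check (example code written for this post, not the author's script): a small shell script that reads a clamd.conf and reports on-access settings that commonly go wrong, in particular a quarantine directory that is not excluded or that lies inside a watched path, which the configuration above avoids by excluding it, since otherwise every file clamonacc has just moved is seen as a new write and scanned again. The function names check_onaccess_conf, has_directive and count_findings and the sample configuration texts are my own; the directive names are the ones from clamd.conf.

```shell
#!/bin/sh
# Added example (not the page's own script): sanity checks for the on-access
# part of clamd.conf before clamonacc is started.

# Constructed sample that mirrors the configuration above but leaves the
# quarantine exclusion out.
SAMPLE_CONF_MISSING_EXCLUDE='User root
VirusEvent /bin/run-parts --lsbsysinit /etc/clamav/virusevent.d/
OnAccessIncludePath /home/pi
OnAccessIncludePath /var/www/html
OnAccessPrevention false
OnAccessExcludeUname clamav'

# Constructed sample with the exclusion in place (what the checker expects).
SAMPLE_CONF_OK="$SAMPLE_CONF_MISSING_EXCLUDE
OnAccessExcludePath /opt/clamav/quarantine"

# Constructed sample that also watches /opt, so the quarantine dir sits inside
# a watched path.
SAMPLE_CONF_LOOP="$SAMPLE_CONF_OK
OnAccessIncludePath /opt"

# has_directive <active-text> <name> <value>: true if "name value" is present.
has_directive() {
    printf '%s\n' "$1" | awk -v n="$2" -v v="$3" '$1 == n && $2 == v { f = 1 } END { exit !f }'
}

# check_onaccess_conf <clamd.conf> <quarantine-dir>: prints one finding per line.
check_onaccess_conf() {
    conf_file=$1
    quarantine=$2
    # Drop comments and blank lines so only active directives are inspected.
    active=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf_file")
    includes=$(printf '%s\n' "$active" | awk '$1 == "OnAccessIncludePath" { print $2 }')

    [ -n "$includes" ] ||
        echo "missing: no OnAccessIncludePath, clamonacc has nothing to watch"
    has_directive "$active" OnAccessExcludePath "$quarantine" ||
        echo "missing: OnAccessExcludePath $quarantine (quarantined files would be scanned again)"
    # A watched path that contains the quarantine dir causes the same rescan problem.
    for p in $includes; do
        case "$quarantine" in
            "$p"|"$p"/*) echo "loop: watched path $p contains the quarantine dir $quarantine" ;;
        esac
    done
    has_directive "$active" OnAccessExcludeUname clamav ||
        echo "missing: OnAccessExcludeUname clamav (clamd's own file reads would trigger scans)"
    if has_directive "$active" OnAccessPrevention true || has_directive "$active" OnAccessPrevention yes; then
        echo "note: OnAccessPrevention is on, which needs a kernel with FANOTIFY enabled"
    fi
}

# count_findings <conf-text> <quarantine-dir>: writes the text to a temp file,
# runs the checker and prints how many findings it produced (0 = clean).
count_findings() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    n=$(check_onaccess_conf "$tmp" "$2" | grep -c . || true)
    rm -f "$tmp"
    echo "${n:-0}"
}

# On a real Pi: check_onaccess_conf /etc/clamav/clamd.conf /opt/clamav/quarantine
```

Run it against the live file with the quarantine directory you pass to clamonacc --move; an empty output means the four checks passed.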

If OnAccessPrevention is true, ClamAV uses FANOTIFY.
FANOTIFY (fanotify) is a file-access notification interface built into the Linux kernel.

However, there are the following issues in my environment for now:
– FANOTIFY is disabled in the Raspberry Pi OS kernel.
– I tried building and installing a kernel with FANOTIFY enabled.
However, that caused a communication error between clamonacc and clamdscan.

10/01/2021: I tried it.
Please take a look at this article if you are interested.

After restarting clamav-daemon (or just rebooting), clamdscan should work fine.

pi@raspberrypi:~ $ sudo systemctl restart clamav-daemon

clamdscan is the bridge between the user and clamd.
The structure is as follows.

clamdscan has the same functionality as clamscan, but clamdscan needs a running clamd to perform the actual scan.

clamd keeps the virus definitions loaded in memory, so scanning is very quick.

For reference, this is the clamscan case.

Perform real-time scanning

Next, run the clamonacc process.

clamonacc is a daemon process that detects file I/O in real time and asks clamd to scan the touched files for viruses.

clamonacc does not start automatically just by installing clamav-daemon.
You need to start it yourself.

I created a unit file and a script to run it as a service.

pi@raspberrypi:~ $ sudo nvim /etc/systemd/system/clamonacc.service

# Below is /etc/systemd/system/clamonacc.service contents
# After editing: sudo systemctl daemon-reload && sudo systemctl enable --now clamonacc.service
[Unit]
Description=ClamAV on-access scan service
# Ordering keys belong in [Unit], not [Service], and need the full unit name
After=clamav-daemon.service
[Service]
ExecStart=/etc/systemd/system/clamonacc.sh
# The script exits once clamonacc has gone to the background; keep the unit active
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
pi@raspberrypi:~ $ sudo nvim /etc/systemd/system/clamonacc.sh

#!/bin/bash
# Below is /etc/systemd/system/clamonacc.sh contents
# (make it executable: sudo chmod +x /etc/systemd/system/clamonacc.sh)
QUARANTINE=/opt/clamav/quarantine
mkdir -p "$QUARANTINE"
# clamd logs "Self checking" once its signature database is loaded;
# wait for that before starting clamonacc
until systemctl status clamav-daemon | grep -q 'Self checking'; do
    sleep 5
done
# Infected files are moved out of the watched directories into the quarantine
/usr/bin/clamonacc --move="$QUARANTINE"
pi@raspberrypi:~ $ sudo nvim /etc/clamav/virusevent.d/sendmail

#!/bin/bash
# Below is /etc/clamav/virusevent.d/sendmail contents
# (make it executable: sudo chmod +x /etc/clamav/virusevent.d/sendmail)
MAIL_ADDRESS=abcde@hotmail.com
# clamd sets these two variables for every VirusEvent command
MAIL_CONTENTS="${CLAM_VIRUSEVENT_VIRUSNAME} is found in ${CLAM_VIRUSEVENT_FILENAME}"
/bin/echo "${MAIL_CONTENTS}" | /usr/bin/mail -s 'Virus detected!' "${MAIL_ADDRESS}"
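The sendmail script above puts CLAM_VIRUSEVENT_FILENAME straight into the mail body. Since whoever can create a file in a watched directory also picks its name, a handler should treat that name as untrusted. The following is an added example of a VirusEvent handler written for this post (not the author's script): it squashes non-printable bytes so a crafted file name cannot inject extra lines into the log or the mail, writes one record to syslog with logger, and mails only if a mailer is installed. The function names sanitize, format_event and notify, the MAIL_ADDRESS default and the constructed sample names are assumptions; the two CLAM_VIRUSEVENT_* variables are the ones clamd exports.

```shell
#!/bin/sh
# Added example (not the page's script): a VirusEvent handler for
# /etc/clamav/virusevent.d/ that treats the reported file name as untrusted.
# clamd exports CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME to every
# VirusEvent command; the file name is chosen by whoever wrote the file.

# sanitize <string>: replace every byte that is not printable ASCII (newline,
# tab, escape sequences, non-ASCII) with '?', so one detection cannot forge
# extra log lines or send terminal escapes to whoever reads the mail.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -c '[:print:]' '?'
}

# format_event <virusname> <filename>: a single-line record with quoted fields.
format_event() {
    printf 'virusevent virus="%s" file="%s"\n' "$(sanitize "$1")" "$(sanitize "$2")"
}

# notify <virusname> <filename>: log to syslog, then mail if a mailer is present.
notify() {
    record=$(format_event "$1" "$2")
    # -t sets the syslog tag, so the records show up with: journalctl -t clamav-virusevent
    command -v logger >/dev/null 2>&1 && logger -t clamav-virusevent "$record"
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$record" | mail -s 'Virus detected!' "${MAIL_ADDRESS:-root}"
    fi
}

# Only act when clamd actually invoked us (variables set); harmless when sourced.
if [ -n "${CLAM_VIRUSEVENT_FILENAME:-}" ]; then
    notify "${CLAM_VIRUSEVENT_VIRUSNAME:-unknown}" "$CLAM_VIRUSEVENT_FILENAME"
fi

# Constructed inputs for trying it offline: the EICAR detection name, a normal
# file name, and a hostile name with an embedded newline that tries to fake a
# second, clean-looking record.
CONSTRUCTED_VIRUS='Win.Test.EICAR_HDB-1'
CONSTRUCTED_FILE='/home/pi/eicar.com'
CONSTRUCTED_HOSTILE_FILE="/home/pi/evil.sh
virusevent virus=\"none\" file=\"/home/pi/all-clean\""
```

Install it in /etc/clamav/virusevent.d/ under a name without a dot (run-parts --lsbsysinit skips names that do not match its patterns, so something like the page's sendmail works) and make it executable; format_event on CONSTRUCTED_HOSTILE_FILE still yields exactly one line.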

Let's try it by downloading the EICAR test file.
You can see that the file is moved to the quarantine directory automatically!

pi@raspberrypi:~ $ wget http://www.eicar.org/download/eicar.com
--2020-11-17 10:51:19--  http://www.eicar.org/download/eicar.com
Resolving www.eicar.org (www.eicar.org)... 89.238.73.97
Connecting to www.eicar.org (www.eicar.org)|89.238.73.97|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/x-msdownload]
Saving to: ‘eicar.com’
eicar.com                                              100%[=========================================================================================================================>]      68  --.-KB/s    in 0s      
2020-11-17 10:51:20 (3.39 MB/s) - ‘eicar.com’ saved [68/68]
pi@raspberrypi:~ $ ls
pi@raspberrypi:~ $ ls /opt/clamav/quarantine
eicar.com

An e-mail is also sent to you!

Cons of real-time scanning

You have now set up real-time scanning.
However, please be careful, because it uses a lot of CPU and memory.
The figure below shows the state a while after the setup was finished.
You can see that almost 1GB is consumed by clamd/clamonacc, along with about 50% of the CPU power.
I only have the 2GB model, so I want the 4GB model.

Conclusion

How was it?

There are concerns about CPU and memory usage.
But the security level is higher!

In the next post I am planning to introduce a web application firewall!



In the article below I introduce each step of setting up Nextcloud on Raspberry Pi 4!
You may be interested in it too!
