Clam AntiVirus (ClamAV)

ClamAV (Clam AntiVirus) is GNU free software. It is a signature-based virus scanner and a phishing filter.

In IPFire, ClamAV is configured automatically. To make advanced changes, the configuration files must be edited manually using the console or an SSH session.

Requirements

The Web Proxy must be used in non-transparent (conventional) mode. Transparent on Green (or Blue) must be disabled. Please configure and set up the Web Proxy before continuing.

Installation

clamav and squidclamav can be installed with the PakFire web interface or via the Console:

pakfire install clamav squidclamav

Usage

There is no web interface for this Addon. After the installation ClamAV activates itself automatically, which can be verified under the menu Status -> Services.

Configuration

ClamAV and SquidClamav are now installed. Go to the menu Network > Web Proxy and enable the SquidClamav in the proxy settings. If SquidClamav does not show up here, verify that you installed both packages.

Testing and Optimisation

To test the security of your ClamAV installation, download the standard Anti-Malware test file from the EICAR organisation using HTTP (not HTTPS!). This is not an actual virus and should do no damage to your system.

If working correctly, ClamAV should automatically prevent you from downloading the file.

Manual virus signature update

You can manually update your virus signatures with the following command using an SSH session or on the Console:

/usr/bin/freshclam --quiet

Fix for streaming media (flash)

If you have problems with streaming media, such as YouTube, you can stop Adobe Flash applications and videos from being scanned.

  1. Add the following line to your /etc/squidclamav.conf.
    abortcontenti ^.*application\/x-shockwave-flash.*$
    It must be added before the line containing:
    content ^.*application\/.*$

  2. Restart the proxy so that ClamAV is restarted and re-reads its configuration.
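Step 1 above as an added shell example (not part of the original page or of IPFire): it inserts the Flash rule ahead of the generic content rule, moves it if it was placed too late, and verifies the order. It assumes both lines appear in the file exactly as written on this page; the function names are hypothetical. Restart the proxy afterwards as described in step 2.

```shell
#!/bin/sh
# Added example: place the Flash exclusion before the generic "content" rule
# in squidclamav.conf. Safe to run repeatedly; keeps a .bak copy of the file.
# Assumption: both lines are written exactly as shown on this page.

RULE='abortcontenti ^.*application\/x-shockwave-flash.*$'
ANCHOR='content ^.*application\/.*$'

# line_of FILE TEXT: print the number of the first line equal to TEXT (empty if none)
line_of() {
    grep -n -x -F -- "$2" "$1" | head -n 1 | cut -d: -f1
}

# rule_order_ok FILE: succeed only if RULE is present and precedes ANCHOR
rule_order_ok() {
    r=$(line_of "$1" "$RULE")
    a=$(line_of "$1" "$ANCHOR")
    [ -n "$r" ] && [ -n "$a" ] && [ "$r" -lt "$a" ]
}

# add_flash_rule FILE: insert RULE directly before ANCHOR, then re-check the order
add_flash_rule() {
    conf=$1
    rule_order_ok "$conf" && return 0            # already correct, change nothing
    a=$(line_of "$conf" "$ANCHOR")
    if [ -z "$a" ]; then
        echo "content rule not found in $conf, file left unchanged" >&2
        return 1
    fi
    cp -p "$conf" "$conf.bak" || return 1
    # ENVIRON is used instead of awk -v so the backslashes are not re-interpreted.
    RULE="$RULE" ANCHOR="$ANCHOR" awk '
        $0 == ENVIRON["RULE"] { next }           # drop a copy that sits too late
        $0 == ENVIRON["ANCHOR"] && !done { print ENVIRON["RULE"]; done = 1 }
        { print }' "$conf.bak" > "$conf"
    rule_order_ok "$conf"
}

# Runs only when a path is given, e.g.: sh thisscript.sh /etc/squidclamav.conf
if [ "$#" -gt 0 ]; then
    add_flash_rule "$1"
fi
```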

Exclude files from being scanned

If you must exclude a website from being scanned, use the following line in your /etc/squidclamav.conf file:
whitelist .*\.website\.com
where *.website.com is the URL of the website you wish to exclude.

Specific file types can also be excluded from scans by adding lines like:
abort ^.*\.(ico|gif|png|jpg)$
where ico is a file extension of the kind you do not want to have scanned.

Note - The proxy must be reloaded or restarted after any configuration change in order for the change to take effect.

Further Documentation


Older Revisions • July 1 at 4:21 pm • Jon