
How to install ClamAV antivirus with rspamd on Ubuntu 16.04/20.04 LTS?

As usual I prefer to use open-source components. So the obvious choice is the famous ClamAV virus scanner. But its detection rate is ridiculously low with its default signatures. I heard of a study claiming that in their tests ClamAV showed a 100% detection rate. I myself have been scanning multiple infected emails with it (that had been found by other software) and it did not find even one infection.
So I started researching the alternatives, like a free-beer virus scanner from Sophos that worked well with the amavis-milter in the past. Its detection rate is pretty good. But no matter what I tried, I couldn't get the two to work together. And to be honest, the documentation of rspamd's antivirus module is incomplete, to say the least.
Then suddenly a friendly nerd pointed me to the SaneSecurity project, which adds anti-virus signatures to ClamAV to make it actually useful. This finally became the recommended solution for me. In a commercial setup where your customers rely on better virus scanning you probably cannot avoid spending money on a commercial product, though.

Why do I tell you all this? Mainly as an excuse for why it took four weeks just to write this page. Anyway, if you decide that you want virus scanning, let's add it to your mail server.

Description: clamav-unofficial-sigs 

The clamav-unofficial-sigs script provides a simple way to download, test, and update third-party signature databases provided by Sanesecurity, FOXHOLE, OITC, Scamnailer, BOFHLAND, CRDF, Porcupine, Securiteinfo, MalwarePatrol, the Yara-Rules Project, URLhaus, MalwareExpert, InterServer and others. The script also generates and installs cron, logrotate, and man files. Keep in mind that it runs as root on a schedule and pulls signatures from each of those third parties, so every one of them becomes part of your mail server's supply chain.

Required outbound ports / firewall exceptions
  1. rsync: TCP port 873 
  2. wget/curl: TCP port 443 

Supported Operating Systems 
Debian, Ubuntu, Raspbian, CentOS (RHEL and clones), OpenBSD, FreeBSD, OpenSUSE, Archlinux, Mac OS X, Slackware, Solaris (Sun OS), pfSense, Zimbra and derivative systems 

CLAMAV INSTALL INSTRUCTIONS
Make sure the distribution package of the script is not installed via apt (it would conflict with the copy installed below):
# apt-get purge -y clamav-unofficial-sigs
Install ClamAV: run the following as root
# apt-get update && apt-get install -y clamav-base clamav-freshclam clamav clamav-daemon
Run the following commands in shell (console/terminal)
# mkdir -p /usr/local/sbin/
# wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/clamav-unofficial-sigs.sh -O /usr/local/sbin/clamav-unofficial-sigs.sh && chmod 755 /usr/local/sbin/clamav-unofficial-sigs.sh
# mkdir -p /etc/clamav-unofficial-sigs/
# wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/config/master.conf -O /etc/clamav-unofficial-sigs/master.conf
# wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/config/user.conf -O /etc/clamav-unofficial-sigs/user.conf
Select your operating system config from https://github.com/extremeshok/clamav-unofficial-sigs/tree/master/config/ and replace os.ubuntu.conf below with the file for your system:
  ubuntu = os.ubuntu.conf
  debian10 = os.debian.conf
  debian9 = os.debian.conf
  debian8 = os.debian8.conf
  debian8-systemd = os.debian8.systemd.conf
  debian7 = os.debian7.conf
# os_conf="os.ubuntu.conf"
# wget "https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/config/os/${os_conf}" -O /etc/clamav-unofficial-sigs/os.conf 

Optional: configure your user config /etc/clamav-unofficial-sigs/user.conf 

RUN THE SCRIPT ONCE AS ROOT

The script must run once as the superuser to set all permissions and create the relevant directories. Ensure there are no errors and fix any missing dependencies it reports:
# /usr/local/sbin/clamav-unofficial-sigs.sh --force
Install logrotate and Man files
# /usr/local/sbin/clamav-unofficial-sigs.sh --install-logrotate
# /usr/local/sbin/clamav-unofficial-sigs.sh --install-man 
Install systemd units OR use cron
Cron (preferred)
# /usr/local/sbin/clamav-unofficial-sigs.sh --install-cron
Systemd (optional)
# mkdir -p /etc/systemd/system/
# wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/systemd/clamav-unofficial-sigs.service -O /etc/systemd/system/clamav-unofficial-sigs.service
# wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/systemd/clamav-unofficial-sigs.timer -O /etc/systemd/system/clamav-unofficial-sigs.timer

# systemctl enable clamav-unofficial-sigs.service
# systemctl enable clamav-unofficial-sigs.timer
# systemctl start clamav-unofficial-sigs.timer
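The whole installation above as one script, as an added example and not the project's own installer. It pins every download to a release tag instead of master, verifies each file against a SHA-256 you recorded after reviewing that tag once (so later installs on other hosts get exactly the reviewed files), and syntax-checks the script before anything fetched from the network runs as root. Assumed inputs: CUS_TAG names a tag of the extremeshok/clamav-unofficial-sigs repository, and SHA_SCRIPT, SHA_MASTER, SHA_USER and SHA_OS hold the hashes you computed yourself; the function and variable names are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not the project's installer): the README steps as one script,
# with each download pinned to a tag and a hash, plus a syntax check.
# Assumptions: CUS_TAG is a release tag; SHA_SCRIPT, SHA_MASTER, SHA_USER and
# SHA_OS are SHA-256 values you computed from the reviewed files yourself.
set -eu

REPO_RAW="https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs"
TAG="${CUS_TAG:-master}"
SCRIPT_DST="/usr/local/sbin/clamav-unofficial-sigs.sh"
CONF_DIR="/etc/clamav-unofficial-sigs"

# pick_os_conf ID VERSION_ID: map /etc/os-release values to the README's os config
# names (ubuntu -> os.ubuntu.conf, debian 9/10 -> os.debian.conf, and so on).
pick_os_conf() {
  case "$1" in
    ubuntu) echo os.ubuntu.conf ;;
    debian)
      case "${2%%.*}" in
        10|9) echo os.debian.conf ;;
        8)    echo os.debian8.conf ;;
        7)    echo os.debian7.conf ;;
        *)    return 1 ;;
      esac ;;
    *) return 1 ;;
  esac
}

# verify_sha256 FILE EXPECTED: 0 if FILE hashes to EXPECTED, 1 otherwise.
verify_sha256() {
  local actual
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# fetch_verified URL DEST EXPECTED: download to a temp file, verify, then move
# into place, so a tampered or truncated download never lands at DEST.
fetch_verified() {
  local tmp
  tmp=$(mktemp)
  wget -q "$1" -O "$tmp"
  if ! verify_sha256 "$tmp" "$3"; then
    echo "hash mismatch for $1" >&2
    rm -f "$tmp"
    return 1
  fi
  mv "$tmp" "$2"
}

# install_unofficial_sigs: must run as root; refuses to run without pinned hashes.
install_unofficial_sigs() {
  local os_conf
  if [ -z "${SHA_SCRIPT:-}" ] || [ -z "${SHA_MASTER:-}" ] || [ -z "${SHA_USER:-}" ] || [ -z "${SHA_OS:-}" ]; then
    echo "set SHA_SCRIPT, SHA_MASTER, SHA_USER and SHA_OS to the hashes you verified" >&2
    return 1
  fi
  . /etc/os-release
  os_conf=$(pick_os_conf "$ID" "${VERSION_ID:-}") || { echo "no os config for $ID ${VERSION_ID:-}" >&2; return 1; }
  apt-get update && apt-get install -y clamav-base clamav-freshclam clamav clamav-daemon
  mkdir -p /usr/local/sbin "$CONF_DIR"
  fetch_verified "$REPO_RAW/$TAG/clamav-unofficial-sigs.sh" "$SCRIPT_DST" "$SHA_SCRIPT"
  bash -n "$SCRIPT_DST"   # an HTML error page or a cut-off download fails here
  chmod 755 "$SCRIPT_DST"
  fetch_verified "$REPO_RAW/$TAG/config/master.conf" "$CONF_DIR/master.conf" "$SHA_MASTER"
  fetch_verified "$REPO_RAW/$TAG/config/user.conf" "$CONF_DIR/user.conf" "$SHA_USER"
  fetch_verified "$REPO_RAW/$TAG/config/os/$os_conf" "$CONF_DIR/os.conf" "$SHA_OS"
  "$SCRIPT_DST" --force
  "$SCRIPT_DST" --install-logrotate
  "$SCRIPT_DST" --install-man
  "$SCRIPT_DST" --install-cron
}

# Only install when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--install" ]; then install_unofficial_sigs; fi
```

Run it as `CUS_TAG=<tag> SHA_SCRIPT=... SHA_MASTER=... SHA_USER=... SHA_OS=... ./install-unofficial-sigs.sh --install`. Leaving CUS_TAG at master makes the hashes go stale on the next upstream commit, which is the point: a changed script should stop the install until someone has looked at it.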
Check that the clamav group is present (the script chowns the signature files to the clamav user and group):
# cat /etc/gshadow | grep clamav
Check that the signatures are being loaded
Run the following command to display which signatures clamav loads:
# clamscan --debug 2>&1 /dev/null | grep "loaded"
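The `clamscan --debug` line tells you what gets loaded, but not whether the third-party databases are actually on disk or whether the updater has kept them fresh. The following is an added example, not part of the page or the project: it inventories the database directory (the Debian/Ubuntu default /var/lib/clamav is assumed), separates the official main/daily/bytecode databases from everything else, and flags files that have not been refreshed within a given number of days. Function names and the 2-day default are this example's own.

```bash
#!/usr/bin/env bash
# Added example: inventory ClamAV's database directory and flag missing or stale
# third-party signatures. Assumes the Debian/Ubuntu layout (/var/lib/clamav).
set -eu

# sig_find DIR [find-args...]: basenames of files clamd loads from DIR, sorted.
# The extensions cover the official .cvd/.cld databases and the .ndb/.hdb/.ldb/
# .yar style files that Sanesecurity and the other third-party feeds publish.
sig_find() {
  local dir=$1
  shift
  find "$dir" -maxdepth 1 -type f \( -name '*.cvd' -o -name '*.cld' -o -name '*.ndb' \
    -o -name '*.hdb' -o -name '*.hsb' -o -name '*.ldb' -o -name '*.ign2' -o -name '*.yar' \
    -o -name '*.yara' -o -name '*.cdb' -o -name '*.wdb' -o -name '*.fp' \) "$@" -print \
    | sed 's#.*/##' | sort
}

# sig_files DIR: every signature file present.
sig_files() { sig_find "$1"; }

# stale_sigs DIR MAX_AGE_DAYS: signature files older than MAX_AGE_DAYS. The official
# databases change daily and Sanesecurity's several times a day, so anything older
# than a couple of days means freshclam or the unofficial-sigs cron job is not running.
stale_sigs() { sig_find "$1" -mtime +"$2"; }

# is_official NAME: true for the ClamAV-project databases that freshclam maintains.
is_official() {
  case "$1" in
    main.cvd|main.cld|daily.cvd|daily.cld|bytecode.cvd|bytecode.cld) return 0 ;;
    *) return 1 ;;
  esac
}

# third_party_sigs DIR: the unofficial databases present; empty output means the
# clamav-unofficial-sigs run installed nothing here.
third_party_sigs() {
  sig_files "$1" | while IFS= read -r f; do
    is_official "$f" || printf '%s\n' "$f"
  done
}

# report DIR MAX_AGE_DAYS: print a summary; returns 1 if no third-party database
# is installed or any file is stale, so it can feed a cron job or monitoring check.
report() {
  local dir=$1 max=$2 rc=0 third stale
  third=$(third_party_sigs "$dir") || true
  stale=$(stale_sigs "$dir" "$max") || true
  printf 'third-party databases in %s:\n%s\n' "$dir" "${third:-(none)}"
  if [ -z "$third" ]; then
    echo "WARNING: no unofficial signatures present; did clamav-unofficial-sigs.sh --force run?" >&2
    rc=1
  fi
  if [ -n "$stale" ]; then
    printf 'WARNING: not refreshed in %s days (updater not running?):\n%s\n' "$max" "$stale" >&2
    rc=1
  fi
  return $rc
}

# Usage: ./check-sigs.sh /var/lib/clamav [max-age-days]
if [ -n "${1:-}" ]; then report "$1" "${2:-2}"; fi
```

A non-zero exit from `report` is what you want to alert on: a server whose signatures silently stopped updating scans mail with exactly the "ridiculously low" coverage this page set out to fix.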
UPGRADE INSTRUCTIONS (version 7.0 and later)
# clamav-unofficial-sigs.sh --upgrade
# clamav-unofficial-sigs.sh --force 
UPGRADE INSTRUCTIONS (version 6.1 and below)
# wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/clamav-unofficial-sigs.sh -O /usr/local/sbin/clamav-unofficial-sigs.sh && chmod 755 /usr/local/sbin/clamav-unofficial-sigs.sh
# wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/config/master.conf -O /etc/clamav-unofficial-sigs/master.conf
# clamav-unofficial-sigs.sh --force 

ClamAV Troubleshooting:
# sudo freshclam
fails with the following error:
Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl: No such file or directory

Example from my own log (Mon Dec 23 07:23:27 2019):
Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl: No such file or directory

First confirm both binaries are installed and report the same version:
# clamd --version
# clamscan --version

Then check where clamd is configured to create its control socket:
# cat /etc/clamav/clamd.conf | grep Socket
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666

# ls -l /var/run/clamav/
ls: cannot access '/var/run/clamav/': No such file or directory

The missing directory and socket mean clamd is not running. freshclam only reports that it could not tell the daemon about the new signatures; on a fresh install this is expected, because the Debian/Ubuntu clamav-daemon unit refuses to start until freshclam has downloaded the main and daily databases for the first time. The socket and its directory are created by clamd itself when it starts, so creating a placeholder by hand does not help: touch makes a regular file, not a Unix socket, and the path used below is not even the one clamd.conf points to.
# sudo touch /var/lib/clamav/clamd.sock
# sudo chown clamav:clamav /var/lib/clamav/clamd.sock
Instead, let freshclam finish once, start the clamav-daemon service and check that /var/run/clamav/clamd.ctl appears.
Download the EICAR test files (harmless files that every scanner must detect):
# cd /tmp
# wget http://www.eicar.org/download/eicar_com.zip
# wget http://www.eicar.org/download/eicarcom2.zip

Restart the daemon so it picks up the newly installed signatures:
# systemctl restart clamav-daemon.service

Try to scan (--remove deletes every file clamscan flags, which is fine for the test files in /tmp but not for a real mailbox; note that clamscan loads the databases itself, so this does not exercise the running clamd that rspamd talks to, whereas clamdscan does):
# clamscan --infected --remove --recursive /tmp
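The socket check from the troubleshooting section and the EICAR scan above, combined into one added example that is not part of the original page. It reads the LocalSocket path from clamd.conf, insists that the path is a real Unix socket (which is exactly what a file created with touch is not), writes an EICAR test file and scans it through clamdscan, the same daemon path rspamd or a milter uses. The EICAR string is assembled from two halves only so that this page does not carry the literal signature; the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example: verify clamd's socket and run an EICAR test through the daemon.
# Assumes the Debian/Ubuntu clamd.conf location; override with CLAMD_CONF.
set -eu

CLAMD_CONF="${CLAMD_CONF:-/etc/clamav/clamd.conf}"

# clamd_socket_path CONF: the LocalSocket value clamd creates on start.
clamd_socket_path() {
  awk '$1 == "LocalSocket" { print $2; exit }' "$1"
}

# check_clamd_socket PATH: 0 if PATH exists and is a socket, 1 otherwise, with a
# hint about why. A placeholder made with touch is a regular file and fails here.
check_clamd_socket() {
  if [ -S "$1" ]; then
    return 0
  fi
  if [ -e "$1" ]; then
    echo "$1 exists but is not a socket: remove it and start clamav-daemon" >&2
  else
    echo "$1 missing: clamd is not running (start clamav-daemon once freshclam has fetched the databases)" >&2
  fi
  return 1
}

# eicar_string: the 68-byte EICAR test string, built from two halves so the
# script itself does not contain the literal signature.
eicar_string() {
  printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' 'ANTIVIRUS-TEST-FILE!$H+H*'
}

# write_eicar DIR: write eicar.com into DIR (no trailing newline) and print its path.
write_eicar() {
  eicar_string > "$1/eicar.com"
  printf '%s\n' "$1/eicar.com"
}

# scan_with_clamd FILE: clamdscan exits 0 for clean, 1 for infected, 2 on error
# (daemon down, permission problem). --fdpass hands clamd an open descriptor so
# the clamav user does not need read access to FILE. Returns 0 only on DETECTED.
scan_with_clamd() {
  local rc=0
  clamdscan --no-summary --fdpass "$1" >/dev/null 2>&1 || rc=$?
  case $rc in
    1) echo DETECTED; return 0 ;;
    0) echo CLEAN; return 1 ;;
    *) echo "ERROR (clamdscan exit $rc)"; return 1 ;;
  esac
}

# run_check: socket sanity first, then the end-to-end detection test.
run_check() {
  local sock tmp f rc=0
  sock=$(clamd_socket_path "$CLAMD_CONF")
  check_clamd_socket "$sock" || return 1
  tmp=$(mktemp -d)
  f=$(write_eicar "$tmp")
  scan_with_clamd "$f" || rc=$?
  rm -rf "$tmp"
  return $rc
}

# Usage: ./clamd-check.sh --run
if [ "${1:-}" = "--run" ]; then run_check; fi
```

If `run_check` prints CLEAN, clamd is up but has no signature matching EICAR, which on a fresh install means the databases have not been loaded yet; ERROR with a valid socket usually means the calling user may not connect to it (check LocalSocketGroup and LocalSocketMode in clamd.conf).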

Stop the auto-update process (on Ubuntu 16.04/20.04 the init.d scripts are forwarded to the clamav-freshclam and clamav-daemon systemd units):
# sudo /etc/init.d/clamav-freshclam stop

Run a manual update:
# sudo freshclam

Restart the auto-update process:
# sudo /etc/init.d/clamav-freshclam start

# /etc/init.d/clamav-daemon status
# /etc/init.d/clamav-daemon start
Official Git: https://github.com/extremeshok/clamav-unofficial-sigs

Further reading:
https://hackertarget.com/clamav-tutorial-antivirus-linux/
https://blog.didierstevens.com/2015/08/28/test-file-pdf-with-embedded-doc-dropping-eicar/
https://www.unixmen.com/installing-scanning-clamav-ubuntu-14-04-linux/
https://www.howtoforge.com/tutorial/clamav-ubuntu/
