The ClamAV plugin can be used with other plugins, like c-icap and rspamd, to scan for viruses.
Your machine needs at least 1.5 GB RAM. Otherwise the machine will run out of memory and crash because of out of memory kills. Using a machine with at least 2 GB RAM is recommended.
There are some techniques to avoid detection and scanning using AV software and not every malware is known by AV products. Signature based AV software can decrease the risk of getting hit by a known malware but it does never guarantee that your computers don’t get infected. It is important to teach the users how to handle files from the internet and untrusted devices safely. Also plan a regular Backup of important files, make sure, that ACLs are used correctly and apply patches asap to keep the attack surface and damage as small as possible.
To make ClamAV working, you need to download signatures. Please note that those files need to be fetched after a reboot again if they are stored on a ram disk.
First of all, you have to install the ClamAV plugin (os-clamav) from the plugins view.
After a page reload you will get a new menu entry under services for ClamAV. Select it and you will get to the following screen:
- Enable clamd service
Selecting this checkbox enables clamd so you can use it to scan files.
- Enable freshclam service
Freshclam is a service to update your malware signatures. If you use ClamAV, it is recommended to update the signatures on a regular basis.
- Enable TCP Port
This checkbox needs to be checked, if you want to use clamd over the network or for local services, which use a TCP connection.
- Maximum number of threads running
Thread limit is used to avoid a denial of service of the daemon and your machine. Usually a number next or equal to the number of cores would be good.
- Maximum number of queued items
This is the maximum of files which can be in the queued for scanning. The reason is the same as for the threads.
- Idle Timeout
The connection will be dropped if it is inactive for this amount of time. If the other socket endpoint is a machine, this value can be low but if you plan to use it for develpoment reasons, you may set it to a higher value.
- Max directory recursion
Limit the depth of the directory tree. In the worst case there is a loop which causes the scanner to run endlessly and this setting should prevent it.
- Follow directory symlinks
If this is checked, clamav will follow directory symlinks which may lead to a loop. If you want to check this, make sure the recursion limit is set to a useful value.
- Follow regular file symlinks
If this is checked, clamav will follow symlinks to regular files. This may expose information about the filesystem, the user should not have access to.
- Disable cache
If you check this, the results are not cached. This is only useful in develpoment environments as it slows down the response time.
- Scan portable executable
Check this box, if you want to scan PE files. If you are using PE-files (*.exe, *.dll etc.) files in your network, checking this box is recommended.
- Scan executeable and linking format
Check this box, if you want to scan ELF-files. ELF is for example used on Linux based operating systems and on *BSD.
- Detect broken executables
This setting will mark an executable as broken if it does not match the spec. A executable may be broken because of a download issue or manipulation. In any case, there should not be any legit case to pass a broken executable.
- Scan OLE2
If this is checked, OLE2 files (for example Microsoft Office files) will be analyzed. Such files should be analyzed as they may contain macros which have been used to download and install malware (usually ransomware).
- OLE2 block macros
Check this box, if documents containing macros should be blocked. If you don’t use macros and you don’t expect them from your business partners or friends, this setting is recommended.
- Scan PDF files
- Scan SWF
If you check this box, Flash files will be scanned. Flash is used to provide video players or interactive content. Nowadays it should have been replaced by HTML5.
- Scan XMLDOCS
Scan XML Documents
- Scan HWP3
HWP seems to be a korean document format. If you don’t use them, it is better to block them in the proxy than scanning them. If you have them in use, you should scan them.
- Decode mail files
If you select this option, the sections of emails will be read and therefore it will be possible to scan email attachments. Mail attachments are important to scan as an attached file may contain malware. For example, some malware campaigns used a JScript file which has been packed in a ZIP file which was attached to an email.
- Scan HTML
- Scan archives
Scan files inside archives. This is very important as archives can contain malware. Please note that archive nesting is used to bypass scans, so scanners detect such archives as dangerous at a specific recursion level. Also keep in mind that zip bombs may be possible to DoS a scanner.
- Block encrypted archive
Encrypted archives are usually used to transfer files encrypted which don’t support encryption on their own or the sender is not aware how to encrypt those files. A tool like 7z can derive a key from a password given by the creator of the file, which will be used to encrypt the compressed data. The ClamAV cannot scan this data as it is missing the key/password. Some malware authors used encrypted archives to avoid scanning and told the victim in the email text how to unpack it.