How to setup clamav, freshclam, and havp in Arch for virus protection

Since the Arch dansguardian.conf file states "!!! Not compiled for all content scanners integration with DG", we will instead integrate ClamAV with Squid via havp.

1) Install clamav and clamav-freshclam (keeps clamav database up to date)
pacman -S clamav
2) The configuration files for ClamAV are located in /etc/clamav, and the default configuration is appropriate for our needs. FreshClam updates the virus definitions hourly; if you want to change this behaviour, edit /etc/clamav/freshclam.conf

   a) Comment out the line containing the word Example at the beginning of the configuration files /etc/clamav/freshclam.conf and /etc/clamav/clamd.conf

   b) Start the daemon and run freshclam to update the virus definition files
/etc/rc.d/clamav start

freshclam
   If you get the following message after running freshclam:
WARNING: Clamd was NOT notified: Can't connect to clamd through 
 /var/lib/clamav/clamd.sock connect(): No such file or directory
   add a socket file for clamav and restart it:
touch /var/lib/clamav/clamd.sock

/etc/rc.d/clamav restart
   The database files are saved in:
/var/lib/clamav/daily.cvd
/var/lib/clamav/main.cvd
3) To run as a server edit /etc/clamav/clamd.conf and /etc/clamav/freshclam.conf and comment out the Example flag. In /etc/conf.d/clamav change the start options from "no" to "yes".
   # change these to "yes" to start
   START_FRESHCLAM="yes"
   START_CLAMD="yes"
4) To start clamav at boot, edit /etc/rc.conf and add both clamav and clamav-freshclam to DAEMONS
 
5) To change how often freshclam checks for virus definition files, edit freshclam.conf. Replace Checks 24 with Checks 1, meaning once a day
       vim /etc/clamav/freshclam.conf

   Restart clamav-freshclam after changing the configuration
       /etc/rc.d/clamav restart   # this restarts both clamav and freshclam
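As an added example (not part of the original post), the following POSIX shell functions apply the edits from steps 2 and 5 to a ClamAV config file and let you verify them before restarting the daemons. The file paths are passed as arguments, so the functions can be tried on copies first. They assume the stock files carry a bare Example marker line, a "Checks N" key in freshclam.conf and a "LocalSocket PATH" key in clamd.conf (the LocalSocket key is not shown above and is an assumption here).

```sh
#!/bin/sh
# Added example, not part of the original post: apply the ClamAV edits from
# steps 2 and 5 to a config file and verify them. Assumes the stock files carry
# a bare "Example" marker line, a "Checks N" key (freshclam updates per day)
# and, in clamd.conf, a "LocalSocket PATH" key (assumed, not shown on the page).
set -eu

# edit_in_place FILE SED_SCRIPT: rewrite FILE through sed, keeping its
# ownership and mode (no dependency on GNU "sed -i").
edit_in_place() {
    tmpf=$(mktemp)
    sed "$2" "$1" > "$tmpf"
    cat "$tmpf" > "$1"
    rm -f "$tmpf"
}

# prepare_clam_conf FILE [CHECKS]: comment out the "Example" marker and, when
# CHECKS is given, set "Checks CHECKS" (replacing any active or commented
# Checks line, or appending one). Safe to run more than once.
prepare_clam_conf() {
    conf="$1"
    checks="${2:-}"
    edit_in_place "$conf" 's/^Example[[:space:]]*$/#Example/'
    if [ -n "$checks" ]; then
        if grep -q '^#*[[:space:]]*Checks[[:space:]]' "$conf"; then
            edit_in_place "$conf" "s/^#*[[:space:]]*Checks[[:space:]].*/Checks $checks/"
        else
            printf 'Checks %s\n' "$checks" >> "$conf"
        fi
    fi
}

# conf_is_ready FILE: true only when no active "Example" line is left
# (clamd and freshclam refuse to start while one is present).
conf_is_ready() {
    ! grep -q '^Example' "$1"
}

# checks_value FILE: print the configured Checks value (empty if unset).
checks_value() {
    sed -n 's/^Checks[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1"
}

# clamd_socket_path CLAMD_CONF: print the LocalSocket path, so the
# "Clamd was NOT notified" warning from step 2b can be checked with
#   [ -S "$(clamd_socket_path /etc/clamav/clamd.conf)" ]
clamd_socket_path() {
    sed -n 's/^LocalSocket[[:space:]][[:space:]]*\(.*\)/\1/p' "$1"
}
```

On the live system the calls are prepare_clam_conf /etc/clamav/freshclam.conf 1 and prepare_clam_conf /etc/clamav/clamd.conf, followed by /etc/rc.d/clamav restart; conf_is_ready and the socket check tell you whether the restart is worth attempting.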
 
6) Create a build folder and manually build and install havp (the proxy interface for clamav)
cd ~

mkdir build

cd build

--change the download file to the latest version at (http://aur.archlinux.org/packages.php?ID=10417); see the tarball link on the left

wget http://aur.archlinux.org/packages/havp/havp.tar.gz

tar -xzvf havp.tar.gz

cd havp

--check that the PKGBUILD and install files are not malicious

vim PKGBUILD

   change the version from 0.90 to 0.92

      pkgver=0.90     to    pkgver=0.92

   add the following

      arch=('x86_64')

   change md5sums to

      md5sums=('5d7be4a702ced59a6a2687b044c30da3')

   and add these lines so the package carries the havp log and temp directories

      mkdir $startdir/pkg/var/log/havp
      mkdir $startdir/pkg/var/tmp/havp


             
--Build

makepkg --asroot

--Install the package

pacman -U havp-0.92-1-x86_64.pkg.tar.xz
7) Change the owner of the antivirus log and temporary scanning directories to havp:
        chown -R havp:havp /var/run/havp
        chown -R havp:havp /var/log/havp
       
8) Add the mandatory locking mount option (needed by HAVP): in /etc/fstab, change

        [...] / ext4 defaults 0 1

   to

        [...] / ext4 defaults,mand 0 1

   Then remount your root filesystem:

        mount -o remount /
 
9) Enable havp by removing the REMOVETHISLINE deleteme line from the config file, changing the listening port, and enabling the clamav scanner
        vim /etc/havp/havp.conf
            change PORT 8080 to PORT 8090
            change ENABLECLAMLIB false to ENABLECLAMLIB true
            uncomment BINDADDRESS 127.0.0.1
 
10) Add the following to your /etc/squid/squid.conf:

        cache_peer 127.0.0.1 parent 8090 0 no-query no-digest no-netdb-exchange default
        cache_peer_access 127.0.0.1 allow all
 
11) Reload Squid and start HAVP:

        /etc/rc.d/squid restart
        /etc/rc.d/havp start

    The execution flow of internet access then becomes (http://forums.gentoo.org/viewtopic.php?t=689149):
        Computer browser proxy (8080) -> Dansguardian (8080) -> Squid (3128) -> HAVP (8090) -> Internet
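As an added example (again not from the original post), these POSIX shell functions check the HAVP and Squid side of the chain before anything is restarted: that the step 9 edits are in place, that the port HAVP listens on is the one Squid's cache_peer line forwards to (a mismatch means Squid cannot reach the scanner), and that / is mounted with mand as step 8 requires. File paths are passed as arguments so the checks can be run against copies; the mounts file is assumed to be in /proc/mounts format, with mount options in the fourth column.

```sh
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# havp.conf / squid.conf edits of steps 8-10. Paths are arguments; the mounts
# file is assumed to be in /proc/mounts format (options in column 4).
set -eu

# havp_port HAVP_CONF: print the PORT value from havp.conf (empty if unset).
havp_port() {
    sed -n 's/^PORT[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1"
}

# squid_peer_port SQUID_CONF: print the port of the "cache_peer 127.0.0.1 parent"
# line, i.e. where Squid forwards requests for scanning.
squid_peer_port() {
    awk '$1=="cache_peer" && $2=="127.0.0.1" && $3=="parent" {print $4; exit}' "$1"
}

# havp_conf_ready HAVP_CONF: report every step 9 edit still missing; fails
# if any is missing.
havp_conf_ready() {
    conf="$1"
    ok=0
    if grep -q 'REMOVETHISLINE' "$conf"; then
        echo "REMOVETHISLINE line still present in $conf"; ok=1
    fi
    grep -q '^ENABLECLAMLIB[[:space:]][[:space:]]*true' "$conf" \
        || { echo "ENABLECLAMLIB is not true in $conf"; ok=1; }
    grep -q '^BINDADDRESS[[:space:]][[:space:]]*127\.0\.0\.1' "$conf" \
        || { echo "BINDADDRESS 127.0.0.1 is not active in $conf"; ok=1; }
    return $ok
}

# chain_consistent HAVP_CONF SQUID_CONF: true when Squid's cache_peer port is
# the port HAVP actually listens on.
chain_consistent() {
    port=$(havp_port "$1")
    [ -n "$port" ] && [ "$port" = "$(squid_peer_port "$2")" ]
}

# root_has_mand MOUNTS_FILE: true when the "/" entry carries the mand option.
# On the live system call it as: root_has_mand /proc/mounts
root_has_mand() {
    awk '$2=="/" { n=split($4, o, ","); for (i=1; i<=n; i++) if (o[i]=="mand") found=1 }
         END { exit !found }' "$1"
}
```

Running havp_conf_ready /etc/havp/havp.conf, chain_consistent /etc/havp/havp.conf /etc/squid/squid.conf and root_has_mand /proc/mounts before step 11 catches the three configuration mismatches that otherwise only show up as a proxy that refuses connections or a HAVP that fails to start.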
 
12) Test: go to http://www.eicar.org/anti_virus_test_file.htm# and try to download eicar.com. HAVP should report the file as infected instead of delivering it.
       
13) Add havp to DAEMONS in rc.conf
        vim /etc/rc.conf
            DAEMONS=( ...  squid havp  ...)
 