HOWTO: On-access virus scanning on FC5
Kevin Kofler
kevin.kofler at chello.at
Wed Apr 12 09:35:52 UTC 2006
HOWTO: On-access virus scanning on FC5
by Kevin Kofler
This HOWTO describes how to enable on-access virus scanning with Clamuko (clamd
and Dazuko, i.e. using only Free Software) on Fedora Core 5. It should also
work on older Fedora releases. Unlike other methods to install Dazuko on
Fedora, no kernel recompile is needed, only a compilation of a small module
against the running kernel, thanks to patches developed by Sami Tikka and me.
WARNINGS AND IMPORTANT NOTES:
* Given the current malware landscape, on-access virus scanning is usually NOT
NEEDED on GNU/Linux systems. So unless you're really paranoid, these
instructions are useful only to protect directories shared with more vulnerable
systems.
* On-access scanning is a HUGE PERFORMANCE HOG, especially if you're watching
the entire file system! While it doesn't go as far as making the system
unusable, it does slow things down considerably, and some things like Konqueror
context menus are REALLY SLOW. As usual, there is a tradeoff between
performance and security.
* Right now, the Dazuko patches mentioned below are ONLY FOR 32-BIT X86
systems. At least the execute hook needs porting for other architectures.
* The procedure below should be run entirely as root.
* Running clamd as root is a security risk! But it is required to support
Dazuko on-access scanning ("For security reasons Dazuko will only operate with
processes that are running as root."), so there's no other option.
* These instructions are provided in the hope that they will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. The entire risk as to the quality and
performance of these instructions is with you. Should the instructions prove
defective, you assume the cost of all necessary servicing, repair or
correction. IN NO EVENT unless required by applicable law will the author be
liable to you for damages, including any general, special, incidental or
consequential damages arising out of the use or inability to use the
instructions (including but not limited to loss of data or data being rendered
inaccurate or losses sustained by you or third parties or a failure of the
instructions to operate with any other programs), even if the author has been
advised of the possibility of such damages. Proceed AT YOUR OWN RISK.
STEPS:
1. Obtain Dazuko 2.2.0 from http://www.dazuko.org/
2. Obtain the FC5 patches from:
https://savannah.nongnu.org/patch/?func=detailitem&item_id=4952
You need files #9648, #9751, #9760 and #9761.
3. Untar Dazuko:
tar xvzf dazuko-2.2.0.tar.gz
cd dazuko-2.2.0
4. Apply all 4 patches (in numerical order):
patch -p1 <linux26_syscall_hook.patch
patch dazuko_linux26_syscall.c <dazuko_linux26_syscall-fc5-fix.diff
patch configure <dazuko-configure-unprotect.diff
patch dazuko_linux26_syscall.c <dazuko_linux26_syscall-unprotect.diff
5. Install kernel-devel: yum install kernel-devel
(NOTE: kernel-devel must match your running kernel.)
6. Configure Dazuko: ./configure --enable-syscalls
7. Compile Dazuko: make
8. Install Dazuko: make install
9. Install clamd: yum install clamav-server
10. Configure clamd: Create an /etc/clamd.conf and put this into it:
LocalSocket clamuko
ClamukoScanOnAccess
ClamukoScanOnOpen
ClamukoScanOnClose
ClamukoScanOnExec
ClamukoIncludePath /
ClamukoExcludePath /dev
ClamukoExcludePath /proc
ClamukoExcludePath /sys
(WARNING: Don't forget the exclude paths or you may lockup your system.)
11. Start Dazuko: modprobe dazuko
12. Start clamd: clamd
(NOTE: Steps 11-12 need to be repeated after each reboot.)
Don't forget to update your virus databases regularly (using the freshclam tool
in the clamav-update package).
Kevin Kofler
More information about the fedora-list
mailing list