HOWTO: On-access virus scanning on FC5

[Kevin Kofler]

HOWTO: On-access virus scanning on FC5  
by Kevin Kofler  
  
This HOWTO describes how to enable on-access virus scanning with Clamuko (clamd  
and Dazuko, i.e. using only Free Software) on Fedora Core 5. It should also  
work on older Fedora releases. Unlike other methods to install Dazuko on  
Fedora, no kernel recompile is needed, only a compilation of a small module  
against the running kernel, thanks to patches developed by Sami Tikka and me.  
  
WARNINGS AND IMPORTANT NOTES:  
* Given the current malware landscape, on-access virus scanning is usually NOT  
NEEDED on GNU/Linux systems. So unless you're really paranoid, these  
instructions are useful only to protect directories shared with more vulnerable  
systems.  
* On-access scanning is a HUGE PERFORMANCE HOG, especially if you're watching  
the entire file system! While it doesn't go as far as making the system  
unusable, it does slow things down considerably, and some things like Konqueror  
context menus are REALLY SLOW. As usual, there is a tradeoff between  
performance and security.  
* Right now, the Dazuko patches mentioned below are ONLY FOR 32-BIT X86  
systems. At least the execute hook needs porting for other architectures.  
* The procedure below should be run entirely as root.  
* Running clamd as root is a security risk! But it is required to support  
Dazuko on-access scanning ("For security reasons Dazuko will only operate with  
processes that are running as root."), so there's no other option.  
* These instructions are provided in the hope that they will be useful, but  
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or  
FITNESS FOR A PARTICULAR PURPOSE. The entire risk as to the quality and  
performance of these instructions is with you. Should the instructions prove  
defective, you assume the cost of all necessary servicing, repair or  
correction. IN NO EVENT unless required by applicable law will the author be  
liable to you for damages, including any general, special, incidental or  
consequential damages arising out of the use or inability to use the  
instructions (including but not limited to loss of data or data being rendered  
inaccurate or losses sustained by you or third parties or a failure of the  
instructions to operate with any other programs), even if the author has been  
advised of the possibility of such damages. Proceed AT YOUR OWN RISK.  
  
STEPS:  
1. Obtain Dazuko 2.2.0 from http://www.dazuko.org/  
2. Obtain the FC5 patches from:  
   https://savannah.nongnu.org/patch/?func=detailitem&item_id=4952  
   You need files #9648, #9751, #9760 and #9761.  
3. Untar Dazuko:  
   tar xvzf dazuko-2.2.0.tar.gz  
   cd dazuko-2.2.0  
4. Apply all 4 patches (in numerical order):  
   patch -p1 <linux26_syscall_hook.patch  
   patch dazuko_linux26_syscall.c <dazuko_linux26_syscall-fc5-fix.diff  
   patch configure <dazuko-configure-unprotect.diff  
   patch dazuko_linux26_syscall.c <dazuko_linux26_syscall-unprotect.diff  
5. Install kernel-devel: yum install kernel-devel  
   (NOTE: kernel-devel must match your running kernel.)  
6. Configure Dazuko: ./configure --enable-syscalls  
7. Compile Dazuko: make  
8. Install Dazuko: make install  
9. Install clamd: yum install clamav-server  
10. Configure clamd: Create an /etc/clamd.conf and put this into it:  
LocalSocket clamuko  
ClamukoScanOnAccess  
ClamukoScanOnOpen  
ClamukoScanOnClose  
ClamukoScanOnExec  
ClamukoIncludePath /  
ClamukoExcludePath /dev  
ClamukoExcludePath /proc  
ClamukoExcludePath /sys  
    (WARNING: Don't forget the exclude paths or you may lockup your system.)  
11. Start Dazuko: modprobe dazuko  
12. Start clamd: clamd  
(NOTE: Steps 11-12 need to be repeated after each reboot.)  
  
Don't forget to update your virus databases regularly (using the freshclam tool  
in the clamav-update package).  
  
        Kevin Kofler