Debian – Sending a File to a Remote Clamd Instance

anti-virus clamav debian

I may be misunderstanding how to utilize clamd. I've got a situation where I have a media server that isn't quite powerful enough to scan files as well as host the other services it is running (Raspberry Pi). While I was looking through clamd.conf and man pages, it looks like there is an option to have clamd listen on a specified IP address and socket. Is there a way to stream files from a remote file server to another machine running clamd to be scanned?

I've also come across this "remote clamd scanning", though it even points out in the code:

You must be using a local socket to scan local files

(it also is designed to scan a single file at a time, rather than a directory which would be nice)

A similar question has been asked here though as sandroid was pointing out

Clamd sits and listens for instructions on what files need to be scanned, that is the communication it receives via TCP. We need to know how it accesses the mail files to be scanned…

So, is remote file scanning not supported by clamd? If not, what would be the best approach to scan remote files? I could rsync over the files temporarily and scan them, or configure Raspbian as a file server and mount it to the machine I am hosting the clamd service on. If there are better recommendations, it would be much appreciated.

Best Answer

I agree with jezzaaaa on the above answer; you can indeed configure the client/server according to your needs. For example:

If you want ClamAV to be the server that does the scanning and catches the infected files, here is the configuration for Ubuntu 20.04...

SERVER SIDE
# Install the daemon and freshclam
sudo apt install -y clamav-daemon clamav-freshclam

Make it listen for requests on port 3310 by adding the option 'TCPSocket 3310' to the '/etc/clamav/clamd.conf' file.

Done, the server is now listening and waiting for requests.

CLIENT SIDE
# Install the 'clamdscan', this will install other things, you can remove them
sudo apt install -y clamdscan

# Remove the extra from the client machine
sudo apt remove -y clamav-daemon clamav-freshclam

Add the options TCPAddr and TCPSocket (TCPAddr 1.2.3.4 TCPSocket 3310) to, and remove LocalSocket from, the /etc/clamav/clamd.conf file on the client.

Tests on client
~$ clamdscan -v ~/infected-file.txt
~$ clamdscan -v ~/document-file.pdf

If the server and the client machines can communicate over port 3310, the output should be recorded on the server machine where you have the clamav-daemon running.
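
On the question of streaming files to a remote clamd: the daemon's INSTREAM command accepts file content over the TCP socket, so the server never needs access to the client's filesystem. The following is an added example, not part of the original answer: a minimal Python client for that command, where the function names are illustrative and the default host and port are the sample values from the answer above.

```python
import socket
import struct

CHUNK = 8192  # bytes per chunk; an arbitrary size chosen for this example


def instream_frames(fileobj, chunk_size=CHUNK):
    """Yield the byte frames of one zINSTREAM request for fileobj."""
    yield b"zINSTREAM\0"  # 'z' prefix: command and reply are NUL-terminated
    while True:
        data = fileobj.read(chunk_size)
        if not data:
            break
        # Each chunk is a 4-byte length in network byte order, then the data.
        yield struct.pack("!I", len(data)) + data
    yield struct.pack("!I", 0)  # a zero-length chunk ends the stream


def parse_reply(raw):
    """Return ('OK', None), ('FOUND', signature) or ('ERROR', message)."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    body = text.split(": ", 1)[-1]  # drop the leading "stream: " if present
    if body == "OK":
        return "OK", None
    if body.endswith(" FOUND"):
        return "FOUND", body[: -len(" FOUND")]
    return "ERROR", body  # e.g. size limit exceeded, or connection closed


def scan_stream(sock, fileobj):
    """Send fileobj over a connected socket and return the parsed verdict."""
    for frame in instream_frames(fileobj):
        sock.sendall(frame)
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:  # clamd closed the connection
            break
        reply += part
    return parse_reply(reply)


def scan_file(path, host="1.2.3.4", port=3310, timeout=30):
    """Scan one local file on a remote clamd (host/port: the answer's sample values)."""
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            open(path, "rb") as fh:
        return scan_stream(sock, fh)
```

clamd's TCP socket has no authentication or encryption, so restrict port 3310 to the client's address with a firewall. A stream larger than StreamMaxLength in the server's clamd.conf is answered with an error instead of a verdict, which this client reports as `ERROR`.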
