What are some good resources for learning ClamAV?

CosmicWanderer

New Member
Joined
Feb 17, 2026
I recently installed ClamAV on my Fedora system and I learned just how hard it is. I did some internet searching and found a handful of how-to-install videos and the ClamAV documentation, which to me feels very confusing. Are there any good resources to learn ClamAV that make sense?
 


I installed ClamAV on linux Mint around 12 years ago.

I found it worthless, and decided that using my own common sense and a browser set up properly was more than enough.

Nothing has happened in the 12 years to change my mind.
 


and something to read in your spare time..... I wrote this a few years ago, and it still holds true

The vast majority of Linux users accept the security of Linux "on faith"....simply because it has been that way for many years, and would appear to be going to continue that way.

Their attitude is understandable, because behind all that you see, is a complex web of people who keep Linux safe. The number of people involved would astound you. They are spread worldwide, there are a huge number of 'failsafes' built in...so that errors/mistakes etc rarely, if ever, happen.

At my level, (11 years on Linux Mint, 8 years on linux.org forums) I am quite content to trust the process, but I also keep a wary eye out for 'changes' that do not make sense.....that set off an alarm bell, if and when I see them. I am definitely not a paranoiac. I leave that state of mind for those who are thus inclined.

As far as I am aware, there is no facility to check checksums or hashes etc etc for Linux Mint software.

Is it possible I am mistaken ?.......yes, of course......But I do not think I am.

When it comes to managing packages, you do have to trust something. After all, trust is an integral part of life.

Linux Software, eg Gimp, is to be found in the Software Manager.

In menu, type in Software Manager....as it appears, right click on it and select 'add to panel'

This will place the icon for the software manager in your panel (task bar)

A single click on that icon will open it. If this is the first time it has run, give it a minute to load the repository. Any time after the initial loading will be much quicker.

Type in gimp to the search area. Install it from there. You can also uninstall from there.

How do you know it is safe?...Experience. From installing from that place countless times without incident.

Software from the internet. This is a risk. For well-known apps, the risk is somewhat reduced, but you are trusting that no one has interfered with that site. People like Mozilla (Firefox) and Chrome (Google etc) go to great lengths to keep their sites safe. They have a vested interest ($) in keeping their sites clean.

However...if you see a site with an app for doing something that is attractive but more obscure than is usual for example : (https://obsproject.com/)

....would you trust it ?...really ???

Because I have the experience that I have....if I really wanted/needed that particular software......I would download it.

At the first sign of something 'not right' ....I would use sudo apt purge package/app name....and then sudo apt autoremove .......to rid my system of it. I may even do a Restore in Timeshift to go back a day or two to get completely away from it, as well as wiping any Timeshift snapshot that had been taken the day I installed that software.

It is a fact that the Software Manager (also called the Repository) has a huge number of apps. It is equally true that there is no list of contents which you can search. The only way you can discover what is in there is by experimentation. When I see an app somewhere...often on a user's post at Linux.org etc....I sometimes wonder where did he/she get that ???.....I will search in Software Manager for it...I will use different words to look for it, or preferably something that does the same thing.

Having done that, most of the time I will then uninstall it. I have only done it to experiment....just something to do. Occasionally I find something of use, in which case it stays installed.

There is no rule book....no recipe

Make the system suit YOU. It is Linux, it is free, it is about having Choices.

SO, find an approach that suits you. That makes you feel safe.

There is no AV necessary for Linux. That may change in the future. Then again that has been said for the last 10 years that I know of, and probably for longer. The people who maintain Linux work unbelievably HARD to keep it safe.

The most important digital signature/checksum etc....is the one for your OS (operating system) ....In my case, that is Linux Mint 22.1
 
I found it worthless, and decided that using my own common sense and a browser set up properly was more than enough.
I second that, AV is un-needed, practicing 'safe computing' is what you need.

IDK if you've heard of FUD malware? It means "Fully UnDetectable", which means no AV signature exists to detect it.
AVs are powerless against FUD malware and there's plenty of it in the wild, probably even more than that which is detectable.

Also for detectable malware, malware writers will always run it through a crypter to evade detection, so AV is again powerless.
 
As far as I am aware, there is no facility to check, checksums or hashes etc etc for Linux Mint software.

Is it possible I am mistaken ?.......yes, of course......But I do not think I am.
The use of checksums in the apt package manager is quite extensive. In the following examples a Debian machine is used.

For an installed package, one can check that the files in a package are what they are supposed to be, true and verified, with the use of the command: debsums. The following command shows the debsums executable to be from the debsums package.
Code:
[~]$ dpkg -S /usr/bin/debsums
debsums: /usr/bin/debsums

The debsums command checks the MD5 sums of the files against a sum for each file of the package:

As an example, using the installed package: cowsay, the following check shows that all of the files in the package are "OK", which means they are verified and uncorrupted:
Code:
[~]$ debsums cowsay
/usr/games/cowsay                                 OK
/usr/share/cowsay/cows/apt.cow                    OK
/usr/share/cowsay/cows/bud-frogs.cow              OK
/usr/share/cowsay/cows/bunny.cow                  OK
/usr/share/cowsay/cows/calvin.cow                 OK
/usr/share/cowsay/cows/cheese.cow                 OK
/usr/share/cowsay/cows/cock.cow                   OK
/usr/share/cowsay/cows/cower.cow                  OK
<snip>

The actual md5sums that debsums checks the file against, are provided in the /var/lib/dpkg/info directory where each package has a sum listed for each file. For example, for the cowsay package, the md5sum sums are in the file /var/lib/dpkg/info/cowsay.md5sums. Looking into this file one sees the listing of a sum for each package file:
Code:
[~]$ less /var/lib/dpkg/info/cowsay.md5sums
4a3fcaf4ae6c1758b55cc04b075a4007  usr/games/cowsay
dd9004601a67345d76e91ed232676f60  usr/share/cowsay/cows/apt.cow
5c61632eb06305d613061882e1955cd2  usr/share/cowsay/cows/bud-frogs.cow
05eb914d3b96aea903542cb29f5c42c7  usr/share/cowsay/cows/bunny.cow
a9d1d3c2446fa9fb170c7b539ea94280  usr/share/cowsay/cows/calvin.cow
<snip>

For a .deb package itself that one may have downloaded to install, one can check the sha256sum of the package before it is installed. Taking the example of the cowsay package again, one can download the cowsay .deb file. Note that this command can be run as user since it just downloads a package into the directory from which it's run but doesn't install it:
Code:
[~]$ apt download cowsay
Get:1 http://ftp.au.debian.org/debian forky/main amd64 cowsay all 3.03+dfsg2-8 [21.4 kB]
Fetched 21.4 kB in 0s (113 kB/s)

To determine the actual sha256sum value, one can run the apt-cache command which presents the sum value at the bottom of the output:
Code:
[~]$ apt-cache show cowsay
Package: cowsay
Version: 3.03+dfsg2-8
<snip>
Description-md5: c312f9ae79aed8150f991fcfa3df1a03
Homepage: https://web.archive.org/web/20120527202447/http://www.nog.net/~tony/warez/cowsay.shtml
<snip>
Priority: optional
Filename: pool/main/c/cowsay/cowsay_3.03+dfsg2-8_all.deb
Size: 21372
MD5sum: 331cb863a7eaa69ce36747153a64116f
SHA256: 5b16f90ff97871aa0f442087abc1878940d00e310f74190ba854a097545204bf
Then to check that the .deb package is what it's supposed to be, one can run the sha256sum command to see if it outputs the same value as that shown in the apt-cache command output shown above:
Code:
[~]$ sha256sum cowsay_3.03+dfsg2-8_all.deb
5b16f90ff97871aa0f442087abc1878940d00e310f74190ba854a097545204bf  cowsay_3.03+dfsg2-8_all.deb
As can be seen, the sums tally, so all is as expected with no corruption.
 
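The two checks walked through above (the per-file MD5 comparison that debsums performs against /var/lib/dpkg/info/PACKAGE.md5sums, and the SHA256 comparison of a downloaded .deb against the SHA256: field of apt-cache show) are easy to reproduce by hand. The script below is an added example, not code from the post or from the debsums/apt projects: it parses the same two text formats shown above, runs both comparisons over constructed sample files in a temporary directory (one file tampered with and one deleted after the listing was recorded, so the FAILED and missing cases are exercised), and returns the verdicts. The sample file contents, the fake .deb bytes and the trimmed apt-cache output are all constructed for the demo; the status word MISSING is this script's own simplification of debsums' "missing file" message.

```python
import hashlib
import os
import tempfile

# Constructed sample package files (paths mirror the cowsay listing above;
# the contents are made up for this demo).
SAMPLE_FILES = {
    "usr/games/cowsay": b"#!/usr/bin/perl\nprint 'moo';\n",
    "usr/share/cowsay/cows/apt.cow": b"$the_cow = <<EOC;\n  \\   apt\nEOC\n",
    "usr/share/cowsay/cows/bunny.cow": b"$the_cow = <<EOC;\n  \\   (\\_/)\nEOC\n",
}
# Constructed stand-in for a downloaded .deb (not a real archive).
SAMPLE_DEB = b"!<arch>\ndebian-binary  constructed, not a real .deb\n"


def file_digest(path, algo):
    """Hash a file in chunks with the named hashlib algorithm (md5, sha256, ...)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_md5sums(text):
    """Parse a dpkg .md5sums listing: one '<md5hex>  <relative path>' per line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, rel_path = line.split(None, 1)
        entries[rel_path] = digest.lower()
    return entries


def verify_md5sums(listing_text, root):
    """Compare every listed file under root with its recorded MD5, like debsums.
    Returns {relative path: 'OK' | 'FAILED' | 'MISSING'}."""
    results = {}
    for rel_path, expected in parse_md5sums(listing_text).items():
        path = os.path.join(root, rel_path)
        if not os.path.isfile(path):
            results[rel_path] = "MISSING"
            continue
        results[rel_path] = "OK" if file_digest(path, "md5") == expected else "FAILED"
    return results


def sha256_from_apt_cache(show_output):
    """Extract the value of the 'SHA256:' field from `apt-cache show` output."""
    for line in show_output.splitlines():
        if line.startswith("SHA256:"):
            return line.split(":", 1)[1].strip().lower()
    return None


def verify_deb(deb_path, show_output):
    """True if the .deb's SHA256 matches the value apt-cache reports for it."""
    expected = sha256_from_apt_cache(show_output)
    if expected is None:
        raise ValueError("apt-cache output carries no SHA256: field")
    return file_digest(deb_path, "sha256") == expected


def demo():
    """Run both checks over constructed data; returns the verdicts."""
    with tempfile.TemporaryDirectory() as root:
        for rel_path, data in SAMPLE_FILES.items():
            path = os.path.join(root, rel_path)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        # Record the listing from the pristine files, as dpkg does at install time.
        listing = "".join(f"{hashlib.md5(data).hexdigest()}  {rel_path}\n"
                          for rel_path, data in SAMPLE_FILES.items())
        # Simulate corruption/replacement after install: modify one file, delete another.
        with open(os.path.join(root, "usr/share/cowsay/cows/apt.cow"), "ab") as f:
            f.write(b"# appended after install\n")
        os.remove(os.path.join(root, "usr/share/cowsay/cows/bunny.cow"))
        md5_results = verify_md5sums(listing, root)

        # Constructed .deb plus a trimmed apt-cache show record that matches it.
        deb = os.path.join(root, "cowsay_3.03+dfsg2-8_all.deb")
        with open(deb, "wb") as f:
            f.write(SAMPLE_DEB)
        show_output = ("Package: cowsay\nVersion: 3.03+dfsg2-8\n"
                       f"SHA256: {hashlib.sha256(SAMPLE_DEB).hexdigest()}\n")
        deb_ok = verify_deb(deb, show_output)
        with open(deb, "ab") as f:          # a single extra byte must be noticed
            f.write(b"x")
        deb_tampered_ok = verify_deb(deb, show_output)
    return {"md5": md5_results, "deb_ok": deb_ok, "deb_tampered_ok": deb_tampered_ok}


if __name__ == "__main__":
    verdicts = demo()
    for rel_path, status in verdicts["md5"].items():
        print(f"{rel_path:45} {status}")
    print("deb intact:", verdicts["deb_ok"], "| deb tampered:", verdicts["deb_tampered_ok"])
```

One caveat worth keeping in mind when reading either output: both comparisons are against reference values stored on the same machine (the .md5sums file under /var/lib/dpkg/info, and the apt package lists), so they detect accidental corruption or a replaced file, not a change made by something that already has root and can rewrite the reference alongside the file. The repository's signed Release file, which apt verifies when it fetches those lists, is what anchors the SHA256 value to the distribution rather than to the local disk.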
Here are my copy/paste commands from notes:
Bash:
# Check all
sudo debsums --all | tee ~/Documents/debsums.txt | grep -E " FAILED| REPLACED"

# Only check configuration files
sudo debsums -e | tee ~/Documents/debsums-config.txt | grep -E " FAILED| REPLACED"

# List packages (or debs) which don't have an MD5 sums file
sudo debsums -l | tee ~/Documents/debsums-missing.txt
 
@CosmicWanderer, my apologies for hijacking your thread.

My intention was to get the message to you that diligence and practicing safe computing is your best ally.

The Linux community is very, very strong. The members here are the smartest and most diligent I have ever come in contact with. You will do yourself a favour to stay here and learn from the best.
 
Safe computing doesn't help against things like Copy Fail and Dirty Frag and how such things could be combined with other things to be abused, just saying.
 
Safe computing doesn't help against things like Copy Fail and Dirty Frag and how such things could be combined with other things to be abused, just saying.
I think safe computing includes monitoring CVEs and similar; if one has an understanding of how some vulnerability can affect you, then you can take some mitigation steps and precautions.

Not all vulnerabilities can be simply executed at any time.
 
Clam AV is not an "Active" anti-virus tool, it is "Passive": that is, it only scans and removes, it does not monitor your system in the background (Actively) like Windowz antiviruses - so your machine can get infected, then you have to scan, then maybe remove the varmint - but like so many have already stated - be smart when you surf and you should not have an issue.
 
There are many text/html based tutorials on clamav on the web.

Sadly, Linux doesn't have up-to-date feature rich malware scanners. We have rkhunter, chkrootkit, they only catch so much. rkhunter hasn't been updated in years.

I find clamav is best for scanning Windows binaries. But even then, I prefer booting from an AV LiveCD to scan the Windows system. I run clamav on *nix for giggles, but I don't expect it to find anything.

Lynis is a nice auditing program, as are the myriad of intrusion detection softwares.

If you're scanning Windows systems, you may as well use a free AV LiveCD from one of the big companies. Or, just wipe/install your free OS of choice and be done with it.
 
Sadly, Linux doesn't have up-to-date feature rich malware scanners.

I haven't tried it, but Kaspersky now has a Linux anti-malware application.

For reasons, I'm not legally allowed to try it -- and (I checked) they won't sell it to me.

For reasons, I'm not sure how much I'd rely on it.

From what I remember, Kaspersky had a solid AV application. They'd later buy Agnitum, which was a pretty well-rated software firewall. I have zero modern experience with any of those.
 
I haven't tried it, but Kaspersky now has a Linux anti-malware application.

Yes, I remember the announcement. I forget, is it 30-day free then paid or a perpetually crippled free version?

For reasons, I'm not legally allowed to try it -- and (I checked) they won't sell it to me.

Well if you're in the US and/or have some NDA or something forbidding it...But shouldn't it work regardless of country? (maybe only updates won't work if you're US but there are ways around that which I'm sure you know)

For reasons, I'm not sure how much I'd rely on it.

It's proprietary so, I'd avoid it. Much like I avoid Little Snitch for Linux since some portion of it is proprietary.

From what I remember, Kaspersky had a solid AV application. They'd later buy Agnitum, which was a pretty well-rated software firewall. I have zero modern experience with any of those.

I used to test Kaspersky software on Windows and their (now discontinued?) free AV LiveCD every so often. I believe they called it a "rescue disc(k)?"
 
Well if you're in the US and/or have some NDA or something forbidding it...But shouldn't it work regardless of country? (maybe only updates won't work if you're US but there are ways around that which I'm sure you know)

Oh, I am sure I could make it work. I'm just not going to take those risks.

It's proprietary so, I'd avoid it.

Meh... I'm not a zealot, so I use proprietary software when it is better for me.

But, in this case, I'd sort of like to try it in a sandbox just to see what it looked like and how it functioned. I don't think I'd want it running on bare metal without a very heavy trial period.

It's not that I'm xenophobic, or anything like that. It's just that the situation is such that I can't be certain other parties aren't involved. I'd elaborate, but discussing politics is not allowed. You can likely draw your own conclusions.
 
It's simply my choice.

Yup. Though it's pretty much impossible to only use free software.

This very forum is based on proprietary software, even though free forum scripts exist.

As an aside, I was in school with RMS back in the day. That was, of course, many years ago. I can definitely appreciate FOSS and do much to support it. But, at the same time, I don't mind proprietary stuff -- again, when it's better for me.

These days, you're likely using multiple binary blobs that are proprietary. It's just the nature of the beast.

As a percentage, there aren't many desktop Linux users. OEMs are doing more than they used to, but we're still second-class citizens in the tech world (as far as support goes). I'm not sure how much that will change in my remaining years.
 
@KGIII,

I fully understand where you're coming from. I choose not to use proprietary software whenever possible, and I choose to recommend FOSS to people by default. I discourage use of closed software whenever possible. I didn't say I was Amish. :D
 
I once made my living from a leased, "bare metal" RHEL LAMP server. Up to 11 websites were hosted on it.

Yes, I had ClamAV running on it.

But, ClamAV was ONLY for scanning incoming/outgoing email for MS Windows viruses!

If you don't need to do the latter, then you have no practical reason to learn ClamAV.

You're welcome. :)
 

