Automate your f-prot antivirus

Unofficial documentation for various parts of Gentoo Linux. Note: This is not a support forum.

Post by JoeG » Tue Aug 31, 2004 1:14 am

Hi folks. I know, not a lot of viruses exist that exploit *nix's, but some of us run SAMBA for Windows networks, email servers ... etc. Hey, me, I just wanna know for sure that I'm not infected, even on my desktop gentoo box. So...here's how I did it.

As root,
  • install f-prot AV

    Code:

    emerge f-prot

  • make sure that you're updated

    Code:

    /opt/f-prot/check-updates.pl

  • download http://www.rexswain.com/eicar.com to your home folder, then make sure that it's working by (as per http://www.rexswain.com/eicar.html )

    Code:

    /opt/f-prot/f-prot -disinf -list ~/

  • Now let's script it. Create the file /usr/sbin/fprotscan with the following content:

    Code:

    #!/bin/sh
    #Script to automate virus scans and logging
    #
    #Get the system date (e.g. 2004Aug31) and store some needed variables
    DAY=`date +%Y%b%d`
    LOGDIR=~/f-prot
    #
    #Next, let's make sure that we're up-to-date
    /opt/f-prot/check-updates.pl -cron -quiet
    #
    #Mount /boot so it can be checked as well
    mount /boot
    #
    #Change to a predetermined log directory, create it if need be.
    if [ -d "$LOGDIR" ]
    	then
    		echo "Log folder exists.."
    	else
    		echo "Creating log folder..."
    		mkdir -p "$LOGDIR"
    fi
    #Give up (and unmount /boot again) if the log directory can't be entered,
    #so the report never lands in whatever directory cron started us in
    cd "$LOGDIR" || { umount /boot; exit 1; }
    echo "Scanning...this may take awhile"
    #
    #Run the virus scan...and log it.
    #-auto answers the -disinf confirmation prompts, which a cron job cannot do
    #Thanks for the help on this part in particular, guys!
    /opt/f-prot/f-prot -auto -disinf -list -report="$DAY.log" -append /
    #
    #Unmount /boot
    umount /boot
    
  • Make it executable

    Code:

    chmod a+x /usr/sbin/fprotscan

  • Now, let's automate.

    Code:

    crontab -e

  • Insert the following line, save, and exit

    Code:

    30 3 * * * /usr/sbin/fprotscan

    This will run your scan at 3:30 AM (when most people's computers are otherwise idle) every day. Check here if you want to modify the schedule to run and don't understand cron.
You should be all set now. Happy Gentoo'ing.

Regards,
JoeG
Last edited by JoeG on Thu Jan 20, 2005 10:36 pm, edited 5 times in total.
Linux User#226477

Post by trooper82 » Tue Aug 31, 2004 2:29 am

Great tip, thanks!
The band is just fantastic
That's really what I think
Oh, by the way, which one's PINK?

Post by JoeG » Tue Aug 31, 2004 2:49 am

null perspiration, chummer :wink:
Linux User#226477

Post by riksta » Tue Aug 31, 2004 9:10 am

Hey

slight error

/opt/f-prot-check-updates.pl

is

/opt/f-prot/check-updates.pl


Rick :D

Post by JoeG » Tue Aug 31, 2004 11:49 am

Thx, Riksta. Typo demon hell. It's edited now. :lol:
Linux User#226477

Post by DavidMCS » Tue Aug 31, 2004 1:37 pm

You may want to consider adding -auto to your command line options if you're going to do this in a cron job as user confirmation is required with -disinf
--
David-

Post by JoeG » Tue Aug 31, 2004 10:44 pm

Great idea, David. It's fixed...see above
Linux User#226477

Post by fourhead » Wed Dec 01, 2004 1:20 pm

Hi, great tip. Do you know if there's a way to integrate f-prot with Samba like you can do it with ClamAV (via a vfs module)?

Tom

Post by -Rick- » Wed Dec 01, 2004 2:42 pm

Hey, just a question: is the scanning faster than ClamAV? If I scan everything with ClamAV it takes 6+ hours....
Cube bots
Nixstaller - Easy creatable installers for *nix

Post by SaFrOuT » Thu Dec 02, 2004 1:26 am

Sorry for the question, but do I really need an antivirus for my Gentoo?

I don't have anything except Gentoo on my machine, although I have a FAT32 partition.

Do I still need f-prot???

[1] DFI NF4-Ultra
[2] Opteron 165 @ 2.5Ghz
[3] Palit X800Pro ( trying to change it for a 7600GT )
[4] G.Skill 2GB ZX @ DDR500 3-3-3-8
[5] SkyHAwk 620watt

Post by JoeG » Fri Jan 07, 2005 6:04 pm

-Rick- wrote:
> Hey, just a question: is the scanning faster than ClamAV? If I scan everything with ClamAV it takes 6+ hours....

Hard to say. Kinda depends on how many files you have in your filesystems, the size of the files...etc. On my system, f-prot runs in about 80 min's and I've used about 72GB of my space across 5 partitions.

Regards,

JoeG
Last edited by JoeG on Fri Jan 07, 2005 6:09 pm, edited 1 time in total.
Linux User#226477

Post by JoeG » Fri Jan 07, 2005 6:08 pm

SaFrOuT wrote:
> Sorry for the question, but do I really need an antivirus for my Gentoo?
>
> I don't have anything except Gentoo on my machine, although I have a FAT32 partition.
>
> Do I still need f-prot???

Not quite sure what you're asking. IMHO, you always need some type of A/V on a computer. F-Prot isn't the only option, but it's the one I like. ClamAV seems to integrate more tightly into SaMBa.
Just like any OS, as far as A/V goes, get it...update it...run it...constantly.

Regards,

JoeG
Linux User#226477

Post by bravecobra » Mon Jan 10, 2005 1:44 pm

f-prot has a -report=<report_name> option
Brave Cobra
http://www.bravecobra.com

Post by JoeG » Mon Jan 10, 2005 3:15 pm

bravecobra wrote:
> f-prot has a -report=<report_name> option

Yup, it sure enough does, but it accomplishes the same thing we're after here...a logfile. One problem that I've found with my approach here, though, is the size of the logfiles. A scan of my home directory alone yields a >9MB text file. If anyone can figure out an easy way to rotate old logfiles out to conserve space, I'll include it in this script, crediting the author ;). Also, I'm working on getting the script to email root with the results only. The logfile itself can be checked later, if a red flag pops up in the tail.

'Gards

JoeG
Linux User#226477

Post by bravecobra » Tue Jan 11, 2005 8:29 am

Just add it to logrotate.d
Anyway ever tried to run it on a system that has amavis emerged? That comes with sample viruses and mailbombs. Now for some reason, f-prot fails to recognize the mailbomb and starts unpacking the content which leaves it in a sort of almost endless loop. Kinda deadly when your script is automated.
Brave Cobra
http://www.bravecobra.com
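
The two problems raised in the posts above (reports that pile up, and a scan that never finishes once f-prot starts unpacking a mailbomb) can both be bounded in the cron script itself. This is an added example, not code from the thread or from f-prot: it runs the thread's f-prot command under a time limit and a lock, and prunes reports by age rather than with logrotate because the script writes a new $DAY.log every day. SCAN_LIMIT, KEEP_DAYS, the lock path, the --run switch and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): guard rails around the nightly scan.
# SCAN_LIMIT, KEEP_DAYS, LOCKDIR and all function names are assumptions.
LOGDIR=${LOGDIR:-$HOME/f-prot}
LOCKDIR=${LOCKDIR:-/var/run/fprotscan.lock}  # root-only dir, not world-writable /tmp
SCAN_LIMIT=${SCAN_LIMIT:-4h}                 # longest a scan may run
KEEP_DAYS=${KEEP_DAYS:-14}                   # reports older than this are deleted

# Run a command under a hard time limit (coreutils timeout).
# Returns the command's own status, 124 if the limit was hit,
# or 137 if it ignored SIGTERM and had to be killed 30 s later.
run_bounded() {
    limit=$1; shift
    timeout -k 30 "$limit" "$@"
}

# Run a command only if no earlier run still holds the lock.
# mkdir is atomic, so two cron runs cannot both get it. Returns 75 if busy.
# A lock left behind by a crash or power loss must be removed by hand.
with_lock() {
    lock=$1; shift
    if ! mkdir "$lock" 2>/dev/null; then
        echo "fprotscan: $lock exists, previous scan still running; skipping" >&2
        return 75
    fi
    st=0
    "$@" || st=$?
    rmdir "$lock"
    return "$st"
}

# Delete *.log reports directly inside one directory that are older than N days.
prune_reports() {
    find "$1" -maxdepth 1 -type f -name '*.log' -mtime +"$2" -delete
}

scan_main() {
    mkdir -p "$LOGDIR" && cd "$LOGDIR" || return 1
    day=$(date +%Y%b%d)
    rc=0
    with_lock "$LOCKDIR" run_bounded "$SCAN_LIMIT" \
        /opt/f-prot/f-prot -auto -disinf -list -report="$day.log" -append / || rc=$?
    # cron mails anything written to stderr to the crontab owner.
    if [ "$rc" -eq 124 ] || [ "$rc" -eq 137 ]; then
        echo "fprotscan: scan stopped after $SCAN_LIMIT, see $LOGDIR/$day.log" >&2
    fi
    prune_reports "$LOGDIR" "$KEEP_DAYS"
    return "$rc"
}

# Only scan when asked to, e.g. from cron: 30 3 * * * /usr/sbin/fprotscan --run
if [ "${1:-}" = "--run" ]; then
    scan_main
fi
```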

Post by JoeG » Tue Jan 11, 2005 9:47 am

bravecobra wrote:
> Just add it to logrotate.d
> Now for some reason, f-prot fails to recognize the mailbomb and starts unpacking the content which leaves it in a sort of almost endless loop. Kinda deadly when your script is automated.

Fails to recognize any mailbombs? The only shortcoming that I've seen is that it can't disinfect gzipped tarballs...of course, YMMV. Agreed tho, that automating can lead to unexpected results. That's why I'm asking for feedback, to improve my script for everyone's benefit. Thanks for the heads-up!

JoeG
Linux User#226477

Updated Script


Post by amanoj » Thu Jan 13, 2005 8:07 am

Kudos to JoeG for the script. Just saved me an hour to have to create one myself. Per your request... here is my feedback!

Shell Script works fine for me, but I made a few modifications:
  • Changed the check-update.pl command to include the -cron -quiet options. (Which do work outside of CRON.)

    #Next, let's make sure that we're up-to-date
    /opt/f-prot/check-updates.pl -cron -quiet

  • Updated the F-Prot command with the -report and -append options. * Removed Tail to STDOUT *

    /opt/f-prot/f-prot -auto -disinf -list -report=$LOGDIR/$DAY.log -append /

Just my .02! I will work on STDERR outputs from f-prot & the perl script... but the script works great for my laptop & 2 servers. Next project... script to integrate F-prot with Postfix for mail scanning. Good Job!

Post by JoeG » Thu Jan 13, 2005 11:11 am

That's what I like! :D Someone starts a little something nice...people help improve it...next thing ya know, it all works pretty damn well! bravecobra recommended the -report option instead of what I was originally doing the other day.


The big thing to watch out for is that the log files can get quite large rather quickly. Gonna hafta take his advice on logrotate. The tail was pretty useless from a cron job as well ;). Losing it is probably a good idea. This is how open source is s'posed to work, Baby!

Thanks for all the advice, guys.

JoeG

P.S. I've been up for over 24 hrs again, the last 18 of it doing an "upgrade" of a network to Windows. As a result, I'm just a bit slap-happy. Not to mention a little balder from the hair yanking.

P.S.S. Oh! Just one thing, amanoj. You're already in $LOGDIR, so maybe

Code:

    -report=$DAY.log

instead. I already updated the script at the top of the page, so new folks won't hafta take the original and hack like we did. They just get the end result. 8)
Linux User#226477

Post by amanoj » Sat Jan 15, 2005 8:06 am

JoeG wrote:
> That's what I like! :D Someone starts a little something nice...people help improve it...next thing ya know, it all works pretty damn well! bravecobra recommended the -report option instead of what I was originally doing the other day.
>
> The big thing to watch out for is that the log files can get quite large rather quickly. Gonna hafta take his advice on logrotate. The tail was pretty useless from a cron job as well ;). Losing it is probably a good idea. This is how open source is s'posed to work, Baby!
>
> Thanks for all the advice, guys.
>
> JoeG
>
> P.S. I've been up for over 24 hrs again, the last 18 of it doing an "upgrade" of a network to Windows. As a result, I'm just a bit slap-happy. Not to mention a little balder from the hair yanking.
>
> P.S.S. Oh! Just one thing, amanoj. You're already in $LOGDIR, so maybe
>
> Code:
>
>     -report=$DAY.log
>
> instead. I already updated the script at the top of the page, so new folks won't hafta take the original and hack like we did. They just get the end result. 8)

Sounds Good to Me! We just keep working on the script and make it better! Like Hannibal from A-Team said, "I love it when a plan comes together!!" (Showing my Age!) :lol:

Amanoj

Post by JoeG » Sat Jan 15, 2005 8:33 am

amanoj wrote:
> Like Hannibal from A-Team said, "I love it when a plan comes together!!" (Showing my Age!) :lol:
>
> Amanoj

Or like B.A. said "I ain't gettin' on no PLANE, Hannibal!" 8) I'm from that era, too.

JoeG
Linux User#226477

Post by Master One » Sat Jan 15, 2005 2:06 pm

That f-prot protection sounds interesting, but I am not sure, if I understand the purpose right.

f-prot is scanning for such nasty executables, which are of no use in the Linux world, and only dangerous for machines running Windows.

Usually it makes more sense to install a good antivirus on all Windows machines or under windows on dualboot (I wouldn't use WinXP without Norton Antivirus at all).

If you have a Linux server, you wouldn't need f-prot, because you surely have no dualboot with Windows on a server. Concerning samba and mailserver-protection, you surely would use an antivirus solution, that integrates better with these services.

If you have a Linux workstation, why bother with an antivirus solution, if the usual executable files are of no harm to such a system. And concerning a workstation, most people probably will not have such a machine run 24/7, so using cron would probably not lead to automatic scans at all.

At the moment I have 3 Linux-servers and 1 Linux-notebook (with dualboot) on my local lan (and trying to convert the other 3 Windows-workstations to pure Linux-workstations as well). On all Windows-machines, Norton Antivirus is installed. I am curious now, if I should install f-prot on the 3 servers and the linux-dualboot-notebook (as well as on the other workstations, after they have been converted to Linux).
The mental tortures of the CIA

Post by JoeG » Sun Jan 16, 2005 9:05 am

Master One wrote:
> Concerning samba and mailserver-protection, you surely would use an antivirus solution, that integrates better with these services.

Excellent point.

Master One wrote:
> If you have a Linux workstation, why bother with an antivirus solution, if the usual executable files are of no harm to such a system.

Try this. Besides, I originally posted here to show people an easy way to get AV protection installed, updated, and run on schedule.

Like it or no, viruses do exist for Linux and for services that run on Linux. Granted, the damage can be limited on your workstation or server (i.e. by User or Process privilege level), but IMHO you have a responsibility to the rest of the Internet community to make sure that you are at least not helping to spread viruses that can infect their Windows machines. If you prefer another AV solution, then by all means, use that. ClamAV is a very nice piece of software, for example. But you really should be running something.

Please, please, don't take this as a flame. I just don't want people to assume that if their computer running Linux is not vulnerable to 99% of viruses in the wild, that they cannot be infected or infect others. It's kinda like keeping a condom on your bits ;).

Regards,

JoeG
Linux User#226477

Post by Master One » Sun Jan 16, 2005 3:51 pm

Thanks for the feedback, JoeG.

Any idea, how to automate the use of f-prot on a normal workstation / notebook, that's not running 24/7?

The cron idea does not fit for such a machine.

What about running the scan on every boot?

I have no idea, how long such a scan needs on a normal Gentoo workstation installation, and what happens, if I shutdown the machine before the scan is completed.
The mental tortures of the CIA

Post by JoeG » Mon Jan 17, 2005 1:05 am

Master One wrote:
> Any idea, how to automate the use of f-prot on a normal workstation / notebook, that's not running 24/7?
>
> The cron idea does not fit for such a machine.
>
> What about running the scan on every boot?

Well, it would be easy enough to create an init script and add it to your default runlevel, but then your computer is going to take a long time to boot up. 8O

If you're wanting to scan files as they download, I'm afraid (with f-prot at least) that we're out of luck. We'll have to scan after the download is complete, AFAIK. Anyone who knows differently, PLEASE let us know! :( According to their support page:

> BUGS
> We have received a request for the ability to scan stdin. This is actually rather difficult, as the engine design requires that the size of any scannable object is known before starting a scan.


I'm considering writing a mini-HOWTO for using ClamAV due to several factors:
  1. I'm trying to be fair :D
  2. ClamAV seems to integrate more smoothly with services
  3. ClamAV can be run as a daemon (Well, so can f-prot, but you need file or mail server version)
  4. ClamAV is GPL. 'Nuff said.

Ideas, Folks?

JoeG
Linux User#226477

Thanks


Post by Irvinion » Thu Jan 20, 2005 8:00 pm

I used your methods because I was looking for an anti-virus for noobs type thingy being new to both linux and gentoo. One small thing I noted that could have come from a version bump of f-prot, for the 4.5.3 version, the check updates file is check-updates.pl so:

Code:

    /opt/f-prot/check-updates.pl

Otherwise, thank you very much :wink: