ClamAV 0.99 supports scan on access through clamav-daemon (clamd). Below are instructions for setting this up on Lubuntu 16.04.
1) apt-get install clamav-daemon
2) apt-get install libnotify-bin
(we will use notify-send to send alerts to the desktop)
3) edit /etc/clamav/clamd.conf
User root
…
ScanOnAccess true
OnAccessPrevention yes
OnAccessIncludePath /home/user/Downloads
VirusEvent export DISPLAY=:0; /usr/bin/notify-send --icon=error "CLAMD VIRUS ALERT:" "$CLAM_VIRUSEVENT_VIRUSNAME FOUND IN $CLAM_VIRUSEVENT_FILENAME"
4) Configure Apparmor:
# The default clamd apparmor profile won't allow the ScanOnAccess feature to load, so set it to complain mode
sudo aa-complain /etc/apparmor.d/usr.sbin.clamd
# We can mark a point in the apparmor log from which the clamd profile can be checked
sudo aa-logprof -m "$(date)"
sudo service clamav-daemon restart
# Download and test here with the Eicar test virus, access should be prevented
# and a notify message should be sent to the desktop.
# If not successful check /var/log/clamav/clamav.log
# Next review the changes required to the apparmor clamd profile,
# add only those that are required:
sudo aa-logprof
# Allow references to /bin/dash, /etc/machine-id, /usr/bin/dbus-launch
# Allow execute unconfined (ux) for /usr/bin/notify-send
# If required add these manually to /etc/apparmor.d/usr.sbin.clamd
# Return apparmor to enforce mode:
sudo aa-enforce /etc/apparmor.d/usr.sbin.clamd
Test behaviour with Eicar again. Check logs and adjust as necessary.
Once working you may add more directories with OnAccessIncludePath.
Notes:
- I could not get it to work using just /home or /home/user, so I recommend just adding a list of specific sub-directories.
- When OnAccessPrevention is set to “yes”, this prevents clamscan from accessing the file. So if you do manual scans they may report no virus found if clamd has blocked access.
- For reference see: http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html
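
To confirm the step 3 settings before restarting clamd, here is an added example (not part of the original post): a POSIX shell lint that reads a clamd.conf on stdin and flags missing on-access directives and the /home-level include paths that the notes above report as not working. The function names, messages and the lowercase-only boolean check are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint a clamd.conf (on stdin) for the on-access settings
# from step 3. Prints one line per finding and returns 1 if there are any.

# Value of directive $1 in $conf (last occurrence); comment lines never match.
last_value() {
    printf '%s\n' "$conf" | awk -v k="$1" '$1 == k { v = $2 } END { print v }'
}

# Values this check accepts as "on" (lowercase forms only: an assumption).
enabled() { case "$1" in yes|true|1) return 0 ;; *) return 1 ;; esac; }

check_onaccess_conf() {
    conf=$(cat); rc=0
    [ "$(last_value User)" = root ] || { echo "User is not root"; rc=1; }
    enabled "$(last_value ScanOnAccess)" ||
        { echo "ScanOnAccess is not enabled"; rc=1; }
    enabled "$(last_value OnAccessPrevention)" ||
        { echo "OnAccessPrevention is not enabled"; rc=1; }
    paths=$(printf '%s\n' "$conf" |
        awk '$1 == "OnAccessIncludePath" { print $2 }')
    [ -n "$paths" ] || { echo "no OnAccessIncludePath set"; rc=1; }
    # Per the notes above, /home or a whole home directory did not work
    # for the author, so flag those and accept deeper paths.
    while read -r p; do
        case "${p%/}" in
            /home/*/*) ;;
            /home|/home/*)
                echo "OnAccessIncludePath $p: list sub-directories instead"
                rc=1 ;;
        esac
    done <<EOF
$paths
EOF
    return "$rc"
}

# Constructed sample matching step 3 (not taken from a real system).
sample_conf() {
    printf '%s\n' 'User root' 'ScanOnAccess true' 'OnAccessPrevention yes' \
        'OnAccessIncludePath /home/user/Downloads'
}

# Lint the file given as $1, or the constructed sample when none is given.
if [ -n "${1:-}" ]; then check_onaccess_conf < "$1"
else sample_conf | check_onaccess_conf && echo "sample passes"; fi
```

Save it under any name and pass /etc/clamav/clamd.conf as the argument to lint the live configuration; include paths containing whitespace are not handled.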