ClamAV ScanOnAccess

ClamAV 0.99 supports scan on access, through clamav-daemon (clamd),  Below are instructions for setting this up with Lubuntu 16.04.

1) apt-get install clamav-daemon

2) apt-get install libnotify-bin
   (we will use notify-send to send alerts to the desktop)

3) edit /etc/clamav/clamd.confUser root

ScanOnAccess true
OnAccessPrevention yes
OnAccessIncludePath /home/user/Downloads
VirusEvent VirusEvent export DISPLAY=:0; /usr/bin/notify-send –icon=error “CLAMD VIRUS ALERT:” “$CLAM_VIRUSEVENT_VIRUSNAME FOUND IN $CLAM_VIRUSEVENT_FILENAME” 4) Configure Apparmor:# The default clamd apparmor profile won’t allow ScanOnAccess feature to load, so set to complain
sudo aa-complain usr.sbin.clamd
#We can mark a point in the apparmor log from where clamd profile can be checked
sudo aa-logprof -m $(date)
sudo service clamav-daemon restart
# Download and test here with the Eicar test virus, access should be prevented
# and a notify message should be sent to the desktop.
# If not successful check /var/log/clamav/clamav.log
# Next review the changes required to the apparmor clamd profile,
# add only those that are required:
sudo aa-logprof   
# Allow references to /bin/dash, /etc/machine-id, /usr/bin/dbus-launch
# Allow execute unconfined (ux) for /usr/bin/notify-send
# If required add these manually to /etc/apparmor.d/usr.sbin.clamd
# Return apparmor to enforce mode:
sudo aa-enforce /etc/apparmor.d/usr.sbin.clamd Test behaviour with Eicar again. Check logs and adjust as necessary.Once working you may add more directories with OnAccessIncludePath. Notes:

  1. I could not get to work using just /home or /home/user, so recommend just adding a list of specific sub-directories.
  2. When OnAccessPrevention is set to “yes”, this prevents clamscan from accessing the file. So if you do manual scans they may report no virus found if clamd has blocked access.
  3. For reference see: http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html