
Friday, December 16, 2011

ClamFS - Antivirus Filesystem for Linux

Disclaimer: Flying through Linux and OpenSource. You might experience Freedom along with plenty of awesomeness.

Linux has never failed to amaze me with its simplicity and its feature richness. That was one of the few reasons that convinced me to switch to Linux as the primary operating system on my computers. One such feature is the ability to mount virtual filesystems in userspace using the FUSE module. With FUSE enabled, a FUSE-based filesystem can expose custom data stores, which may be traditional or non-traditional file systems, or programs that offer filesystem-like interaction. You can then interact with these userspace filesystems as though they were any other filesystem: depending on the FUSE module, you can browse folders and create, modify, and delete data as though they were regular files on your computer.

Two of the many real-world applications of FUSE are in the following areas:
  1. Antivirus filesystems - Create virtual filesystems that trigger antivirus scanning whenever files within them are written to or read from.
  2. Encrypted filesystems - Create virtual filesystems that automatically encrypt files on write operations and decrypt them on reads.
In this article, I'll introduce ClamFS, which lets you create a virtual antivirus filesystem on top of your existing filesystem.

ClamFS triggers automatic scanning of files with ClamAV whenever I/O is performed on them. The best candidate for ClamFS is the default downloads folder, where your Internet browser saves the files it downloads. Ideally you would start with an empty Downloads folder; however, ClamFS also allows you to secure folders that already have contents in them.

ClamFS can easily be installed from your Linux distribution's package manager; just search for clamfs. For each virtual antivirus filesystem that you'd like to create, you will need an XML configuration file. The configuration file lets you define the following:
  1. Which folder to secure and where to mount the virtual filesystem
  2. The maximum file size to scan - to increase performance
  3. Whitelist extensions - files with these extensions will never be scanned
  4. Blacklist extensions - files with these extensions will always be scanned, regardless of the maximum file size parameter
  5. Logging method - standard out, syslog, file, or email
If you attempt to download or write an infected file to the ClamFS virtual filesystem, an error entry is logged and the file is not written to your filesystem. If an infected file already exists on the ClamFS virtual filesystem, you will not be allowed to read from it.

Here is an example configuration: clamfs.xml
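The linked clamfs.xml did not survive here, so what follows is an added example configuration of my own (not the post's file) that covers the five settings listed above. Element and attribute names follow the ClamFS documentation as I remember it, so check them against the clamfs version you install; the paths and extension lists are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the post's clamfs.xml. Element and attribute names
     are from memory of the ClamFS docs; verify against your installed version. -->
<clamfs>
    <!-- Unix socket of the clamd daemon that ClamFS hands files to
         (Ubuntu's default path). check="yes" makes clamfs verify that
         clamd is reachable at startup instead of failing on first access. -->
    <clamd socket="/var/run/clamav/clamd.ctl" check="yes" />

    <!-- 1. Folder to secure (root) and where the scanned view is mounted
            (mountpoint). Paths are assumptions: the real Downloads folder
            is renamed and the mountpoint takes its place, so the browser
            keeps saving to the same location. nonempty="yes" allows
            mounting over a folder that already has files, as the post notes. -->
    <filesystem root="/home/user/.Downloads.real"
                mountpoint="/home/user/Downloads"
                public="yes" nonempty="yes" readonly="no" />

    <!-- 2. Maximum file size to scan; larger files are passed through
            unscanned unless their extension is blacklisted below. -->
    <file maximal-size="10M" />

    <!-- 3. Whitelist: never scanned. Matching is by extension only, so a
            whitelisted extension is simply trusted; keep this list short
            and limited to large files that are slow to scan. -->
    <whitelist>
        <exclude extension="iso" />
    </whitelist>

    <!-- 4. Blacklist: always scanned regardless of maximal-size. pdf and
            swf are listed because, as the companion post explains,
            malware is now packaged in those formats too. -->
    <blacklist>
        <include extension="exe" />
        <include extension="dll" />
        <include extension="pdf" />
        <include extension="swf" />
    </blacklist>

    <!-- 5. Logging: method is stdout, syslog or file (with a filename=
            attribute); mail notification is configured with a separate
            <mail> element. syslog keeps detections with the system logs
            where monitoring tools can pick them up. -->
    <log method="syslog" verbose="no" />
</clamfs>
```

After mounting, a quick check that the configuration is active is to copy a harmless test file such as EICAR.COM into the mountpoint and confirm that the write is refused and a detection line appears in syslog.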

The command to enable a ClamFS-protected virtual filesystem is:

$ sudo clamfs configuration.xml

You can find more information about ClamFS and its configuration XML on the project's website.



ClamAV - Antivirus for Linux

In today's digital world, where access to electronic content is so convenient that it is almost taken for granted, there is a constant threat of malware infection.
While Linux computers are much less likely to be infected by malware transmitted through files shared via removable media or over the Internet, it is certainly not impossible. And while you yourself may not be too concerned about getting your computer infected by an infected file, you may unknowingly put the non-Linux users with whom you share files at risk. These could be your family, friends, colleagues, etc.

There are a few steps that one can take to prevent and minimize getting and spreading such infections, and the most common one happens to be installing antivirus software. Many antivirus software vendors today offer paid as well as free versions for Linux computers. When I was a Windows user, one of the first things I did after (re)installing the operating system on my computer was to install an antivirus on it. I hated using antivirus, especially the real-time scan features, since they slowed my computer, negatively affecting the overall experience. Ever since I made the switch to Linux a few years ago I've not had that problem, and I've gotten used to using my computers without any antivirus software installed. I changed my mind a few weeks ago when I realized that malware was no longer restricted to the standard executable files. Malware authors are now exploiting vulnerabilities in popular software like Adobe PDF Reader and Flash Player etc. and packaging malware in pdf, swf, and other files. While Linux users should still be relatively safe from such infections, non-Linux users, especially Windows users, are not. Therefore, in order to stop the malware from spreading out from your computer, it is essential that it be detected there first.

ClamAV is a popular open source antivirus that has been around for many years. Its website describes it as follows:
ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats. It is the de facto standard for mail gateway scanning. It provides a high performance multi-threaded scanning daemon, command line utilities for on demand file scanning, and an intelligent tool for automatic signature updates.
It is available in many popular Linux distributions. On Ubuntu, it can be installed using the Software Center or any package manager; just search for clamav. You will also need to install the virus definitions updater for ClamAV, which is known as freshclam. Keep in mind that ClamAV does not install a graphical user interface; once you've installed clamav and freshclam, they are only usable from the command line shell. There are, however, a few GUI tools available that can be used with clamav, and one such tool is ClamTk, which can also be installed from the software manager. Once installed, ClamTk allows you to scan files and directories using clamav. It also allows you to configure clamav using its Advanced -> Preferences menu entry.

If you are wondering what that "Last infected file" was, I used a test virus file, EICAR.COM, that is readily available over the Internet and can be used to test whether the antivirus is in fact scanning and detecting infected files.

While you can use clamav from the command line as well as from the ClamTk GUI, most modern graphical Linux distributions also let you add an entry to the right-click context menu to scan a file or folder with ClamAV. Here is a screenshot from my laptop, which runs Kubuntu 11.10, showing the context menu entry.

While no antivirus software will make your computer 100% safe and secure, it will certainly help. ClamAV is the antivirus of choice for most Linux server administrators and computer users. At the end of the day, however, it boils down to how responsible and cautious you yourself are. I hope you found this article helpful.

This article is part of the series ClamAV - Antivirus for Linux:
ClamAV - Antivirus for Linux
ClamFS - Antivirus Filesystem for Linux