“The man of science has learned to believe in justification, not by faith, but by verification.”
― Thomas Henry Huxley
So it's tax season and many people are rushing to download their latest tax and accounting software to fire up in a Windows VM. The issue is: are there viruses or malware secretly bundled with those packages that could leak your most sensitive information? Without looking up statistics via CERT, the chances are pretty high, and the question becomes how you can remediate that risk. So to get started, fire up your Linux machine (CentOS is my favorite) and make sure your software folder is accessible from the command line.
So now let's install ClamAV if you don't already have it installed. Here's their link for a more detailed description of what they offer.
For those who just want to fire it up, here's a one-line command to paste into a CentOS/RedHat/Fedora distro:
yum -y install epel-release; yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd; sed -i '/^Example$/d' /etc/freshclam.conf; sed -i '/^Example$/d' /etc/clamd.d/scan.conf; sed -i -e 's/#LocalSocket \/var\/run\/clamd.scan\/clamd.sock/LocalSocket \/var\/run\/clamd.scan\/clamd.sock/g' /etc/clamd.d/scan.conf; sed -i '/REMOVE ME/d' /etc/sysconfig/freshclam; systemctl enable clamd@scan; freshclam; systemctl start clamd@scan; systemctl status clamd@scan;
If everything is OK, after several minutes the output should end something like this.
If you want to take a more detailed look at each step, here you go:
Install EPEL repo:
EPEL can be installed from the CentOS Extras repository, which is enabled by default, with the following command.
yum -y install epel-release
In case the epel-release package is not available for any reason, it can be installed from the Webtatic or Fedora servers with the following commands.
rpm -Uvh https://mirror.webtatic.com/yum/el7/epel-release.rpm
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Install ClamAV packages:
Once EPEL is installed, the ClamAV packages can be installed with the following command.
yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
Once all necessary packages have been installed, the freshclam.conf file needs to be edited for ClamAV updates to work.
Correct freshclam.conf file:
A default installation will return the following error when the freshclam command is run, because the file is marked as an example config file.
# freshclam
ERROR: Please edit the example config file /etc/freshclam.conf
ERROR: Can't open/parse the config file /etc/freshclam.conf
The error is caused by the following section of the freshclam.conf configuration file.
## Example config file for freshclam
## Please read the freshclam.conf(5) manual before editing this file.
##
# Comment or remove the line below.
Example
As specified in the file, the last line in this snippet (the bare "Example") needs to be removed or commented out for the freshclam command to work.
The line can be removed with the following command.
sed -i '/^Example$/d' /etc/freshclam.conf
Enable automatic Updates:
By default the freshclam cron job is disabled, and the last line (FRESHCLAM_DELAY=disabled-warn, together with its REMOVE ME comments) needs to be removed or commented out from /etc/sysconfig/freshclam for automatic updates to run.
[root@test ~]# cat /etc/sysconfig/freshclam
## When changing the periodicity of freshclam runs in the crontab,
## this value must be adjusted also. Its value is the timespan between
## two subsequent freshclam runs in minutes. E.g. for the default
##
## | 0 */3 * * * ...
##
## crontab line, the value is 180 (minutes).
# FRESHCLAM_MOD=

## A predefined value for the delay in seconds. By default, the value is
## calculated by the 'hostid' program. This predefined value guarantees
## constant timespans of 3 hours between two subsequent freshclam runs.
##
## This option accepts two special values:
## 'disabled-warn' ... disables the automatic freshclam update and
## gives out a warning
## 'disabled' ... disables the automatic freshclam silently
# FRESHCLAM_DELAY=

### !!!!! REMOVE ME !!!!!!
### REMOVE ME: By default, the freshclam update is disabled to avoid
### REMOVE ME: network access without prior activation
FRESHCLAM_DELAY=disabled-warn # REMOVE ME
[root@test ~]#
The lines can be removed with the following command.
sed -i '/REMOVE ME/d' /etc/sysconfig/freshclam
Correct scan.conf file:
The same needs to be done for the scan.conf file.
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##
# Comment or remove the line below.
Example
The following command removes the line from the scan.conf file.
sed -i '/^Example$/d' /etc/clamd.d/scan.conf
We also need to define the socket file.
If we try to run clamd now, the following error is returned.
[root@test ~]# clamd -c /etc/clamd.d/scan.conf
ERROR: Please define server type (local and/or TCP).
[root@test ~]#
Checking the scan.conf file, we see the LocalSocket line is commented out.
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
#LocalSocket /var/run/clamd.scan/clamd.sock
The comment marker can be removed with the following command.
sed -i -e 's/#LocalSocket \/var\/run\/clamd.scan\/clamd.sock/LocalSocket \/var\/run\/clamd.scan\/clamd.sock/g' /etc/clamd.d/scan.conf
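The three config edits from the steps above (dropping the bare "Example" marker, removing the REMOVE ME block from /etc/sysconfig/freshclam, and uncommenting LocalSocket in scan.conf) as functions that take a file path, followed by checks that confirm each edit actually landed. This is an added example, not code from the post or from the ClamAV project. The sample files are constructed copies of the snippets shown above, written to a scratch directory so running the script as-is touches nothing under /etc; the function names and the scratch directory are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post or from ClamAV): the post's three
# config edits as functions that take a file path, plus checks that each edit
# actually landed. Sample files below are constructed copies of the snippets
# shown in the post, written to a scratch directory so /etc is never touched.

WORK="${TMPDIR:-/tmp}/clamav-conf-demo.$$"
mkdir -p "$WORK"

# Edit 1: drop the bare "Example" marker that makes freshclam/clamd refuse the file.
drop_example_line() { sed -i '/^Example$/d' "$1"; }

# Edit 2: drop the "REMOVE ME" block. This also deletes the
# "FRESHCLAM_DELAY=disabled-warn # REMOVE ME" line, which is what actually
# re-enables the freshclam cron job.
drop_remove_me_lines() { sed -i '/REMOVE ME/d' "$1"; }

# Edit 3: uncomment LocalSocket so clamd has a server type ("|" as the sed
# delimiter avoids escaping every slash in the path).
enable_local_socket() {
    sed -i 's|^#LocalSocket /var/run/clamd.scan/clamd.sock|LocalSocket /var/run/clamd.scan/clamd.sock|' "$1"
}

# Checks: return 0 only when no blocking line remains / the socket is active.
conf_is_ready() {
    ! grep -q '^Example$' "$1" && ! grep -q 'REMOVE ME' "$1"
}
socket_is_enabled() { grep -q '^LocalSocket ' "$1"; }

# Constructed copies of the three snippets from the post.
cat >"$WORK/freshclam.conf" <<'EOF'
## Example config file for freshclam
## Please read the freshclam.conf(5) manual before editing this file.
##
# Comment or remove the line below.
Example
EOF
cat >"$WORK/scan.conf" <<'EOF'
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##
# Comment or remove the line below.
Example
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
#LocalSocket /var/run/clamd.scan/clamd.sock
EOF
cat >"$WORK/freshclam.sysconfig" <<'EOF'
# FRESHCLAM_DELAY=
### !!!!! REMOVE ME !!!!!!
### REMOVE ME: By default, the freshclam update is disabled to avoid
### REMOVE ME: network access without prior activation
FRESHCLAM_DELAY=disabled-warn # REMOVE ME
EOF

# Apply all three edits to a directory of config copies. On the real system
# the files are /etc/freshclam.conf, /etc/clamd.d/scan.conf and
# /etc/sysconfig/freshclam.
fix_all() {
    drop_example_line "$1/freshclam.conf"
    drop_example_line "$1/scan.conf"
    enable_local_socket "$1/scan.conf"
    drop_remove_me_lines "$1/freshclam.sysconfig"
}

# Run every check; exit status 0 means all edits landed.
verify_all() {
    conf_is_ready "$1/freshclam.conf" &&
    conf_is_ready "$1/scan.conf" &&
    socket_is_enabled "$1/scan.conf" &&
    conf_is_ready "$1/freshclam.sysconfig"
}

fix_all "$WORK"
if verify_all "$WORK"; then
    echo "config ready: $WORK"
else
    echo "config NOT ready: $WORK"
fi
```

Running verify_all against the real paths after the one-liner from the top of the post is a quick way to catch a sed that silently matched nothing (for example when a newer package ships a slightly different LocalSocket line), which is the usual reason clamd@scan then fails to start.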
So now that you're up and running, it's time to scan the folder where your tax files live.
To check all files on the computer, but only display infected files and ring a bell when one is found:
clamscan -r --bell -i /
Your final output should look like this:
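The scan step as a small wrapper, added here as an example and not taken from the post or from ClamAV: it scans a chosen folder (the tax-software folder rather than the whole disk, which is both what you care about and much faster), keeps the log, and turns clamscan's documented exit status (0 clean, 1 infected, 2 error) and its "Infected files:" summary line into a verdict a script can check rather than relying on the bell. The real scan only runs when clamscan is installed and the folder exists; the sample summaries are constructed so the parsing functions can be exercised with no scanner present. Function names, the hypothetical ~/taxsoft path and the log location are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from ClamAV): a scan wrapper that
# decides clean/infected from clamscan's exit status and saved summary instead
# of the bell. The sample summaries below are constructed for offline use.

# clamscan exit status: 0 = no threat found, 1 = threat found, 2 = error
# (for example an unreadable path). Map it to a one-word verdict.
clam_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Print N from the "Infected files: N" line of a saved clamscan summary.
infected_count() {
    sed -n 's/^Infected files: \([0-9][0-9]*\).*/\1/p' "$1"
}

# Return 0 when the saved summary reports zero infected files.
log_is_clean() {
    [ "$(infected_count "$1")" = "0" ]
}

# Scan one directory recursively, list only infected files, keep the log.
# Returns clamscan's own exit status so the caller can use clam_verdict.
scan_dir() {
    clamscan -r -i --log="$2" "$1" >/dev/null 2>&1
}

# Constructed sample summaries shaped like the tail of clamscan output.
SAMPLE_DIR="${TMPDIR:-/tmp}/clamscan-demo.$$"
mkdir -p "$SAMPLE_DIR"
cat >"$SAMPLE_DIR/clean.log" <<'EOF'
----------- SCAN SUMMARY -----------
Known viruses: 8000000
Scanned directories: 3
Scanned files: 42
Infected files: 0
Data scanned: 120.00 MB
Time: 12.500 sec (0 m 12 s)
EOF
cat >"$SAMPLE_DIR/infected.log" <<'EOF'
/home/user/taxsoft/setup.exe: Constructed.Sample.Signature FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8000000
Scanned directories: 3
Scanned files: 42
Infected files: 1
Data scanned: 120.00 MB
Time: 12.500 sec (0 m 12 s)
EOF

# Real run, only when the scanner is present. Scans the tax-software folder
# (hypothetical path; override with the first argument) and keeps a dated log.
TARGET="${1:-$HOME/taxsoft}"
LOG="$HOME/clamscan-$(date +%F).log"
if command -v clamscan >/dev/null 2>&1 && [ -d "$TARGET" ]; then
    if scan_dir "$TARGET" "$LOG"; then rc=0; else rc=$?; fi
    echo "verdict: $(clam_verdict "$rc") (infected files: $(infected_count "$LOG"))"
fi
```

Two things worth doing before trusting a "clean" verdict: run freshclam first so the signature database is current, and confirm the scanner is actually detecting by placing the standard EICAR test file in a scratch folder and checking that scan_dir on it returns 1. A scan that exits 2 is an error, not a pass, and the log will say which path could not be read.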
Once it's verified to be virus-free, fire up your virtual Windows machine, copy the desired folder into it, and get going.
Talk to you soon. PS: there have been a bunch of AI-related questions coming in to my inbox, so look out for a video response to those soon, as it's too much to write for now.