PCI-DSS 3.1 Requirement 5 states the following:
Protect all systems against malware and regularly update anti-virus software or programs.
There are commercial based solutions out there for Linux based systems, but costs can become an issue, especially for small companies with a small footprint within their card holder data environment (CDE). So can one satify this requirement without breaking the bank? I personally prefer ClamAV.
Taken from the projects website, ClamAV is an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats.
1. I want to scan my entire system nightly.
2. All virus reports are emailed to me so I can archive them for a year offsite.
3. Have the antivirus definitions updated nightly before the scan.
Installing, running and maintaining ClamAV is very straight forward on Linux based systems. To get started, install ClamAV by:
# CentOS 6 / RedHat 6 [[email protected] ~]# rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm [[email protected] ~]# yum install clamav mailx # CentOS 7 / RedHat 7 [[email protected] ~]# rpm -ivh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm [[email protected] ~]# yum install clamav clamav-update mailx [[email protected] ~]# sed -i '/^Example/d' /etc/freshclam.conf # Ubuntu 12.04 / Ubuntu 14.04 [[email protected] ~]# apt-get update [[email protected] ~]# apt-get install clamav mailutils
Now update the virus definitions by running:
[[email protected] ~]# freshclam
Finally, configure the virus definitions to update nightly, and also scan the entire system and email a report:
[[email protected] ~]# crontab -e 00 2 * * * /usr/bin/freshclam 00 3 * * * /usr/bin/clamscan -r -i / | mail -s "ClamAV Report : INSERT_SERVER_HOSTNAME_HERE" [email protected]
Posted below is an example report ClamAV would send me via email nightly:
----------- SCAN SUMMARY ----------- Known viruses: 4289299 Engine version: 0.99 Scanned directories: 51929 Scanned files: 808848 Infected files: 0 Total errors: 10982 Data scanned: 76910.89 MB Data read: 83578.27 MB (ratio 0.92:1) Time: 6641.424 sec (110 m 41 s)
How does one go about testing ClamAV to ensure its working? There is a known antivirus test file that was designed specifically for this purpose by www.eicar.org. To create this file, simply setup the following test file, then rerun your ClamAV scan:
[[email protected] ~]# vim /tmp/EICAR-AV-Test ... X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* ...