<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello</p>
<p>I got the following init clamonacc script from <span
class="author-a-z74zz87zdmz83zv8yz81zt99z88zyeg"> </span><span
class="author-a-z74zz87zdmz83zv8yz81zt99z88zyeg url"><a
href="https://www.chaddevops.com/2020/02/ubuntu-1804-installing-clamav-with.html"
rel="noreferrer noopener" class="moz-txt-link-freetext">https://www.chaddevops.com/2020/02/ubuntu-1804-installing-clamav-with.html</a><br>
</span></p>
<div aria-live="assertive" class="ace-line"><br>
</div>
<div aria-live="assertive" class="ace-line"><font face="monospace">#
/etc/systemd/system/clamonacc.service<br>
[Unit]<br>
Description=ClamAV On Access Scanner<br>
Requires=clamav-daemon.service<br>
After=clamav-daemon.service syslog.target network.target<br>
<br>
[Service]<br>
Type=simple<br>
User=root<br>
ExecStart=/usr/sbin/clamonacc -F --log=/var/log/clamav/clamonacc
--move=/root/quarantine<br>
Restart=on-failure<br>
RestartSec=120s<br>
<br>
[Install]<br>
WantedBy=multi-user.target</font></div>
<div aria-live="assertive" class="ace-line"><br>
</div>
<div aria-live="assertive" class="ace-line"> <br>
</div>
<div aria-live="assertive" class="ace-line">Added this to
/etc/clamav/clamd.conf:<br>
</div>
<div aria-live="assertive" class="ace-line"><br>
</div>
<div aria-live="assertive" class="ace-line"><font face="monospace">OnAccessMaxFileSize
5M<br>
OnAccessMountPath /home<br>
OnAccessIncludePath /home<br>
OnAccessExcludeUname root<br>
OnAccessPrevention true<br>
OnAccessExtraScanning false<br>
VirusEvent /etc/clamav/detected.sh<br>
OnAccessExcludeRootUID yes<br>
OnAccessRetryAttempts 3</font></div>
<div aria-live="assertive" class="ace-line"><br>
</div>
<div aria-live="assertive" class="ace-line">and did these <br>
</div>
<div aria-live="assertive" class="ace-line"><font face="monospace">mkdir
/root/quarantine</font></div>
<div aria-live="assertive" class="ace-line"><br>
</div>
<div aria-live="assertive" class="ace-line"><font face="monospace">added
/etc/clamav/detected.sh:<br>
</font><span style="font-family:monospace"><span
style="color:#000000;background-color:#ffffff;">#!/bin/bash
</span><br>
#/etc/clamav/detected.sh
<br>
#modify reply and to addresses
<br>
<br>
PATH=/usr/bin
<br>
alert="Signature detected: $CLAM_VIRUSEVENT_VIRUSNAME in
$CLAM_VIRUSEVENT_FILENAME"
<br>
<br>
logtail="$(tail -n 50 /var/log/clamav/clamav.log | tac)"
<br>
<br>
# send email
<br>
export HOME=/root
<br>
# values are passed as printf arguments so that % or \ in a file name is not interpreted
<br>
/usr/bin/printf 'Host: %s.\n%s\n\ntail -n 50 /var/log/clamav/clamav.log\n\n\n%s' "$HOSTNAME" "$alert" "$logtail" | /usr/bin/mailx -s "VIRUS ALERT - $HOSTNAME" -r REPLY@YOURDOMAIN.COM "ALERTS@YOURDOMAIN.COM"
<br>
<br>
# Send the alert to the systemd logger if it exists, otherwise to /var/log
<br>
if [[ -z $(command -v systemd-cat) ]]; then
<br>
echo "$(date) - $alert" >>
/var/log/clamav/detections.log
<br>
else
<br>
echo "$alert" | /usr/bin/systemd-cat -t clamav -p emerg
<br>
fi<br>
<br>
</span></div>
<div aria-live="assertive" class="ace-line"><span
style="font-family:monospace"><br>
</span></div>
<div aria-live="assertive" class="ace-line"><span
style="font-family:monospace"><br>
</span></div>
<div aria-live="assertive" class="ace-line">Note, we still have
AppArmor issues, so I disabled clamonacc for now.<br>
<span style="font-family:monospace"></span></div>
</body>
</html>