ClamAV Autoscan (Telegram and email alerts)

Daily virus and malware scan with ClamAV. This script sends notifications by Telegram and/or email when malware is detected.

This script is designed for and tested on Debian 9.

Installation

  • Install ClamAV and all its components:
sudo apt-get update && sudo apt-get install clamav clamav-docs clamav-daemon clamav-freshclam
  • Install additional packages so that ClamAV can also analyze compressed files:
sudo apt-get install arc arj bzip2 cabextract lzop nomarch p7zip pax tnef unrar-free unzip zoo
  • Install the sendmail package (to send notifications by email), curl package (to send notifications to Telegram) and cpulimit (so that the scan doesn’t consume all the CPU):
sudo apt-get install sendmail curl cpulimit

ClamAV configuration

  • Edit the /etc/clamav/freshclam.conf file and change the number of daily checks (replace 24 with 1):
sudo vi /etc/clamav/freshclam.conf
...
Checks 1
...
  • Restart the service:
sudo service clamav-freshclam restart

Install and configure the script

  • Place the script “clam_scan.sh” in the /root directory.

  • Edit the configuration variables (sudo vi /root/clam_scan.sh):

    • LOG_FILE: Name for the log files.
    • HOST_NAME: Name of the host.
    • CPU_LIMIT: Maximum percentage of CPU to be consumed by malware scanning.
    • MSG_SUBJECT: Subject of notifications when malware is detected.
    • MSG_INFO: Notification information when malware is detected. Some HTML tags (those allowed by Telegram) can be used.
    • EMAIL: Whether an email notification should be sent when malware is detected (true) or not (false).
    • EMAIL_FROM: Sender email address.
    • EMAIL_TO: Recipient email address.
    • TELEGRAM: Whether a malware notification should be sent to Telegram (true) or not (false).
    • TELEGRAM_TOKEN: Token of the Telegram bot used to send the notifications.
    • TELEGRAM_CHATID: ID of the Telegram chat to send the notifications to.
    • DIR_TO_SCAN: Directory or directories to scan. Several can be given, separated by a blank space.
  • Make the script executable:

chmod 0755 /root/clam_scan.sh
  • Create a cron job to run the script at the time you want:
crontab -e
00 03 * * * /root/clam_scan.sh
  • To verify that the script works correctly, run:
/root/clam_scan.sh
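
An added example, not part of the original script (clam_scan.sh itself is not reproduced on this page): one way the alert step could turn clamscan output into a Telegram message, escaping file names for the HTML formatting that MSG_INFO relies on. The sample log, host name, token and chat ID are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the original clam_scan.sh). Variable names follow the
# configuration list above; every value here is a constructed placeholder.
HOST_NAME="web01"
MSG_SUBJECT="Malware detected"
TELEGRAM_TOKEN="000000:PLACEHOLDER"
TELEGRAM_CHATID="0"

# Constructed clamscan output: one clean file, two detections, a summary.
sample_log() {
cat <<'EOF'
/var/www/index.php: OK
/var/www/up/<b>x</b>&.php: Eicar-Signature FOUND
/home/bob/eicar.com: Eicar-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
EOF
}

# Keep only detection lines, which have the form "<path>: <signature> FOUND".
infected_entries() { grep ' FOUND$' || true; }

# Escape the characters Telegram's HTML parse mode treats as markup, so a
# file name chosen by someone else cannot break or restyle the alert.
html_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the message from a log on stdin; prints nothing when the scan is clean.
build_alert() {
    hits=$(infected_entries | html_escape)
    [ -n "$hits" ] || return 0
    count=$(printf '%s\n' "$hits" | wc -l | tr -d ' ')
    printf '<b>%s</b> on %s (%s files)\n<pre>%s</pre>\n' \
        "$MSG_SUBJECT" "$HOST_NAME" "$count" "$hits"
}

# Send through the Bot API sendMessage method. The URL is fed to curl on
# stdin (-K -) so the bot token does not show up in the process list.
send_telegram() {
    printf 'url = "https://api.telegram.org/bot%s/sendMessage"\n' "$TELEGRAM_TOKEN" |
        curl -s --max-time 10 -K - \
            --data-urlencode "chat_id=${TELEGRAM_CHATID}" \
            --data-urlencode "parse_mode=HTML" \
            --data-urlencode "text=$1" >/dev/null
}

sample_log | build_alert   # prints the alert text; nothing is sent
```

To send for real, pass the output of build_alert to send_telegram only when it is non-empty.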
ryan
