[clamav-users] Questions about ClamAV installers
Scott A. Wozny
sawozny at hotmail.com
Wed Aug 28 14:57:28 EDT 2019
Greetings, ClamAV Gurus! :)
I’m looking at installing Clam on my CentOS 7 servers and whenever I install anything new, I tend to look at both the product’s install documentation as well as resources online that show that install in practical use. This has brought up a few questions I’m hoping someone on this list can answer. Just to clarify, I understand that the ClamAV team doesn’t build packages for distros, but I’m hoping someone on the list has enough experience with the CentOS packages to help me understand the ecosystem a bit better. If I went to the CentOS list with this, I’m pretty sure they’d tell me to post here. :)
First, the documentation on the ClamAV site indicates that after the EPEL repository is configured, one does a sudo yum install clamav and proceed from there with configuration. However, most of the sites offering install tutorials recommend installing clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib AND clamav-server-systemd. The fact that they all do it in the same order makes me wonder if they all came up with this list independently or they’ve all copied from each other, but to me it begs the question of whether or not this is all necessary, particularly considering the official documentation is just to install ClamAV.
So, is there a list of the purpose of each of these packages somewhere? I couldn’t find it in the documentation. When I started looking at the packages, it looks like ClamAV contains all the major pieces (clamav, clamav-filesystem, clamav-lib, clamav-update, libtool-ltdl and pcre2) EXCEPT for clamd. The clamav-server package contains all the same packages except clamd rather than clamav. Neither package contains clamav-data, but maybe that’s because clamav-update’s purpose is to download fresh data and there’s no good reason to include the data package in a fresh install.
I guess my fundamental question is what does clamd do that clamav does not and vice versa? I suppose the “easiest” way to do this is to do a kitchen sink install like many sites suggest and go from there, but the security guy in me wants to avoid installing unneeded applications / services to minimize my attack surface. If it helps, my intent is to do both scheduled and on-access scanning so if that’s where clamd and clamav differ (which is the impression I’m getting from the documentation, but I’m not SUPER clear on it) do I need both?
And while on the topic of on-access scanning, I’m considering setting the OnAccessIncludePath to /home and /var. In people’s experience, is that too aggressive or not aggressive enough? I’m toying with /usr, /etc and /boot but I don’t know if I’d be shooting myself in the foot there. Or, like the documentation proposes and due to the fact that Linux viruses are much rarer, would I be better served going wider with my scans (perhaps all the way to /), but setting to notify-only so I don’t block the system up. I’m just seeking the benefit of other’s experience in use.
Beyond my specific practical considerations, I’m also curious about the other packages in this list. Clamav-scanner-systemd and clamav-server-systemd both seem to contain all the same packages as clamav-server so what is their purpose? Finally, I see clamav-devel contains a lot of other stuff that none of the other packages do. With a name like clamav-devel is that package specifically for the authoring of signatures? If so, is that something I want to only install on a development system for signature writing, rather than deploy it to all servers Clam will be protecting? Again, this is about minimizing software / attack surface.
And, what I hope is my last question, I see some documents refer to scan.conf and some refer to clamd.conf for engine configuration. Is one deprecated in favour of the other or do they both have current use.
Sorry this turned into a novel, but I’d appreciate any insights any of you may have.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the clamav-users