I'm writing this because I found not obvious to make ClamAV work on my Moodle 3.11 installation running on Ubuntu 20.04. I hope this could be useful to others.
Then, keep in mind that the virus database is loaded every time you run the /usr/bin/clamscan command, and loading it may take several seconds.
You can work around this problem running the clamav-daemon, that loads the database once and keeps it in RAM, and then use the /usr/bin/clamdscan to runscans querying the daemon.
Because of default security policies of Ubuntu, you need also to change a few things (Apparmor and ACLs) on your server to allow ClamAV to scan files uploaded by the web server.
According to documentation you may also run a scan though Unix domain socket, but I couldn't figure out how to make it work, so ended up using "Command line" as "Running method" for ClamAV.
To do on the server:
- First, install required packages:
$ sudo apt install clamav clamdscan clamav-daemon apparmor-utils
- Configure freshclam to keep your virus database updated:
$ sudo dpkg-reconfigure clamav-freshclam
- Add clamav user to the www-data group, so it can read and write files created by the web server:
$ sudo usermod -a -G www-data clamav
- Disable Apparmor profile for clamd command and reload profiles:
$ sudo aa-disable /usr/sbin/clamd
$ sudo service apparmor reload
- Set ACLs to clamav user can read, write and access the contents of /tmp sub dirs:
$ sudo setfacl -Rdm clamav:rwx /tmp
- Lastly, enable and start clamav-daemon service
$ sudo systemctl enable clamav-daemon
$ sudo systemctl start clamav-daemon
To do in Moodle:
- Visit Site administration > Plugins > Antivirus plugins and enable "ClamAV Antivirus"
- Click on Settings and set:
- Running method: Command line
- Command line: /usr/bin/clamdscan
- On ClamAV failure: set it according to my need - I set it to "Refuse upload, try again"
To test your setup:
- Try to upload a regular file, for example from the "Private files" page, it should work as expected.
- Then download the eicar.com Anti Malware Testfile from https://www.eicar.org/?page_id=3950 (it's a harmless file used to test antivirus tools) and try to upload it.
This time you should get an error like "eicar.com has been scanned by a virus checker and found to be infected!" - ClamAV works! 😀
I found it very useful to keep an eye on logs, looking at a terminal running sudo journalctl -f.
For example, when I tried to set up Unix domain socket method I saw messages like this:
clamd: Sat May 29 12:38:46 2021 -> ^File path check failure on: /tmp/phpFmIQN0
Furthermore, when I tried to run clamdscan using Command line method before doing steps 3., 4. and 5. I got messages like:
audit: AVC apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/clamd" name="tmp/phpidtNEv" pid=16989 comm="clamd" requested_mask="r" denied_mask="r" fsuid=111 ouid=33
kernel: audit: type=1400 audit(1622286181.885:67): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/clamd" name="tmp/phpidtNEv" pid=16989 comm="clamd" requested_mask="r" denied_mask="r" fsuid=111 ouid=33
clamd: Sat May 29 13:03:01 2021 -> fd: Not a regular file. ERROR