Clam Anti Virus on IBM iSeries using PASE

Introduction

Who should read this HOWTO

This HOWTO is intended for anyone interested in installing and using the free ClamAV anti virus scanner on an IBM iSeries.

Disclaimer

Use this document at your own risk - no liabilty for the contents can be accepted. This document is put together from my own experience with ClamAV, and while I believe it to be accurate I can't guarantee it will work on your system.

Also note that currently ClamAV at V5R2? is not that useful frown The change in format of the antivirus definitions between version 0.65 and 0.85 means the 0.65 clamscan binary can no longer read the virus definitions! It will run, but only with a very limited number of signatures (only 77 on the systems I've been able to test with). Clamav 0.85 works on V5R3?, though requires slightly different configuration - see below for details.

Another thing to point out is that the version of ClamAV currently available for AIX (0.85) lags behind that for other platforms (currently 0.86.2, was 0.86.1 when this HOWTO went online). There are some security related issues with 0.85, and if I'm able to track down (or build) a later version I'll add it here.

Prerequisites

  • V5R2? or higher of OS/400. This may work at an earlier release, but that has not been tested.
  • PASE - Licensed Program 5722SS1, Option 33: OS/400 - Portable App Solutions Environment.
  • Port 80 access to the internet from your iSeries or iSeries LPAR, and the ability to resolve domain names to IP addresses, if you wish to fetch antivirus signature updates direct from your iSeries.

Installation considerations and planning

  • All the PASE software from the Public Domain Software Library will install to /usr/local/ on your IFS. You will need write access to the /usr and /QOpenSys directories to perform the installation.
  • Software packages. These are compressed tar archives which you will need to unpack before installing. If you don't have software (gunzip) to uncompress a .Z file, then download the zipped gzip archive from the link at the end of this page. Once that is installed you can use it to unpackage all the other utilities. Download the AIX 5.1 binary version of each of these packages:
  • Place the packages in the root of the IFS using a suitable transfer routine (FTP, Windows Explorer, etc).
  • The gzip package should be uncompressed before the next stage, so it should show as gzip.1.2.4a.tar, not gzip.1.2.4a.tar.Z
  • ALERT! Note: I had problems using gzip on V5R3? that I haven't solved yet. I would recommend that you uncompress the downloaded files first, using gunzip on a Linux system, or get gzip for Windows at http://gnuwin32.sourceforge.net/packages/gzip.htm.

Installing ClamAV

  • Create the CLAMAV user profile (used for the owner of the updates process). CRTUSRPRF USRPRF(CLAMAV) PASSWORD(*NONE) INLMNU(*SIGNOFF) LMTCPB(*YES) TEXT('ClamAV anti virus database owner')
  • Enter the PASE shell: CALL PGM(QP2TERM?)
  • Create the /usr/local directory if it doesn't already exist: mkdir /QOpenSys/usr/local
  • Create a symbolic link to the local directory in the root '/' directory if not present: ln -s /QOpenSys/usr/local /usr/local
  • Change directory to the IFS root: cd /
  • V5R2? only:
    • Check the contents of the gzip archive, which should show that all files are under /usr/local : tar tf gzip.1.2.4a.tar
    • Unpack the gzip archive: tar xvf gzip.1.2.4a.tar
  • Check the contents of /usr/local: ls -lR /QOpenSys/usr/local/ (you need to use the real path here, not the symbolic link)
  • Check your executable path: echo $PATH ( something like /QOpenSys/usr/bin:/usr/ccs/bin:/QOpenSys/usr/bin/X11:/usr/sbin:.:/usr/bin)
  • Add /usr/local/bin to your path: PATH=/usr/local/bin:$PATH (you should get something like /usr/local/bin:/QOpenSys/usr/bin:/usr/ccs/bin:/QOpenSys/usr/bin/X11:/usr/sbin:.:/usr/bin)
  • Uncompress the remaining packages: gunzip unzip.5.51.tar.Z, gunzip textutils.2.1.tar.Z, gunzip curl.7.14.0.tar.Z and unzip clamav.0.65.tar.zip. For V5R3? you should already have done this on a Windows or Linux system.
  • Check the contents of each tar file with tar tf filename.tar as above
  • Unpack each tar file with tar xvf filename.tar

Post-installation steps

Configuring the applications

You will need to create configuration files for freshclam (the signature update process) and optionally clamscan (the scanning program).
  • Create the configuration directory if it doesn't already exist: mkdir /usr/local/etc
  • Create the log directory if it doesn't already exist: mkdir /usr/local/var and mkdir /usr/local/var/log
  • Create the virus definitions database directory, if not there: mkdir /usr/local/share/clamav
  • V5R2? only: Create the clamav config directory if not yet present: mkdir /usr/local/etc/clamav
  • Create the configuration files in QP2TERM? so that they are assigned the correct CCSID:
    • V5R2?: echo # > /usr/local/etc/clamav/clamav.conf and echo # > /usr/local/etc/clamav/freshclam.conf
    • V5R3?: echo # > /usr/local/etc/clamd.conf and echo # > /usr/local/etc/freshclam.conf
  • From the iSeries commandline (F21 from inside the PASE shell, QP2TERM?) edit the configuration file for freshclam:
    • V5R2?: EDTF STMF('/usr/local/etc/clamav/freshclam.conf')
    • V5R3?: EDTF STMF('/usr/local/etc/freshclam.conf')
  • Enter the following then save and exit EDTF:
DatabaseOwner clamav                      
UpdateLogFile /usr/local/var/log/freshclam.log
MaxAttempts 5                             
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.XY.clamav.net        # replace XY with your country code - http://www.iana.org/cctld/cctld-whois.htm
DatabaseMirror database.clamav.net
DatabaseDirectory /usr/local/share/clamav/       
                                          
# Check for new database 5 times a day    
Checks 5                                  
  • For clamscan, you can use this configuration, but it isn't always necessary, as you can specify commandline options:
    • V5R2?: EDTF STMF('/usr/local/etc/clamav/clamav.conf')
    • V5R3?: EDTF STMF('/usr/local/etc/clamd.conf')
User clamav                       
ScanMail                          
ScanArchive                       
ArchiveMaxRecursion 5             
ArchiveMaxFiles 1000              
ArchiveMaxFileSize 10M            
ArchiveMaxCompressionRatio 250    
ReadTimeout 180                   
MaxThreads 12                     
MaxConnectionQueueLength 15       
LogFile /usr/local/var/log/clamav.log
LogTime                           
LogFileMaxSize 0                  

Using ClamAV

You can use clamscan interactively through QP2TERM?, or in a PASE shell script via QP2SHELL?. In QP2TERM?, make sure /usr/local/bin is in your path and type: clamscan /usr/local/bin/ which will check the executables you have just installed. To do the same in a script type (from a commandline) EDTF STMF('/usr/local/bin/avscan_bin.sh') and type in, then save, the following:
#!/QOpenSys/usr/bin/sh                                                                     
PATH=/usr/local/bin:$PATH                                                                  
clamscan -r --max-space=20480 --unzip -i --log=/usr/local/var/log/clamscan.log /usr/local/bin
exit 0
The -r switch causes clamscan to recurse down through subdirectories. --max-space=20480 defines how many kilobytes to extract from each compressed archive (zips etc) to check, -i tells it to only list infected files, not everyone it checks, and --log should be self-evident wink To run this script: CALL PGM(QP2SHELL?) PARM('/usr/local/bin/avscan_bin.sh') Note that QP2SHELL? can take an additional parameter which lists arguments (parameters in iSeries parlance) for the script.

If you want to move or delete the infected files, rather than just report them, then use the --delete or --move=DIRECTORY arguments (where DIRECTORY is a directory the user running clamscan has write access to). For more details on the options for clamscan see the man(ual) page

To update the antivirus definitions - it isn't much use without them - run the freshclam program. In the PASE shell, with /usr/local/bin in your PATH, type freshclam You should see something like the following:
> freshclam                                                                      
  ClamAV update process started at Sat Jul 23 20:49:17 2005                      
  Reading CVD header (main.cvd): OK                                              
  main.cvd is up to date (version: 33, sigs: 36102, f-level: 5, builder: tkojm)  
  Reading CVD header (daily.cvd): OK                                             
  daily.cvd is up to date (version: 989, sigs: 832, f-level: 5, builder: ccordes)
  $                                                                              
From an iSeries commandline, you could do CALL PGM(QP2SHELL?) PARM('/usr/local/bin/freshclam') instead, which would bring up a terminal window with the same output as above. To schedule this, create a PASE script: EDTF STMF('/usr/local/bin/run_freshclam.sh')
#!/QOpenSys/usr/bin/sh                                                                     
PATH=/usr/local/bin:$PATH                                                                  
freshclam --log=/usr/local/var/log/freshclam.log
exit 0
Create a scheduled job entry to run that every day, or include it at the start of your scheduled clamscan of your IFS.

Removing ClamAV

All of the files in ClamAV, and in the other applications install to /usr/local, so you can just delete them from there. Remember that tar tf filename.tar lists the contents of each archive, so you know which files belong to which package.

-- MartinRowe - 19 Jul 2005

Topic attachments
I Attachment ActionSorted ascending Size Date Who Comment
clamav.0.65.tar.zipzip clamav.0.65.tar.zip manage 1716.3 K 01 Oct 2014 - 19:36 MartinRowe Clam AV for V5R2?
gzip.1.2.4a.tar.zipzip gzip.1.2.4a.tar.zip manage 67.6 K 01 Oct 2014 - 19:36 MartinRowe GZip in a zipped archive. Use Winzip or similar to unpack
Topic revision: r11 - 12 Aug 2005 - 07:12:43 - MartinRowe
 
This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding DBG/400? Send feedback