Clam Anti Virus on IBM iSeries using PASE

Introduction

Who should read this HOWTO

This HOWTO is intended for anyone interested in installing and using the free ClamAV anti virus scanner on an IBM iSeries.

Disclaimer

Use this document at your own risk - no liability for the contents can be accepted. This document is put together from my own experience with ClamAV, and while I believe it to be accurate I can't guarantee it will work on your system.

Also note that ClamAV at V5R2 is currently not that useful. The change in format of the antivirus definitions between version 0.65 and 0.85 means the 0.65 clamscan binary can no longer read the current virus definitions: it will run, but with only a very limited number of signatures loaded (77 on the systems I've been able to test with). ClamAV 0.85 works on V5R3, though it requires slightly different configuration; see below for details.

Another thing to point out is that the version of ClamAV currently available for AIX (0.85) lags behind that for other platforms (currently 0.86.2; it was 0.86.1 when this HOWTO went online). There are some security-related issues with 0.85, and if I'm able to track down (or build) a later version I'll add it here.

Prerequisites

  • V5R2 or higher of OS/400. This may work at an earlier release, but that has not been tested.
  • PASE - Licensed Program 5722SS1, Option 33: OS/400 - Portable App Solutions Environment.
  • Port 80 access to the internet from your iSeries or iSeries LPAR, and the ability to resolve domain names to IP addresses, if you wish to fetch antivirus signature updates direct from your iSeries.

Installation considerations and planning

  • All the PASE software from the Public Domain Software Library will install to /usr/local/ on your IFS. You will need write access to the /usr and /QOpenSys directories to perform the installation.
  • Software packages. These are compressed tar archives (.tar.Z) which you will need to uncompress and unpack before installing. If you don't have software (gunzip) to uncompress a .Z file, download the zipped gzip archive from the link at the end of this page; once that is installed you can use it to unpackage all the other utilities. Download the AIX 5.1 binary version of each of these packages:
  • Place the packages in the root of the IFS using a suitable transfer routine (FTP, Windows Explorer, etc).
  • The gzip package should be uncompressed before the next stage, so it should show as gzip.1.2.4a.tar, not gzip.1.2.4a.tar.Z
  • Note: I had problems using gzip on V5R3 that I haven't solved yet. I would recommend that you uncompress the downloaded files first, using gunzip on a Linux system, or get gzip for Windows at http://gnuwin32.sourceforge.net/packages/gzip.htm.

Installing ClamAV

  • Create the CLAMAV user profile (used for the owner of the updates process). CRTUSRPRF USRPRF(CLAMAV) PASSWORD(*NONE) INLMNU(*SIGNOFF) LMTCPB(*YES) TEXT('ClamAV anti virus database owner')
  • Enter the PASE shell: CALL PGM(QP2TERM)
  • Create the /usr/local directory if it doesn't already exist: mkdir /QOpenSys/usr/local
  • Create a symbolic link to the local directory in the root '/' directory if not present: ln -s /QOpenSys/usr/local /usr/local
  • Change directory to the IFS root: cd /
  • V5R2 only:
    • Check the contents of the gzip archive, which should show that all files are under /usr/local : tar tf gzip.1.2.4a.tar
    • Unpack the gzip archive: tar xvf gzip.1.2.4a.tar
  • Check the contents of /usr/local: ls -lR /QOpenSys/usr/local/ (you need to use the real path here, not the symbolic link)
  • Check your executable path: echo $PATH (something like /QOpenSys/usr/bin:/usr/ccs/bin:/QOpenSys/usr/bin/X11:/usr/sbin:.:/usr/bin). Note that this default includes the current directory (.), so a command typed in QP2TERM can resolve to a file in whatever directory you happen to be in; the next step puts /usr/local/bin ahead of it so the newly installed binaries are found first.
  • Add /usr/local/bin to your path: PATH=/usr/local/bin:$PATH (you should get something like /usr/local/bin:/QOpenSys/usr/bin:/usr/ccs/bin:/QOpenSys/usr/bin/X11:/usr/sbin:.:/usr/bin)
  • Uncompress the remaining packages: gunzip unzip.5.51.tar.Z, gunzip textutils.2.1.tar.Z and gunzip curl.7.14.0.tar.Z. The ClamAV package is a zip file; if unzip is not already available in your PASE environment, unpack the unzip tar first (tar xvf unzip.5.51.tar) and then run unzip clamav.0.65.tar.zip. For V5R3 you should already have done the uncompressing on a Windows or Linux system.
  • Check the contents of each tar file with tar tf filename.tar as above
  • Unpack each tar file with tar xvf filename.tar
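The tar tf checks in the steps above are worth automating, because tar xvf from the IFS root, run by a profile that can write to /usr and /QOpenSys, puts files wherever the archive's member names say. The following script is an added example and not part of the original HOWTO or of any of the packages: it lists each archive and refuses any whose members are absolute, contain .., or fall outside usr/local. The script name vet_package.sh is an assumption.

```shell
#!/QOpenSys/usr/bin/sh
# Added example (not part of the original HOWTO): vet a package archive before
# running "tar xvf" from the IFS root. Everything in these PASE packages is
# expected to land under usr/local, so any member name that is absolute, climbs
# with "..", or points elsewhere is a reason not to extract it, especially when
# the profile doing the install can write to /usr and /QOpenSys.
# Assumes the archives have been placed in / as described above.

# Read member names on stdin (one per line, as "tar tf" prints them),
# report every offender, and return 1 if there was at least one.
check_member_paths() {
  bad=0
  while IFS= read -r name; do
    rel=${name#./}          # "./usr/local/x" and "usr/local/x" are the same place
    case "$rel" in
      /*)                    echo "absolute path: $name";              bad=1 ;;
      ..|../*|*/..|*/../*)   echo "parent-directory reference: $name"; bad=1 ;;
      usr/local|usr/local/*) ;;     # the expected install location
      *)                     echo "outside usr/local: $name";          bad=1 ;;
    esac
  done
  return $bad
}

# List an uncompressed .tar and vet it. "tar tf" does not show symlink targets;
# use "tar tvf" to eyeball those as well before extracting as a powerful profile.
archive_paths_ok() {
  tar tf "$1" | check_member_paths
}

# Usage: vet_package.sh gzip.1.2.4a.tar unzip.5.51.tar ...
# Stops at the first archive that fails, so the following "tar xvf" is never reached.
if [ $# -gt 0 ]; then
  for archive in "$@"; do
    if archive_paths_ok "$archive"; then
      echo "$archive: all members under usr/local, safe to extract from /"
    else
      echo "$archive: refusing to extract"
      exit 1
    fi
  done
fi
```

Run it from / before the tar xvf step, e.g. vet_package.sh gzip.1.2.4a.tar unzip.5.51.tar. Since tar tf does not show where symbolic links point, use tar tvf for a final look at those.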

Post-installation steps

Configuring the applications

You will need to create configuration files for freshclam (the signature update process) and optionally clamscan (the scanning program).
  • Create the configuration directory if it doesn't already exist: mkdir /usr/local/etc
  • Create the log directory if it doesn't already exist: mkdir /usr/local/var and mkdir /usr/local/var/log
  • Create the virus definitions database directory, if not there: mkdir /usr/local/share/clamav. Whichever profile freshclam ends up running as must be able to write to this directory and to /usr/local/var/log, otherwise the downloaded .cvd files cannot be saved; if that is the CLAMAV profile, chown clamav /usr/local/share/clamav /usr/local/var/log from the PASE shell takes care of it.
  • V5R2 only: Create the clamav config directory if not yet present: mkdir /usr/local/etc/clamav
  • Create the configuration files in QP2TERM so that they are assigned the correct CCSID. Quote the # so the shell writes it into the file instead of treating the rest of the line as a comment (an unquoted echo # > file just prints an empty line and creates nothing):
    • V5R2: echo '#' > /usr/local/etc/clamav/clamav.conf and echo '#' > /usr/local/etc/clamav/freshclam.conf
    • V5R3: echo '#' > /usr/local/etc/clamd.conf and echo '#' > /usr/local/etc/freshclam.conf
  • From the iSeries command line (F21 from inside the PASE shell, QP2TERM) edit the configuration file for freshclam:
    • V5R2: EDTF STMF('/usr/local/etc/clamav/freshclam.conf')
    • V5R3: EDTF STMF('/usr/local/etc/freshclam.conf')
  • Enter the following then save and exit EDTF:
DatabaseOwner clamav
UpdateLogFile /usr/local/var/log/freshclam.log
MaxAttempts 5
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.XY.clamav.net        # replace XY with your country code - http://www.iana.org/cctld/cctld-whois.htm
DatabaseMirror database.clamav.net
DatabaseDirectory /usr/local/share/clamav/

# Check for new database 5 times a day
Checks 5
  • For clamscan you can use the following configuration, but it isn't always necessary, as you can specify command-line options instead:
    • V5R2: EDTF STMF('/usr/local/etc/clamav/clamav.conf')
    • V5R3: EDTF STMF('/usr/local/etc/clamd.conf')
User clamav
ScanMail
ScanArchive
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ArchiveMaxFileSize 10M
ArchiveMaxCompressionRatio 250
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogFile /usr/local/var/log/clamav.log
LogTime
LogFileMaxSize 0

Using ClamAV

You can use clamscan interactively through QP2TERM, or in a PASE shell script via QP2SHELL. In QP2TERM, make sure /usr/local/bin is in your path and type clamscan /usr/local/bin/, which will check the executables you have just installed. To do the same in a script, type (from a command line) EDTF STMF('/usr/local/bin/avscan_bin.sh') and enter, then save, the following:
#!/QOpenSys/usr/bin/sh                                                                     
PATH=/usr/local/bin:$PATH                                                                  
clamscan -r --max-space=20480 --unzip -i --log=/usr/local/var/log/clamscan.log /usr/local/bin
exit 0
The -r switch causes clamscan to recurse down through subdirectories. --max-space=20480 defines how many kilobytes to extract from each compressed archive (zips etc.) to check, -i tells it to list only infected files rather than every file it checks, and --log should be self-evident. Note that the final exit 0 throws away clamscan's own exit status (0 when nothing was found, 1 when something was, another value when the scan itself failed); end the script with exit $? instead if you want the job to show a failure when something is found. To run this script: CALL PGM(QP2SHELL) PARM('/usr/local/bin/avscan_bin.sh'). Note that QP2SHELL can take additional parameters, which are passed as arguments (parameters in iSeries parlance) to the script.

If you want to move or delete the infected files, rather than just report them, then use the --delete or --move=DIRECTORY arguments (where DIRECTORY is a directory the user running clamscan has write access to). For more details on the options for clamscan see the man(ual) page
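As an added example (not code from the HOWTO author or from the ClamAV project), here is a scan wrapper that keeps clamscan's exit status and adds a self-test using the standard EICAR test string, so you can confirm that the binary you installed actually detects something with the signatures it has loaded. It uses the same clamscan options as avscan_bin.sh above; the script name avscan.sh and the CLAMSCAN and LOG variables are assumptions of this example.

```shell
#!/QOpenSys/usr/bin/sh
# Added example (not part of the original HOWTO): a scan wrapper that keeps
# clamscan's exit status instead of ending with "exit 0", plus a self-test that
# scans the EICAR test string to prove the installed scanner and its signatures
# detect something. Assumes the layout set up above (clamscan in /usr/local/bin,
# logs in /usr/local/var/log); CLAMSCAN and LOG are assumptions of this script,
# added so it can be pointed elsewhere.
PATH=/usr/local/bin:$PATH
export PATH
CLAMSCAN=${CLAMSCAN:-clamscan}
LOG=${LOG:-/usr/local/var/log/clamscan.log}

# clamscan exits 0 when nothing was found, 1 when something was, and with
# another value when the scan itself failed (bad option, no database, ...).
scan_result() {
  case "$1" in
    0) echo clean ;;
    1) echo infected ;;
    *) echo error ;;
  esac
}

# Scan one directory with the options used in the HOWTO and return clamscan's status.
scan_dir() {
  "$CLAMSCAN" -r --max-space=20480 --unzip -i --log="$LOG" "$1"
  rc=$?
  echo "clamscan of $1: $(scan_result "$rc") (rc=$rc)"
  return "$rc"
}

# Write the standard EICAR test file (68 characters, harmless, reported by
# ClamAV as Eicar-Test-Signature). The single quotes keep the shell away from
# the $, !, \ and % characters it contains.
write_eicar() {
  printf '%s\n' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$1"
}

# Put the EICAR file in a scratch directory, scan it, and insist on "infected".
# A "clean" result here means the scanner ran without a working signature set;
# compare the "Known viruses" line of clamscan's summary.
self_check() {
  dir=${TMPDIR:-/tmp}/clamav_selftest.$$
  mkdir "$dir" || return 2
  write_eicar "$dir/eicar.com"
  scan_dir "$dir"
  rc=$?
  rm -rf "$dir"
  if [ "$rc" -eq 1 ]; then
    echo "self-test passed: EICAR detected"
    return 0
  fi
  echo "self-test FAILED: EICAR not flagged (rc=$rc)"
  return 1
}

# Usage: avscan.sh selftest        or        avscan.sh /some/ifs/directory
# Exits with the scan's own status, so a scheduled job can tell the outcomes apart.
if [ $# -gt 0 ]; then
  case "$1" in
    selftest) self_check ;;
    *)        scan_dir "$1" ;;
  esac
  exit $?
fi
```

CALL PGM(QP2SHELL) PARM('/usr/local/bin/avscan.sh' 'selftest') runs the self-test, and CALL PGM(QP2SHELL) PARM('/usr/local/bin/avscan.sh' '/home') scans a directory and ends with clamscan's status. To quarantine rather than report, add the --move=DIRECTORY option from the previous paragraph to the clamscan line in scan_dir.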

To update the antivirus definitions (it isn't much use without them) run the freshclam program. In the PASE shell, with /usr/local/bin in your PATH, type freshclam. You should see something like the following:
> freshclam
  ClamAV update process started at Sat Jul 23 20:49:17 2005
  Reading CVD header (main.cvd): OK
  main.cvd is up to date (version: 33, sigs: 36102, f-level: 5, builder: tkojm)
  Reading CVD header (daily.cvd): OK
  daily.cvd is up to date (version: 989, sigs: 832, f-level: 5, builder: ccordes)
  $
From an iSeries command line, you could do CALL PGM(QP2SHELL) PARM('/usr/local/bin/freshclam') instead, which brings up a terminal window with the same output as above. To schedule this, create a PASE script: EDTF STMF('/usr/local/bin/run_freshclam.sh')
#!/QOpenSys/usr/bin/sh                                                                     
PATH=/usr/local/bin:$PATH                                                                  
freshclam --log=/usr/local/var/log/freshclam.log
exit 0
Create a job schedule entry (ADDJOBSCDE with CMD(CALL PGM(QP2SHELL) PARM('/usr/local/bin/run_freshclam.sh'))) to run that every day, or include it at the start of your scheduled clamscan of your IFS.

Removing ClamAV

All of the files in ClamAV and in the other applications install to /usr/local, so you can just delete them from there; tar tf filename.tar lists the contents of each archive, so you know which files belong to which package. Remove the CLAMAV user profile (DLTUSRPRF) and any job schedule entry you created as well.

-- MartinRowe - 19 Jul 2005

Topic attachments
  • clamav.0.65.tar.zip (1716.3 K, 01 Oct 2014 - 19:36, MartinRowe): Clam AV for V5R2
  • gzip.1.2.4a.tar.zip (67.6 K, 01 Oct 2014 - 19:36, MartinRowe): GZip in a zipped archive. Use Winzip or similar to unpack
Topic revision: r11 - 12 Aug 2005 - 07:12:43 - MartinRowe