HOWTO: On-access virus scanning on FC5 by Kevin Kofler This HOWTO describes how to enable on-access virus scanning with Clamuko (clamd and Dazuko, i.e. using only Free Software) on Fedora Core 5. It should also work on older Fedora releases. Unlike other methods to install Dazuko on Fedora, no kernel recompile is needed, only a compilation of a small module against the running kernel, thanks to patches developed by Sami Tikka and me. WARNINGS AND IMPORTANT NOTES: * Given the current malware landscape, on-access virus scanning is usually NOT NEEDED on GNU/Linux systems. So unless you're really paranoid, these instructions are useful only to protect directories shared with more vulnerable systems. * On-access scanning is a HUGE PERFORMANCE HOG, especially if you're watching the entire file system! While it doesn't go as far as making the system unusable, it does slow things down considerably, and some things like Konqueror context menus are REALLY SLOW. As usual, there is a tradeoff between performance and security. * Right now, the Dazuko patches mentioned below are ONLY FOR 32-BIT X86 systems. At least the execute hook needs porting for other architectures. * The procedure below should be run entirely as root. * Running clamd as root is a security risk! But it is required to support Dazuko on-access scanning ("For security reasons Dazuko will only operate with processes that are running as root."), so there's no other option. * These instructions are provided in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. The entire risk as to the quality and performance of these instructions is with you. Should the instructions prove defective, you assume the cost of all necessary servicing, repair or correction. IN NO EVENT unless required by applicable law will the author be liable to you for damages, including any general, special, incidental or consequential damages arising out of the use or inability to use the instructions (including but not limited to loss of data or data being rendered inaccurate or losses sustained by you or third parties or a failure of the instructions to operate with any other programs), even if the author has been advised of the possibility of such damages. Proceed AT YOUR OWN RISK. STEPS: 1. Obtain Dazuko 2.2.0 from http://www.dazuko.org/ 2. Obtain the FC5 patches from: https://savannah.nongnu.org/patch/?func=detailitem&item_id=4952 You need files #9648, #9751, #9760 and #9761. 3. Untar Dazuko: tar xvzf dazuko-2.2.0.tar.gz cd dazuko-2.2.0 4. Apply all 4 patches (in numerical order): patch -p1 <linux26_syscall_hook.patch patch dazuko_linux26_syscall.c <dazuko_linux26_syscall-fc5-fix.diff patch configure <dazuko-configure-unprotect.diff patch dazuko_linux26_syscall.c <dazuko_linux26_syscall-unprotect.diff 5. Install kernel-devel: yum install kernel-devel (NOTE: kernel-devel must match your running kernel.) 6. Configure Dazuko: ./configure --enable-syscalls 7. Compile Dazuko: make 8. Install Dazuko: make install 9. Install clamd: yum install clamav-server 10. Configure clamd: Create an /etc/clamd.conf and put this into it: LocalSocket clamuko ClamukoScanOnAccess ClamukoScanOnOpen ClamukoScanOnClose ClamukoScanOnExec ClamukoIncludePath / ClamukoExcludePath /dev ClamukoExcludePath /proc ClamukoExcludePath /sys (WARNING: Don't forget the exclude paths or you may lockup your system.) 11. Start Dazuko: modprobe dazuko 12. Start clamd: clamd (NOTE: Steps 11-12 need to be repeated after each reboot.) Don't forget to update your virus databases regularly (using the freshclam tool in the clamav-update package). Kevin Kofler