How to trigger virus scan on-the-fly with ClamFS on Ubuntu

To scan files on the fly, ClamAV requires a separate module which is ClamFS. How to install ClamAV, please read my previous tutorial.

ClamFS is a FUSE-based user-space file system for Linux with on-access anti-virus file scanning through clamd daemon.

Features

• User-space file system (no kernel patches, recompilation, etc.)
• Configuration stored in XML files
• FUSE (and libfuse) used as file system back-end
• Scan files using ClamAV
• ScanCache (LRU with time-based and out-of-memory expiration) speeds up file access
• Sends mail to administrator when detecting the virus

ClamFS is completely user-space anti-virus solution for Linux. It uses the libfuse and Linux kernel module to provide a file system. ClamAV is used as an anti-virus scanner.

Normally program (or library) uses glibc open() call to obtain file descriptor. Glibc calls kernel VFS to open file regardless of file system used. If file is on ClamFS file system open call from VFS is directed to user-space by FUSE. ClamFS calls libfuse to communicate with FUSE and through it with VFS.

Internals

ClamFS is split into four parts:

• libfuse bindings — used to communicate with FUSE (and with VFS through it),
• ScanCache — store (per file) results of anti-virus scanning to speed up future open() requests
• ScanQueue — queue files for scanning
• clamd / libclamav bindings — communicate with anti-virus scanner

Simplified flow chart for ClamFS:

Install the ClamFS module.

sudo apt–get install clamfs fuse

mkdir /etc/clamfs
chmod 777 /etc/clamfs
gunzip -c /usr/share/doc/clamfs/clamfs-sample.xml.gz > /etc/clamfs/config.xml
nano /clamfs/config.xml

In config.xml, replace:

<filesystem root=”/tmp” mountpoint=”/clamfs/tmp” public=”yes” />

with:

<filesystem root=”/your/target/dir” mountpoint=”/clamfs/secure” public=”yes” />

For example, you can protect the Downloads folder by updating the configuration file. In config.xml, replace:

<filesystem root=”/home/username/Downloads” mountpoint=”/clamfs/secure” public=”yes” />

Run the ClamFS process.

clamfs /etc/clamfs/config.xml

Now, this folder is scanned by ClamAV antivirus.