Thursday, September 29, 2011

Linux Anti-Virus: Klamav

For a number of reasons, I reinstalled openSUSE 11.4 Linux, which then meant reinstalling all the apps, including clamav, the popular anti-virus scanner for Linux.

This time I discovered klamav, a KDE GUI front end for the underlying clamav command line interface (CLI). (There is also a Gnome GUI, but I haven't used it yet.)

klamav is a true pleasure. Very well thought out and complete, as far as it goes.

And it goes quite a way.

Use it to:
  • Schedule virus scans on any number of directories, recursively or not: it presents a simple tree of the directories. To scan recursively, tick the recursive check box and then tick a directory in the tree; all of its children are checked automatically.
  • Conduct a scan immediately: simply click Scan.
And much more.

Of course, it has a few problems:
  • It offers only two email programs for dynamic scanning of messages as they arrive: kmail and Evolution. I searched; there was a Thunderbird ("T-bird") add-on that supposedly solved this, but it has disappeared as of Thunderbird 7.0. That doesn't really matter, as you can scan manually or on a schedule, as noted above. And frankly, dynamic scanning is an exercise in paranoia for most Linux users...
  • It tags and (with your permission) quarantines the entire subdirectory containing a suspect file. It does this by default when it finds something it doesn't understand, such as binaries or encrypted files. This is not a problem unless you do a lot of encrypted-PDF and binary transfers by email, which you shouldn't be doing anyhow: use HTTP, FTP, BitTorrent, or whatever else, not email. Even then, it has a way cool "check it out" feature: once the files/messages are quarantined, you can right-click to have their "problem" checked out online (I found the Google link the most helpful), and then restore them with one click.

Most of the problems were of the "not understood" variety. I did find one file that possibly had a real virus, and deleted it.
But it would be nice if the author were to enable quarantining just the single offending file (rather than the entire subdirectory) and include Thunderbird in the list of supported email clients, or else post on the website what it would take to create a filter to do so...

So very well done, and well recommended. Infinitely better and easier than struggling at the CLI.
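For anyone who does want to do the same two things from the shell (the scheduled recursive scan from the first list, and the single-file quarantine asked for above), here is an added example script. It is not code from this post, nor from the clamav or klamav projects. The whole-subdirectory quarantine is a klamav behaviour, not an engine limit: clamscan's --move option moves only the files that matched a signature and leaves the rest of the directory alone. The script assumes clamscan is on PATH and freshclam has already updated the signature database; the quarantine and log paths, the sample report, and the crontab line are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from the clamav/klamav
# projects. Scans directories with clamscan (recursively if asked) and
# quarantines only the files that match a signature.
#
# Assumptions (not from the post): clamscan is on PATH, freshclam has
# updated the signature database, and the paths below are writable.

QUARANTINE="${QUARANTINE:-$HOME/quarantine}"
LOGFILE="${LOGFILE:-$HOME/clamscan.log}"

# Map clamscan's exit status to a word: 0 nothing matched, 1 something
# matched, 2 an error occurred (unreadable file, missing database, ...).
exit_meaning() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Pull the "Infected files: N" count out of a clamscan report read on
# stdin; prints 0 when the summary block is absent.
infected_count() {
    n=$(sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p')
    echo "${n:-0}"
}

# List the paths clamscan flagged, i.e. lines "<path>: <signature> FOUND".
found_files() {
    sed -n 's/: [^:]* FOUND$//p'
}

# Scan directories, recursively when $1 is "yes". Only matching files are
# moved into $QUARANTINE (clamscan --move); every other file stays where
# it is. Usage: scan_dirs yes "$HOME/Downloads" "$HOME/Mail"
scan_dirs() {
    recursive="$1"; shift
    mkdir -p "$QUARANTINE"
    if [ "$recursive" = "yes" ]; then
        clamscan --recursive --infected --move="$QUARANTINE" --log="$LOGFILE" "$@"
    else
        clamscan --infected --move="$QUARANTINE" --log="$LOGFILE" "$@"
    fi
    status=$?
    echo "clamscan result: $(exit_meaning "$status")"
    return "$status"
}

# Drop the standard EICAR test string into a directory to confirm that a
# scan quarantines that one file and leaves its neighbours in place.
make_eicar_file() {
    printf '%s\n' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$1/eicar.com"
}

# Constructed sample of a clamscan report (not output from the post's
# machine), used to exercise the parsing helpers offline.
SAMPLE_REPORT='/home/me/Downloads/eicar.com: Eicar-Test-Signature FOUND
/home/me/Downloads/notes.txt: OK

----------- SCAN SUMMARY -----------
Known viruses: 1000000
Scanned directories: 1
Scanned files: 2
Infected files: 1'

# To schedule the scan (the post's first wish-list item), add a crontab
# entry such as (placeholder path and time):
#   0 3 * * * /path/to/this/script.sh yes "$HOME/Downloads" "$HOME/Mail"
# The scan only runs when the script is invoked with yes/no as $1.
if [ "${1:-}" = "yes" ] || [ "${1:-}" = "no" ]; then
    scan_dirs "$@"
fi
```

After a run, `found_files < "$LOGFILE"` lists exactly which files went to the quarantine directory, and a quarantined file can be inspected and moved back by hand, which is the "check it out" and restore step done without the GUI.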