Can anyone explain clamav to me?

I hate to ask these questions on the FreeBSD forums, but I can't find any answers on the clamav webpages. I've searched their wiki's and their FAQ's, and both gloss over the details of clamav and are written with the assumption that you already know about the details of how to setup and configure clamav. I digress however.

Here's my problem:

I have a FreeBSD 9.0 file server. It is really simple - samba shares for internal file storage, sshd for remote access and external filesharing. No other network services (and I would like to keep it that way). The machines connected to the server are almost exclusively Windows. What I want is to have this fileserver periodically scan the user directories for files containing viruses. Not only would it put the extra CPU cycles to good use, but it would also provide an additional layer of defense to the network against accidentally introduced infections.

Here's my question(s):

I installed clamav and have clamd and freshclam running in the background. Now what? Some of the basic questions I have, which I cannot find answers to on clamav's website, are:

1. What is the difference between clamd and clamscan? The best answer I can find is that clamd runs in the background and clamscan is for onetime scans. But I need a little more than that (e.g. what does clamd do when it runs in the background).
2. When clamd runs, is it continuously scanning files on the machine in the background?
3. If clamd is not continuously scanning files on the machine, what do I need to do to have it do so?
4. If clamd is incapable of continuously scanning files on the machine in the background, what is the purpose of running it?
5. My "backup solution" is to schedule a cronjob that kicks off a clamscan process each night. To me, this is the least elegant solution because it seems like something a daemon should be doing. If I have to, I will do this though.

Thoughts? Help?

Thanks in advance.

The manual page for clamd states:

The daemon listens for incoming connections on Unix and/or TCP socket and scans files or directories on demand. It reads the configuration from /etc/clamd.conf

Click to expand...

think of clamd as the butler waiting for any kind of instruction, then executing it per your commands or pre-set standard rules (clamd.conf). For example - take out the trash every night at 21:00.

So then what's the difference between clam and clamd, I hear you say. Something has to call the clam program into action - that is a daemon or in windows parlance a tsr (terminate & stay resident).

Now the more complicated part: Recall that clamd listens on a socket - it's own socket and not EVERY socket! That means, each service using its proper socket (pop, imap, hhtp:80) has to contact the daemon to call for scanning in the event real-time scanning is wanted. Here you can see why real-time scanning is so complex and really not worth the server resources. Therefore, if you wanted real-time mail scanning, you would have to have a linker in the mail program that called the daemon butler, and instruct it to scan the newly received mails. So here I hope I have answered your Q1.

2/a/b. No and see above.
3. Ask yourself where is the contamination coming from? Web pages? Not many viruses there, that risk are better handled by ad-blockers, privacy tools (privoxy is great).

Your risk is on the e-mail side and that which has not been cleaned-out from the existing workstations with hdd's.
a. Place your real-time scan on mail services on your gateway. You should have a configurable fire-walled gateway by now with privacy filters in place. Then you can ignore web page virus risks.
b. Give clamscan access to windows hdd's (mount) and let it do a one-time rigorous scan
c. Then set your cron jobs

Finally: It's better to focus on the gateway point in risk prevention than to clean-up later. Someone could receive a viral file through msn share and there is really not much a virus program could do about it unless allocating large resources to realtime-scan. Then that file would propagate its self within minutes to every system. But if you control the gateway, then you can control the types of risks you are accepting into your network.

Thanks for the explanation Beeblebrox.

So, to let me repeat (and make sure I understand):
1) Clamd listens for requests for virus scanning from third-parties. If listening on a network socket (e.g port 12345), then remote machines can make the virus scan request. If listening on a unix file socket, then local daemons can make a virus scan request.
2) Clamd does not initiate a virus scan unless told.
3) To automate the running of a virus scan on user home directories shared through Samba, I could either have a cronjob run a script that tells clamd to run a scan, OR I could just have a cronjob run a script that calls the commandline scanner directly?

As an aside, this is focusing on the gateway point. Mobile users are currently able to connect and disconnect to the network. As an example, user is working on site. User then works off site (and away from my control). When user logs back in onsite, user may upload who knows what to network storage from lord knows where. It needs to be scanned. Ditto if user remotely connects to storage from off site to upload files. Those files need to be scanned on demand. In either case, scanning has to be done server side because I do not trust the client. (Note that I am not saying I do not trust the user, or that the user is malicious, but if an ignorant user has downloaded/installed/phished a virus onto their machine, I have to assume the machine has been compromised and cannot be trusted to detect and thwart the threat).

clamd is the virus scanner engine. clamdscan submits files to it for scanning, while clamav-milter submits email for scanning. freshclam updates the virus database and notifies clamd. clamscan is (I think) the standalone version of clamd+clamdscan, probably more memory-efficient because clamd won't be running all the time.

A cron job should be fine.

Thanks for the explanation. It really cleared things up a lot.

When user logs back in onsite, user may upload who knows what to network storage

Click to expand...

You can create a process which triggers clamd if and when file upload happens, which will do a realtime scan of files being uploaded.

Again, separation of processes into the server is key...