Creating a Local Virus Database Server with Apache and ClamAV

Apache is an open source HTTP server which runs on BSD, Linux, Mac OS X, Solaris and Windows.

ClamAV is an open source anti-virus library which has virus scanners for BSD, Linux, Mac OS X, Solaris and Windows.


Updating ClamAV

ClamAV updates its virus definitions using the freshclam utility. Freshclam pulls the virus definition files from the database server specified by the DatabaseMirror directive in freshclam.conf. To speed delivery and help distribute the load, the ClamAV team has established regional mirrors. To use the mirrors for a particular country, set DatabaseMirror to db.XX.clamav.net, where XX is the desired country code.

This page covers how to become a regional mirror.

Another way to reduce the load on the mirrors and decrease update times is to create a local ClamAV virus definitions database (CVD) server. This reduces the number of machines pulling virus updates from the mirrors and allows the remaining clients to pull from a much closer machine, the local server.


Configuring Apache

An Apache server can be run as a local CVD mirror. The server running Apache also needs to run ClamAV and freshclam. This page discusses how to install these packages and run them from daemontools.

By default, freshclam installs the CVD files in /var/lib/clamav. The location is determined by DatabaseDirectory in freshclam.conf. This directory will be used as the DocumentRoot of the VirtualHost that sets up the CVD server. The example below shows a hypothetical configuration for a server, virusdb.domain.xyz, running on the IP address 10.0.0.1. Make changes as appropriate for your environment. The directives used below and many others are covered on this page.

<VirtualHost 10.0.0.1:80>
    ServerAdmin webmaster@domain.xyz
    DocumentRoot /var/lib/clamav
    ServerName virusdb.domain.xyz
</VirtualHost>

Since this is a local mirror, only local clients should be able to access it for updates. If it were open to the public, it might as well be a regional mirror. Access from the rest of the web can be restricted with firewalling software such as iptables. However, since I believe in defense in depth, I recommend also using the Allow, Deny and Order directives. The configuration below restricts access to the CVD server to the 10.0.0.0/24 network only.

<VirtualHost 10.0.0.1:80>
    ServerAdmin webmaster@domain.xyz
    DocumentRoot /var/lib/clamav
    ServerName virusdb.domain.xyz

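    # Order, Deny and Allow are valid only in a directory context,
    # so they are scoped to the DocumentRoot.
    <Directory /var/lib/clamav>
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/24
    </Directory>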
</VirtualHost>
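
One way to confirm from the mirror's access log that the restriction above is actually taking effect. This is an added example, not part of the original page. It assumes Apache's common/combined log format; the sample log lines and the audit function name are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the network permitted by the Allow directive above.
ALLOWED_NET = ipaddress.ip_network("10.0.0.0/24")
# Common/combined log prefix: host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
10.0.0.23 - - [12/Mar/2024:02:10:01 +0000] "GET /daily.cvd HTTP/1.0" 200 61234567
10.0.0.57 - - [12/Mar/2024:02:11:40 +0000] "GET /main.cvd HTTP/1.0" 304 -
192.0.2.44 - - [12/Mar/2024:03:02:13 +0000] "GET /daily.cvd HTTP/1.1" 403 199
198.51.100.7 - - [12/Mar/2024:03:05:55 +0000] "GET /main.cvd HTTP/1.1" 200 170123456
this line is malformed
"""

def audit(log_text, allowed=ALLOWED_NET):
    """Return (leaks, blocked, unparsed) for requests from outside `allowed`."""
    leaks, blocked, unparsed = [], Counter(), []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        try:
            addr = ipaddress.ip_address(m["host"])
        except ValueError:          # hostname logged instead of an address
            unparsed.append(line)
            continue
        if addr in allowed:         # local client, expected traffic
            continue
        status = int(m["status"])
        if status == 403:           # refused by Deny from all
            blocked[m["host"]] += 1
        elif status < 400:          # served anyway: the ACL is not in effect
            leaks.append((m["host"], m["path"], status))
    return leaks, blocked, unparsed

if __name__ == "__main__":
    leaks, blocked, unparsed = audit(SAMPLE_LOG)
    print("served outside allowed network:", leaks)
    print("refused:", dict(blocked))
    print("unparsed lines:", len(unparsed))
```

Any entry in the first list means a client outside the allowed network received database files, so the access directives are not being applied to the served directory.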

Client Configurations

Pointing clients that run the *nix version of ClamAV at the local server is easy: change the DatabaseMirror directive in freshclam.conf to the local server, then restart freshclam. The example below shows what the directive should look like.

DatabaseMirror virusdb.domain.xyz

For ClamWin, select the Internet Updates configuration tab. Enter the local server's DNS name or IP address and click OK.