XceptN’s Tech Stuff

All About Tech

Enabling “real-time-protection” with ClamAV on Ubuntu 24.04 Desktop for Palo Alto Networks Global Protect (PanGP) VPN

Posted on September 24, 2025 By XceptN

Some Palo Alto Networks Global Protect (PanGP) VPN servers require a running anti-malware product on the connecting client computers.

Unfortunately, just installing clamav using apt does not solve the problem.

If you only install ClamAV, the product shows up in the host info section of the PanGP UI, but “real-time-protection” is reported as “no”.

This post intends to walk you through all necessary steps.

Let’s install the necessary software

sudo apt update
sudo apt install clamav clamav-daemon clamav-freshclam clamdscan clamav-base clamav-docs

Update virus definitions

sudo freshclam

Stop the services to configure them

sudo systemctl stop clamav-freshclam
sudo systemctl stop clamav-daemon

Configure ClamAV for real-time scanning

Let’s edit the clamd configuration file. Non-default settings are in italics.

sudo vi /etc/clamav/clamd.conf

# Real Time Protection
# Enable TCP socket
TCPSocket 3310
TCPAddr 127.0.0.1

# Enable local socket
LocalSocket /var/run/clamav/clamd.ctl
LocalSocketGroup clamav
LocalSocketMode 666

# Real-time protection settings
OnAccessPrevention true
OnAccessExtraScanning true

User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 30
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanTime 120000
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
OnAccessMaxFileSize 5M

Create the clamav-daemon systemd service definition:

sudo vi /usr/lib/systemd/system/clamav-daemon.service

[Unit]
Description=Clam AntiVirus userspace daemon
Documentation=man:clamd(8) man:clamd.conf(5) https://docs.clamav.net/
Requires=clamav-daemon.socket
ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}
ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc}

[Service]
ExecStart=/usr/sbin/clamd --config-file=/etc/clamav/clamd.conf --foreground=true
Type=simple
ExecReload=/bin/kill -USR2 $MAINPID
TimeoutStartSec=420
Restart=on-failure

[Install]
WantedBy=multi-user.target
Also=clamav-daemon.socket

… and the clamav-daemon systemd socket definition:

sudo vi /usr/lib/systemd/system/clamav-daemon.socket

[Unit]
Description=Socket for Clam AntiVirus userspace daemon
Documentation=man:clamd(8) man:clamd.conf(5) https://docs.clamav.net/
ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}
ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc}

[Socket]
ListenStream=/run/clamav/clamd.ctl
ListenStream=127.0.0.1:3310
SocketUser=clamav
SocketGroup=clamav
RemoveOnStop=True

[Install]
WantedBy=sockets.target

Configure Freshclam

Update the freshclam configuration file. Non-default settings are in italics.

sudo vi /etc/clamav/freshclam.conf

DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

Configure ClamAV on-access scanner

Create systemd service file:

sudo vi /etc/systemd/system/clamonacc.service

[Unit]
Description=ClamAV On-Access Scanner
Documentation=man:clamonacc(8) man:clamd.conf(5)
After=clamav-daemon.service network.target
Wants=clamav-daemon.service

[Service]
Type=simple
User=root
ExecStartPre=/bin/bash -c "while [ ! -S /var/run/clamav/clamd.ctl ]; do sleep 1; done"
ExecStart=/usr/sbin/clamonacc --foreground --config-file=/etc/clamav/clamonacc.conf --log=/var/log/clamav/clamonacc.log --move=/tmp/clamav-quarantine
ExecReload=/bin/kill -USR2 $MAINPID
StandardOutput=journal
TimeoutStartSec=420
Restart=on-failure

[Install]
WantedBy=multi-user.target

Identify the ID of the clamav user

id clamav

Create configuration file. Make sure you include the correct UID for clamav user.

sudo vi /etc/clamav/clamonacc.conf

# TCP connection settings - must match clamd.conf
TCPSocket 3310
TCPAddr 127.0.0.1

# Include paths for scanning
OnAccessIncludePath /home
OnAccessIncludePath /tmp
OnAccessIncludePath /opt
OnAccessIncludePath /usr/local

# Exclude system paths to prevent performance issues
OnAccessExcludePath /proc
OnAccessExcludePath /sys
OnAccessExcludePath /dev
OnAccessExcludePath /var/run
OnAccessExcludePath /var/lib/clamav
OnAccessExcludePath /var/log


# CRITICAL: Exclude clamav user to prevent infinite loops
OnAccessExcludeUname clamav
OnAccessExcludeRootUID yes


# Enable prevention mode (block access to files that scan as infected)
OnAccessPrevention yes

# Enable extra scanning features
OnAccessExtraScanning yes

# Set maximum file size to scan (in MB)
OnAccessMaxFileSize 100M

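# Watch the whole / mount point (quarantine itself is done by --move in clamonacc.service).
# Per the clamd.conf documentation, OnAccessMountPath preempts the OnAccessIncludePath
# watch lists above and gives verdicts only: prevention is not applied while it is set.
OnAccessMountPath /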
# Find the clamav UID and exclude it
# Run: id clamav
# Then add: OnAccessExcludeUID <uid_number>
OnAccessExcludeUID 123

Create quarantine directory:

sudo mkdir -p /tmp/clamav-quarantine
sudo chown clamav:clamav /tmp/clamav-quarantine
sudo chmod 750 /tmp/clamav-quarantine

Start and Enable Services

# Make new service & socket files effective
sudo systemctl daemon-reload

# ClamAV signature updater
sudo systemctl start clamav-freshclam
sudo systemctl enable clamav-freshclam

# ClamAV daemon services
sudo systemctl enable clamav-daemon
sudo systemctl stop clamav-daemon.socket
sudo systemctl stop clamav-daemon.service
sudo systemctl start clamav-daemon.socket

# On-access scanner services
sudo systemctl enable clamonacc
sudo systemctl start clamonacc

# Checking services
sudo systemctl status clamav-daemon
sudo systemctl status clamav-daemon.socket
sudo systemctl status clamav-freshclam
sudo systemctl status clamonacc
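
A consistency check for the two files edited above, added here as an example and not part of the original post: it confirms that clamonacc.conf carries the same TCPSocket and TCPAddr as clamd.conf and that OnAccessExcludeUID is the UID reported by id clamav. The function names conf_get and check_onacc are made up for this example.

```sh
#!/bin/sh
# Added example: cross-check clamd.conf and clamonacc.conf from this post.

# Print the value of the first occurrence of directive $2 in config file $1.
# Comment lines never match because their first field starts with "#".
conf_get() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# check_onacc CLAMD_CONF ONACC_CONF CLAMAV_UID
# Prints one line per problem; returns 0 when consistent, 1 otherwise.
check_onacc() {
    co_clamd=$1 co_onacc=$2 co_uid=$3 co_rc=0
    # clamonacc hands files to clamd over this socket, so both must agree.
    for co_key in TCPSocket TCPAddr; do
        co_a=$(conf_get "$co_clamd" "$co_key")
        co_b=$(conf_get "$co_onacc" "$co_key")
        if [ "$co_a" != "$co_b" ]; then
            echo "MISMATCH $co_key: clamd='$co_a' clamonacc='$co_b'"
            co_rc=1
        fi
    done
    # The excluded UID has to be the real clamav UID; a stale number copied
    # from another machine lets clamd's own reads raise on-access events.
    if ! awk -v uid="$co_uid" \
        '$1 == "OnAccessExcludeUID" && $2 == uid { found = 1 }
         END { exit !found }' "$co_onacc"; then
        echo "MISSING OnAccessExcludeUID $co_uid"
        co_rc=1
    fi
    return "$co_rc"
}

# On a configured host, check the live files; skipped elsewhere.
if [ -r /etc/clamav/clamonacc.conf ] && id -u clamav >/dev/null 2>&1; then
    check_onacc /etc/clamav/clamd.conf /etc/clamav/clamonacc.conf \
        "$(id -u clamav)"
fi
```

No output and exit status 0 mean the two files agree; each printed line names the directive to fix before starting clamonacc.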

Restart GlobalProtect

After making sure you are disconnected from VPN, restart the GPD service:

sudo systemctl restart gpd

Now, PanGP UI host-info should show something like below:

All done for anti-malware “real-time-protection”

Note: The VPN server you are connecting to may require other configurations like full disk encryption or others. Please check with your VPN administrator.
