Virus scanning your Qubes VMs and Templates with ClamAV

Here's a simple script to iterate over your VMs (and, optionally, your templates) and run clamscan against them.

For templates we scan the full disk (/), whereas for the AppVMs we scan only the writable directory, /rw.

The script will start any VMs it needs to, and remember if it had to, so that it shuts down just the VMs that weren't already running.
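The logic described above, as an added example for dom0 (not the author's script). It assumes the Qubes tools qvm-ls, qvm-check, qvm-start, qvm-run and qvm-shutdown, and that clamscan is installed in every VM; the names scan_vm, scan_all and QVM_*, and the status code 3, are made up for illustration.

```shell
#!/bin/sh
# Added example for dom0, not the author's script. The QVM_* variables only
# exist so the Qubes tools can be replaced by stubs when testing.
: "${QVM_LS:=qvm-ls}" "${QVM_CHECK:=qvm-check}" "${QVM_START:=qvm-start}"
: "${QVM_RUN:=qvm-run}" "${QVM_SHUTDOWN:=qvm-shutdown}"

# scan_vm NAME: returns clamscan's status (0 clean, 1 infected, 2 error),
# or 3 (this script's own code) if the VM could not be started.
scan_vm() {
    vm=$1 started=0 path=/rw rc=0
    # Templates get a full scan of /, AppVMs only their writable /rw.
    if "$QVM_CHECK" -q --template "$vm"; then path=/; fi
    # Start the VM only if needed, and remember that we did.
    if ! "$QVM_CHECK" -q --running "$vm"; then
        "$QVM_START" "$vm" || return 3
        started=1
    fi
    # Assumption: qvm-run --pass-io hands back the remote exit status.
    "$QVM_RUN" --pass-io -u root "$vm" \
        "clamscan -r -i --exclude-dir='^/(proc|sys|dev)' $path" || rc=$?
    # Shut down only what this script started.
    if [ "$started" -eq 1 ]; then "$QVM_SHUTDOWN" --wait "$vm"; fi
    return "$rc"
}

# scan_all: scans every VM except dom0 and returns the worst status seen.
scan_all() {
    worst=0
    for name in $("$QVM_LS" --raw-list); do
        [ "$name" = dom0 ] && continue
        status=0
        scan_vm "$name" || status=$?
        echo "$name: scan status $status"
        if [ "$status" -gt "$worst" ]; then worst=$status; fi
    done
    return "$worst"
}

if [ "${1:-}" = "--all" ]; then scan_all; exit $?; fi
```

Run the file in dom0 with --all; a non-zero exit status means at least one VM reported a finding or an error.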

There are a couple of caveats to this approach:

1) The AppVMs' ClamAV databases are potentially out of date, since they live in /var/lib/clamav and are therefore inherited from the TemplateVM. I recommend occasionally powering up your TemplateVM and ensuring that ClamAV starts and downloads fresh signatures. This is certainly necessary the first time you install ClamAV on the templates.

2) For the TemplateVMs to download those signatures at all, they need to be able to reach the ClamAV database repositories via HTTP. Templates can't connect to most outbound HTTP servers; only APT, Yum repos etc. are reachable, via the Qubes Updates Proxy service. This means that you need to tell freshclam that there is a proxy server. To do this, add the following two lines to /etc/clamav/freshclam.conf (on Debian-based templates; Fedora is probably similar):

HTTPProxyServer 10.137.255.254
HTTPProxyPort 8082

You could add this script to a cron job in dom0, or just have a cron job that uses notify-send to remind you to run a weekly scan.