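#!/bin/bash
# ============================================================
# anti-malware.sh — Anti-malware and rootkit detection stack
# ============================================================
# Installs ClamAV (antivirus), ClamTk (GUI front-end), rkhunter
# (rootkit hunter), and chkrootkit (AUR rootkit scanner) so the
# system has layered malware-detection coverage. These tools are
# optional because most home Arch desktops don't need a resident
# scanner, but they are valuable on machines that handle
# untrusted files or shared network storage.
#
# Usage:    run as a regular user; sudo is invoked only for the
#           privileged steps (yay must not run as root).
# Requires: pacman, sudo, yay (AUR step only) and the shared
#           logging helpers in ../../lib/logging.sh (log, skip, warn).
# ============================================================

set -euo pipefail

# Load shared logging helpers (log, skip, warn) from the dotfiles lib
source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh"

# Where ClamAV keeps its signature databases and where the update job lives.
readonly CLAMAV_DB_DIR=/var/lib/clamav
readonly CRON_FILE=/etc/cron.d/freshclam

# ── Core packages via pacman ──────────────────────────────────────────────────
# clamav:   the open-source antivirus engine and CLI scanner (clamscan, clamdscan)
# clamtk:   optional GTK GUI for ClamAV, useful for one-off scans without the CLI
# rkhunter: scans for known rootkits, backdoors, and suspicious local changes
log "Installing anti-malware tools (clamav, clamtk, rkhunter)..."
sudo pacman -S --noconfirm --needed \
  clamav clamtk rkhunter
# NOTE(review): rkhunter's file-property checks compare against a stored
# baseline; consider a one-time `sudo rkhunter --propupd` after install, but
# confirm against the Arch rkhunter configuration before automating it here.

# ── chkrootkit (AUR) ─────────────────────────────────────────────────────────
# chkrootkit: a second rootkit scanner; complements rkhunter with different
# detection heuristics. Available from AUR only (not in the official repos).
# yay is not guaranteed to be present, so warn and skip instead of dying with
# an opaque "command not found" under set -e.
if command -v yay >/dev/null 2>&1; then
  log "Installing chkrootkit (AUR)..."
  yay -S --aur --noconfirm --needed chkrootkit
else
  warn "yay not found; skipping chkrootkit (AUR). Install it manually if needed."
fi

# ── Initial ClamAV virus database ────────────────────────────────────────────
# freshclam downloads the official ClamAV virus-definition database.
# We only run it when the main database file is absent to avoid a redundant
# download on repeat runs of the installer.
#   main.cvd = compressed virus database (fresh download)
#   main.cld = incremental update (already exists if previously initialised)
if [[ ! -f "${CLAMAV_DB_DIR}/main.cvd" && ! -f "${CLAMAV_DB_DIR}/main.cld" ]]; then
  log "Running initial freshclam (virus database update)..."
  sudo freshclam
else
  skip "ClamAV database already present."
fi

# ── Cron job for automatic virus-definition updates ──────────────────────────
# ClamAV definitions become stale quickly; running freshclam twice daily keeps
# the scanner effective. We write a system-wide cron snippet to /etc/cron.d/
# rather than a user crontab so the update runs even when no user is logged in.
# --quiet already restricts freshclam to error messages, so stderr is kept:
# a failed update then produces cron mail / a log entry instead of silently
# leaving the scanner with stale definitions.
if [[ ! -f "$CRON_FILE" ]]; then
  log "Installing freshclam cron job (twice daily)..."
  # tee writes to the privileged path without running the whole script as root
  sudo tee "$CRON_FILE" > /dev/null <<'EOF'
# Update ClamAV virus definitions twice a day
0 */12 * * * root /usr/bin/freshclam --quiet
EOF
  # 644 = readable by all (cron needs to read it), writable only by root;
  # cron.d ignores snippets that are group- or world-writable
  sudo chmod 644 "$CRON_FILE"
else
  skip "freshclam cron job already configured."
fi

# The snippet only ever runs if a cron daemon is installed and enabled, and
# Arch does not ship one by default. Surface that instead of failing silently.
if ! command -v crond >/dev/null 2>&1 && ! command -v cron >/dev/null 2>&1; then
  warn "No cron daemon found (e.g. cronie); $CRON_FILE will not run until one is installed and enabled. Alternatively enable the clamav-freshclam systemd service shipped with the clamav package."
fi

log "Anti-malware tools installed."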