How to Scan your Linux Box for Trojans, Malware and Viruses using ClamAV

This tutorial walks you through installing ClamAV on CentOS, which can help you detect viruses, malware, trojans and other malicious threats on your Linux machine. Before we get into the installation steps, I’ll quickly brief you about ClamAV. ClamAV is an open source antivirus engine designed to scan a specified directory and log identified threats. It allows you to maintain up-to-date virus databases by scheduling a cron script.

In this tutorial, you’ll learn to configure scheduled scans and on-demand scans using ClamAV. Here we go.

Install EPEL Repo

1. Download and Install EPEL Repo for yum

# yum install epel-release -y

2. Edit the EPEL Repo file and set ‘enabled=1’.

# vim /etc/yum.repos.d/epel.repo

Install ClamAV packages

1. Now that you have the EPEL Repo, go ahead and install the ClamAV packages as below:

# yum install clamav clamd

2. Set the ‘clamd’ daemon to start during the system boot.

# chkconfig clamd on

3. Start the ‘clamd’ Antivirus server:

# /etc/init.d/clamd start
 Starting Clam AntiVirus Daemon: LibClamAV Warning: **************************************************
 LibClamAV Warning: *** The virus database is older than 7 days! ***
 LibClamAV Warning: *** Please update it as soon as possible. ***
 LibClamAV Warning: **************************************************
 [ OK ]

The daemon checks for up-to-date virus signatures and warns if the database is found to be old.

4. You can update the virus database using the below command:

# freshclam
 ClamAV update process started at Tue Oct 6 15:48:09 2015
 main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
 connect_error: getsockopt(SO_ERROR): fd=5 error=111: Connection refused
 Can't connect to port 80 of host (IP:
 Trying host (
 WARNING: getfile: daily-20395.cdiff not found on remote server (IP:
 WARNING: Incremental update failed, trying to download daily.cvd
 connect_error: getsockopt(SO_ERROR): fd=5 error=111: Connection refused
 Can't connect to port 80 of host (IP:
 Downloading daily.cvd [100%]
 daily.cvd updated (version: 20954, sigs: 1589056, f-level: 63, builder: jesler)
 Downloading bytecode.cvd [100%]
 bytecode.cvd updated (version: 268, sigs: 47, f-level: 63, builder: anvilleg)
 Database updated (4013328 signatures) from (IP:

Note: The virus database will be updated daily using the cron script ‘/etc/cron.daily/freshclam’. You need not create one; it is created automatically during the installation of the package.

Running Instant Scan

You can scan any directory instantly using the below command.

# /usr/bin/clamscan -i -r /home/peter/
----------- SCAN SUMMARY -----------
Known viruses: 4007761
Engine version: 0.98.7
Scanned directories: 1
Scanned files: 22
Infected files: 0
Data scanned: 79.93 MB
Data read: 2.74 MB (ratio 29.15:1)
Time: 17.215 sec (0 m 17 s)

Configure Scheduled scan

In order to schedule a scan, we’ll write a simple shell script specifying the directory to be scanned and a file to log the results.

1. Create a daily cron script as below:

# vim /etc/cron.daily/manual_clamscan

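2. Copy and paste the below code and make changes accordingly. For example, look out for ‘SCAN_DIR’ and ‘LOG_FILE’.

 #!/bin/bash
 SCAN_DIR="/"
 LOG_FILE="/var/log/clamav/manual_clamscan.log"
 /usr/bin/clamscan -i -r "$SCAN_DIR" >> "$LOG_FILE"

3. Make the script executable:

# chmod +x /etc/cron.daily/manual_clamscan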

The above script will scan the entire ‘/’ root directory. You can view the log file (/var/log/clamav/manual_clamscan.log) to read the scan results.
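
The cron script above discards the exit status of clamscan, so a detection is only noticed when someone reads the log. The wrapper below is an added example, not part of the original tutorial: it keeps the same ‘clamscan -i -r’ call, appends a timestamped record to the log, and prints to stderr only on a detection or a scan error. The function names, the overridable CLAMSCAN variable and the file name manual_clamscan_checked are assumptions.

```shell
#!/bin/bash
# Added example, not the tutorial's script: a scheduled scan that acts on
# clamscan's exit status instead of only appending to a log.
# CLAMSCAN is overridable (assumption) so the wrapper can be tried with a stub.
CLAMSCAN="${CLAMSCAN:-/usr/bin/clamscan}"

# flagged_paths: read clamscan output on stdin, print only the flagged paths.
# clamscan reports a detection as "<path>: <signature> FOUND".
flagged_paths() {
    sed -n 's/^\(.*\): [^ ]\{1,\} FOUND$/\1/p'
}

# scan_and_report DIR LOG_FILE
# Appends a timestamped record to LOG_FILE and returns clamscan's exit status
# (0 = nothing found, 1 = detection, anything else = scan error).
scan_and_report() {
    local dir="$1" log="$2" out rc
    out="$("$CLAMSCAN" -i -r "$dir" 2>&1)"
    rc=$?
    {
        printf '=== %s scan of %s, exit status %s ===\n' "$(date '+%F %T')" "$dir" "$rc"
        printf '%s\n' "$out"
    } >> "$log"
    case "$rc" in
        0) ;;   # clean: stay silent so a cron job produces no output
        1) echo "clamscan flagged files under $dir:" >&2
           printf '%s\n' "$out" | flagged_paths >&2 ;;
        *) echo "clamscan failed with status $rc, see $log" >&2 ;;
    esac
    return "$rc"
}

# Runs only when called with arguments, for example:
#   manual_clamscan_checked / /var/log/clamav/manual_clamscan.log
[ "$#" -eq 0 ] || scan_and_report "$1" "$2"
```

Because the wrapper is silent on a clean scan, any output from the cron job means a detection or a failed scan.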

Remove Infected files

You can also automatically remove or delete the malicious file. To do that, you can use the ‘--remove’ option.

WARNING!!!: Be cautious when you enable the ‘--remove’ option with ‘clamscan’, as this will remove the file completely.

Submit File to Sourcefire

You can also submit files to Sourcefire for further analysis using the ‘clamsubmit’ command.

That’s it. Do you know any other Antivirus program for Linux? Let us know your comments.

Thanks to CentOS blog.

Updated on September 3, 2017