Linux antivirus

ClamAV

https://www.clamav.net/

Official packages are available for Linux, macOS and Windows.

The engine itself is updated through the distribution's packages; the signature databases are updated either online with freshclam or offline by copying the database files by hand.

Offline DB update:

https://database.clamav.net/daily.cvd
https://database.clamav.net/main.cvd
https://database.clamav.net/bytecode.cvd

Stop every clam process (clamd and freshclam), copy these three definition files into /var/lib/clamav, fix ownership and permissions, then start the services again. Fetch the files with the cvdupdate tool rather than a plain curl/wget loop: the mirror rate-limits per IP and may block clients that do not behave like freshclam. Each .cvd carries a digital signature that libclamav verifies on load, so a corrupt or tampered file is rejected instead of being loaded; sigtool --info=daily.cvd shows the version, signature count and verification result before you install it.

chown clamav:clamav /var/lib/clamav/*cvd
chmod 644 /var/lib/clamav/*cvd
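As an added example (not ClamAV's own tooling and not from the original page), a script that installs the three files with the checks you want before a blind copy. It reads the version out of the 512-byte CVD header, which is colon-separated (magic, build date, version, signature count, functionality level, MD5, digital signature, builder, build timestamp; the .cld files freshclam produces from incremental updates use the same header), so it never downgrades a database, and it verifies the digital signature with sigtool when sigtool is installed. The database directory, the clamav user and group, and the clamav-daemon/clamav-freshclam service names are the Debian defaults and are assumptions.

```bash
#!/bin/bash
# Added example, not part of ClamAV: install offline-fetched CVDs into the database
# directory with downgrade protection and signature verification.
# Assumptions: Debian paths, user clamav:clamav, services clamav-daemon/clamav-freshclam.
set -euo pipefail

DBDIR=${DBDIR:-/var/lib/clamav}
FILES="main.cvd daily.cvd bytecode.cvd"

# Field N of the 512-byte CVD header:
# ClamAV-VDB:<build date>:<version>:<sigs>:<flevel>:<md5>:<dsig>:<builder>:<stime>
cvd_field()   { head -c 512 "$1" | cut -d: -f"$2"; }
cvd_version() { cvd_field "$1" 3; }
cvd_sigs()    { cvd_field "$1" 4; }
cvd_flevel()  { cvd_field "$1" 5; }

# The file currently serving this database: freshclam turns daily.cvd into
# daily.cld after incremental updates, so prefer the .cld when it exists.
installed_db() { local cld="$DBDIR/${1%.cvd}.cld"; [ -f "$cld" ] && echo "$cld" || echo "$DBDIR/$1"; }

# Reject anything that is not a ClamAV database and anything not newer than
# what is installed: an accidental downgrade silently loses detections.
cvd_check() {
  local new=$1 cur=$2 nv cv
  [ "$(head -c 10 "$new")" = "ClamAV-VDB" ] || { echo "$new: not a ClamAV database" >&2; return 1; }
  if [ -f "$cur" ]; then
    nv=$(cvd_version "$new"); cv=$(cvd_version "$cur")
    [ "$nv" -gt "$cv" ] || { echo "$new: version $nv is not newer than installed $cv" >&2; return 1; }
  fi
}

# sigtool --info checks the CVD's digital signature and prints "Verification OK."
cvd_verify() {
  command -v sigtool >/dev/null || { echo "sigtool not found, skipping signature check for $1" >&2; return 0; }
  sigtool --info="$1" | grep 'Verification OK' >/dev/null || { echo "$1: signature verification FAILED" >&2; return 1; }
}

cvd_install() {
  local src=$1 f
  for f in $FILES; do                       # check everything first, install nothing on failure
    cvd_check "$src/$f" "$(installed_db "$f")"
    cvd_verify "$src/$f"
    echo "$f: version $(cvd_version "$src/$f"), $(cvd_sigs "$src/$f") sigs, flevel $(cvd_flevel "$src/$f")"
  done
  systemctl stop clamav-daemon clamav-freshclam 2>/dev/null || true
  for f in $FILES; do
    install -o clamav -g clamav -m 644 "$src/$f" "$DBDIR/$f"
    rm -f "$DBDIR/${f%.cvd}.cld"            # never leave both .cvd and .cld behind, clamd would load both
  done
  systemctl start clamav-freshclam clamav-daemon 2>/dev/null || true
}

if [ $# -eq 1 ]; then cvd_install "$1"; fi  # usage: cvd-install.sh /path/to/downloaded/cvds
```

Run it as root with the directory the files were copied into; it prints the version, signature count and functionality level of each file before touching the database directory, and refuses the whole batch if any one file fails a check.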

A Linux package install will probably go in /usr, with:

applications in /usr/bin
daemons in /usr/sbin
libraries in /usr/lib
headers in /usr/include
configs in /etc/clamav
databases in /var/lib/clamav

The Debian/Ubuntu packaging splits ClamAV as follows (the library package names carry the soname, so on Debian 12 with ClamAV 1.x they are libclamav11 and libclamunrar11):

clamav - command-line interface (clamscan, sigtool)
clamav-base - base package (common files and default configuration)
clamav-daemon - scanner daemon (clamd)
clamav-docs - documentation
clamav-freshclam - virus database update utility
clamav-milter - sendmail/postfix milter integration
clamdscan - command-line client for clamd, similar to clamscan
clamav-testfiles - test files
libclamav-dev - development files
libclamav9 - library
libclamunrar9 - unrar support

For Red Hat-like distributions (RHEL, CentOS Stream, Rocky, Alma) the packages come from the EPEL repository, which splits ClamAV as follows:

  clamd - The Clam AntiVirus Daemon
  clamav - End-user tools for the Clam Antivirus scanner
  clamav-data - Virus signature data for the Clam Antivirus scanner
  clamav-devel - Header files and libraries for the Clam Antivirus scanner
  clamav-lib - Dynamic libraries for the Clam Antivirus scanner
  clamav-milter - Milter module for the Clam Antivirus scanner
  clamav-update - Auto-updater for the Clam Antivirus scanner data-files

Most users will only need to run:

dnf install -y clamav clamd clamav-update

EPEL puts the daemon configuration in /etc/clamd.d/scan.conf and the updater configuration in /etc/freshclam.conf, while Debian keeps everything under /etc/clamav/. If a package did not ship a configuration file, generate a fully commented template with clamconf (every option is commented out, and like the shipped sample files it starts with an Example line that has to be removed before the daemon will start):

clamconf -g freshclam.conf > freshclam.conf
clamconf -g clamd.conf > clamd.conf
clamconf -g clamav-milter.conf > clamav-milter.conf

Under SELinux, clamd runs in the antivirus_t domain and is denied reads outside its own directories until this boolean is set (-P makes it persistent; confirm with getsebool antivirus_can_scan_system):

setsebool -P antivirus_can_scan_system 1

Mail filtering (the sendmail/postfix milter) is configured separately, in clamav-milter.conf.

Start scanning:

First check the engine version. Once a signature database is installed the output also shows the daily database version and its build date; the short form is what you get before any database is present:

# clamscan --version
ClamAV 0.103.2
# clamscan --version
ClamAV 1.0.8/27636/Tue May 13 10:40:46 2025

Scan a single file:

# clamscan Downloads/LOS.zip

To check every file on the computer, printing the name and result of each file (clamscan's default output):

# clamscan -r /

To check every file on the computer, listing only infected files and ringing the terminal bell when one is found:

# clamscan -r --bell -i /

To check the files in USER's home directory and move infected files to a quarantine folder (keep the quarantine outside the scanned tree, or exclude it, otherwise the next run flags the same files again):

# clamscan -r --move=/home/USER/VIRUS /home/USER

To check the files in USER's home directory and delete infected files (WARNING: the files are gone, and a false positive cannot be recovered):

# clamscan -r --remove /home/USER

To scan every folder on the computer except /sys (--exclude-dir takes a regex, hence the ^ anchor; in practice also exclude ^/proc and ^/dev, since /proc/kcore alone is enormous):

# clamscan -r -i --exclude-dir="^/sys" --bell /

To scan only specific folders or files, list them one per line in a file and pass that file to clamscan:

# clamscan -r -i --bell --file-list=/home/nav/ClamScanTheseFolders.txt

My ClamScanTheseFolders.txt contained:

/media/nav/someFolder1
/media/nav/someFolder2
/opt/someFolder/somefile

/etc/clamav/clamd.conf

Example configuration. Since 0.102 the OnAccess* options are used by the separate clamonacc daemon (which must run as root and talks to this clamd over LocalSocket); clamd itself only answers scan requests on the socket.

LogFile /var/log/clamav/clamd.log
LogTime yes
PidFile /run/clamav/clamd.pid
TemporaryDirectory /tmp
LocalSocket /run/clamav/clamd.ctl

# ExcludePath is a regex; anchor it with ^ so it only matches the start of a path
ExcludePath ^/home/user/.mozilla/
ExcludePath ^/etc/hosts
ExcludePath ^/dev/
ExcludePath ^/proc/
ExcludePath ^/sys/

# clamonacc: watch the whole root mount, minus pseudo filesystems and noisy paths
OnAccessExcludePath /run
OnAccessExcludePath /sys
OnAccessExcludePath ^/home/user/.mozilla/
OnAccessExcludePath ^/etc/hosts
OnAccessExcludePath /proc
OnAccessMountPath /

OnAccessIncludePath /home/user/Desktop

# do not react to events caused by root (clamonacc itself) or by clamd: avoids scan loops
OnAccessExcludeUID 0

# false = notify and log only; true = block access to the file until clamd has cleared it
OnAccessPrevention false
OnAccessExtraScanning true
OnAccessExcludeUname clamav
User clamav
# Enable verbose logging.
# Default: no
LogVerbose yes

# Enable debug messages in libclamav (very noisy; switch off once things work).
# Default: no
Debug yes

Then you can run a scan through the daemon with:

clamdscan --multiscan --fdpass --quiet /

  1. --multiscan speeds up the run because clamd scans with several threads (bounded by MaxThreads in clamd.conf).
  2. --fdpass hands the open file descriptors to clamd over the Unix socket, so files the clamav user cannot read (home directories, root-only files) are still scanned without relaxing their permissions.
  3. --quiet should suppress all output except infected files. At least that's what it seems to do on my system, but that isn't how it is described in the documentation.

clamdscan only talks to clamd over LocalSocket, and clamd does no authentication: whoever can open the socket can send SCAN, RELOAD or SHUTDOWN. Keep LocalSocketGroup/LocalSocketMode tight (a group containing the users who scan, mode 660) rather than opening it to everyone with 666.

If you want to save the report to a file, redirect the output (clamdscan <options> > /save/file.txt) or use the --log=FILE option.
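clamdscan is just a client for the clamd socket protocol, and that protocol is easy to drive directly, which is useful for service health checks and for scanning uploads from an application. This added example (not ClamAV's own code and not from the original page) sends the NUL-terminated, z-prefixed commands and streams a file with INSTREAM, the same mechanism clamdscan --stream uses: each chunk is a 4-byte big-endian length followed by the bytes, and a zero-length chunk ends the stream. The socat dependency and the socket path taken from the clamd.conf above are assumptions.

```bash
#!/bin/bash
# Added example, not part of ClamAV: drive the clamd socket protocol directly.
# Assumes socat is installed and the LocalSocket path from clamd.conf (both assumptions).
set -euo pipefail
SOCK=${CLAMD_SOCKET:-/run/clamav/clamd.ctl}

# 'z'-prefixed commands are NUL-terminated and clamd answers with NUL-terminated replies.
clamd_cmd() { printf 'z%s\0' "$1" | socat -t 5 - "UNIX-CONNECT:$SOCK" | tr '\0' '\n'; }

# 4-byte big-endian length prefix used by INSTREAM, emitted as octal escapes so it
# also works with a POSIX sh printf.
be32() {
  local n=$1 s
  for s in 24 16 8 0; do printf "\\$(printf '%03o' $(( (n >> s) & 255 )))"; done
}

# Frame stdin as INSTREAM chunks: <be32 len><data> ... <be32 0>.
# The total must stay below clamd's StreamMaxLength or clamd aborts the scan.
instream_frames() {
  local chunk=${1:-4096} tmp
  tmp=$(mktemp)
  while dd bs="$chunk" count=1 of="$tmp" 2>/dev/null && [ -s "$tmp" ]; do
    be32 "$(wc -c < "$tmp")"
    cat "$tmp"
  done
  be32 0
  rm -f "$tmp"
}

# Stream a file to clamd: only the caller needs read access to the path, clamd never does.
# Reply is "stream: OK" or "stream: <signature name> FOUND".
clamd_scan_stream() {
  { printf 'zINSTREAM\0'; instream_frames < "$1"; } | socat -t 10 - "UNIX-CONNECT:$SOCK" | tr '\0' '\n'
}

# Liveness check for monitoring: PING must answer PONG, then report engine/database version.
clamd_health() {
  [ "$(clamd_cmd PING)" = "PONG" ] || { echo "clamd not answering on $SOCK" >&2; return 1; }
  clamd_cmd VERSION
}

case ${1:-} in
  health) clamd_health ;;
  scan)   shift; for f in "$@"; do printf '%s -> ' "$f"; clamd_scan_stream "$f"; done ;;
esac
```

Run it as clamd-check.sh health from a monitoring job, or clamd-check.sh scan FILE... to scan files through the daemon. The same few lines could just as easily send SHUTDOWN, which is exactly why the socket mode and group in clamd.conf deserve attention.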

Example of a scan script (a nightly cron job that logs to a dated file and mails the log when something is found):

#!/bin/bash
logname=/var/log/clamav/clamav.log

CURRTIME=$(date +"%Y-%m-%d_%H_%M")
clamlog=/var/log/clamav/clamav_${CURRTIME}.log
quarantine=/var/clamav/infected   # add --move="$quarantine" to the clamscan line to quarantine instead of only reporting

main()
{
    touch "$clamlog"

    # --exclude-dir is a regex, so anchor it: a bare /proc would also match /srv/proc-data.
    nice -n5 clamscan --recursive --infected \
        --exclude-dir="^/proc" --exclude-dir="^/sys" --exclude-dir="^/dev" \
        --exclude-dir="^/media" --exclude-dir="^/mnt" \
        -l "$clamlog" /
    rc=$?

    # clamscan exits 0 when clean, 1 when something was found, 2 on an error:
    # more reliable than grepping "Infected files:" out of the summary.
    if [ "$rc" -eq 1 ]; then
        mail -s "Malware Found $(hostname -i) $(uname -a)" "$(cat ~/.env/EMAIL)" < "$clamlog"
    elif [ "$rc" -ne 0 ]; then
        echo "clamscan failed with exit code $rc, see $clamlog" >&2
    fi
}
main > "$logname" 2>&1

To print the effective configuration together with engine, database and build details (useful when filing a bug or comparing two hosts):

# clamconf -n

Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
PreludeAnalyzerName = "ClamAV"
LogFile = "/var/log/clamav/clamav.log"
LogFileMaxSize = "209715200"
LogTime = "yes"
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
MaxConnectionQueueLength = "15"
StreamMaxLength = "26214400"
MaxThreads = "12"
ReadTimeout = "180"
SendBufTimeout = "200"
ExcludePath = "/.git/", "lost+found", "^/run/", "^/sys/", "^/dev/", "^/proc/", "^/var/log/", "^/home/adoyle/", "^/ssd", "^/hdd", "^/mnt"
SelfCheck = "3600"
User = "clamav"
BytecodeTimeout = "60000"
ScanHTML disabled
ScanOLE2 disabled
ScanPDF disabled
MaxScanTime = "120000"
MaxScanSize = "104857600"
MaxFileSize = "26214400"
MaxRecursion = "16"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
PCREMatchLimit = "10000"
PCRERecMatchLimit = "5000"
PCREMaxFileSize = "26214400"
OnAccessMountPath = "/"
OnAccessExcludePath = "/.git/", "lost+found", "/run", "/sys/", "/dev/", "/proc/", "/var/log/", "/home/adoyle/", "/ssd", "/hdd", "/mnt"
OnAccessExcludeRootUID = "yes"
OnAccessExcludeUname = "clamav"

Config file: freshclam.conf
---------------------------
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogRotate = "yes"
UpdateLogFile = "/var/log/clamav/freshclam.log"
Checks = "24"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
MaxAttempts = "5"
ReceiveTimeout disabled

clamav-milter.conf not found

Software settings
-----------------
Version: 1.0.1
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information
--------------------
Database directory: /var/lib/clamav
daily.cld: version 26925, sigs: 2036167, built on Thu Jun  1 15:27:46 2023
bytecode.cvd: version 334, sigs: 91, built on Thu Feb 23 05:33:21 2023
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 20:32:42 2021
Total number of signatures: 8683685

Platform information
--------------------
uname: Linux 6.1.0-0.deb11.7-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.20-2~bpo11+1 (2023-04-23) x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
Full OS version: No LSB modules are available.
Debian GNU/Linux 12 (bookworm)
zlib version: 1.2.13 (1.2.13), compile flags: a9
platform id: 0x0a21a1a108000000000c0200

Build information
-----------------
GNU C: 12.2.0 (12.2.0)
sizeof(void*) = 8
Engine flevel: 161, dconf: 161