
Linux antivirus

ClamAV

https://www.clamav.net/

Packages are available for Linux, MacOS and Windows

ClamAV can be updated offline or online

Offline DB update:

https://database.clamav.net/daily.cvd
https://database.clamav.net/main.cvd
https://database.clamav.net/bytecode.cvd

Stop every clam process, then copy these 3 definition files into /var/lib/clamav and check their ownership and permissions:

chown clamav:clamav /var/lib/clamav/*cvd
chmod 644 /var/lib/clamav/*cvd

A Linux package install will probably go in /usr, with:

applications in /usr/bin
daemons in /usr/sbin
libraries in /usr/lib
headers in /usr/include
configs in /etc/clamav
databases in /var/lib/clamav

The full list of packages includes:

clamav - command-line interface
clamav-base - base package
clamav-daemon - scanner daemon
clamav-docs - documentation
clamav-freshclam - virus database update utility
clamav-milter - sendmail integration
clamdscan - A command-line client for clamd similar to clamscan
clamav-testfiles - test files
libclamav-dev - development files
libclamav9 - library
libclamunrar9 - unrar support

For Red Hat-like distributions, you'll find it in the EPEL repo.

EPEL offers a selection of packages to install ClamAV:

  clamd - The Clam AntiVirus Daemon
  clamav - End-user tools for the Clam Antivirus scanner
  clamav-data - Virus signature data for the Clam Antivirus scanner
  clamav-devel - Header files and libraries for the Clam Antivirus scanner
  clamav-lib - Dynamic libraries for the Clam Antivirus scanner
  clamav-milter - Milter module for the Clam Antivirus scanner
  clamav-update - Auto-updater for the Clam Antivirus scanner data-files

Most users will only need to run:

dnf install -y clamav clamd clamav-update

Run these (from within /etc/clamav/, since clamconf writes to the current directory) to generate example configs, if needed:

clamconf -g freshclam.conf > freshclam.conf
clamconf -g clamd.conf > clamd.conf
clamconf -g clamav-milter.conf > clamav-milter.conf

To allow ClamAV to operate under SELinux, run the following:

setsebool -P antivirus_can_scan_system 1

Start scanning:

  • One time: clamscan --recursive /
  • Memory: clamscan --memory --infected
  • On access: clamonacc

The mail filtering configuration file is clamav-milter.conf.

# clamscan --version
ClamAV 0.103.2

To scan only one file:

# clamscan Downloads/LOS.zip

To check all files on the computer, displaying the name of each file:

# clamscan -r /

To check all files on the computer, but only display infected files and ring a bell when found:

# clamscan -r --bell -i /

To check files in the USER home directory and move infected files to another folder:

# clamscan -r --move=/home/USER/VIRUS /home/USER

To check files in the USER home directory and remove infected files (WARNING: Files are gone.):

# clamscan -r --remove /home/USER

To scan all folders in your computer (except /sys):

# clamscan -r -i --exclude-dir="^/sys" --bell / 

To scan specific folders or files, you have to create a file in which you list out which files/folders you want to scan, and tell clamav where to find that file:

# clamscan -r -i --bell --file-list=/home/nav/ClamScanTheseFolders.txt

My ClamScanTheseFolders.txt contained:

/media/nav/someFolder1
/media/nav/someFolder2
/opt/someFolder/somefile

/etc/clamav/clamd.conf

LogFile /var/log/clamav/clamd.log
LogTime yes
PidFile /run/clamav/clamd.pid
TemporaryDirectory /tmp
LocalSocket /run/clamav/clamd.ctl

ExcludePath ^/home/user/.mozilla/
ExcludePath ^/etc/hosts
ExcludePath ^/dev/
ExcludePath ^/proc/
ExcludePath ^/sys/

OnAccessExcludePath /run
OnAccessExcludePath /sys
# OnAccessExcludePath takes a literal path (unlike ExcludePath above, which takes a regex)
OnAccessExcludePath /home/user/.mozilla
OnAccessExcludePath /etc/hosts
OnAccessMountPath /
OnAccessExcludePath /proc
OnAccessExcludeUID 0

OnAccessPrevention false
OnAccessExtraScanning true
OnAccessExcludeUname clamav
User clamav

Then you can run it with:

clamdscan --multiscan --fdpass --quiet /

  1. --multiscan will speed up the processing because it uses multiple threads.
  2. --fdpass passes open file descriptors to clamd, so files can be scanned even though clamav-daemon.service runs as the clamav user.
  3. --quiet should suppress all output except infected files. At least that's what it seems to do on my system, but that isn't how it is described in the documentation.

If you want to save the results to a file, you can redirect the output (clamdscan <options> > /save/file.txt) or use the --log=FILE option.

Example script:

#!/bin/bash
# Full filesystem scan at low priority; mails an alert when the summary reports infections.
clamlog=/var/log/clamav/clamav.log
rm -f "$clamlog"
touch "$clamlog"

# --exclude-dir takes a regex; pseudo-filesystems and removable media are skipped
nice -n5 clamscan --recursive --infected / --exclude-dir=/proc --exclude-dir=/sys --exclude-dir=/dev --exclude-dir=/media --exclude-dir=/mnt -l "$clamlog"

# The scan summary ends with a line such as "Infected files: 0"; take the count (0 if missing)
MALWARE=$(tail "$clamlog" | grep Infected | cut -d" " -f3)
if [ "${MALWARE:-0}" -ne "0" ]; then
    mail -s "Malware Found $(hostname -i; uname -a)" "$(cat ~/.env/EMAIL)" < "$clamlog"
fi
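As an added example (not from the original page), a more robust version of the log-parsing step in the script above: it reads a clamscan log written with -l/--log, extracts the infected count from the summary line, falls back to counting FOUND lines when the scan was interrupted and no summary exists, and lists the detected paths. The sample log is constructed here; the function names are mine.

```bash
#!/bin/bash
# Added example, not from the original page: parse a clamscan/clamdscan log
# and extract what a scheduled scan needs for alerting.

# Print the path of every file reported as "<path>: <Signature> FOUND".
# Signature names never contain spaces, so the greedy "\(.*\)" keeps paths
# that themselves contain ": " intact.
clam_infected_paths() {
    sed -n 's/^\(.*\): [^ ]* FOUND$/\1/p' "$1"
}

# Print the infected count. Prefer the "Infected files: N" summary line;
# if the scan was interrupted and no summary exists, count FOUND lines
# instead so a partial scan still alerts, and never return an empty string.
clam_infected_count() {
    local n
    n=$(sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p' "$1" | tail -n 1)
    [ -n "$n" ] || n=$(grep -c ' FOUND$' "$1" || true)
    printf '%s\n' "$n"
}

# Returns 0 (true) when the log warrants an alert, 1 otherwise.
clam_alert_needed() {
    [ "$(clam_infected_count "$1")" -gt 0 ]
}

# Constructed sample log in clamscan's output format (EICAR test file hits).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
/home/user/Downloads/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/home/user/Downloads/notes.txt: OK
/home/user/Downloads/report: final.zip: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8700000
Engine version: 0.103.2
Scanned directories: 1
Scanned files: 3
Infected files: 2
EOF

if clam_alert_needed "$sample_log"; then
    echo "Infected files: $(clam_infected_count "$sample_log")"
    clam_infected_paths "$sample_log"
fi
```

The path list can be fed to a quarantine step (e.g. moving files into a dedicated directory) instead of relying on --move during the scan.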
linux/antivirus.1747382819.txt.gz · Last modified: 2025/05/16 10:06 by manu