Antivirus on a Linux machine
How to, on a Linux machine, using the ClamAV, detect malicious code (trojans, viruses, malware & other malicious threats).
ClamAV (Clam AntiVirus) - is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats on mail servers, but it can also be used on desktops.
Installation
It’s included in the Debian repositories, so installation is simple:
sudo apt-get update
sudo apt-get install clamav
Using
Before scanning, you must update the virus signature database:
sudo freshclam
ClamAV update process started at Tue May 19 17:02:33 2015 main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo) Downloading daily-20485.cdiff [100%] daily.cld updated (version: 20485, sigs: 1392599, f-level: 63, builder: neo) bytecode.cld is up to date (version: 256, sigs: 45, f-level: 63, builder: dgoddard) Database updated (3816869 signatures) from db.local.clamav.net (IP: 198.148.78.4)
Now you can scan any directory (such as /home) for a viruses:
clamscan -r -i /home
- -r - Scan directories recursively.
- -i - Show only infected files.
- /home - Directory of scanning.
Note: To scan the entire system (
/) you must to run a programme as root (using sudo).
Note: This command will only show the infected files, but will not clean them (remove virus from file), send to quarantine or delete.
The utility clamscan have many additional options for scanning. Example:
- –bell - Sound bell on virus detection.
- –log - Write log.
- –max-dir-recursion - The maximum depth of search in directories.
- –exclude-dir - Don’t scan directory.
- –copy - Copy infected files into directory.
- –move - Move infected files into directory.
- –remove - Remove infected files. Be careful!
To learn about ClamAv’s other options try man:
man clamscan
An example of the use of additional parameters:
sudo clamscan -ri --bell --max-dir-recursion=50 --move=/home/user/INFECTED/ --log=/var/log/clamav/clamav.log --exclude-dir=/mnt/storage/ /
Automation
To automate the scanning, you can use the Cron task scheduler. To do this, you need to enter several lines in the file /etc/crontab.
sudo nano /etc/crontab
# ClamAV 0 3 * * * root /usr/bin/freshclam 20 3 * * * root /usr/bin/clamscan -r /
Now scanning will occur automatically every day at 3:0. A twenty minute period required to complete the freshclam (update the database).
Note: Set any time you like and replace the string
/usr/bin/clamscan -r /to necessary.
Possible finds
The scan can detect these “viruses”:
PUA.Script.Packed-1 FOUND PUA.Script.Packed-2 FOUND
In fact, this is not a virus.
- PUA - Possibly Unwanted Applications.
- Script.Packed - The script is packed (archived).
To disable detection of PUA use an additional parameter:
--detect-pua=no
And to enable detection of PUA:
--detect-pua=yes
Example:
sudo clamscan -r -i --detect-pua=yes /
Possible errors
ERROR 1
When you update the virus signature database, it can return this error message:
freshclam
ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!). ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
This is because the user was running freshclam without certain rights. This is solved by running freshclam with sudo:
sudo freshclam
ERROR 2
Scanning can return this error message:
LibClamAV Warning: fmap_readpage: pread fail: asked for 4085 bytes @ offset 11, got 0 LibClamAV Warning: fmap_readpage: pread fail: asked for 4091 bytes @ offset 5, got 0 LibClamAV Warning: fmap_readpage: pread fail: asked for 4094 bytes @ offset 2, got 0 LibClamAV Error: fmap_readpage: pread error: Input/output error
For this to not happen, you must to exclude from scanning several directories, like so:
sudo clamscan -ir --exclude-dir=^/sys --exclude-dir=^/dev --exclude-dir=^/proc /
If this article has helped you then please leave a comment 
Thanks for reading!
Arthur is a designer and full stack software engineer. He is the founder of Space X-Chimp and the blog My Cyber Universe. His personal website can be found at arthurgareginyan.com.
