How to, on a Linux machine, using the ClamAV, detect malicious code (trojans, viruses, malware & other malicious threats).
ClamAV (Clam AntiVirus) - is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats on mail servers, but it can also be used on desktops.
It’s included in the Debian repositories, so installation is simple:
sudo apt-get update sudo apt-get install clamav
Before scanning, you must update the virus signature database:
ClamAV update process started at Tue May 19 17:02:33 2015 main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo) Downloading daily-20485.cdiff [100%] daily.cld updated (version: 20485, sigs: 1392599, f-level: 63, builder: neo) bytecode.cld is up to date (version: 256, sigs: 45, f-level: 63, builder: dgoddard) Database updated (3816869 signatures) from db.local.clamav.net (IP: 220.127.116.11)
Now you can scan any directory (such as
/home) for a viruses:
clamscan -r -i /home
- -r - Scan directories recursively.
- -i - Show only infected files.
- /home - Directory of scanning.
Note: To scan the entire system (
/) you must to run a program as root (using sudo).
Note: This command will only show the infected files, but will not clean them (remove virus from file), send to quarantine or delete.
The utility clamscan have many additional options for scanning. Example:
- –bell - Sound bell on virus detection.
- –log - Write log.
- –max-dir-recursion - The maximum depth of search in directories.
- –exclude-dir - Don’t scan directory.
- –copy - Copy infected files into directory.
- –move - Move infected files into directory.
- –remove - Remove infected files. Be careful!
To learn about ClamAv’s other options try
An example of the use of additional parameters:
sudo clamscan -ri --bell --max-dir-recursion=50 --move=/home/user/INFECTED/ --log=/var/log/clamav/clamav.log --exclude-dir=/mnt/storage/ /
To automate the scanning, you can use the Cron task scheduler. To do this, you need to enter several lines in the file
sudo nano /etc/crontab
# ClamAV 0 3 * * * root /usr/bin/freshclam 20 3 * * * root /usr/bin/clamscan -r /
Now scanning will occur automatically every day at 3:0. A twenty minute period required to complete the freshclam (update the database).
Note: Set any time you like and replace the string
/usr/bin/clamscan -r /to necessary.
The scan can detect these “viruses”:
PUA.Script.Packed-1 FOUND PUA.Script.Packed-2 FOUND
In fact, this is not a virus.
- PUA - Possibly Unwanted Applications.
- Script.Packed - The script is packed (archived).
To disable detection of PUA use an additional parameter:
And to enable detection of PUA:
sudo clamscan -r -i --detect-pua=yes /
When you update the virus signature database, it can return this error message:
ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!). ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
This is because the user was running freshclam without certain rights. This is solved by running freshclam with sudo:
Scanning can return this error message:
LibClamAV Warning: fmap_readpage: pread fail: asked for 4085 bytes @ offset 11, got 0 LibClamAV Warning: fmap_readpage: pread fail: asked for 4091 bytes @ offset 5, got 0 LibClamAV Warning: fmap_readpage: pread fail: asked for 4094 bytes @ offset 2, got 0 LibClamAV Error: fmap_readpage: pread error: Input/output error
For this to not happen, you must to exclude from scanning several directories, like so:
sudo clamscan -ir --exclude-dir=^/sys --exclude-dir=^/dev --exclude-dir=^/proc /