In this post, I’m going to explain and show how ClamAV, a free antivirus software, scans your Linux system to detect malicious software to improve the security posture of it.
Nevertheless, ClamAV can’t be considered as a Next Generation AntiVirus (NGAV) since it doesn’t provide any threat intelligence from a cloud centric processing, it is not based in Tactics Techniques and Procedures (TTP) and does not deliver any Artificial Intelligence feature.
Although ClamAV is more a traditional antivirus software, it is available for Linux, Windows and Mac for free. So it could be a good option for you to cover the endpoint protection from your cybersecurity program. Moreover, it is easy to install, to setup and maintain as well.
Therefore, if you want to learn more about this tool, continue reading until the end of the post.
How to install ClamAV in Linux systems
The easiest way to install ClamAV is to use the package manager from your OS, apt, yum, zypper or dnf. Bear in mind that you’ll need sudo privileges for the installation process.
For CentOS systems, execute the following commands to install the antivirus:
$ sudo yum install epel-release -y
$ sudo yum update -y
$ sudo yum install clamav -y
For Ubuntu systems execute:
$ sudo apt-get update
$ sudo apt-get install clamav -y
However, the target OS package manager does not necessarily have the latest version and, therefore, you might want to check the ClamAV download page to get and install the last version. Make sure to check the signature of the downloaded files: Verifying a Detached GPG Signature sig or asc of a Download File in Linux
Update the ClamAV database and setup periodically update
One of the most important activities of any antivirus is to keep updated the virus signatures or definitions, so you can ensure that this security measure is working properly. To do so in ClamAV, you need to run the following command:
$ sudo freshclam
The freshclam
is a tool to update the ClamAV antivirus signature database, it can be executed on demand manually but also periodically by running it as a daemon. The output of the freshclam
command should be:
$ sudo freshclam
ClamAV update process started at Tue Aug 16 15:12:40 2022
daily database available for download (remote version: 26629)
Time: 1.1s, ETA: 0.0s [========================>] 56.73MiB/56.73MiB
Testing database: '/var/lib/clamav/tmp.11a4d39d23/clamav-634a0666e68ddd070612d388c9de5c57.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 26629, sigs: 1996952, f-level: 90, builder: raynman)
main database available for download (remote version: 62)
Time: 3.0s, ETA: 0.0s [========================>] 162.58MiB/162.58MiB
Testing database: '/var/lib/clamav/tmp.11a4d39d23/clamav-696bf2b42253e8bbb5099cd3a0d47fb8.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode database available for download (remote version: 333)
Time: 0.1s, ETA: 0.0s [========================>] 286.79KiB/286.79KiB
Testing database: '/var/lib/clamav/tmp.11a4d39d23/clamav-6dd7444930d5bdf52289870087d98860.tmp-bytecode.cvd' ...
Database test passed.
bytecode.cvd updated (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Any recent data downloaded from the antivirus definitions update, will be included in the database files in path /var/lib/clamav:
However, this is done once and, if it is not done on a regular basis, ClamAV might have a gap of new antivirus that might not be able to detect, because the database is not updated. To overcome this issue and run the update on a periodic basis, you can rely on the freshclam
daemon which will take care of this activity periodically.
Therefore, let’s proceed to enable the service and run the service:
$ sudo systemctl enable clamav-freshclam
$ sudo systemctl start clamav-freshclam
You may also want to review the service status with:
$ sudo systemctl status clamav-freshclam
If the service is “active (running)” then everything went ok. It will also display the freshclam
last antivirus signature update check:
By default, the daemon will update every 2 hours, but it can be customised by adjusting the parameter Checks from the file /etc/freshclam.conf, which will define the number of times during the day, that freshclam
will check for any antivirus definitions updates.
You may also find other adjustable settings in the same configuration file.
Run a manual scan with clamscan command
To execute ClamAV scan manually, you will need to use the command clamscan
and, to show which would be the behaviour in case of true positive, let’s download the anti malware test file EICAR which is a well known standard harmless file, that most of the antivirus in the market will detect it:
$ wget -q https://secure.eicar.org/eicar.com.txt
$ clamscan --infected --recursive .
The output will show that clamscan
has detected the eicar.com.txt as an infected file:
$ wget -q https://secure.eicar.org/eicar.com.txt
$ clamscan --infected --recursive .
/home/fse/eicar.com.txt: Win.Test.EICAR_HDB-1 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8629010
Engine version: 0.103.7
Scanned directories: 1
Scanned files: 5
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 17.379 sec (0 m 17 s)
Start Date: 2022:08:16 16:10:45
End Date: 2022:08:16 16:11:02
The options –infected (or -i) tells the command to show only the infected files instead of all the scanned files, and –recursive (or -r) option will search in all the subfolders recursively from the path you passed in the argument.
You may also take a step further and remove the files from the system deemed to be infected with the option –remove. However, you may end up messing the system by removing files which could be false positives. Therefore, use this option carefully and double check with detection only scan and then remove it with clamscan
or even rm
.
Now that you know how to perform a manual malware scan with ClamAV, let’s proceed to configure it to run on a scheduled basis.
Configure periodic ClamAV scan
You can schedule with crontab
the execution of ClamAV scan by creating a small bash script to handle clamscan
execution and write the output in log files.
#!/bin/bash
SCANLOGS=/var/log/clamavscan.log
SCANPATH=/home/fse
CLAMSCAN=/bin/clamscan
$CLAMSCAN --recursive --infected --log=$SCANLOGS $SCANPATH
The above bash script will run clamscan
on the target path SCANPATH and write the logs in SCANLOGS. In this use case, it will be named as “clamavscan.sh” and the paths can be changed to adjust it to your testing case.
Then, if you want to run the scan in daily basis, create the softlink on the daily cron folder and give the appropriate permissions to the script:
$ chmod 700 /home/fse/clamavscan.sh
$ sudo ln -s /home/fse/clamavscan.sh /etc/cron.daily/clamavscan
Finally, the script will be executed each day by crontab
.