

ClamAV® is an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats.


Installation

ClamAV can be installed by issuing the following command in the terminal:

$ sudo apt install clamav clamav-daemon clamav-freshclam clamdscan

Description of packages:

 * clamav: ClamAV anti-virus package
 * clamav-daemon: scanner daemon for ClamAV, used for automatic scanning
 * clamav-freshclam: ClamAV utility for updating virus database signatures, also used for mail server integration
 * clamdscan: the command line interface for 'clamav-daemon'

After the installation is finished, check the ClamAV service status with the command below.

$ sudo systemctl is-enabled clamav-daemon && sudo systemctl status clamav-daemon


Keeping updated with freshclam

After you've installed ClamAV, you need to configure the mirror, update the signature databases, and then start and enable the 'clamav-freshclam' service so that the malware/virus signature databases are updated automatically.

Open the configuration '/etc/clamav/freshclam.conf':

$ sudo nano /etc/clamav/freshclam.conf

Adjust the 'DatabaseMirror' setting to use your country code, or leave the configuration at its default.

DatabaseMirror db.<country code>.clamav.net

Save the file and exit the editor.

Now run the 'freshclam' command below to update your anti-virus database.

$ sudo freshclam

Once the database is updated, run the 'systemctl' command below to start and enable the 'clamav-freshclam' service. Your anti-virus database will be updated automatically by the 'clamav-freshclam' service.

$ sudo systemctl enable --now clamav-freshclam

Lastly, check the 'clamav-freshclam' service with the command below. You'll see that the service is running and enabled.

$ sudo systemctl status clamav-freshclam

Note: It is recommended to restart your machine after the installation, so that the virus signature database is updated and ClamAV is informed about the update.


Scanning Files and Directories with ClamAV

Before scanning files or directories, ensure that the 'clamav-daemon' service is running. Check it with the command below.

$ sudo systemctl status clamav-daemon

If it is running, you'll see 'active (running)' in the output.

ClamAV can scan individual files or, if necessary, entire directories. Example commands are shown below.

To scan a file with ClamAV, run the 'clamscan' command followed by the filename, as follows.

clamscan file.docx

To scan a directory, give the directory name instead, as follows.

clamscan /home/

Run the command below to omit any result with the status 'OK'.

clamscan -o /home/

Or you can show only the infected files with the '-i' option.

clamscan -i /home/

Run the command below to scan the directory recursively and print infected files.

clamscan -i -r /home

Lastly, you can combine '-r' with the '--move' parameter to move infected files to the target directory.

clamscan -i -r --move=/home/$USER/infected /home/

Note: If you would like ClamAV to remove the infected files, add the '--remove' option.

By default ClamAV will not scan files larger than 20 MB. To override that limit, append the options '--max-filesize=2000M --max-scansize=2000M' to the command, replacing the size 2000M as necessary. An example is provided below.

$ clamscan --max-filesize=2000M --max-scansize=2000M --recursive=yes --infected /home

Note: A full ClamAV scan of every file in your home folder may take a long time (2+ hours), depending on how many files the folder contains.
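The scan commands above are usually run by hand, but for a cron job or a monitoring check the useful parts are clamscan's exit status and the list of infected paths. The following POSIX shell script is an added example (not part of this wiki page or of the ClamAV project): it wraps the recursive, infected-only scan shown above with raised size limits, maps the exit status to a verdict, and parses a saved report for infected paths and the summary count. The function names (scan_verdict, infected_paths, infected_count, run_scan) are this example's own, and the report text in SAMPLE_REPORT is constructed so the parsers can be exercised on a machine without ClamAV installed.

```shell
#!/bin/sh
# Added example, not from the Debian wiki page or the ClamAV project.
# Wraps a recursive clamscan run so the result can be consumed by a cron job
# or monitoring check: exit status -> verdict, report text -> infected paths.

# clamscan exit status, as documented in clamscan(1):
# 0 = no virus found, 1 = virus(es) found, 2 = an error occurred.
scan_verdict() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected" ;;
        2) echo "error" ;;
        *) echo "unknown" ;;
    esac
}

# Read clamscan report text on stdin and print one infected path per line.
# Detection lines have the form "<path>: <signature> FOUND"; the summary
# block and any "OK" lines (present when -i was not used) are ignored.
infected_paths() {
    awk '/ FOUND$/ { sub(/: [^:]* FOUND$/, ""); print }'
}

# Read report text on stdin and print the "Infected files:" summary count
# (third whitespace-separated field of that line; 0 if the line is absent).
infected_count() {
    awk '/^Infected files:/ { n = $3 } END { print n + 0 }'
}

# Run the scan from the page (recursive, infected-only, raised size limits),
# save the raw report to $2 and print the verdict. Returns clamscan's status.
run_scan() {
    dir="$1"; report="$2"
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan is not installed" >&2
        return 2
    fi
    rc=0
    clamscan -i -r --max-filesize=2000M --max-scansize=2000M "$dir" > "$report" || rc=$?
    scan_verdict "$rc"
    return "$rc"
}

# Constructed sample report (not real scan output): the paths, signature
# names and summary numbers are made up for this example.
SAMPLE_REPORT='/home/alice/Downloads/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/home/alice/tmp/sample.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8000000
Engine version: 1.0.0
Scanned directories: 3
Scanned files: 42
Infected files: 2
Data scanned: 1.23 MB
Data read: 1.50 MB (ratio 0.82:1)
Time: 3.210 sec (0 m 3 s)'

# Demo on the constructed report: list the infected paths and the count.
printf '%s\n' "$SAMPLE_REPORT" | infected_paths
printf 'infected files: %s\n' "$(printf '%s\n' "$SAMPLE_REPORT" | infected_count)"
```

To use it on a real system, call run_scan with the directory and a report path, for example `run_scan /home /var/log/clamav/home-scan.txt`, and act on the verdict it prints (or its return status). Keeping the raw report is deliberate: the FOUND lines name the signature that matched, which is what you need when deciding whether a hit is a true positive before moving or removing anything.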


Automatic Scanning and Real Time protection with ClamAV Daemon

ClamAV provides automatic scanning via the 'clamav-daemon' service. The steps below configure 'clamav-daemon' to automatically scan system directories such as '/home', '/etc', and '/var'.

Edit the ClamAV daemon configuration '/etc/clamav/clamd.conf':

$ sudo nano /etc/clamav/clamd.conf

Insert the configuration below to enable automatic scanning of directories such as '/home', '/etc', and '/var'. The 'ScanOnAccess' setting enables real-time protection: 'clamd' scans files when they are accessed.

ScanOnAccess yes
OnAccessIncludePath /home
OnAccessIncludePath /etc
OnAccessIncludePath /var

Save the file and exit the editor.

Now run the 'systemctl' command below to restart the 'clamav-daemon' service so that it loads the new configuration.

sudo systemctl restart clamav-daemon

Lastly, check the 'clamav-daemon' service status to ensure it is running.

sudo systemctl status clamav-daemon


Debugging ClamAV

The default ClamAV log file is '/var/log/clamav/clamav.log'. You can follow it with the 'tail' command below.

tail -f /var/log/clamav/clamav.log

Run the 'tail' command below to follow the log of the 'freshclam' service, which automatically updates your anti-virus database.

tail -f /var/log/clamav/freshclam.log
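Following the freshclam log by hand shows whether the last update worked, but a daemon running on stale signatures keeps scanning without complaint, so the check is worth automating. The following POSIX shell script is an added example (not part of this wiki page or of the ClamAV project) that reads a freshclam log from stdin, prints any ERROR or WARNING lines and the most recent "updated" or "is up-to-date" line, and returns a one-word health verdict. The function names (freshclam_problems, freshclam_last_ok, freshclam_health) are this example's own; the two sample logs are constructed, following the "<date> -> <message>" line form freshclam writes, with made-up dates, versions and mirror URL.

```shell
#!/bin/sh
# Added example, not from the Debian wiki page or the ClamAV project.
# Summarizes a freshclam log read on stdin: problem lines, the last
# successful update line, and a one-word health verdict for a cron or
# monitoring check.

# Print any line freshclam flagged as a problem. "|| :" keeps the function's
# status 0 when nothing matches, so it is safe to call under "set -e".
freshclam_problems() {
    grep -E '(ERROR|WARNING): ' || :
}

# Print the most recent line reporting a database as updated or up-to-date.
freshclam_last_ok() {
    grep -E '(is up-to-date|updated) \(version' | tail -n 1
}

# Verdict: "errors" if problems were logged, "ok" if an update or up-to-date
# line exists and nothing failed, "no-update" if the log shows neither.
freshclam_health() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -qE '(ERROR|WARNING): '; then
        echo "errors"
    elif printf '%s\n' "$log" | grep -qE '(is up-to-date|updated) \(version'; then
        echo "ok"
    else
        echo "no-update"
    fi
}

# Constructed sample logs (not copied from a real system): dates, versions,
# signature counts and the mirror host are made up for this example.
SAMPLE_LOG_OK='Mon Jan  8 10:00:00 2024 -> ClamAV update process started at Mon Jan  8 10:00:00 2024
Mon Jan  8 10:00:01 2024 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Mon Jan  8 10:00:03 2024 -> daily.cld updated (version: 27144, sigs: 2040000, f-level: 90, builder: raynman)'

SAMPLE_LOG_ERR='Mon Jan  8 11:00:00 2024 -> ClamAV update process started at Mon Jan  8 11:00:00 2024
Mon Jan  8 11:00:01 2024 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Mon Jan  8 11:00:05 2024 -> ERROR: Cannot download daily.cvd from https://database.example.invalid/daily.cvd
Mon Jan  8 11:00:05 2024 -> WARNING: Update of daily.cvd failed, keeping the existing database'

# Demo on the constructed logs.
printf '%s\n' "$SAMPLE_LOG_ERR" | freshclam_problems
printf '%s\n' "$SAMPLE_LOG_OK" | freshclam_last_ok
printf 'health: %s\n' "$(printf '%s\n' "$SAMPLE_LOG_ERR" | freshclam_health)"
```

On a real system, feed the live log to the verdict function, for example `freshclam_health < /var/log/clamav/freshclam.log`, and alert on anything other than "ok". Because the log accumulates, a long-running host may carry an old ERROR line from a transient mirror problem; in that case restrict the input to recent lines (for instance with `tail -n 50`) so the verdict reflects the latest update run rather than history.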

You can also monitor the ClamAV service status using the 'clamdtop' command.

clamdtop


Official website | Official documentation