Configure ClamAV to Detect Malware on Linux

Step-by-step guide to installing and configuring ClamAV on Linux

ClamAV: Open-Source Antivirus Engine

What is ClamAV?

ClamAV is an open-source antivirus engine designed for detecting trojans, viruses, malware, and other malicious threats. It is widely used in email gateways, file scanning systems, and enterprise-level malware detection. The project is maintained by Cisco Talos.

ClamAV Features

  1. Open-source standard: ClamAV is the de facto open-source standard for mail gateway scanning software.
  2. High performance: includes a multi-threaded scanner daemon (clamd), command-line utilities for on-demand file scanning (clamscan, and clamdscan for scanning through the daemon), and automatic signature updates (freshclam).
  3. Versatile: supports many file formats and signature languages, and unpacks files and archives, including popular formats such as ZIP, RAR, and TAR.
  4. Cross-platform: ClamAV builds are available for Linux, Windows, and macOS.

How to Install ClamAV

  1. Install the ClamAV package:
  • Install on Arch Linux:

      sudo pacman -Syu
      sudo pacman -S clamav

  • Install on Ubuntu:

      sudo apt update
      sudo apt install clamav clamav-daemon

  2. Configure ClamAV:

    • Download the signature database (clamd refuses to start without one, so do this before enabling the daemon):

      sudo freshclam

      On Ubuntu the package also installs and starts the clamav-freshclam service, which runs freshclam in the background; a manual run then fails with an error about the log file being locked by another process. Either let the service do the update (check its progress with journalctl -u clamav-freshclam) or stop it first with sudo systemctl stop clamav-freshclam. On Arch Linux, enable clamav-freshclam.service to get the same unattended updates.

    • Review /etc/clamav/clamd.conf before starting the daemon. The settings that matter most are LocalSocket (the Unix socket that clamdscan and other clients connect to; on Ubuntu it is /var/run/clamav/clamd.ctl), User (the unprivileged account clamd drops to, normally clamav) and DatabaseDirectory (where freshclam puts the signature files; it must match the setting in freshclam.conf). Keep the daemon running as clamav: when it has to scan files that user cannot read, have the client hand over an open descriptor with clamdscan --fdpass rather than relaxing file permissions or running clamd as root.

  3. Start the ClamAV daemon. The systemd unit is named clamav-daemon on both Ubuntu and Arch Linux (there is no unit called clamd), so enable and start it with:

      sudo systemctl enable --now clamav-daemon

    Confirm it is up with systemctl status clamav-daemon or journalctl -u clamav-daemon.
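
Once the daemon is up, confirm that the whole chain works: signatures on disk, clamd reachable through its socket, and a known-bad file actually flagged. The script below is an added example written for this post, not part of ClamAV or of the original text. DB_DIR defaults to /var/lib/clamav (the Debian/Ubuntu and Arch default) and is an assumption for other setups. It uses the EICAR test string, a harmless 68-byte ASCII file that every scanner is expected to detect, and reads the verdict from clamdscan's exit code instead of parsing its text.

```shell
#!/bin/sh
# Added example (not from the original post): post-install health check for ClamAV.
# DB_DIR is the Debian/Ubuntu and Arch default; override it if your
# DatabaseDirectory setting differs (assumption).
DB_DIR="${DB_DIR:-/var/lib/clamav}"

# Print the path of the active daily signature file in directory $1.
# freshclam downloads daily.cvd and, after incremental updates, keeps it as
# daily.cld; normally only one of the two exists, and .cld wins if both do.
# Returns 1 when neither is present (freshclam has never run successfully).
sigdb_file() {
    dir="$1"
    if [ -f "$dir/daily.cld" ]; then
        echo "$dir/daily.cld"
    elif [ -f "$dir/daily.cvd" ]; then
        echo "$dir/daily.cvd"
    else
        return 1
    fi
}

# Write the EICAR standard anti-malware test file into directory $1 and print
# its path. The content is the published 68-byte test string, not malware.
eicar_file() {
    f="$1/eicar.com"
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' >"$f"
    echo "$f"
}

# Run the checks: signature DB present, daemon answering, EICAR detected.
# clamdscan goes through clamd, so a pass also proves the socket and the
# daemon's configuration; --fdpass passes an open descriptor so the clamav
# user does not need read access to the temporary file.
run_checks() {
    db=$(sigdb_file "$DB_DIR") || {
        echo "FAIL: no daily signature file in $DB_DIR; run freshclam first"
        return 1
    }
    echo "signatures: $db"
    sigtool --info="$db" 2>/dev/null | grep -E '^(Version|Build time)' || true

    tmp=$(mktemp -d)
    f=$(eicar_file "$tmp")
    clamdscan --fdpass --no-summary "$f"
    rc=$?
    rm -rf "$tmp"
    # clamdscan exit codes: 0 clean, 1 threat found, 2 error.
    case "$rc" in
        1) echo "OK: daemon reachable and EICAR detected" ;;
        0) echo "FAIL: EICAR scanned but not detected (stale or missing signatures?)"; return 1 ;;
        *) echo "FAIL: clamdscan error (exit $rc): is clamav-daemon running and its socket readable?"; return 1 ;;
    esac
}

if [ "${1:-}" = run ]; then
    run_checks
fi
```

Run it as sh clamav-check.sh run. On Ubuntu the socket is only accessible to root and the clamav group, so run the check with sudo or add your user to that group. Note that exit code 1 from clamdscan is the success case here: it means "threat found", which is what the test file is for.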
    

How to Use ClamAV

Running a Scan

You can run a simple scan on any directory or file with the clamscan command. clamscan loads the whole signature database itself on every invocation, which costs time and memory; on a host where clamav-daemon is running, clamdscan submits the same paths to the already-loaded daemon and is the better choice for frequent scans:

  clamscan -r /path/to/directory

  • The -r flag enables recursive scanning of subdirectories.
  • The exit status is what scripts and cron jobs should check: 0 means nothing was found, 1 means at least one file was flagged, and 2 means an error occurred (a missing database, a bad option, or files clamscan could not open).

Scan Options

ClamAV provides several options to fine-tune a clamscan run (when scanning through clamdscan, the last two below are clamd.conf settings instead, ScanArchive and MaxFileSize):

  • --infected: Only print files that were flagged; by default every clean file is listed too, with an OK suffix.

    clamscan --infected /path/to/directory

  • --remove: Delete flagged files as soon as they are found. This is irreversible, and a false positive on a system library or a customer's upload is expensive, so in practice prefer --move=DIR (or --copy=DIR), which quarantines the file into a directory only root can read; a false positive can then be restored and a real sample kept for analysis.

    clamscan --remove /path/to/directory

  • --no-summary: Suppress the summary block at the end, useful when another program parses the output.

    clamscan --no-summary /path/to/directory

  • --stdout: Write all messages to standard output instead of standard error, so a single redirect captures the whole report in a log file.

    clamscan --stdout /path/to/directory

  • --scan-archive: Scan files inside archives (ZIP, RAR, etc.). Archive scanning is already on by default; the useful form is --scan-archive=no to skip it, for instance on a large backup tree whose contents were scanned before they were packed. --max-files and --max-recursion bound how far the unpacking goes.

    clamscan --scan-archive /path/to/directory

  • --max-filesize: Skip files larger than the given size. Skipped files are reported as clean rather than as errors, so a low limit trades coverage for speed; --max-scansize is the matching limit on how much data is extracted from one archive.

    clamscan --max-filesize=10M /path/to/directory

How to Set Up Automatic Updates with Cron

To keep ClamAV's signature database current you can run freshclam from cron, but first check whether you need to: on Ubuntu the clamav-freshclam service already runs freshclam as a background daemon that checks the mirrors periodically, and on Arch Linux clamav-freshclam.service does the same once enabled. A cron job alongside the service gives you two updaters fighting over the same log file lock and database directory; pick one. If you do use cron, the job must run as root or as the clamav user, because the database directory is owned by clamav.

  1. Open root's crontab editor:

    sudo crontab -e

  2. Add a line to run freshclam every hour:

    0 * * * * /usr/bin/freshclam --quiet

This runs freshclam once an hour, which is as often as the ClamAV project asks you to check; freshclam first queries a DNS TXT record for the current database version and only downloads when something has changed. --quiet silences routine output, so cron only mails you when an update fails.

Save and close the crontab file.

Example Cron Job for Running Scans

If you want regular scans, schedule clamscan from cron as well. For example, to scan a directory every day at 2 a.m.:

Open the crontab editor (use sudo crontab -e when the directory contains files your own user cannot read; clamscan cannot scan what it is not allowed to open and reports such files as errors in the summary):

  crontab -e

Add a cron job for daily scans:

  0 2 * * * clamscan -r /path/to/directory --infected > ~/clamav/$(date +\%F)_clamav_scan.log 2>&1

This scans the directory every day at 2 a.m. and writes only the flagged files and the summary, plus any errors thanks to 2>&1, to a dated log under ~/clamav/. Two details matter: the ~/clamav directory must already exist (cron will not create it), and the backslash in \%F is required because cron treats a bare % in a command as a newline. The job does not remove anything; add --move=DIR if you want automatic quarantining, and avoid --remove for the reasons given above. Because clamscan exits with status 1 whenever it flags a file, cron reports the job as failed on those days, which is exactly when you want to be told.
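
Putting the scan and cron steps together: the wrapper below is an added example for this post, not code from ClamAV or from the original author. It does what the cron line above does, with the corrections a practitioner would want baked in: it quarantines with --move instead of deleting, appends to a dated log, reports clamscan's exit status as a word, and pulls the flagged paths out of the report so a follow-up step (ticket, alert, log shipper) gets a clean list. SCAN_DIR, LOG_DIR and QUARANTINE are assumed paths; the sample report inside the script is constructed, not real scan output, and exists only so the parsing helpers can be exercised without ClamAV installed.

```shell
#!/bin/sh
# Added example (not from the original post): cron-friendly wrapper around clamscan.
# All three paths are assumptions; override them via the environment or edit them.
SCAN_DIR="${SCAN_DIR:-/path/to/directory}"
LOG_DIR="${LOG_DIR:-/var/log/clamav-scans}"
QUARANTINE="${QUARANTINE:-/var/lib/clamav-quarantine}"

# clamscan's documented exit codes: 0 nothing found, 1 threat(s) found,
# 2 an error occurred (unreadable files, missing database, bad option).
scan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# clamscan prints one "<path>: <signature> FOUND" line per detection.
# Count those lines in a report read from stdin; prints 0 (not nothing)
# when there are none, since grep -c exits 1 on zero matches.
count_found() {
    grep -c ': .* FOUND$' || true
}

# Print only the paths of the detections in a report read from stdin.
# Signature names contain no colons, so stripping ": <sig> FOUND" is safe
# even when the path itself contains one.
found_files() {
    sed -n 's/: [^:]* FOUND$//p'
}

# Constructed sample of a clamscan --infected report (not real scan output),
# kept here so the helpers above can be tried without running clamscan.
SAMPLE_REPORT='/srv/www/uploads/invoice.pdf.exe: Win.Test.EICAR_HDB-1 FOUND
/home/alice/downloads/setup.bin: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8701234
Engine version: 1.0.5
Scanned files: 1342
Infected files: 2'

# Scan SCAN_DIR, quarantine hits, append the full report to a dated log and
# print a single summary line for cron's mail. Returns clamscan's own status
# so cron still sees the job as failed on days something was found.
run_scan() {
    mkdir -p "$LOG_DIR" "$QUARANTINE"
    chmod 700 "$QUARANTINE"   # nothing else on the host can read or run what lands here
    log="$LOG_DIR/$(date +%F)_clamav_scan.log"
    # -r recurse; --infected report only hits; --move quarantine rather than
    # --remove; --stdout so the report and any errors land in the same log.
    clamscan -r --infected --stdout --move="$QUARANTINE" "$SCAN_DIR" >>"$log" 2>&1
    rc=$?
    printf '%s clamscan %s status=%s found=%s log=%s\n' \
        "$(date +%FT%T)" "$SCAN_DIR" "$(scan_status "$rc")" "$(count_found <"$log")" "$log"
    found_files <"$log"
    return "$rc"
}

if [ "${1:-}" = run ]; then
    run_scan
fi
```

Install it as /usr/local/bin/clamav-scan.sh and schedule it from root's crontab with 0 2 * * * /usr/local/bin/clamav-scan.sh run; running as root is what lets it read every file, and the quarantine directory is created mode 0700 so a moved sample cannot be executed or served by anything else on the host. Only the summary line and the flagged paths go to cron's stdout, so the cron mail stays short while the full report lives in the log.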

This post is licensed under CC BY 4.0 by the author.