Using ClamAV to Scan for Viruses in Linux

A popular and easy to use tool for detecting virus infections on Linux systems is Clam AV. It’s open source and free, and works on many Linux systems, including Ubuntu and Fedora. In this article, we will see how to install and use the tool on Ubuntu, Linux Mint and related systems.

Install ClamAV on Linux Mint

The first step of installation Clam AV on Ubuntu, Mint and related distros should be updating your system.

$ sudo apt update && sudo apt upgrade -y

After that you can install Clam AV and verify the installation with commands like these:

$ sudo apt-get install clamav clamav-daemon
$ clamscan --version
ClamAV 0.103.5/26469/Wed Mar  2 04:27:25 2-22

ClamAV Commands

Clam AVThe tools are clams do the scan and fresh clams to update the list of known virus signatures.

To start running fresh clams as a service you need to run a command like this:

$ sudo systemctl start clamav-freshclam

Using the Freshclam Service

To update virus signatures, you can use the fresh clams tool like this:

$ sudo freshclam
ClamAV update process started at Thu Mar  3 11:58:21 2022
daily.cld database is up-to-date (version: 26470, sigs: 1975358, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)

To see the fresh clams service, use a command like this:

$ systemctl | grep clam
  clamav-freshclam.service           loaded active running ClamAV virus database updater

You can also use the -D (Where —Devil) Option with fresh clams. It will then run 12 checks per day by default. The process you see should look like this:

$ ps -ef | grep freshclam
clamupd+ 2536188       1  0 Mar03 ?        00:00:02 /usr/bin/freshclam -d --foreground=true

This means that you will get frequent virus signature updates without having to install them yourself.

ClamAV Options

Clam AV is extremely easy to use and examines individual files in the directory you point it to. It will report files and directories scanned and the number of infections. Depending on the size of a directory you ask it to scan, it can return results fairly quickly or take hours to run.

Here are some of the options and what they do:

  • –verbose: displays the version of the tool
  • –infected: show only infected files
  • –quiet: list error messages only
  • –remove: remove infected files
  • –recursive: ensures that all subdirectories of the directory will be scanned
  • –move: move infected files to the specified directory

A command like the one shown below examines a single user account. As you can see, it took almost half an hour to run, scanned 940 directories and almost 34,000 files, but found no infected files. Without file system location, clams will examine the current filesystem.

$ clamscan --infected --remove --recursive /home/jdoe

----------- SCAN SUMMARY -----------
Known viruses: 8607279
Engine version: 0.103.5
Scanned directories: 940
Scanned files: 33946
Infected files: 0
Data scanned: 3147.79 MB
Data read: 1735.15 MB (ratio 1.81:1)
Time: 1734.069 sec (28 m 54 s)
Start Date: 2022:03:02 14:47:09
End Date:   2022:03:02 15:16:03

the clams report also shows you how long it took to run with start and end times.

Without the recursive option, clams would only look at files in the specified directly, but would not go deeper into the filesystem. In the command below, clams didn’t look at subdirectories, so it only looked at 39 files.

$ clamscan --infected --remove /home/jdoe

----------- SCAN SUMMARY -----------
Known viruses: 8607279
Engine version: 0.103.5
Scanned directories: 1
Scanned files: 39
Infected files: 0
Data scanned: 242.30 MB
Data read: 164.58 MB (ratio 1.47:1)
Time: 107.981 sec (1 m 47 s)
Start Date: 2022:03:02 15:18:47
End Date:   2022:03:02 15:20:35

Keep in mind that Clam AV does not sanitize files. It only deletes them from the system or moves them to a specified location. It also does not monitor infections. It scans when you ask for it and stays idle otherwise.

To view version information, use the -v (Where –version).

$ clamscan --version
ClamAV 0.103.5/26470/Thu Mar  3 04:49:16 2022

Run the same command the next day and the report should show updates:

$ clamscan --version
ClamAV 0.103.5/26471/Fri Mar  4 04:24:47 2022

Numbers 26470 and 26471 in the above output show the version of the signatures that allow clams recognize viruses while the version of the clams the tool itself is 0.103.5.

the clams report below includes information that can help you see that updates are in progress as well as details about what the tool has detected:

$ sudo clamscan --infected --remove --recursive /home/nemo

----------- SCAN SUMMARY -----------
Known viruses: 8607429	<== larger number confirms updates
Engine version: 0.103.5	<== release
Scanned directories: 39
Scanned files: 2145
Infected files: 	<== no infected files
Data scanned: 4.68 MB
Data read: 9.21 MB (ratio 0.51:1)
Time: 52.778 sec (0 m 52 s)	<== under 1 minute
Start Date: 2022:03:04 10:15:43
End Date:   2022:03:04 10:16:36

An important thing to keep in mind is that clams can only read files that the user running the tool can read, so using sudo is generally required.

Join the Network World communities on Facebook and LinkedIn to comment on topics that matter to you.

Copyright © 2022 IDG Communications, Inc.

Source link

Steven L. Nielsen