What is ClamAV®?
ClamAV® is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.
ClamAV® can be easily installed from the terminal on your Ubuntu server:
root@gs2:~# apt-get install clamav
Once ClamAV® is installed, the first thing you have to do is update the virus definitions with:
root@gs2:~# freshclam
ClamAV update process started at Fri Oct 3 23:42:51 2015
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cld is up to date (version: 20952, sigs: 1589971, f-level: 63, builder: jesler)
bytecode.cld is up to date (version: 268, sigs: 47, f-level: 63, builder: anvilleg)
root@gs2:~#
Then you can scan for viruses.
For example:
• To check all files on the computer, displaying the name of each file:
root@gs2:~# clamscan -r /
----------- SCAN SUMMARY -----------
Known viruses: 4008679
Engine version: 0.98.7
Scanned directories: 23613
Scanned files: 92730
Infected files: 0
Total errors: 11692
Data scanned: 2375.55 MB
Data read: 2647.36 MB (ratio 0.90:1)
Time: 2464.365 sec (41 m 4 s)
root@gs2:~#
• To check all files on the computer, but only display infected files and ring a bell when one is found:
root@gs2:~# clamscan -r --bell -i /
----------- SCAN SUMMARY -----------
Known viruses: 4008679
Engine version: 0.98.7
Scanned directories: 23613
Scanned files: 92730
Infected files: 0
Total errors: 11692
Data scanned: 2375.55 MB
Data read: 2647.36 MB (ratio 0.90:1)
Time: 2360.552 sec (39 m 20 s)
root@gs2:~#
• To check files in all users' home directories:
root@gs2:~# clamscan -r /home
----------- SCAN SUMMARY -----------
Known viruses: 4008676
Engine version: 0.98.7
Scanned directories: 9
Scanned files: 26
Infected files: 0
Data scanned: 36.14 MB
Data read: 499.79 MB (ratio 0.07:1)
Time: 15.731 sec (0 m 15 s)
root@gs2:/home/sibgen#
• To check files in the USER home directory and move infected files to another folder:
root@gs2:~# clamscan -r --move=/tmp/home/sibgen/virus /home/sibgen
----------- SCAN SUMMARY -----------
Known viruses: 4008676
Engine version: 0.98.7
Scanned directories: 8
Scanned files: 26
Infected files: 0
Data scanned: 36.14 MB
Data read: 499.79 MB (ratio 0.07:1)
Time: 15.050 sec (0 m 15 s)
root@gs2:/home/sibgen#
• To check files in the USER home directory and remove infected files (WARNING: the files are gone for good):
root@gs2:~# clamscan -r --remove /home/sibgen
----------- SCAN SUMMARY -----------
Known viruses: 4008676
Engine version: 0.98.7
Scanned directories: 8
Scanned files: 26
Infected files: 0
Data scanned: 36.14 MB
Data read: 499.79 MB (ratio 0.07:1)
Time: 15.050 sec (0 m 15 s)
root@gs2:/home/sibgen#
• To see more options:
root@gs2:~# clamscan --help
Clam AntiVirus Scanner 0.98.7
By The ClamAV Team: http://www.clamav.net/about.html#credits
(C) 2007-2009 Sourcefire, Inc.

--help -h  Print this help screen
--version -V  Print version number
--verbose -v  Be verbose
--archive-verbose -a  Show filenames inside scanned archives
--debug  Enable libclamav's debug messages
--quiet  Only output error messages
--stdout  Write to stdout instead of stderr
--no-summary  Disable summary at end of scanning
--infected -i  Only print infected files
--suppress-ok-results -o  Skip printing OK files
--bell  Sound bell on virus detection
--tempdir=DIRECTORY  Create temporary files in DIRECTORY
--leave-temps[=yes/no(*)]  Do not remove temporary files
--database=FILE/DIR -d FILE/DIR  Load virus database from FILE or load all supported db files from DIR
--official-db-only[=yes/no(*)]  Only load official signatures
--log=FILE -l FILE  Save scan report to FILE
--recursive[=yes/no(*)] -r  Scan subdirectories recursively
--allmatch[=yes/no(*)] -z  Continue scanning within file after finding a match
--cross-fs[=yes(*)/no]  Scan files and directories on other filesystems
--follow-dir-symlinks[=0/1(*)/2]  Follow directory symlinks (0 = never, 1 = direct, 2 = always)
--follow-file-symlinks[=0/1(*)/2]  Follow file symlinks (0 = never, 1 = direct, 2 = always)
--file-list=FILE -f FILE  Scan files from FILE
--remove[=yes/no(*)]  Remove infected files. Be careful!
--move=DIRECTORY  Move infected files into DIRECTORY
--copy=DIRECTORY  Copy infected files into DIRECTORY
--exclude=REGEX  Don't scan file names matching REGEX
--exclude-dir=REGEX  Don't scan directories matching REGEX
--include=REGEX  Only scan file names matching REGEX
--include-dir=REGEX  Only scan directories matching REGEX
--bytecode[=yes(*)/no]  Load bytecode from the database
--bytecode-unsigned[=yes/no(*)]  Load unsigned bytecode
--bytecode-timeout=N  Set bytecode timeout (in milliseconds)
--bytecode-statistics[=yes/no(*)]  Collect and print bytecode statistics
--detect-pua[=yes/no(*)]  Detect Possibly Unwanted Applications
--exclude-pua=CAT  Skip PUA sigs of category CAT
--include-pua=CAT  Load PUA sigs of category CAT
--detect-structured[=yes/no(*)]  Detect structured data (SSN, Credit Card)
--structured-ssn-format=X  SSN format (0=normal,1=stripped,2=both)
--structured-ssn-count=N  Min SSN count to generate a detect
--structured-cc-count=N  Min CC count to generate a detect
--scan-mail[=yes(*)/no]  Scan mail files
--phishing-sigs[=yes(*)/no]  Signature-based phishing detection
--phishing-scan-urls[=yes(*)/no]  URL-based phishing detection
--heuristic-scan-precedence[=yes/no(*)]  Stop scanning as soon as a heuristic match is found
--phishing-ssl[=yes/no(*)]  Always block SSL mismatches in URLs (phishing module)
--phishing-cloak[=yes/no(*)]  Always block cloaked URLs (phishing module)
--partition-intersection[=yes/no(*)]  Detect partition intersections in raw disk images using heuristics.
--algorithmic-detection[=yes(*)/no]  Algorithmic detection
--scan-pe[=yes(*)/no]  Scan PE files
--scan-elf[=yes(*)/no]  Scan ELF files
--scan-ole2[=yes(*)/no]  Scan OLE2 containers
--scan-pdf[=yes(*)/no]  Scan PDF files
--scan-swf[=yes(*)/no]  Scan SWF files
--scan-html[=yes(*)/no]  Scan HTML files
--scan-archive[=yes(*)/no]  Scan archive files (supported by libclamav)
--detect-broken[=yes/no(*)]  Try to detect broken executable files
--block-encrypted[=yes/no(*)]  Block encrypted archives
--nocerts  Disable authenticode certificate chain verification in PE files
--dumpcerts  Dump authenticode certificate chain in PE files
--max-filesize=#n  Files larger than this will be skipped and assumed clean
--max-scansize=#n  The maximum amount of data to scan for each container file (**)
--max-files=#n  The maximum number of files to scan for each container file (**)
--max-recursion=#n  Maximum archive recursion level for container file (**)
--max-dir-recursion=#n  Maximum directory recursion level
--max-embeddedpe=#n  Maximum size file to check for embedded PE
--max-htmlnormalize=#n  Maximum size of HTML file to normalize
--max-htmlnotags=#n  Maximum size of normalized HTML file to scan
--max-scriptnormalize=#n  Maximum size of script file to normalize
--max-ziptypercg=#n  Maximum size zip to type reanalyze
--max-partitions=#n  Maximum number of partitions in disk image to be scanned
--max-iconspe=#n  Maximum number of icons in PE file to be scanned
--enable-stats  Enable statistical reporting of malware
--disable-pe-stats  Disable submission of individual PE sections in stats submissions
--stats-timeout=#n  Number of seconds to wait for waiting a response back from the stats server
--stats-host-id=UUID  Set the Host ID used when submitting statistical info.

(*) Default scan settings
(**) Certain files (e.g. documents, archives, etc.) may in turn contain other files inside. The above options ensure safe processing of this kind of data.
root@gs2:~#
ClamAV® virus definitions update automatically every 2 hours by default, so it is recommended to keep running the latest virus definitions in order to keep your server secure at all times. To automate this task using freshclam, create a shell script called freshclam.sh:
root@gs2:/usr/local/bin# vi freshclam.sh
Press i to insert text, then copy and paste this text into your freshclam.sh shell script:
#!/bin/sh
# Automate : ClamAV® Virus definitions update
# Author   : Geneva Sibanda under GPL v.2.x+
# ------------------------------------------
/usr/bin/freshclam --quiet
exit 0
To save and exit from vi, press the [Esc] key on your keyboard, then type :wq! (colon, w, q, !) and press Enter.
Then set up a cronjob that updates the virus definitions every 3 hours by calling the freshclam script created above (a crontab entry has five time fields followed by the command):
0 0-23/3 * * * bash /usr/local/bin/freshclam.sh
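The update and scan steps above combined into one script that a cron job can call, as an added example that is not from the original post. It takes three paths as arguments (directory to scan, quarantine directory, log file), all of them assumptions; it uses --move into a quarantine directory rather than --remove, and reads clamscan's documented exit status (0 clean, 1 infected, 2 error) so the result can be reported rather than lost in cron output.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the freshclam + clamscan
# steps above for use from cron. Quarantines hits with --move instead of
# --remove and reports the result via clamscan's exit status. The three paths
# it takes (scan dir, quarantine dir, log file) are assumed placeholders.

# clamscan exit status as documented in the clamscan man page:
#   0 = no virus found, 1 = virus(es) found, 2 = some error(s) occurred
scan_status_message() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected" ;;
        2) echo "error" ;;
        *) echo "unknown status $1" ;;
    esac
}

# Pull "Infected files: N" from a clamscan SCAN SUMMARY read on stdin.
# Uses the last summary (--log appends) and prints 0 if there is none.
infected_count() {
    n=$(sed -n 's/^Infected files: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    echo "${n:-0}"
}

# True (exit 0) when someone should look at the result: a hit or a scan error.
needs_attention() {
    [ "$1" -eq 1 ] || [ "$1" -eq 2 ]
}

run_scan() {
    scan_dir="$1"; quarantine="$2"; log="$3"
    mkdir -p "$quarantine" && chmod 700 "$quarantine"   # keep quarantined files private
    /usr/bin/freshclam --quiet                          # refresh signatures first, as in the post
    # -r recurse, -i print only infected files, --move quarantine instead of delete
    if clamscan -r -i --move="$quarantine" --log="$log" "$scan_dir"; then
        status=0
    else
        status=$?
    fi
    echo "scan of $scan_dir: $(scan_status_message "$status"), $(infected_count < "$log") infected file(s), report in $log"
    return "$status"
}

# Usage: sh clamscan-wrapper.sh /home /var/quarantine /var/log/clamscan.log
# A scan only runs when all three arguments are given; otherwise the file just
# defines the functions above.
if [ "$#" -eq 3 ]; then
    run_scan "$1" "$2" "$3"
fi
```

Because the script returns clamscan's own status, a cron entry such as `0 2 * * * sh /usr/local/bin/clamscan-wrapper.sh /home /var/quarantine /var/log/clamscan.log` will mail you the one-line result whenever a hit or an error occurs.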
Till next time. Take Your Server Security very seriously.
NB: Remember that it is your responsibility to keep your server secure, and you can also install a firewall. A firewall can help you block incoming and outgoing ports as well as block brute force login attempts.