How to install ClamAV on Ubuntu Server

By | October 3, 2015

What is ClamAV®?

ClamAV® is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.

ClamAV® can be easily installed from the Terminal on your Ubuntu Server:

root@gs2:~# apt-get install clamav

Once ClamAV® is installed, the first thing you have to do is update the virus definitions with:

root@gs2:~# freshclam
ClamAV update process started at Fri Oct  3 23:42:51 2015
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cld is up to date (version: 20952, sigs: 1589971, f-level: 63, builder: jesler)
bytecode.cld is up to date (version: 268, sigs: 47, f-level: 63, builder: anvilleg)
root@gs2:~#

Then you can scan for viruses.

For Example:

• To check all files on the computer, displaying the name of each file:

root@gs2:~# clamscan -r /


----------- SCAN SUMMARY -----------
Known viruses: 4008679
Engine version: 0.98.7
Scanned directories: 23613
Scanned files: 92730
Infected files: 0
Total errors: 11692
Data scanned: 2375.55 MB
Data read: 2647.36 MB (ratio 0.90:1)
Time: 2464.365 sec (41 m 4 s)
root@gs2:~#

• To check all files on the computer, but only display infected files and ring a bell when one is found:

root@gs2:~# clamscan -r --bell -i /

----------- SCAN SUMMARY -----------
Known viruses: 4008679
Engine version: 0.98.7
Scanned directories: 23613
Scanned files: 92730
Infected files: 0
Total errors: 11692
Data scanned: 2375.55 MB
Data read: 2647.36 MB (ratio 0.90:1)
Time: 2360.552 sec (39 m 20 s)
root@gs2:~#

• To check files in all users' home directories:

root@gs2:~# clamscan -r /home

----------- SCAN SUMMARY -----------
Known viruses: 4008676
Engine version: 0.98.7
Scanned directories: 9
Scanned files: 26
Infected files: 0
Data scanned: 36.14 MB
Data read: 499.79 MB (ratio 0.07:1)
Time: 15.731 sec (0 m 15 s)
root@gs2:/home/sibgen#

• To check files in a user's home directory and move infected files to another folder:

root@gs2:~# clamscan -r --move=/tmp/home/sibgen/virus /home/sibgen

----------- SCAN SUMMARY -----------
Known viruses: 4008676
Engine version: 0.98.7
Scanned directories: 8
Scanned files: 26
Infected files: 0
Data scanned: 36.14 MB
Data read: 499.79 MB (ratio 0.07:1)
Time: 15.050 sec (0 m 15 s)
root@gs2:/home/sibgen#

• To check files in a user's home directory and remove infected files (WARNING: the files are gone for good):

root@gs2:~# clamscan -r --remove /home/sibgen

----------- SCAN SUMMARY -----------
Known viruses: 4008676
Engine version: 0.98.7
Scanned directories: 8
Scanned files: 26
Infected files: 0
Data scanned: 36.14 MB
Data read: 499.79 MB (ratio 0.07:1)
Time: 15.050 sec (0 m 15 s)
root@gs2:/home/sibgen#

• To see more options:

root@gs2:~# clamscan --help


                       Clam AntiVirus Scanner 0.98.7
           By The ClamAV Team: http://www.clamav.net/about.html#credits
           (C) 2007-2009 Sourcefire, Inc.

    --help                -h             Print this help screen
    --version             -V             Print version number
    --verbose             -v             Be verbose
    --archive-verbose     -a             Show filenames inside scanned archives
    --debug                              Enable libclamav's debug messages
    --quiet                              Only output error messages
    --stdout                             Write to stdout instead of stderr
    --no-summary                         Disable summary at end of scanning
    --infected            -i             Only print infected files
    --suppress-ok-results -o             Skip printing OK files
    --bell                               Sound bell on virus detection

    --tempdir=DIRECTORY                  Create temporary files in DIRECTORY
    --leave-temps[=yes/no(*)]            Do not remove temporary files
    --database=FILE/DIR   -d FILE/DIR    Load virus database from FILE or load
                                         all supported db files from DIR
    --official-db-only[=yes/no(*)]       Only load official signatures
    --log=FILE            -l FILE        Save scan report to FILE
    --recursive[=yes/no(*)]  -r          Scan subdirectories recursively
    --allmatch[=yes/no(*)]   -z          Continue scanning within file after finding a match
    --cross-fs[=yes(*)/no]               Scan files and directories on other filesystems
    --follow-dir-symlinks[=0/1(*)/2]     Follow directory symlinks (0 = never, 1 = direct, 2 = always)
    --follow-file-symlinks[=0/1(*)/2]    Follow file symlinks (0 = never, 1 = direct, 2 = always)
    --file-list=FILE      -f FILE        Scan files from FILE
    --remove[=yes/no(*)]                 Remove infected files. Be careful!
    --move=DIRECTORY                     Move infected files into DIRECTORY
    --copy=DIRECTORY                     Copy infected files into DIRECTORY
    --exclude=REGEX                      Don't scan file names matching REGEX
    --exclude-dir=REGEX                  Don't scan directories matching REGEX
    --include=REGEX                      Only scan file names matching REGEX
    --include-dir=REGEX                  Only scan directories matching REGEX

    --bytecode[=yes(*)/no]               Load bytecode from the database
    --bytecode-unsigned[=yes/no(*)]      Load unsigned bytecode
    --bytecode-timeout=N                 Set bytecode timeout (in milliseconds)
    --bytecode-statistics[=yes/no(*)]    Collect and print bytecode statistics
    --detect-pua[=yes/no(*)]             Detect Possibly Unwanted Applications
    --exclude-pua=CAT                    Skip PUA sigs of category CAT
    --include-pua=CAT                    Load PUA sigs of category CAT
    --detect-structured[=yes/no(*)]      Detect structured data (SSN, Credit Card)
    --structured-ssn-format=X            SSN format (0=normal,1=stripped,2=both)
    --structured-ssn-count=N             Min SSN count to generate a detect
    --structured-cc-count=N              Min CC count to generate a detect
    --scan-mail[=yes(*)/no]              Scan mail files
    --phishing-sigs[=yes(*)/no]          Signature-based phishing detection
    --phishing-scan-urls[=yes(*)/no]     URL-based phishing detection
    --heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found
    --phishing-ssl[=yes/no(*)]           Always block SSL mismatches in URLs (phishing module)
    --phishing-cloak[=yes/no(*)]         Always block cloaked URLs (phishing module)
    --partition-intersection[=yes/no(*)] Detect partition intersections in raw disk images using heuristics.
    --algorithmic-detection[=yes(*)/no]  Algorithmic detection
    --scan-pe[=yes(*)/no]                Scan PE files
    --scan-elf[=yes(*)/no]               Scan ELF files
    --scan-ole2[=yes(*)/no]              Scan OLE2 containers
    --scan-pdf[=yes(*)/no]               Scan PDF files
    --scan-swf[=yes(*)/no]               Scan SWF files
    --scan-html[=yes(*)/no]              Scan HTML files
    --scan-archive[=yes(*)/no]           Scan archive files (supported by libclamav)
    --detect-broken[=yes/no(*)]          Try to detect broken executable files
    --block-encrypted[=yes/no(*)]        Block encrypted archives
    --nocerts                            Disable authenticode certificate chain verification in PE files
    --dumpcerts                          Dump authenticode certificate chain in PE files

    --max-filesize=#n                    Files larger than this will be skipped and assumed clean
    --max-scansize=#n                    The maximum amount of data to scan for each container file (**)
    --max-files=#n                       The maximum number of files to scan for each container file (**)
    --max-recursion=#n                   Maximum archive recursion level for container file (**)
    --max-dir-recursion=#n               Maximum directory recursion level
    --max-embeddedpe=#n                  Maximum size file to check for embedded PE
    --max-htmlnormalize=#n               Maximum size of HTML file to normalize
    --max-htmlnotags=#n                  Maximum size of normalized HTML file to scan
    --max-scriptnormalize=#n             Maximum size of script file to normalize
    --max-ziptypercg=#n                  Maximum size zip to type reanalyze
    --max-partitions=#n                  Maximum number of partitions in disk image to be scanned
    --max-iconspe=#n                     Maximum number of icons in PE file to be scanned
    --enable-stats                       Enable statistical reporting of malware
    --disable-pe-stats                   Disable submission of individual PE sections in stats submissions
    --stats-timeout=#n                   Number of seconds to wait for waiting a response back from the stats server
    --stats-host-id=UUID                 Set the Host ID used when submitting statistical info.

(*) Default scan settings
(**) Certain files (e.g. documents, archives, etc.) may in turn contain other
   files inside. The above options ensure safe processing of this kind of data.
root@gs2:~#
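Each of the scans above ends with a SCAN SUMMARY, and clamscan also sets an exit status the caller can act on (0 no virus found, 1 virus found, 2 error, per clamscan(1)). The following wrapper is an added example for unattended use and is not code from the original post: it skips /proc, /sys and /dev, which are a common source of the "Total errors" counted on a scan of /, excludes the quarantine directory so moved files are not re-detected on the next run, quarantines with --move rather than --remove, and condenses the exit status plus the summary into one report line. QUARANTINE and LOGFILE are placeholder paths chosen for this example; clamscan is assumed to be installed as shown above.

```shell
#!/bin/sh
# Added example for unattended clamscan runs; not code from the original post.
# Assumptions: clamscan is on PATH; QUARANTINE and LOGFILE are placeholder paths.

QUARANTINE="${QUARANTINE:-/var/quarantine}"
LOGFILE="${LOGFILE:-/var/log/clamav/scan.log}"

# Print the value of one summary line ("Infected files: 0") read from stdin.
# Prints 0 when the line is absent (a clean scan of /home has no "Total errors").
summary_field() {
    awk -v key="$1" -F': ' '$1 == key { print $2; found = 1 }
                            END { if (!found) print 0 }'
}

# Map the clamscan exit status to a word: 0 = no virus, 1 = virus found, 2 = error.
status_word() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# One line suitable for a cron mail or log forwarder, e.g.
#   clamscan /home: clean (infected=0 errors=11692)
# $1 = scanned directory, $2 = clamscan exit status, $3 = file holding the summary
scan_report() {
    dir="$1"; status="$2"; summary="$3"
    printf 'clamscan %s: %s (infected=%s errors=%s)\n' \
        "$dir" "$(status_word "$status")" \
        "$(summary_field 'Infected files' < "$summary")" \
        "$(summary_field 'Total errors' < "$summary")"
}

# Scan a directory tree: quarantine (never delete) matches, skip pseudo-filesystems
# and the quarantine itself, keep the full report in LOGFILE, and return clamscan's
# own exit status so cron or a monitoring agent can distinguish clean/infected/error.
scan_dir() {
    dir="$1"
    summary=$(mktemp)
    mkdir -p "$QUARANTINE"
    clamscan -r -i --stdout --log="$LOGFILE" --move="$QUARANTINE" \
        --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' \
        --exclude-dir="^$QUARANTINE" \
        "$dir" > "$summary"
    status=$?
    scan_report "$dir" "$status" "$summary"
    rm -f "$summary"
    return "$status"
}

# Usage: scan.sh run /home   (the scan only starts when explicitly requested)
if [ "${1:-}" = "run" ]; then
    scan_dir "${2:-/}"
fi
```

Called from cron as `scan.sh run /home`, the exit status (1 for a detection) makes the job visible to whatever watches cron results, and the one-line report is what lands in the cron mail; the full per-file output stays in LOGFILE.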

ClamAV® virus definitions are updated automatically every 2 hours by default, so it is recommended to always run with the latest definitions in order to keep your server secure at all times. To automate this task using freshclam, create a shell script called freshclam.sh:

root@gs2:/usr/local/bin# vi freshclam.sh

Press i to enter insert mode, then copy and paste this text into your freshclam.sh shell script:

#!/bin/sh
# Automate : ClamAV® Virus definitions update
# Author : Geneva Sibanda under GPL v.2.x+
# ------------------------------------------
/usr/bin/freshclam --quiet
exit 0

To save and exit vi, press the [Esc] key, type :wq! and press Enter.

Then set up a cron job that runs the freshclam.sh script created above every 3 hours:

# minute hour day-of-month month day-of-week command
0 0-23/3 * * * bash /usr/local/bin/freshclam.sh
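The freshclam.sh above always exits 0 and runs freshclam unconditionally, so cron never learns whether an update failed. The version below is an added example, not the post's script, of what the cron job can call instead: it first checks whether a freshclam daemon is already running (a second instance started from cron competes with it for the database directory lock), skips the download when the daily signature file is already newer than the cron interval, and records the outcome in syslog through logger(1). DB_DIR is the default ClamAV database directory on Ubuntu; MAX_AGE_MIN is a threshold chosen for this example to match the 3-hour cron schedule.

```shell
#!/bin/sh
# Added example replacement for freshclam.sh; not the original post's script.
# Assumptions: DB_DIR is the default database directory, MAX_AGE_MIN is an
# illustrative threshold, pgrep(1) and logger(1) are available.

DB_DIR="${DB_DIR:-/var/lib/clamav}"
MAX_AGE_MIN="${MAX_AGE_MIN:-180}"   # 3 hours, same as the cron interval

# True (exit 0) if a daily signature file in $1 was modified within the last $2 minutes.
defs_fresh() {
    dir="$1"; max_min="$2"
    [ -n "$(find "$dir" -maxdepth 1 \( -name 'daily.cld' -o -name 'daily.cvd' \) \
                -mmin "-$max_min" 2>/dev/null)" ]
}

# True if a freshclam daemon is already running on this host.
daemon_running() {
    pgrep -x freshclam >/dev/null 2>&1
}

# Update only when needed, log every decision, and pass freshclam's status to cron.
update_if_needed() {
    if daemon_running; then
        logger -t freshclam.sh "freshclam daemon already running; skipping manual update"
        return 0
    fi
    if defs_fresh "$DB_DIR" "$MAX_AGE_MIN"; then
        logger -t freshclam.sh "definitions updated within the last ${MAX_AGE_MIN} min; skipping"
        return 0
    fi
    /usr/bin/freshclam --quiet
    rc=$?
    if [ "$rc" -eq 0 ]; then
        logger -t freshclam.sh "virus definitions updated"
    else
        logger -t freshclam.sh "freshclam failed with exit status $rc"
    fi
    return "$rc"
}

# Usage from cron: freshclam.sh run   (nothing happens without the argument)
if [ "${1:-}" = "run" ]; then
    update_if_needed
fi
```

With this script the cron entry becomes `0 0-23/3 * * * /bin/sh /usr/local/bin/freshclam.sh run`, and a non-zero exit from freshclam shows up in the cron mail instead of being hidden by an unconditional `exit 0`. The same defs_fresh check, run from a monitoring agent with a larger threshold, is a direct test that the update job is actually working rather than merely scheduled.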

Till next time. Take Your Server Security very seriously.

NB: Remember that it is your responsibility to keep your server secure, and you can also install a firewall. A firewall can help you block incoming and outgoing ports as well as block brute-force login attempts.