Protect Your Server Using ClamAV
One of the most oft-repeated myths relating to Linux is that there are no Linux viruses. Unfortunately this isn’t true. Granted there are fewer threats for Linux systems than for Windows ones, but when Linux is attacked it is often servers that are targeted. Something else to be mindful of is that when your server handles files that are exchanged with a Windows system, you may end up accidentally passing on Windows viruses that do not affect your Linux system at all.
ClamAV is an open source anti-virus solution for detecting viruses, trojans and malware. The project is owned by Cisco Systems and is available for Linux, UNIX, MacOS and Windows systems. It comes as a command line tool that can be used to scan disk partitions or files. It also has a daemon mode that enables the antivirus to run in the background and scan files on demand from other programs. This feature is often leveraged for anti-virus scanning of email on Linux email servers. There are also graphical user interfaces to allow ClamAV to be used easily on desktop systems. A downside to ClamAV is that it doesn’t perform the real-time virus scanning that other anti-virus tools may support, so files aren’t scanned when they are read or written. However, there are other tools that can be used to fulfil that function.
Due to its popularity, ClamAV is provided in the default repositories for most Linux distributions.
Installing ClamAV
On Debian and Ubuntu systems, it can be installed with:
sudo apt-get update
sudo apt-get install clamav
On CentOS and Red Hat systems it can be installed from the EPEL repositories, so if EPEL is not already enabled it needs to be added first:
sudo yum install epel-release
Next, you can install ClamAV with:
sudo yum install clamav clamav-update
ClamAV consists of a number of parts:
clamscan is the scanner itself that can be used to scan your file system for viruses or malware.
freshclam is the tool used to update ClamAV’s virus database.
On Debian systems freshclam is launched automatically and will immediately start updating your virus database. On CentOS and Red Hat this will need to be done manually with the following command:
freshclam
To ensure regular updates it is worth adding this to your cron table to run nightly.
sudo crontab -e
Then add the following line at the end:
0 1 * * * /usr/bin/freshclam
Save and exit the file – freshclam should now update the database every night for you.
Now you can start scanning your system using ClamAV:
sudo clamscan -r -i /
The above command will scan the entire filesystem for viruses. The -r flag means to scan recursively within the specified path, in this case we gave “/”. The -i flag means to only show infected files in the output.
Obviously running ClamAV manually doesn’t ensure that your server remains secure, so automating the scans makes sense. Again we can put a command into the cron table to run the scans for you:
sudo crontab -e
Now paste in the following line in beneath the previous one:
0 2 * * * /usr/bin/clamscan -r -i / | /usr/bin/mail user@example.com
Before saving, make sure to replace “user@example.com” with your email address. This cron task will cause clamscan to run every night at 2am and then use the mail command to send the output to your e-mail address, so that you are aware of any infected files that ClamAV finds without needing to log into the server.
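A wrapper script that builds on the cron job above, added here as an example rather than taken from the article: it logs every run but only mails you when clamscan’s exit status reports an infection or an error, using the same -r -i flags. The script path, log path, mail address and the signature name in the constructed sample report are assumptions.

```shell
#!/bin/sh
# Nightly ClamAV scan wrapper: log every run, alert only on infection or error.
# Added example, not the article's own. Assumed placeholders: script installed as
# /usr/local/sbin/clamscan-nightly.sh, SCAN_PATH/MAILTO/LOGFILE, mail(1) available.
# Cron line:  0 2 * * * /usr/local/sbin/clamscan-nightly.sh run

SCAN_PATH="${SCAN_PATH:-/}"
MAILTO="${MAILTO:-user@example.com}"
LOGFILE="${LOGFILE:-/var/log/clamscan-nightly.log}"

# clamscan's documented exit status: 0 = no virus found, 1 = virus(es) found,
# anything else (normally 2) = an error occurred, which is worth a mail too.
verdict_for_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Keep only the "<path>: <signature> FOUND" lines from clamscan output on stdin.
found_lines() {
    grep ' FOUND$' || true
}

# Extract the "Infected files: N" figure from clamscan's scan summary on stdin.
infected_count() {
    sed -n 's/^Infected files: *\([0-9][0-9]*\).*/\1/p'
}

# Constructed sample of clamscan -i output (signature name is a placeholder),
# used only to exercise the two parsers above offline.
SAMPLE_REPORT='/srv/upload/a.exe: Example.Test.Signature FOUND
----------- SCAN SUMMARY -----------
Infected files: 1'

# Run the scan, append a one-line record to the log, mail the full report
# only when the verdict is not "clean".
nightly_scan() {
    report=$(clamscan -r -i "$SCAN_PATH" 2>&1)
    verdict=$(verdict_for_status "$?")
    printf '%s clamscan %s verdict=%s found=%s\n' "$(date '+%F %T')" \
        "$SCAN_PATH" "$verdict" "$(printf '%s\n' "$report" | infected_count)" >> "$LOGFILE"
    if [ "$verdict" != clean ]; then
        printf '%s\n' "$report" | mail -s "ClamAV $verdict on $(hostname)" "$MAILTO"
    fi
}

# Only scan when invoked with "run" (as from cron); otherwise just define functions.
if [ "${1:-}" = run ]; then nightly_scan; fi
```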
With that you have some basic virus and malware protection using ClamAV. Reading the clamscan man page (man clamscan) should give you a better idea of the more advanced features available to you.