ClamAV is an open-source antivirus software toolkit used to scan files for viruses. It is commonly used to scan emails on mail gateways. ClamAV is completely free software.
ClamAV provides inbuilt tools - a command-line scanner, database updater, milter interface for Sendmail, built-in support for almost all mail file formats, archive formats, popular document format, and more.
In this tutorial, we learn how to install and use ClamAV on Ubuntu 20.04
ClamAV components consist of:
clamd (clamav-daemon) - This daemon is mainly responsible for loading the virus database to memory when scanning starts.
freshclam (clamav-freshclam) - This daemon is used to update, download and install the Virus signature database.
clamdscan - Tool to scan files and directories for viruses.
clamonacc - This daemon provides on-access scanner functionality for ClamAV
Install ClamAV on Ubuntu
ClamAV is available in the Ubuntu repository. You can simply install ClamAV using the apt command.
First, update the Ubuntu system.
$ sudo apt update
Install ClamAV on Ubuntu:
$ sudo apt install clamav clamav-daemon -y
Verify the installation by checking the ClamAV version, type:
$ clamscan --V
ClamAV 0.103.2/26233/Thu Jul 15 07:31:54 2021
By default, clamav-freshclam service will be enabled and running.
$ sudo systemctl status clamav-freshclam
On clamav-freshclam startup its automatically update Virus database to /var/lib/clamav. If not started run the following command to start clamav-freshclam.
$ sudo systemctl start clamav-freshclam
Download and Update ClamAV Signature Database
After ClamAV installation and verification, you will need to update the ClamAV Signature Database for Virus. freshclam command is used to download and update ClamAV’s official virus signature databases.
1. First, we will need to stop the clamav-freshclam service with the following command, before updating the database.
$ sudo systemctl stop clamav-freshclam
2. Next, download and update the database manually using the following command:
$ sudo freshclam
If you get the following output, then the database is updated:
Tue Jul 13 04:15:19 2021 -> ClamAV update process started at Tue Jul 13 04:15:19 2021
Tue Jul 13 04:15:19 2021 -> daily.cvd database is up to date (version: 25930, sigs: 4317819, f-level: 63, builder: raynman)
Tue Jul 13 04:15:19 2021 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Tue Jul 13 04:15:19 2021 -> bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
By default ClamAV signature database is updated automatically every hour, this behavior can be changed in freshclam configuration file /etc/clamav/freshclam.conf.
NOTE: It is also possible to manually download the signature database from the ClamAV virus database mirror.
ClamAV use three virus definitions files such as main.cvd, daily.cvd, and bytecode.cvd and kept in the directory /var/lib/clamav.
3. Finally, start the freshclam daemon service:
$ sudo systemctl start clamav-freshclam
The output of the above command will indicate whether the virus signatures are up-to-date.
● clamav-freshclam.service - ClamAV virus database updater Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled) Active: active (running) since Fri 2021-07-16 01:41:20 UTC; 41s ago Docs: man:freshclam(1) man:freshclam.conf(5) https://www.clamav.net/documents Main PID: 65112 (freshclam) Tasks: 1 (limit: 1073) Memory: 2.0M CGroup: /system.slice/clamav-freshclam.service └─65112 /usr/bin/freshclam -d --foreground=true Jul 16 01:41:20 li1129-224 systemd: Started ClamAV virus database updater. Jul 16 01:41:20 li1129-224 freshclam: WARNING: Ignoring deprecated option SafeBrowsing at /etc/clamav/freshclam.conf:22 Jul 16 01:41:20 li1129-224 freshclam: Fri Jul 16 01:41:20 2021 -> ClamAV update process started at Fri Jul 16 01:41:20 2021 Jul 16 01:41:20 li1129-224 freshclam: Fri Jul 16 01:41:20 2021 -> ^Your ClamAV installation is OUTDATED! Jul 16 01:41:20 li1129-224 freshclam: Fri Jul 16 01:41:20 2021 -> ^Local version: 0.103.2 Recommended version: 0.103.3 Jul 16 01:41:20 li1129-224 freshclam: Fri Jul 16 01:41:20 2021 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav Jul 16 01:41:20 li1129-224 freshclam: Fri Jul 16 01:41:20 2021 -> daily.cld database is up-to-date (version: 26233, sigs: 1961297, f-level: 90, builder: raynman) Jul 16 01:41:20 li1129-224 freshclam: Fri Jul 16 01:41:20 2021 -> main.cld database is up-to-date (version: 61, sigs: 6607162, f-level: 90, builder: sigmgr) Jul 16 01:41:20 li1129-224 freshclam: Fri Jul 16 01:41:20 2021 -> bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
For fresh installation, its recommended to start clamav daemon after ClamAV Virus Database (.cvd) file(s) installed. Now start clamav-daemon service to load database definitions to memory.
sudo systemctl start clamav-daemon
To verify clamd, check the ClamAV logs in /var/log/clamav/clamav.log
Thu Jul 15 04:23:41 2021 -> Portable Executable support enabled. Thu Jul 15 04:23:41 2021 -> ELF support enabled. Thu Jul 15 04:23:41 2021 -> Mail files support enabled. Thu Jul 15 04:23:41 2021 -> OLE2 support enabled. Thu Jul 15 04:23:41 2021 -> PDF support enabled. Thu Jul 15 04:23:41 2021 -> SWF support enabled. Thu Jul 15 04:23:41 2021 -> HTML support enabled. Thu Jul 15 04:23:41 2021 -> XMLDOCS support enabled. Thu Jul 15 04:23:41 2021 -> HWP3 support enabled. Thu Jul 15 04:23:41 2021 -> Self checking every 3600 seconds.
For testing ClamAV, we can download a test virus to /tmp and scan using clamscan tool.
$ cd /tmp $ wget http://www.eicar.org/download/eicar.com $ clamscan --infected --remove eicar.com
/tmp/eicar.com: Eicar-Test-Signature FOUND /tmp/eicar.com: Removed. ----------- SCAN SUMMARY ----------- Known viruses: 8553243 Engine version: 0.103.2 Scanned directories: 17 Scanned files: 1 Infected files: 1 Data scanned: 0.00 MB Data read: 0.00 MB (ratio 0.00:1) Time: 62.005 sec (1 m 2 s) Start Date: 2021:07:16 02:08:29 End Date: 2021:07:16 02:09:31
How to use ClamAV
ClamAV configuration file is located at /etc/clamav/clamd.conf. Configuration file allows to set scanning behavior, user name for clamd daemon (by default daemon is run by clamav), exclude directories from scanning, and much more.
ClamAV logs are stored in /var/log/clamav/, which contains information about each virus scan.
ClamAV comes with many inbuilt tools, among clamscan is the important tool. Clamscan is a clamd client used to scan files.
1. Scanning all files, from the current directory.
$ clamscan -r /
2. Scan files but only show infected files.
$ clamscan -r -i /[path-to-folder]
3. To scan infected files in a specific directory recursively and then remove them.
$ clamscan --infected --remove --recursive /home/ubuntu/Desktop/
These options means:
- --infected: prints only infected files
- --remove: removes infected files
- --recursive: all directory and subdirectories in that path will be scanned
------------ SCAN SUMMARY ------------ Known viruses: 2226383 Engine version: 0.103.2 Scanned directories: 18 Scanned files: 75 Infected files: 0 Data scanned: 15.80 MB Data read: 5.66MB (ratio 3.09:1) Time: 15.842 sec (0 m 15 s)
The best practice is to set up cron jobs to run ClamAV scans in regular intervals.
4. To scan your web server and everything in the standard Apache document root, you scan any suspicious files and unwanted applications with the following command.
$ sudo clamscan --infected --detect-pua=yes --recursive /var/www/html/
pua - Potential Unwanted Application
5. Scan files, but show only infected files without displaying OK files.
$ clamscan -r -o /[path-to-folder]
6. Scan files, but only send results of infected files to a new results file.
$ clamscan -r /[path-to-folder] | grep FOUND >> /[path-folder]/[file].txt
7. Scan and move infected files to a different directory path.
$ clamscan -r --move=/[path-to-folder] /[path-to-quarantine-folder]
For more information check clamscan man page or clamscan -h.
Install ClamTK on Ubuntu
ClamTK on the other hand is a Graphical User Interface for a ClamAV software program. If you are more comfortable using GUI instead of the command line, you can install ClamTK with the following command:
$ sudo apt-get install clamtk
After installing clamTK, open it and you will get a nice GUI with all options including Configuration, History, Updates, Analysis.
Now go to the Analysis group, and chose "Scan a directory" option. Then, will be asked to chose desired directory that want to scan.
After choosing the desired directory, ClamTK will scan that directory and will display the result of scanning.
In terms of performance between ClamAV and ClamTK, there is no difference between these two tools. You can choose the one that is more suited to use, and ClamTK is more user-friendly, especially for beginners.
It is most commonly known that viruses do not exist in Linux, and cannot be infected, but it is not true. Viruses, trojans, and malware exist in Linux but they are not quite common. If you want your Linux machine to be more secure, you can install and start using either ClamAV or ClamTK software tools to protect the system from suspicious things.