Linux is designed to make it hard for viruses to run, which is why it is considered more secure than the Windows operating system. However, it is still worth installing Clam AntiVirus (ClamAV) on a Linux server to protect it from viruses, because Linux malware and viruses are increasing every day. ClamAV is a free antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats, and one of its main uses is on mail servers as a server-side email virus scanner. ClamAV can be integrated with mail servers to scan attachments and files. This article describes how to install ClamAV on an Ubuntu Server 14.04 virtual private server (VPS) or dedicated server.
How to Install ClamAV on Ubuntu Server 14.04
1. Install clamav and clamav-daemon. The clamav-daemon package provides clamd, the daemon used for automated scanning.
ehowstuff@ubuntu14:~$ sudo apt-get install clamav clamav-daemon -y
2. Update the ClamAV virus signature database (pattern file):
ehowstuff@ubuntu14:~$ sudo freshclam
3. Scan the files in all users' home directories:
ehowstuff@ubuntu14:~$ sudo clamscan -r /home
[sudo] password for ehowstuff:
/home/ehowstuff/v3.1.12.zip: OK
/home/ehowstuff/.mysql_history: OK
/home/ehowstuff/.bash_logout: OK
/home/ehowstuff/.bash_history: OK
/home/ehowstuff/.profile: OK
/home/ehowstuff/.bashrc: OK
/home/ehowstuff/.cache/motd.legal-displayed: Empty file
/home/ehowstuff/.viminfo: OK
/home/ehowstuff/jcameron-key.asc: OK
/home/ehowstuff/.rnd: OK
/home/ehowstuff/index.html: OK
/home/ehowstuff/.ssh/known_hosts: OK

----------- SCAN SUMMARY -----------
Known viruses: 3383485
Engine version: 0.98.1
Scanned directories: 4
Scanned files: 11
Infected files: 0
Data scanned: 4.66 MB
Data read: 1.04 MB (ratio 4.47:1)
Time: 20.139 sec (0 m 20 s)
ehowstuff@ubuntu14:~$
4. Download the EICAR test file (a harmless file that antivirus engines detect with a dedicated test signature):
ehowstuff@ubuntu14:~$ wget http://www.eicar.org/download/eicar.com
--2014-05-24 15:05:13--  http://www.eicar.org/download/eicar.com
Resolving www.eicar.org (www.eicar.org)... 188.40.238.250
Connecting to www.eicar.org (www.eicar.org)|188.40.238.250|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [application/octet-stream]
Saving to: ‘eicar.com’

100%[==========================================================>] 68          --.-K/s   in 0s

2014-05-24 15:05:13 (8.12 MB/s) - ‘eicar.com’ saved [68/68]
5. Scan again; the directory now contains the downloaded test file, which should be detected:
ehowstuff@ubuntu14:~$ sudo clamscan -r /home
/home/ehowstuff/v3.1.12.zip: OK
/home/ehowstuff/.mysql_history: OK
/home/ehowstuff/.bash_logout: OK
/home/ehowstuff/.bash_history: OK
/home/ehowstuff/.profile: OK
/home/ehowstuff/.bashrc: OK
/home/ehowstuff/.cache/motd.legal-displayed: Empty file
/home/ehowstuff/.viminfo: OK
/home/ehowstuff/jcameron-key.asc: OK
/home/ehowstuff/.rnd: OK
/home/ehowstuff/index.html: OK
/home/ehowstuff/.ssh/known_hosts: OK
/home/ehowstuff/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3383485
Engine version: 0.98.1
Scanned directories: 4
Scanned files: 12
Infected files: 1
Data scanned: 4.66 MB
Data read: 1.04 MB (ratio 4.47:1)
Time: 19.874 sec (0 m 19 s)
6. Scan and remove infected files:
ehowstuff@ubuntu14:~$ sudo clamscan --infected --remove --recursive /home
/home/ehowstuff/eicar.com: Eicar-Test-Signature FOUND
/home/ehowstuff/eicar.com: Removed.

----------- SCAN SUMMARY -----------
Known viruses: 3383485
Engine version: 0.98.1
Scanned directories: 4
Scanned files: 12
Infected files: 1
Data scanned: 4.66 MB
Data read: 1.04 MB (ratio 4.47:1)
Time: 20.930 sec (0 m 20 s)
7. Scan the home directory again. The downloaded test file should now be removed:
ehowstuff@ubuntu14:~$ sudo clamscan -r /home
/home/ehowstuff/v3.1.12.zip: OK
/home/ehowstuff/.mysql_history: OK
/home/ehowstuff/.bash_logout: OK
/home/ehowstuff/.bash_history: OK
/home/ehowstuff/.profile: OK
/home/ehowstuff/.bashrc: OK
/home/ehowstuff/.cache/motd.legal-displayed: Empty file
/home/ehowstuff/.viminfo: OK
/home/ehowstuff/jcameron-key.asc: OK
/home/ehowstuff/.rnd: OK
/home/ehowstuff/index.html: OK
/home/ehowstuff/.ssh/known_hosts: OK

----------- SCAN SUMMARY -----------
Known viruses: 3383485
Engine version: 0.98.1
Scanned directories: 4
Scanned files: 11
Infected files: 0
Data scanned: 4.66 MB
Data read: 1.04 MB (ratio 4.47:1)
Time: 20.151 sec (0 m 20 s)
8. Start clamav-daemon (clamd):
ehowstuff@ubuntu14:~$ sudo /etc/init.d/clamav-daemon start
 * Starting ClamAV daemon clamd                                          [ OK ]
9. Check clamd status:
ehowstuff@ubuntu14:~$ sudo /etc/init.d/clamav-daemon status
 * clamd is running
10. Start and check the status of clamav-freshclam:
ehowstuff@ubuntu14:~$ sudo /etc/init.d/clamav-freshclam start
 * Starting ClamAV virus database updater freshclam                      [ OK ]
ehowstuff@ubuntu14:~$ sudo /etc/init.d/clamav-freshclam status
 * freshclam is running
11. Verify the ClamAV version number:
ehowstuff@ubuntu14:~$ sudo clamdscan -V
ClamAV 0.98.1/19025/Sat May 24 10:04:32 2014
12. See more options for clamscan by issuing the "sudo clamscan --help" command:
ehowstuff@ubuntu14:~$ sudo clamscan --help

                       Clam AntiVirus Scanner 0.98.1
           By The ClamAV Team: http://www.clamav.net/team
           (C) 2007-2009 Sourcefire, Inc.

    --help                -h             Print this help screen
    --version             -V             Print version number
    --verbose             -v             Be verbose
    --archive-verbose     -a             Show filenames inside scanned archives
    --debug                              Enable libclamav's debug messages
    --quiet                              Only output error messages
    --stdout                             Write to stdout instead of stderr
    --no-summary                         Disable summary at end of scanning
    --infected            -i             Only print infected files
    --suppress-ok-results -o             Skip printing OK files
    --bell                               Sound bell on virus detection

    --tempdir=DIRECTORY                  Create temporary files in DIRECTORY
    --leave-temps[=yes/no(*)]            Do not remove temporary files
    --database=FILE/DIR   -d FILE/DIR    Load virus database from FILE or load all supported db files from DIR
    --official-db-only[=yes/no(*)]       Only load official signatures
    --log=FILE            -l FILE        Save scan report to FILE
    --recursive[=yes/no(*)]  -r          Scan subdirectories recursively
    --allmatch[=yes/no(*)]   -z          Continue scanning within file after finding a match
    --cross-fs[=yes(*)/no]               Scan files and directories on other filesystems
    --follow-dir-symlinks[=0/1(*)/2]     Follow directory symlinks (0 = never, 1 = direct, 2 = always)
    --follow-file-symlinks[=0/1(*)/2]    Follow file symlinks (0 = never, 1 = direct, 2 = always)
    --file-list=FILE      -f FILE        Scan files from FILE
    --remove[=yes/no(*)]                 Remove infected files. Be careful!
    --move=DIRECTORY                     Move infected files into DIRECTORY
    --copy=DIRECTORY                     Copy infected files into DIRECTORY
    --exclude=REGEX                      Don't scan file names matching REGEX
    --exclude-dir=REGEX                  Don't scan directories matching REGEX
    --include=REGEX                      Only scan file names matching REGEX
    --include-dir=REGEX                  Only scan directories matching REGEX

    --bytecode[=yes(*)/no]               Load bytecode from the database
    --bytecode-unsigned[=yes/no(*)]      Load unsigned bytecode
    --bytecode-timeout=N                 Set bytecode timeout (in milliseconds)
    --bytecode-statistics[=yes/no(*)]    Collect and print bytecode statistics
    --detect-pua[=yes/no(*)]             Detect Possibly Unwanted Applications
    --exclude-pua=CAT                    Skip PUA sigs of category CAT
    --include-pua=CAT                    Load PUA sigs of category CAT
    --detect-structured[=yes/no(*)]      Detect structured data (SSN, Credit Card)
    --structured-ssn-format=X            SSN format (0=normal,1=stripped,2=both)
    --structured-ssn-count=N             Min SSN count to generate a detect
    --structured-cc-count=N              Min CC count to generate a detect
    --scan-mail[=yes(*)/no]              Scan mail files
    --phishing-sigs[=yes(*)/no]          Signature-based phishing detection
    --phishing-scan-urls[=yes(*)/no]     URL-based phishing detection
    --heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found
    --phishing-ssl[=yes/no(*)]           Always block SSL mismatches in URLs (phishing module)
    --phishing-cloak[=yes/no(*)]         Always block cloaked URLs (phishing module)
    --algorithmic-detection[=yes(*)/no]  Algorithmic detection
    --scan-pe[=yes(*)/no]                Scan PE files
    --scan-elf[=yes(*)/no]               Scan ELF files
    --scan-ole2[=yes(*)/no]              Scan OLE2 containers
    --scan-pdf[=yes(*)/no]               Scan PDF files
    --scan-swf[=yes(*)/no]               Scan SWF files
    --scan-html[=yes(*)/no]              Scan HTML files
    --scan-archive[=yes(*)/no]           Scan archive files (supported by libclamav)
    --detect-broken[=yes/no(*)]          Try to detect broken executable files
    --block-encrypted[=yes/no(*)]        Block encrypted archives
    --nocerts                            Disable authenticode certificate chain verification in PE files
    --dumpcerts                          Dump authenticode certificate chain in PE files

    --max-filesize=#n                    Files larger than this will be skipped and assumed clean
    --max-scansize=#n                    The maximum amount of data to scan for each container file (**)
    --max-files=#n                       The maximum number of files to scan for each container file (**)
    --max-recursion=#n                   Maximum archive recursion level for container file (**)
    --max-dir-recursion=#n               Maximum directory recursion level
    --max-embeddedpe=#n                  Maximum size file to check for embedded PE
    --max-htmlnormalize=#n               Maximum size of HTML file to normalize
    --max-htmlnotags=#n                  Maximum size of normalized HTML file to scan
    --max-scriptnormalize=#n             Maximum size of script file to normalize
    --max-ziptypercg=#n                  Maximum size zip to type reanalyze

(*) Default scan settings
(**) Certain files (e.g. documents, archives, etc.) may in turn contain other files inside. The above options ensure safe processing of this kind of data.
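The scan steps above, assembled for unattended use as an added example (not the article's own code): a cron wrapper that combines --infected, --recursive, --move and --log from the help listing so that hits are quarantined rather than deleted and a false positive can be recovered, then reads the "Infected files" count back out of the report. The quarantine and log paths, the script name and the --run convention are assumptions.

```shell
#!/bin/sh
# daily-clamscan.sh: hypothetical cron wrapper (added example, not the article's code).
# Scans SCAN_DIRS with clamscan options from the article's --help output, quarantines
# hits with --move instead of --remove so a false positive can be recovered, writes a
# dated log and reports the "Infected files" count. All paths below are assumptions.
SCAN_DIRS="${SCAN_DIRS:-/home}"
QUARANTINE="${QUARANTINE:-/var/lib/clamav/quarantine}"
LOG_DIR="${LOG_DIR:-/var/log/clamav}"

# Read "Infected files: N" from a clamscan report; prints 0 when the line is absent.
infected_count() {
    awk -F': ' '/^Infected files:/ { n = $2 } END { print n + 0 }' "$1"
}

# Succeeds (exit 0) when the report shows no infected files, fails (exit 1) otherwise.
log_is_clean() {
    [ "$(infected_count "$1")" -eq 0 ]
}

# Offline check: a constructed report shaped like the article's step 5 summary.
demo_count() {
    tmp=$(mktemp)
    printf '%s\n' '/home/user/eicar.com: Eicar-Test-Signature FOUND' \
        '----------- SCAN SUMMARY -----------' 'Scanned files: 12' \
        'Infected files: 1' > "$tmp"
    infected_count "$tmp"
    rm -f "$tmp"
}

main() {
    log="$LOG_DIR/daily-scan-$(date +%F).log"
    mkdir -p "$QUARANTINE" "$LOG_DIR" && chmod 700 "$QUARANTINE"
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed" >&2; return 2; }
    # --infected keeps the log to hits only; --move quarantines rather than deletes.
    # shellcheck disable=SC2086  # SCAN_DIRS is deliberately split into several paths
    clamscan --infected --recursive "--move=$QUARANTINE" "--log=$log" $SCAN_DIRS >/dev/null 2>&1
    rc=$?   # clamscan exit status: 0 = clean, 1 = hits found, 2 = error
    if [ "$rc" -eq 2 ]; then logger -t clamscan-daily "scan error, see $log"; return 2; fi
    if log_is_clean "$log"; then
        logger -t clamscan-daily "scan clean: $log"
    else
        logger -t clamscan-daily "hits moved to $QUARANTINE, see $log"
    fi
    return "$rc"
}

# Only scan when invoked with --run, e.g. from a root crontab line such as:
# 0 3 * * * /usr/local/sbin/daily-clamscan.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```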
I hope this article gives you some ideas and essential guidance on how to install ClamAV on an Ubuntu Server 14.04 virtual private server (VPS) or dedicated server.
4 Comments
Thanks! Great tutorial!
Hi,
How can we set clamav to scan daily and remove viruses by itself?
Thanks
CRON job. I’d be careful tho. You might want to disinfect the file in case you need it instead of deleting.
The process by which we can install the ClamAV Ubuntu server can be done by the user, and the user just has to follow the procedure and make sure that the installation is successful and does not get any error in between.