How to Install ClamAV on Ubuntu 20.04 and Scan for Vulnerabilities
September 29, 2020 by Hitesh Jethva (151posts) under VPS Hosting 0 CommentsClamAV is free and open-source antivirus software that can be used to find *s and malicious software and other viruses in your system. It is simple, easy to use, and capable to scan over one million viruses and *s. ClamAV supports various archive formats including Tar, Gzip, Zip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS, and also supports all mail file formats. It comes with several in-built tools, including a multi-threaded daemon and command-line interface to update the database automatically.
In this tutorial, we will explain how to install and use ClamAV on Ubuntu 20.04.
Prerequisites
- A fresh Ubuntu 20.04 VPS on the Atlantic.net Cloud Platform
- A root password configured on your server
Step 1 – Create an Atlantic.Net Cloud Server
First, log in to your Atlantic.Net Cloud Server. Create a new server, choosing Ubuntu 20.04 as the operating system, with at least 2GB RAM. Connect to your Cloud Server via SSH and log in using the credentials highlighted at the top of the page.
Once you are logged into your Ubuntu 20.04 server, run the following command to update your base system with the latest available packages.
apt-get update -y
Step 2 – Install ClamAV
By default, the ClamAV package is available in the Ubuntu 20.04 default repository. You can install it with the following command:
apt-get install clamav clamav-daemon -y
Once the ClamAV has been installed, you can proceed to update the virus database.
Step 3 – Update the Virus Database
Next, you will need to update the virus database in order for scanning to work. You can update it over the internet using the freshclam command.
Before updating the database, you will need to stop the clamav-freshclam service. You can stop it with the following command:
systemctl stop clamav-freshclam
Next, update the database using the following command:
freshclam
Once the database is updated, you should get the following output:
Thu Sep 17 06:11:23 2020 -> ClamAV update process started at Thu Sep 17 06:11:23 2020 Thu Sep 17 06:11:23 2020 -> daily.cvd database is up to date (version: 25930, sigs: 4317819, f-level: 63, builder: raynman) Thu Sep 17 06:11:23 2020 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr) Thu Sep 17 06:11:23 2020 -> bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Next, start the clamav-freshclam service and enable it to start at system reboot with the following command:
systemctl start clamav-freshclam systemctl enable clamav-freshclam
By default, freshclam stores all databases inside /var/lib/clamav/ directory. You can list them with the following command:
ls /var/lib/clamav/
You should get the following output:
bytecode.cvd daily.cvd main.cvd
Step 4 – Use Clamscan to Scan the Directory
Clamscan is used to scan files and directories for viruses and delete them immediately.
The basic syntax of Clamscan is shown below:
clamscan [options] [files-or-directories]
A brief explanation of most commonly used options are shown below:
- –infected : This option display a list of all infected files.
- –remove : This option removes all infected files from your system.
- –recursive : This option will scan all directories and sub-directories.
For example, you can scan the /etc directory with the following command:
clamscan --infected --remove --recursive /etc
You should see the following output:
----------- SCAN SUMMARY ----------- Known viruses: 8908044 Engine version: 0.102.4 Scanned directories: 240 Scanned files: 754 Infected files: 0 Data scanned: 3.25 MB Data read: 1.41 MB (ratio 2.30:1) Time: 42.391 sec (0 m 42 s)
You can print all available option with clamscan using the following command:
clamscan -h
You should get the following output:
<!-- /* Font Definitions */ @font-face {font-family:"Cambria Math"; panose-1:2 4 5 3 5 4 6 3 2 4; mso-font-charset:0; mso-generic-font-family:roman; mso-font-pitch:variable; mso-font-signature:-536869121 1107305727 33554432 0 415 0;} @font-face {font-family:"Liberation Serif"; mso-font-alt:"Times New Roman"; mso-font-charset:1; mso-generic-font-family:roman; mso-font-pitch:variable; mso-font-signature:0 0 0 0 0 0;} @font-face {font-family:"Droid Sans Fallback"; panose-1:0 0 0 0 0 0 0 0 0 0; mso-font-charset:0; mso-generic-font-family:roman; mso-font-format:other; mso-font-pitch:auto; mso-font-signature:0 0 0 0 0 0;} @font-face {font-family:FreeSans; panose-1:0 0 0 0 0 0 0 0 0 0; mso-font-alt:Cambria; mso-font-charset:0; mso-generic-font-family:roman; mso-font-format:other; mso-font-pitch:auto; mso-font-signature:0 0 0 0 0 0;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {mso-style-unhide:no; mso-style-qformat:yes; mso-style-parent:""; margin:0in; mso-pagination:none; mso-hyphenate:none; font-size:12.0pt; font-family:"Liberation Serif",serif; mso-fareast-font-family:"Droid Sans Fallback"; mso-bidi-font-family:FreeSans; color:#00000A; mso-ansi-language:EN-IN; mso-fareast-language:ZH-CN; mso-bidi-language:HI;} .MsoChpDefault {mso-style-type:export-only; mso-default-props:yes; font-size:12.0pt; mso-ansi-font-size:12.0pt; mso-bidi-font-size:12.0pt; font-family:"Liberation Serif",serif; mso-ascii-font-family:"Liberation Serif"; mso-fareast-font-family:"Droid Sans Fallback"; mso-hansi-font-family:"Liberation Serif"; mso-bidi-font-family:FreeSans; mso-ansi-language:EN-IN; mso-fareast-language:ZH-CN; mso-bidi-language:HI;} @page WordSection1 {size:8.5in 11.0in; margin:1.0in 1.0in 1.0in 1.0in; mso-header-margin:.5in; mso-footer-margin:.5in; mso-paper-source:0;} div.WordSection1 {page:WordSection1;} --> Clam AntiVirus: Scanner 0.102.4 By The ClamAV Team: https://www.clamav.net/about.html#credits (C) 2020 Cisco Systems, Inc. clamscan [options] [file/directory/-] --help -h Show this help --version -V Print version number --verbose -v Be verbose --archive-verbose -a Show filenames inside scanned archives --debug Enable libclamav's debug messages --quiet Only output error messages --stdout Write to stdout instead of stderr. Does not affect 'debug' messages. --no-summary Disable summary at end of scanning --infected -i Only print infected files --suppress-ok-results -o Skip printing OK files --bell Sound bell on virus detection --tempdir=DIRECTORY Create temporary files in DIRECTORY --leave-temps[=yes/no(*)] Do not remove temporary files --gen-json[=yes/no(*)] Generate JSON description of scanned file(s). JSON will be printed and also- dropped to the temp directory if --leave-temps is enabled. --database=FILE/DIR -d FILE/DIR Load virus database from FILE or load all supported db files from DIR --official-db-only[=yes/no(*)] Only load official signatures --log=FILE -l FILE Save scan report to FILE --recursive[=yes/no(*)] -r Scan subdirectories recursively --allmatch[=yes/no(*)] -z Continue scanning within file after finding a match --cross-fs[=yes(*)/no] Scan files and directories on other filesystems --follow-dir-symlinks[=0/1(*)/2] Follow directory symlinks (0 = never, 1 = direct, 2 = always) --follow-file-symlinks[=0/1(*)/2] Follow file symlinks (0 = never, 1 = direct, 2 = always) --file-list=FILE -f FILE Scan files from FILE --remove[=yes/no(*)] Remove infected files. Be careful! --move=DIRECTORY Move infected files into DIRECTORY --copy=DIRECTORY Copy infected files into DIRECTORY --exclude=REGEX Don't scan file names matching REGEX --exclude-dir=REGEX Don't scan directories matching REGEX --include=REGEX Only scan file names matching REGEX --include-dir=REGEX Only scan directories matching REGEX --bytecode[=yes(*)/no] Load bytecode from the database --bytecode-unsigned[=yes/no(*)] Load unsigned bytecode --bytecode-timeout=N Set bytecode timeout (in milliseconds) --statistics[=none(*)/bytecode/pcre] Collect and print execution statistics --detect-pua[=yes/no(*)] Detect Possibly Unwanted Applications --exclude-pua=CAT Skip PUA sigs of category CAT --include-pua=CAT Load PUA sigs of category CAT --detect-structured[=yes/no(*)] Detect structured data (SSN, Credit Card) --structured-ssn-format=X SSN format (0=normal,1=stripped,2=both) --structured-ssn-count=N Min SSN count to generate a detect --structured-cc-count=N Min CC count to generate a detect --scan-mail[=yes(*)/no] Scan mail files --phishing-sigs[=yes(*)/no] Enable email signature-based phishing detection --phishing-scan-urls[=yes(*)/no] Enable URL signature-based phishing detection --heuristic-alerts[=yes(*)/no] Heuristic alerts --heuristic-scan-precedence[=yes/no(*)] Stop scanning as soon as a heuristic match is found --normalize[=yes(*)/no] Normalize html, script, and text files. Use normalize=no for yara compatibility --scan-pe[=yes(*)/no] Scan PE files --scan-elf[=yes(*)/no] Scan ELF files --scan-ole2[=yes(*)/no] Scan OLE2 containers --scan-pdf[=yes(*)/no] Scan PDF files --scan-swf[=yes(*)/no] Scan SWF files --scan-html[=yes(*)/no] Scan HTML files --scan-xmldocs[=yes(*)/no] Scan xml-based document files --scan-hwp3[=yes(*)/no] Scan HWP3 files --scan-archive[=yes(*)/no] Scan archive files (supported by libclamav) --alert-broken[=yes/no(*)] Alert on broken executable files (PE & ELF) --alert-encrypted[=yes/no(*)] Alert on encrypted archives and documents --alert-encrypted-archive[=yes/no(*)] Alert on encrypted archives --alert-encrypted-doc[=yes/no(*)] Alert on encrypted documents --alert-macros[=yes/no(*)] Alert on OLE2 files containing VBA macros --alert-exceeds-max[=yes/no(*)] Alert on files that exceed max file size, max scan size, or max recursion limit --alert-phishing-ssl[=yes/no(*)] Alert on emails containing SSL mismatches in URLs --alert-phishing-cloak[=yes/no(*)] Alert on emails containing cloaked URLs --alert-partition-intersection[=yes/no(*)] Alert on raw DMG image files containing partition intersections --nocerts Disable authenticode certificate chain verification in PE files --dumpcerts Dump authenticode certificate chain in PE files --max-scantime=#n Scan time longer than this will be skipped and assumed clean --max-filesize=#n Files larger than this will be skipped and assumed clean --max-scansize=#n The maximum amount of data to scan for each container file (**) --max-files=#n The maximum number of files to scan for each container file (**) --max-recursion=#n Maximum archive recursion level for container file (**) --max-dir-recursion=#n Maximum directory recursion level --max-embeddedpe=#n Maximum size file to check for embedded PE --max-htmlnormalize=#n Maximum size of HTML file to normalize --max-htmlnotags=#n Maximum size of normalized HTML file to scan --max-scriptnormalize=#n Maximum size of script file to normalize --max-ziptypercg=#n Maximum size zip to type reanalyze --max-partitions=#n Maximum number of partitions in disk image to be scanned --max-iconspe=#n Maximum number of icons in PE file to be scanned --max-rechwp3=#n Maximum recursive calls to HWP3 parsing function --pcre-match-limit=#n Maximum calls to the PCRE match function. --pcre-recmatch-limit=#n Maximum recursive calls to the PCRE match function. --pcre-max-filesize=#n Maximum size file to perform PCRE subsig matching. --disable-cache Disable caching and cache checks for hash sums of scanned files.
Conclusion
In the above guide, you learned how to install ClamAV and use it to remove the various types of viruses from your systems. You should now have enough knowledge to use ClamAV in the production environment to clean the system. Get started with ClamAV today on VPS Hosting from Atlantic.Net!