ClamAV is an open source antivirus engine for detecting trojans, viruses, malware, adware, rootkits and other malicious threats. It supports multiple file formats, file and archive unpacking, and multiple signature languages such as hash-based signature matching, wildcards, boolean logic and custom rules written in the Bytecode language.
ClamAV includes a multi-threaded scanner daemon, command line utilities for on demand file scanning and automatic signature updates. One of its main uses is on mail servers as a server-side email virus scanner.
In this guide, we are going to learn how to install and use ClamAV on Ubuntu 18.04 to constantly scan for viruses and any other malicious threats.
Install ClamAV
ClamAV is available on Ubuntu repositories and thus you can run the command below to install it.
# apt-get update
# apt-get install clamav clamav-daemon -y
Update the ClamAV Signature Database
Once the installation is complete, you should update the ClamAV signatures. Stop the clamav-freshclam service and run the freshclam command to manually update the signatures database.
# systemctl stop clamav-freshclam
# freshclam
Once the virus database update is done, start the clamav-freshclam service so it keeps updating the signature database in the background.
# systemctl start clamav-freshclam
You are now ready to use ClamAV to protect your system against viruses. ClamAV comes with a command line utility called clamscan that scans files and directories for viruses.
To see the clamscan command line usage, run either of the commands below.
# clamscan --help
# man clamscan
Clamscan CLI Options and Example Usage
From the man pages, the clamscan command syntax is:
clamscan [options] [file/directory/-]
Some of the clamscan command options and their example usage are illustrated below:

-h, --help
    Print help information and exit.
    # clamscan -h

-V, --version
    Print version number and exit.
    # clamscan -V
    ClamAV 0.100.1/25021/Tue Oct 9 15:52:08 2018

--no-summary
    Do not display summary at the end of scanning.
    # clamscan --no-summary /home/

-i, --infected
    Only print infected files.
    # clamscan -i /home/

-o, --suppress-ok-results
    Skip printing OK files.

--bell
    Sound bell on virus detection.
    # clamscan -r --bell -i /home

-d FILE/DIR, --database=FILE/DIR
    Load virus database from FILE or load all virus database files from DIR.
    # clamscan -d /tmp/newclamdb -r /tmp

-l FILE, --log=FILE
    Save scan report to FILE.

-r, --recursive
    Scan directories recursively. All the subdirectories in the given directory will be scanned.
    # clamscan -r --remove /

-f FILE, --file-list=FILE
    Scan files listed line by line in FILE.

--remove[=yes/no(*)]
    Remove infected files. Be careful, as this removes the file completely.
    # clamscan -r --remove /home/USER

--move=DIRECTORY
    Move infected files into DIRECTORY. Directory must be writable for the user or unprivileged user running clamscan.
    # clamscan -r --move=/home/USER/VIRUS /home/

--copy=DIRECTORY
    Copy infected files into DIRECTORY. Directory must be writable for the user or unprivileged user running clamscan.
    # clamscan -r --copy=/home/USER/VIRUS /home/
Note that most of the options are simple switches which enable or disable some features. Options marked with [=yes/no(*)] can be optionally followed by =yes or =no. If they get called without the boolean argument the scanner will assume ‘yes’. The asterisk marks the default internal setting for a given option.
For a comprehensive list of options, check the clamscan man pages:
man clamscan
ClamAV Return Codes
The following are the exit return codes for ClamAV.
- 0 : No virus found.
- 1 : Virus(es) found.
- 2 : Some error(s) occurred.
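A scheduled scan should treat exit code 2 differently from exit code 1, because a scan that failed has not shown the system to be clean. The wrapper below is an added example, not part of the original guide; the function names and the SCAN_LOG variable are assumptions made for the illustration.

```bash
# Added example, not part of the original guide. Acts on the clamscan exit
# codes listed above: 0 = no virus found, 1 = virus(es) found, 2 = error(s).

# Map an exit code to a status word. Anything other than 0 or 1 (including
# death by signal) counts as a failed scan, never as "clean".
classify_rc() {
    case "$1" in
        0) echo CLEAN ;;
        1) echo INFECTED ;;
        *) echo ERROR ;;
    esac
}

# Print the paths reported as infected, one per line. clamscan writes a
# detection as "<path>: <signature name> FOUND".
infected_paths() {
    sed -n 's/^\(.*\): [^:]* FOUND$/\1/p' "$1"
}

# Run the scanner command passed as arguments, save its report, print a
# one-line verdict and return the scanner's own exit code to the caller.
# SCAN_LOG is a hypothetical variable name chosen for this example.
scan_and_report() {
    _log="${SCAN_LOG:-$(mktemp)}"   # mktemp avoids a predictable file in /tmp
    _rc=0
    "$@" >"$_log" 2>&1 || _rc=$?    # "|| _rc=$?" keeps this safe under set -e
    case "$(classify_rc "$_rc")" in
        CLEAN)    echo "CLEAN" ;;
        INFECTED) echo "INFECTED: $(infected_paths "$_log" | wc -l | tr -d ' ') file(s), see $_log" ;;
        ERROR)    echo "ERROR: scan did not complete (exit code $_rc), see $_log" ;;
    esac
    return "$_rc"
}

# Typical call, using options shown in this guide:
#   scan_and_report clamscan -ri /home
```

Because the wrapper returns the scanner's own exit code, cron or a systemd unit still sees a failed or positive scan as a non-zero status.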
Before we can wrap up this tutorial, it is good to understand that clamscan can be CPU intensive. To limit the clamscan CPU time to certain levels, you can use two tools: the nice and cpulimit commands. cpulimit limits absolute CPU time, and nice lowers the priority of clamscan (limits relative CPU time).
To use the nice command:
# nice -n 15 clamscan -ir /
As long as no other process requires CPU time, clamscan will maximize it. But as soon as another process with a higher priority needs CPU time, clamscan will lose it.
Using cpulimit:
cpulimit -z -e clamscan -l 50 & clamscan -ir /
In our next tutorial, we will learn how to create a bash script that automates ClamAV virus scanning and emails the results. Stay connected.