
Antivirus on Linux

Yes, you need it. Unfortunately there's no good AV on Linux at the moment.
I'd still use ClamAV together with rkhunter and chkrootkit to scan stuff every now and then until a better option shows up.

ClamAV

Install

sudo apt install clamav clamav-daemon

Configure

Enable ClamAV Daemon
sudo systemctl enable clamav-daemon
Start ClamAV Daemon
sudo systemctl start clamav-daemon

Scan

Manually:
sudo clamscan --infected --recursive --remove /

--infected: prints only infected files
--remove: removes infected files
--recursive: all the subdirectories in the directory will be scanned

Schedule with cron

In this setup we scan the home directory every day and the entire machine every week.

Create a quarantine directory.
sudo mkdir /root/quarantine

Create the daily cron job
sudo nano /etc/cron.d/daily.clamscan
And add
0 1 * * * root /usr/bin/clamdscan --fdpass --log=/var/log/clamav/clamdscan.log --move=/root/quarantine /home/

Create the weekly cron job
sudo nano /etc/cron.d/weekly.clamscan
And add
0 1 * * 0 root /usr/bin/clamdscan --fdpass --log=/var/log/clamav/clamdscan.log --move=/root/quarantine /

We need to exclude a few system directories from the scan. This appends the directories to /etc/clamav/clamd.conf (run it only once, or the lines are duplicated).
printf "ExcludePath ^/proc\nExcludePath ^/sys\nExcludePath ^/run\nExcludePath ^/dev\nExcludePath ^/snap\nExcludePath ^/var/lib/lxcfs/cgroup\nExcludePath ^/root/quarantine\n" | sudo tee -a /etc/clamav/clamd.conf

Restart clamav-daemon
sudo systemctl restart clamav-daemon
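An added helper script (not part of these notes) that makes the ExcludePath step safe to re-run and gives the weekly cron job something to report on: the config and log paths are parameters, and the function names are my own.

```sh
#!/bin/sh
# Added helper, not from the original notes. The notes' "printf | sudo tee -a"
# appends blindly, so running it twice duplicates every ExcludePath line;
# ensure_exclude_path only adds a line that is not already present.

# ensure_exclude_path CONF DIR: append "ExcludePath ^DIR" to CONF unless that
# exact line already exists.
ensure_exclude_path() {
    _conf="$1"
    _line="ExcludePath ^$2"
    if grep -qxF -- "$_line" "$_conf" 2>/dev/null; then
        return 0            # already configured, nothing to do
    fi
    printf '%s\n' "$_line" >> "$_conf"
}

# apply_excludes CONF: the directories listed in the notes, including the
# quarantine directory so moved files are not rescanned next week.
apply_excludes() {
    for _d in /proc /sys /run /dev /snap /var/lib/lxcfs/cgroup /root/quarantine; do
        ensure_exclude_path "$1" "$_d"
    done
}

# count_found LOG: number of "<path>: <signature> FOUND" lines in a clamdscan
# log (the --log file from the cron jobs); prints 0 when nothing was detected.
count_found() {
    grep -c ' FOUND$' "$1" || true
}

# scan_status CODE: meaning of clamdscan's exit code (0 clean, 1 infected
# files found, anything else an error), handy when wrapping the cron job.
scan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# On a real host (as root): apply_excludes /etc/clamav/clamd.conf
# and then restart clamav-daemon as the notes describe.
```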

rkhunter

Install

sudo apt install rkhunter
Pick "No configuration" during install.

Configure

Edit the configuration file
sudo nano /etc/rkhunter.conf

Change these values
UPDATE_MIRRORS=0 to UPDATE_MIRRORS=1
MIRRORS_MODE=1 to MIRRORS_MODE=0
WEB_CMD="/bin/false" to WEB_CMD=""

Update

sudo rkhunter --update

Scan

sudo rkhunter -c

Analyse the logs

sudo grep -i warning /var/log/rkhunter.log

chkrootkit

Install

sudo apt install chkrootkit

Configure (optional)

If you want to disable the daily scans, edit the configuration file:
sudo nano /etc/chkrootkit/chkrootkit.conf
Change RUN_DAILY="true" to RUN_DAILY="false"

Scan

sudo chkrootkit > scanresult.log

Analyse the logs

less scanresult.log