Many of the popular Windows antivirus programs have a Linux equivalent (F-Secure, Sophos, ESET NOD32, Comodo, F-PROT). But more often than not these do little more than scan for signatures of Windows viruses. This doesn’t mean they should be disregarded outright!
If you use Wine to run Windows programs then you could inadvertently use it to run Windows malware. Also, if you run an email server then it’s absolutely in your interests to scan incoming messages for Windows threats. Even if you don’t, maybe you’d rather know if that file you can’t remember downloading contains a Windows nasty, and maybe you’d feel safer scanning it from Linux.
We’re going to look at what appears to be the only open source antivirus software, ClamAV.
Many popular Linux distributions carry a reasonably up-to-date version of ClamAV in their repositories, or you can compile it yourself if you’re feeling brave enough. Generally speaking you’re also fine with an older version, since it will still download up-to-date virus definition databases.
Be aware, ClamAV IS NOT a real-time virus scanner. That is, it won’t scan files as you open them. Nonetheless, it comes with some other essential features including:
- Command-line scanner
- Milter interface for sendmail
- Advanced database updater with support for scripted updates and digital signatures
- Virus database updated multiple times per day
- Built-in support for all standard mail file formats
- Built-in support for various archive formats, including Zip, RAR, Dmg, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others
- Built-in support for ELF executables and Portable Executable files packed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others
- Built-in support for popular document formats including MS Office and Mac Office files, HTML, Flash, RTF and PDF
Now we will look at how to install ClamAV on the different distribution families. This installs the command-line scanner and the tool that updates the virus signature database.
Ubuntu, Debian, Mint, Kali
As always we start with the deb based distributions.
$ sudo apt install clamav clamtk
Recent releases of the RPM-based distributions use dnf as their only package manager, so we use dnf to install ClamAV.
$ sudo dnf install clamav clamtk
On older releases, our old friend yum does the same job.
$ sudo yum install clamav clamtk
The core of ClamAV features three main components:
- clamscan – a command line tool for scanning files and directories.
- clamd – a daemon that runs in the background allowing files to be scanned on access.
- freshclam – a tool to update the virus signature database.
The daemon comes in a separate package, so if you’re not interested in on-access scanning (which may slow down your system or use lots of memory), simply don’t install the clamav-daemon package.
Now you can run:
$ sudo freshclam
This updates the database manually, but a systemd service file is also provided to do it automatically. As it turns out, if you try to run that command while the service is running, you’ll get an error. The service can be stopped with:
$ sudo systemctl stop clamav-freshclam
This may be of interest for people that want to set up a cron job.
Meanwhile, let’s get on with testing our glorious antivirus. We’ll download the EICAR test file, which contains a (harmless!) signature that ClamAV ought to recognise:
$ wget https://www.eicar.org/download/eicar.com.txt
$ clamscan eicar.com.txt
You should see output matching the screenshot (below), with the test file reported as infected. For general on-demand use, you can just call clamscan with the file(s) or directories you’d like to scan.
For delving into directories, or entire filesystems, use the command:
$ clamscan --recursive /
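As an added example (Python, not ClamAV’s own code and not from this article), here is a small wrapper that runs the recursive scan above, parses clamscan’s line-per-file report into structured results and propagates clamscan’s exit code, so the same scan can be run from a cron job and acted on. It assumes clamscan is on the PATH, that its exit codes follow clamscan(1) (0 clean, 1 infections found, 2 error) and that detections are printed as "path: Signature FOUND"; the Maildir-style path with a colon in the test data is a constructed sample.

```python
#!/usr/bin/env python3
"""Added example (not ClamAV's own code): run an on-demand clamscan
sweep and turn its plain-text report into structured results.

Assumptions: clamscan is on PATH; its exit codes follow clamscan(1)
(0 clean, 1 infections found, 2 error); detections are printed as
"<path>: <signature> FOUND" and unreadable files as "<path>: <reason> ERROR".
"""
import re
import subprocess
import sys
from dataclasses import dataclass, field
from typing import List, Sequence

EXIT_CLEAN, EXIT_INFECTED, EXIT_ERROR = 0, 1, 2

# Paths may themselves contain ": " (Maildir file names often do), so the
# greedy group keeps everything up to the LAST ": " before the signature.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
ERROR_RE = re.compile(r"^(?P<path>.+): (?P<reason>.+) ERROR$")


@dataclass
class Detection:
    path: str
    signature: str


@dataclass
class ScanResult:
    exit_code: int
    detections: List[Detection] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)

    @property
    def infected(self) -> bool:
        # Trust both the exit code and the parsed lines, in case one is missing.
        return self.exit_code == EXIT_INFECTED or bool(self.detections)


def parse_clamscan_output(text: str, exit_code: int) -> ScanResult:
    """Parse clamscan's one-line-per-file report into a ScanResult."""
    result = ScanResult(exit_code)
    for line in text.splitlines():
        found = FOUND_RE.match(line)
        if found:
            result.detections.append(Detection(found["path"], found["sig"]))
            continue
        if ERROR_RE.match(line):
            result.errors.append(line)
    return result


def run_clamscan(target: str, extra_args: Sequence[str] = ()) -> ScanResult:
    """Scan `target` recursively, printing only infected files (no summary)."""
    cmd = ["clamscan", "--recursive", "--infected", "--no-summary",
           *extra_args, target]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_clamscan_output(proc.stdout + proc.stderr, proc.returncode)


def format_report(result: ScanResult) -> str:
    """Human-readable summary suitable for a cron mail or a log line."""
    lines = [f"clamscan exit code {result.exit_code}: "
             f"{len(result.detections)} infected, {len(result.errors)} errors"]
    lines += [f"  INFECTED {d.path} ({d.signature})" for d in result.detections]
    lines += [f"  {e}" for e in result.errors]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: ./scanwrap.py /path/to/scan   (defaults to the current directory)
    res = run_clamscan(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(format_report(res))
    # Propagate clamscan's own exit code so cron or a calling script can act on it.
    sys.exit(res.exit_code)
```

Splitting on the last ": " rather than the first matters for mail spools: Maildir file names carry flags after a colon (e.g. `...:2,S`), and a naive split would report a truncated path. Exiting with clamscan’s own code keeps cron’s mail-on-nonzero behaviour useful: a clean run is silent, an infected or failed run is reported.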
If you’re feeling paranoid, a number of third-party signatures can be downloaded from the repository at
These come from various sources (including Linux Malware Detect, another open source malware scanner focused on Linux), and will increase the chance of false positives, but may also increase your peace of mind.
Windows anti-malware programs are characterised by over-the-top GUIs and paranoid ‘Threat Detected’ klaxons. ClamTk is a graphical interface to ClamAV, but it is much more reserved in its appearance. It comes in its own package, clamtk (screenshot on top), and can be found in many popular distro repositories, as shown in the tutorial above. ClamTk definitely simplifies the process, so I suggest that you install it along with ClamAV. There are also dedicated Linux programs, a couple of which deserve a mention here, if only because they’ve been around for a long time: rkhunter and chkrootkit.
These are command-line tools for the detection of rootkits and other nasty stuff.
Lastly, I hope the steps in this article for configuring ClamAV on Linux were helpful. Let me know your suggestions and feedback in the comments section.