AndreiC.
08-26-2025, 03:34 AM
A server is like a fortress; its security is only as strong as its weakest point. While firewalls and secure passwords are your first line of defense, hidden threats like malware and rootkits can still find their way in. Proactive scanning is essential for any serious system administrator. This guide will show you how to use ClamAV, a powerful open-source antivirus engine, to perform a deep security audit on your virtual server hosting (https://www.enginyring.com/en/virtual-servers). Usually, people who use a web hosting (https://www.enginyring.com/en/webhosting) service will have those audits done by their hosting company (or that should happen, in theory).
Step 1: Installing the ClamAV Engine
First, connect to your server via SSH. The installation process is straightforward, but the commands differ slightly based on your Linux family.
For Debian/Ubuntu systems:
sudo apt-get update
sudo apt-get install clamav clamav-daemon -y
For RHEL/CentOS/Rocky Linux systems:
For RHEL-based systems, ClamAV isn't included in the standard software repositories. We first need to enable the EPEL (Extra Packages for Enterprise Linux) repository, a community-maintained project that provides high-quality add-on software packages.
sudo dnf install epel-release -y
sudo dnf install clamav clamav-update -y
Step 2: Updating the Threat Database
An antivirus scanner is useless without an up-to-date database of threat signatures.
First, we need to temporarily stop the automatic update service so we can run a manual update.
sudo systemctl stop clamav-freshclam
Now, run the freshclam command to download the very latest definitions.
sudo freshclam
Once the update is complete, restart the service.
sudo systemctl start clamav-freshclam
Step 3: Performing a System-Wide Scan
With a fresh database, you're ready to scan. The clamscan command is highly configurable, but the following command is an excellent, robust starting point for a full server audit:
sudo clamscan -r -i --exclude-dir="^/sys|^/proc" /
Here is a breakdown of what these flags accomplish:
-r: Scans recursively, digging into every subdirectory of your server.
-i: Instructs the tool to only report infected files, keeping your output clean and focused on actual threats.
--exclude-dir: We explicitly skip /sys and /proc. These are not traditional directories with files on your disk; they are virtual filesystems created by the Linux kernel to provide information about the system's state. Scanning them is pointless and can generate a flood of harmless errors.
/: We are telling ClamAV to start from the root directory, ensuring no part of the filesystem is missed.
Depending on the size of your server's filesystem, this initial scan may take a significant amount of time.
Step 4: Handling Scan Results
If ClamAV identifies a potential threat, you need to handle it. While you can automatically delete findings using the --remove flag, this is risky. A false positive on a critical system file could cause serious damage.
A much safer and more professional approach is to quarantine suspicious files for later review.
First, create a dedicated quarantine directory, separate from the rest of your system, to hold anything the scan finds:
sudo mkdir /quarantine
Now, run your scan again, this time telling ClamAV to move any findings into this new directory:
sudo clamscan -r -i --exclude-dir="^/sys|^/proc" --move=/quarantine /
This command safely isolates any potential threats, allowing you to investigate them without risk to the server's stability.
Step 5: Automating Your Scans
Security isn't a one-time task. For true peace of mind, your server should be scanned on a regular schedule. You can achieve this using a cron job.
To edit the cron table, run:
sudo crontab -e
Then, add the following line to schedule a scan to run every night at 2 AM. The results (both standard output and errors) will be logged to a file for later review.
0 2 * * * /usr/bin/clamscan -r -i --exclude-dir="^/sys|^/proc" --move=/quarantine / > /var/log/clamscan.log 2>&1
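Rather than putting the whole clamscan command in the crontab, the nightly run can be wrapped in a small script that keeps a dated log, records the result in syslog and flags scan errors. The script below is an added example, not part of the original post: it assumes the /quarantine directory from Step 4, a log directory /var/log/clamav-audit, and a constructed sample of clamscan output for trying the parsing functions without a real scan.

```shell
#!/bin/sh
# Added example (not the author's script): a cron-friendly wrapper around the post's nightly scan.
# Assumed paths: /quarantine from Step 4, dated logs under /var/log/clamav-audit.
QUARANTINE=/quarantine
LOGDIR=/var/log/clamav-audit

# Map clamscan's exit status to a word: 0 nothing found, 1 something found, 2 scan error.
describe_exit() {
  case "$1" in
    0) echo clean ;;
    1) echo infected ;;
    2) echo error ;;
    *) echo unknown ;;
  esac
}

# Read clamscan output on stdin, print the "Infected files: N" count (0 if the summary is missing).
infected_count() {
  awk -F': ' '/^Infected files:/ { n = $2 } END { print n + 0 }'
}

# Read clamscan output on stdin, print one path per finding ("<path>: <signature> FOUND").
found_paths() {
  sed -n 's/^\(.*\): .* FOUND$/\1/p'
}

# Constructed sample of clamscan output, used to try the parsers without running a scan.
SAMPLE='/srv/www/upload/invoice.exe: Win.Test.EICAR_HDB-1 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8000000
Infected files: 1'

# The real audit: same flags as the post, plus /dev and the quarantine itself excluded,
# so device nodes are not read and already-moved files are not "found" a second time.
run_audit() {
  mkdir -p "$LOGDIR"
  chmod 700 "$QUARANTINE" "$LOGDIR"          # findings and logs readable by root only
  log="$LOGDIR/clamscan-$(date +%F).log"     # one log per night instead of overwriting
  clamscan -r -i --exclude-dir="^/sys|^/proc|^/dev|^$QUARANTINE" \
    --move="$QUARANTINE" / >"$log" 2>&1
  rc=$?
  logger -t clamav-audit "status=$(describe_exit "$rc") infected=$(infected_count <"$log") log=$log"
  [ "$rc" -ne 2 ]                            # exit non-zero on a scan error so cron reports it
}

# Run the scan only when invoked as: clamav-audit.sh run
if [ "${1:-}" = "run" ]; then run_audit; fi
```

Save it as, for example, /usr/local/sbin/clamav-audit.sh and point the cron entry at it: 0 2 * * * /usr/local/sbin/clamav-audit.sh run. Each night's findings can then be listed with found_paths < /var/log/clamav-audit/clamscan-YYYY-MM-DD.log before deciding what to do with the quarantined files.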
By integrating regular ClamAV scans into your security routine, you add a critical layer of defense against common threats. This proactive approach helps ensure the integrity of your server and the safety of your data.