Scanning Your Server for Malware

It is often repeated that linux does not get repeated, but in reality this is not quite the case. It is true that there are far more viruses and malware targeting Windows platforms, but this is simply due to the much larger number install base for Windows as compared to Linux.

With the increase in IoT devices, linux malware is massively on the increase. Mirai, a massive botnet which first appeared in 2016, targeted default usernames and passwords on IoT devices running the Linux operating system. Coupled with the popularity of Android, which is itself Linux based, for phones and other devices, you can no longer consider your Ubuntu server immune from the threat of malware infection.

Luckily there are existing anti-virus solutions out there to help protect you and limit the danger.

Clam AV is an open source AV which has been on the market for a long time and can be used on both Linux and Windows servers and desktop systems. It is an effective and well-respected Anti-Virus. The only drawback though is that it does not do continuous monitoring, which is possibly a good thing as this uses up memory and CPU cycles. To counter this, we are going to set up a schedule for it to update itself and run a regular daily scan.

Installing & Updating ClamAV

Clam AV is available in Ubuntu’s software repositories. We are going to install both the Clam AV engine and the daemon, which will allow Clam AV to be run in the background from a scheduled script, and without user intervention.

The next step is to update ClamAV’s anti-virus signatures. To do this, stop the service, update them using the ‘freshclam’ command, and then restart the services

Running a Scan

As soon as ClamAV is installed, run a full system scan:

This will run a scan of the entire filesystem (-r) and report back on any infected files it finds (-i). It will not report any OK files (-o). Depending on the size of your server and how many files are on it, it may take some time.

This scan will not remove any infected files. To remove them you need to add the ‐‐remove=yes option. Be careful about this as the file will be deleted, and this may cause trouble in the case of any false-positive alerts.

A better option may be to quarantine suspected infected files by creating a specific directory for moving suspicious files to, thus allowing you a chance to review and re-test them (virustotal.com) before deleting them. Add the ‐‐move=DIRECTORY option to clamav to have it do this.

Run clamscan -h to see all available options.

Unlike most Windows AV products, ClamAV does not run in the background continuously scanning new files. Instead it is a good idea to schedule a regular scan on your server. This is something we will be covering in another article.