Install ClamAV Antivirus in Debian 11 Bullseye and Ubuntu 20.04

ClamAV 0.104.1 Free Antivirus Package Upgrading

ClamAV is an open-source antivirus engine available for Linux distributions. Its most common deployment is on mail servers, where it integrates with the MTA to scan received attachments; it is also used as an on-demand or scheduled file scanner on servers and workstations, and behind web proxies to scan downloads before they reach users.
In this article, we would discuss how to install ClamAV Antivirus in Debian 11 Bullseye and Ubuntu 20.04.

Features of ClamAV:

  • built-in support for various archive formats, including Zip, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others.
  • built-in support for almost all mail file formats.
  • built-in support for ELF executables and Portable Executable files compressed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others.
  • built-in support for popular document formats including Microsoft Office and Mac Office files, HTML, RTF and PDF.
  • support for multiple signature languages, including hash-based signature matching, wildcards, boolean logic and custom rules written in ClamAV's bytecode language.

ClamAV includes a multi-threaded scanner daemon (clamd), command-line utilities for on-demand file scanning (clamscan, and clamdscan for scanning through the daemon) and an automatic signature updater (freshclam). One of its main uses is on mail servers as a server-side email virus scanner.

Install and use ClamAV on Debian 11 Bullseye / Ubuntu 20.04

Update the package index and then install the ClamAV scanner together with its daemon with the following commands:

$ sudo apt update
$ sudo apt install clamav clamav-daemon

After the installation completes, the clamav-freshclam service is already running and updating the signature database in the background. To run the first update by hand, stop that service first; otherwise the manual run fails because the service holds the freshclam lock and log file. Stop it with the command:

$ sudo systemctl stop clamav-freshclam

With the daemon stopped, update ClamAV with the command:

$ sudo freshclam

freshclam downloads the signature databases (main.cvd, daily.cvd and bytecode.cvd) into /var/lib/clamav, so when it completes successfully nothing more is needed. Confirm the files are present with:

$ ls -l /var/lib/clamav/

Only if freshclam fails (for example because the mirror rate-limited the download) do you need to fetch the daily database manually:

$ sudo wget https://database.clamav.net/daily.cvd

Copy that file into the database directory and hand it to the clamav user, which is the account the daemon and freshclam run as, so that they can read and later replace it:

$ sudo cp daily.cvd /var/lib/clamav/
$ sudo chown clamav:clamav /var/lib/clamav/daily.cvd

Start the freshclam service again so updates continue automatically, and then start the scanning daemon, whose unit will not start until at least one database exists in /var/lib/clamav:

$ sudo systemctl start clamav-freshclam
$ sudo systemctl enable --now clamav-daemon

How to manually scan a directory

To scan directories we need to type the following command in terminal:

$ clamscan -r -i --bell /home/

where:

-r, scan subdirectories recursively,

-i, print only infected files,

--bell, ring the terminal bell when a virus is detected,

/home/, the directory to scan; substitute any directory you like.

This command only scans the directory tree and lists the infected files. If you would rather move infected files somewhere else, that is usually a safer choice than deleting them, because removing a file that turns out to be a false positive could break the system. To quarantine instead of just reporting, type the following command in the terminal:

$ clamscan -i -r --move="/home/<home-directory>/Downloads/" /home

The above command scans /home/ and, if infected files are detected, moves them to /home/<home-directory>/Downloads/. Note that this quarantine directory sits inside the tree being scanned, so the moved files will be flagged again on the next run; in practice choose a quarantine directory outside the scanned path (for example /var/quarantine, owned by root with mode 700) so that nothing can execute what was moved there. When scripting clamscan, use its exit status: 0 means nothing was found, 1 means infected files were found and 2 means an error occurred.
Type clamscan -h for more options.
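As an added example (not from the original article), the script below ties the install and manual-scan steps together: it verifies the fresh install with the EICAR test file rather than real malware, quarantines hits with --move into a directory that lies outside the scanned tree, and maps clamscan's exit status to a verdict that a larger script can branch on. It assumes clamscan is on PATH with signatures already downloaded; the helper names and the temporary directories are this example's own.

```shell
#!/bin/bash
# Added example, not part of the article or of ClamAV: verify detection with the
# EICAR test file and quarantine hits outside the scanned tree.
# Assumes clamscan is installed and freshclam has populated /var/lib/clamav.

# The 68-byte EICAR test string. Every engine, ClamAV included, flags it
# (as Eicar-Test-Signature), so it exercises the signature path harmlessly.
eicar_string() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

# Write the test file into the directory given as $1 and print its path.
write_eicar() {
    local path="$1/eicar.com"
    eicar_string > "$path"
    printf '%s\n' "$path"
}

# clamscan exit status: 0 = nothing found, 1 = infected file(s) found, 2 = error.
scan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Scan $1 recursively, moving detections into $2, which must not be inside $1
# (otherwise the moved files are rescanned and re-flagged on the next run).
scan_and_quarantine() {
    local src="$1" quarantine="$2" rc=0
    mkdir -p "$quarantine"
    chmod 700 "$quarantine"
    clamscan -r -i --no-summary --move="$quarantine" "$src" || rc=$?
    scan_verdict "$rc"
}

# Number of files currently held in the quarantine directory $1.
quarantined_count() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Live check, only when clamscan is actually installed on this host.
if command -v clamscan >/dev/null 2>&1; then
    src=$(mktemp -d)
    quarantine=$(mktemp -d)
    write_eicar "$src" >/dev/null
    verdict=$(scan_and_quarantine "$src" "$quarantine")
    # On a working install this prints "verdict: infected, quarantined: 1"
    # and eicar.com is no longer present under $src.
    echo "verdict: $verdict, quarantined: $(quarantined_count "$quarantine")"
    rm -rf "$src" "$quarantine"
else
    echo "clamscan not installed; skipping live scan" >&2
fi
```

If the verdict comes back "clean", the signature database is missing or stale (check /var/lib/clamav and the freshclam log); "error" usually means clamscan could not read the database or the target directory.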

How to set ClamAV to scan automatically

Now we'll create a bash script that scans the /var/www/html/ directory, then a cron job to run it nightly. How you do this depends on whether the machine can send email. If it can, you may be able to use the script as is, or you may have to adjust it for the SMTP setup on the server. The example below uses the mail command.
First, create the script with the command:

$ sudo nano /usr/local/bin/clamscan_daily.sh

In that file, paste the following:

#!/bin/bash
# Nightly ClamAV scan: writes a dated log and mails it when anything is found.
LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log"
EMAIL_MSG="Please see the log file attached"
EMAIL_FROM="[email protected]"
EMAIL_TO="[email protected]"
# Space-separated list of directories to scan.
DIRTOSCAN="/var/www/html"

for S in ${DIRTOSCAN}; do
  DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1)
  echo "Starting scan of $S directory. Directory size: $DIRSIZE." >> "$LOGFILE"
  # --remove deletes infected files outright; use --move=DIR to quarantine instead
  # (DIR must lie outside the scanned tree, or it will be rescanned next time).
  clamscan -ri --remove --detect-pua=yes "$S" >> "$LOGFILE"
  # Uncomment to prune logs older than 30 days:
  #find /var/log/clamav/ -type f -mtime +30 -exec rm {} \;
  # The scan summary contains a line "Infected files: N"; take the most recent one
  # and default to 0 if the summary is missing so the test below does not error out.
  MALWARE=$(grep '^Infected files:' "$LOGFILE" | tail -n1 | cut -d" " -f3)

  if [ "${MALWARE:-0}" -ne 0 ]; then
     # -a attaches the log with s-nail/heirloom mailx; bsd-mailx and mailutils read
     # -a as "add a header", so with those send the log as the message body instead.
     echo "$EMAIL_MSG" | mail -a "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO"
  fi
done

exit 0

Where EMAIL_FROM is the sender address and EMAIL_TO is the address any alerts will be sent to; replace both with real addresses on your mail system.
Give that file executable permissions with the command:

$ sudo chmod u+x /usr/local/bin/clamscan_daily.sh

Create the cron job with the command:

$ sudo crontab -e

At the bottom of the file, add the following line to run the scan every day at 1 am:

0 1 * * * /usr/local/bin/clamscan_daily.sh > /dev/null 2>&1

Save and close the file.
At this point, ClamAV will scan the /var/www/html directory for malicious files every night and alert you if it finds anything. If your server is not set up so that it can actually send email, you will need to view the generated log file manually with the command:

less /var/log/clamav/clamav-YYYY-MM-DD.log

Where YYYY-MM-DD is the date of the run you need to view. If you aren't setting up email alerts, make sure you routinely check the ClamAV log files.
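To see the alert decision of the nightly job exercised without running a scan, here is an added example (not part of the article's script or of ClamAV) that parses clamscan output the way the job needs to: it pulls the Infected files count from the summary, lists the paths marked FOUND, and treats a log with no summary (a run that died or hit an error) as something to alert on rather than as clean. The log text, paths and signature name are constructed for the example; the helper names are this example's own.

```shell
#!/bin/bash
# Added example: parse clamscan log output and decide whether to alert.
# The sample logs below are constructed; they mimic clamscan's output format.

# Constructed sample of a run with one detection and a complete summary.
SAMPLE_LOG='/var/www/html/index.php: OK
/var/www/html/uploads/shell.php: Win.Trojan.Agent-123 FOUND
/var/www/html/uploads/shell.php: Removed.

----------- SCAN SUMMARY -----------
Known viruses: 8600000
Engine version: 0.103.6
Scanned directories: 2
Scanned files: 3
Infected files: 1
Data scanned: 0.01 MB
Data read: 0.00 MB (ratio 2.00:1)
Time: 10.000 sec (0 m 10 s)
Start Date: 2022:01:01 01:00:00
End Date:   2022:01:01 01:00:10'

# Constructed sample of a run that stopped before writing a summary.
TRUNCATED_LOG='/var/www/html/index.php: OK'

# Print the count from the most recent "Infected files: N" line in the log text
# given as $1 (pass "$(cat "$LOGFILE")" from the cron job), or -1 when there is
# no summary, so a broken run is never mistaken for a clean one.
infected_count() {
    local n
    n=$(printf '%s\n' "$1" | grep '^Infected files:' | tail -n1 | awk '{print $3}')
    printf '%s\n' "${n:--1}"
}

# List the paths flagged FOUND, one per line, stripping the signature name.
found_paths() {
    printf '%s\n' "$1" | awk '/ FOUND$/ { sub(/: .* FOUND$/, ""); print }'
}

# Succeed (exit 0) when mail should be sent: any detection, or a missing summary.
should_alert() {
    local n
    n=$(infected_count "$1")
    [ "$n" -ne 0 ]
}

# Build the one-line subject the job would use for the alert mail.
alert_subject() {
    local n
    n=$(infected_count "$1")
    if [ "$n" -lt 0 ]; then
        echo "ClamAV scan incomplete: no summary in log"
    else
        echo "Malware Found: $n infected file(s)"
    fi
}

# Usage: run against the constructed samples.
echo "$(alert_subject "$SAMPLE_LOG")"
found_paths "$SAMPLE_LOG"
echo "$(alert_subject "$TRUNCATED_LOG")"
```

The -1 sentinel is the point worth copying into a real job: a scan that crashed, ran out of disk or was killed by a timeout leaves no summary, and a script that only looks for a non-zero count will silently report such a night as clean.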

Conclusion

And that's all it takes to set up ClamAV on your Debian 11 or Ubuntu 20.04 server to detect malicious files. If you have any questions, feel free to leave a comment.
