Your Linux servers could use a system to scan for malicious files. Jack Wallen shows you how with the help of ClamAV.
Linux is a very secure platform. However, that doesn’t mean it’s invulnerable to malware and other types of attacks. Because of that, you must take every precaution possible to prevent and/or detect issues.
One of the many things you can do is install and use ClamAV, which is an open source antivirus engine for detecting trojans, viruses, malware, and other malicious threats. ClamAV is reliable, free, and easy to use.
I’m going to walk you through the installation of ClamAV on Ubuntu Server 20.04. Once installed, we’ll test it against the well-known Eicar test file and then we’ll set up an automated task to run the scans.
SEE: Identity theft protection policy (TechRepublic Premium)
What you’ll need
- A running instance of Ubuntu Server 20.04
- A user with sudo privileges
How to install ClamAV
ClamAV is not installed by default. To install everything necessary, log in to your Ubuntu Server instance and issue the command:
sudo apt-get install clamav clamav-daemon mailutils -y
After the installation is complete, you’ll need to stop the daemon, so you can update the ClamAV database manually. Stop the daemon with the command:
sudo systemctl stop clamav-freshclam
With the daemon stopped, update ClamAV with the command:
When freshclam completes, download the latest database signature file with the command:
sudo wget https://database.clamav.net/daily.cvd
Copy that file into the necessary directory with the command:
sudo cp daily.cvd /var/lib/clamav/
Start the freshclam daemon with the command:
sudo systemctl start clamav-freshclam
How to manually scan a directory
Let’s run a quick manual scan on our system. Say your server is a web server and everything is housed in the standard Apache document root. You can run a manual scan on that directory with a command like:
sudo clamscan --infected --detect-pua=yes --recursive /var/www/html/
The above command will run a recursive scan on /var/www/html/ and look for both infected files and possibly unwanted applications. Depending on how much data is in that directory, the scan can take some time.
When the scan completes it should, hopefully, return nothing suspect found. If you want to make sure that ClamAV is working properly, follow the steps below.
Download the Eicar file with the command:
wget -P ~/ http://www.eicar.org/download/eicar.com
Move that file into your home directory with the command:
mv eicar.com ~/
Run the scan on the downloaded file with the command:
sudo clamscan --infected --remove --recursive ~/
ClamAV should detect the malicious file and remove it.
How to set ClamAV to scan automatically
Now we’ll create a bash script that will scan the /var/www/html/ directory and then create a cron job to run it nightly. How you do this will depend on if you can send email from the machine. If so, you might be able to use the script as is, or you might have to modify it, based on what SMTP server you’ve set up on the server. The example below will use the mail command.
First, create the script with the command:
In that file, paste the following:
#!/bin/bash LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log"; EMAIL_MSG="Please see the log file attached"; EMAIL_FROM="email@example.com"; EMAIL_TO="firstname.lastname@example.org"; DIRTOSCAN="/var/www/html"; for S in $DIRTOSCAN; do DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1); echo "Starting scan of "$S" directory. Directory size: "$DIRSIZE"."; clamscan -ri --remove --detect-pua=yes "$S" >> "$LOGFILE"; #find /var/log/clamav/ -type f -mtime +30 -exec rm ; MALWARE=$(tail "$LOGFILE"|grep Infected|cut -d" " -f3); if [ "$MALWARE" -ne "0" ];then echo "$EMAIL_MSG"|mail -a "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO"; fi done exit 0
Where email@example.com is the FROM address and firstname.lastname@example.org is the email address any alerts will be sent to.
Give that file executable permissions with the command:
sudo chmod u+x /usr/local/bin/clamscan_daily.sh
Create the cron job with the command:
sudo crontab -e
At the bottom of the file, add the following line to run the scan every day at 1 am:
1 1 * * * /usrlocal/bin/clamscan_daily.sh > /dev/null 2>&1
Save and close the file.
At this point, ClamAV will automatically scan the /var/www/html directory for malicious files and alert you if it finds anything. If your server isn’t set up, such that it can actually send out email, you’ll then need to manually view the generated log file with the command:
Where DATE is the timestamp of the file you need to view. If you aren’t setting this up for manual email alerts, make sure you routinely check the ClamAV log file.
And that’s all there is to setting ClamAV up on your Ubuntu Server, to help detect and keep it free from malicious files.
Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.