Wednesday, November 14, 2012

ClamAV - Linux Antivirus Software

Antivirus for Linux sounds unnecessary because the probability of a Linux machine being infected by a virus is low. However, because Linux can communicate and share files with Windows, antivirus is another piece of software that helps prevent the spread of malware between Windows clients, with Linux acting as the conduit.

ClamAV is included in most Linux distribution repositories. ClamAV is, “...designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates.” Even though ClamAV is designed for mail gateways, to scan incoming e-mail, there are tools to manually scan media for viruses. Normally a system's /home folder, which contains the users' home directories, or shared folders like Samba shares with Windows clients are scanned on a schedule. ClamAV is not normally used to scan the complete filesystem of a Linux machine. Used in conjunction with Windows antivirus software, this will help prevent malware outbreaks in your home or organization.

Installing ClamAV is a fairly simple task, and in this article I will use Ubuntu 12.04 as the example system for installation and use. ClamTK is a GUI front end for ClamAV and is an easy way to scan media and schedule system scans. ClamAV and ClamTK can be installed via the Ubuntu Software Center or from the command line using the apt-get utility.

$ sudo apt-get install clamav clamtk
$ sudo freshclam

The first command installs both ClamAV and ClamTK on an Ubuntu Linux computer. The second command performs the initial update of the antivirus database.

In Ubuntu 12.04, the installation will also set up ClamAV's freshclam in daemon mode to update the antivirus database automatically, so manual updates are unnecessary. We can check whether freshclam is running in daemon mode by issuing the following command:

$ sudo service clamav-freshclam status

If the service is running, the output should be the following.

* freshclam is running

By default the antivirus database is checked for updates twenty-four times a day. To manually scan your home folder, use either the command line utility clamscan or the GUI interface ClamTK. When starting ClamTK, the application will check and report the versions of the GUI interface, the antivirus engine and the antivirus definitions. If your particular distribution has not updated its repository to the latest version of ClamTK, it should not be a major issue, but if you want the latest version you may need to enable any backport repositories.

ClamTK Interface

ClamTK has a few preferences; the most notable are “Scan files beginning with a dot (.*)”, which scans hidden files; “Scan all files and directories within a directory”, which enables recursive scanning; and “Scan files larger than 20 MB”, which scans large files. I enable these three options, which makes scanning my home folder an easy task: just click the Home icon in the ClamTK interface.

ClamTK Preferences

Another use of ClamAV that has come in handy is scanning removable media, like USB drives. I found the easiest and most complete way to scan a USB device is to do a recursive scan. Select Scan, then Recursive Scan from the ClamTK menu, navigate to the removable media and scan the device.

Scanning a USB Drive

ClamTK can also create a user-level cron job to schedule scans on a per-user basis, if you have multiple users on your Linux machine. From the ClamTK menu select Advanced, then Scheduler. In the diagram I have scheduled a daily scan of my home folder at 8:00 PM.

Daily Scan at 8:00PM
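For readers who would rather run the same home-folder scan from the command line or from their own crontab, here is an added shell script (example code written for this post, not part of ClamAV or ClamTK). It maps the three ClamTK preferences above onto clamscan options, classifies clamscan's exit codes, and generates the crontab line for a daily 8:00 PM run. The log directory, the 1000M size limits and the script name are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the post or the ClamAV project): a command-line
# equivalent of the ClamTK home-folder scan plus the daily cron entry.
# SCAN_DIR, LOG_DIR and the size limits below are assumptions for this example.

SCAN_DIR="${SCAN_DIR:-${HOME:-/tmp}}"            # what to scan: the user's home folder
LOG_DIR="${LOG_DIR:-${HOME:-/tmp}/clamav-logs}"  # assumed location for scan logs

# clamscan options matching the three ClamTK preferences described above:
#   --recursive     = "Scan all files and directories within a directory"
#   (no exclusion)  = dot files are scanned, like "Scan files beginning with a dot (.*)"
#   --max-filesize / --max-scansize raise the size caps so large files are not skipped
#   --infected      = print/log only the files that were detected
scan_opts() {
    echo "--recursive --infected --max-filesize=1000M --max-scansize=1000M"
}

# clamscan exit status: 0 = nothing found, 1 = infected file(s) found, 2 = error
scan_status_message() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected" ;;
        *) echo "error" ;;
    esac
}

# Crontab line for a daily run at HOUR:MINUTE (20 0 = 8:00 PM, as in the Scheduler)
cron_entry() {
    hour="$1"; minute="$2"; script="$3"
    printf '%s %s * * * %s' "$minute" "$hour" "$script"
}

# Run the scan, keep a dated log, and report the outcome in one line
run_scan() {
    mkdir -p "$LOG_DIR"
    log="$LOG_DIR/scan-$(date +%Y%m%d-%H%M).log"
    # shellcheck disable=SC2046  # options contain no spaces, so word splitting is intended
    clamscan $(scan_opts) --log="$log" "$SCAN_DIR" >/dev/null 2>&1
    status=$?
    echo "$(date): scan of $SCAN_DIR finished: $(scan_status_message "$status") (exit $status, log $log)"
    return "$status"
}

case "${1:-}" in
    --run)
        if command -v clamscan >/dev/null 2>&1; then
            run_scan
        else
            echo "clamscan is not installed; install the clamav package first" >&2
        fi
        ;;
    --install-cron)
        # Append a daily 8:00 PM entry for this script to the current user's crontab.
        # Assumes the script was started via an absolute path so $0 is usable from cron.
        (crontab -l 2>/dev/null; cron_entry 20 0 "$0 --run"; echo) | crontab -
        ;;
esac
```

Save it as, for example, ~/bin/clamscan-home.sh, run `sh ~/bin/clamscan-home.sh --run` to scan immediately, and `sh ~/bin/clamscan-home.sh --install-cron` to add the same per-user cron job that ClamTK's Scheduler would create. Because the script preserves clamscan's exit status, a wrapper or monitoring job can treat status 1 (detection) and status 2 (scan error, for instance an out-of-date database) differently instead of only reading the log.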

Though antivirus on Linux may seem unnecessary, there are other clients in use that are susceptible to virus infection and other malware. ClamAV and ClamTK are tools that can prevent Linux from being a carrier of malware.


jaheaga said...

Hi, you should fix the command "sudo freschclam": there is a "c"; the correct command is "sudo freshclam".

The Small Box Admin said...

Thanks for catching the typo.