PUBLISHED ON: FEBRUARY 13, 2023
Anti-Virus Protection and Rootkit detection with ClamAV and rkhunter
On Debian and Ubuntu you can install ClamAV with the apt package manager; on CentOS you can use the yum package manager. This guide uses apt in its examples, but the steps can be adapted to CentOS with yum. ClamAV requires the clamav package (the command-line utilities) and clamav-daemon (the scanning service).
Run the following command to install the ClamAV tools:
sudo apt install clamav clamav-daemon
After installation, you may run the following command to see what version of ClamAV was put in place:
clamscan --version
Make sure that all necessary ClamAV services and daemons are up and functioning before beginning any scanning. The freshclam service, which is in charge of refreshing the signature database, is the first service you should launch.
ClamAV scans need to be conducted with an active and current signature database. It is advised that you regularly keep your database current.
You must stop the freshclam service before you update the signature database. Run the following command to do this:
sudo systemctl stop clamav-freshclam
You can now update the signature database by running the freshclam command:
sudo freshclam
After the signature database has been updated, start the freshclam service again by running the following command:
sudo systemctl start clamav-freshclam
Scanning with ClamAV
Scanning with ClamAV is simple: run the clamscan command in the terminal. You can get started by scanning a particular directory. For example, to scan the /etc/ directory for infected files, run the following command:
sudo clamscan -i -r --remove /etc
-i: prints only infected files
--remove: removes infected files
-r: recursive scan; all subdirectories of the given directory are scanned
To learn more about the options you can use with clamscan, check the manual.
If you want to scan the entire system, run the following command:
sudo clamscan -i -r --remove /
After the scan is completed, a summary is displayed:
----------- SCAN SUMMARY -----------
Known viruses: 8930484
Engine version: 0.102.4
Scanned directories: 150
Scanned files: 439
Infected files: 0
Data scanned: 2.15 MB
Data read: 0.93 MB (ratio 2.32:1)
Time: 100.447 sec (1 m 40 s)
For the full list of options, run:
clamscan --help
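The scan procedure above, as an added example that is not part of the original post: it runs clamscan on a directory, quarantines matches with --move instead of deleting them with --remove, keeps the report with --log, and turns the SCAN SUMMARY and exit status into a machine-readable verdict. It assumes clamscan is installed; the quarantine and log paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: run the clamscan scan described
# above, quarantine matches instead of deleting them, and turn the SCAN SUMMARY and
# exit status into a machine-readable result. Assumes clamscan is installed; the
# quarantine and log paths below are assumptions, not values from the post.

QUARANTINE_DIR="${QUARANTINE_DIR:-/var/quarantine/clamav}"   # assumed path

# Read a clamscan SCAN SUMMARY on stdin and print one numeric field
# (e.g. "Infected files"); prints 0 if the field is absent.
summary_field() {
  awk -v key="$1" -F': ' '$1 == key { print $2; found = 1 } END { if (!found) print 0 }'
}

# clamscan's documented exit status: 0 = no virus found, 1 = virus found, 2 = error.
clamscan_verdict() {
  case "$1" in
    0) echo clean ;;
    1) echo infected ;;
    *) echo error ;;
  esac
}

# Scan a directory. -i prints only infected files, -r recurses, --move quarantines
# hits instead of --remove deleting them, --log keeps the full report for review.
scan_dir() {
  dir="$1"
  log="${2:-/var/log/clamav/scan-$(date +%Y%m%d-%H%M%S).log}"   # assumed path
  sudo mkdir -p "$QUARANTINE_DIR" "$(dirname "$log")"
  sudo clamscan -i -r --move="$QUARANTINE_DIR" --log="$log" "$dir"
  status=$?
  infected=$(summary_field "Infected files" < "$log")
  printf 'verdict=%s infected=%s log=%s\n' "$(clamscan_verdict "$status")" "$infected" "$log"
  return "$status"
}

# Constructed SCAN SUMMARY in the format shown above, used to exercise the parser offline.
SAMPLE_SUMMARY='----------- SCAN SUMMARY -----------
Known viruses: 8930484
Engine version: 0.102.4
Scanned directories: 150
Scanned files: 439
Infected files: 2
Time: 100.447 sec (1 m 40 s)'

# Usage: sh scan.sh /etc   (a real scan runs only when a directory is given)
if [ "$#" -gt 0 ]; then
  scan_dir "$1"
fi
```

Quarantined files can be examined before deletion, which a plain --remove does not allow.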
The rkhunter tool
rkhunter (Rootkit Hunter) is a Unix-based tool that searches for rootkits, back doors, and potential local exploits. It does this by comparing the SHA-1 hashes of critical files with known-good hashes from online databases, looking for default rootkit directories, incorrect permissions, hidden files and suspicious strings in kernel modules, and running specific tests for Linux and FreeBSD. rkhunter is available as a package in the repositories of most Linux distributions. Run the checks with the following command:
sudo rkhunter --check
Conclusion
ClamAV and rkhunter are effective tools for securing Linux systems against malware, other security threats and rootkits. By following this tutorial, you are able to detect and remove such issues.