Antivirus & Antimalware for Linux Servers

Antivirus & Antimalware for Linux Servers

Posted:  September 21, 2021

Antivirus & Antimalware for Linux Servers

Scanning your system for different types of unwanted programs can help identify issues, or at least give you the peace of mind for having a clean server.

There are multiple options for making sure your server is clean of any malware, this guide goes over the top scanning software you can utilize for checking your system, keeping your servers clean, and your files safe.

ClamAV

ClamAV is a popular open source antivirus engine available on a multitude of platforms including the majority of Linux distributions. Install it with the command below.

sudo apt-get install clamav clamav-daemon

With the required modules installed, next, you should update the virus database for ClamAV by running the updater application.

sudo freshclam

When you’ve finished updating the virus definitions, do a test scan to your home directory just to make sure the scanning works as it should use the following command.

sudo clamscan -r /home

Granted that your home directory didn’t contain any viruses or other types of malware, the scan should come back empty.

So how do you know it works?

For this, you can download an anti-virus test file, which is a small completely harmless program that most anti-virus software report as infected, though with an obvious test file name EICAR-AV-Test. Use the following command to download the test file to your home directory.

wget -P ~/ http://www.eicar.org/download/eicar.com

Now scan your home folder again with the same command as above, you should receive notice of one infected file at the end summary after the scan is completed. When you’ve confirmed that ClamAV finds the test file correctly, use the command below to scan it again and remove the infected file once found.

sudo clamscan --infected --remove --recursive /home

Be careful when using the –remove parameter. First, run a broader scan without it, and then more localized scan when removing files or remove them manually.

To perform a complete scan of your cloud server, use this command

sudo clamscan --infected --recursive --exclude-dir="^/sys" /

The scan goes through each directory in your system root recursively, but skips /sys just to avoid unnecessary warning printouts, as the virtual file system consists of some unreadable files, which could not contain viruses anyway.

Rkhunter

Rkhunter is a common option for scanning your system for rootkits and general vulnerabilities. It can be easily installed using the package manager.

sudo apt-get install rkhunter

Once installed and before scanning, you’ll need to update the file properties database.

sudo rkhunter --propupd

This lets the scanner to know the current state of certain files to prevent some false alarms. After the update, simply start the scanner with the following.

sudo rkhunter --checkall

The scanner runs through some system commands, checks for actual rootkits and some malware, network and local host settings, and then gives you the summary as well as recording the findings to a log file.

Afterwards, you can get a condensed look at the scan log with this command.

sudo cat /var/log/rkhunter.log | grep -i warning

Go through the output to get some tips on what you could do to improve your system security.

Chkrootkit

Chkrootkit is another popular rootkit scanner, which runs a lot of useful checks and can direct suspicions towards finding a solution. It can be installed on most distributions with the package manager, on an Ubuntu systems use the following.

sudo apt-get install chkrootkit

Once done, scan your server with this command.

sudo chkrootkit

The scan will check for many types of infections and print out its findings. You can scroll through the output to check for any warnings. Note that on Ubuntu 14.04 using chkrootkit version 0.49 it’s possible to get a false positive warning for Suckit rootkit, use rkhunter to double check.

Chkrootkit doesn’t write report other than outputting to the screen by default, but if you wish to automate the checks or to take a look at the findings later, use tee to redirect the printout to a log file.

sudo chkrootkit | sudo tee /var/log/chkrootkit/chkrootkit.log

You can then check the log for any warnings.

sudo cat /var/log/chkrootkit/chkrootkit.log | grep -i warning

While chkrootkit can be used to help determine if a machine has been compromised, it shouldn’t be taken as the ‘final word’, use it in conjunction with other scanners to diagnose any possible infections.

Maldet

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches, they are also easily exported to any number of detection tools such as ClamAV.

It is a bit of a process to install, but well worth utilizing. To install make sure you are shelled into your server and run the following commands:

sudo mkdir -p /usr/local/src/maldetect-current
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz -P /usr/local/src/
tar -xzf /usr/local/src/maldetect-current.tar.gz -C /usr/local/src/maldetect-current
sudo mv /usr/local/src/maldetect-current/* /usr/local/src/maldetect-current/maldet/
cd /usr/local/src/maldetect-current/maldet/
sudo bash install.sh

Let the install complete then remove the /usr/local/src/maldetect-current directory. Once removed open/create the text file /usr/local/maldetect/monitor_paths and type in the paths you wish to monitor. This will monitor the paths continuously scanning for threats.

To update simply shell into your server and run sudo maldet -u && sudo maldet -d

If you wish to manually scan a path, run the following command and replace THE_PATH with the path you wish to scan sudo maldet -a /THE_PATH, not that you can use wildcards in THE_PATH if you wish.

Kevin Pirnie

20+ Years of PC and server maintenance & over 15+ years of web development/design experience; you can rest assured that I take every measure possible to ensure your computers are running to their peak potentials. I treat them as if they were mine, and I am quite a stickler about keeping my machines up to date and optimized to run as well as they can.