Using ClamAV (clamscan) on a Linux server

ClamAV is an open source antivirus engine that detects trojans, rootkits and other malware. Clamscan is its command-line scanning tool.

It can be installed from the distribution's software repositories. On RedHat/CentOS you first need to enable the EPEL repository.

yum install clamav clamav-update clamav-scanner

The release history is available at http://pkgs.repoforge.org/clamav/

After installation you need to update the signature database:

freshclam

The scanner has a large number of options. You can list them with:

clamscan --help

A scan of the current directory is started with:

clamscan

To scan a specific directory recursively:

clamscan -r /home/

To write a log file as well:

clamscan -r /home/ --log=/var/log/clamscan.log

By default the scanner prints a line for every file it has scanned. It is more convenient to use the -i switch, which reports only infected files.

Infected files can be copied or moved to a directory you specify on the server. For example:

clamscan -i --copy=/var/suspicious -r /home/ --log=/var/log/clamscan.log

or

clamscan -i --move=/var/infected -r /home/ --log=/var/log/clamscan.log

The /var/infected and /var/suspicious directories must already exist; clamscan does not create them.

Clamscan can also be used to check files uploaded via FTP, for example from a scheduled job that scans the upload directory.
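The following script is an added example, not part of the original article: it wraps the recursive scan described above (infected-only output, log file, quarantine via --move) so that it can be run from cron or after an FTP upload, creates the quarantine directory that clamscan will not create itself, and maps the scanner's exit codes (0 = clean, 1 = infected files found, 2 = error) to a log entry. The paths /var/infected and /var/log/clamscan.log are the article's examples; the CLAMSCAN variable is an assumption added so the scanner binary can be substituted when testing the script.

```shell
#!/bin/sh
# Added example wrapper around clamscan (not from the original article).
# Assumes clamscan is installed and on PATH; all paths below are defaults
# that can be overridden from the environment.

QUARANTINE="${QUARANTINE:-/var/infected}"      # where infected files are moved
LOGFILE="${LOGFILE:-/var/log/clamscan.log}"    # clamscan's own log plus our summary line
CLAMSCAN="${CLAMSCAN:-clamscan}"               # scanner binary (assumed; overridable for tests)

# clamscan exit codes: 0 no virus found, 1 virus(es) found, 2 error
# (bad option, unreadable file, missing database, ...).
interpret_exit_code() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected" ;;
        2) echo "error" ;;
        *) echo "unknown" ;;
    esac
}

# Create the quarantine directory if it is missing. clamscan does not create
# the --move/--copy target itself and fails for every infected file otherwise.
ensure_quarantine() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir" || return 1
        chmod 700 "$dir"   # quarantined samples stay readable by the scan user only
    fi
    return 0
}

# Recursively scan one directory, report only infected files, move them to
# quarantine and append to the log. Returns clamscan's exit code unchanged so a
# calling job (cron, FTP post-upload hook) can alert on 1 and 2.
scan_dir() {
    target="$1"
    ensure_quarantine "$QUARANTINE" || return 2
    if $CLAMSCAN -r -i --move="$QUARANTINE" --log="$LOGFILE" "$target"; then
        rc=0
    else
        rc=$?
    fi
    echo "$(date '+%Y-%m-%d %H:%M:%S') scan of $target: $(interpret_exit_code "$rc")" >> "$LOGFILE"
    return "$rc"
}

# Usage: scan.sh /home/ftp/uploads   (with no argument only the functions are defined)
if [ "$#" -gt 0 ]; then
    scan_dir "$1"
fi
```

Run it as the user that owns the upload directory (or root) so that moving files into the quarantine directory succeeds; a non-zero exit status from the script means either infected files were quarantined (1) or the scan itself failed (2), and both should be checked in the log.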