In this tutorial, we’ll be explaining how to install ClamAV on your Debian 9 VPS, as well as how to use it to check for and remove any malware or security vulnerabilities.
Clam AntiVirus (ClamAV) is an open-source anti-virus framework used by millions of people and companies all around the world, providing free malware protection by default for everyone. It is especially effective on email servers, as it works on just about all possible MTAs (postfix, exim, etc). It is easy to set up, customizable and has a reliable method of virus definition updates.
ClamAV is written in C/C++ and is currently maintained by Cisco Systems. It is licensed under GNU General Public License and at the time of writing this article, the latest stable version is currently 0.101.2. Let’s get started with the installation.
First, let’s go over some of the most important features provided by ClamAV:
- Powerful command-line based scanner
- On-Access Scanning capabilities
- Configurable background scanning behavior
- Provides milter interface for Sendmail service
- A robust, consistent, and reliable method of updating the virus definition database
- Ability to scan various archive file-formats including Zip, Rar, Tar, Gzip, Bzip, and others
- Ability to scan different mail file formats
Table of Contents
Step 1: Checking for Updates and Dependencies
To begin with, log in to your Linux server via SSH using your preferred terminal:
ssh [username]@[server public IP address]
[username] variable with the account name of a root-privileged user found on the server (or the root user itself), and replace
[server public IP address] variable with the IP address of your server.
If your server does not use the default port number, you can add
-p [port number] to the end of your command, and replace [port number] with your VPS’s port number. It is recommended to use the root account for this.
After logging in, it is best to update Debian with the latest packages available for bug fixes and improvements.
apt-get -y update apt-get -y upgrade
It is also best to install basic Debian libraries and dependencies to avoid any missing library issues during the installation.
apt-get install software-properties-common build-essential curl -y
Step 2: Installing ClamAV
Installing the main package of ClamAV is very easy. To proceed, supply the following command:
apt-get install clamav clamav-daemon
The clamAV package is the command-line based virus scanner, while the clamAV-daemon package is the on-access scanner, which runs in the background.
After installation, an update of the virus definition database will automatically start. Basically, a freshclam command has been activated. You can watch the logs using:
tail -f /var/log/clamav/freshclam.log
You should be able to see the following message as the update is in progress:
Fri Aug 2 21:22:05 2019 -> -------------------------------------- Fri Aug 2 21:22:05 2019 -> freshclam daemon 0.100.3 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64) Fri Aug 2 21:22:05 2019 -> ClamAV update process started at Fri Aug 2 21:22:05 2019 Fri Aug 2 21:22:05 2019 -> WARNING: Your ClamAV installation is OUTDATED! Fri Aug 2 21:22:05 2019 -> WARNING: Local version: 0.100.3 Recommended version: 0.101.2 Fri Aug 2 21:22:05 2019 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav Fri Aug 2 21:22:07 2019 -> Downloading main.cvd [100%] Fri Aug 2 21:22:20 2019 -> main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr) Can't query main.188.8.131.52.6810DB54.ping.clamav.net Fri Aug 2 21:22:58 2019 -> Downloading daily.cvd [100%] Fri Aug 2 21:23:27 2019 -> daily.cvd updated (version: 25529, sigs: 1694663, f-level: 63, builder: raynman) Can't query daily.255184.108.40.206.6810DB54.ping.clamav.net Fri Aug 2 21:24:04 2019 -> Downloading bytecode.cvd [100%] Fri Aug 2 21:24:05 2019 -> bytecode.cvd updated (version: 330, sigs: 94, f-level: 63, builder: neo) Can't query bytecode.3220.127.116.11.6810DB54.ping.clamav.net Fri Aug 2 21:24:45 2019 -> Database updated (6261006 signatures) from db.local.clamav.net (IP: 18.104.22.168)
The last line indicates that we are now using the latest virus definition database of ClamAV. The database files are saved in:
/var/lib/clamav/daily.cvd (daily update file for ClamAV virus databases)
/var/lib/clamav/main.cvd (main ClamAV virus database file)
/var/lib/clamav/bytecode.cvd (signatures to detect bytecode in files)
Verify that the main ClamAV-freshclam service is running to make sure the virus definition database is always up-to-date:
systemctl status clamav-freshclam
Almost the same output should appear:
● clamav-freshclam.service - ClamAV virus database updater Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor Active: active (running) since Fri 2019-08-02 21:22:05 EDT; 44min ago
Finally, run the main ClamAV on-access scanner service and verify its status.
systemctl start clamav-daemon systemctl status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor pr Drop-In: /etc/systemd/system/clamav-daemon.service.d └─extend.conf Active: active (running) since Fri 2019-08-02 22:09:56 EDT; 18min ago
Step 3: Configuring ClamAV
By default, ClamAV’s configuration is already optimized for general use. If you want to adjust some settings for the on-access scanner service, you can check the file:
Do not forget to restart the service after saving the modified file:
systemctl restart clamav-daemon
To test and verify our ClamAV installation, we can try to scan the EICAR test file (a harmless signature with no virus code). To start the sample scan, supply the following command:
curl https://www.eicar.org/download/eicar.com.txt | clamscan -
The scan time will take some time and this is a normal behavior of ClamAV as it will need to read a number of signatures. The output should show:
stdin: Eicar-Test-Signature FOUND ----------- SCAN SUMMARY ----------- Known viruses: 6251170 Engine version: 0.100.3 Scanned directories: 0 Scanned files: 1 Infected files: 1 Data scanned: 0.00 MB Data read: 0.00 MB (ratio 0.00:1) Time: 49.993 sec (0 m 49 s
Once it is detected, we can now confirm that our ClamAV installation is working.
Starting a scan with ClamAV
There are many scan options available for a one-time scan which is handled by clamscan. To remove the infected file automatically, add to the option
--remove. To move the file to a quarantine folder, use the
--move=/dir option. ClamAV also supports logging of the scan which you can enable by using the
-l /path/to/file option.
To scan a file:
To scan a directory:
clamscan --recursive --infected /mydir
To scan larger files (ClamAV will not scan files larger than 20MB by default):
clamscan --max-filesize=2000M --max-scansize=2000M --recursive=yes --infected /mydir
To learn more about the available options, check out ClamAV’s official OneTime scanning documentation.
That’s it! – you now have an active anti-virus in the background and an on-demand scanner for your Debian 9 server.
Of course, you don’t have to install ClamAV on Debian 9 if you have a managed Debian VPS hosting plan with us. You can simply ask our support team to help out, after which they will install, set up, and do an initial scan for you, as well as perform other threat preventions if needed. They are available 24/7 and will be able to help you with anything that you might need.
PS. If you enjoyed reading this blog post on how to install and scan vulnerabilities with ClamAV on Debian 9, feel free to share it on social networks using the shortcuts below, or simply leave a comment in the comments section. Thanks.