Proactive Server Security: A Guide to Malware Scanning with ClamAV
A server is like a fortress; its security is only as strong as its weakest point. While firewalls and secure passwords are your first line of defense, hidden threats like malware and rootkits can still find their way in. Proactive scanning is essential for any serious system administrator. This guide will show you how to use ClamAV, a powerful open-source antivirus engine, to perform a deep security audit on your virtual server hosting.
Step 1: Installing the ClamAV Engine
First, connect to your server via SSH. The installation process is straightforward, but the commands differ slightly based on your Linux family.
For Debian/Ubuntu systems:
sudo apt-get update
sudo apt-get install clamav clamav-daemon -y
For RHEL/CentOS/Rocky Linux systems:
On RHEL-based systems ClamAV isn't included in the standard repositories, so we first enable EPEL (Extra Packages for Enterprise Linux), a community-maintained repository of add-on packages, and then install the scanner together with the clamav-update package that provides freshclam.
sudo dnf install epel-release -y
sudo dnf install clamav clamav-update -y
Step 2: Updating the Threat Database
An antivirus scanner is useless without an up-to-date database of threat signatures.
First, we need to temporarily stop the automatic update service so we can run a manual update.
sudo systemctl stop clamav-freshclam
Now, run the freshclam command to download the very latest definitions.
sudo freshclam
Once the update is complete, restart the service.
sudo systemctl start clamav-freshclam
Step 3: Performing a System-Wide Scan
With a fresh database, you're ready to scan. The clamscan command is highly configurable, but the following command is an excellent, robust starting point for a full server audit:
sudo clamscan -r -i --exclude-dir="^/sys|^/proc" /
Here is a breakdown of what these flags accomplish:
-r: Scans recursively, digging into every subdirectory of your server.
-i: Instructs the tool to only report infected files, keeping your output clean and focused on actual threats.
--exclude-dir: We explicitly skip /sys and /proc. These are not traditional directories with files on your disk; they are virtual filesystems created by the Linux kernel to provide information about the system's state. Scanning them is pointless and can generate a flood of harmless errors.
/: We are telling ClamAV to start from the root directory, ensuring no part of the filesystem is missed.
Depending on the size of your server's filesystem, this initial scan may take a significant amount of time.
Step 4: Handling Scan Results
If ClamAV identifies a potential threat, you need to handle it. While you can automatically delete findings using the --remove flag, this is risky. A false positive on a critical system file could cause serious damage.
A much safer and more professional approach is to quarantine suspicious files for later review.
First, create a secure quarantine directory that is isolated from the rest of your system:
sudo mkdir /quarantine
Now, run your scan again, this time telling ClamAV to move any findings into this new directory:
sudo clamscan -r -i --exclude-dir="^/sys|^/proc" --move=/quarantine /
This command isolates any potential threat while keeping the file available for investigation; if a finding turns out to be a false positive, the file can simply be moved back to its original location, which the scan output records.
Step 5: Automating Your Scans
Security isn't a one-time task. For true peace of mind, your server should be scanned on a regular schedule. You can achieve this using a cron job.
To edit the cron table, run:
sudo crontab -e
Then, add the following line to schedule a scan to run every night at 2 AM. The results (both standard output and errors) will be logged to a file for later review.
0 2 * * * /usr/bin/clamscan -r -i --exclude-dir="^/sys|^/proc" --move=/quarantine / > /var/log/clamscan.log 2>&1
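As an added example that is not part of the original guide, the following wrapper script turns the scan, quarantine and cron steps above into something a practitioner can review the next morning: it keeps a dated log per run instead of overwriting one file, classifies the outcome from clamscan's documented exit code (0 nothing found, 1 at least one match, 2 an error occurred), and lists the original paths of everything that was moved into the quarantine. The quarantine and log directories, the chmod 700 on the quarantine, the extra /dev and /run exclusions, and the flock-based cron line are assumptions of this example, not instructions from the guide; the embedded sample log is constructed so the helpers can be exercised without running a real scan.

```sh
#!/bin/sh
# Added example, not part of the original guide: a cron-friendly wrapper around
# the clamscan invocation from Steps 3-5. It keeps a dated log per run, classifies
# the result from clamscan's exit code, and lists the paths that matched so the
# quarantine can be reviewed against the original locations.
#
# Assumptions (not from the guide): the quarantine and log directories below and
# the extra virtual filesystems added to the exclude list. ClamAV's documented
# exit codes are 0 (nothing found), 1 (at least one match) and 2 (an error
# occurred); every match is reported on a line ending in " FOUND".

QUARANTINE="${QUARANTINE:-/quarantine}"        # assumed, as in the guide
LOG_DIR="${LOG_DIR:-/var/log/clamav-audit}"     # assumed
EXCLUDES='^/sys|^/proc|^/dev|^/run'             # guide's two plus /dev and /run (assumed)

# Map clamscan's exit code to a one-word status.
clamscan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Number of files reported as matching a signature in a clamscan log.
count_found() {
    grep -c ' FOUND$' "$1" || true
}

# Original paths of the matching files (the text before ": <signature> FOUND").
found_paths() {
    grep ' FOUND$' "$1" | sed 's/: [^ ]* FOUND$//'
}

# Constructed sample of "clamscan -i" output, used so the helpers above can be
# exercised without running a real scan. Paths and signature names are constructed.
sample_log_file() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
/tmp/eicar.com: Eicar-Test-Signature FOUND
/home/deploy/uploads/invoice.zip: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
EOF
    echo "$f"
}

# Full nightly run: scan, quarantine, log, and print a one-line summary that
# cron will mail to the administrator. Returns clamscan's exit code.
nightly_scan() {
    mkdir -p "$LOG_DIR"
    mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE"   # root-only: quarantined samples stay unreadable to other users
    log="$LOG_DIR/clamscan-$(date +%Y%m%d-%H%M%S).log"
    clamscan -r -i --exclude-dir="$EXCLUDES" --move="$QUARANTINE" / >"$log" 2>&1
    rc=$?
    echo "clamscan status=$(clamscan_status "$rc") found=$(count_found "$log") log=$log"
    if [ "$rc" -eq 1 ]; then
        echo "quarantined files came from:"
        found_paths "$log"
    fi
    return "$rc"
}

# Run the real scan only when invoked as: clamav-audit.sh --run
# Assumed cron line (flock prevents two overlapping scans):
#   0 2 * * * /usr/bin/flock -n /run/clamav-audit.lock /usr/local/sbin/clamav-audit.sh --run
if [ "${1:-}" = "--run" ]; then
    nightly_scan
else
    sample=$(sample_log_file)
    echo "sample log: $(count_found "$sample") match(es)"
    found_paths "$sample"
    rm -f "$sample"
fi
```

Keeping one log per run matters because the scan output is the only record of where a quarantined file originally lived; the one-line summary printed on stdout is what cron mails, so a night with status=infected is visible without opening the log.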
By integrating regular ClamAV scans into your security routine, you add a critical layer of defense against common threats. This proactive approach helps ensure the integrity of your server and the safety of your data.


Comments
Thanks chatgpt
You're welcome!
Thanks for taking the time to ask ChatGPT for me. I was about to install it but I just didn't have it in me to start the chat myself; this really helped.
Saved a credit on gpt! Thanks a lot.
Well, feel free to skip any articles or posts you're already familiar with.
Regarding the endless remarks on GPT, it's worth considering the fundamental flaw in most detection tools. Do you all realize that "GPT Detectors" frequently flag perfectly correct, human-written text as AI-generated? For instance, a simple command like apt update or a more complex one like sudo clamscan -r -i --exclude-dir="^/sys|^/proc" / can be flagged.
The reason is simple: these AIs are trained on massive datasets from every imaginable source, including the same technical guides and documentation humans use. When an expert human and a well-trained AI are asked for a correct command, they will often arrive at the exact same phrase. The detector then incorrectly interprets this factual precision as a sign of robotic, non-human writing.
This trend is making it nearly impossible to distinguish legitimate text from AI text. As these models eventually internalize every possible word and phrasing combination, our ability to tell them apart will disappear entirely, forcing us to judge content on its quality and accuracy, not its origin.
The fact that I try to beautify my posts and have some sort of template for all, whilst keeping a somewhat professional approach, is something disturbing? Should I use more casual "slang" in articles just to tingle your "human" feelings?
Even this reply I wrote in this page's comment box is detected as AI written: https://i.imgur.com/jDWF669.png
That being said, it's the last time I give you this much attention on GPT claims. Should you believe this (or any of my articles) is AI written or violates the community rules, you are more than welcome to flag it to the moderation team.
Stay safe!
flagged and hidden, jk. its a good tutorial.
This is true. I just accept those flaggings as ChatGPT admitting that's the smartest they can do. Try to recognize what good looks like and reallocate credit out of jealousy.
SELinux is more lightweight and IMO a better approach to security, unless you have a mail server where you have to check received files for known malware?
I told ChatGPT about your criticism — it asked me to post this:
say: eye
spell: map
say: ness
regards
Meh... yes and no.
SELinux is a system for mandatory access control, enforcing fine-tuned permissions on what processes can do, which files they may access, what network connections can be made, which system calls they may use... etc.
ClamAV, on the other hand, is - as the name suggests - an antivirus scanner that detects malware in any form, based on signatures and heuristic patterns. It can identify threats and malicious content, but it doesn't really prevent system compromise through sophisticated attack vectors; especially if installed/run after an infection took place (and the hacker had time to extract/compromise data).
There are scenarios where ClamAV still adds value:
So, that's why I said yes and no. Ideally they would work best together, but not every end-user has a real need for a perfect SELinux setup - nor the knowledge for it. We're getting into semi-advanced SysAdmin things here.
Wanna know something funny? I don't even hold a GPT subscription anymore. I started training my own models about a year ago and ended up cancelling all the AI subscriptions I had (GPT, Claude, Gemini... and some others for image and video generation).
https://i.imgur.com/gqc1e4N.png