{"id":5816,"date":"2020-05-06T16:35:20","date_gmt":"2020-05-06T13:35:20","guid":{"rendered":"https:\/\/kifarunix.com\/?p=5816"},"modified":"2024-03-14T20:38:37","modified_gmt":"2024-03-14T17:38:37","slug":"install-and-use-clamav-on-ubuntu-20-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-use-clamav-on-ubuntu-20-04\/","title":{"rendered":"Install and use ClamAV on Ubuntu 20.04"},"content":{"rendered":"\n<p>In this tutorial, we are going to learn how to install and use ClamAV on Ubuntu 20.04. <a rel=\"noreferrer noopener\" href=\"https:\/\/www.clamav.net\/\" target=\"_blank\">ClamAV<\/a> is an open source antivirus engine for detecting trojans, viruses, malware, adware, rootkits and other malicious threats.<\/p>\n\n\n\n<p>Some of the features of ClamAV include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>built-in support for various archive formats, including Zip, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others.<\/li>\n\n\n\n<li>built-in support for almost all mail file formats<\/li>\n\n\n\n<li>built-in support for ELF executables and Portable Executable files compressed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others;<\/li>\n\n\n\n<li>built-in support for popular document formats including Microsoft Office and Mac Office files, HTML, RTF and PDF.<\/li>\n\n\n\n<li>support for multiple signature languages such as hash-based signature matching, wildcards, boolean logic and any custom rules written in Bytecode language.<\/li>\n<\/ul>\n\n\n\n<p>ClamAV includes a multi-threaded scanner daemon, command line utilities for on-demand file scanning and automatic signature updates. 
One of its main uses is on mail servers as a server-side email virus scanner.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Installing ClamAV on Ubuntu 20.04<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Update System Package Cache<\/h3>\n\n\n\n<p>To begin with, update the system package cache.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt update<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Install ClamAV on Ubuntu 20.04<\/h3>\n\n\n\n<p>The default Ubuntu 20.04 repositories contain the latest stable release version of ClamAV. You can simply install it and its utilities by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install clamav clamav-daemon -y<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Update the ClamAV Signature Database<\/h3>\n\n\n\n<p>For scanning to work, you need an updated virus database. There are two options for updating the ClamAV database:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code><strong>clamav-freshclam<\/strong><\/code>: updates the database from the Internet. 
This is recommended with Internet access.<\/li>\n\n\n\n<li><code><strong>Offline update<\/strong><\/code> for systems with no direct internet access.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Update Signature Database with <code>clamav-freshclam<\/code><\/h4>\n\n\n\n<p>If you have internet access, you can use <strong><code>clamav-freshclam<\/code><\/strong> to update the ClamAV virus signature database.<\/p>\n\n\n\n<p>To use this method, stop the <code>clamav-freshclam<\/code> service (if it is running) and execute <code>freshclam<\/code>, the virus database update tool.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl stop clamav-freshclam<\/code><\/pre>\n\n\n\n<p>Then update the virus database;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>freshclam<\/code><\/pre>\n\n\n\n<p>If the database is up-to-date, you might get an output similar to the one below (otherwise, the command will pull database updates).<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nWed May  6 05:58:42 2020 -&gt; ClamAV update process started at Wed May  6 05:58:42 2020\nWed May  6 05:58:42 2020 -&gt; daily.cvd database is up to date (version: 25803, sigs: 2358438, f-level: 63, builder: raynman)\nWed May  6 05:58:42 2020 -&gt; main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)\nWed May  6 05:58:42 2020 -&gt; bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)\n<\/code><\/pre>\n\n\n\n<p>Next, start the <code>clamav-freshclam<\/code> service so it keeps updating the signature database in the background.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl start clamav-freshclam<\/code><\/pre>\n\n\n\n<p>Ensure the service is enabled to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable clamav-freshclam<\/code><\/pre>\n\n\n\n<p><code><strong>freshclam<\/strong><\/code> downloads the ClamAV databases (CVDs) and places them 
under <code>\/var\/lib\/clamav\/<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls \/var\/lib\/clamav\/<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>bytecode.cvd daily.cvd main.cvd<\/code><\/pre>\n\n\n\n<p>Restart the ClamAV userspace daemon as well;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart clamav-daemon<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Offline Database Update<\/h4>\n\n\n\n<p>If your system does not have internet access, consider updating the database via a private local mirror; see the <a href=\"https:\/\/www.clamav.net\/documents\/private-local-mirrors\" target=\"_blank\" rel=\"noreferrer noopener\">documentation page<\/a> for how to set one up.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Clamscan CLI Options and Example Usage<\/h3>\n\n\n\n<p>Clamscan is used to scan files and directories for viruses. From the man pages, the clamscan command syntax is:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>clamscan [options] [file\/directory\/-]<\/code><\/pre>\n\n\n\n<p>Some of the clamscan command options and their example usage are illustrated below;<\/p>\n\n\n\n<p>Print help information using <code>-h<\/code> or <code>--help<\/code> option.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>clamscan -h<\/code><\/pre>\n\n\n\n<p class=\"has-very-dark-gray-color has-text-color\"><strong>Note:<\/strong> Options marked with [=yes\/no(*)] can be optionally followed by&nbsp;<strong>=yes&nbsp;<\/strong>or&nbsp;<strong>=no.&nbsp;<\/strong>If they get called without the boolean argument the scanner will assume \u2018yes\u2019. 
The asterisk marks the default internal setting for a given option.<\/p>\n\n\n\n<p>Scan specific directory or file;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>clamscan \/home\/<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>clamscan \/home\/filename.docx<\/code><\/pre>\n\n\n\n<p>Do not display summary at the end of scanning.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>clamscan --no-summary \/home\/<\/code><\/pre>\n\n\n\n<p>Print infected files only (<strong><code>-i<\/code><\/strong>, <code><strong>--infected<\/strong><\/code>);<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>clamscan -i \/<\/code><\/pre>\n\n\n\n<p>Skip printing OK files (<strong><code>-o<\/code>, <code>--suppress-ok-results<\/code><\/strong>);<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>clamscan <strong>-o<\/strong> \/home\/<\/code><\/pre>\n\n\n\n<p>Sound a bell on virus detection (<strong><code>--bell<\/code><\/strong>);<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>clamscan <strong>--bell<\/strong> -i \/home<\/code><\/pre>\n\n\n\n<p>Scan directories recursively <em>(<code>-r<\/code><\/em>, <em><code>--recursive<\/code><\/em>).<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>clamscan --bell -i <strong>-r<\/strong> \/home<\/code><\/pre>\n\n\n\n<p>Save scan report to FILE (<em><strong><code>-l FILE<\/code>, <code>--log=FILE<\/code><\/strong><\/em>);<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>clamscan --bell -i <strong>-r<\/strong> \/home <strong>-l home-scan.txt<\/strong><\/code><\/pre>\n\n\n\n<p>Scan files listed line by line in FILE (<strong><code>-f FILE<\/code>,<code> --file-list=FILE<\/code><\/strong>).<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>clamscan -i <strong>-f \/tmp\/scan<\/strong><\/code><\/pre>\n\n\n\n<p>Remove infected files (<code><strong>--remove[=yes\/no(*)]<\/strong><\/code>). 
Be careful as this removes the file completely.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>clamscan -r --remove \/home\/USER<\/code><\/pre>\n\n\n\n<p>Move infected files into DIRECTORY (<code>--move=DIRECTORY<\/code>). Directory must be writable for the user or unprivileged user running clamscan.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>clamscan -r -i --move=\/home\/USER\/infected \/home\/<\/code><\/pre>\n\n\n\n<p>Copy infected files into DIRECTORY (<code>--copy=DIRECTORY<\/code>). Directory must be writable for the user or unprivileged user running clamscan.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>clamscan -r -i --copy=\/home\/USER\/infected \/home\/<\/code><\/pre>\n\n\n\n<p>There is quite a long list of options for various usage of clamscan. Consult <code>man clamscan<\/code> for more details.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">ClamAV Return Codes<\/h3>\n\n\n\n<p>The following are the exit return codes for ClamAV.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>0 : No virus found.<\/li>\n\n\n\n<li>1 : Virus(es) found.<\/li>\n\n\n\n<li>2 : Some error(s) occurred.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Limiting Clamscan CPU Usage<\/h3>\n\n\n\n<p><code>clamscan<\/code> can be CPU intensive, especially if it is scanning a large directory.<\/p>\n\n\n\n<p>To limit the clamscan CPU time to certain levels, you can use two tools;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>nice<\/code><\/strong>: lowers the priority of clamscan (limits relative cpu time).<\/li>\n\n\n\n<li><strong><code>cpulimit<\/code><\/strong>: limits absolute cpu time.<\/li>\n<\/ul>\n\n\n\n<p>To use the nice command:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nice -n 15 clamscan -ir \/<\/code><\/pre>\n\n\n\n<p>As long as no other process requires cputime, clamscan will maximize it. 
But as soon as another process with a higher priority needs cputime, clamscan will lose it.<\/p>\n\n\n\n<p>Using cpulimit;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cpulimit -z -e clamscan -l 15 &amp; clamscan -ir \/<\/code><\/pre>\n\n\n\n<p>This limits clamscan cpu time to 15% when scanning the entire root directory.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Further Reading<\/h3>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/www.clamav.net\/documents\/clam-antivirus-user-manual\" target=\"_blank\">ClamAV User Manual<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Related Tutorials<\/h3>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/install-wpscan-on-ubuntu-20-04\/\" target=\"_blank\">Install WPScan on Ubuntu 20.04<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/install-nessus-professional-scanner-on-debian-10\/\" target=\"_blank\">Install Nessus Professional Scanner on Debian 10<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-install-and-use-clamav-antivirus-on-ubuntu-18-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to Install and Use ClamAV Antivirus on Ubuntu 18.04<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, we are going to learn how to install and use ClamAV on Ubuntu 20.04. 
ClamAV is an open source antivirus engine for<\/p>\n","protected":false},"author":3,"featured_media":11896,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,168,34,150],"tags":[169,1579,1577,1578,1575,1576,1200],"class_list":["post-5816","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-antivirus","category-security","category-vulnerability-scanners","tag-clamav","tag-clamav-cvds","tag-clamscan","tag-freshclam","tag-install-clamav-on-ubuntu-20-04","tag-setup-clamav-ubuntu-20-04","tag-ubuntu-20-04","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5816"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=5816"}],"version-history":[{"count":7,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5816\/revisions"}],"predecessor-version":[{"id":21396,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5816\/revisions\/21396"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/11896"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=5816"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=5816"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=5816"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}