Linux Antivirus and Antimalware Solutions

September 9, 2020 | By greg | Filed in: Linux, Security, Technology.

I have always argued that the best antivirus, antimalware, anti-whatever is common sense.  Prior to Windows 10 and the built-in Windows Defender, I tended to avoid most antivirus products, mainly because they were system resource hogs, and if I was downloading torrents or visiting sketchy sites, I would use Linux in a VM to ensure there would be no problems.  These days, there are many different types of sophisticated malware and ransomware, both susceptible to being downloaded and executed accidentally or installed by an attacker gaining remote access to your system.  That is why I now run some sort of protection on all machines I use, in addition to other hardening measures.  This guide will cover the options for antivirus/antimalware on Linux systems and how to use them.

The following utilities will be covered in this guide:

  1. ClamAV
  2. chkrootkit
  3. rkhunter
  4. Sophos
  5. Firejail / Firetools

Note that there is a lot more to all of these programs/scripts than what I have listed here.  While I am showing you how to get them up and running with a basic scan, I highly advise reading the documentation and familiarizing yourself with the capabilities of each.  Each tool's section header on the original page is a link to that tool's website; start there for the docs.  Most of these can be installed from your package manager.

ClamAV is probably the best known antivirus for Linux based systems.  It is open source, its signature database is updated continually by contributors around the world, it detects Windows and Mac malware as well as Linux malware, and it is used to scan mail servers, web servers, file servers, and even endpoints.

ClamAV is a command line based scanner, and for the most control and use of its advanced features, users should learn to use it that way.  For beginners looking to pick up the basics, ClamTk is a GUI that can be installed to provide basic scanning functionality and updates.
Upon installing, update the signatures:
sudo freshclam
On Debian/Ubuntu the clamav-freshclam service already does this in the background; running freshclam by hand while that service is active fails with a log-file lock error, so either stop the service first or simply let it keep the signatures current.  Then run a scan with the following command:
clamscan -r -i {directory}
This will run a recursive scan (-r) and only print infected files (-i).  clamscan exits 0 when nothing was found, 1 when something was found, and 2 on error, which is what a cron job or monitoring script should key on rather than the text output.  If not using ClamTk, scheduling scans will need to be performed via cron job.
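The cron-job wrapper below is an added example, not code from the original post or from the ClamAV project.  It turns the exit codes and the "path: signature FOUND" lines described above into something a scheduled job can act on, and it assumes clamscan is installed with a current signature database; the sample log it carries is constructed from EICAR test-file detections, not real malware.

```sh
#!/bin/sh
# Added example, not from the original post or the ClamAV project: a small
# wrapper around clamscan for a cron job. It keeps clamscan's documented exit
# codes (0 = clean, 1 = something found, 2 = error) and pulls the flagged
# paths out of the log so they can be mailed or shipped to a SIEM.
# Assumed: clamscan is installed and the signature database is current.

# Map a clamscan exit status to a one-word verdict.
clam_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Read clamscan output on stdin and print only the flagged paths, one per line.
# clamscan reports each detection as "<path>: <signature> FOUND".
clam_infected_paths() {
    grep ' FOUND$' | sed 's/: [^:]* FOUND$//'
}

# Recursively scan $1, writing clamscan's own log to $2, and return the exit
# status of clamscan. /proc, /sys and /dev are excluded: scanning them is slow
# and produces spurious errors.
clam_scan_dir() {
    dir=$1
    log=$2
    if clamscan -r -i --exclude-dir='^/proc' --exclude-dir='^/sys' \
            --exclude-dir='^/dev' --log="$log" "$dir" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    echo "clamscan of $dir: $(clam_verdict "$status")"
    if [ "$status" -eq 1 ]; then
        echo "flagged files:"
        clam_infected_paths < "$log"
    fi
    return "$status"
}

# Constructed sample of "clamscan -r -i" output (EICAR test files, not real
# malware) so the parser can be exercised without running a scan.
SAMPLE_LOG='/home/greg/Downloads/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/home/greg/Downloads/drop.sh: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 2'

# Invoked from cron as, for example:
#   0 3 * * * /usr/local/sbin/clamcron.sh /home /var/log/clamav/daily.log
if [ "$#" -ge 2 ]; then
    clam_scan_dir "$1" "$2"
fi
```

Because the wrapper returns clamscan's own status, cron's MAILTO (or whatever job runner you use) can alert on a non-zero exit, and a status of 2 is distinguishable from an actual detection instead of being silently treated as "clean".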

chkrootkit, aka “Check Rootkit”, is a common and well known shell script that searches for known rootkits on *nix systems.  It does this by checking for known signatures in system binaries as well as comparing the process list visible in /proc with the output of ps via the chkproc helper, which is how it spots hidden processes.

chkrootkit is pretty basic in its usage.  It is a shell script plus a collection of small C programs that are all run when performing the full scan.  It needs root to inspect everything, so run it with sudo.

To run a scan, simply open a shell and run:

sudo chkrootkit

You can get more information from your scan by running in expert mode, which prints the raw output of each test instead of a one-line verdict:

sudo chkrootkit -x | more

One caveat: chkrootkit relies on the system's own ps, ls, netstat and similar binaries, so a rootkit that has replaced those can hide from it.  Use the -p option to point it at known-good copies of those commands (for example from read-only media or a trusted mount) when you suspect a compromise.

rkhunter is another tool similar to chkrootkit that will check hidden files, permissions, and the kernel for rootkits, worms, and other backdoors or malicious files.  rkhunter is much more complex than chkrootkit and can be a bit challenging to set up for some, but I feel it is a much better tool and would definitely use both of these.  Install it via your package manager or wget the tarball from Sourceforge, then follow the steps below.

After installing rkhunter, run the file properties database update to create the initial database, then use the --update option to fetch rkhunter's own data-file updates.  Run --propupd only on a system you believe is clean, because whatever state the files are in at that moment becomes the trusted baseline; rerun it after legitimate package upgrades, otherwise the changed binaries show up as warnings.  Note that some distributions ship a config that disables the updater (Debian/Ubuntu set WEB_CMD="/bin/false" in rkhunter.conf), so --update reports an error until you change that:

sudo rkhunter --propupd

sudo rkhunter --update

Now you can run your initial scan:

sudo rkhunter -c --enable all --disable none

By default, a log of the last system check will be placed at /var/log/rkhunter.log

You will need to review the log for any false positives that were flagged for your particular distribution.  These false positives can be ignored by editing the configuration file /etc/rkhunter.conf.

Whitelist a script that rkhunter flags as a binary-turned-script with the SCRIPTWHITELIST directive, using an absolute path: SCRIPTWHITELIST=/path/to/script (on Debian-based systems /usr/bin/egrep is a typical one, since it is a shell wrapper around grep).  Other warning types have their own directives, such as ALLOWHIDDENDIR and ALLOWHIDDENFILE for hidden files that legitimately exist; only whitelist something after you have confirmed it is what your distribution installed.

You will need to add an entry for each script.  You can then check the configuration with the -C option.  Note the capital “C”, not the lowercase -c that is used to initiate a scan.  If all is well, you can create a cronjob to run scans in the future (rkhunter --cronjob implies -c, --sk and --nocolors, so it never waits for a keypress) or manually initiate them with only warnings showing in the console using the --rwo option:

sudo rkhunter -c --enable all --disable none --rwo

I have Sophos listed towards the end of the list simply because it is a closed source program and it isn’t as easy to use as ClamAV.  Aside from that, it is an excellent scanner with real-time detection, making it one of the most powerful tools on the list.  It is also very quick at scanning, using much less system resources than ClamAV.

The two main features of Sophos making it appealing are its heuristic scanning and its real-time (on-access) protection, which covers Linux, Mac, and Windows malware.  On-access scanning blocks malicious files as they are written or opened, so a file that lands on a Linux file server cannot be picked up later by a Windows client on the network.  Although the signature set is closed, Sophos keeps it updated.

One last point to make on using this software is that there is no GUI.  Sophos is solely command line based, as the limited web-based GUI was removed a few years ago.  The heuristics help make up for that, giving it a chance at catching malware that has no signature yet, although no heuristic engine stops everything.

Sophos’ free Linux edition has been discontinued for some reason, but is still functional and updated regularly.  You will need to obtain the tarball from online somewhere, as it seems the only change has been removing it from the site.  A search for filename of sav-linux-free-9.9.tgz produced results for me.  Because the installer runs as root, treat an archive from a third-party mirror with caution and verify it against a checksum you trust before running it.  Extract the folder inside to somewhere such as /tmp, then run the install.sh script as root.  Make sure to select the free version, and install it in the default location (/opt).

As Sophos performs real-time protection, you can check it’s status via savdstatus:

/opt/sophos-av/bin/savdstatus

On-demand scans are performed with the savscan command:

savscan {directory}

Enable/Disable on-access scanning:

/opt/sophos-av/bin/savdctl enable

/opt/sophos-av/bin/savdctl disable

Firejail is unlike any of the other tools on this list, but I did include it because it can be very useful both in protecting your system and analyzing files that are suspect.  Firetools is a GUI frontend for Firejail, an open-source sandboxing application that uses Linux namespaces and seccomp-bpf.  When starting a program via Firejail, such as Firefox, the program sees a restricted view of the filesystem: with the Firefox profile, access to your home directory is limited to ~/Downloads and ~/.mozilla.

To use Firejail, you would typically just run firejail {program name}, or use the firecfg tool to sandbox every installed application for which Firejail ships a profile (over 800 now).  firecfg accomplishes this by creating symbolic links in /usr/local/bin pointing to /usr/bin/firejail, so launching an application by name runs it through the sandbox.

You can view active sandboxes with firejail --list.

Aside from installing Firejail, Firetools, and any dependencies, you won’t spend much time using the command line with this one.  According to the developers, this app is mainly targeted at home users and Linux beginners, and that statement is backed up by its simplicity of use.

Check your package manager for this one or git clone and compile from source.
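For the "analyzing files that are suspect" use case mentioned above, here is an added example of how I would wrap Firejail by hand rather than relying on an application profile.  It is not code from the original post or from the Firejail project: it copies the suspect file into a throwaway directory, then opens that copy with a viewer of your choice inside a sandbox with no network, a private home, no capabilities and the default seccomp filter.  It assumes firejail is installed; the viewer name and the file path in the comments are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post or the Firejail project: stage a
# suspect file into a throwaway directory and open it with a viewer inside a
# Firejail sandbox that has no network, a private home containing only the
# copy, no capabilities and Firejail's default seccomp filter. Assumed:
# firejail is installed; the viewer (evince, xdg-open, strings, ...) is
# whatever you pass as the second argument.

# Copy $1 into a fresh user-only (0700) directory and print that directory.
# The original file is never touched; everything below works on the copy.
stage_suspect() {
    src=$1
    work=$(mktemp -d "${TMPDIR:-/tmp}/suspect.XXXXXX") || return 1
    chmod 0700 "$work"
    cp -- "$src" "$work/" || return 1
    echo "$work"
}

# Open the staged copy with the given viewer inside the sandbox.
# Usage: sandbox_open /path/to/suspect.pdf evince
sandbox_open() {
    file=$1
    shift
    work=$(stage_suspect "$file") || return 1
    if ! command -v firejail >/dev/null 2>&1; then
        echo "firejail not installed; staged copy left in $work" >&2
        return 2
    fi
    # --net=none        : new network namespace with only loopback, so the
    #                     sample cannot phone home
    # --private=DIR     : DIR is mounted as $HOME; the real home is invisible
    # --private-tmp/dev : empty /tmp and a minimal /dev
    # --caps.drop=all   : no Linux capabilities inside the sandbox
    # --nonewprivs      : setuid/setgid binaries cannot raise privileges
    # --seccomp         : Firejail's default syscall filter
    # Inside the sandbox the copy lives at $HOME/<name> because of --private.
    firejail --net=none --private="$work" --private-tmp --private-dev \
        --caps.drop=all --nonewprivs --seccomp \
        "$@" "$HOME/$(basename -- "$file")"
}

# Example invocation (hypothetical file and viewer):
#   sandbox_open ~/Downloads/invoice.pdf evince
```

Working on a copy in a 0700 directory means the sandboxed viewer can scribble on the sample all it likes without touching the original, and with --net=none even a document exploit that runs code has nowhere to report back to.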

That wraps up my list of antivirus tools for Linux.  I personally use all of these in some form or another, and I would be willing to bet most e-mail sent across the internet crosses a server running ClamAV at some point or another.  Traditionally, this type of stuff wasn’t much of a concern on Linux, as Windows and Mac had the overwhelming majority of user share and attackers were neither state-backed nor as sophisticated as they are now.  Use these tools, use them often, and make sure your servers and endpoints are hardened from the start.  If using a VPS or remote server, always configure SSH immediately: create keys for authentication, and ditch the passwords.  I am currently writing a post on how to do just that, so stay tuned.

