
Anti-Virus Protection and Rootkit detection with ClamAV and rkhunter

On Debian and Ubuntu, ClamAV is installed with the apt package manager; on CentOS, use yum. The commands in this guide are written for apt and can be adapted for yum on CentOS. Two packages are needed: clamav, which provides the command-line scanner (clamscan) and the freshclam updater, and clamav-daemon, which provides the clamd scanning daemon.

Run the following command to install the ClamAV tools:

sudo apt install clamav clamav-daemon

After installation, check which version of ClamAV was installed:

clamscan --version

[Screenshot: checking the ClamAV version from the Linux terminal]

Make sure the ClamAV services are running before you scan. The first one to check is clamav-freshclam, the service that keeps the signature database up to date. A scan against a stale database is of limited value, so keep the database current.

On Debian and Ubuntu the freshclam service already checks for new signatures on its own several times a day. To force an immediate update you must stop the service first: while the daemon is running it holds a lock on the freshclam log file and database directory, and a manual freshclam run fails with an error saying the log is locked by another process.

  1. sudo systemctl stop clamav-freshclam
    
  2. You can now update the signature database by running the freshclam command:

    sudo freshclam
    
  3. Once the signature database has been updated, start the freshclam service again so that automatic updates resume:

    sudo systemctl start clamav-freshclam

Scanning with ClamAV

Scanning with ClamAV is simple and can be invoked by running the clamscan command in the terminal. You can get started by scanning a particular directory.

  1. For example, to scan the /etc/ directory for infected files, run the following command:

    sudo clamscan -i -r --remove /etc
    
    • -i (--infected): print only infected files
    • -r (--recursive): recurse into all subdirectories of the directory
    • --remove: delete infected files

    Use --remove with care. ClamAV signatures do produce false positives, and a deleted file cannot be restored. For a first pass, leave --remove off and review the report; if you want automatic action, --move=DIR quarantines the flagged files in DIR instead, so a false positive can be put back.

    To learn more about the options you can use with clamscan, check the manual (man clamscan).

  2. To scan the entire system, run the following command (the same caution about --remove applies; a full scan also walks kernel pseudo-filesystems such as /proc, /sys and /dev unless you exclude them with --exclude-dir, which costs time and produces read errors for no gain):

    sudo clamscan -i -r --remove /
    
  3. After the scan is completed, a summary is displayed.

    ----------- SCAN SUMMARY -----------
    Known viruses: 8930484
    Engine version: 0.102.4
    Scanned directories: 150
    Scanned files: 439
    Infected files: 0
    Data scanned: 2.15 MB
    Data read: 0.93 MB (ratio 2.32:1)
    Time: 100.447 sec (1 m 40 s)
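A safer form of the scans above, as an added example that is not part of the original tutorial. It quarantines with --move instead of deleting, skips the kernel pseudo-filesystems, writes a log, and turns clamscan's documented exit status (0 nothing found, 1 infected files found, 2 an error occurred) into a word that a cron job or alert can act on. The QUARANTINE and SCAN_LOG locations are assumptions; change them for your host.

```bash
#!/bin/bash
# Added example (not from the original tutorial): a clamscan wrapper that
# reports before it deletes. Positives are moved to a quarantine directory,
# pseudo-filesystems are skipped, a log is kept, and clamscan's exit status
# is interpreted: 0 = nothing found, 1 = infected file(s), 2 = error.
# QUARANTINE and SCAN_LOG are assumed locations; adjust them for your host.

QUARANTINE="${QUARANTINE:-/var/lib/clamav/quarantine}"
SCAN_LOG="${SCAN_LOG:-/var/log/clamav/manual-scan.log}"

# Turn clamscan's exit status into a word for logs and alerting.
classify_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Pull the "Infected files" count out of a clamscan summary read from stdin.
# Prints -1 if the summary line is missing (e.g. the scan aborted early).
infected_count() {
    awk -F': ' '/^ *Infected files:/ { print $2; found = 1 }
                END { if (!found) print -1 }'
}

# Scan one path. --move quarantines instead of deleting so a false positive
# can be restored. /proc, /sys, /dev and /run are not files on disk and only
# slow the scan down or cause read errors; the quarantine directory itself is
# excluded so already-moved files are not reported a second time.
scan_path() {
    local target="$1"
    sudo mkdir -p "$QUARANTINE"
    sudo clamscan -r -i \
        --exclude-dir='^/proc' --exclude-dir='^/sys' \
        --exclude-dir='^/dev'  --exclude-dir='^/run' \
        --exclude-dir="^${QUARANTINE}" \
        --move="$QUARANTINE" \
        --log="$SCAN_LOG" \
        "$target"
    local rc=$?
    echo "scan of $target finished: $(classify_exit "$rc") (exit $rc)"
    return "$rc"
}

# Only scan when a target path is given and clamscan is actually installed.
if [ -n "${1:-}" ] && command -v clamscan >/dev/null 2>&1; then
    scan_path "$1"
fi
```

Run it as `sudo ./scan.sh /home` (or `/`) and check the log afterwards; a non-zero exit of 1 means something was quarantined and needs a look, while 2 means the scan itself had a problem and should not be treated as a clean result.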
[Screenshot: clamscan --help output in the Linux terminal]

RKHunter tool:

rkhunter (Rootkit Hunter) is a Unix shell script that checks a host for rootkits, backdoors and possible local exploits. It compares hashes of important system files against known-good values, looks for the default directories and files that known rootkits drop, checks for wrong permissions and hidden files, searches kernel modules for suspicious strings, and runs tests specific to Linux and FreeBSD. Most Linux distributions ship it as a package. Two points matter in practice: rkhunter keeps a local database of file properties that you must record with --propupd while the host is known to be clean, and refresh after package upgrades, or every updated binary is reported as changed; and its own data files are refreshed with --update. After installing it, run a full check with:

sudo rkhunter --check

[Screenshot: hunting for rootkits with rkhunter from the Linux terminal]
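The rkhunter workflow above as a script, added here as an example and not part of the original tutorial: install, refresh the data files, record the known-good baseline, run the check non-interactively, and pull the warnings out of its output. RKHUNTER_LOG is the Debian default log path (an assumption; check /etc/rkhunter.conf on your host), and the sample log lines are constructed, not captured from a real run.

```bash
#!/bin/bash
# Added example (not from the original tutorial): set up rkhunter so that its
# file-properties checks mean something, run it without prompts, and summarise
# the warnings. RKHUNTER_LOG is the Debian default (assumed); the sample log
# below is constructed for illustration, not captured from a real host.

RKHUNTER_LOG="${RKHUNTER_LOG:-/var/log/rkhunter.log}"

# Print the text of every "Warning:" line from rkhunter output or its log file.
# Log lines carry a leading "[HH:MM:SS] " timestamp; screen output does not.
extract_warnings() {
    sed -n 's/^\(\[[0-9:]*\] *\)\{0,1\}Warning: //p'
}

# Number of warnings in the input; prints 0 when there are none.
count_warnings() {
    extract_warnings | grep -c . || true
}

# Install, refresh rkhunter's own data files, record the baseline and check.
# Record the baseline (--propupd) only on a host you trust to be clean, and
# redo it after package upgrades, or every upgraded binary is reported as
# "file properties have changed".
rkhunter_baseline_and_check() {
    sudo apt install -y rkhunter
    # On Debian/Ubuntu the packaged rkhunter.conf may disable web updates via
    # WEB_CMD; if --update fails, fix that setting before relying on it.
    sudo rkhunter --update || echo "rkhunter --update failed; check WEB_CMD in /etc/rkhunter.conf" >&2
    sudo rkhunter --propupd
    # --sk: skip the keypress prompts; --rwo: report warnings only.
    sudo rkhunter --check --sk --rwo
}

# Constructed sample in the log-file format (not from a real run). The /etc/.java
# hidden directory is a classic benign finding that the baseline should absorb.
SAMPLE_LOG='[10:21:05] Warning: Hidden directory found: /etc/.java
[10:21:05] Warning: The file properties have changed:
[10:21:05]          File: /usr/bin/ls
[10:21:06] Info: Checking for hidden files and directories [ OK ]
[10:21:07] Warning: Suspicious file types found in /dev:'

# Summarise the real log when it exists, otherwise show the sample warnings.
if [ -r "$RKHUNTER_LOG" ]; then
    echo "rkhunter warnings in $RKHUNTER_LOG: $(count_warnings < "$RKHUNTER_LOG")"
else
    printf '%s\n' "$SAMPLE_LOG" | extract_warnings
fi
```

Call rkhunter_baseline_and_check once on a freshly built host; afterwards a scheduled `sudo rkhunter --check --sk --rwo` piped through count_warnings gives a number worth alerting on, and a jump in it right after an apt upgrade almost always means the baseline needs another --propupd rather than that the box is compromised.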

Conclusion

ClamAV and rkhunter are effective tools for finding malware and rootkits on Linux systems. By following this tutorial you can keep the signature database current, scan files and directories, quarantine or remove what is found, and check the host for rootkit traces.



About the author:
Pradeep has expertise in Linux, Go, Nginx, Apache, CyberSecurity, AppSec and various other technical areas. He has contributed to numerous publications and websites, providing his readers with insightful and informative content.