11.11.2019

How to install Clam AntiVirus (ClamAV) on a VPS or server with CentOS

How to install Clam AntiVirus (ClamAV) on a VPS or server with CentOS

ClamAV (Clam AntiVirus) - antivirus software for UNIX systems (there are versions for other operating systems - Windows, Apple Mac OS X), a popular free product licensed under the GNU General Public License.

ClamAV Efficiency

Using ClamAV, you can find malicious files on the server, but still it does not give a 100% guarantee of the accuracy of analysis and scanning for malicious threats for sites, scripts, engines, and other software. So, for example, ClamAV encoded PHP or JavaScript malicious code will not cause any suspicions and the report will indicate that there are no malicious files (Infected files: 0). In addition, if the malicious code is not in the engine files, but in the database, then ClamAV will also not help. But, nevertheless, ClamAV scanning is the first thing to do if there is a suspicion of malware on the server. Antivirus quite well detects all kinds of Web shells - see examples of scan reports below.

Installing Clam AntiVirus (ClamAV) on a VPS / VDS or CentOS Server

So, now we’ll take a closer look at installing Clam AntiVirus (ClamAV) on VPS / VDS or a dedicated server with CentOS OS step by step.

1. Install / enable EPEL repository.

2. Install Clam AntiVirus (ClamAV) on the server:

yum install clamav clamd

3. We start the clamd service (for scanning mail) and put it in autorun

/etc/init.d/clamd on
chkconfig clamd on
/etc/init.d/clamd start

4. Updating the signature database

/usr/bin/freshclam

Set up daily ClamAV scanning

Now let's set up a daily scan of the directory with our sites, for example /var/www/

5. Create a cron file

vim /etc/cron.daily/manual_clamscan

6. Add the following lines to the file

#!/bin/bash
SCAN_DIR="/var/www"
LOG_FILE="/var/log/clamav/manual_clamscan.log"
/usr/bin/clamscan -i -r $SCAN_DIR >> $LOG_FILE

Where SCAN_DIR - this is the directory to be scanned.

7. Now make our crown script executable

chmod +x /etc/cron.daily/manual_clamscan

That's all! Clam AntiVirus (ClamAV) is installed and will perform a daily scan of the SCAN_DIR directory (in our case it is /var/www/).

If mail is not used on the server, then you can skip clamd. And you can install ClamAV with the following command

yum --enablerepo=epel -y install clamav
[root@server ~]# yum --enablerepo=epel -y install clamav
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.serverspace.co.uk
 * epel: mirror.bytemark.co.uk
 * extras: centos.serverspace.co.uk
 * openvz-kernel-rhel5: ftp.ticklers.org
 * updates: centos.serverspace.co.uk
epel                                                     | 3.6 kB     00:00
epel/primary_db                                          | 2.9 MB     00:00
Excluding Packages from CentOS-5 - Updates
Finished
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package clamav.i386 0:0.99-3.el5 set to be updated
--> Processing Dependency: clamav-db = 0.99-3.el5 for package: clamav
---> Package clamav.x86_64 0:0.99-3.el5 set to be updated
--> Running transaction check
---> Package clamav-db.x86_64 0:0.99-3.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch             Version              Repository      Size
================================================================================
Installing:
 clamav              i386             0.99-3.el5           epel           1.8 M
 clamav              x86_64           0.99-3.el5           epel           1.6 M
Installing for dependencies:
 clamav-db           x86_64           0.99-3.el5           epel           102 M

Transaction Summary
================================================================================
Install       3 Package(s)
Upgrade       0 Package(s)

Total download size: 106 M
Downloading Packages:
(1/3): clamav-0.99-3.el5.x86_64.rpm                      | 1.6 MB     00:00
(2/3): clamav-0.99-3.el5.i386.rpm                        | 1.8 MB     00:00
(3/3): clamav-db-0.99-3.el5.x86_64.rpm                   | 102 MB     00:14
--------------------------------------------------------------------------------
Total                                           7.0 MB/s | 106 MB     00:15
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : clamav-db                                                1/3
  Installing     : clamav                                                   2/3
  Installing     : clamav                                                   3/3

Installed:
  clamav.i386 0:0.99-3.el5              clamav.x86_64 0:0.99-3.el5

Dependency Installed:
  clamav-db.x86_64 0:0.99-3.el5

Complete!

If you want to run a ClamAV scan, enter the command clamscan with the flags -i (scan files in subdirectories) and -r (display information only about infected files)

clamscan -r -i

If no malicious files are detected, the report will contain a line Infected files: 0

---------- SCAN SUMMARY -----------
Known viruses: 3105755
Engine version: 0.98.1
Scanned directories: 867
Scanned files: 7102
Infected files: 0
Data scanned: 54.85 MB
Data read: 33.64 MB (ratio 1.63:1)

And now some real reports with the threats found

/var/www/user/data/www/domain.com/images/stories/.logs/xh: Hacktool.Fakeproc FOUND
/var/www/user/data/www/domain.com/images/stories/.logs/crot: Trojan.Eggdrop-117 FOUND
/var/www/user/data/www/domain.com/images/stories/.logs/httpd: Trojan.Eggdrop-118 FOUND
/var/www/user/data/www/domain.com/images/stories/.logs/t3394: Linux.RST.B FOUND
/var/www/user/data/www/domain.com/images/stories/xbot.jpg: Trojan.Perlbot FOUND
/var/www/user/data/www/domain.com/images/stories/petx.php: PHP.Hide FOUND
/var/www/user/data/www/domain.com/images/stories/x.php: PHP.Shell-22 FOUND
/var/www/user/data/www/domain.com/images/stories/eggMAGIC.tar.gz: Linux.RST.B FOUND
/var/www/user/data/www/domain.com/images/stories/mind.php: PHP.Shell-22 FOUND
/var/www/user/data/www/domain.com/icon0.php: PHP.Hide FOUND
/var/www/user/data/www/domain.com/logs/rdp/psc: Trojan.Linux.RST.b FOUND
----------- SCAN SUMMARY -----------
Known viruses: 3578535
Engine version: 0.98.4
Scanned directories: 3422
Scanned files: 24841
Infected files: 11
Data scanned: 155.40 MB
Data read: 125.98 MB (ratio 1.23:1)
/var/www/user/data/www/domain.net/images/smilies/index.php: PHP.Shell-38 FOUND
/var/www/user/data/www/domain.net/images/banners/index.php: PHP.Shell-38 FOUND
/var/www/user/data/www/domain.net/images/stories/0d4y.php: PHP.Hide FOUND
/var/www/user/data/www/domain.net/images/stories/0d4y.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.net/images/stories/mua.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.net/images/stories/nethome.gif: PHP.Hide FOUND
----------- SCAN SUMMARY -----------
Known viruses: 3009764
Engine version: 0.97.8
Scanned directories: 2153
Scanned files: 46223
Infected files: 6 
/var/www/user/data/wp-conf.php: Trojan.PHP-43 FOUND
/var/www/user/data/www/wp-conf.php: Trojan.PHP-43 FOUND
/var/www/user/data/www/domain.org/administrator/mobileSgh.php: PHP.Trojan.Spambot FOUND
/var/www/user/data/www/domain.org/images/stories/img848m.php.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.org/images/stories/im1067n1g.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.org/images/stories/img599m.php.gif: Trojan.PHP-43 FOUND
/var/www/user/data/www/domain.org/images/stories/img418m.php.gif: Trojan.PHP-43 FOUND
/var/www/user/data/www/domain.org/images/stories/im1847n4g.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.org/images/stories/im4045n8g.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.org/images/stories/im6436n2g.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.org/images/stories/img839m.php.gif: Trojan.PHP-43 FOUND
/var/www/user/data/www/domain.org/images/stories/im1215n7g.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.org/images/stories/img987m.php.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.org/images/stories/pageinfo.php: PHP.Hide FOUND
/var/www/user/data/www/domain.org/wp-conf.php: Trojan.PHP-43 FOUND
/var/www/user/data/www/domain.org/cache/wp-conf.php: Trojan.PHP-43 FOUND
/var/www/user/data/www/domain.org/cache/wthm9521g.php: Trojan.PHP-43 FOUND
/var/www/user/data/www/domain.in/sydata.php: PHP.Shell-84 FOUND
/var/www/user/data/www/domain.in/sys.php: PHP.Shell-38 FOUND
/var/www/user/data/www/domain.ru/images/images.php: PHP.Hide FOUND                                                     
/var/www/user/data/www/domain.ru/images/stories/muakero.php:PHP.Hide FOUND                                                                                                                                   
/var/www/user/data/www/domain.ru/images/stories/tir1683.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.ru/images/stories/tir1657.gif: PHP.Hide FOUND
/var/www/user/data/www/domain.ru/images/stories/explore.php: PHP.Hide FOUND
/var/www/user/data/www/domain.ru/images/stories/3xp.php: PHP.Hide FOUND
/var/www/user/data/www/domain.ru/images/stories/functions.php: PHP.Hide FOUND
/var/www/user/data/www/domain.ru/cache/images.php: PHP.Hide FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3226138
Engine version: 0.98.1
Scanned directories: 1805
Scanned files: 14565
Infected files: 8
Data scanned: 247.81 MB
Data read: 387.98 MB (ratio 0.64:1)
Time: 79.985 sec (1 m 19 s)   

Latest news

HostingHutor.com is now in Telegram: chat with support, bot, channel
04.05.2020
HostingHutor.com is now in Telegram: chat with support, bot, channel
Dear users! Now we are in Telegram! Support chat, bot for sending notifications from your personal account and channel.
Schedule and payment processing for the May day holidays
29.04.2020
Schedule and payment processing for the May day holidays
Dear users! Check out the schedule for processing bank transfers during the May day holidays.
Google Chrome will soon blocking insecure HTTP downloads
03.03.2020
Google Chrome will soon blocking insecure HTTP downloads
At first, Chrome will warn, but in future releases it will already block unsafe HTTP downloads.
Starting January 13, only the new IBAN bank account standard is valid!
13.01.2020
Starting January 13, only the new IBAN bank account standard is valid!
Starting today, the bank code and current account in Ukraine will replace the bank account number according to the IBAN standard.

Latest Blog Posts

New virus Coronavirus (COVID-19) and cyber fraud on the Internet
02.03.2020
New virus Coronavirus (COVID-19) and cyber fraud on the Internet
The panic surrounding the coronavirus COVID-19 is used by cyber fraudsters on the Internet - phishing, selling masks, vaccines and tests.
Mail is not sent - check if the internet provider is blocking port 25
11.01.2020
Mail is not sent - check if the internet provider is blocking port 25
How to check if provider is blocking port 25 using the command line in Windows. How to send mail if port 25 is blocked.
How to install Clam AntiVirus (ClamAV) on a VPS or server with CentOS
11.11.2019
How to install Clam AntiVirus (ClamAV) on a VPS or server with CentOS
Install Clam AntiVirus (ClamAV) on VPS / VDS or a dedicated server with CentOS OS and configure daily server scan.
ISPmanager no longer supports backup to Yandex.Disk
20.10.2019
ISPmanager no longer supports backup to Yandex.Disk
Within a week, Yandex.Disk will disappear from the list of backup storage in the ISPmanager panel and other ISPsystem products.

Popular domains