MAC OS X, Linux, Windows and other IT Tips and Tricks

19 Nov 15 Scanning for viruses on a Debian/Ubuntu server

Situation:
Most malware found on a Linux server is harmless to the server itself as long as it just sits on disk as a file. But a server exists to serve: those same files are handed out to clients, mail recipients and other systems where they can do real damage, which makes a server one of the best places for malware to spread from.

Solution: Scan the system or certain vulnerable directories

Method: Install and use ClamAV
STEPS:
Install ClamAV together with the signature updater (freshclam):
apt-get install clamav
Update the virus signature database before starting the scan:
freshclam
Note: this fetches the full ClamAV signature set (over a million signatures at the time of writing, and growing) from the ClamAV mirrors and stores it locally. On Debian/Ubuntu freshclam is also installed as a background daemon (the clamav-freshclam service); if a manual run fails with an error that the log file is locked by another process, stop that service first, run freshclam, then start the service again.

Important: before scanning, stop every process that is not strictly necessary or not trusted. Running malware can re-infect files you have just cleaned or hide itself from the scan; a kernel-level rootkit can hide files from every tool on the live system, including clamscan, which is why the offline scan described at the end is the only way to get close to certainty.

Do the virus scanning.
To avoid pointless delays and read errors we exclude the pseudo-filesystems /proc, /sys and /dev (the argument to --exclude-dir is a regular expression matched against the directory path).
The --infected option prints only infected files, so the output is not cluttered with OK, empty-file or symbolic-link lines.
Scanning the full system (run it as root so every file is readable; on a large filesystem this takes hours):
clamscan --recursive --stdout --infected --exclude-dir=^/proc/ --exclude-dir=^/sys/ --exclude-dir=^/dev/ /
Scanning a single directory without exclusions:
clamscan --recursive --stdout --infected /dir/to/scan
If you need to see the names of infected files inside a scanned archive, add the option:
--archive-verbose
For more options see the output of:
clamscan --help
The last step:
IMPORTANT: check every reported file and make sure it REALLY is to be deleted. ClamAV does produce false positives, and a deleted system file or customer upload cannot be recovered; if in doubt, quarantine with --move=DIRECTORY instead of deleting.
Then redo the same scan adding the option --remove=yes, e.g.
clamscan --recursive --infected --remove=yes /dir/to/scan

Important note: in the examples above we are scanning a live system and excluding a few system directories that normally require root access to write to. This is no guarantee that the system is 100% clean: malware that is running, or a rootkit hiding files from the kernel, can evade a scan of the live system. To get closer to 100%, scan the disks offline:
– Reboot the server into a separate, known-clean minimal system, normally a network-booted rescue system.
– Mount all the partitions to be scanned, especially the server's root partition.
– Install ClamAV and freshclam on the rescue system, refresh the signature database with freshclam, then scan every mounted partition (but not the rescue system's own root partition).
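The whole procedure above (signature update, live scan with the pseudo-filesystems excluded, review of the hits, clean-up, and the same scan run against partitions mounted from a rescue system) collected into one script. This is an added example, not code from the original post. The log path, quarantine directory and the /mnt/* mount points are assumptions, and it deliberately goes one step beyond the post: instead of re-running the scan with --remove=yes, it parses the first scan's log into a list you review by hand and then quarantines exactly those files, so a false positive can be restored.

```bash
#!/bin/bash
# Added example, not code from the original post. Assumed (not in the post):
# the SCAN_LOG and QUARANTINE paths and the /mnt/* mount points used offline.
SCAN_LOG="${SCAN_LOG:-/var/log/clamav/scan.log}"
QUARANTINE="${QUARANTINE:-/var/quarantine}"
CLAM_OPTS="--recursive --infected --stdout"

# On Debian/Ubuntu freshclam also runs as a daemon (clamav-freshclam) that
# holds a lock on its log; a manual run fails while it is active, so stop it
# around the update and start it again afterwards.
update_signatures() {
    service clamav-freshclam stop 2>/dev/null || true
    freshclam
    service clamav-freshclam start 2>/dev/null || true
}

# Live scan of the running system: skip the pseudo-filesystems, log the hits.
# clamscan exits 0 when clean, 1 when something was found, 2 on error.
scan_live_system() {
    clamscan $CLAM_OPTS --log="$SCAN_LOG" \
        --exclude-dir='^/proc/' --exclude-dir='^/sys/' --exclude-dir='^/dev/' /
}

# Offline variant: the server's partitions are mounted under the rescue
# system (e.g. /mnt/root /mnt/home); scan only those, never the rescue root.
scan_mounted_partitions() {
    clamscan $CLAM_OPTS --log="$SCAN_LOG" "$@"
}

# Turn a clamscan exit status into a word a calling script can act on.
classify_scan_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Pull the file paths out of the "path: Signature FOUND" lines of a scan log.
# OK lines and the summary ("Infected files: 2") never end in " FOUND".
infected_paths() {
    sed -n '/ FOUND$/{s/: [^:]* FOUND$//;p;}' "$1"
}

# Review step: edit the list produced by infected_paths, then quarantine
# exactly those files, keeping each original path under the quarantine dir.
# Paths in the list that no longer exist are skipped rather than failing.
quarantine_paths() {
    listfile="$1"; qdir="$2"
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        mkdir -p "$qdir$(dirname "$f")"
        mv -- "$f" "$qdir$f"
    done < "$listfile"
}

# Interactive use (set RUN_SCAN=1; needs root and an installed clamscan).
# For the offline scan replace scan_live_system with, for example:
#   scan_mounted_partitions /mnt/root /mnt/home
if [ "${RUN_SCAN:-0}" = 1 ] && command -v clamscan >/dev/null 2>&1; then
    update_signatures
    scan_live_system; status=$?
    echo "scan result: $(classify_scan_exit "$status")"
    infected_paths "$SCAN_LOG" > /tmp/clam-hits   # review this list by hand
    # quarantine_paths /tmp/clam-hits "$QUARANTINE"  # then run this step
fi
```

The quarantine keeps the original path under the quarantine directory, so /srv/www/upload.php ends up as /var/quarantine/srv/www/upload.php and can be moved back with a single mv if the hit turns out to be a false positive; only once the reviewed list is confirmed does anything get deleted.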
