Unexpected behaviors on a Linux server or desktop could be the result of a Malware infection and need to be investigated as soon as possible. Linux computers have a wrong reputation for being completely safe and virus free, despite the layers of security and sudo authentication contribute to a more secure OS, this statement ends up leading many users to neglect their installations and consequently their security. Periodically scanning your linux computer with specialized programs is highly recommended, especially for those people who have the habit of running any internet code with sudo , don't do that, seriously !

There are excellent programs that can help identify compromised systems and possible threats on your machine. In this article we'll cover 3 programs that I use and recommend:

  • ClamAV
  • Sophos Antivirus
  • Rkhunter
  • Chkrootkit

Update your package information

First of all let's update our OS packages:

$ sudo apt-get install clamav clamav-daemon


THE ClamAV is a very popular open source antivirus that is available on many platforms, including most Linux distributions .

Install with the command below:

$ sudo apt-get install clamav clamav-daemon

After installation we need to update the antivirus database ClamAV :

$ sudo freshclam

Now that our antivirus is up to date we can begin our investigation by scanning the folder home :

$ sudo clamscan -r /home

If everything goes as expected and there are no infected files in your folder home , the command nothing will return .

How to test if the antivirus really works?

To test it, we can download a harmless file that is intended to be easily identifiable by antiviruses. Run the following command to download the program into your folder home :

$wget -P ~/ http://www.eicar.org/download/eicar.com

Now rescan your home folder with the same commands as in the first step and note that you will receive a message informing you that an infected file has been identified. Now that you've confirmed that it works, run the command below to scan and remove the infected file:

$ sudo clamscan --infected --remove --recursive /home

Be very careful when running the command with the remove option, always run an initial scan without it so as not to delete any files that could be falsely identified by mistake.

To do a complete analysis of your server run the command below:

$ sudo clamscan --infected --recursive --exclude-dir="^/sys" /

This command checks all directories recursively, skipping only the folder. /sys to avoid unnecessary alerts.

Sophos Antivirus

To install antivirus sophos we need to create an account on the official website and accept the terms to download the tarball file that contains the installation.

Download in an easily accessible location and extract the tarball file:

$ tar xzf sav-linux-free-9.tgz

Navigate to the extracted folder and run the script installation:

$cd sophos-av
$ sudo ./install.sh

Accept the End User License Agreement ( EULA )

Once the installer starts we need to accept the license agreement. Scroll down to the end and accept to proceed with the installation:

I accept the Sophos End User License Agreement and acknowledge the Sophos Privacy Policy. Yes(Y)/No(N)[N]
> Y

Select the place of installation. By default the installation will take place in the folder /opt/sophos-av :

Where do you want to install Sophos Anti-Virus?[/opt/sophos-av]

Then we can choose to activate the "on-access scan mode", I recommend that you activate:

Do you want to enable on-access scanning? Yes(Y)/No(N)[Y]

Now Sophos will ask for permission to update automatically, I recommend that you activate to always keep up to date the new identified Malwares:

Sophos recommends that you configure Sophos Anti-Virus to auto-update.

It can update either from Sophos directly (requiring username/password details) or from your own server (directory or website (possibly requiring

Which type of auto-updating do you want? From Sophos(s)/From own server(o)/None(n)[s]

Now select the free version by typing " f " and pressing enter.

Do you wish to install the Free(f) or Supported(s) version of SAV for Linux?[s]
> f

After all questions are finished and installation is finished, a result similar to the one below should be returned:

Fetching free update credentials.
Installing Sophos Anti-Virus.
Selecting appropriate kernel support...

Installation completed.
Your computer is now protected by Sophos Anti-Virus.

This means Sophos Antivirus has been successfully installed and is already protecting your computer.

Important commands for using Sophos Antivirus

Check if Sophos Antivirus is running:

$ /opt/sophos-av/bin/savdstatus
Sophos Anti-Virus is active and on-access scanning is running

Enable or disable loading at system startup:

$ /opt/sophos-av/bin/savdctl enableOnBoot savd
$ /opt/sophos-av/bin/savdctl disableOnBoot savd

Enable or disable Sophos Antivirus "on-access mode":

/opt/sophos-av/bin/savdctl enable # Enable
/opt/sophos-av/bin/savdctl disable # Disable

Run an on-demand scan:

$ savscan /home/shadowlik


Rkhunter is a very famous solution for scanning your system for rootkits and other vulnerabilities. Its installation is available directly from the package manager:

$ sudo apt-get install rkhunter

Once installed, before starting to scan the computer, we need to update its property bank:

$ sudo rkhunter --propupd

This allows the program to know the current status of some files to prevent false alerts. Now let's start scanning:

$ sudo rkhunter --checkall

The program scans for some standard system commands, checking for rootkits, some Malware and also network settings. The result of the analysis is displayed on the terminal and saved in a file. log with the summary of the operation.

To check the result saved in the log file:

$ sudo cat /var/log/rkhunter.log | grep -i warning

Take your time to read the report and consider the tips to improve your system.


Chkrootkit is another very popular solution to scan your system for rootkits, it performs a series of useful checks that manage to direct you the way to identify possible vulnerabilities.

$ sudo apt-get install chkrootkit

To scan just run the command below:

$ sudo chkrootkit

Chkrootkit different from Rkhunter does not save any files from log , just returns the result in the terminal. If you want to save the report for later analysis, use the command tee to direct the return to a file on disk.

$ sudo chkrootkit | sudo tee /var/log/chkrootkit/chkrootkit.log

Now check your file filtering for warnings like warning:

$ sudo cat /var/log/chkrootkit/chkrootkit.log | grep -i warning

Chkrootkit can be very useful in determining if your machine has been compromised, but don't use it as your only answer, always in conjunction with another program to further analyze possible damage to your installation.

0 0 votos
Nota do Artigo
Notify of

0 Comentários
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x