So you are using Linux in your infrastructure and want to protect it against malware. An excellent choice. There used to be a myth that Unix and Linux systems would not be attacked (that much) because of their system structure and permission sets, when configured properly. Well, that is long gone. Since pretty much all cloud systems now run on Linux-based infrastructure, the interest of certain parties in attacking them, either for fun or for profit, has increased exponentially.
There still are not that many solutions available compared to Windows or macOS. But since server systems tend to be online all the time, they are a much easier target than many think. So doing the best you can, including a proper firewall, SELinux, permissions etc., also includes malware protection. And here ClamAV comes into play. There might be other systems as well, but ClamAV is well established and supported.
Limitations you have to be aware of:
- There is no real-time file system protection like on Windows or macOS desktops.
- It does not disinfect files: it either detects, deletes, or quarantines them.
- It only detects known threats or patterns, so zero-day or highly obfuscated malware might evade detection.
Its real strength is server-side scanning. For instance, if you run a website where users can upload files, you can use it to scan each file during the upload process and reject the upload if the file is infected.
So instead you need to do the scanning yourself, either manually or through a cron job. The best approach is to set up a shell script that performs all the functions you need, including email alerts if something suspicious is found.
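As an added example (not code from the original post or its Puppet module), here is a cron-friendly POSIX shell script that runs clamscan, quarantines hits and mails an alert; the scan paths, quarantine directory, log location, alert address and the `mail` command are assumptions you would adapt to your site.

```shell
#!/bin/sh
# Scheduled ClamAV scan with e-mail alert. Added example, not code from the
# original post or its Puppet module. The paths and address below are
# placeholders (assumptions); override them via the environment or in cron.
SCAN_DIRS="${SCAN_DIRS:-/var/www /home /tmp}"
QUARANTINE="${QUARANTINE:-/var/lib/clamav/quarantine}"
LOG="${LOG:-/var/log/clamav/scan-$(date +%F).log}"
ALERT_TO="${ALERT_TO:-security@example.com}"
HOST=$(hostname 2>/dev/null || echo unknown-host)

# Count the "<path>: <signature> FOUND" lines clamscan writes to its log.
infected_count() {
    n=$(grep -c ' FOUND$' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Map clamscan's exit status (0 clean, 1 infected, 2 error) to a verdict.
verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Alert text: verdict, number of hits and the FOUND lines themselves.
alert_body() {
    echo "ClamAV scan on $HOST finished: $(verdict "$2")"
    echo "Infected files: $(infected_count "$1")"
    grep ' FOUND$' "$1" 2>/dev/null || true
}

# Run the scan. Anything other than a clean exit is mailed, so a failed scan
# (unreadable directory, stale signatures) is not mistaken for a clean one.
main() {
    mkdir -p "$QUARANTINE" "$(dirname "$LOG")"
    # -r recurse, -i list only infected files, --move quarantines each hit
    clamscan -r -i --move="$QUARANTINE" --log="$LOG" $SCAN_DIRS >/dev/null 2>&1
    status=$?
    if [ "$status" -ne 0 ]; then
        alert_body "$LOG" "$status" |
            mail -s "[ClamAV] $(verdict "$status") on $HOST" "$ALERT_TO"
    fi
    return "$status"
}

# Only scan when executed as the script itself, so the helpers above can be
# sourced and tested without clamscan installed.
case "$0" in *clamav-scan.sh) main ;; esac
```

Install it as `clamav-scan.sh`, then schedule it from cron (for example nightly) so that only a non-clean exit produces mail.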
While there are many websites telling you how to manually configure and set up ClamAV, since I am using Puppet to manage my infrastructure, I naturally wrote a Puppet module for ClamAV, so I can apply it to my infrastructure within minutes. If you use Puppet as well, feel free to clone and use it.
That’s it for now, happy coding!