Clam av



#1 altonius


Posted 21 January 2015 - 10:35 PM

I have been using Clam TK on my Lubuntu 14.04 every couple of weeks.

It gives you a choice of scan and I always click on "Home folder recursive".

Am I right in thinking that this scans the entire disk or is there some other, better way that I should be doing this?

As always, I would appreciate any info you might share.




#2 NickAu


Posted 21 January 2015 - 10:41 PM

 

As always, I would appreciate any info you might share.

 

Hope this helps.

Options

Most of the options are simple switches which enable or disable some features. Options marked with [=yes/no(*)] can be optionally followed by =yes/=no; if they get called without the boolean argument the scanner will assume 'yes'. The asterisk marks the default internal setting for a given option.

-h, --help
    Print help information and exit. 
-V, --version
    Print version number and exit. 
-v, --verbose
    Be verbose. 
--debug
    Display debug messages from libclamav. 
--quiet
    Be quiet (only print error messages). 
--stdout
    Write all messages (except for libclamav output) to the standard output (stdout). 
-d FILE/DIR, --database=FILE/DIR
    Load virus database from FILE or load all virus database files from DIR. 
--official-db-only=[yes/no(*)]
    Only load the official signatures published by the ClamAV project. 
-l FILE, --log=FILE
    Save scan report to FILE. 
--tempdir=DIRECTORY
    Create temporary files in DIRECTORY. Directory must be writable for the '' user or unprivileged user running clamscan. 
--leave-temps
    Do not remove temporary files. 
-f FILE, --file-list=FILE
    Scan files listed line by line in FILE. 
-r, --recursive
    Scan directories recursively. All the subdirectories in the given directory will be scanned. 
--cross-fs=[yes(*)/no]
    Scan files and directories on other filesystems. 
--follow-dir-symlinks=[0/1(*)/2]
    Follow directory symlinks. There are 3 options: 0 - never follow directory symlinks, 1 (default) - only follow directory symlinks, which are passed as direct arguments to clamscan. 2 - always follow directory symlinks. 
--follow-file-symlinks=[0/1(*)/2]
    Follow file symlinks. There are 3 options: 0 - never follow file symlinks, 1 (default) - only follow file symlinks, which are passed as direct arguments to clamscan. 2 - always follow file symlinks. 
--bell
    Sound bell on virus detection. 
--no-summary
    Do not display summary at the end of scanning. 
--exclude=REGEX, --exclude-dir=REGEX
    Don't scan file/directory names matching regular expression. These options can be used multiple times. 
--include=REGEX, --include-dir=REGEX
    Only scan file/directory matching regular expression. These options can be used multiple times. 
-i, --infected
    Only print infected files. 
--remove[=yes/no(*)]
    Remove infected files. Be careful. 
--move=DIRECTORY
    Move infected files into DIRECTORY. Directory must be writable for the '' user or unprivileged user running clamscan. 
--copy=DIRECTORY
    Copy infected files into DIRECTORY. Directory must be writable for the '' user or unprivileged user running clamscan. 
--bytecode[=yes(*)/no]
    With this option enabled ClamAV will load bytecode from the database. It is highly recommended you keep this option turned on, otherwise you may miss detections for many new viruses. 
--bytecode-unsigned[=yes/no(*)]
    Allow loading bytecode from outside digitally signed .c[lv]d files. 
--bytecode-timeout=N
    Set bytecode timeout in milliseconds (default: 60000 = 60s) 
--detect-pua[=yes/no(*)]
    Detect Possibly Unwanted Applications. 
--exclude-pua=CATEGORY
    Exclude a specific PUA category. This option can be used multiple times. See http://www.clamav.net/support/pua for the complete list of PUA 
--include-pua=CATEGORY
    Only include a specific PUA category. This option can be used multiple times. See http://www.clamav.net/support/pua for the complete list of PUA 
--detect-structured[=yes/no(*)]
    Use the DLP (Data Loss Prevention) module to detect SSN and Credit Card numbers inside documents/text files. 
--structured-ssn-format=X
    X=0: search for valid SSNs formatted as xxx-yy-zzzz (normal); X=1: search for valid SSNs formatted as xxxyyzzzz (stripped); X=2: search for both formats. Default is 0. 
--structured-ssn-count=#n
    This option sets the lowest number of Social Security Numbers found in a file to generate a detect (default: 3). 
--structured-cc-count=#n
    This option sets the lowest number of Credit Card numbers found in a file to generate a detect (default: 3). 
--scan-mail[=yes(*)/no]
    Scan mail files. If you turn off this option, the original files will still be scanned, but without parsing individual messages/attachments. 
--phishing-sigs[=yes(*)/no]
    Use the signature-based phishing detection. 
--phishing-scan-urls[=yes(*)/no]
    Use the url-based heuristic phishing detection (Phishing.Heuristics.Email.*) 
--heuristic-scan-precedence[=yes/no(*)]
    Allow heuristic match to take precedence. When enabled, if a heuristic scan (such as phishingScan) detects a possible virus/phish it will stop the scan immediately. Recommended, saves CPU scan-time. When disabled, a virus/phish detected by heuristic scans will be reported only at the end of a scan. If an archive contains both a heuristically detected virus/phish and a real malware, the real malware will be reported. Keep this disabled if you intend to handle "*.Heuristics.*" viruses differently from "real" malware. If a non-heuristically-detected virus (signature-based) is found first, the scan is interrupted immediately, regardless of this config option. 
--phishing-ssl[=yes/no(*)]
    Block SSL mismatches in URLs (might lead to false positives!). 
--phishing-cloak[=yes/no(*)]
    Block cloaked URLs (might lead to some false positives). 
--algorithmic-detection[=yes(*)/no]
    In some cases (eg. complex malware, exploits in graphic files, and others), ClamAV uses special algorithms to provide accurate detection. This option can be used to control the algorithmic detection. 
--scan-pe[=yes(*)/no]
    PE stands for Portable Executable - it's an executable file format used in all 32-bit versions of Windows operating systems. By default ClamAV performs deeper analysis of executable files and attempts to decompress popular executable packers such as UPX, Petite, and FSG. If you turn off this option, the original files will still be scanned but without additional processing. 
--scan-elf[=yes(*)/no]
    Executable and Linking Format is a standard format for UN*X executables. This option controls the ELF support. If you turn it off, the original files will still be scanned but without additional processing. 
--scan-ole2[=yes(*)/no]
    Scan Microsoft Office documents and .msi files. If you turn off this option, the original files will still be scanned but without additional processing. 
--scan-pdf[=yes(*)/no]
    Scan within PDF files. If you turn off this option, the original files will still be scanned, but without decoding and additional processing. 
--scan-html[=yes(*)/no]
    Detect, normalize/decrypt and scan HTML files and embedded scripts. If you turn off this option, the original files will still be scanned, but without additional processing. 
--scan-archive[=yes(*)/no]
    Scan archives supported by libclamav. If you turn off this option, the original files will still be scanned, but without unpacking and additional processing. 
--detect-broken[=yes/no(*)]
    Mark broken executables as viruses (Broken.Executable). 
--block-encrypted[=yes/no(*)]
    Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR). 
--max-files=#n
    Extract at most #n files from each scanned file (when this is an archive, a document or another kind of container). This option protects your system against DoS attacks (default: 10000) 
--max-filesize=#n
    Extract and scan at most #n kilobytes from each archive. You may pass the value in megabytes in format xM or xm, where x is a number. This option protects your system against DoS attacks (default: 25 MB, max: <4 GB) 
--max-scansize=#n
    Extract and scan at most #n kilobytes from each scanned file. You may pass the value in megabytes in format xM or xm, where x is a number. This option protects your system against DoS attacks (default: 100 MB, max: <4 GB) 
--max-recursion=#n
    Set archive recursion level limit. This option protects your system against DoS attacks (default: 16). 
--max-dir-recursion=#n
    Maximum depth directories are scanned at (default: 15).

Examples

(0) Scan a single file:

    clamscan file 
(1) Scan a current working directory:

    clamscan 
(2) Scan all files (and subdirectories) in /home:

    clamscan -r /home 
(3) Load database from a file:

    clamscan -d /tmp/newclamdb -r /tmp 
(4) Scan a data stream:

    cat testfile | clamscan - 
(5) Scan a mail spool directory:

    clamscan -r /var/spool/mail

http://linux.die.net/man/1/clamscan


Edited by NickAu, 21 January 2015 - 10:44 PM.


#3 bmike1


Posted 22 January 2015 - 01:48 AM

If you want to scan the whole disk, do recursive from /. Recursive from /home just scans the /home directory. But I have to ask.... why are you doing this? Every time I ever ran a virus scan I just got false positives. Poor refugees from Windows..... still thinking you need to scan your disks.


A/V Software? I don't need A/V software. I've run Linux since '98 w/o A/V software and have never had a virus. I never even had a firewall until '01 when I began to get routers with firewalls pre-installed. With Linux, if a vulnerability is detected a fix is quickly found and then upon your next update the vulnerability is patched. If you must worry about viruses on a Linux system, only worry about them in the sense that you can infect a Windows user. I recommend Linux Mint or, if you need a lighter weight operating system that fits on a CD, MX14 or AntiX.


#4 pcpunk


Posted 22 January 2015 - 03:15 PM

I won't pretend to know anything about this lol, but I also never get anything but PUP's etc for the last seven months.  I believe others here use it often but I have not figured out the best way to scan.  I have done scans of the whole OS but don't think it is necessary.  I'm guessing that it is a good practice if you are surfing certain sites and downloading stuff.  I always use it to scan downloads before opening.

 

What Nick has posted above should be a very valuable tool when needed.




#5 NickAu


Posted 22 January 2015 - 03:21 PM

 

I won't pretend to know anything about this lol, but I also never get anything but PUP's etc for the last seven months.

You get PUPs (potentially unwanted programs) on Linux?

 

 

 

 

The phrase “potentially unwanted program” (PUP) is popping up more frequently in discussions of security and anti-malware protection. To me, “PUP” means malware; it’s software that I never wanted, didn’t deliberately install, and that makes my life more difficult. The awkward attempt to avoid offending its developers seems ridiculous. Here's what you need to know about PUPs, how they sneak in, how to remove them, and how to avoid PUPs in the first place.

http://askbobrankin.com/alert_potentially_unwanted_software.html


Edited by NickAu, 22 January 2015 - 04:22 PM.


#6 altonius


Posted 23 January 2015 - 12:01 AM

Thanks guys. Much appreciated.



#7 pcpunk


Posted 24 January 2015 - 07:00 PM

I'm sorry, PUAs. This is what I got on a few occasions; I posted some of this a while back and was told that they were not an issue. If I remember right, they were quarantined and then deleted. If this is an issue please notify me and I will take action: 

Found 5 possible threats (138337 files scanned).
 
/usr/lib/linuxmint/mintWifi/drivers/i386/Broadcom4318_Dell1390/bcmwl5.sys      PUA.Win32.Packer.PrivateExeProte-7     
/usr/lib/linuxmint/mintWifi/drivers/i386/WUSB54Gv4/rt2500usb.sys               PUA.Win32.Packer.NspackDotnetNor-1     
/usr/lib/linuxmint/mintWifi/drivers/i386/Dell_bcmwl5/bcmwl5.sys                PUA.Win32.Packer.PrivateExeProte-7     
/usr/lib/mono/4.0/mscorlib.dll                                                 PUA.Win32.Packer.PrivateExeProte-7     
/usr/lib/mono/4.5/mscorlib.dll                                                 PUA.Win32.Packer.PrivateExeProte-7     
-------------------------------------------------------------------------------------------------------------------
And on a different date:
 
Found 8 possible threats (2247 files scanned).
 
/home/chris/.cache/google-chrome/Default/Cache/f_000c00      PUA.JS.Xored             
/home/chris/.cache/google-chrome/Default/Cache/f_003b06      PUA.JS.Xored             
/home/chris/.cache/google-chrome/Default/Cache/f_00413f      PUA.Script.Packed-2      
/home/chris/.cache/google-chrome/Default/Cache/f_0014d8      PUA.JS.Xored             
/home/chris/.cache/google-chrome/Default/Cache/f_003695      PUA.JS.Xored             
/home/chris/.cache/google-chrome/Default/Cache/f_00306b      PUA.JS.Xored             
/home/chris/.cache/google-chrome/Default/Cache/f_003ace      PUA.Phishing.Bank        
/home/chris/.cache/google-chrome/Default/Cache/f_00035e      PUA.JS.Xored             



#8 NickAu


Posted 24 January 2015 - 07:41 PM

 

I'm sorry-PUA's  This is what I got on a few occasions, I posted some of this a while back and was told that they were not an issue.  If I remember right, they were quarantined and then deleted.  If this is an issue please notify me and I will take action: 

 

Didn't we cover this in another topic already PC?

Linux Mint17 Infection - Linux & Unix - Bleeping Computer

#9 pcpunk


Posted 24 January 2015 - 11:38 PM

Yes-thanks Nick, I looked over most of that stuff, more tomorrow when I got more time.  Actually I looked over all of it but need to look at some of it closer.  And posted on that Thread again.




#10 cat1092


Posted 25 January 2015 - 02:37 AM

 

 

You get PUPs (potentially unwanted programs) on Linux?

 

Depends on what's in the Downloads folder. I downloaded some tools to transfer some files from an old Motorola cell phone and a wad of PUP's was shown by ClamTK (ESET NOD32 for Unices also flagged some of these in real time). Though these were transferred to a Flash drive afterwards, I left them in the downloads folder for 'just in case'. 

 

They've since been whitelisted to prevent future detection. 

 

Being that I'm on Linux Mint for over 70% of my using of the computer, I grab software for my other OS's on it also, though with some, I'll use Down Them All & point these to go to the Windows data drive, if going to be installed on the same computer. It was how I grabbed all of my updated Dell drivers & was able to check the SHA-256 hashes also with the browser extension. Other than NoScript & Adblock Plus, DTA is the Firefox extension I use the most, it's free & a full featured download manager. 

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#11 pcpunk


Posted 11 April 2015 - 06:10 PM

cat, you have said that I should not use clamav for windows virus detection or something to that effect.  Can you clarify what you mean, as this article is saying that you can do just this via LiveDVD.  Number #1 third paragraph:  https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CB4QFjAA&url=http%3A%2F%2Fwww.pcworld.com%2Farticle%2F219481%2Fwhy_you_need_to_have_a_linux_livecd.html&ei=KacpVcbAL6rasATPkIDgBA&usg=AFQjCNGWqHaYTDSxSgwEyAmP-sWGSFhsUg&sig2=cUytX1BnxxNFDCrUYf5jaQ


Edited by pcpunk, 11 April 2015 - 06:11 PM.



#12 cat1092


Posted 11 April 2015 - 08:54 PM

 

 

cat, you have said that I should not use clamav for windows virus detection or something to that effect.

 

pcpunk, what I stated several times was that one should not use ClamTK for scanning Windows drives. It'll find thousands of 'infected' files that are native to the Windows system, and if any are quarantined or deleted, the system will be unbootable. It 'sees' many .exe files as infected, whether or not they're a threat or clean. Which is why I depend on ESET's protection instead. 

 

Many get confused over this; it's ClamAV that's used for Windows scanning, in fact there is a free ClamAV for Windows. 

 

Yet not ClamTK. 

 

That article you linked is 4 years old. I agree with the rest of it, yet wouldn't dare again to scan a Windows system with ClamTK. I tried this once before with fatal after effects: the computer wouldn't boot. An experiment I tried 3-4 years back on a badly infected drive that wasn't mine. Had there not been a reinstall media set, I'd never have attempted this. 

 

http://www.pcworld.com/article/219481/why_you_need_to_have_a_linux_livecd.html

 

In recent years, have been running the Emsisoft Emergency Kit for this (if bootable), if not will remove the drive & place it in my docking station & scan the drive with the same. 

 

There are downloadable bootable Linux based AV rescue ISOs of popular brands that can be used to scan Windows systems with, however some experts warn these aren't 100% safe. Here are several. 

 

https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=downloadable%20rescue%20av%20iso%27s

 

However, if it's your computer & you're willing to bear the risk, you can scan & clean the system with any tool, including ClamTK, that you wish. I'm just sharing my experience with performing the ClamTK scan, what it did (quarantine protected Windows files) & the aftermath (unbootable computer). Had I known of the other options at the time, I would have gone that route instead. 

 

The other thing about ClamTK, is that if a file is quarantined, the user has to know where to replace it back to. 

 

In fact, I have a couple of bootable Linux based rescue CD's, AVG & Bitdefender, though it's been a while since using these. 

 

Have fun! :P

 

Cat




#13 pcpunk


Posted 12 April 2015 - 06:16 PM

I see cat, thanks.  I don't understand about the clamtk and clamav though.  I thought TK was just the GUI, and AV was the engine/software as Al000 has stated many times.  So I thought I knew the difference between clamTK and AV but guess I don't?




#14 shadow-warrior


Posted 12 April 2015 - 07:11 PM

I used to do a lot of work removing viruses and spyware on Windows and have tried most of the different offerings that have been available. I found ClamAV not to be very good at all on Windows, too many false positives, though it may have improved a lot since I used it last... But if the Windows version has problems with detecting true malware etc., then I doubt it will be any better for scanning Windows files from Linux using ClamTK....

 

I don't remember if Clam uses an automatic quarantine, but I would disable that if you can and review any seen possible threats for anything like Windows system files etc., then edit the list..

 

Personally I have never used an antivirus on Linux since I started using it in 2002.....

 

I shouldn't be too hard on Clam, as a larger well known company recently flagged itself as malware and bricked a few Windows systems.. (large black and white bear) without saying names
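Added example, not code from this thread or from the ClamAV project: it combines the clamscan options NickAu quoted earlier (recursive scan, no --remove/--move/--copy, PUA detection, a saved log) with the advice just above to review hits by hand rather than let anything be quarantined automatically. It assumes clamscan's "path: Signature FOUND" line format, and the sample report is constructed, with the paths mirroring the ones posted above and the non-PUA signature name made up.

```shell
#!/bin/sh
# Added example (not from the thread or ClamAV). Report-only scanning plus a
# small triage of the saved log: nothing is removed, moved or copied, and hits
# under system paths are singled out, since quarantining those is what broke
# the Windows install described above.

# Recursive, report-only scan of directory $1, report saved to $2.
# ClamTK's "Home folder recursive" is the $HOME case; pass / for the whole disk.
# --cross-fs=no keeps the scan on one filesystem, so if /home is a separate
# partition scan it in a second run (or drop that option). Not run by the tests.
scan_report_only() {
    clamscan --recursive --infected --detect-pua --cross-fs=no \
        --exclude-dir='^/(proc|sys|dev|run)' "--log=$2" "$1"
}

# Constructed sample in clamscan's "path: Signature FOUND" line format.
SAMPLE_REPORT='/usr/lib/mono/4.0/mscorlib.dll: PUA.Win32.Packer.PrivateExeProte-7 FOUND
/home/chris/.cache/google-chrome/Default/Cache/f_000c00: PUA.JS.Xored FOUND
/home/chris/Downloads/setup.exe: Example.Constructed.Malware-1 FOUND
/home/chris/Downloads/readme.txt: OK'

# Reduce a report to "path<TAB>signature" for every FOUND line. Signature
# names contain no spaces, so stripping ": <sig> FOUND" from the end leaves
# the path intact even when the path itself contains spaces or colons.
found_lines() {
    printf '%s\n' "$1" |
        awk '/ FOUND$/ { sig = $(NF-1); sub(/: [^ ]+ FOUND$/, ""); print $0 "\t" sig }'
}

# Counts split by signature family: PUA.* is "possibly unwanted",
# anything else is a regular malware signature.
count_pua()     { found_lines "$1" | awk -F'\t' '$2 ~  /^PUA\./ { n++ } END { print n+0 }'; }
count_malware() { found_lines "$1" | awk -F'\t' '$2 !~ /^PUA\./ { n++ } END { print n+0 }'; }

# Hits under system directories: review these by hand, never auto-quarantine.
system_path_hits() {
    found_lines "$1" | awk -F'\t' '$1 ~ /^\/(usr|lib|lib64|bin|sbin|boot|etc)\// { print $1 }'
}

# Human-readable triage of a saved report (pass the file contents).
triage_report() {
    echo "PUA hits:   $(count_pua "$1")"
    echo "Other hits: $(count_malware "$1")"
    echo "Under system paths (review before any quarantine):"
    system_path_hits "$1" | sed 's/^/  /'
}

# With a real log: triage_report "$(cat /var/log/clamscan-root.log)"
triage_report "$SAMPLE_REPORT"
```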



#15 pcpunk


Posted 12 April 2015 - 07:42 PM

Okay I won't bother with it for this application.






