How to Check for Viruses on Linux (And Remove Them)

Running Linux doesn’t make you bulletproof against malware – even though it’s more secure than other operating systems, threats still exist. Whether you’re a newcomer to Linux or a seasoned user, knowing how to check for and remove unwanted visitors on your system is crucial for maintaining your digital security.

In this guide, we’ll walk you through practical steps to check for viruses on Linux, detect suspicious activity, use powerful Linux security tools, and implement smart practices to keep your system clean. No complex jargon, just clear, actionable steps to ensure your Linux machine stays secure and performs at its best.

Recognizing the Signs of a Virus Infection on Linux

Identifying potential threatware on your Linux system is crucial for timely action. Common indicators of infection include:

• System slowdown: Your computer operates slower than usual, with high CPU or memory usage.
• Unexpected crashes: Applications crash frequently, or the system becomes unstable.
• Unknown processes: Suspicious processes run in the background without your knowledge.
• High network activity: Unusual network traffic occurs even when you’re not using the internet.
• Anomalous system behavior: Configuration changes, altered files, or unexpected error messages.
• Unauthorized access: Accounts are accessed without permission, or new user accounts appear.
• Excessive disk activity: The hard drive runs continuously, possibly indicating malicious activity.

If you notice any of these signs, you must check your Linux system for malware.

How to Check for Viruses on Linux

1. Update your system and software

Keeping your system and applications up to date ensures you have the latest security patches.

• Update package lists:
  • Open a terminal.
  • For Debian/Ubuntu-based systems, run: sudo apt update
• Upgrade installed packages:
• Update system kernel and distribution:
  • For a full upgrade on Debian/Ubuntu, run: sudo apt full-upgrade

2. Install ClamAV antivirus software

ClamAV is a free, open-source antivirus engine available for Linux.

• Install ClamAV:
  • On Debian/Ubuntu: sudo apt install clamav clamav-daemon
  • On CentOS/Fedora: sudo dnf install clamav clamav-update
• Update virus definitions:
  • Stop the ClamAV daemon: sudo systemctl stop clamav-freshclam
  • Manually update: sudo freshclam
  • Restart the daemon: sudo systemctl start clamav-freshclam

3. Scan your system with ClamAV

• Perform a scan:
  • To scan your entire system: sudo clamscan -r –bell -i /
  • Options explained:
    • -r: Recursive scan.
    • –bell: Beep when a virus is found.
    • -i: Only show infected files.
• View scan results:
  • Infected files will be listed in the terminal output.

4. Use Rkhunter to Check for Rootkits

Rkhunter (Rootkit Hunter) scans for rootkits, backdoors, and local exploits.

• Install Rkhunter:
  • On Debian/Ubuntu: sudo apt install rkhunter
• Update database:
  • Run: sudo rkhunter –update
• Run a scan:
  • Execute: sudo rkhunter –check
• Review warnings:
  • After the scan, Rkhunter will display warnings for potential issues.

5. Use Chkrootkit to detect rootkits

Chkrootkit is another tool for detecting rootkits on Unix systems.

• Install Chkrootkit:
  • On Debian/Ubuntu: sudo apt install chkrootkit
• Run a scan:
• Interpret results:
  • The tool will output findings; investigate any ‘INFECTED’ entries.

6. Analyze network connections

Check for unusual network activity that may indicate malware communication.

• Use Netstat or SS:
  • Run: sudo netstat -tulpn or sudo ss -tulpn
• Review Open Ports:
  • Look for unknown services listening on ports.
• Monitor Network Traffic:
  • Use tools like iftop or nethogs to see real-time network usage.

7. Check for suspicious processes

Identify and investigate unknown or suspicious processes.

• List running processes:
  • Use top or htop to view active processes.
• Investigate processes:
  • For any unfamiliar process, check its purpose and origin.
  • Find the executable path: which [process_name] or ps aux | grep [process_name]

8. Review system logs

System logs can provide clues about malicious activities.

• Check auth logs:
  • View authentication logs: sudo cat /var/log/auth.log
• Review Syslog:
  • General system logs: sudo cat /var/log/syslog
• Analyze logs:
  • Look for repeated failed login attempts or suspicious error messages.

How to remove viruses from your Linux system

Once you finish checking for viruses, if malware is detected, follow these steps to remove it:

1. Remove infected files with ClamAV

• Delete or Quarantine Files:
  • To remove infected files: sudo clamscan –remove -r /path/to/directory
  • To move files to a quarantine directory: sudo clamscan –move=/quarantine -r /path/to/directory

2. Eliminate rootkits with Rkhunter and Chkrootkit

• Investigate warnings:
  • Manually verify any files flagged by Rkhunter or Chkrootkit.
• Reinstall infected software:
  • If system binaries are infected, reinstall the associated packages.
    • Example: sudo apt reinstall coreutils

3. Terminate malicious processes

• Kill suspicious processes:
  • Use kill command: sudo kill [PID]
  • Replace [PID] with the process ID obtained from top or ps.

4. Remove unauthorized users and access

• Check user accounts:
  • List user accounts: cat /etc/passwd
  • Remove unauthorized accounts: sudo deluser [username]
• Change passwords:
  • Update passwords for all users (use a password manager to keep track of them): sudo passwd [username]

5. Clean up scheduled tasks

Malware may add tasks to cron jobs.

• List cron jobs:
  • System-wide cron jobs: sudo cat /etc/crontab
  • User-specific cron jobs: crontab -l
• Remove suspicious entries:
  • Edit cron jobs: crontab -e
  • Delete any unknown tasks.

6. Reinstall the operating system (if necessary)

• Backup data:
  • Save important files to an external drive.
• Perform clean installation:
  • Use a bootable USB stick to reinstall Linux.
• Restore files carefully:

How to prevent future virus infections

Implementing proactive measures can help keep your Linux system secure.

Install software from trusted sources

• Use official repositories:
  • Install applications using your distribution’s package manager (apt, dnf, pacman, etc.).
• Verify downloads:
  • Check checksums (e.g., MD5, SHA256) for downloaded files when provided.

Keep your system and software updated

• Enable automatic updates:
  • Configure your system to install updates automatically or regularly check for updates.
• Regularly update applications:
  • Keep applications, especially web browsers and network-facing services, up to date.

Employ principle of least privilege

• Use standard user accounts:
  • Operate as a non-root user for daily tasks.
• Limit sudo usage:
  • Only use sudo when necessary.

Configure a firewall

• Set Up firewall rules:
  • Use tools like UFW (Uncomplicated Firewall) or Firewalld.
  • Example to allow SSH and deny other incoming connections:
    • Enable UFW: sudo ufw enable
    • Allow SSH: sudo ufw allow ssh
    • Deny all other incoming traffic by default.

Use security tools

• Install Intrusion Detection Systems:
  • Tools like Aide (Advanced Intrusion Detection Environment) can monitor file system changes.
• Implement SELinux or AppArmor:
  • These provide mandatory access control to restrict programs.

Practice safe browsing and email habits

• Be wary of phishing attempts:
  • Do not click on suspicious links or attachments in emails that could contain phishing scams.
• Avoid untrusted websites:
  • Do not visit sites that are known for distributing malware.

Regularly backup your data

• Automate backups:
  • Use tools like rsync, tar, or backup software to save copies of important data routinely.
• Store backups securely:

Monitor system logs

• Set up log monitoring:
  • Use log management tools like Logwatch or Splunk to receive regular reports.
• React to anomalies:
  • Investigate and respond promptly to any unusual log entries.

Use Strong authentication methods

• Strong passwords:
  • Create complex passwords and change them regularly.
• SSH key authentication:
  • Use SSH keys instead of passwords for remote logins.
• Two-Factor Authentication:
  • Implement 2FA for system access when possible.

Stay vigilant and proactive to maintain the security of your Linux system. Regular updates, cautious behavior, and utilizing security tools significantly reduce the risk of malware infections. Protecting your computer ensures optimal performance and the safety of your personal and professional data.

Related: Best VPNs for Linux