Updated on 24.5.2023

How to scan CentOS server for malware

Linux malware

Some unexpected behaviour on a Linux server could be a result of malware infection, while other malicious software might not alert to their presence. Scanning your system for different types of unwanted programs can help identify issues, or at least give you peace of mind for having a clean server.

There are multiple options for making sure your cloud server is clean of any malware, this guide goes over a couple of scanning software you can utilise for checking your system.


ClamAV is a popular open-source antivirus engine available on a multitude of platforms including the majority of Linux distributions. Install it on CentOS 7 with the following command.

sudo yum install clamav clamav-update clamav-scanner-systemd clamav-server-systemd

Afterwards, you’ll need to edit the configuration a little by commenting out the Example text from two files, the simplest way to do so is to use sed for some fast editing with these commands.

sudo sed -i -e "s/^Example/#Example/" /etc/freshclam.conf
sudo sed -i -e "s/^Example/#Example/" /etc/clamd.d/scan.conf

With the required modules installed and configured, next, you should update the virus database for ClamAV.

First, stop the related processes to allow for the update the proceed.

sudo systemctl stop clamav-freshclam

Then use the command below to run the updater application.

sudo freshclam

When you’ve finished updating the virus definitions, start and enable the services.

sudo systemctl start clamav-freshclam
sudo systemctl enable clamav-freshclam

Then do a test scan to your home directory just to make sure the scanning works as it should use the following command.

sudo clamscan -r /home

Granted that your home directory didn’t contain any viruses or other types of malware, the scan should come back empty.

So how do you know it works?

For this, you can download an anti-virus test file, which is a small completely harmless program that most anti-virus software report as infected, though with an obvious test file name EICAR-AV-Test. Use the following command to download the test file to your home directory.

wget -P ~/ http://www.eicar.org/download/eicar.com

Now scan your home folder again with the same command as above, you should receive notice of one infected file at the end summary after the scan is completed. When you’ve confirmed that ClamAV finds the test file correctly, use the command below to scan it again and remove the infected file once found.

sudo clamscan --infected --remove --recursive /home

Be careful when using the –remove parameter. First, run a broader scan without it, and then a more localized scan when removing files or removing them manually.

To perform a complete scan of your cloud server, use this command.

sudo clamscan --infected --recursive --exclude-dir="^/sys" /

The scan goes through each directory in your system root recursively, but skips /sys just to avoid unnecessary warning printouts, as the virtual file system consists of some unreadable files, which could not contain viruses anyway.


Rkhunter is a common option for scanning your system for rootkits and general vulnerabilities. It can be easily installed from the package manager on CentOS using the following command.

sudo yum install rkhunter

Once installed and before scanning, you’ll need to update the file properties database.

sudo rkhunter --propupd

This lets the scanner know the current state of certain files to prevent some false alarms. After the update, simply run the scanner with the following.

sudo rkhunter --checkall

The scanner goes through some system commands, checks for actual rootkits and some malware, network and local host settings, and then give you the summary as well as recording the findings to a log file.

Afterwards, you can get a condensed look at the scan log with this command.

sudo cat /var/log/rkhunter/rkhunter.log | grep -i warning

Go through the output to get some tips on what you could do to improve your system security.

Janne Ruostemaa


  1. Sorry, I have no sudo, now what?

  2. Janne Ruostemaa

    Hi Chris, thanks for the question. Firstly, I would highly recommend installing sudo, but if that is not an option, log into the root account and use the same commands without sudo.

  3. ClamAV taking 100% CPU .. any setting to fix it at 50% MAX?

  4. Janne Ruostemaa

    Hi Sunil, thanks for the question. Apparently clamscan can be resource-intensive if it runs in the emergency mode which happens if clamav server is not running.

  5. Hello, thank for the article.

    How to configure a Cron Job for both modules?


  6. Janne Ruostemaa

    Hi there, thanks for the question. Updates for ClamAV should already be running as a service, check that with sudo systemctl status clamav-freshclam but the scanning will need a few steps to automate. You can find an example of this in the how-to guide here.
    Rkhunter, on the other hand, is quite simple to schedule with cronjob. Open the cronjob list for edit with sudo crontab -e and create a cronjob for rkhunter, for example 00 06,12 * * * /usr/bin/rkhunter --cronjob --update This will scan the system twice a day, at 6am and 12pm, which you can change to match your needs.

  7. I have a .sql file. How can I scan it. Thank you in advance .

  8. Janne Ruostemaa

    Hi Tarique, thanks for the question. I’m not entirely sure it’s possible to scan database files as it would be quite difficult for the scanner to detect. Instead, it’s commonly recommended to take preventative measures. You might want to enable query logging and use it to cross-reference regular antivirus scanning results if something is detected. Also, it’s best to disallow access to a database server by not connecting them to the public internet.

  9. Fernando Zamora

    Hi, thanks for sharing, you save my server… one webshell was installed so I removed it and the backdoor too, thanks!

  10. Hello guys
    I have cloud server where network has been blocked. I can manage it only by console.
    Unknown service scans 5432 port of random ip adresses from random ports. I must find and remove malware to unblock my server.

    Does anybody know how to fix it?

  11. Janne Ruostemaa

    Hi Elvin, thanks for the question. Port 5432 is commonly used by the PostgreSQL database and one example of malware targeting this port is PgMiner. Even if it’s not this particular malware, since it’s only using a single port, you could block that using a firewall and restore other network connectivity for easier troubleshooting.

  12. Hi janne, does this clamAv antivirus scan our Azure cloud storage in schedule basis ?

  13. Janne Ruostemaa

    Hi Kiran, thanks for the question. ClamAV doesn’t include automation for the scanning but you can find an example of how to set up daily scans in the how-to guide here.

  14. top guide, thank you!

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top