ClamAV is an open source anti-virus engine for Linux designed to detect viruses, malware and, the case we care most about, PHP script exploits. It does a good job of picking up PHP files containing backdoors, remote file managers, spam mailer bots and the like. We run it on all of our hosting servers daily. It is especially useful for finding and removing files dropped onto a server through the many exploitable third-party WordPress plugins.
To begin, enable the EPEL repository. At the time of writing this post, the latest release package was epel-release-7-5; check for a newer version before blindly copy/pasting the commands below. Note that on CentOS 7 the same package is also available, GPG-signed, from the distribution's extras repository (yum install epel-release), which avoids fetching and installing an unverified RPM over plain HTTP as the two commands below do.
wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
rpm -ivh epel-release-7-5.noarch.rpm
Next, install the required ClamAV packages with yum:
yum install clamav-server clamav-data clamav-update clamav-filesystem clamav
The packaged /etc/freshclam.conf contains a line reading just “Example”; it is there to stop an unedited copy of the file from being used, and freshclam refuses to run until it is removed. Open the file in your editor of choice (we use vim) and delete that line; in our copy it was on line 8. Then run freshclam, the utility that downloads the ClamAV signature database. Run it again regularly afterwards (a daily cron entry is enough), otherwise the signatures go stale and the scanner quietly stops catching newer samples.
vim /etc/freshclam.conf
freshclam
Enable the clamd service so it comes back at boot, then start it now. If systemctl reports that the unit does not exist, list the units the packages actually installed with systemctl list-unit-files | grep clam and enable that one instead.
systemctl enable clamd.service
systemctl start clamd.service
You should be all set. Run the command below to confirm the daemon is running (the grep will also match itself, so look for the clamd line rather than counting matches; systemctl status clamd.service gives the same answer without that noise).
ps aux | grep clam
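The steps above are easy to script for a fleet of hosting servers. The helper below is an added example, not code from the original post: it removes the packaged “Example” guard line safely and repeatably, refreshes signatures, and runs the daily web-root scan the post describes. It assumes the EPEL paths used above (/etc/freshclam.conf), a clamscan binary on PATH and a web root such as /var/www; the WEBROOT and RUN_CLAMAV_SETUP variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: automates the manual
# config fix described above and the daily web-root scan the post runs.
# Assumptions: the EPEL package paths (/etc/freshclam.conf), clamscan on
# PATH, and a web root such as /var/www (assumed). Run as root.
set -eu

# Return 0 if the config file still contains the bare "Example" directive
# that the EPEL packages ship to stop an unedited file from being used.
has_example_line() {
    grep -q '^Example$' "$1"
}

# Delete the "Example" line so freshclam/clamd will parse the file.
# Matches the whole line only, so a real directive containing the word
# (or "Example" inside a comment) is left alone. Safe to run repeatedly.
disable_example_line() {
    sed -i '/^Example$/d' "$1"
}

# Recursively scan a web root and report only infected files, appending to
# a log. clamscan's exit status is 0 for clean, 1 if something was found,
# 2 on error; that status is passed back to the caller so cron notices it.
scan_webroot() {
    root="$1"
    log="${2:-/var/log/clamav/webroot-scan.log}"
    clamscan --recursive --infected --log="$log" "$root"
}

# Full run: fix the config, refresh signatures, then scan. Guarded by an
# environment variable so sourcing this file for its functions alone does
# not touch the system.
main() {
    conf=/etc/freshclam.conf
    if has_example_line "$conf"; then
        disable_example_line "$conf"
    fi
    freshclam
    scan_webroot "${WEBROOT:-/var/www}"
}

if [ "${RUN_CLAMAV_SETUP:-0}" = 1 ]; then
    main
fi
```

For the daily run, call it from cron as RUN_CLAMAV_SETUP=1 sh clamav-setup.sh with WEBROOT set to your hosting root; clamscan prints only the flagged files, so cron's mail stays empty on a clean day and lists the offending paths when a backdoor turns up.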