Running your own servers means taking responsibility for their security. While firewalls and intrusion detection systems protect against network-level threats, you also need on-host malware scanning to catch malicious files, rootkits, and trojans that bypass perimeter defenses.
In this guide, we compare the top open-source antivirus and malware scanning tools for Linux servers — ClamAV, Linux Malware Detect (Maldet), rkhunter, and chkrootkit — with practical installation instructions, docker configurations, and advice on building a layered self-hosted security stack.
Why Self-Host Antivirus and Malware Scanning
Commercial antivirus suites are designed for desktop endpoints, not servers. They often require cloud connectivity, telemetry reporting, and licensing fees that don’t fit a self-hosted infrastructure. Self-hosted tools give you:
- Full data sovereignty — scan results never leave your network
- Zero licensing cost — all tools discussed here are open-source and free
- Server-native design — built for headless Linux environments, CLI operation, and automated scanning via cron
- Compliance readiness — on-host scanning satisfies requirements in SOC 2, PCI DSS, and ISO 27001 audit frameworks
For a defense-in-depth strategy, pair these file-level scanners witwazuhself-hosted SIEM like Wazuh or Security Onion](../self-hosted-siem-wazuh-security-onion-elastic-guide/) for centralized log aggregation and alerting, and a WAF like ModSecurity or Coraza for application-layer protection.
Comparison at a Glance
| Feature | ClamAV | Maldet (LMD) | rkhunter | chkrootkit |
|---|
| Primary purpose | General antivirus engine | PHP malware + web shell detection | Rootkit detection | Rootkit detection |
| Best use case | Mail servers, file servers, upload directories | Shared hosting, web application servers | Post-breach forensics, compliance audits | Quick rootkit spot-checks |
| Detection method | Signature database (ClamAV DB) | Hex signatures + MD5 hashes + external ClamAV | Known rootkit hashes, hidden file detection | Known rootkit signatures and behaviors |
| Signature updates | freshclam (automatic) | maldet -u (manual or cron) | rkhunter --update | N/A (static binary) |
| Real-time scanning | Yes (clamonacc) | No (on-demand only) | No (on-demand only) | No (on-demand only) |
| Docker support | Official image available | Community images only | No native Docker image | No native Docker image |
| Resource usage | Moderate (signature DB ~200MB RAM) | Low | Very low | Very low |
| License | GPL-2.0 | GPL-2.0 | GPL-2.0 | GPL |
| GitHub stars | 6,520+ | N/A (not on GitHub) | N/A (sourceforge.net) | N/A (chkrootkit.org) |
| Last updated | April 2026 | 1.6.4 (active) | Actively maintained | Actively maintained |
| On-access scanning | Yes (clamd + clamonacc) | No | No | No |
| Quarantine | Yes (--move flag) | Yes (--quarantine) | No (reporting only) | No (reporting only) |
ClamAV: The Industry Standard Open-Source Antivirus
ClamAV is the most widely deployed open-source antivirus engine. Originally designed for email gateway scanning, it has evolved into a general-purpose malware detection platform that powers mail servers, file servers, and web application firewalls worldwide.
Key Features
- Virus database with 8.6M+ signatures — updated multiple times daily via
freshclam - Multi-format scanning — supports ZIP, RAR, tar, gzip, bzip2, OLE2, PDF, HTML, ELF, PE, and many more archive and executable formats
- On-access scanning —
clamonacc integrates with Linux Fanotify for real-time file monitoring - Daemonized scanning —
clamd runs as a persistent service, reducing load for repeated scans - Integration ecosystem — native plugins for Postfix, Sendmail, Squid, and amavisd-new
Installation (Ubuntu/Debian)
1
2
3
4
5
6
7
8
9
10
11
| sudo apt update
sudo apt install clamav clamav-daemon clamav-freshclam
# Stop the daemon to update the database
sudo systemctl stop clamav-freshclam
sudo freshclam
# Restart and enable
sudo systemctl start clamav-freshclam
sudo systemctl enable clamav-daemon
sudo systemctl enable clamav-freshclam
|
Docker Deployment
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
| # docker-compose.yml
services:
clamav:
image: clamav/clamav:1.4
container_name: clamav
restart: unless-stopped
ports:
- "3310:3310" # clamd TCP port
volumes:
- clamav_db:/var/lib/clamav
- /srv/data:/data:ro # Mount the directory you want to scan (read-only)
environment:
- CLAMAV_NO_CLAMD=false
- CLAMAV_NO_FRESHCLAMD=false
- CLAMAV_NO_MILTERD=true
- CLAMAV_FRESHCLAMD_OPTS="--checks=12 --daemon-notify"
healthcheck:
test: ["CMD", "clamdcheck"]
interval: 30s
timeout: 10s
retries: 3
volumes:
clamav_db:
|
On-Demand Scan
1
2
3
4
5
6
7
8
| # Scan a directory recursively with verbose output
clamscan -r -i --log=/var/log/clamav/scan.log /srv/data
# Scan and move infected files to quarantine
clamscan -r --move=/var/lib/clamav/quarantine --log=/var/log/clamav/quarantine.log /srv/data
# Scan using the daemon (much faster for repeated scans)
clamdscan /srv/data
|
Scheduled Scan via Cron
1
2
3
| # /etc/cron.d/clamav-scan
# Run daily at 2:00 AM, scan /srv/data, quarantine threats, log results
0 2 * * * root clamscan -r --move=/var/lib/clamav/quarantine --log=/var/log/clamav/daily-scan.log /srv/data
|
Linux Malware Detect (Maldet): Web Server Threat Hunter
Linux Malware Detect, commonly known as Maldet or LMD, is purpose-built for detecting malware in shared hosting and web application environments. Developed by R-fx Networks, it maintains a signature database specifically tuned for PHP malware, web shells, base64-encoded backdoors, and obfuscated code commonly found in compromised WordPress, Joomla, and Drupal installations.
Key Features
- Web-specific signatures — 20,000+ hex signatures targeting PHP malware, web shells, and drive-by download code
- ClamAV integration — optionally uses ClamAV’s engine as a scanning backend, combining both databases for maximum coverage
- Quarantine and cleanup — built-in quarantine system with restore capability and optional automatic cleanup of injected code
- Hit-based reporting — email notifications with detailed hit reports including file paths, malware type, and line numbers
- Inotify real-time monitoring — optional
lmd-monitor daemon for real-time file change detection
Installation
1
2
3
4
5
6
7
8
| # Download and install Maldet
cd /tmp
wget https://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzf maldetect-current.tar.gz
cd maldetect-*
sudo ./install.sh
# Configuration file: /usr/local/maldetect/conf.maldet
|
Configuration (conf.maldet)
1
2
3
4
5
6
7
8
| # /usr/local/maldetect/conf.maldet — key settings
email_alert="1"
email_addr="admin@example.com"
quarantine_hits="1"
quarantine_clean="1"
default_monitor_mode="users"
scan_clamscan="1" # Use ClamAV engine if available
scan_ignore_root="0" # Also scan root-owned files
|
Usage
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| # Scan a web root directory
maldet -a /var/www/html
# Scan with quarantine enabled
maldet --scan-all /var/www
# View recent scan reports
maldet --report list
# Quarantine all hits from a specific scan
maldet --quarantine SCANID
# Update signature database
maldet -u
|
Scheduled Scanning
1
2
3
| # /etc/cron.daily/maldet
#!/bin/bash
/usr/local/maldetect/maldet --scan-all /var/www /var/www2 /home/*/public_html
|
Note: Maldet requires root access and cannot run inside a Docker container because it needs direct filesystem and process-level access. It is designed to run directly on the host OS.
rkhunter: Rootkit Detection and System Integrity
Rootkit Hunter (rkhunter) scans for rootkits, backdoors, and possible local exploits by checking for known rootkit files, comparing MD5 hashes, detecting hidden files, and verifying permissions on binaries. Unlike signature-based antivirus tools, rkhunter focuses on detecting unauthorized modifications to system files and the presence of known rootkit artifacts.
Key Features
- Rootkit signature database — detects over 500 known rootkits including SunOS Rootkit, lrk, RSHA, and modern variants
- MD5 hash comparison — verifies integrity of system binaries against a known-good baseline
- Hidden file detection — finds files hidden by rootkit techniques (e.g., LD_PRELOAD hooks, patched syscalls)
- Configuration file checks — detects unauthorized changes to SSH config, inetd.conf, and other critical system files
- Application version checks — flags outdated versions of Apache, OpenSSH, GnuPG, and other common server software
Installation
1
2
3
4
5
6
7
8
| # Ubuntu/Debian
sudo apt install rkhunter
# RHEL/CentOS/Rocky
sudo dnf install rkhunter
# Arch Linux
sudo pacman -S rkhunter
|
Initial Setup
1
2
3
4
5
6
7
8
| # Update the file properties database (run on a known-clean system)
sudo rkhunter --propupd
# Update the database
sudo rkhunter --update
# Run a full scan (non-interactive mode)
sudo rkhunter --check --sk --rwo # --sk: skip keypress, --rwo: report warnings only
|
Key Configuration (/etc/rkhunter.conf)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| # Enable email reports
MAIL-ON-WARNING="admin@example.com"
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
# Allow whitelisted applications
ALLOWHIDDENDIR=/dev/.udev
ALLOWPROCDELFILE=1
# Enable automatic database updates
UPDATE_MIRRORS=1
MIRRORS_MODE=0
# Scan specific directories
SCAN_MODE_DEV=1
|
Scheduled Scanning
1
2
3
4
5
| # /etc/cron.daily/rkhunter.sh
#!/bin/bash
/usr/bin/rkhunter --versioncheck
/usr/bin/rkhunter --update
/usr/bin/rkhunter --cronjob --report-warnings-only
|
chkrootkit: Lightweight RootKit Checker
chkrootkit is one of the oldest and simplest rootkit detection tools for Unix-like systems. It consists of a shell script that checks system binaries for signs of rootkit modification, looking for altered ls, ps, netstat, and other core utilities that rootkits commonly replace or patch.
Key Features
- Zero dependencies — pure shell script with standard Unix utilities
- Fast execution — completes a full scan in seconds
- 60+ rootkit signatures — checks for known rootkit file patterns and modified system binaries
- Promiscuous interface detection — detects network interfaces in promiscuous mode (potential sniffer indicator)
- Wted check — verifies system binaries against known-good versions
Installation
1
2
3
4
5
6
7
8
9
10
11
12
| # Ubuntu/Debian
sudo apt install chkrootkit
# RHEL/CentOS/Rocky
sudo dnf install chkrootkit
# Compile from source
wget https://chkrootkit.org/download/chkrootkit.tar.gz
tar -xzf chkrootkit.tar.gz
cd chkrootkit-*
sudo make sense
sudo cp chkrootkit /usr/local/bin/
|
Usage
1
2
3
4
5
6
7
8
9
10
11
| # Run as root for full system scan
sudo chkrootkit
# Quiet mode (only show warnings)
sudo chkrootkit -q
# Check specific directories only
sudo chkrootkit /usr /bin /sbin
# Output to log file
sudo chkrootkit 2>&1 | tee /var/log/chkrootkit.log
|
Scheduled Scanning
1
2
3
4
5
| # /etc/cron.daily/chkrootkit
#!/bin/bash
(
/usr/sbin/chkrootkit 2>&1 | grep -v "not infected" | grep -v "not tested" | grep -v "file not found"
) | mail -s "chkrootkit daily report" admin@example.com
|
| Scenario | Recommended Tool | Why |
|---|
| Mail server attachment scanning | ClamAV | Industry standard, native MTA integration |
| Web server / shared hosting | Maldet + ClamAV | Web-specific signatures + general AV coverage |
| Docker host / container registry | ClamAV | Official Docker image, on-access scanning |
| Compliance audit (SOC 2, PCI DSS) | rkhunter + ClamAV | System integrity + malware scanning |
| Quick post-incident check | chkrootkit + rkhunter | Fast rootkit detection, minimal setup |
| File upload directory | ClamAV (on-access) | Real-time scanning with clamonacc |
| WordPress server | Maldet | PHP malware and web shell specialization |
Building a Layered Self-Hosted Security Stack
No single tool provides complete protection. A robust self-hosted server security posture combines multiple layers:
1
2
3
4
5
6
7
8
9
10
11
12
13
| ┌─────────────────────────────────────────┐
│ Layer 1: Network Firewall │ ← iptables/nftables rules, [UFW or firewalld](../self-hosted-firewall-ufw-firewalld-iptables/)
├─────────────────────────────────────────┤
│ Layer 2: Intrusion Detection │ ← [Suricata, Snort, or Zeek](../2026-04-18-suricata-vs-snort-vs-zeek-self-hosted-ids-ips-guide-2026/) for network traffic analysis
├─────────────────────────────────────────┤
│ Layer 3: Web Application Firewall │ ← ModSecurity or Coraza with OWASP CRS
├─────────────────────────────────────────┤
│ Layer 4: File-Level Malware Scanning │ ← ClamAV + Maldet for on-host scanning
├─────────────────────────────────────────┤
│ Layer 5: Rootkit Detection │ ← rkhunter + chkrootkit for system integrity
├─────────────────────────────────────────┤
│ Layer 6: Centralized Monitoring │ ← [Wazuh / Security Onion](../self-hosted-siem-wazuh-security-onion-elastic-guide/) for SIEM and alerting
└─────────────────────────────────────────┘
|
For network-level threat detection, deploy an IDS/IPS like Suricata or Snort alongside your file-level scanners. For centralized alerting and compliance reporting, feed scan logs into a SIEM. And don’t forget vulnerability management — tools like Trivy or Grype complement malware scanners by finding unpatched CVEs before they’re exploited.
FAQ
Can I run ClamAV inside a Docker container and scan the host filesystem?
Yes, but with limitations. You can mount the host filesystem as a read-only volume into the ClamAV container: docker run -v /:/data:ro clamav/clamav clamscan -r /data. However, on-access scanning (clamonacc) requires host-level Fanotify access and cannot run inside a container. For production use, install ClamAV directly on the host or run a dedicated scanning container that periodically mounts target directories.
Does Maldet work on non-web servers?
Maldet can scan any directory, but its signature database is optimized for web-based malware (PHP shells, obfuscated JavaScript, WordPress backdoors). On a database server or API host with no web content, Maldet’s detection rate will be low. Use ClamAV as the primary scanner on non-web servers and reserve Maldet fonginxhines running Apache, Nginx, or PHP-FPM.
Is rkhunter better than chkrootkit for rootkit detection?
rkhunter is generally considered more comprehensive — it checks 500+ rootkit signatures, verifies file integrity with MD5 hashes, detects hidden files and processes, and checks for suspicious kernel modules. chkrootkit is simpler and faster but covers fewer rootkits. Running both in a cron job takes only a few extra minutes and provides broader coverage.
How often should I update ClamAV’s virus database?
ClamAV’s freshclam service checks for updates 12 times per day by default. This is appropriate for production servers. You can reduce this to 4 checks per day by setting Checks 4 in /etc/clamav/freshclam.conf to save bandwidth on low-traffic servers. Never disable automatic updates entirely — the threat landscape changes daily.
No tool detects truly unknown malware. ClamAV relies on known signatures, Maldet on known web malware patterns, and rkhunter/chkrootkit on known rootkit behaviors. For zero-day protection, combine signature-based scanning with behavioral monitoring (file integrity monitoring, anomalous process detection) and keep all software patched. Consider deploying a honeypot like Cowrie or T-Pot to detect novel attack patterns in your environment.
Can I use ClamAV to scan files uploaded through a web application?
Yes. This is one of ClamAV’s most common use cases. Run clamd as a daemon and connect to it from your application via the TCP socket (port 3310) or Unix socket. Libraries like pyclamd (Python), clamav-client (Node.js), and go-clamav (Go) provide simple APIs to scan uploaded files before saving them to disk. This is the standard pattern for securing file upload endpoints in web applications.