If you’ve worked with Linux long enough, ClamAV has probably crossed your path. It shows up in package repositories, mail server documentation, and the occasional compliance discussion around Linux antivirus. In many environments, it gets added once a system starts handling untrusted files, such as mail flow, user uploads, shared storage, or cross-platform file exchange. Sometimes that decision is deliberate. Sometimes it is just the default recommendation. Either way, it tends to appear when a Linux host becomes a content boundary. What matters is whether it meaningfully reduces risk in that role or simply satisfies an expectation. The difference comes down to placement, scope, and understanding what ClamAV is designed to do.

What Capabilities Does ClamAV Provide?

ClamAV is a signature-based antimalware engine. At its core, it compares files against a database of known malicious patterns. That sounds basic, but in the right place it’s effective. It scans files on disk, mail attachments, and file streams. It can unpack common archive formats and inspect nested content. That matters if you’re dealing with compressed attachments or bundled payloads.

ClamAV is known for two defining features:

First, it supports content inspection beyond just “is this malware?” You can use it to enforce file type rules, block specific file patterns, and inspect archives deeply. In practice, that gives you lightweight DLP-style controls. Not full enterprise DLP, but enough to flag unexpected executables or restricted content moving through mail or upload paths.

Second, it’s open source. The signature database is maintained publicly, and you can create and deploy your own signatures. That makes ClamAV closer to a scanning framework than a fixed product. If your environment has known bad artifacts, internal red team samples, or policy-based file restrictions, you can encode those as custom signatures. You’re not waiting on a vendor to define what “bad” means.
That flexibility is one of its real advantages.

Do You Actually Need ClamAV?

Start with exposure. Are you accepting untrusted files from the internet? Are users uploading documents to your applications? Are you hosting Samba shares for Windows clients? If yes, you have a file-based risk crossing a boundary. ClamAV is designed for that boundary.

If your server is a minimal API node with no file uploads and no shared storage, ClamAV probably doesn’t change your risk profile. It won’t stop SSH key abuse, privilege escalation, or kernel exploits. It won’t detect lateral movement through valid credentials.

Here’s the practical rule. If your Linux host is acting as a content gateway or file broker, ClamAV is worth evaluating. If it’s just running services with no file ingestion, your effort is usually better spent on patching, hardening, and logging.

Does ClamAV Scan Your Whole System?

By default, no. ClamAV does not automatically scan your entire filesystem in real time. You decide what gets scanned. You can:

- Run on-demand scans against specific directories
- Schedule recurring scans with cron
- Use clamd for faster scanning of high-traffic paths
- Integrate it with mail servers or upload workflows

There is on-access scanning support on some platforms using fanotify, but that adds overhead and needs careful testing. Most production deployments focus on ingestion points: mail spool directories, upload folders, shared mounts. Scanning / recursively on a busy production server is usually unnecessary and expensive.

If you’re thinking, “Does it watch every process and file like endpoint security?” the answer is no. That’s not its model.

What Does ClamAV Prevent?

ClamAV is strongest against known, file-based threats.
It helps prevent:

- Commodity malware delivered via email attachments
- Infected files being redistributed from shared storage
- Obvious malicious uploads in web applications
- Known ransomware samples at the file stage
- Policy violations based on file signatures or types

What Are ClamAV’s Limitations?

ClamAV does not prevent:

- Zero-day kernel exploits
- Credential abuse over SSH
- Privilege escalation via local vulnerabilities
- Fileless attacks
- Post-exploitation activity in memory

In a real incident, you might see ClamAV catch a malicious macro document before a Windows user downloads it. That’s useful. But if an attacker logs in with stolen keys and starts moving laterally, the signal will be in auth logs and process telemetry, not in ClamAV output. It’s a file inspection control, not a behavior engine.

What Are ClamAV’s Requirements?

ClamAV is not heavy, but it isn’t free from cost. You need:

- Enough CPU to handle scans, especially for large archives
- Memory for the signature database, particularly with clamd
- Disk I/O capacity if scanning large directory trees
- A process for monitoring freshclam updates
- Log aggregation so detections are visible

On a mail gateway or file server, this overhead is usually acceptable. On a performance-sensitive application node, you’ll want to test under load.

In practice, update failures cause more problems than CPU or memory limits. If freshclam stops running, the database becomes outdated quickly, and detection quality drops. Any deployment should include monitoring for signature updates and scan health.

How Long Does ClamAV Take to Run?

This depends entirely on the scope. Scanning a single attachment through a mail filter is fast, often measured in milliseconds to seconds, depending on size. Scanning a multi-gigabyte directory tree with nested archives can take minutes or longer. Archive depth and compression matter. Large compressed files are expensive to unpack and inspect.
If you care about performance, test against real data. Drop representative files into the target directory and measure scan time under load. Don’t assume lab behavior matches production traffic.

Is ClamAV Difficult to Use?

Operationally, no. Installation is straightforward on most distributions. Configuration is text-based and predictable. Integration with mail servers and upload workflows takes some plumbing, but it’s well documented and widely deployed.

The complexity is not in running it. It’s in placing it correctly and monitoring it consistently. You need to:

- Confirm signatures update regularly
- Test detection with something like the EICAR file
- Ensure detections are logged centrally
- Define who handles alerts

Without clear ownership, alerts are likely to be ignored.

Does ClamAV Provide DLP?

Not in the enterprise, policy-heavy sense. But it does give you content inspection controls. You can:

- Block specific file types
- Detect embedded executables inside archives
- Create custom signatures for sensitive patterns
- Enforce limits on archive recursion and size

In practical terms, that lets you stop obvious data exfiltration methods or policy violations from passing through mail or upload paths. It’s lightweight, but for many environments that’s enough.

This is where ClamAV’s open source model matters. You can define what you care about and encode it. Detection logic is not limited to a vendor-defined rule set.

Are There Alternatives to ClamAV?

Yes. Commercial Linux antivirus and EDR products provide behavioral detection, centralized management, and deeper host visibility. They’re closer to full endpoint protection. There are other open-source scanning tools, but ClamAV remains one of the most widely packaged and integrated options for mail and file workflows.

If your goal is behavioral detection and response, evaluate EDR platforms. If your goal is file-based malware scanning at ingestion points, ClamAV is often sufficient.
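A health check that covers the operational items listed under "You need to" (signature freshness, an EICAR detection test, central logging) and the freshclam monitoring the Requirements section calls for. This is an added example, not code from the article; it assumes clamd is running with clamdscan and logger installed, the Debian database path /var/lib/clamav, and a cron entry that invokes it with --run:

```shell
#!/bin/sh
# clamav-health.sh: check signature freshness, EICAR detection and alert
# logging for a ClamAV ingestion point; run it from cron with --run.
# Assumes clamd is running, clamdscan and logger exist, and the database
# is at the Debian default path below (assumption; override via env).
DB_DIR="${CLAMAV_DB_DIR:-/var/lib/clamav}"
MAX_AGE_HOURS="${CLAMAV_MAX_AGE_HOURS:-24}"

# db_is_fresh DIR HOURS: succeed only if at least one database file
# exists and none is older than HOURS (a stale file means freshclam broke).
db_is_fresh() {
    dir=$1; limit=$(( $2 * 60 )); found=0
    for f in "$dir"/main.cvd "$dir"/main.cld "$dir"/daily.cvd "$dir"/daily.cld; do
        [ -f "$f" ] || continue
        found=1
        # find prints the path only when its mtime is older than the limit
        [ -z "$(find "$f" -mmin +"$limit")" ] || return 1
    done
    [ "$found" -eq 1 ]
}
# write_eicar PATH: write the 68-byte EICAR test file, assembled from two
# halves so this script is not itself quarantined by an on-access scanner.
write_eicar() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' \
        'ANTIVIRUS-TEST-FILE!$H+H*' > "$1"
}
# count_found OUTPUT: number of "path: Signature FOUND" lines in scan output.
count_found() {
    printf '%s\n' "$1" | grep -c ': .* FOUND$' || true
}
# run_check: exercise the full path and log one line to syslog, where
# central log collection should pick it up.
run_check() {
    if ! db_is_fresh "$DB_DIR" "$MAX_AGE_HOURS"; then
        logger -t clamav-health "FAIL: signatures older than ${MAX_AGE_HOURS}h in $DB_DIR"
        return 2
    fi
    tmp=$(mktemp /tmp/eicar.XXXXXX)
    write_eicar "$tmp"
    # --fdpass hands clamd the open descriptor, so it need not read the path
    out=$(clamdscan --fdpass --no-summary "$tmp" 2>&1 || true)
    rm -f "$tmp"
    if [ "$(count_found "$out")" -eq 0 ]; then
        logger -t clamav-health "FAIL: EICAR not detected: $out"
        return 3
    fi
    logger -t clamav-health "OK: signatures fresh, EICAR detected"
}

# Live check only with --run, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then run_check; fi
```

Exit codes 2 and 3 distinguish a broken update process from a broken scanner, so the cron wrapper or monitoring agent can alert on each separately.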
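The custom-signature and archive-limit controls from the DLP section, as an added shell example that is not the article's own code. The marker string CONFIDENTIAL-INTERNAL, the signature name Policy.InternalMarker, the limit values and the /tmp paths are assumptions; the .ndb line layout is ClamAV's body-based signature format, and verify_sig needs clamscan installed:

```shell
#!/bin/sh
# Build a custom ClamAV .ndb signature for a policy marker string, append
# archive limits to clamd.conf, and verify the signature against constructed
# files. Added example, not ClamAV project code; marker text, signature
# name, limit values and paths are assumptions.

# ndb_sig NAME TEXT: emit one .ndb line "Name:TargetType:Offset:Hex".
# Target type 0 = any file, offset * = match anywhere in the file.
ndb_sig() {
    hex=$(printf '%s' "$2" | od -An -tx1 | tr -d ' \n')
    printf '%s:0:*:%s\n' "$1" "$hex"
}

# write_limits CONF: append recursion and size limits to a clamd.conf so
# nested archives cannot exhaust the scanner; tune the values per host.
write_limits() {
    cat >> "$1" <<'EOF'
MaxScanSize 200M
MaxFileSize 50M
MaxRecursion 10
MaxFiles 10000
EOF
}

# verify_sig SIGFILE: scan one marked and one clean constructed file and
# succeed only if exactly the marked one is flagged (custom hits carry an
# .UNOFFICIAL suffix in clamscan output).
verify_sig() {
    dir=$(mktemp -d)
    printf 'Q3 numbers CONFIDENTIAL-INTERNAL do not forward\n' > "$dir/marked.txt"
    printf 'Public newsletter draft\n' > "$dir/clean.txt"
    out=$(clamscan -r -d "$1" --no-summary "$dir" 2>&1 || true)
    rm -rf "$dir"
    printf '%s\n' "$out" | grep -q 'marked.txt: .* FOUND$' || return 1
    ! printf '%s\n' "$out" | grep -q 'clean.txt: .* FOUND$'
}

# Live verification only with --run, so the helpers can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    ndb_sig Policy.InternalMarker CONFIDENTIAL-INTERNAL > /tmp/policy.ndb
    verify_sig /tmp/policy.ndb && echo "custom signature verified"
fi
```

Drop the generated .ndb file into the database directory (alongside the official signatures) and reload clamd for the policy signature to apply to mail and upload scans.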
Final Thoughts: When ClamAV Makes Sense

ClamAV makes sense when a Linux system is acting as a file ingestion point. Mail gateways, web applications that accept uploads, shared storage serving Windows clients, and any workflow that moves untrusted files across systems are practical examples. In those scenarios, it provides measurable value by scanning content at the point of entry and blocking known file-based threats before they propagate. That is its strength.

It is less relevant on systems that do not handle external files. On application nodes with no upload paths or file exchange, effort is usually better spent on patching, access control, logging, and hardening.

ClamAV is a signature-based antimalware engine with a defined scope. When deployed at clear ingestion points and monitored properly, it reduces predictable file-based risk. Outside of that role, its impact is limited.

Brittany Day
This guide describes how you can automatically scan files uploaded by users through a web form on your server using PHP and ClamAV. That way you can make sure that your upload form will not be abused to distribute malware. To glue PHP and ClamAV, we install the package php5-clamavlib/php4-clamavlib, which is rather undocumented at this time. That package is available for Debian Etch and Sid and also for Ubuntu Dapper Drake and Edgy Eft, so make sure you use one of these platforms.

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal, but this is the way I take. I do not issue any guarantee that this will work for you!

As I said before, your system must use Debian Etch, Sid, Ubuntu Dapper Drake or Ubuntu Edgy Eft, and you should already have Apache2 and PHP4 or PHP5 installed. If you are on Debian Sarge, you can install the php-clamavlib package from backports.org:

I assume that you use /var/www as the default document root. If you have multiple web sites on your server already, adjust the document root to your needs. Also, I use 192.168.0.100 as the IP address of my server in this example. Adjust this as well, and if you have multiple web sites with a name-based vhost configuration, you must use the respective domain/FQDN to access the web site instead of the IP address.

I do all the steps here as the root user. So make sure you're logged in as root or, if you are on Ubuntu, prepend all commands with sudo, e.g.

The link for this article located at How To Forge is no longer available.

LinuxSecurity.com Team
RAV AntiVirus for Samba (Linux) is, as the name describes it, an antivirus product 100% dedicated to Linux, protecting file servers from viruses and other malware, regardless of the systems targeted. Due to the integration of a cutting-edge technology named "total platform independence", the RAV engine detects all malware, be it for Windows, Linux or other OS.

This is very important, not to mention useful, especially when Samba shares are used on a file server. RAV AntiVirus for Samba (Linux) scans on open and on close all files copied to or accessed from Samba shares. Completely configurable using command lines, the antivirus provided by GeCAD Software runs as a service, and is designed to use an internal cache for recently used files, technology that increases speed when the on-access scan is performed. Speed is also optimized due to the Integrity Checker technology within the engine, which increases the detection speed by more than 50%.

Given that file servers are particularly demanding when it comes to protection measures for the stored files, an antivirus comes as a must on such systems. The advantage of server shares is that the stored files are backed up periodically. The major downside consists in the mere nature of shares, which are available to some users in the network for creating/modifying files. If a file is infected, the virus will spread to the other files on the server. From there on, the infection is hard to control.
If RAV AntiVirus for Samba (Linux) is installed on that server, the on-access scan will detect the infected file and clean/delete/block it, avoiding the spreading and any virus-inflicted damage.

About RAV AntiVirus

RAV AntiVirus is a reliable, proprietary-engine antivirus, produced by GeCAD Software and distributed in over 100 countries on all continents. The RAV family also includes RAV AntiVirus Desktop, RAV AntiVirus for Mail Servers and RAV AntiVirus MailFilter. All RAV products use the total platform independent RAV engine, which now detects nearly 74,000 virus signatures.

The link for this article located at NewsForge is no longer available.

LinuxSecurity.com Team