Free Malware Scanner for Linux Servers — Complete Guide 2026
A compromised server can lose data, serve malware to your users, or become part of a botnet. This guide covers the best free tools for scanning Linux servers for malware, when to use each one, and how to interpret the results.
Key takeaway: No single tool catches everything. A layered approach using ClamAV for file scanning, rkhunter for rootkits, and real-time behavioural monitoring gives you the best protection. The cheapest option is also the most effective: scan early and scan often.
Why You Need a Malware Scanner on Linux
The idea that Linux is immune to malware is a dangerous myth. In 2026, Linux servers are the primary target for cryptominers, ransomware gangs, and DDoS botnet operators. The 2026 Verizon Data Breach Investigations Report shows that Linux servers account for over 60% of compromised assets in web application attacks.
Linux malware comes in many forms:
- Cryptominers — silently consume CPU to mine cryptocurrency, slowing down your applications
- Rootkits — hide deep in the kernel, masking all signs of infection
- Web shells — provide persistent backdoor access through vulnerable web applications
- Ransomware — encrypts files and demands payment, increasingly targeting Linux servers
- DDoS bots — recruit your server into a botnet for launching attacks
- AI-generated malware — polymorphic code that mutates to evade signature detection
Free malware scanners are your first line of defense. They won't replace a full security monitoring platform, but they are far better than nothing.
1. ClamAV — The Standard for File-Based Malware Scanning
ClamAV is the most widely used open-source antivirus engine for Linux. It detects a broad range of malware including viruses, trojans, worms, and phishing domains. It is maintained by Cisco's Talos security group and receives frequent signature updates.
Installation
# Debian / Ubuntu
sudo apt update && sudo apt install clamav clamav-daemon -y
# RHEL / CentOS / Fedora
sudo dnf install clamav clamav-update -y
# Update virus definitions
sudo freshclamBasic Scan
# Scan a specific directory
clamscan -r /home
# Scan the entire filesystem (recursive, verbose)
clamscan -r --bell -i /
# Scan only files modified in the last 7 days
find / -type f -mtime -7 -exec clamscan --quiet {} + 2>/dev/nullUse the -i flag to show only infected files and --remove to automatically delete detected malware. For production servers, always review detected files manually before removing them.
Pro tip: Schedule a daily ClamAV scan with cron. Run it during low-traffic hours and email the results. A server that has been infected for a week is far harder to clean than one caught on day one.
ClamAV Daemon Mode (Real-Time Protection)
# Start the daemon
sudo systemctl enable --now clamav-daemon
# Check status
sudo systemctl status clamav-daemon
# Monitor the scan log
tail -f /var/log/clamav/clamav.logThe ClamAV daemon watches files in real time using fanotify. It adds overhead to disk I/O, so test carefully on production systems with high file churn.
2. Rkhunter — Rootkit Detection Specialist
Rkhunter (Rootkit Hunter) scans for rootkits, backdoors, and local exploits. It checks system binaries against known-good hashes, looks for hidden processes and ports, and scans for suspicious kernel modules.
Installation
# Debian / Ubuntu
sudo apt install rkhunter -y
# RHEL / Fedora
sudo dnf install rkhunter -yRun a Scan
# Update the tool's file properties database first
sudo rkhunter --propupd
# Run a full system check
sudo rkhunter --check --skip-keypress
# Run only the rootkit checks (faster)
sudo rkhunter --check --skip-keypress --enable all --disable noneRkhunter produces warnings for many legitimate system changes (kernel updates, package upgrades, browser plug-ins). The key is to look for RED warnings, not yellow ones. Review /var/log/rkhunter.log for details.
Common Rkhunter Warnings — What They Mean
- Warning: /bin/ps — The ps binary hash does not match. This is normal after an OS update. Run
rkhunter --propupdto update the baseline. - Warning: Suspicious kernel module loaded — Investigate immediately. Malicious kernel modules are a strong indicator of a rootkit.
- Warning: Hidden directory — Rkhunter checks for hidden files in /dev, /etc, and other locations. Legitimate software can trigger this, but always verify.
3. Chkrootkit — Lightweight Rootkit Scanner
Chkrootkit is faster and less verbose than rkhunter. It checks for a specific list of known rootkits by looking for their signatures, strings, and behavioural patterns. It is best used as a complement to rkhunter.
# Installation
sudo apt install chkrootkit -y
# Run a scan
sudo chkrootkit
# Check for suspicious strings in system binaries
sudo chkrootkit -x | lessChkrootkit takes only a few seconds to run, making it ideal for regular cron jobs. Its downside is a higher false-positive rate on modern systems. Treat its output as leads, not conclusions.
4. Lynis — Security Auditing for Compliance
Lynis is not strictly a malware scanner — it is a security auditing tool that checks hundreds of system configurations, identifies misconfigurations, and flags potential vulnerabilities. In the context of malware detection, it is invaluable because attackers almost always exploit misconfigurations to gain access.
# Download and run (no install required)
wget -O - https://downloads.cisofy.com/lynis/lynis-3.1.1.tar.gz | tar xz
cd lynis && ./lynis audit system
# Or install via package manager
sudo apt install lynis -y
sudo lynis audit systemLynis produces a detailed report with scores and actionable hardening suggestions. Run it after a fresh install to lock down your server, and periodically to catch configuration drift that could open doors for malware.
5. RootCrak — AI-Powered Behavioural Detection (Free Tier)
The tools above share a fundamental limitation: they rely on signatures or known patterns. A 2026 AI-generated rootkit that has never been seen before will pass ClamAV, rkhunter, and chkrootkit without raising a single alert.
RootCrak's free tier takes a different approach. Instead of looking for known bad files, it monitors server behaviour continuously:
- Process creation and termination patterns
- Outbound network connections and data transfer volumes
- File system changes in sensitive directories
- User login anomalies and privilege escalation events
- CPU and memory usage anomalies
When the AI model detects behaviour that does not match the server's baseline, it raises an alert within seconds — regardless of whether the malware is known or novel.
Important: Signature-based scanners (ClamAV, rkhunter) catch known threats. Behavioural monitoring catches unknown threats. Both categories of tools detect only what they are designed to look for. Use them together for the best results.
Building a Scanning Schedule
Here is a practical schedule for keeping your Linux server clean:
# Daily scan (low-impact, fast checks)
0 3 * * * /usr/bin/chkrootkit > /var/log/chkrootkit/daily.log 2>&1
# Weekly deep scan (resource intensive)
0 2 * * 0 /usr/bin/clamscan -r --quiet -i / > /var/log/clamav/weekly.log 2>&1
# Monthly full audit
0 2 1 * * /usr/bin/lynis audit system --quiet > /var/log/lynis/monthly.log 2>&1
# After every package update
# Run: sudo rkhunter --propupd && sudo rkhunter --checkConfigure logwatch or a simple mail command to send scan results to your team. A scan that nobody reads is as good as no scan at all.
What to Do When You Find Malware
If your scanner reports a positive detection, follow these steps:
- Do not remove it immediately. Document the full path, filename, permissions, and any associated processes.
- Check the system time. Use
statto find when the file was created. Cross-reference with auth logs to identify the entry vector. - Run a second scanner. If ClamAV flagged a file, scan it with rkhunter. If both flag it, the confidence level is high.
- Kill associated processes. Use
kill -9on any process associated with the malware. Verify withss -tunapthat outbound connections stop. - Remove the file. Quarantine it to a safe location first, then delete it after confirming the system is stable.
- Find and patch the entry point. Malware does not appear on a server by magic. An outdated package, weak password, or exposed API let it in. Fix the root cause or it will return.
Hard truth: If you find a confirmed rootkit or backdoor user, the safest remediation is rebuilding the server from scratch. You can never fully trust a machine that has hosted a persistent attacker. Back up your data, wipe the system, and restore from a known-clean backup.
Comparing Free Malware Scanners for Linux
Here is a quick comparison to help you choose which tools to install based on your threat model:
- ClamAV: Best for file-based malware (viruses, worms, trojans). Essential for mail servers and file servers. High signature coverage, moderate resource usage.
- Rkhunter: Best for rootkit detection. Essential for every production server. Low resource usage, moderate false-positive rate.
- Chkrootkit: Best for quick daily checks. Complements rkhunter. Very low resource usage, higher false-positive rate.
- Lynis: Best for configuration auditing. Run monthly to catch misconfigurations that enable malware. No malware signatures, but identifies vulnerabilities.
- RootCrak (free tier): Best for real-time, AI-powered detection. Catches novel and zero-day threats that signature scanners miss. Low overhead, continuous monitoring.
The Bottom Line
Free malware scanners are not a replacement for a comprehensive security strategy, but they are a critical component. Install ClamAV and rkhunter on every server. Schedule daily chkrootkit checks and weekly ClamAV scans. Run Lynis at least monthly to audit your configuration.
And remember: the best malware scanner is the one that runs automatically and alerts you immediately. A scan you run manually after you suspect a problem has already failed its most important job — catching the threat early.
Frequently Asked Questions
What is the best free malware scanner for Linux?
The best free malware scanner depends on what you need to detect. ClamAV is excellent for file-based malware and viruses. rkhunter and chkrootkit specialise in rootkit detection. Lynis provides a comprehensive security audit. For real-time behavioural monitoring, RootCrak's free tier offers automated detection with AI-powered analysis. A layered approach using multiple tools gives the best coverage.
Can ClamAV detect rootkits on Linux?
ClamAV is primarily a file-based antivirus scanner and has limited rootkit detection capability. It can detect known malware binaries but will not detect rootkits that hide processes, files, and network connections from the operating system. For rootkit detection, use rkhunter or chkrootkit, which check for signs of kernel-level compromise such as hidden processes, modified system binaries, and suspicious kernel modules.
How often should I scan my Linux server for malware?
Manual scans should be run at least weekly for production servers. Automated scans should run daily during low-traffic periods. For critical infrastructure, continuous real-time monitoring is recommended. Attackers can compromise a server and exfiltrate data within minutes, so a once-a-day scan leaves a wide window of opportunity. Real-time behavioural monitoring tools catch threats as they happen rather than hours later.
Do I need antivirus on a Linux server?
Yes. While Linux is more secure than Windows by design, it is not immune to malware. Linux servers face threats including cryptominers, ransomware, rootkits, web shell backdoors, and DDoS bots. The 2026 threat landscape shows an increase in AI-generated Linux malware that adapts to evade signature-based detection. Running antivirus and rootkit detection tools is an essential layer of defense.
What is the difference between ClamAV and rkhunter?
ClamAV detects file-based malware by scanning files against a database of known malware signatures — similar to traditional antivirus on Windows. Rkhunter (Rootkit Hunter) checks for rootkits by examining system binaries for modifications, checking for hidden processes and ports, scanning for suspicious kernel modules, and looking for known rootkit signatures. They complement each other: ClamAV catches malicious files, rkhunter catches kernel-level compromises. Use both for complete coverage.
Get a free security audit
Not sure if your server is clean? RootCrak's AI Watchdog scans your infrastructure for malware, rootkits, and misconfigurations — and gives you a clear security score. No installation required.
Start Free Audit