Subject: Notes for running ClamAV Virus Scan on Bootable Kali Linux 25.04 Live USB Thumb Drive
Good day from Singapore,

Thanks to Arnaud Jacques for suggesting running a ClamAV virus scan in Kali Linux. I asked ChatGPT; the guide below was generated by ChatGPT.

Below is a clean, complete workflow to scan a Windows disk from Linux using the fast ClamAV daemon (clamd), including APT / nation-state malware hunting with additional signatures and YARA rules. This assumes you already booted into Kali Linux (or another Linux environment) and want to scan a Windows partition offline. The antivirus engine used is ClamAV.

1. Install Required Tools

Open a terminal.

Update packages:

    sudo apt update

Install malware-scanning tools:

    sudo apt install clamav clamav-daemon yara git wget curl

Verify installation:

    clamscan --version
    ClamAV 1.4.3/27937/Wed Mar 11 06:24:53 2026

2. Stop Automatic Signature Service (Temporary)

The updater sometimes locks the database.

    sudo systemctl stop clamav-freshclam

3. Download Official ClamAV Signatures

Update virus database:

    sudo freshclam

You should see downloads such as:

    main.cvd
    daily.cvd
    bytecode.cvd

These are stored in:

    /var/lib/clamav/

4. Install Large Third-Party Signature Feeds

These greatly increase detection of APT malware, backdoors, RATs, and espionage tools. A well-known project aggregates many feeds automatically.

Install:

    cd /opt
    sudo git clone https://github.com/extremeshok/clamav-unofficial-sigs
    cd clamav-unofficial-sigs

***Follow the Generic Installation Instructions in the file INSTALL.md***

This installs feeds from threat-intelligence projects such as:

    SaneSecurity
    URLHaus
    MalwareBazaar

These add tens of thousands of additional signatures.

Update them:

    sudo /usr/local/sbin/clamav-unofficial-sigs.sh --force

5. Configure the ClamAV Daemon

Edit daemon configuration:

    sudo nano /etc/clamav/clamd.conf

Important performance settings:

    MaxThreads 12
    MaxScanSize 2000M
    MaxFileSize 1000M
    MaxRecursion 20
    MaxFiles 50000
    ScanArchive true
    DetectPUA true
    LogTime true
    LogVerbose true

Enable local socket (fastest communication):

    LocalSocket /var/run/clamav/clamd.ctl
    LocalSocketMode 666

Database Directory setting:

    DatabaseDirectory /var/lib/clamav

Save the file using nano.

6. Restart the ClamAV Daemon

Restart the service:

    sudo systemctl restart clamav-daemon

Check status:

    sudo systemctl status clamav-daemon

7. Install APT Malware Detection Rules (YARA)

APT malware is often detected by behavioral patterns rather than antivirus signatures.

Install rules:

    sudo mkdir /opt/yara-rules
    cd /opt/yara-rules

Download common rule sets:

APT malware rules:

    sudo git clone https://github.com/Yara-Rules/rules

Advanced malware rules by Florian Roth:

    sudo git clone https://github.com/Neo23x0/signature-base

These contain thousands of rules used by threat hunters.

8. Identify the Windows Partition

List disks:

    lsblk

Example output:

    sda
    ├─sda1 EFI
    ├─sda2 Windows

9. Mount the Windows Partition

Create mount directory:

    sudo mkdir /mnt/windows

Mount partition:

    sudo mount -t ntfs3 /dev/sdb4 /mnt/windows

Now the Windows filesystem is accessible at:

    /mnt/windows

10. Run Fast Malware Scan Using ClamAV Daemon

Skip to step 17.

11. Save Scan Results to a Log File

Skip to step 17.

12. Run APT Malware Threat Hunt Using YARA

This can detect:
- espionage malware
- command-and-control implants
- advanced backdoors
- ransomware frameworks

Skip to step 17.

13. Scan Critical Windows Malware Locations

Many malware files hide here:

    /mnt/windows/Windows/System32
    /mnt/windows/Windows/System32/drivers
    /mnt/windows/ProgramData
    /mnt/windows/Users
    /mnt/windows/Temp

Example targeted scan:

    sudo clamdscan -r /mnt/windows/Windows/System32

14. Search for Suspicious Executables

Look for unusual binaries:

    find /mnt/windows -name "*.exe"
    find /mnt/windows -name "*.dll"
    find /mnt/windows -name "*.sys"

Large suspicious files:

    find /mnt/windows -type f -size +50M

15. Detect Hidden Persistence Locations

Common malware persistence directories:

    /mnt/windows/ProgramData
    /mnt/windows/Users/*/AppData/Roaming
    /mnt/windows/Users/*/AppData/Local/Temp

Scan example:

    sudo clamdscan -r /mnt/windows/ProgramData

16. Optional: Scan Windows Registry Hives

Registry files contain persistence entries.

Location:

    /mnt/windows/Windows/System32/config

Example analysis:

    strings SOFTWARE | less

Look for suspicious autoruns.

17. Full Automated Scan Command

The daemon scanner (clamdscan) is much faster than clamscan. You can combine everything:

Recommended deep scan:

    sudo clamdscan -r \
      --fdpass \
      --multiscan \
      --log=/home/kali/full_windows_scan.log \
      /mnt/windows

Explanation:

    Option        Meaning
    -r            recursive scan (appears to have been deprecated)
    --fdpass      bypass Linux file permissions
    --multiscan   parallel scanning threads

Then run YARA:

Suggested by ChatGPT:

    sudo yara -r /opt/yara-rules /mnt/windows >> /home/kali/full_windows_scan.log
    /opt/yara-rules(1): error: input in flex scanner failed

Suggested by Google AI:

    sudo yara $(find /opt/yara-rules/ -name "*.yar") /mnt/windows >> /home/kali/full_windows_scan.log

I am having a lot of trouble running the above yara commands. Basically, both of the above yara commands don't work at all. Can anyone advise?

This can detect:
- espionage malware
- command-and-control implants
- advanced backdoors
- ransomware frameworks

==============================================================

Important Reality Check

Even with many signatures:
- ClamAV
- YARA
can detect known APT malware, but brand-new nation-state tools are often custom and may evade antivirus.

Professional investigations also use:
- memory forensics
- network traffic analysis
- behavioral monitoring

================================================================

✅ If you want, I can also show you a very powerful technique used by malware analysts:

How to detect stealth rootkits and espionage implants by comparing Windows system files against Microsoft's official hashes.

This method can expose very advanced malware that antivirus completely misses.

================================================================

Important reality:

Even with ClamAV, nation-state APT malware is extremely unlikely to be detected, because such tools usually use:
- custom implants
- fileless malware
- memory-only loaders

Antivirus signatures rarely catch them.

================================================================

All the 3rd party detection signatures can be found in the following Database Directory.

┌──(kali㉿kali)-[/var/lib/clamav]
└─$ ls
badmacro.ndb                 CVE-2012-0158.yar  CVE-2018-4878.yar                       foxhole_js.ndb         malwarehash.hsb            sanesecurity.ftm           spearl.ndb                   winnow_phish_complete_url.ndb
blurl.ndb                    CVE-2013-0074.yar  daily.cvd                               freshclam.dat          MiscreantPunch099-Low.ldb  Sanesecurity_sigtest.yara  spear.ndb                    winnow_spam_complete.ndb
bofhland_cracked_URL.ndb     CVE-2013-0422.yar  EK_BleedingLife.yar                     hackingteam.hsb        phish.ndb                  Sanesecurity_spam.yara     whitelist.fp                 WShell_ASPXSpy.yar
bofhland_malware_attach.hdb  CVE-2015-1701.yar  EMAIL_Cryptowall.yar                    interserver256.hdb     phishtank.ndb              scam.ndb                   winnow.attachments.hdb       WShell_Drupalgeddon2_icos.yar
bofhland_malware_URL.ndb     CVE-2015-2426.yar  Email_fake_it_maintenance_bulletin.yar  interservertopline.db  porcupine.hsb              scam.yar                   winnow_bad_cw.hdb
bofhland_phishing_URL.ndb    CVE-2015-2545.yar  Email_quota_limit_warning.yar           junk.ndb               porcupine.ndb              shelter.ldb                winnow.complex.patterns.ldb
bytecode.cvd                 CVE-2015-5119.yar  email_Ukraine_BE_powerattack.yar        jurlbla.ndb            rfxn.hdb                   sigwhitelist.ign2          winnow_extended_malware.hdb
CVE-2010-0805.yar            CVE-2016-5195.yar  foxhole_filename.cdb                    jurlbl.ndb             rfxn.ndb                   spamattach.hdb             winnow_extended_malware_links.ndb
CVE-2010-0887.yar            CVE-2017-11882.yar foxhole_generic.cdb                     lott.ndb               rfxn.yara                  spamimg.hdb                winnow_malware.hdb
CVE-2010-1297.yar            CVE-2018-20250.yar foxhole_js.cdb                          main.cvd               rogue.hdb                  spam.ldb                   winnow_malware_links.ndb

=================================================================

Regards,

Mr. Turritopsis Dohrnii Teo En Ming
Extremely Democratic People's Republic of Singapore
12 Mar 2026 Thursday
1.10 am Singapore Time

_______________________________________________
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
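An added worked example for the YARA step in the post above; this is editor's code, not part of the original message and not from the YARA, ClamAV, Yara-Rules or signature-base projects. The two commands the poster tried fail for predictable reasons: `yara -r /opt/yara-rules /mnt/windows` hands yara a directory where it expects a rules file (it tries to read the directory as text, which is what the "input in flex scanner failed" message most likely reflects), and `yara $(find ...) /mnt/windows` compiles every rule file into one rule set, which fails as soon as two files define the same rule name or a rule references an external variable that was never defined with `-d` (the signature-base rules do this). The script below runs yara once per rule file so a bad file is logged and skipped rather than aborting the whole hunt, and also shows how to build a single `include` index. Assumptions: POSIX sh, GNU find and the `yara` command-line tool; the `/opt/yara-rules` and `/mnt/windows` paths from the post; and the external variable names `filename`, `filepath`, `extension`, `filetype`, `owner` and `md5`, which are the set I understand Loki defines for signature-base (their values here are placeholders, so rules that key on a real filename or extension may not fire). The demo data is constructed inline.

```shell
#!/bin/sh
# Added example, not from the original post or the YARA/ClamAV projects.
# Runs YARA over a tree of .yar/.yara files ONE RULE FILE AT A TIME so a rule
# that fails to compile (duplicate identifier, undefined external, syntax
# error) is logged and skipped instead of aborting the hunt.
# Assumptions: POSIX sh, GNU find, `yara` in PATH. The -d externals below are
# the names signature-base rules reference (as Loki defines them); the values
# are placeholders chosen only so the rules compile.

# Print every rule file under $1, sorted, one per line.
list_rule_files() {
    find "$1" -type f \( -name '*.yar' -o -name '*.yara' \) | sort
}

# Write an `include` index for all rule files under $1 into $2 and print the
# entry count. One index lets `yara -r index.yar TARGET` load everything, which
# is how the Yara-Rules repo's own index.yar works; it compiles only if no two
# files define the same rule name.
build_index() {
    rules_dir=$1
    index=$2
    : > "$index"
    list_rule_files "$rules_dir" | while IFS= read -r rf; do
        printf 'include "%s"\n' "$rf" >> "$index"
    done
    grep -c '^include ' "$index"
}

# Scan $2 with every rule file under $1 separately. Matches go to $3,
# compile/scan errors to $3.errors. Returns 127 if yara is not installed.
scan_per_rule_file() {
    rules_dir=$1
    target=$2
    log=$3
    command -v yara >/dev/null 2>&1 || { echo "yara not in PATH" >&2; return 127; }
    list_rule_files "$rules_dir" | while IFS= read -r rf; do
        # -r recurse into TARGET, -w silence warnings, -p 4 scanning threads,
        # -d define the externals so signature-base rules compile.
        if ! yara -r -w -p 4 \
                -d filename=unknown -d filepath=unknown -d extension=unknown \
                -d filetype=unknown -d owner=unknown -d md5=unknown \
                "$rf" "$target" >> "$log" 2>> "$log.errors"; then
            printf 'FAILED: %s\n' "$rf" >> "$log.errors"
        fi
    done
    return 0
}

# Stand-alone demo on constructed data: one good rule, one deliberately broken
# rule (undefined external), and a sample file the good rule should hit.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/rules/sub" "$d/target"
    cat > "$d/rules/good.yar" <<'EOF'
rule constructed_marker { strings: $a = "CONSTRUCTED-SAMPLE-MARKER" condition: $a }
EOF
    printf 'rule broken { condition: undefined_external == 1 }\n' > "$d/rules/sub/broken.yara"
    printf 'benign text CONSTRUCTED-SAMPLE-MARKER more text\n' > "$d/target/sample.bin"
    echo "rule files indexed: $(build_index "$d/rules" "$d/index.yar")"
    if scan_per_rule_file "$d/rules" "$d/target" "$d/scan.log"; then
        echo "--- matches ---"; cat "$d/scan.log"
        echo "--- errors (broken.yara is expected here) ---"; cat "$d/scan.log.errors"
    fi
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run `sh yara_hunt.sh demo` to see the per-file behaviour on the constructed data, or call `scan_per_rule_file /opt/yara-rules /mnt/windows /home/kali/yara_windows_scan.log` for the real tree and read the `.errors` file afterwards to see which rule files were skipped. For the Yara-Rules repository alone, `yara -r -w /opt/yara-rules/rules/index.yar /mnt/windows` is the intended entry point as far as I know that repo; signature-base keeps its rules under `signature-base/yara/` and is normally consumed through Loki or THOR, which supply the externals. For repeated scans, compile a working rule set once with `yarac` and load it with `yara -C`, which skips recompilation on every run.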
