Skip to content
A fully featured malware scanner for Linux desktops and servers.
Branch: 1.x
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitlab-ci.yml Updated doc paths Nov 27, 2018 Added better information output when attempting a run and lockfile al… Nov 26, 2018
LICENSE RC9 release Mar 22, 2018
freshclam.conf 1.7.0-d19 updates Jul 9, 2016
installer Final v1.8.0 release changes Oct 16, 2018
malscan Added better information output when attempting a run and lockfile al… Nov 26, 2018
malscan.conf RC9 release Mar 22, 2018


ClamAV-based malware scanner for Linux web servers.

Latest version GitHub license Build status

Table of Contents


malscan is a scanning platform for Linux servers that simplifies keeping your web servers secure and malware-free. It is built upon the ClamAV platform, providing all of the features of Clamscan with a host of new features and detection modes.


  • Multiple channels of malware signatures
    • RFX Networks Signatures
    • Metasploit Signatures
    • malscan Signatures
    • ClamAV Main Signatures
  • Multiple Detection Methods
    • Standard HEX or MD5 based detections
      • Includes a database of over 30,000 signatures
      • Uses both HEX and hash based detections
    • String length detections
      • Identifies long obfuscated strings.
      • Non-signature based, to help detect zero day code injections
    • MimeType mismatch detections
      • Detects PHP files that are masquerading as other file types.
      • Identifies certain common obfuscated attack vectors, such as command shells hiding as .png files.
    • Tripwire detection mode
      • Allows you to whitelist files in a known clean configuration.
      • Compares the file tree to previously whitelisted states to identify changes.
      • Can be hooked into common deploy tools, such as capistrano or dpl.
  • Easy File Quarantining
  • Custom email notifications


  • Linux Server / Desktop
  • Full root access, or the ability to install:
    • ClamAV
    • File
    • Postfix or Exim, if using email notifications.
  • SSH Access


NOTE: New installation procedures will be deployed shortly for CentOS 6, 7, Fedora, and Puppet Community/Enterprise.


Puppet is the primary supported installation method for malscan.

The malscan Puppet module is currently under development. You can find the status of the module's development here

Red Hat Enterprise Linux, CentOS, and Fedora

RPM packages are available for RHEL, CentOS, and Fedora. Packages are generated only for currently supported operating systems. Support includes:

Operating System Version
RHEL / CentOS 7
RHEL / CentOS 6
Fedora 28
Fedora 27
Fedora 26

Guides on how to set up the malscan yum repository can be found here:

Other Operating Systems

We make every effort to support as many operating systems as possible. Currently, we officially support the following operating systems:

  • Alpine Linux
  • Debian
  • Unbuntu (LTS only)

All of the above are supported via the malscan installer. This installer will automatically identify your operating system, and install required dependencies.

NOTE: For Alpine Linux, you must install bash before you can run the installer.

To install via the installer on a supported system, simply run:

curl -sSL | bash

We strongly recommend reading through the installer before running it. Running scripts without knowing what they do is dumb.


See malscan -h for more detailed program usage.


If you're interested in contributing to malscan, I am looking for the following help:

  • Feature development
  • Documentation
  • Web design
  • Logo design

Contact me at if you're interested.

Licensing and Terms of Usage

The malscan application is released under the MIT license, which is included in the repository. This software is provided as is, with absolutely no warranty provided for it. As this application does alter file/directory structure for this server, make sure that you understand exactly what this application does and the security ramifications of it.

You can’t perform that action at this time.