Notes for running ClamAV Virus Scan on Bootable Kali Linux 25.04 Live USB Thumb Drive
Good day from Singapore,
Thanks to Arnaud Jacques for suggesting running a ClamAV virus scan in Kali Linux.
I asked ChatGPT.
The guide below was generated by ChatGPT.
Below is a clean, complete workflow to scan a Windows disk from Linux using the fast ClamAV daemon (clamd), including APT / nation-state malware hunting with additional signatures and YARA rules.
This assumes you already booted into Kali Linux (or another Linux environment) and want to scan a Windows partition offline.
The antivirus engine used is ClamAV.
1. Install Required Tools
Open a terminal.
Update packages:
sudo apt update
Install malware-scanning tools:
sudo apt install clamav clamav-daemon yara git wget curl
Verify installation:
clamscan --version
ClamAV 1.4.3/27937/Wed Mar 11 06:24:53 2026
2. Stop Automatic Signature Service (Temporary)
The updater sometimes locks the database.
sudo systemctl stop clamav-freshclam
3. Download Official ClamAV Signatures
Update virus database:
sudo freshclam
You should see downloads such as:
main.cvd
daily.cvd
bytecode.cvd
These are stored in:
/var/lib/clamav/
4. Install Large Third-Party Signature Feeds
These greatly increase detection of APT malware, backdoors, RATs, and espionage tools.
A well-known project aggregates many feeds automatically.
Install:
cd /opt
sudo git clone https://github.com/extremeshok/clamav-unofficial-sigs
cd clamav-unofficial-sigs
***Follow the Generic Installation Instructions in the file INSTALL.md***
This installs feeds from threat-intelligence projects such as:
SaneSecurity
URLHaus
MalwareBazaar
These add tens of thousands of additional signatures.
Update them:
sudo /usr/local/sbin/clamav-unofficial-sigs.sh --force
5. Configure the ClamAV Daemon
Edit daemon configuration:
sudo nano /etc/clamav/clamd.conf
Important performance settings:
MaxThreads 12
MaxScanSize 2000M
MaxFileSize 1000M
MaxRecursion 20
MaxFiles 50000
ScanArchive true
DetectPUA true
LogTime true
LogVerbose true
Enable local socket (fastest communication):
LocalSocket /var/run/clamav/clamd.ctl
LocalSocketMode 666
Database Directory setting:
DatabaseDirectory /var/lib/clamav
Save the file using nano.
6. Restart the ClamAV Daemon
Restart the service:
sudo systemctl restart clamav-daemon
Check status:
sudo systemctl status clamav-daemon
7. Install APT Malware Detection Rules (YARA)
APT malware is often detected by behavioral patterns rather than antivirus signatures.
Install rules:
sudo mkdir /opt/yara-rules
cd /opt/yara-rules
Download common rule sets:
APT malware rules:
sudo git clone https://github.com/Yara-Rules/rules
Advanced malware rules by Florian Roth:
sudo git clone https://github.com/Neo23x0/signature-base
These contain thousands of rules used by threat hunters.
8. Identify the Windows Partition
List disks:
lsblk
Example output:
sda
├─sda1 EFI
├─sda2 Windows
9. Mount the Windows Partition
Create mount directory:
sudo mkdir /mnt/windows
Mount the partition (replace /dev/sdb4 with the Windows partition identified by lsblk in step 8):
sudo mount -t ntfs3 /dev/sdb4 /mnt/windows
Now the Windows filesystem is accessible at:
/mnt/windows
10. Run Fast Malware Scan Using ClamAV Daemon
Skip to step 17.
11. Save Scan Results to a Log File
Skip to step 17.
12. Run APT Malware Threat Hunt Using YARA
This can detect:
espionage malware
command-and-control implants
advanced backdoors
ransomware frameworks
Skip to step 17.
13. Scan Critical Windows Malware Locations
Many malware files hide here:
/mnt/windows/Windows/System32
/mnt/windows/Windows/System32/drivers
/mnt/windows/ProgramData
/mnt/windows/Users
/mnt/windows/Temp
Example targeted scan:
sudo clamdscan -r /mnt/windows/Windows/System32
14. Search for Suspicious Executables
Look for unusual binaries (-iname matches regardless of case, since Windows file names may be upper-case):
find /mnt/windows -iname "*.exe"
find /mnt/windows -iname "*.dll"
find /mnt/windows -iname "*.sys"
Large suspicious files:
find /mnt/windows -type f -size +50M
15. Detect Hidden Persistence Locations
Common malware persistence directories:
/mnt/windows/ProgramData
/mnt/windows/Users/*/AppData/Roaming
/mnt/windows/Users/*/AppData/Local/Temp
Scan example:
sudo clamdscan -r /mnt/windows/ProgramData
16. Optional: Scan Windows Registry Hives
Registry files contain persistence entries.
Location:
/mnt/windows/Windows/System32/config
Example analysis (the hive is a binary file, so extract its printable strings):
strings /mnt/windows/Windows/System32/config/SOFTWARE | less
Look for suspicious autoruns.
17. Full Automated Scan Command
The daemon scanner (clamdscan) is much faster than clamscan.
You can combine everything:
Recommended deep scan:
sudo clamdscan -r \
--fdpass \
--multiscan \
--log=/home/kali/full_windows_scan.log \
/mnt/windows
Explanation:
Option        Meaning
-r            recursive scan (appears to have been deprecated)
--fdpass      pass open file descriptors to clamd so it can read files the clamav user could not open itself
--multiscan   scan in parallel using clamd's worker threads
Then run YARA:
Suggested by ChatGPT:
sudo yara -r /opt/yara-rules /mnt/windows >> /home/kali/full_windows_scan.log
/opt/yara-rules(1): error: input in flex scanner failed
Suggested by Google AI:
sudo yara $(find /opt/yara-rules/ -name "*.yar") /mnt/windows >> /home/kali/full_windows_scan.log
I am having a lot of trouble running the above yara commands. Basically, neither of the above yara commands works at all.
Can anyone advise??
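The two yara commands above fail for different reasons: yara -r /opt/yara-rules ... hands yara a directory where it expects a rules file (which is what the "input in flex scanner failed" error reports), and passing every .yar file to one yara invocation means that a single file which does not compile (old syntax, an identifier duplicated across files, an include that cannot be resolved) aborts the whole run before anything is scanned. The script below is an added example, not code from this post or from the ClamAV or YARA projects: it mounts the Windows partition read-only so the evidence is never written to, runs the clamdscan command from step 17, and then runs each rule file on its own, skipping the ones that fail to compile and recording them in a separate error log. The device, mount point, rule directory and log path are assumptions copied from the post's layout; set WIN_DEV to the partition lsblk showed in step 8.

```shell
#!/usr/bin/env bash
# Added example (not from the original post, ClamAV or YARA): offline scan of a
# Windows partition from a Kali live system. Paths below are assumptions taken
# from the post; override them via environment variables if your layout differs.
set -u

WIN_DEV="${WIN_DEV:-/dev/sdb4}"            # assumption: Windows partition from lsblk
WIN_MNT="${WIN_MNT:-/mnt/windows}"
RULES_DIR="${RULES_DIR:-/opt/yara-rules}"
LOG="${LOG:-/home/kali/full_windows_scan.log}"

# Mount the NTFS partition read-only: a scan must never alter the evidence.
mount_windows_ro() {
    mkdir -p "$2" && mount -t ntfs3 -o ro "$1" "$2"
}

# Daemon scan: --fdpass hands open file descriptors to clamd so the clamav user
# can read files it could not open itself; --multiscan uses clamd's worker threads.
clamd_scan() {
    clamdscan --fdpass --multiscan --log="$2" "$1"
}

# List .yar/.yara files under a rules directory, one per line, sorted.
list_rule_files() {
    find "$1" -type f \( -name '*.yar' -o -name '*.yara' \) | sort
}

# Return 0 if a single rule file compiles on its own; the compiled output goes to $2.
rule_compiles() {
    yarac "$1" "$2" >/dev/null 2>&1
}

# Run every compilable rule file under $1 against $2, appending matches to $3 and
# skipped or failing rule files to $3.errors. Prints the number of skipped files.
hunt_with_rules() {
    rules_dir="$1"; target="$2"; log="$3"
    command -v yara >/dev/null 2>&1 && command -v yarac >/dev/null 2>&1 || {
        echo "yara/yarac not installed" >&2; return 127; }
    listfile="$(mktemp)"; compiled="$(mktemp)"; skipped=0
    list_rule_files "$rules_dir" > "$listfile"
    while IFS= read -r rule; do
        if rule_compiles "$rule" "$compiled"; then
            # -r: recurse into directories, -w: suppress compiler warnings
            yara -r -w "$rule" "$target" >> "$log" 2>> "$log.errors" \
                || printf 'ERROR during scan: %s\n' "$rule" >> "$log.errors"
        else
            skipped=$((skipped + 1))
            printf 'SKIPPED (does not compile alone): %s\n' "$rule" >> "$log.errors"
        fi
    done < "$listfile"
    rm -f "$listfile" "$compiled"
    echo "$skipped"
}

# Full procedure, only when invoked with --run (so the functions can also be sourced).
if [ "${1:-}" = "--run" ]; then
    mount_windows_ro "$WIN_DEV" "$WIN_MNT" || exit 1
    clamd_scan "$WIN_MNT" "$LOG"
    n="$(hunt_with_rules "$RULES_DIR" "$WIN_MNT" "$LOG")"
    echo "YARA hunt done; $n rule file(s) skipped, see $LOG.errors"
fi
```

Run it as root, for example sudo bash scan_windows.sh --run, after the daemon from step 6 is up. Matches land in the same log as the clamdscan results, one "rule_name path" line per hit, and the .errors file tells you which rule files in the cloned repositories you would need to fix or drop rather than silently losing the whole hunt to them.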
==============================================================
Important Reality Check
Even with many signatures:
- ClamAV
- YARA
can detect known APT malware, but brand-new nation-state tools are often custom and may evade antivirus.
Professional investigations also use:
- memory forensics
- network traffic analysis
- behavioral monitoring
================================================================
✅ If you want, I can also show you a very powerful technique used by malware analysts:
How to detect stealth rootkits and espionage implants by comparing Windows system files against Microsoft's official hashes.
This method can expose very advanced malware that antivirus completely misses.
================================================================
Important reality:
Even with ClamAV, nation-state APT malware is extremely unlikely to be detected, because such tools usually use:
- custom implants
- fileless malware
- memory-only loaders
Antivirus signatures rarely catch them.
================================================================
All the third-party detection signatures can be found in the ClamAV database directory, /var/lib/clamav:
┌──(kali㉿kali)-[/var/lib/clamav]
└─$ ls
badmacro.ndb CVE-2012-0158.yar CVE-2018-4878.yar foxhole_js.ndb malwarehash.hsb sanesecurity.ftm spearl.ndb winnow_phish_complete_url.ndb
blurl.ndb CVE-2013-0074.yar daily.cvd freshclam.dat MiscreantPunch099-Low.ldb Sanesecurity_sigtest.yara spear.ndb winnow_spam_complete.ndb
bofhland_cracked_URL.ndb CVE-2013-0422.yar EK_BleedingLife.yar hackingteam.hsb phish.ndb Sanesecurity_spam.yara whitelist.fp WShell_ASPXSpy.yar
bofhland_malware_attach.hdb CVE-2015-1701.yar EMAIL_Cryptowall.yar interserver256.hdb phishtank.ndb scam.ndb winnow.attachments.hdb WShell_Drupalgeddon2_icos.yar
bofhland_malware_URL.ndb CVE-2015-2426.yar Email_fake_it_maintenance_bulletin.yar interservertopline.db porcupine.hsb scam.yar winnow_bad_cw.hdb
bofhland_phishing_URL.ndb CVE-2015-2545.yar Email_quota_limit_warning.yar junk.ndb porcupine.ndb shelter.ldb winnow.complex.patterns.ldb
bytecode.cvd CVE-2015-5119.yar email_Ukraine_BE_powerattack.yar jurlbla.ndb rfxn.hdb sigwhitelist.ign2 winnow_extended_malware.hdb
CVE-2010-0805.yar CVE-2016-5195.yar foxhole_filename.cdb jurlbl.ndb rfxn.ndb spamattach.hdb winnow_extended_malware_links.ndb
CVE-2010-0887.yar CVE-2017-11882.yar foxhole_generic.cdb lott.ndb rfxn.yara spamimg.hdb winnow_malware.hdb
CVE-2010-1297.yar CVE-2018-20250.yar foxhole_js.cdb main.cvd rogue.hdb spam.ldb winnow_malware_links.ndb
=================================================================
Regards,
Mr. Turritopsis Dohrnii Teo En Ming
Extremely Democratic People's Republic of Singapore
12 Mar 2026 Thursday 1.10 am Singapore Time
REFERENCES
============
[1] https://lists.clamav.net/pipermail/clamav-users/2026-March/014509.html
[2] https://mail-archive.com/clamav-users@lists.clamav.net/msg53704.html
[3] https://marc.info/?l=clamav-users&m=177325180630448&w=2