Cybersecurity Lab Tutorial

How to Detect and Remove Malware with ClamAV on Kali Linux

By Dr. Pritam Gajkumar Shah

Contributors: Mr Kiran Shrestha · Mr Rafael Oliveira de Magalhaes · Mr Rishan Tamrakar · Bishal Adhikari

A simple step-by-step lab that shows how to install ClamAV, create a safe test virus file, scan a folder, and remove the infected file — with real screenshots from a Kali Linux virtual machine.

📑 What this article covers
  1. What is ClamAV and why use it
  2. Step 1 — Install ClamAV
  3. Step 2 — Create a test folder and two files
  4. Step 3 — Scan the folder
  5. Step 4 — Remove or quarantine the infected file
  6. Step 5 — Scan again to confirm
  7. Fixing the "404 Not Found" error
  8. Conclusion

🛡️ What is ClamAV and why use it?

ClamAV is a free, open-source antivirus tool that runs on Linux. It is used to scan files and folders for viruses, trojans, and other malware. Because Kali Linux is often used for security testing, knowing how to use ClamAV is an important skill for every cybersecurity student.

In this lab, we will not use real malware. Instead, we will use the EICAR test file. This is a small text string that every antivirus in the world is built to detect. It is completely safe — it cannot harm your computer — but it lets us test that ClamAV is working properly.

✅ What you need before starting:

Step 1 — Install ClamAV

Open a terminal in Kali Linux and run the following commands one by one:

sudo apt update
sudo apt install clamav clamav-daemon -y

When I first ran this command, I got a "404 Not Found" error because my package list was out of date. If this happens to you, do not worry — see the troubleshooting section below.

Screenshot: The 404 error that can happen during the first install attempt.

After running sudo apt update again, the installation worked correctly and started downloading the packages:

Screenshot: ClamAV and its dependencies downloading successfully.

Update the virus database

After installation, we need to download the latest virus signatures. The clamav-freshclam background service must be stopped first, because it holds a lock on the signature database; otherwise the manual update will fail with a "lock" error:

sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam
clamscan --version

Screenshot: The virus database is up to date and ClamAV version 1.4.4 is installed.

Step 2 — Create a test folder and two files

Now we will create a new folder for our lab work, then make two files inside it: one fake virus, and one normal clean file.

mkdir ~/clamav-lab
cd ~/clamav-lab

Screenshot: The new clamav-lab folder is now in our home directory.

Create the fake virus file (EICAR)

Type this command exactly as shown. The text inside the quotes is the official EICAR test string:

echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > fakevirus.txt

Create the clean file

echo "This is a normal clean file for testing." > cleanfile.txt
ls

Screenshot: Both files are now ready: fakevirus.txt and cleanfile.txt.

⚠️ Important: The EICAR string is the only safe way to test antivirus software. Never download real malware from the internet for testing — it can harm your computer and is illegal in many countries.

Step 3 — Scan the folder

Now we ask ClamAV to scan the whole folder. Note that clamscan does not descend into subfolders unless you add the -r option; our two files sit directly in the folder, so the plain form is enough here:

clamscan ~/clamav-lab

ClamAV will take about 30 seconds to load its database, then check every file. You will see:

Screenshot: ClamAV correctly found the EICAR signature in fakevirus.txt and ignored the clean file.

Step 4 — Remove or quarantine the infected file

ClamAV gives us two safe ways to handle an infected file:

Option A — Delete it

clamscan --remove ~/clamav-lab

Option B — Move it to a quarantine folder (safer)

This is the option I used in the lab. We make a new folder called quarantine, then tell ClamAV to move any infected files there instead of deleting them. This is safer because you can study the file later if needed.

mkdir ~/quarantine
clamscan --move="$HOME/quarantine" ~/clamav-lab

(We write $HOME instead of ~ after the = sign because not every shell expands a tilde in that position; if the shell passes the literal text ~/quarantine to ClamAV, the move fails.)

Screenshot: ClamAV moved fakevirus.txt to /home/kali/quarantine/.

Step 5 — Scan again to confirm

Finally, we run the scan one more time to make sure the folder is clean:

clamscan ~/clamav-lab
ls

This time we should see Infected files: 0 and only cleanfile.txt remaining in the folder.

Screenshot: The folder is now clean — only cleanfile.txt is left.
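
As an added example that is not part of the original lab, here are Steps 2 to 5 as one shell script (example code, not the author's). It writes the EICAR and clean files, scans with --move, and reads the outcome from the two things clamscan documents: one "<path>: <signature> FOUND" line per infected file, and the exit code (0 = no virus found, 1 = virus found, 2 = error). The file name clamav_lab.sh is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not part of the original lab: the detect -> isolate -> verify
# loop as a script. It relies on two documented clamscan behaviours: one
# "<path>: <signature> FOUND" line per infected file, and the exit code
# (0 = no virus found, 1 = virus found, 2 = error). Paths follow the tutorial.
set -u

# Step 2: write the official 68-byte EICAR test string (no trailing newline).
write_eicar() {
  printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$1"
}

# Print the path from every "<path>: <signature> FOUND" line read on stdin.
found_paths() {
  sed -n 's/^\(.*\): [^:]* FOUND$/\1/p'
}

# Print N from the "Infected files: N" line of the scan summary read on stdin.
infected_count() {
  sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p'
}

# Steps 3-4: scan DIR (recursively), move hits into QUARANTINE, report, and
# pass clamscan's exit code back to the caller.
scan_and_quarantine() {
  dir=$1; quarantine=$2
  mkdir -p "$quarantine"
  out=$(clamscan -r --move="$quarantine" "$dir"); rc=$?
  if [ "$rc" -eq 1 ]; then
    echo "Infected files moved to $quarantine:"
    printf '%s\n' "$out" | found_paths
  elif [ "$rc" -ne 0 ]; then
    echo "clamscan failed with exit code $rc (database missing or not updated?)" >&2
  fi
  echo "Infected files: $(printf '%s\n' "$out" | infected_count)"
  return "$rc"
}

# Live run of the whole lab (needs ClamAV and an updated database):
#   bash clamav_lab.sh --live
main() {
  lab=$HOME/clamav-lab; q=$HOME/quarantine
  mkdir -p "$lab"
  write_eicar "$lab/fakevirus.txt"
  echo "This is a normal clean file for testing." > "$lab/cleanfile.txt"
  scan_and_quarantine "$lab" "$q" || true   # expect exit 1: EICAR found and moved
  scan_and_quarantine "$lab" "$q"           # step 5: expect exit 0, "Infected files: 0"
}
if [ "${1:-}" = "--live" ]; then main; fi
```

Without --live the script only defines the functions, so the parsers can be checked against saved clamscan output on a machine that has no ClamAV installed.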

🔧 Fixing the "404 Not Found" error

Kali Linux is a "rolling release", which means its packages change all the time. Sometimes the local package list points to an old version that has already been replaced. When this happens, apt install fails with a 404 error.

The fix is simple — refresh the package list and try again:

sudo apt update --fix-missing
sudo apt full-upgrade -y
sudo apt install clamav clamav-daemon -y

If that still does not work, clear the cache completely and refresh:

sudo apt clean
sudo rm -rf /var/lib/apt/lists/*
sudo apt update
sudo apt install clamav clamav-daemon -y

🎯 Conclusion

In this lab, we did five simple things:

  1. Installed ClamAV on Kali Linux.
  2. Created a safe test virus file (EICAR) and a clean file.
  3. Scanned the folder and confirmed ClamAV could spot the virus.
  4. Moved the infected file to a quarantine folder.
  5. Scanned again to confirm the folder was clean.

This is the same basic process used in real-world incident response — detect, isolate, verify. The tools may be more advanced in a corporate environment, but the steps are the same. Once students understand this workflow on a simple test file, they are ready to apply the same thinking to bigger problems.