Scan files for viruses using ClamAV on Linux, inside Docker!
By Alireza Alavi • 2 minutes read •
Note: I am not a security expert.
There was a USB stick sent to me that contained Gigabytes of log files for debugging something. I didn't fully trust the people who sent this to me and I am a pessimist.
The vectors of attack for me didn't include physical or hardware attacks, since that wouldn't benefit the people who sent me this. So I just wanted to scan for viruses and malware. (Yes, I did come across some people worrying about a USB stick that might release plutonium or toxic gas! But I'm not important enough for that.)
Steps
NOTE: A rootless Podman container is considerably safer, because root inside the container is an unprivileged user on the host. The catch for this procedure is that mounting a kernel filesystem (ext4, vfat, ...) from a block device needs CAP_SYS_ADMIN in the host's own user namespace, which a rootless container does not have; with rootless Podman you would mount the stick read-only on the host and bind-mount that directory into the container instead (a FUSE driver such as ntfs-3g is the exception, given /dev/fuse and read access to the device node). Either way the filesystem driver runs in the shared host kernel, so the container isolates the scanner's userspace from the files, not the kernel from a malicious filesystem image.
- Boot into a live USB Linux session, so you have more isolation, and unplug any other drives. This is still not completely safe: some malware might infect your system's BIOS or firmware, or cross-contaminate other attached drives.
- Pull the Docker ClamAV image according to its docs
- Disconnect from any network, so nothing on the stick can spread through the network. Do this after pulling the image and updating the signatures, since both need network access.
- Connect USB device but don't mount it
- Run the ClamAV container
- Pass the storage device into your container (`--device /dev/sdb`). `--device` creates only the node you name inside the container, and no udev runs there, so also pass each partition node you intend to mount (`--device /dev/sdb1`).
- Give the container the capability to mount filesystems (`--cap-add SYS_ADMIN`). On hosts with AppArmor (Ubuntu, Debian) the docker-default profile additionally denies `mount` inside containers; `--security-opt apparmor=unconfined` lifts that.
- Mount the storage to a filesystem within the container itself. I used this command:
```sh
docker run \
  -it \
  --rm \
  --name "clam_container_01" \
  --device /dev/sdb \
  --device /dev/sdb1 \   # partition node; without it /dev/sdb1 does not exist in the container
  --cap-add SYS_ADMIN \
  clamav/clamav
```
- Enter the container's shell:
```sh
docker exec -it "clam_container_01" /bin/sh
```
- Set up and configure ClamAV according to the docs.
- Update the signature DB according to the docs by running `freshclam`. This needs network access, so do it before disconnecting (the official image also ships with a database).
- Mount the device to the filesystem (Only for unix filesystems. TODO: Figure out ntfs filesystem). Mount it read-only and with execution disabled:
```sh
# untrusted media: never writable, nothing executable; use /dev/sdb1 if the stick is partitioned
mount -o ro,noexec,nosuid,nodev /dev/sdb /mnt
```
- Scan the files in the mounted directory (clamscan only descends into subdirectories with -r):
```sh
clamscan -r /mnt
```
NOTE: I'm not 100% sure what `--device /dev/sdb` does internally, so I'm not sure if it is completely safe and whether the device gets mounted on the host first or something like that.
NTFS filesystem
Install fuse and ntfs-3g inside the container to mount the filesystem:
```sh
# apk needs network access: install while still online (or build a derived image)
apk add ntfs-3g fuse
# ntfs-3g is a FUSE driver: the container also needs --device /dev/fuse and --device /dev/sdb1.
# Call the ntfs-3g binary directly; "mount -t ntfs" picks the kernel driver, not ntfs-3g.
ntfs-3g -o ro,noexec,nosuid,nodev /dev/sdb1 /mnt
```
Currently I get errors doing this. Within the container, the partitions within sdb (sdb1) are not recognized and I cannot mount them.
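The whole procedure above, including the NTFS case, as one script. This is an added example, not the post's own commands: it assumes a root Docker daemon (not rootless), a stick at /dev/sdb with its data on /dev/sdb1, that clamav/clamav was pulled (and, for NTFS, the derived image built) while still online, and that the network is unplugged before the scan runs. The image tag clamav-ntfs, the mount point /mnt/usb and the helper names are my choices, not anything from the ClamAV project.

```shell
#!/bin/sh
# Added example, not the post's own script: scan an unmounted USB stick with the
# official clamav/clamav image, mounting it read-only inside the container.
# Assumptions: root Docker on the host, the stick is /dev/sdb with its data on
# /dev/sdb1, the image (and the derived NTFS image) was built while online, and
# the network is now disconnected.
set -u

IMAGE=clamav/clamav
NTFS_IMAGE=clamav-ntfs              # hypothetical tag for the derived image built below
MOUNT_OPTS=ro,noexec,nosuid,nodev   # untrusted media: never writable, never executable

# --device only creates the node you name; no udev runs inside the container, so
# /dev/sdb alone never yields /dev/sdb1. List the disk and every partition node.
partition_nodes() {                 # $1 = whole-disk node, e.g. /dev/sdb
    ls "$1" "$1"[0-9]* 2>/dev/null
}

device_flags() {                    # args = device nodes -> "--device X --device Y"
    out=""
    for node in "$@"; do out="$out --device $node"; done
    printf '%s' "${out# }"
}

# Command that mounts the partition inside the container. ntfs-3g is a FUSE
# driver, so NTFS additionally needs /dev/fuse passed in and ntfs-3g installed.
mount_cmd() {                       # $1 = fstype (ntfs | anything else), $2 = partition node
    case "$1" in
        ntfs) printf 'ntfs-3g -o %s %s /mnt/usb' "$MOUNT_OPTS" "$2" ;;
        *)    printf 'mount -o %s %s /mnt/usb' "$MOUNT_OPTS" "$2" ;;
    esac
}

# clamscan exit status: 0 = nothing found, 1 = infected file(s), 2 = scan error.
scan_result() {
    case "$1" in 0) echo clean ;; 1) echo infected ;; *) echo error ;; esac
}

# Build the NTFS-capable image while online; apk add needs network access.
build_ntfs_image() {
    printf 'FROM %s\nRUN apk add --no-cache ntfs-3g fuse\n' "$IMAGE" \
        | docker build -t "$NTFS_IMAGE" -
}

run_scan() {                        # $1 = whole-disk node, $2 = fstype
    disk=$1; fstype=$2; part="${disk}1"
    image=$IMAGE; extra=""
    if [ "$fstype" = ntfs ]; then image=$NTFS_IMAGE; extra="--device /dev/fuse"; fi
    # The in-container script runs with the image's entrypoint bypassed; the exit
    # status passed back is clamscan's own (2 if the mount itself fails).
    # shellcheck disable=SC2046,SC2086
    docker run --rm --name clam_scan \
        $(device_flags $(partition_nodes "$disk")) $extra \
        --cap-add SYS_ADMIN --network none \
        --entrypoint sh "$image" -c "
            mkdir -p /mnt/usb
            $(mount_cmd "$fstype" "$part") || exit 2
            clamscan --recursive --infected /mnt/usb
            rc=\$?
            umount /mnt/usb
            exit \$rc"
    code=$?
    echo "scan finished: $(scan_result "$code") (clamscan exit $code)"
    return "$code"
}

# Usage: SCAN_DEV=/dev/sdb SCAN_FS=ntfs sh scan-usb.sh  (omit SCAN_FS for a Linux filesystem)
if [ -n "${SCAN_DEV:-}" ]; then
    if [ "${SCAN_FS:-}" = ntfs ]; then build_ntfs_image; fi
    run_scan "$SCAN_DEV" "${SCAN_FS:-auto}"
fi
```

The two things that make the NTFS case work where the steps above stall are passing /dev/sdb1 and /dev/fuse explicitly, since --device creates only the named node and ntfs-3g is a FUSE driver. On AppArmor hosts add --security-opt apparmor=unconfined to the docker run line, because the docker-default profile denies mount even with CAP_SYS_ADMIN. The script's exit code is clamscan's: 0 clean, 1 infected, anything else an error.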