Automatically detecting files placed in my Downloads directory in Gentoo Linux and scanning them for viruses

I have been using Linux for almost a decade and have never been unduly concerned about viruses on my machines running Linux. However, I do receive files from people who use Windows and Mac OS, and some of those files might contain Windows or Mac OS viruses, so, as a matter of courtesy and assistance to others, it would make some sense to scan those files before passing them on. Furthermore, as I use some Windows applications under WINE, it would also make sense to scan received files for Windows viruses if I am going to use those files with a Windows application running under WINE.

External files could get into my Gentoo Linux installations via pen drives, memory cards, optical discs, e-mails, my Dropbox directory and downloads from Web sites. In this post I am going to concentrate on the last of these. All the various e-mail account providers I use already scan e-mails for viruses on their e-mail servers before I even download e-mail into the e-mail client on my laptop (standard practice these days), so e-mail is not a particular worry.

I have had ClamAV and its GUI, ClamTk, installed for a long time. Whilst ClamTk can be used to schedule a daily update of virus signatures and a daily scan of one’s home directory by ClamAV, I normally run ClamTk and ClamAV ad hoc. However, I can see some benefit in launching ClamAV automatically when I download a file from the Internet, so I decided to do the following …

Automatically scan a file downloaded via a Web browser

I use Firefox to browse the Web, and had configured it to download files to the directory /home/fitzcarraldo/Downloads/. I decided to monitor automatically the Downloads directory for the addition of any file. As I use the ext4 file system, the method I opted to use is inotify, specifically the inotifywait command which is available once you install the package sys-fs/inotify-tools.

It is surprisingly easy to create a shell script to detect files downloaded into a directory. The following script, running continuously in a terminal, would detect any files created in my /home/fitzcarraldo/Downloads directory, scan the new files with ClamAV and display a report in the terminal window:



inotifywait -q -m -e create --format '%w%f' $DIR | while read FILE
     echo "File $FILE has been detected. Scanning it for viruses now ..."
     clamscan $FILE

A usable script would need to be a bit more sophisticated than the one shown above, because an existing file in the directory could be overwritten by one with the same name, or opened and amended. Furthermore, the script above would need a permanently open terminal window. Therefore I created a script to run in the background and use a GUI dialogue tool to pop up a window with the virus scanner’s report when the script detects a new or changed file in the Downloads directory. As this laptop has KDE 4 installed I opted to use KDialog to display the pop-up window, but I could instead have used Zenity. The final script is shown below.



# Get rid of old log file
rm $HOME/virus-scan.log 2> /dev/null

inotifywait -q -m -e close_write,moved_to --format '%w%f' $DIR | while read FILE
     # Have to check file length is nonzero otherwise commands may be repeated
     if [ -s $FILE ]; then
          date > $HOME/virus-scan.log
          clamscan $FILE >> $HOME/virus-scan.log
          kdialog --title "Virus scan of $FILE" --msgbox "$(cat $HOME/virus-scan.log)"

Now when I download a file in Firefox, a window pops up, displaying a message similar to the following:

Virus scan of /home/fitzcarraldo/Downloads/ – KDialog

Fri 19 Feb 23:42:02 GMT 2016
/home/fitzcarraldo/Downloads/ Eicar-Test-Signature FOUND

———– SCAN SUMMARY ———–
Known viruses: 4259980
Engine version: 0.98.7
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 4.595 sec (0 m 4 s)

Notice in the above message that ClamAV detected a virus in a file that I downloaded from the European Expert Group for IT Security Web site (originally ‘European Institute for Computer Antivirus Research’). In fact the executable does not contain a real virus; it was designed to contain a known signature that virus scanner creators and users can use in checking anti-virus software. You can find out more about the virus test files on the EICAR Web site.

Of course, if I use applications other than Firefox to download files, I need to make sure they download the files into the applicable directory so that the script can detect and scan the files:

fitzcarraldo@clevow230ss ~ $ cd Downloads/
fitzcarraldo@clevow230ss ~/Downloads $ youtube-dl -o Carnavalito.mp4 -f 18
ZDUL3w7zFD4: Downloading webpage
ZDUL3w7zFD4: Downloading video info webpage
ZDUL3w7zFD4: Extracting video information
ZDUL3w7zFD4: Downloading MPD manifest
[download] Destination: Carnavalito.mp4
[download] 100% of 16.61MiB in 00:05

So, now I have a shell script that pops up a window informing me whether or not any file I put in $HOME/Downloads/ contains a virus. But I would like the script to be launched automatically when I login to the Desktop Environment. Therefore, as I use KDE 4, I selected ‘System Settings’ > ‘Startup and Shutdown’ and, in the ‘Autostart’ pane, clicked on ‘Add Script…’ and entered the path to my shell script (I left ‘create as symlink’ ticked). Now, every time I use KDE, any file placed (automatically or manually) into $HOME/Downloads/ is scanned for viruses automatically and a window pops up giving the result.

As my laptop is not always connected to the Internet, I prefer to update the ClamAV virus signatures database manually, which I do either using the ClamTk GUI or via the command line using the freshclam command:

fitzcarraldo@clevow230ss ~ $ su
clevow230ss fitzcarraldo # freshclam
ClamAV update process started at Sat Feb 20 10:51:01 2016
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.98.7 Recommended version: 0.99
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Downloading daily-21375.cdiff [100%]
Downloading daily-21376.cdiff [100%]
Downloading daily-21377.cdiff [100%]
Downloading daily-21378.cdiff [100%]
Downloading daily-21379.cdiff [100%]
Downloading daily-21380.cdiff [100%]
Downloading daily-21381.cdiff [100%]
Downloading daily-21382.cdiff [100%]
Downloading daily-21383.cdiff [100%]
Downloading daily-21384.cdiff [100%]
Downloading daily-21385.cdiff [100%]
Downloading daily-21386.cdiff [100%]
Downloading daily-21387.cdiff [100%]
Downloading daily-21388.cdiff [100%]
Downloading daily-21389.cdiff [100%]
Downloading daily-21390.cdiff [100%]
Downloading daily-21391.cdiff [100%]
daily.cld updated (version: 21391, sigs: 1850214, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 271, sigs: 47, f-level: 63, builder: anvilleg)
Database updated (4274486 signatures) from (IP:
WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.sock: No such file or directory

About Fitzcarraldo
A Linux user with an interest in all things technical.

12 Responses to Automatically detecting files placed in my Downloads directory in Gentoo Linux and scanning them for viruses

  1. svantoviit says:

    Thanks for the nice idea Fitzcarraldo!

    I slightly modified the script to use zenity and show the notification only if a virus has been found (or an error occurred). I Removed the rm directive, the log file is overwritten by the date command anyway.



    while read file; do
    # Have to check file length is nonzero otherwise commands may be repeated
    if [[ -s "${file}" ]]; then
    date > "${LOG}"
    clamscan --quiet -l "${LOG}" "${file}"
    # Display notification only if virus found or error occurred
    if [[ $? -ne 0 ]]; then
    zenity --warning --title "Virus scan of ${file##*/}" \
    --text "$(cat "${LOG}")" 2>/dev/null
    done < <(inotifywait -q -m -e close_write,moved_to --format '%w%f' "${DIR}")

  2. Hello, Fitz,

    since the script is pretty useful I’d like to reblog and translate it into German at my techblog over at

    Are you fine with that? Which license shall I apply? Of course I’ll backlink to this article!
    What about putting the code on GitHub?

  3. Pingback: Automatisches Prüfen von Dateien in Downloads-Ordner | Pub Rika

  4. irenicus09 says:

    Hi Mr. Fitz,

    Thanks for the tutorial, I haven’t used any antivirus on Linux since basically I found none but I could be wrong. Should I be concerned about virus threats on Linux? Also isn’t vendors like Clamav lagging behind when it comes to virus signatures? Thanks

    • Fitzcarraldo says:

      I’m not concerned about virus threats in Linux (although I believe a tiny number of viruses, trojans and other malware exist in Linux). My use of ClamAV to scan files downloaded from the Web is to give me a little comfort in case I want to pass a file to someone with a Windows machine or I want to use it with an application running in WINE and the file has a Windows virus (as I stated at the beginning of my post).

      As to ClamAV’s efficacy, well it won’t be perfect, but it’s better than nothing I suppose. You can check benchmarks for various anti-virus scanners, including ClamAV for Linux, on the Shadowserver Foundation’s Web site: Shadowserver :: Viruses.

      Since the company that owns ClamAV is Cisco (notice ‘© 2004 – 2015 Cisco and/or its affiliates. All rights reserved.‘ at the bottom of the ClamAV Web site pages), I’m fairly confident it has at least some serious effort put into its signatures and detection algorithms.

  5. Pingback: Using the ClamAV daemon to scan files placed in my Downloads directory in Gentoo Linux | Fitzcarraldo's Blog

  6. Pingback: ClamAV bei Zugriff - Ralf Kerkhoff

  7. progkix says:

    I ran across your blog post above while searching for just such a script. I figured someone else had already done something similar.

    The question I have is how do you handle downloads that for whatever reason just stop leaving the partially downloaded file in the folder being watched?

    For example, I start a download and Firefox creates 2 files: filename.ext (0 length) and filename.ext.part. When the download completes, the file downloaded is obviously filename.ext with it real length.

    Would these incomplete downloads not cause a problem?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.