Scenario: Suspicious activity on your Fedora system
You notice your CPU spiking at 3 AM. top shows a process named kworker consuming 90% of a core, but you are not compiling anything. Or you see outbound traffic to an IP address you do not recognize. You suspect your system is compromised. You need to scan for rootkits and malware to determine the state of your machine.
Scanning is a snapshot. It tells you what the system looks like at this moment. It does not fix a breach. If you find active malware, isolate the machine from the network immediately. Take a snapshot if you are running a VM. Do not trust the compromised system to delete the malware. Use the scan results to decide whether to rebuild from backup.
What rootkits and malware actually do
A rootkit hides. It modifies system calls or intercepts kernel functions so you cannot see the malicious process or file. A rootkit makes the attacker invisible to standard tools like ps, ls, and netstat.
Malware does damage. It steals data, mines cryptocurrency, or turns your machine into part of a botnet. Malware does not always hide. It might run openly as a script or binary.
Think of a rootkit like a spy who forged your ID and lives in your house. They look like family. Malware is a burglar breaking a window. You can see the broken glass. Scanners check the ID against a database of known forgeries and look for weird footprints in the system.
Fedora includes SELinux by default. SELinux restricts what processes can do. A rootkit often fails because SELinux denies it the permission to hide or execute. Scanning is still necessary. Users install software that bypasses protections. Scanning catches what slipped through.
Update the database before you scan. Stale signatures miss new threats.
Install and configure the scanners
Fedora provides three standard tools. rkhunter checks for rootkit artifacts and system integrity. chkrootkit is a lightweight scanner for known rootkits. ClamAV is an antivirus engine for malware and viruses.
Install all three tools. You can run them independently.
sudo dnf install rkhunter chkrootkit clamav clamav-update
# WHY: Install the rootkit scanners and the ClamAV antivirus engine.
sudo dnf upgrade --refresh
# WHY: Ensure all packages are up to date before installing security tools.
A note on convention: dnf upgrade --refresh is the normal weekly maintenance command. It forces a metadata refresh and updates packages. Run it before installing security tools to avoid version mismatches.
Run rkhunter for rootkit detection
rkhunter performs a deep check. It verifies system binaries against known hashes, checks for hidden files, inspects network settings, and looks for suspicious kernel modules. It produces detailed output but also generates false positives on Fedora due to package build practices.
Update the signature database first. Then run the check.
sudo rkhunter --update
# WHY: Download the latest database of known rootkit signatures and hashes.
sudo rkhunter --check --sk
# WHY: Run the full scan and skip the "press Enter to continue" prompt between test groups, which blocks on headless systems.
The --sk flag (long form --skip-keypress) stops rkhunter from pausing for a keypress after each group of tests, which hangs an unattended or headless run. The scan prints results to the terminal and saves a log to /var/log/rkhunter.log.
Read the warnings. Do not just grep for Found. rkhunter flags standard Fedora binaries as suspicious because of how the package manager builds and signs packages.
[23:45:12] /usr/bin/ssh: Warning: Suspicious file types found: /usr/bin/ssh
[23:45:13] /usr/bin/login: Warning: Suspicious file types found: /usr/bin/login
This warning is often a false positive. Fedora builds binaries with specific optimizations and linker flags. rkhunter sees the file type structure and flags it. Verify the binary integrity using rpm.
rpm -V openssh-clients
# WHY: Verify the SSH client package files against the RPM database.
rpm -V util-linux
# WHY: Verify the login utility package files.
If rpm -V returns no output, the files are intact and the rkhunter warning is a false positive. Trust the package manager. Manually edited files drift from their packaged state; package-managed files can always be checked against the RPM database.
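The cross-check above (pull the flagged paths out of the rkhunter log, find the owning package, verify it with rpm) as a small added script; it is not part of the original page or of rkhunter. The log excerpt is constructed in the style of the page's sample warnings, and the function names are my own.

```shell
#!/bin/sh
# Triage rkhunter warnings: extract each flagged path from the log, ask rpm
# which package owns it, and verify that package against the RPM database.

# Constructed excerpt in the style of the page's sample warnings (not a real log).
SAMPLE_LOG='[23:45:12] /usr/bin/ssh: Warning: Suspicious file types found: /usr/bin/ssh
[23:45:13] /usr/bin/login: Warning: Suspicious file types found: /usr/bin/login
[23:45:14] Checking for hidden files and directories [ None found ]
[23:45:15] /usr/bin/ssh: Warning: Suspicious file types found: /usr/bin/ssh'

# flagged_paths: print the first absolute path on every "Warning:" line, each path once.
flagged_paths() {
    printf '%s\n' "$1" |
        awk '/Warning:/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { sub(/:$/, "", $i); print $i; break } }' |
        sort -u
}

# verify_path: resolve the owning package with rpm -qf, then run rpm -V on it.
# Prints "<path> intact <pkg>", "<path> modified <pkg>" or "<path> unowned".
# A path no package owns deserves a closer look: rkhunter flagged it and rpm cannot vouch for it.
verify_path() {
    pkg=$(rpm -qf "$1" 2>/dev/null) || { printf '%s unowned\n' "$1"; return 0; }
    if rpm -V "$pkg" >/dev/null 2>&1; then   # no output and exit 0 means every file matches
        printf '%s intact %s\n' "$1" "$pkg"
    else
        printf '%s modified %s\n' "$1" "$pkg"   # rerun rpm -V by hand to see which files differ
    fi
}

# triage: verify every flagged path found in the given rkhunter log file.
triage() {
    flagged_paths "$(cat "$1")" | while IFS= read -r p; do verify_path "$p"; done
}

# Usage: sudo sh triage.sh --run /var/log/rkhunter.log (needs rpm on the host).
if [ "${1:-}" = "--run" ]; then
    triage "${2:-/var/log/rkhunter.log}"
fi
```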
After a major system upgrade, update the rkhunter properties database to reduce false positives.
sudo rkhunter --propupd
# WHY: Update the file property database so rkhunter learns the new hashes after an upgrade.
Run chkrootkit for a quick check
chkrootkit is older and simpler. It checks for specific known rootkits by running small test programs. It does not check binary hashes. It is fast and has minimal configuration.
Run it directly. It prints results to the terminal.
sudo chkrootkit
# WHY: Run the chkrootkit scan to check for known rootkit indicators.
Look for lines ending in infected. Most lines will say not found. If you see infected, investigate immediately. chkrootkit can also produce false positives, especially on systems with custom kernel modules or unusual network configurations.
Cross-reference chkrootkit findings with rkhunter. If both tools flag the same issue, the risk is higher. If only chkrootkit flags something, check the specific test name and search for known false positives.
Read the actual error before guessing.
Run ClamAV for malware and viruses
ClamAV scans files for malware signatures. It detects viruses, trojans, and suspicious scripts. It does not check kernel integrity or rootkit artifacts. Use it to scan user directories, downloads, and email attachments.
Update the virus database before scanning.
sudo freshclam
# WHY: Download the latest ClamAV virus definition database.
Run the scan. Exclude virtual filesystems. Scanning /proc, /sys, and /dev causes errors and wastes time. These directories are generated by the kernel and do not contain files.
sudo clamscan -r / --exclude-dir='^/proc|^/sys|^/dev'
# WHY: Recursively scan the root filesystem while excluding virtual filesystems. --exclude-dir takes a regex, so anchor each path with ^ to avoid skipping unrelated directories whose names merely contain "proc", "sys" or "dev".
ClamAV can consume significant memory. On systems with limited RAM, add --max-filesize to skip large files or run the scan with lower priority.
sudo clamscan -r /home --max-filesize=500M
# WHY: Scan only user home directories and skip files larger than 500MB to save memory.
The scan ends with a summary. Look for Infected files: 0. If infections are found, ClamAV prints the file path and the virus name. Do not delete files automatically. Move them to a quarantine directory for analysis.
sudo clamscan -r /home --move=/var/quarantine
# WHY: Scan and move infected files to a quarantine directory instead of deleting them.
Exclude virtual filesystems. Scanning /proc breaks the scanner and wastes time.
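A quarantine-first wrapper around the clamscan invocation described above, added here as an example and not taken from the page or from ClamAV itself. It creates the quarantine directory before using --move, anchors the exclusion regex, branches on clamscan's exit status (0 clean, 1 infections found, 2 error) and parses the summary; the sample output, the signature name and the function names are constructed.

```shell
#!/bin/sh
# Run clamscan with --move into a quarantine directory and read the result
# from the exit status and the summary rather than by eyeballing the screen.
QUARANTINE=/var/quarantine   # assumed location, as used on the page

# Constructed clamscan output for the parsing functions (not a real scan).
SAMPLE_OUT="/home/alice/Downloads/sample.bin: Example.Test.Signature-1 FOUND
/home/alice/notes.txt: OK

----------- SCAN SUMMARY -----------
Scanned files: 2
Infected files: 1
Data scanned: 0.01 MB"

# infected_count: print the number from the "Infected files:" summary line, or "unknown".
infected_count() {
    printf '%s\n' "$1" | awk -F': *' '/^Infected files:/ { print $2; found = 1 } END { if (!found) print "unknown" }'
}

# found_files: print "<path><TAB><signature>" for each "FOUND" line (paths may contain spaces).
found_files() {
    printf '%s\n' "$1" | awk '/ FOUND$/ { sig = $(NF-1); sub(/: [^ ]+ FOUND$/, ""); print $0 "\t" sig }'
}

# scan_and_quarantine: scan a directory, move hits into QUARANTINE, return clamscan's exit status.
scan_and_quarantine() {
    dir=${1:-/home}
    mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE"   # --move fails if the directory is missing
    out=$(clamscan -r "$dir" --exclude-dir='^/proc|^/sys|^/dev' --move="$QUARANTINE" 2>&1)
    rc=$?
    printf '%s\n' "$out" | tail -n 12                    # the summary block the page tells you to read
    case $rc in
        0) echo "clean: $(infected_count "$out") infected files" ;;
        1) echo "INFECTED: $(infected_count "$out") file(s) moved to $QUARANTINE"
           found_files "$out" ;;                         # what was found, for later analysis
        *) echo "scan error (exit $rc): read the output above, the summary is incomplete" ;;
    esac
    return $rc
}

# Usage: sudo sh clamscan-quarantine.sh --run /home (needs clamscan and a fresh database).
if [ "${1:-}" = "--run" ]; then
    scan_and_quarantine "${2:-/home}"
fi
```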
Interpret the results and handle false positives
Security scanners produce noise. False positives are common. A warning does not mean you are compromised. It means the tool found something unusual.
For rkhunter, check the log file for the full context.
tail -n 50 /var/log/rkhunter.log
# WHY: Review the last 50 lines of the rkhunter log for detailed warnings.
If rkhunter flags a binary in /usr/bin, verify it with rpm -V. If the package is intact, add the path to the matching allow-list variable in /etc/rkhunter.conf to suppress the warning (for example ALLOWHIDDENFILE for a hidden file, or SCRIPTWHITELIST for a command rkhunter reports as a script). Never edit files in /usr/lib/. Edit /etc/ only.
For ClamAV, check the virus name. Some detections are heuristic and may flag legitimate software. Search the virus name in the ClamAV database or community forums. If the file is a known false positive, add an exclusion to /etc/clamav/clamd.conf.
If you find confirmed malware, do not rely on the scanner to clean it. Malware can reinstall itself. Rebuild the system from a known good backup. Scan the backup before restoring.
Trust the package manager. If rkhunter flags a binary in /usr/bin, check the rpm signature first.
Verify the scan completed successfully
Verify that the scans ran to completion and produced logs.
Check rkhunter log existence and size.
ls -lh /var/log/rkhunter.log
# WHY: Confirm the rkhunter log file exists and has content.
grep "Scan completed" /var/log/rkhunter.log
# WHY: Verify the scan finished without interruption.
Check ClamAV summary.
clamscan -r /home --exclude-dir='^/proc|^/sys|^/dev' 2>&1 | tail -n 5
# WHY: Run a quick scan and show the last 5 lines to verify the summary output.
If the scan was interrupted, check system resources. High memory usage or disk I/O can cause timeouts. Run scans during low-usage periods.
Run journalctl first. Read the actual error before guessing.
Common pitfalls and error messages
Scanning tools fail when misconfigured. Here are the most common issues.
rkhunter refuses to run as a non-root user. It needs access to system files.
Error: You must be root to run rkhunter.
Run the command with sudo.
ClamAV fails to update. The database server might be unreachable or the configuration is wrong.
ERROR: getpatch: Can't connect to port 80 of host db.local.clamav.net
Check your network connection and firewall rules. Ensure port 80 or 443 is open for outbound traffic. Run firewall-cmd --reload after every rule change. Otherwise the runtime config and the persistent config diverge.
chkrootkit reports Connection refused for network tests. This happens when the system has no network interface or the firewall blocks the test. This is not a rootkit indicator. It means the test could not complete.
SELinux denials show up in journalctl -t setroubleshoot with a one-line summary. Read those before disabling SELinux. If a scanner is blocked by SELinux, check the audit logs. The scanner might need a policy adjustment, not a full disable.
When to use each tool
Use rkhunter when you need a comprehensive check for rootkit artifacts and system binary integrity.
Use chkrootkit when you want a quick, lightweight scan with minimal configuration overhead.
Use ClamAV when you are scanning for traditional malware, viruses, or suspicious files in user directories.
Use manual inspection when automated tools report anomalies and you need to verify the root cause.