Linux rootkit scanners


Rootkits aim to stay hidden by intercepting system calls or overwriting common system binaries. A rootkit scanner aims to uncover suspicious behavior in standard system calls or commands. It does this by inspecting binaries, process listings, and traces on the disk.


Linux rootkit scanners are typically used for malware detection and malware scanning.

Users of these tools include forensic specialists, security professionals, and system administrators.


Popular Linux rootkit scanners

ClamAV (malware scanner)

malware analysis, malware detection, malware scanning

ClamAV is a popular tool to detect malicious software or malware. While it calls itself an antivirus engine, it probably won't encounter many viruses, as they have become rare. It is more likely to find other forms of malware like worms, backdoors, and ransomware. ClamAV can be used in a few ways, from doing an occasional scan up to scanning in batch. ClamAV does not do on-access scanning but can be combined with other tools to obtain similar functionality. ClamAV is often u…

Rootkit Hunter (malware scanner)

malware detection, malware scanning

Rootkit Hunter is a security tool that searches for traces of rootkits, backdoors, and other malicious components on systems running Linux and other flavors of Unix.

chkrootkit (malware scanner)

malware detection, malware scanning

Chkrootkit is typically used to perform daily security scans to detect traces of malware.
