How to Remove Windows Viruses with Linux

Linuxvirus Tux

While Microsoft has improved the Windows Defender to a great extent, your system is still not impermeable to viruses. The worst case is when the virus takes over your system, and you can’t boot it up. When this happens, you may want to use a live Linux distro to remove the Windows viruses. This tutorial shows you how to get it done.

Why Use Linux?

If your Windows desktop refuses to boot properly in safe mode, and you’d like to explore the file system and operate the computer, you will need a live environment for that. Sure, you can flash Windows onto a USB drive and just use its recovery command line, but your options there are limited.

Flashing a USB drive with a Linux distro gives you several advantages, such as:

  • A graphical environment to use on your system
  • A light resource profile
  • Access to a package manager that lets you install applications on the fly to a temporary space
  • A sandboxed environment that doesn’t get contaminated by what’s affecting your Windows installation

For most use cases, especially when removing infections affecting the file system, using a live Linux distro is the path of least resistance.

Note: if you have already dual-booted your system with Linux and Windows, there is no need to use a live Linux USB drive. You can boot directly into your Linux OS and run the following steps.

Which Distro Should I Use?

In the majority of cases, Ubuntu presents a compelling option, with its large repository, graphical interface, and ease of use. For simplicity’s sake, many of the instructions in this tutorial will be relevant to Ubuntu.

Since we are using the Linux-native ClamAV to scan for viruses and other threats infecting your system, you can also use Arch and Fedora if you are more familiar with them.

Before going any further, flash the distro of your choice to your USB drive by using a tool like balenaEtcher.

Booting Into the Live OS

To properly boot from a USB drive, you will have to configure your motherboard’s BIOS to boot from the USB drive. Generally, you may access your BIOS by repeatedly pressing either F1, F2, F10, F12, or Del. Once you’re in, look for “Boot” or “Boot Order.” Make sure your USB drive is on the top. If there’s a “UEFI” boot option for the USB drive, move that up as well, above any other options.

Let the drive boot. You’ll be greeted by a GRUB screen that allows you to choose from multiple options. Select “Try or Install Ubuntu” and press Enter.

Linuxvirus Grub

Once the USB drive is done loading the operating system into memory, it will give you a choice between trying Ubuntu or installing it.

Linuxvirus Ubuntulive

Choose “Try Ubuntu,” which should land you on the Desktop.

Tip: there are several antivirus programs for Linux, but ClamAV is the easiest to use and is free.

Installing ClamAV

  1. Press Ctrl + Alt + T to open the terminal.
  2. Update the repositories with a fresh version:
sudo apt update
  1. Install ClamAV:
sudo apt install clamav
Linuxvirus Terminal

Now that you have ClamAV, it’s time to use it to scan your system.

  1. Open your file manager. In Ubuntu, it’s an icon of a folder on the dock to the left of the desktop.
  2. Click on “Other Locations” near the bottom of the left sidebar.
  3. Choose the Windows drive you’d like ClamAV to scan.
Linuxvirus Partitions
  1. Select the drive. If you have a ton of partitions, you’ll know you chose the right one if the following folders are visible: “Program Files,” “Users,” and “Windows.”
  2. Right-click on any empty space within the file manager and click “Open in Terminal.” This provides a terminal window with the drive’s root folder already open.
  3. Start ClamAV through the clamscan command:
sudo clamscan -r .

This will scan files in the current directory (your Windows root directory) recursively, looking for viruses along the way. The . represents “this directory,” and the -r flag tells it to scan through the entire tree of folders recursively.

With this command, you will do a dry run. It won’t remove any files. This lets you see which files ClamAV picks up as viruses so that you can judge for yourself whether you’d like them removed.

  1. At any point during the process, if you’d like to cancel the scan, just press Ctrl + C on your keyboard.
  2. If you want ClamAV to remove the files for you, pass the --remove=yes option like so:
sudo clamscan -r . --remove=yes
  1. If you don’t want it to scan certain file types, pass the --exclude= flag as many times as you need.
sudo clamscan -r . --remove=yes --exclude=.png

The above example would exclude PNG image files, as they often do not have anything that poses a threat written into them.

  1. Add --verbose to this command if you’d like to see everything ClamAV is doing when it runs a scan. The --infected flag may actually be more useful here, only letting you know when an infected file has been found.
  1. Be aware that ClamAV will use a significant amount of system memory (I recorded over 1.3 GB of RAM use) during the scan process. Also, since it uses only one processing thread for the scanning process, it could take a long time to fully scan a drive.

After putting in a proof-of-concept virus that would simulate a worst-case scenario where Windows doesn’t boot correctly, ClamAV was able to find the culprit and zap it within an hour. It was a long process, but it seems that this old antivirus software still does its job very well.


When doing the dry-run procedure (without the --remove flag), you may want to place the output of the scan in a file that you can search later:

sudo clamscan -r . | tee ~/output.txt

This command tells ClamAV to do a recursive scan of the current directory and output the result to an “output.txt” file in your USB drive’s home directory.

Tip: learn how to use pipe redirection in the Linux command line.

You can later go to “output.txt” and search for the term “FOUND” to see each virus it detected. This helps you quickly find the threats on your system without having to wade through miles of muddy terminal output after the fact!

Frequently Asked Questions

Does ClamAV use updated virus definitions?

Yes, when you install ClamAV, a service known as clamav-freshclam is installed and started on your live system. This service keeps the heuristics database updated for you.

Is there a GUI for using ClamAV?

You can install the clamtk package, which is a limited GUI front end for ClamAV.

In Ubuntu, you can use the link found within the developer’s GitLab repository for Ubuntu/Debian. Once you download the .deb file, run it, and it should install ClamTK for you!

Can ClamAV be installed on Windows directly?

Yes. If you’re able to boot your Windows system, ClamAV has a Windows version that you can download from the developer’s site.

Miguel Leiva-Gomez
Miguel Leiva-Gomez

Miguel has been a business growth and technology expert for more than a decade and has written software for even longer. From his little castle in Romania, he presents cold and analytical perspectives to things that affect the tech world.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox