
System scanners in Debian

System scanners are packages that check for rootkits that may be installed or active on your system, plus virus scanners. The rkhunter and chkrootkit packages are two of the most widely used rootkit detectors. The Tiger package is a somewhat more comprehensive scanner: it uses chkrootkit and Tripwire or AIDE, together with its own scripts, to perform a full audit of your system's security. After the first audit of your clean system, Tiger will alert you to changes in your system's vulnerabilities.

The only major function absent from Tiger is virus scanning, which the clamav package handles; clamav also provides live scanning of email.

A final word on remote logging

One of the first things an accomplished hacker will do after penetrating a system is attempt to erase all signs of the compromise. This includes removing entries from log files, hiding files and network connections so that normal utilities cannot show them, and so on. They may even go so far as to install their own compromised versions of your intrusion detection software and your file and system scanners, versions that will never report any sign of their illicit activity. One of the best countermeasures is to set your system up to write its system logs, NIDS output, and scan results to a remote system. Many scanners also provide ways to encrypt and verify their configuration files and scan databases to protect those from compromise.

If your system is subject to frequent attacks, set up remote logging, reporting, and alerting, and secure the configuration files and databases of your system and file scanners and your Intrusion Detection System.
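The following shell functions are an added example, not part of the original article or of the rkhunter, chkrootkit, or rsyslog projects. They tie together the two points above: forwarding scanner output to a remote log host, and keeping an off-host integrity manifest of scanner configuration files so that a locally tampered copy is detected. The log host name, the rsyslog drop-in path, and the sample configuration lines are assumed placeholders; the manifest is a plain sha256sum list standing in for the scanners' own verification features, and is only useful if the manifest itself is stored off the monitored host.

```shell
#!/bin/sh
# Added example for a Debian host (not the article's own code).
# All host names and file paths below are assumed placeholders.

# Print an rsyslog drop-in (assumed path /etc/rsyslog.d/60-remote.conf) that
# forwards every message over TCP (@@) to the remote collector, with a
# disk-assisted queue so messages survive a collector outage or a reboot.
remote_log_conf() {
    loghost="${1:-loghost.example.invalid}"   # assumed placeholder host
    cat <<EOF
# /etc/rsyslog.d/60-remote.conf (assumed file name)
\$ActionQueueType LinkedList
\$ActionQueueFileName remote_fwd
\$ActionQueueMaxDiskSpace 256m
\$ActionQueueSaveOnShutdown on
\$ActionResumeRetryCount -1
*.* @@${loghost}:514
EOF
}

# Run a scanner and send each line of its output to syslog under TAG, so the
# result leaves the host through the forwarding rule above rather than
# living only in a local file an intruder can edit.
# Usage: log_scan rkhunter rkhunter --check --skip-keypress --report-warnings-only
#        log_scan chkrootkit chkrootkit -q
log_scan() {
    tag="$1"; shift
    "$@" 2>&1 | logger -t "$tag" -p authpriv.warning
}

# Record SHA-256 digests of the given files in MANIFEST. Copy MANIFEST to the
# remote system afterwards; a copy left on this host protects nothing.
# Usage: make_manifest /root/scanner.sha256 /etc/rkhunter.conf /etc/chkrootkit.conf
make_manifest() {
    manifest="$1"; shift
    sha256sum "$@" > "$manifest"
}

# Verify every file listed in MANIFEST (fetched back from the remote system).
# Exit status 0 means all digests match; non-zero means at least one file
# changed, which is the condition worth alerting on.
check_manifest() {
    manifest="$1"
    sha256sum -c --status "$manifest"
}
```

A reasonable deployment runs `log_scan` for each scanner from cron, then `check_manifest` against a manifest pulled from the log host, and lets the remote side alert when either the scan output or the integrity check reports a problem; nothing in this flow relies on files that remain only on the monitored machine.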
