Configure ClamAV on Linux Server: Step-by-Step Installation Guide

Himanshu Joshi Knowledgebase

Configure ClamAV to detect trojans, viruses, malware, and other threats on Linux-based systems using this open-source antivirus engine. It is commonly used on servers that handle emails, files, or external data sources to prevent the distribution of infected content. Though Linux is less vulnerable than other platforms, ClamAV is useful for ensuring that Linux systems don’t become passive carriers of malicious files, especially in shared environments.

ClamAV on a Linux Server

System administrators often configure ClamAV to run scheduled scans or integrate it with mail servers and file upload services for proactive protection.

This article outlines the process to properly install, configure, and use ClamAV on a Linux server.

Prerequisites

Before starting the configuration process, ensure the following requirements are met:

  • A Linux-based server (Ubuntu, Debian, RHEL, CentOS, Fedora, etc.)
  • Root or sudo user access
  • Terminal or SSH access
  • Active internet connection (for package installation and updates)

Configure ClamAV on Linux

The following sections describe how to install, update, scan, schedule, and manage ClamAV for practical antivirus protection on Linux systems.

Install ClamAV

Before configuring ClamAV, you need to install ClamAV on your Linux machine.

  • For Ubuntu/Debian:
sudo apt update
sudo apt install clamav clamav-daemon -y
  • For RHEL/CentOS:

Enable EPEL (if required):

sudo dnf install epel-release -y
sudo dnf install clamav clamav-update -y
  • For Fedora:
sudo dnf install clamav clamav-update -y
  • Verify installation:
clamscan --version

Update Virus Definitions

ClamAV uses signature files to detect threats. These must be updated regularly using the freshclam tool.

  • Manual update:
sudo freshclam

If you get a socket or permission error, stop the daemon and run it again:

sudo systemctl stop clamav-freshclam
sudo freshclam

Enable automatic updates:

sudo systemctl enable --now clamav-freshclam

Run On-Demand Scans

ClamAV’s clamscan command can be used to scan files or directories manually.

  • Basic usage:
clamscan -r /home

Useful options:

  • -r: Recursive scan
  • --remove: Automatically delete infected files
  • --log=FILE: Write output to a specified log file

Example:

clamscan -r /var/www --log=/var/log/clamav/manual-scan.log

This command recursively scans the /var/www directory for malware and logs the results to /var/log/clamav/manual-scan.log.

Explanation:

  • clamscan: This is the ClamAV command-line virus scanner.
  • -r: This tells clamscan to recursively scan all directories and subdirectories inside /var/www.
  • /var/www: The target directory to be scanned.
  • --log=/var/log/clamav/manual-scan.log: This option saves the scan results (including any detections) to the specified log file at /var/log/clamav/manual-scan.log.

Check Out | Configure FirewallD on Linux Server: Step-by-Step Setup Guide

Schedule Automatic Scans with Cron

You can automate regular scans using cron.

  • Example daily scan at 3 AM:
sudo crontab -e

Add:

0 3 * * * clamscan -r /var/www --log=/var/log/clamav/daily-scan.log

Ensure /var/log/clamav directory exists and has correct permissions.

Enable and Configure clamd

clamd is the ClamAV daemon that offers better performance for frequent or large scans.

  • Enable the daemon:
sudo systemctl enable --now clamd@scan

Configuration file path (varies by distro):

  • /etc/clamd.d/scan.conf (RHEL/CentOS/Fedora)
  • /etc/clamav/clamd.conf (Debian/Ubuntu)

Ensure the following is set inside the config file:

LogFile /var/log/clamav/clamd.log
TCPSocket 3310
TCPAddr 127.0.0.1
  • Restart after editing:
sudo systemctl restart clamd@scan

View Logs and Scan Reports

Default logs (if enabled):

  • /var/log/clamav/clamav.log
  • Custom logs defined during clamscan

To check for infected files:

grep "FOUND" /var/log/clamav/scan.log

Log rotation should be configured for large or frequent scan outputs.

Remove or Disable ClamAV

If ClamAV is no longer needed, it can be removed.

  • Debian/Ubuntu:
sudo apt remove clamav clamav-daemon -y

RHEL/CentOS:

sudo dnf remove clamav clamav-update -y

Disable services without uninstalling:

sudo systemctl disable --now clamav-freshclam
sudo systemctl disable --now clamd@scan

Conclusion

This document outlines is complete process of configuring ClamAV on Linux servers, including installation, virus signature updates, on-demand and automated scans, daemon configuration, and logging. ClamAV adds a security layer for Linux systems that interact with files from external or untrusted sources. Maintaining updated definitions and regularly scanning key directories is essential to detect and handle potential threats effectively in a production or shared environment.

Tags:
Leave A Comment