Configure ClamAV to detect trojans, viruses, malware, and other threats on Linux-based systems using this open-source antivirus engine. It is commonly used on servers that handle emails, files, or external data sources to prevent the distribution of infected content. Though Linux is less vulnerable than other platforms, ClamAV is useful for ensuring that Linux systems don’t become passive carriers of malicious files, especially in shared environments.

System administrators often configure ClamAV to run scheduled scans or integrate it with mail servers and file upload services for proactive protection.
This article outlines the process to properly install, configure, and use ClamAV on a Linux server.
Prerequisites
Before starting the configuration process, ensure the following requirements are met:
- A Linux-based server (Ubuntu, Debian, RHEL, CentOS, Fedora, etc.)
- Root or sudo user access
- Terminal or SSH access
- Active internet connection (for package installation and updates)
Configure ClamAV on Linux
The following sections describe how to install, update, scan, schedule, and manage ClamAV for practical antivirus protection on Linux systems.
Install ClamAV
Before configuring ClamAV, you need to install ClamAV on your Linux machine.
- For Ubuntu/Debian:
sudo apt update
sudo apt install clamav clamav-daemon -y
- For RHEL/CentOS:
Enable EPEL (if required):
sudo dnf install epel-release -y
sudo dnf install clamav clamav-update -y
- For Fedora:
sudo dnf install clamav clamav-update -y
- Verify installation:
clamscan --version
Update Virus Definitions
ClamAV uses signature files to detect threats. These must be updated regularly using the freshclam tool.
- Manual update:
sudo freshclam
If you get a socket or permission error, stop the clamav-freshclam service and run freshclam again:
sudo systemctl stop clamav-freshclam
sudo freshclam
Enable automatic updates:
sudo systemctl enable --now clamav-freshclam
Run On-Demand Scans
ClamAV’s clamscan command can be used to scan files or directories manually.
- Basic usage:
clamscan -r /home
Useful options:
- -r: Recursive scan
- --remove: Automatically delete infected files
- --log=FILE: Write output to a specified log file
Example:
clamscan -r /var/www --log=/var/log/clamav/manual-scan.log
This command recursively scans the /var/www directory for malware and logs the results to /var/log/clamav/manual-scan.log.
Explanation:
- clamscan: This is the ClamAV command-line virus scanner.
- -r: This tells clamscan to recursively scan all directories and subdirectories inside /var/www.
- /var/www: The target directory to be scanned.
- --log=/var/log/clamav/manual-scan.log: This option saves the scan results (including any detections) to the specified log file at /var/log/clamav/manual-scan.log.
Schedule Automatic Scans with Cron
You can automate regular scans using cron.
- Example daily scan at 3 AM:
sudo crontab -e
Add:
0 3 * * * clamscan -r /var/www --log=/var/log/clamav/daily-scan.log
Ensure the /var/log/clamav directory exists and has the correct permissions.
Enable and Configure clamd
clamd is the ClamAV daemon that offers better performance for frequent or large scans.
- Enable the daemon:
sudo systemctl enable --now clamd@scan
Configuration file path (varies by distro):
- /etc/clamd.d/scan.conf (RHEL/CentOS/Fedora)
- /etc/clamav/clamd.conf (Debian/Ubuntu)
Ensure the following is set inside the config file:
LogFile /var/log/clamav/clamd.log
TCPSocket 3310
TCPAddr 127.0.0.1
- Restart after editing:
sudo systemctl restart clamd@scan
View Logs and Scan Reports
- Default logs (if enabled): /var/log/clamav/clamav.log
- Custom logs defined during clamscan
To check for infected files:
grep "FOUND" /var/log/clamav/scan.log
Log rotation should be configured for large or frequent scan outputs.
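A plain grep "FOUND" also matches clean files whose names contain that word, and a path can itself contain ": ". The script below is an added example, not part of the original article: it reads a clamscan --log file by anchoring on the trailing " FOUND" marker and splitting on the last ": ". The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report detections from a clamscan --log file.

# Write a constructed sample log (not real scan output) to the path in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
/var/www/index.php: OK
/var/www/uploads/eicar.com: Eicar-Test-Signature FOUND
/var/www/uploads/FOUND items.txt: OK
/var/www/uploads/note: draft.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
EOF
}

# Print "signature<TAB>path" for every detection in the log file $1.
list_detections() {
    awk '
        / FOUND$/ {                       # only lines that END in " FOUND"
            line = substr($0, 1, length($0) - 6)
            # Split on the LAST ": " so a path containing ": " stays whole.
            pos = 0
            while ((i = index(substr(line, pos + 1), ": ")) > 0) pos += i
            if (pos == 0) next            # malformed line, skip it
            printf "%s\t%s\n", substr(line, pos + 2), substr(line, 1, pos - 1)
        }
    ' "$1"
}

# Print the number of detection lines in the log file $1.
count_detections() {
    awk '/ FOUND$/ { n++ } END { print n + 0 }' "$1"
}

# Succeed (exit 0) only when the log file $1 holds no detections,
# so a cron job can alert with: log_is_clean FILE || notify
log_is_clean() {
    [ "$(count_detections "$1")" -eq 0 ]
}

# Demo on the constructed sample.
demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "detections: $(count_detections "$demo_log")"
list_detections "$demo_log"
rm -f "$demo_log"
```

The parser targets the per-file lines written by clamscan --log; clamd log lines carry a timestamp prefix and are not handled here.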
Remove or Disable ClamAV
If ClamAV is no longer needed, it can be removed.
- Debian/Ubuntu:
sudo apt remove clamav clamav-daemon -y
RHEL/CentOS:
sudo dnf remove clamav clamav-update -y
Disable services without uninstalling:
sudo systemctl disable --now clamav-freshclam
sudo systemctl disable --now clamd@scan
Conclusion
This document outlines the complete process of configuring ClamAV on Linux servers, including installation, virus signature updates, on-demand and automated scans, daemon configuration, and logging. ClamAV adds a security layer for Linux systems that interact with files from external or untrusted sources. Maintaining updated definitions and regularly scanning key directories is essential to detect and handle potential threats effectively in a production or shared environment.