ClamAV is a free open source antivirus engine for Linux that detects malware, viruses, and trojans on servers.
To use ClamAV on a Linux server: install the packages, update the virus database with freshclam, run scans with clamscan or clamdscan, review logs, and automate nightly scans with cron for continuous protection.
If you’re learning how to use ClamAV on Linux server environments, this guide walks you through installation, updates, on-demand and real-time scanning, scheduling, tuning, and best practices.
Written from a hosting and security perspective, it’s designed for beginners and sysadmins who want a dependable, lightweight malware scanner.
What is ClamAV and Why Use it on Linux Servers?
ClamAV is an open source antivirus toolkit maintained by Cisco Talos. It’s widely used on Linux servers to scan files, web roots, mailboxes, and user uploads for known malware.
While Linux is resilient, servers hosting websites, email, or file uploads benefit from signature based scanning to prevent distribution of malicious content.
Common use cases include:
- Web servers: Scan /var/www for infected PHP shells or backdoors.
- Mail servers: Filter attachments for malware before delivery.
- Shared hosting: Protect user accounts in /home from distributing malware.
- Incident response: Verify and clean compromised directories.
Prerequisites
Before you start:
- Root or sudo access to the server.
- Outbound internet access to update signatures (freshclam).
- At least 1–2 GB free disk space in /var for signatures and logs.
- Defined scan targets (e.g., /var/www, /home, maildirs).
Install ClamAV on Popular Linux Distributions
Debian/Ubuntu
sudo apt update
sudo apt install -y clamav clamav-daemon
This installs the user space scanner (clamscan) and the daemon (clamd) for faster scanning via clamdscan.
RHEL/CentOS/AlmaLinux/Rocky
sudo dnf install -y epel-release
sudo dnf install -y clamav clamav-update clamav-daemon
EPEL provides current ClamAV packages for the Enterprise Linux family.
Update Virus Definitions with freshclam
Signatures must be current for reliable detection. Update once manually, then enable the update service.
# Stop the updater if it runs as a service (Ubuntu/Debian)
sudo systemctl stop clamav-freshclam 2>/dev/null || true
# Manual update
sudo freshclam
# Enable the automatic updater service
# Ubuntu/Debian:
sudo systemctl enable --now clamav-freshclam
# RHEL-based (if provided as a timer/service):
sudo systemctl enable --now freshclam
freshclam fetches main.cvd and daily.cvd from official mirrors. Keep this running to avoid stale databases and false negatives.
Run Your First Scan with clamscan
Use clamscan for on-demand scanning. The -r flag scans recursively, and -i only prints infected files.
# Scan a web root and log results
sudo clamscan -r -i /var/www \
--exclude-dir="^/proc|^/sys|^/dev" \
-l /var/log/clamav/first-scan.log
To quarantine infected files, move them to a safe directory:
sudo mkdir -p /var/quarantine
sudo clamscan -r -i /var/www \
--move=/var/quarantine \
--exclude-dir="^/proc|^/sys|^/dev" \
-l /var/log/clamav/quarantine.log
Use --remove=yes only if you have verified backups; it permanently deletes infected files.
Test Detection with EICAR
The EICAR file is a harmless test string recognized by antivirus tools.
cd /tmp
curl -fLO https://secure.eicar.org/eicar_com.txt
clamscan eicar_com.txt
You should see “Eicar-Test-Signature FOUND”. Delete the file afterward.
Speed Up Scans with clamd and clamdscan
clamd is a persistent daemon that keeps signatures in memory for faster scanning. clamdscan sends files to clamd and is typically much quicker than clamscan on large trees.
# Ubuntu/Debian
sudo systemctl enable --now clamav-daemon
# RHEL-based (common unit)
sudo systemctl enable --now clamd@scan
# Scan via daemon
sudo clamdscan -i /var/www \
--fdpass \
--log=/var/log/clamav/clamdscan.log
--fdpass passes file descriptors so clamd can read files requiring elevated privileges. Ensure /etc/clamav/clamd.conf (or /etc/clamd.d/scan.conf) has a valid LocalSocket and proper permissions.
Recommended clamscan/clamdscan Options
- -r: Recursive scan.
- -i: Print only infected files.
- --exclude-dir: Skip virtual and system paths like /proc, /sys, /dev.
- --max-filesize=200M and --max-scansize=400M: Prevent huge files from stalling scans.
- --move=/var/quarantine or --copy=DIR: Quarantine instead of deleting.
- -l /path/to/log: Persist results for auditing and alerts.
Automate with Cron (Daily/Weekly Scans)
Automated scans keep your server clean without manual intervention. Create a daily cron job that logs and emails results.
sudo tee /etc/cron.daily/clamav-scan >/dev/null <<'EOF'
#!/bin/bash
# Space-separated list; deliberately left unquoted below so each path is its own argument
TARGETS="/var/www /home"
LOG="/var/log/clamav/daily-scan.log"
QUAR="/var/quarantine"
mkdir -p "$(dirname "$LOG")" "$QUAR"
# Use clamdscan if the daemon is running, else fall back to clamscan
if systemctl is-active --quiet clamav-daemon || systemctl is-active --quiet clamd@scan; then
  clamdscan -i $TARGETS --fdpass --move="$QUAR" --log="$LOG"
else
  clamscan -r -i $TARGETS --move="$QUAR" --exclude-dir="^/proc|^/sys|^/dev" -l "$LOG"
fi
# Optional: email report (requires mailx)
# mail -s "ClamAV Daily Scan $(hostname -f)" admin@yourdomain.com < "$LOG"
EOF
sudo chmod +x /etc/cron.daily/clamav-scan
This job quarantines infections safely and leaves an audit trail in /var/log/clamav.
Enable On-Access (Real-Time) Scanning with clamonacc
For real-time protection, clamonacc uses Linux fanotify to scan files on access. This adds overhead; apply it narrowly to high-risk paths like upload directories.
# Ensure clamd is running
sudo systemctl enable --now clamav-daemon 2>/dev/null || sudo systemctl enable --now clamd@scan
# clamonacc takes its watch list from clamd's config file, not from the command line.
# Add the paths to monitor (example: web uploads and user homes) to
# /etc/clamav/clamd.conf (Debian/Ubuntu) or /etc/clamd.d/scan.conf (RHEL-based),
# then restart clamd:
#   OnAccessIncludePath /var/www/uploads
#   OnAccessIncludePath /home
#   OnAccessExcludeUname clamav    # the user clamd runs as (clamscan on RHEL-based packages), so its own reads are not rescanned
#   OnAccessPrevention yes         # optional: block access to a file until it has been scanned
# Start the on-access scanner; infected files are quarantined and logged
sudo clamonacc --fdpass \
  --move=/var/quarantine \
  --log=/var/log/clamav/onaccess.log
Start clamonacc under a supervisor (systemd unit or screen/tmux) if you need it persistent. Avoid monitoring entire filesystems to reduce performance impact.
Tuning, Performance, and Best Practices
- Prefer clamd/clamdscan for large trees; it’s faster than clamscan because signatures stay in memory.
- Exclude pseudo filesystems: /proc, /sys, /dev, and transient caches (e.g., /var/lib/docker/overlay2 if not required).
- Set sensible size limits with --max-filesize and --max-scansize to avoid scanning huge archives.
- Schedule full scans during off-peak hours; run quick scans (upload dirs) more frequently.
- Quarantine first, review, then delete. False positives can occur in compressed archives and custom binaries.
- Log everything. Integrate with logrotate to manage /var/log/clamav/*.log growth.
clamscan vs clamdscan (Quick Comparison)
- clamscan: Standalone; simpler; slower on big scans; no persistent memory of signatures.
- clamdscan: Uses clamd daemon; faster; supports --fdpass; recommended for servers.
Handling Results, Alerts, and Exit Codes
ClamAV exit codes are useful in automation: 0 = no virus found, 1 = infected files found, >1 = errors. You can pipe results to monitoring or alerting tools.
# Example: fail a CI step if malware is found
clamscan -r -i /var/www
if [ $? -eq 1 ]; then
  echo "Malware detected!" >&2
  exit 1
fi
For email alerts, use mailx in your cron script. For centralized logging, ship ClamAV logs to your SIEM via rsyslog or a log agent.
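The cron job above and the exit-code rules in this section leave one gap: the alert mail carries the raw log, and the cron script ignores the scanner's exit status. The following shell functions are an added example (not part of the original guide or of ClamAV itself) that turn a scan log plus exit status into a summary suitable for a mail subject or a monitoring check. The log text, paths, signature names and counts are constructed sample data in the format clamscan writes with -l and -i; the hostname argument is optional.

```shell
#!/bin/bash
# Added example, not part of the original guide: post-process a clamscan/clamdscan
# log and the scanner's exit status at the end of a cron job, so the alert that
# goes out says what was found. Everything in SAMPLE_LOG is constructed sample
# data in the format clamscan writes with -l (and -i).
SAMPLE_LOG='/var/www/html/uploads/photo.jpg.php: Php.Malware.Agent-1234567 FOUND
/var/www/html/wp-content/cache/x.bin: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8700000
Engine version: 1.0.0
Scanned directories: 1200
Scanned files: 9876
Infected files: 2
Data scanned: 512.00 MB
Time: 42.000 sec (0 m 42 s)'

# One line per detection on stdin -> "<path><TAB><signature>". Detection lines look
# like "path: SIGNATURE FOUND"; we split on the LAST ": " so paths containing
# colons are kept intact.
list_detections() {
  awk '/ FOUND$/ {
         sub(/ FOUND$/, "")
         if (match($0, /: [^:]*$/))
           print substr($0, 1, RSTART - 1) "\t" substr($0, RSTART + 2)
       }'
}

# The "Infected files:" count from the summary block on stdin. Prints 0 when the
# line is missing, e.g. because the scan aborted before writing a summary.
infected_count() {
  awk -F': ' '/^Infected files: / { print $2; found = 1 } END { if (!found) print 0 }'
}

# Map ClamAV's exit status to a word: 0 = clean, 1 = infections found, anything else = error.
classify_exit() {
  case "$1" in
    0) echo clean ;;
    1) echo infected ;;
    *) echo error ;;
  esac
}

# Subject line for the alert mail. Args: exit status, log text, hostname (defaults to this host).
alert_subject() {
  local status="$1" log="$2" host="${3:-$(hostname -f 2>/dev/null || hostname)}"
  case "$(classify_exit "$status")" in
    clean)    echo "[ClamAV] $host: clean" ;;
    infected) echo "[ClamAV] $host: $(printf '%s\n' "$log" | infected_count) infected file(s)" ;;
    error)    echo "[ClamAV] $host: scan error (exit $status), check the log" ;;
  esac
}

# Usage at the end of the cron job (scanner command from the guide, mail via mailx):
#   clamdscan -i $TARGETS --fdpass --move="$QUAR" --log="$LOG"; rc=$?
#   mail -s "$(alert_subject "$rc" "$(cat "$LOG")")" admin@yourdomain.com < "$LOG"
```

Because the exit status is captured separately from the log, a scan that errors out (exit 2, for example when clamd is unreachable) produces an "error" subject instead of silently reporting "clean", which is the failure mode a nightly job most often hides.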
Common Issues and Fixes
- freshclam errors: Check network/firewall; ensure only one updater is running; restart with systemctl restart clamav-freshclam.
- Permission denied: Run scans with sudo; for clamdscan, add --fdpass; verify clamd’s LocalSocket permissions and user group.
- Slow scans: Switch to clamdscan, add exclusions, limit sizes, and schedule during off-peak hours.
- Too many files: Use targeted scans on upload/mail dirs daily and full scans weekly.
- Docker images: Export or save images to scan. Example: docker save image:tag | clamscan -; scanning overlay2 directly is noisy and slow.
Security Context: What ClamAV Can and Can’t Do
- Great at detecting known signatures in files, archives, and mail.
- Not a substitute for patching, least privilege, WAF, backups, or kernel hardening.
- Combine with file integrity monitoring (AIDE), rootkit detection (rkhunter), and web app security best practices.
- For PHP/WordPress sites, scan wp-content/uploads and plugins regularly and maintain vetted themes/plugins.
Optional: Enhance Detection with Community Signatures
Advanced users add vetted third-party signatures (e.g., SaneSecurity) for better web malware coverage. Only use reputable sources and test on staging first to avoid false positives in shared hosting environments.
How YouStable Can Help
At YouStable, our managed Linux hosting stacks are hardened with routine malware scanning, signature updates, and proactive monitoring. If you prefer experts to implement, tune, and maintain ClamAV with backups and incident response, our team can handle it end-to-end while you focus on your applications.
Step-by-Step Quick Reference
- Install: apt install clamav clamav-daemon or dnf install clamav clamav-update clamav-daemon.
- Update DB: freshclam and enable clamav-freshclam service.
- First scan: clamscan -r -i /var/www -l /var/log/clamav/scan.log.
- Daemon speed: systemctl enable --now clamav-daemon or clamd@scan; use clamdscan -i /path.
- Quarantine: --move=/var/quarantine and review before deletion.
- Automate: daily cron job for key paths, weekly full scan off peak.
- Real time: clamonacc for specific upload/mail directories.
FAQs
Is ClamAV necessary on Linux servers?
Yes, if your server handles user uploads, email, or public web content. ClamAV prevents your host from distributing known malware, helps with incident response, and can be integrated into CI/CD pipelines and mail workflows. It complements, not replaces, patching, WAFs, backups, and least-privilege access.
How do I exclude directories in ClamAV scans?
Use --exclude-dir with a regex. For example: --exclude-dir="^/proc|^/sys|^/dev|^/var/lib/docker/overlay2". Exclusions reduce noise and speed scans by skipping virtual and high-churn paths that don’t contain user content.
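A mistyped --exclude-dir pattern either fails the scan or, worse, silently excludes nothing and makes a nightly run take hours. The functions below are an added example (not part of the original guide) for dry-running a pattern against a directory list before the scan, covering both this FAQ answer and the exclusion advice in the tuning section. They rely on grep -E, which like clamscan matches POSIX extended regular expressions against the full directory path, so the ^ anchors only hold for absolute paths. The directory list is constructed sample data; on a real server generate it with find.

```shell
#!/bin/bash
# Added example, not part of the original guide: dry-run an --exclude-dir pattern
# against a list of directories to check what clamscan would skip before a long scan.
# SAMPLE_DIRS is constructed sample data standing in for the output of
# "find /var/www /home -type d" plus the pseudo-filesystems.
SAMPLE_DIRS='/proc
/sys
/dev
/var/www/html
/var/www/html/uploads
/var/lib/docker/overlay2/abc123
/home/alice/public_html
/home/alice/.cache'

# Succeed if the pattern is a valid extended regex (grep exits 2 on a bad regex,
# 1 when the probe line simply does not match).
pattern_ok() {
  printf 'x\n' | grep -E -q -- "$1" 2>/dev/null || [ $? -ne 2 ]
}

# Directories on stdin that PATTERN would exclude.  Args: pattern
excluded_dirs() { grep -E -- "$1" || true; }

# Directories on stdin that would still be scanned.  Args: pattern
scanned_dirs() { grep -E -v -- "$1" || true; }

# Print both lists for a pattern. Returns 1 if the pattern is invalid or excludes
# nothing at all, which usually means the anchors or paths are wrong.
preview_exclusions() {
  local pattern="$1" dirs="$2" ex
  pattern_ok "$pattern" || { echo "invalid regex: $pattern" >&2; return 1; }
  ex=$(printf '%s\n' "$dirs" | excluded_dirs "$pattern")
  echo "pattern: $pattern"
  echo "--- excluded ---"
  [ -n "$ex" ] && printf '%s\n' "$ex"
  echo "--- scanned ---"
  printf '%s\n' "$dirs" | scanned_dirs "$pattern"
  [ -n "$ex" ]
}

# Against a real tree:
#   PATTERN='^/proc|^/sys|^/dev|^/var/lib/docker/overlay2'
#   preview_exclusions "$PATTERN" "$(find / -maxdepth 3 -type d 2>/dev/null)"
```

Run the preview once with the exact string you will pass to --exclude-dir; if the "excluded" list is empty or contains a web root you expected to scan, fix the pattern before adding it to the cron job.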
What’s the difference between clamscan and clamdscan?
clamscan loads signatures each run and is slower on large trees. clamdscan uses the clamd daemon, which caches signatures in memory and scans much faster. On servers, prefer clamdscan with --fdpass for performance and fewer permission issues.
How do I keep signatures updated automatically?
Enable the updater service: systemctl enable --now clamav-freshclam (Debian/Ubuntu) or the freshclam service/timer on RHEL-based systems. This keeps daily.cvd current and dramatically improves detection rates over time.
Can ClamAV scan Docker containers or cPanel accounts?
Yes. For containers, export or save images and pipe them into ClamAV, or scan mounted volumes. For shared hosting (e.g., cPanel), target user homes and public_html with exclusions for system paths, and schedule scans off-peak to minimize impact.
Conclusion
Learning how to use ClamAV on Linux server environments gives you a solid first line of defense against known malware. Keep signatures updated, scan the right paths, quarantine carefully, and automate your workflow. For hands off, production ready implementation, YouStable’s managed hosting includes expert setup and continuous monitoring.