
How to Monitor & Secure ClamAV on Linux Server – Full Guide

To monitor and secure ClamAV on a Linux server, keep virus signatures updated (freshclam), enable real-time on-access scanning, schedule regular full scans, harden clamd/freshclam configs, centralize logs and alerts, quarantine detections, and test with EICAR. Use systemd services and timers for reliability, plus syslog/SIEM integration for visibility and compliance.

ClamAV is a proven, open-source antivirus engine for Linux. In this guide, you’ll learn how to monitor and secure ClamAV on Linux server environments using safe defaults, real-time scanning, scheduled jobs, alerting, and hardening. The steps are beginner-friendly yet production-ready, based on years of hosting and security operations experience.

What Is ClamAV and Why Monitoring Matters

ClamAV provides malware detection for files, archives, email, and web content. Installing it is only half the job—continuous monitoring and secure configuration are what keep servers safe in the real world. Attackers target uploads, temporary directories, web roots, and email spools; without updates, alerting, and on-access scanning, threats can slip by unnoticed.

Core Components You’ll Use

  • clamd: Multithreaded scanning daemon used for speed and concurrent scans.
  • clamscan/clamdscan: On-demand scanners (clamdscan talks to clamd).
  • freshclam: Automatic signature updater.
  • clamonacc: On-access (real-time) scanner using Linux fanotify.

Prerequisites and Quick Checks

  • Linux server with systemd (Ubuntu/Debian, AlmaLinux/RHEL, Rocky, etc.).
  • Root/sudo access.
  • Outbound HTTPS/DNS allowed for signature updates.
  • Basic mail/sendmail or alerting path (optional, for notifications).

Check versions to ensure you’re on a supported build with fanotify support:

clamscan --version
clamd --version
freshclam --version
clamonacc --version

Install and Update ClamAV Properly

Ubuntu/Debian

sudo apt update
sudo apt install -y clamav clamav-daemon clamav-freshclam
sudo systemctl enable --now clamav-freshclam
sudo systemctl enable --now clamav-daemon

# Initial database update (if needed)
sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam

RHEL/AlmaLinux/Rocky

sudo dnf install -y epel-release
sudo dnf install -y clamav clamav-update clamav-server-systemd clamav-scanner-systemd
sudo sed -i 's/^Example/#Example/' /etc/clamd.d/scan.conf
sudo sed -i 's/^Example/#Example/' /etc/freshclam.conf
sudo systemctl enable --now freshclam
sudo systemctl enable --now clamd@scan

Tip: Always verify freshclam runs automatically and the database is current. Out-of-date signatures are the #1 failure mode we see in incident response.
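As an added example (not from the original guide), here is a POSIX shell health check that turns the tip above into something cron, Nagios or a SIEM collector can run on either distro family: it reports the age of the daily signature database, whether the daemon and updater units are active, and whether clamd answers a ping on its socket. The database directory /var/lib/clamav, the 24-hour staleness threshold and the script name clamav-health.sh are assumptions; the unit names are the Debian and RHEL ones used throughout this guide.

```shell
#!/bin/sh
# clamav-health.sh (added example, not part of the original guide).
# Run:  sh clamav-health.sh run     -> exit 0 when everything is healthy
# The functions can also be sourced by other monitoring scripts.

DB_DIR="${CLAMAV_DB_DIR:-/var/lib/clamav}"        # assumed default DatabaseDirectory
MAX_AGE_HOURS="${CLAMAV_MAX_AGE_HOURS:-24}"       # assumed staleness threshold

# Age of a file in whole hours, from its modification time.
# GNU stat -c first, BSD stat -f as a fallback.
file_age_hours() {
    f="$1"
    mtime=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f")
    now=$(date +%s)
    echo $(( (now - mtime) / 3600 ))
}

# freshclam keeps the daily signatures as daily.cld (incremental) or
# daily.cvd (full); whichever exists tells us when signatures last changed.
newest_daily_db() {
    dir="$1"
    for name in daily.cld daily.cvd; do
        if [ -f "$dir/$name" ]; then
            echo "$dir/$name"
            return 0
        fi
    done
    return 1
}

# Returns 0 when the daily database is younger than the threshold,
# 1 when it is stale or missing. Prints a one-line verdict either way.
check_db_freshness() {
    dir="${1:-$DB_DIR}"
    max="${2:-$MAX_AGE_HOURS}"
    db=$(newest_daily_db "$dir") || { echo "STALE: no daily.cld/daily.cvd in $dir"; return 1; }
    age=$(file_age_hours "$db")
    if [ "$age" -ge "$max" ]; then
        echo "STALE: $db is ${age}h old (limit ${max}h)"
        return 1
    fi
    echo "OK: $db is ${age}h old"
    return 0
}

# Returns 0 if any of the given systemd units is active. Debian names the
# daemon clamav-daemon, RHEL-like systems use clamd@scan, so pass both.
check_any_unit_active() {
    for unit in "$@"; do
        if systemctl is-active --quiet "$unit" 2>/dev/null; then
            echo "OK: $unit is active"
            return 0
        fi
    done
    echo "FAIL: none of [$*] is active"
    return 1
}

# clamdscan --ping asks clamd for a PONG over its socket (recent ClamAV
# releases), which catches a daemon that is "active" but not answering.
check_clamd_ping() {
    if clamdscan --ping=1 >/dev/null 2>&1; then
        echo "OK: clamd answered ping"
        return 0
    fi
    echo "FAIL: clamd did not answer ping"
    return 1
}

main() {
    rc=0
    check_db_freshness || rc=1
    check_any_unit_active clamav-daemon clamd@scan || rc=1
    check_any_unit_active clamav-freshclam freshclam || rc=1
    check_clamd_ping || rc=1
    return $rc
}

# Only run the checks when invoked as "clamav-health.sh run", so sourcing
# the file to reuse the functions has no side effects.
if [ "${1:-}" = "run" ]; then
    main
    exit $?
fi
```

A non-zero exit from `sh clamav-health.sh run` is what you wire into a Nagios check or a cron job that mails on failure; the verdict lines go to stdout so they can also be scraped into node_exporter's textfile collector.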

Secure ClamAV Configuration (clamd.conf and freshclam.conf)

Essential clamd.conf Settings

On Debian/Ubuntu, edit /etc/clamav/clamd.conf. On RHEL-like, edit /etc/clamd.d/scan.conf. Below are safe, production-oriented defaults (adjust paths to your distro):

# Run as unprivileged user
User clamav
# Deprecated (always on) since ClamAV 0.101; remove it if clamd warns about it
AllowSupplementaryGroups yes

# Use a local socket, restrict permissions
LocalSocket /run/clamav/clamd.ctl
LocalSocketMode 660

# Logging
LogFile /var/log/clamav/clamd.log
LogTime yes
LogRotate yes
LogSyslog yes

# Detection features
ScanPE yes
ScanELF yes
# Set DetectPUA to yes only if you can triage the extra false positives
DetectPUA no
HeuristicScanPrecedence yes
Bytecode yes

# Resource limits (tune for your server)
MaxFileSize 200M
MaxScanSize 300M
MaxRecursion 16
# Raise MaxThreads on larger CPUs
MaxThreads 4
ReadTimeout 300
StreamMaxLength 300M

# Exclusions (avoid scanning pseudo/virtual FS). Values are regexes, and clamd
# reads everything after the option name as the value, so keep comments on
# their own lines rather than after a setting.
ExcludePath ^/proc/
ExcludePath ^/sys/
ExcludePath ^/dev/
ExcludePath ^/run/
# Container layers: keep or drop depending on whether this host runs containers
ExcludePath ^/var/lib/docker/overlay2/

Secure freshclam.conf Settings

On Debian/Ubuntu: /etc/clamav/freshclam.conf. On RHEL-like: /etc/freshclam.conf. Recommended:

# Log updates
UpdateLogFile /var/log/clamav/freshclam.log
LogTime yes

# Official mirror (CDN-aware)
DatabaseMirror database.clamav.net

# Check up to 12 times/day (balanced)
Checks 12

# Optional: use a proxy if egress is restricted
# HTTPProxyServer proxy.example.com
# HTTPProxyPort 3128

If you must expose clamd over TCP (for remote scanners), bind only to localhost or a management network and firewall strictly:

# clamd.conf
TCPSocket 3310
TCPAddr 127.0.0.1
# then use firewalls/VPNs if exposed beyond localhost

Enable Real-Time (On-Access) Scanning with clamonacc

On-access scanning blocks or detects malware the moment it’s created or modified. clamonacc uses Linux fanotify; ensure your kernel supports it (modern distros do).

Start clamonacc via systemd

Debian/Ubuntu ship a clamav-clamonacc service. clamonacc takes its watch list from the OnAccess* options in clamd.conf, not from command-line flags, so set those first (scan the directories where files arrive—web roots, user homes, uploads):

# clamd.conf (Debian/Ubuntu: /etc/clamav/clamd.conf; RHEL-like: /etc/clamd.d/scan.conf)
# Example: monitor /var/www and /home
OnAccessIncludePath /var/www
OnAccessIncludePath /home
# OnAccessExcludePath carves subtrees out of an included path if needed
# Block access to a detected file instead of only logging it
OnAccessPrevention yes
# Skip clamd's own file operations so scans do not trigger more scans
OnAccessExcludeUname clamav

# Restart clamd to load the OnAccess* settings, then start the on-access scanner
sudo systemctl restart clamav-daemon
sudo systemctl enable --now clamav-clamonacc

# Or run manually in the foreground to test (Ctrl-C to stop):
sudo clamonacc --fdpass --foreground \
  --log=/var/log/clamav/onaccess.log

On RHEL-like systems, you can create a dedicated unit to run clamonacc with your include/exclude set.

# /etc/systemd/system/clamonacc.service
[Unit]
Description=ClamAV On-Access Scanner
Requires=clamd@scan.service
After=clamd@scan.service

[Service]
Type=simple
User=root
# --foreground keeps clamonacc attached (it daemonizes otherwise, which breaks Type=simple);
# --wait gives clamd time to finish loading signatures; --config-file points at the
# RHEL scanner config that holds your OnAccessIncludePath/OnAccessExcludePath set.
# Verify the binary path with: command -v clamonacc
ExecStart=/usr/sbin/clamonacc --foreground --fdpass --wait \
  --config-file=/etc/clamd.d/scan.conf \
  --log=/var/log/clamav/onaccess.log
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

# Enable it
sudo systemctl daemon-reload
sudo systemctl enable --now clamonacc

Keep your include list focused to limit overhead. For high-traffic sites, start with upload directories and expand as needed.

Schedule Regular Full Scans (systemd timers or cron)

Even with on-access scanning, perform scheduled deep scans to catch dormant files and verify exclusions aren’t hiding risks.

# /usr/local/sbin/clamav-scan.sh
#!/usr/bin/env bash
set -euo pipefail
LOG="/var/log/clamav/scan-$(date +%F).log"
mkdir -p /var/log/clamav
# clamdscan exit codes: 0 = clean, 1 = infections found, 2 = error.
# Keep the status instead of discarding it, so a broken scan is not mistaken for a clean one.
rc=0
/usr/bin/clamdscan -m -i --fdpass --log="$LOG" /var/www /home /srv || rc=$?
if [ "$rc" -eq 1 ]; then
  mail -s "ClamAV Malware Found on $(hostname)" root < "$LOG"
elif [ "$rc" -ge 2 ]; then
  mail -s "ClamAV Scan ERROR on $(hostname)" root < "$LOG"
fi

# Make the script executable
sudo chmod +x /usr/local/sbin/clamav-scan.sh

# /etc/systemd/system/clamav-scan.service
[Unit]
Description=Nightly ClamAV Scan

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/clamav-scan.sh

# /etc/systemd/system/clamav-scan.timer
[Unit]
Description=Run ClamAV scan nightly

[Timer]
OnCalendar=02:30
Persistent=true

[Install]
WantedBy=timers.target

# Enable the timer
sudo systemctl daemon-reload
sudo systemctl enable --now clamav-scan.timer

Cron Alternative

sudo bash -c 'cat >/etc/cron.daily/clamav-scan <<"EOF"
#!/usr/bin/env bash
/usr/bin/clamdscan -m -i --fdpass --log=/var/log/clamav/cron-scan.log /var/www /home /srv || true
grep -q "FOUND" /var/log/clamav/cron-scan.log && mail -s "ClamAV Malware Found on $(hostname)" root < /var/log/clamav/cron-scan.log || true
EOF
chmod +x /etc/cron.daily/clamav-scan'

Quarantine, Actions, and Exclusions

Create a Safe Quarantine

sudo mkdir -p /var/quarantine
sudo chown clamav:clamav /var/quarantine
sudo chmod 750 /var/quarantine

# Example: move infected files during scans (run as root so the move succeeds for any owner)
sudo clamdscan -m --fdpass --move=/var/quarantine /var/www

You can also hook a VirusEvent to trigger a response script per detection (notify, isolate, delete after backup verification):

# in clamd.conf
VirusEvent /usr/local/bin/clamav-incident.sh --file=%f --malware=%v

Be conservative with deletions; quarantining first is safer. Always exclude ephemeral paths (/proc, /sys, /run) and large immutables (VM images, backup archives) unless you’ve planned the performance impact.
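As an added example (not from the original guide), here is what the clamav-incident.sh hook referenced above could look like, written to the conservative policy just described: quarantine first, record, notify, never delete. clamd exports the detection to the hook as the environment variables CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME, and reading those instead of interpolating %f/%v onto the command line keeps unusual file names out of the shell. /var/quarantine is the guide's directory; the incident log path /var/log/clamav/incidents.log and the record format are assumptions.

```shell
#!/bin/sh
# clamav-incident.sh (added example, not part of the original guide).
# Configure in clamd.conf as:  VirusEvent /usr/local/bin/clamav-incident.sh
# clamd runs this as the clamav user, so the quarantine directory and the
# detected files must be writable by that user (see the usage note).

QUARANTINE="${QUARANTINE_DIR:-/var/quarantine}"                 # from the guide
INCIDENT_LOG="${INCIDENT_LOG:-/var/log/clamav/incidents.log}"   # assumed path

# Move a detected file into the quarantine under a collision-proof name
# (timestamp + PID + original basename), strip its permissions, and print
# the new path. Returns 1 if the source is missing or the move fails.
quarantine_file() {
    src="$1"; qdir="$2"
    [ -f "$src" ] || return 1
    mkdir -p "$qdir" || return 1
    base=$(basename "$src")
    dest="$qdir/$(date +%Y%m%dT%H%M%S)-$$-$base"
    mv -- "$src" "$dest" || return 1
    chmod 0600 "$dest"
    echo "$dest"
}

# Append one tab-separated record per detection:
# time  host  signature  original-path  quarantine-path
record_incident() {
    file="$1"; sig="$2"; dest="$3"; logfile="$4"
    mkdir -p "$(dirname "$logfile")"
    printf '%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$sig" "$file" "$dest" >>"$logfile"
}

# Full response for one detection: quarantine, record, raise a syslog event
# (auth.alert is where most SIEM pipelines already look). Returns 1 when the
# file could not be quarantined so clamd's log shows the hook failing.
handle_detection() {
    file="$1"; sig="$2"
    dest=$(quarantine_file "$file" "$QUARANTINE") || dest="(quarantine failed)"
    record_incident "$file" "$sig" "$dest" "$INCIDENT_LOG"
    if command -v logger >/dev/null 2>&1; then
        logger -p auth.alert -t clamav-incident "malware=$sig file=$file quarantined=$dest"
    fi
    [ "$dest" != "(quarantine failed)" ]
}

# Entry point. Prefer the variables clamd sets; fall back to positional
# arguments so the script can be exercised by hand:
#   clamav-incident.sh /path/to/file Signature.Name
if [ -n "${CLAM_VIRUSEVENT_FILENAME:-}" ]; then
    handle_detection "$CLAM_VIRUSEVENT_FILENAME" "${CLAM_VIRUSEVENT_VIRUSNAME:-unknown}"
elif [ $# -eq 2 ]; then
    handle_detection "$1" "$2"
fi
```

Two caveats shape this design. Because clamd runs the hook as its own unprivileged user, the quarantine directory from the guide (owned clamav:clamav, mode 750) is writable, but a root-owned file found during a `clamdscan --fdpass` run cannot be moved by the hook; for those cases rely on `clamdscan --move` or `clamonacc --move`, which act as the user who launched the scan, and let the hook do the recording and alerting. And the hook runs once per detection, so keep it short and never block on network calls, or clamd's scanning threads stall.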

Monitoring and Alerts You Can Trust

Watch Logs and Service Health

# Service status
systemctl status clamav-daemon clamav-freshclam 2>/dev/null || true
systemctl status clamd@scan freshclam 2>/dev/null || true

# Recent logs (systemd)
journalctl -u clamav-daemon -u clamav-freshclam -u clamonacc --since "1 hour ago"
journalctl -u clamd@scan -u freshclam --since "1 hour ago"

# Find detections
grep -R "FOUND" /var/log/clamav/ 2>/dev/null

Email and Syslog Alerts

Enable LogSyslog in clamd.conf and forward syslog/journal to your SIEM. For simple email alerts, pipe log excerpts to mail/mailx as shown in the systemd/cron examples.
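The scan script and cron job earlier in this guide mail the whole log when "FOUND" appears; as an added example (not from the original guide), the POSIX shell functions below turn those FOUND lines into a compact alert body instead: a count, a per-signature tally, and the affected files. They parse the documented clamdscan output format `<path>: <signature> FOUND` (signature names contain no spaces, which is what the parser relies on); the sample log lines in the demo are constructed, and the script name clamav-alert.sh is an assumption.

```shell
#!/bin/sh
# clamav-alert.sh (added example, not part of the original guide).
# Dry run with constructed sample lines:  sh clamav-alert.sh demo

# Count FOUND lines in a log. Prints the count and returns 0 only when it is
# non-zero, so it doubles as a condition.
count_found() {
    n=$(grep -c ' FOUND$' "$1" 2>/dev/null || true)
    echo "${n:-0}"
    [ "${n:-0}" -gt 0 ]
}

# Summary suitable for an email or ticket body. The signature is the field
# before FOUND; the path is whatever precedes ": <signature> FOUND", which
# keeps paths containing spaces or colons intact.
summarize_found() {
    awk '
        / FOUND$/ {
            sig  = $(NF-1)
            path = substr($0, 1, length($0) - length(sig) - 8)   # strip ": <sig> FOUND"
            hits[sig]++
            files[++n] = path " (" sig ")"
        }
        END {
            if (n == 0) { print "No detections"; exit }
            printf "%d detection(s)\n", n
            for (s in hits) printf "  %6d  %s\n", hits[s], s
            print "Files:"
            for (i = 1; i <= n; i++) print "  " files[i]
        }
    ' "$1"
}

# Mail the summary only when there is something to report, so a clean
# nightly run produces no message. Uses mail(1) from mailutils/bsd-mailx.
alert_if_found() {
    log="$1"; rcpt="${2:-root}"
    if count_found "$log" >/dev/null; then
        summarize_found "$log" | mail -s "ClamAV: malware found on $(uname -n)" "$rcpt"
        return 0
    fi
    return 1
}

# Constructed sample log (not real detections) for a dry run.
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
/var/www/html/uploads/invoice.pdf.exe: Win.Test.EICAR_HDB-1 FOUND
/home/alice/Downloads/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/srv/ftp/incoming/note.txt: Heuristics.Broken.Executable FOUND
/var/www/html/index.php: OK
EOF
    summarize_found "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

In the nightly script, replace the `mail ... < "$LOG"` line with `alert_if_found "$LOG" root` to send the summary rather than the full log; the same functions run unchanged against the onaccess.log written by clamonacc.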

Prometheus/Nagios Integration

  • Nagios/Icinga: use a plugin to verify freshclam age and clamd health.
  • Prometheus: expose log-derived metrics (detections, database age) via node_exporter’s textfile collector or a community clamav_exporter.

Test Detection with EICAR

curl -fsSL -o /tmp/eicar.com.txt https://secure.eicar.org/eicar.com.txt
clamscan /tmp/eicar.com.txt
# Expect: EICAR test file FOUND

If on-access is enabled for /tmp, simply writing the file should trigger a detection logged in onaccess.log or clamd.log.

Performance Tuning and Best Practices

  • Use clamdscan (daemon) for speed; avoid clamscan in production.
  • Tune MaxThreads to CPU cores (start with 2–4, test under load).
  • Scan during off-peak hours; prioritize high-risk paths (/var/www, uploads, homes).
  • Right-size MaxScanSize/MaxFileSize to avoid thrashing on multi-GB artifacts.
  • Cache-friendly: exclude container layers, VM images, and backup mounts from on-access; scan them in scheduled jobs instead.

Advanced Hardening

User, MAC Policies, and Sockets

  • Run clamd as the clamav user (default). Avoid root unless required for fdpass.
  • Keep LocalSocket permissions restrictive (660) and group-owned by a service group that needs access.
  • Enable and tune SELinux/AppArmor profiles to confine clamd and clamonacc.
  • If using TCP, bind to 127.0.0.1 or a management subnet; enforce firewalls and no public exposure.

Optional: Community Signatures

You can enhance detection using reputable third-party signatures (e.g., Sanesecurity, SecuriteInfo). Validate sources, automate updates cautiously, and track false positives. Test in staging before rolling out to production.

Email and Web Stack Integration

  • Mail servers: integrate clamav-milter with Postfix/Sendmail to scan inbound mail.
  • Web servers: scan uploads at the application layer, and let clamonacc cover file writes at the OS layer.

Troubleshooting Common Issues

freshclam Fails or Is Throttled

  • Check connectivity and DNS: dig database.clamav.net.
  • Reduce Checks if you’re hitting rate limits.
  • If behind a proxy, set HTTPProxyServer and HTTPProxyPort in freshclam.conf.
  • Review /var/log/clamav/freshclam.log for specific errors.

On-Access Errors (fanotify)

  • Ensure clamd is running before clamonacc (or start clamonacc with --wait).
  • Run clamonacc with --fdpass when needed so it can pass file descriptors to clamd.
  • Make sure clamd.conf has at least one OnAccessIncludePath; without it clamonacc has nothing to watch.
  • Exclude network filesystems or special mounts that don’t support fanotify.

False Positives

  • Confirm with VirusTotal or multiple scanners.
  • Temporarily exclude specific paths or hashes while you report upstream.
  • Keep PUA disabled unless you can review alerts quickly.

FAQs: Monitor and Secure ClamAV on Linux Server

How often should I update ClamAV signatures?

Set freshclam to check 6–12 times per day. This balances bandwidth and freshness. In high-risk environments, tighten to hourly checks. Always verify that freshclam is enabled at boot and logs updates successfully.

Is on-access scanning required if I run daily scans?

Yes, for most internet-facing servers. On-access scanning catches threats immediately—before they’re executed or served. Scheduled scans are still important to catch dormant files and verify exclusions.

What should I scan to reduce load on busy servers?

Prioritize web roots, upload directories, email spools, and user homes. Exclude virtual filesystems and large immutable artifacts. Use on-access for high-risk paths and nightly deep scans for the rest.

How do I get alerted when ClamAV finds malware?

Parse “FOUND” lines from clamd/freshclam logs and send email via mailx, or forward logs to your SIEM/Syslog and create rules. The sample systemd timer script in this guide demonstrates a simple email alert.

Can I use third-party signatures safely?

Yes, from reputable providers like Sanesecurity or SecuriteInfo. Test in staging first, monitor for false positives, and document your update process. Keep official databases enabled as your baseline.

By combining timely updates, on-access scanning, scheduled deep scans, robust logging, and alerting, you can confidently monitor and secure ClamAV on Linux server workloads. Adopt the configuration snippets above, test with EICAR, and iterate on exclusions and performance settings for your environment.

Prahlad Prajapati

Prahlad is a web hosting specialist and SEO-focused organic growth expert from India. Active in the digital space since 2019, he helps people grow their websites through clean, sustainable strategies. Passionate about learning and adapting fast, he believes small details create big success. Discover his insights on web hosting and SEO to elevate your online presence.
