For our Blog Visitor only Get Additional 3 Month Free + 10% OFF on TriAnnual Plan YSBLOG10
Grab the Deal
youstable-blog-sidebar

How to Configure ClamAV on Linux Server – (Step-by-Step Guide 2026)

Prahlad Prajapati 7 min read

To configure ClamAV on a Linux server in 2026, install the ClamAV engine and daemon, update signatures with FreshClam, tune clamd.conf for logging and exclusions, run an initial scan, set a quarantine path, schedule recurring scans, and optionally enable on‑access scanning via clamonacc. Use systemd to enable services and verify with the EICAR test file.

This step-by-step guide shows you how to configure ClamAV on a Linux server so it’s fast, reliable, and production-ready. We’ll cover installation across major distributions, FreshClam updates, daemon tuning, exclusions, quarantining, scheduled and on-access scans, verification, and troubleshooting. Whether you administer a VPS or a dedicated server, this setup is secure and practical.

What Is ClamAV and Why Use It on a Linux Server?

What Is ClamAV and Why Use It on a Linux Server?

ClamAV is an open-source antivirus engine used to detect trojans, malware, and malicious scripts on Linux. It’s commonly deployed on web servers, mail gateways, and developer hosts to scan uploads, attachments, and files at rest. With the clamd daemon and FreshClam updates, ClamAV offers fast, signature-based detection plus optional on-access scanning support.

Prerequisites and Best-Fit Use Cases

Before you begin, ensure:

  • Root or sudo access
  • A supported distribution (Ubuntu/Debian, RHEL/AlmaLinux/Rocky, or similar)
  • Outbound HTTPS access for signature updates
  • Sufficient disk I/O and CPU for scanning (clamd speeds up repeated scans)

ClamAV is ideal when you need to scan web roots, mail flow (with MTAs), user uploads, archives, container volumes, and developer environments for known malware.

Step-by-Step: Configure ClamAV on Linux Server (2026)

1) Install ClamAV Packages

Debian/Ubuntu/Mint:

sudo apt update
sudo apt install -y clamav clamav-daemon clamav-freshclam

RHEL/CentOS/AlmaLinux/Rocky:

sudo dnf install -y epel-release
sudo dnf install -y clamav clamd clamav-update

These packages provide the scanning engine, the clamd daemon for fast scans, and FreshClam for automatic signature updates.

2) Update Virus Signatures (FreshClam)

Run an initial update to seed the database:

sudo systemctl stop clamav-freshclam 2>/dev/null || true
sudo freshclam

Then enable the update service:

# Debian/Ubuntu
sudo systemctl enable --now clamav-freshclam

# RHEL/Alma/Rocky
sudo systemctl enable --now freshclam

FreshClam will periodically fetch the latest definitions so your server remains protected.

3) Configure clamd and Logging

ClamAV daemon config files differ by distro. Common paths:

  • Debian/Ubuntu: /etc/clamav/clamd.conf and /etc/clamav/freshclam.conf
  • RHEL-family: /etc/clamd.d/scan.conf and /etc/freshclam.conf

Edit clamd configuration and set logging and a communication socket. Example (adjust to your distro path):

# Example for Debian/Ubuntu: /etc/clamav/clamd.conf
LogFile /var/log/clamav/clamd.log
LogTime yes
LogRotate yes
LocalSocket /run/clamav/clamd.ctl
FixStaleSocket yes
# Optional: reduce noise
LogVerbose no

# Optional: Exclude busy or virtual FS
ExcludePath ^/proc/
ExcludePath ^/sys/
ExcludePath ^/dev/

On RHEL-family systems, the file is often /etc/clamd.d/scan.conf and may reference /run/clamd.scan/clamd.sock by default. Ensure the log directory exists and is writable by the ClamAV user.

sudo mkdir -p /var/log/clamav /var/quarantine
sudo chown -R clamav:clamav /var/log/clamav
sudo chown -R clamav:clamav /var/quarantine

4) Start and Enable clamd

Start the daemon and enable at boot:

# Debian/Ubuntu
sudo systemctl enable --now clamav-daemon

# RHEL-family
sudo systemctl enable --now clamd@scan

Verify status and that it’s listening on its socket:

systemctl status clamav-daemon 2>/dev/null || systemctl status clamd@scan
sudo lsof -U | grep clamd

5) Run Your First On-Demand Scan

Use clamdscan (faster, via daemon) or clamscan (standalone):

# Scan a directory and list only infected files
sudo clamdscan -i /var/www

# Or standalone (slower but independent of clamd)
sudo clamscan -r -i /var/www

To move infections to quarantine during the scan:

sudo clamdscan -i --move=/var/quarantine /var/www
# or
sudo clamscan -r -i --move=/var/quarantine /var/www

6) Set Exclusions and Quarantine Defaults

Exclude paths that cause noise or heavy I/O. You can use command-line flags or conf file directives:

# In clamd.conf (preferred for daemon scans)
ExcludePath ^/proc/
ExcludePath ^/sys/
ExcludePath ^/dev/
ExcludePath ^/var/lib/docker/overlay2/

Tip: Keep at least one scheduled full scan monthly with limited exclusions, and more frequent targeted scans for web roots, mail, and user upload directories.

7) Schedule Automatic Scans

Use cron for a daily off-peak scan and a weekly deep scan. Example cron entries (system-wide crontab):

sudo bash -c 'cat >> /etc/crontab' << "EOF"
# Daily quick scan (infected only), logs to daily.log
02 3 * * * root clamdscan -i --log=/var/log/clamav/daily.log /var/www

# Weekly full scan with quarantine
30 2 * * 0 root clamscan -r -i --exclude-dir="^/proc|^/sys|^/dev" \
 --log=/var/log/clamav/weekly.log --move=/var/quarantine /
EOF

FreshClam already runs as a service; you don’t need a separate cron for updates unless your distro uses cron by default. Confirm with systemctl status.

8) Optional: Enable On-Access Scanning (clamonacc)

On-access scanning watches file operations using fanotify. Ensure your kernel supports fanotify (modern distributions do). Quick start:

# Run clamonacc in the foreground to test
sudo clamonacc --verbose \
  --log=/var/log/clamav/clamonacc.log \
  --move=/var/quarantine \
  --exclude-dir=/proc --exclude-dir=/sys --exclude-dir=/dev \
  --include=/var/www

If your distro ships a clamonacc systemd unit (e.g., clamav-clamonacc), enable it. Otherwise, create a simple unit:

sudo bash -c 'cat > /etc/systemd/system/clamonacc.service' << "EOF"
[Unit]
Description=ClamAV On-Access Scanner
After=network.target clamav-daemon.service

[Service]
Type=simple
ExecStart=/usr/bin/clamonacc --log=/var/log/clamav/clamonacc.log \
 --move=/var/quarantine --exclude-dir=/proc --exclude-dir=/sys --exclude-dir=/dev \
 --include=/var/www
User=root
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

sudo systemctl daemon-reload
sudo systemctl enable --now clamonacc

Start conservatively with specific include paths (e.g., /var/www) to limit overhead on busy servers.

Hardening and Performance Tuning

  • Use clamd for speed: clamdscan reuses loaded signatures, significantly reducing scan time on repeated runs.
  • Target web and mail paths: Focus on /var/www, /home/*/public_html, and mail queues to reduce noise.
  • Quarantine safely: Store quarantined files outside web roots, with strict permissions.
  • Log rotation: Enable LogRotate in clamd.conf or integrate with your system’s logrotate to prevent log growth.
  • Resource limits: If I/O-bound, throttle scans via cron timing and smaller batches; if CPU-bound, schedule off-peak hours and reduce parallel jobs.
  • Secure updates: Keep FreshClam enabled; investigate errors promptly to avoid stale signatures.

Verify Protection with EICAR Test and Troubleshooting

Test Detection (EICAR)

Download the harmless EICAR test file to confirm detection:

curl -o /tmp/eicar.com.txt https://secure.eicar.org/eicar.com.txt
sudo clamdscan -i /tmp/eicar.com.txt
# Expected: FOUND and moved/deleted if configured

Common Issues and Fixes

  • Permission denied: Run scans with sudo for system paths; ensure clamd’s socket and log dirs are owned by the ClamAV user.
  • FreshClam errors: Check network/DNS; run sudo freshclam to see explicit errors; ensure only one FreshClam instance runs.
  • Daemon not starting: Validate clamd.conf paths and sockets; remove stale sockets (FixStaleSocket yes); check systemctl logs.
  • High I/O or CPU: Narrow target paths, increase exclusions, or split scans into smaller cron jobs.
  • False positives: Quarantine instead of deleting; review signatures and restore clean files if needed.

Real-World Use Cases and Integrations

  • Web hosting: Scan WordPress uploads and plugin directories to catch injected PHP malware or webshells.
  • Mail servers: Integrate ClamAV with your MTA (e.g., Postfix + Amavis) to scan inbound attachments.
  • CI/CD pipelines: Scan build artifacts or container layers before promotion to production.
  • With Linux Malware Detect (Maldet): If maldet is installed, it can use ClamAV’s engine to improve detection speed.

Complete Example: From Zero to Protected

Here’s a concise sequence that works on most servers:

# 1) Install
# Debian/Ubuntu
sudo apt update && sudo apt install -y clamav clamav-daemon clamav-freshclam
# RHEL-family
sudo dnf install -y epel-release && sudo dnf install -y clamav clamd clamav-update

# 2) Seed signatures and enable updates
sudo systemctl stop clamav-freshclam 2>/dev/null || true
sudo freshclam
sudo systemctl enable --now clamav-freshclam 2>/dev/null || sudo systemctl enable --now freshclam

# 3) Configure logging and exclusions
sudo mkdir -p /var/log/clamav /var/quarantine
sudo chown -R clamav:clamav /var/log/clamav /var/quarantine
# Edit clamd.conf or scan.conf accordingly (see above)

# 4) Enable daemon
sudo systemctl enable --now clamav-daemon 2>/dev/null || sudo systemctl enable --now clamd@scan

# 5) First scan
sudo clamdscan -i --move=/var/quarantine /var/www

# 6) Schedule scans
echo '02 3 * * * root clamdscan -i --log=/var/log/clamav/daily.log /var/www' | sudo tee -a /etc/crontab

FAQs: Configure ClamAV on Linux Server

Is ClamAV sufficient for Linux server protection?

ClamAV is excellent for detecting known malware and scanning files at rest or in transit (mail, uploads). For layered security, combine it with a firewall, fail2ban, a WAF (e.g., ModSecurity), secure configs, and timely patching. Many hosts pair ClamAV with malware detection tools like Maldet and integrity monitoring.

How do I schedule automatic ClamAV scans?

Use cron to run clamdscan or clamscan at off-peak hours. For example, add a daily job in /etc/crontab and log results to /var/log/clamav/. FreshClam typically runs as a systemd service by default, so you don’t need a separate update cron.

Does ClamAV support real-time (on-access) scanning?

Yes, via clamonacc with fanotify support. It can monitor paths like /var/www for file events. Start with narrow include paths to limit overhead, and run it as a systemd service if your distribution provides a unit or create one manually.

What directories should I exclude from ClamAV scans?

Exclude virtual and ephemeral paths like /proc, /sys, /dev, and heavy container layers like /var/lib/docker/overlay2. Consider excluding large cache directories. Always scan web roots, user uploads, and mail queues where risk is highest.

How can I test that ClamAV is working correctly?

Download the harmless EICAR test file and scan it. You should see a detection event and, if configured, the file moved to quarantine. Also check clamd and FreshClam service status, logs in /var/log/clamav/, and verify that scheduled scans generate reports.

Conclusion

Configuring ClamAV on a Linux server is straightforward: keep signatures fresh, run clamd for speed, scan the right paths, and automate. With on-access monitoring and sensible exclusions, you’ll balance security and performance. Need a managed, security-first stack? YouStable can deploy, tune, and maintain ClamAV as part of a complete server hardening strategy.

Prahlad Prajapati

Prahlad is a web hosting specialist and SEO-focused organic growth expert from India. Active in the digital space since 2019, he helps people grow their websites through clean, sustainable strategies. Passionate about learning and adapting fast, he believes small details create big success. Discover his insights on web hosting and SEO to elevate your online presence.

Leave a Comment

Your email address will not be published. Required fields are marked *

Related Articles

Scroll to Top