To set up ClamAV on a Linux server, install the packages for your distro, update the virus database with FreshClam, start the clamd daemon, and schedule scans or enable on-access scanning. This guide shows step-by-step installation, configuration, performance tuning, exclusions, automation, and troubleshooting for a secure, lightweight malware defense.
In this beginner-friendly guide, you’ll learn how to set up ClamAV on a Linux server the right way. We’ll cover installation on popular distributions, ClamAV configuration, updating with FreshClam, on-demand and real-time scanning, exclusions, automation with cron/systemd, and integrations for web and mail servers.
What is ClamAV and Why Use it on a Linux Server?

ClamAV is an open-source antivirus engine for detecting malware, viruses, trojans, and malicious scripts. It’s widely used on mail gateways, web servers, and file servers to scan attachments, uploads, and user directories. With low overhead and flexible tools (clamscan, clamd, clamonacc), ClamAV adds an essential layer to your Linux server’s defense-in-depth strategy.
Prerequisites and Supported Distributions
- Root or sudo access
- Outbound internet for FreshClam (DNS + HTTP)
- Recommended: 1+ GB RAM for clamd on busy servers
- Distributions: Ubuntu/Debian, RHEL/CentOS/AlmaLinux/Rocky, openSUSE, Arch/Manjaro
Install ClamAV on Popular Linux Distros
Ubuntu / Debian
sudo apt update
sudo apt install -y clamav clamav-daemon
# Update the database (stop service to avoid lock)
sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl enable --now clamav-freshclam
# Start the daemon for faster scans
sudo systemctl enable --now clamav-daemon
RHEL / CentOS / AlmaLinux / Rocky
sudo dnf install -y epel-release
sudo dnf install -y clamav clamav-update clamav-scanner systemd
# Seed the database
sudo freshclam
# Enable clamd@scan (provided by distribution)
sudo systemctl enable --now clamd@scan
# Optional: enable FreshClam as a timer or service if available
# On some releases:
# sudo systemctl enable --now clamav-freshclam
openSUSE / SLES
sudo zypper refresh
sudo zypper install -y clamav clamav-daemon
sudo systemctl enable --now freshclam
sudo systemctl enable --now clamd
Arch / Manjaro
sudo pacman -Syu --noconfirm
sudo pacman -S --noconfirm clamav
# Initialize and enable services
sudo freshclam
sudo systemctl enable --now clamav-freshclam
sudo systemctl enable --now clamav-daemon
Update Virus Databases with FreshClam
FreshClam retrieves signatures from the ClamAV network. Ensure it runs as a service or timer so your server always scans with the latest database.
# Check FreshClam status and logs
sudo systemctl status clamav-freshclam || systemctl status freshclam
sudo tail -f /var/log/clamav/freshclam.log
# Manual update
sudo freshclam
If you see mirror/DNS errors, confirm your server can resolve database.clamav.net and outbound HTTP/HTTPS is allowed.
Run On-Demand Scans (clamscan and clamdscan)
Use clamscan for direct scans, or clamdscan for faster scans via the clamd daemon. For first runs on big file trees, clamdscan is significantly quicker.
# Quick test
clamscan --version
freshclam --version
# Scan a directory (report only infected)
sudo clamscan -r -i /var/www
# Faster: use clamd (requires clamav-daemon/clamd@scan running)
sudo clamdscan --fdpass -i /var/www
Useful flags:
- -r: recursive
- -i: print only infected files
- --remove: delete infected files (use with caution)
- --move=/quarantine: isolate infected files
- --exclude-dir, --exclude: skip noisy or irrelevant paths
Configure clamd for Performance and Security
Daemon configs vary by distro:
- Debian/Ubuntu: /etc/clamav/clamd.conf
- RHEL-family: /etc/clamd.d/scan.conf (service clamd@scan)
- Logs: typically /var/log/clamav/clamav.log
# Common tuning options (examples)
sudo editor /etc/clamav/clamd.conf # or /etc/clamd.d/scan.conf
# Example directives to review:
LogFile /var/log/clamav/clamav.log
LogTime yes
LogClean yes
TCPSocket 3310
TCPAddr 127.0.0.1
# Or use a local Unix socket (--fdpass only takes effect over a local socket, not TCP)
# LocalSocket /run/clamav/clamd.ctl
# Resource controls (adjust to server size)
MaxFileSize 200M
MaxScanSize 400M
MaxRecursion 20
FollowFileSymlinks false
After edits, restart services:
sudo systemctl restart clamav-daemon || sudo systemctl restart clamd@scan
sudo systemctl restart clamav-freshclam || sudo systemctl restart freshclam
Enable On-Access (Real-Time) Scanning with clamonacc
ClamAV provides on-access scanning with clamonacc (fanotify). It inspects file open events and hands them to clamd. This is ideal for uploads and shared directories. Ensure your kernel supports fanotify (modern distros do).
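# Watched paths are set in clamd.conf (or /etc/clamd.d/scan.conf), not with a
# clamonacc flag. Example: monitor /var/www and /home
OnAccessIncludePath /var/www
OnAccessIncludePath /home
# Exclude the account clamd runs as (clamav here; it differs by distro) so the
# daemon's own file reads do not trigger further scans
OnAccessExcludeUname clamav
# Restart clamd, then start clamonacc by hand to test
sudo mkdir -p /var/log/clamav /quarantine
sudo clamonacc --fdpass --log=/var/log/clamav/clamonacc.log --move=/quarantine
# Systemd service (generic example)
# /etc/systemd/system/clamonacc.service
[Unit]
Description=ClamAV On-Access Scanner
After=network.target clamd@scan.service
[Service]
Type=simple
# --foreground stops clamonacc from daemonizing, which Type=simple requires
ExecStart=/usr/bin/clamonacc --foreground --fdpass --log=/var/log/clamav/clamonacc.log
Restart=on-failure
[Install]
WantedBy=multi-user.target
# Enable it
sudo systemctl daemon-reload
sudo systemctl enable --now clamonacc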
Start with small include paths to avoid high CPU usage. Combine on-access scanning with sensible exclusions for performance.
Exclusions and Performance Tuning
- Exclude ephemeral paths: /proc, /sys, /dev, /run, /var/lib/docker, VM images
- Exclude caches and backups: node_modules, .cache, vendor/.cache, tmp/
- Scan uploads and user dirs: /var/www, /home, shared storage
- Use clamdscan over clamscan for repeated scans
- Tune MaxScanSize/MaxFileSize based on your workload
# Example exclusion usage
sudo clamscan -r -i / \
--exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' \
--exclude-dir='^/run' --exclude-dir='^/var/lib/docker' \
--exclude='\.iso$' --exclude='\.img$'
Automate Scans with Cron or systemd Timers
Schedule nightly scans and signature refresh to keep protection consistent without manual work.
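# Root crontab (sudo crontab -e); cron has no line continuation, so keep each entry on one line
# Nightly scan at 2:15 AM, quarantine infections
15 2 * * * /usr/bin/clamdscan --fdpass -i /var/www --move=/quarantine >> /var/log/clamav/nightly.log 2>&1
# Weekly full scan (Sunday 03:00). clamdscan ignores --exclude-dir (daemon scans
# take exclusions from ExcludePath in clamd.conf), so this entry uses clamscan
0 3 * * 0 /usr/bin/clamscan -r -i / --exclude-dir='^/(proc|sys|dev|run|var/lib/docker)' --log=/var/log/clamav/weekly.log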
Integrations: Web and Mail Servers
- Mail gateways (Postfix/Exim) via Amavis or direct clamd integration to scan attachments.
- Web servers (Apache/Nginx) and PHP apps: scan file uploads by calling clamdscan on upload events.
- FTP/SFTP servers: schedule or on-access scan upload directories.
For cPanel or DirectAdmin, enable the ClamAV plugin if available, or run clamd and schedule scans for user homes. Always test on a staging domain before enforcing removal/quarantine policies.
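One way to wire the upload-scanning integration described above, as an added example that is not code from the original article: the gate maps the scanner's exit status (0 clean, 1 infected, 2 error) to accept, quarantine, or reject, and rejects on any scanner error so a stopped clamd does not let files through. The function name scan_upload and the SCANNER and QUARANTINE defaults are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article.
# clamscan/clamdscan exit status: 0 = clean, 1 = virus found, 2 = error.
# SCANNER and QUARANTINE are assumed defaults; override them per host.
SCANNER="${SCANNER:-clamdscan --fdpass --no-summary}"
QUARANTINE="${QUARANTINE:-/quarantine}"

# scan_upload FILE
# Prints accept | quarantined | reject and returns 0 | 1 | 2.
scan_upload() {
    upload=$1
    if [ ! -f "$upload" ]; then
        echo reject
        return 2
    fi
    # $SCANNER is left unquoted on purpose so its options split into words.
    rc=0
    $SCANNER "$upload" >/dev/null 2>&1 || rc=$?
    case $rc in
        0)
            echo accept
            ;;
        1)
            # Infected: move it out of the served tree and strip permissions.
            mkdir -p "$QUARANTINE"
            chmod 700 "$QUARANTINE"
            dest="$QUARANTINE/$(date +%Y%m%dT%H%M%S).$$.$(basename "$upload")"
            if mv -- "$upload" "$dest" && chmod 000 "$dest"; then
                echo quarantined
            else
                rc=2
                echo reject
            fi
            ;;
        *)
            # clamd down, timeout, unreadable file: fail closed.
            rc=2
            echo reject
            ;;
    esac
    return "$rc"
}
```

Call scan_upload from the upload handler and publish the file only when it prints accept.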
Troubleshooting and Logs
- FreshClam logs: /var/log/clamav/freshclam.log
- ClamAV logs: /var/log/clamav/clamav.log
- System journal: journalctl -u clamav-daemon, -u clamd@scan, -u clamav-freshclam
# Common fixes
# 1) Database lock or update conflict
sudo systemctl stop clamav-freshclam || true
sudo rm -f /var/lib/clamav/*.cld.lock /var/lib/clamav/*.cvd.lock
sudo freshclam
sudo systemctl start clamav-freshclam || true
# 2) clamd won't start: check permissions/sockets
sudo getent group clamav
sudo ls -l /run/clamav
sudo grep -E '^(LogFile|LocalSocket|TCPSocket|TCPAddr)' /etc/clamav/clamd.conf 2>/dev/null || \
grep -E '^(LogFile|LocalSocket|TCPSocket|TCPAddr)' /etc/clamd.d/scan.conf
Uninstall or Disable ClamAV
# Debian/Ubuntu
sudo systemctl disable --now clamav-daemon clamav-freshclam
sudo apt remove --purge -y clamav clamav-daemon clamav-freshclam
# RHEL-family
sudo systemctl disable --now clamd@scan
sudo dnf remove -y clamav\*
Best Practices from Real-World Hosting
- Scan uploads at the edge: web upload dir, mail queues, shared storage.
- Quarantine first, delete later. Review logs to avoid false positives.
- Keep databases fresh (FreshClam) and monitor failures via alerts.
- Combine with WAF, PHP hardening, and least-privilege file permissions.
- Benchmark clamd vs clamscan on your workload to tune resources.
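A check for the "keep databases fresh and monitor failures" practice, as an added example that is not code from the original article: it reports when the newest daily signature file is older than a threshold, which catches a FreshClam service that has silently stopped updating. The 48-hour threshold, the /var/lib/clamav path, the function names, and the syslog tag are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article.
# DB_DIR and MAX_AGE_HOURS are assumed defaults; adjust them per host.
DB_DIR="${DB_DIR:-/var/lib/clamav}"
MAX_AGE_HOURS="${MAX_AGE_HOURS:-48}"

# newest_daily_mtime DIR
# Prints the newest mtime (epoch seconds) of daily.cvd / daily.cld, or 0.
newest_daily_mtime() {
    newest=0
    for db in "$1/daily.cvd" "$1/daily.cld"; do
        [ -f "$db" ] || continue
        m=$(stat -c %Y "$db") || continue   # GNU stat
        if [ "$m" -gt "$newest" ]; then newest=$m; fi
    done
    echo "$newest"
}

# db_status DIR MAX_HOURS [NOW_EPOCH]
# Prints "fresh Nh", "stale Nh" or "missing"; returns 0, 1 or 2.
db_status() {
    now=${3:-$(date +%s)}
    mtime=$(newest_daily_mtime "$1")
    if [ "$mtime" -eq 0 ]; then
        echo missing
        return 2
    fi
    age_h=$(( ($now - $mtime) / 3600 ))
    if [ "$age_h" -gt "$2" ]; then
        echo "stale ${age_h}h"
        return 1
    fi
    echo "fresh ${age_h}h"
}

# Run as "script --check" from cron; a non-fresh result goes to syslog.
if [ "${1:-}" = "--check" ]; then
    status=$(db_status "$DB_DIR" "$MAX_AGE_HOURS") ||
        logger -p daemon.warning -t clamav-db "signatures $status in $DB_DIR"
fi
```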
If you prefer managed security hardening, the YouStable team can deploy and tune ClamAV, WAF rules, and server monitoring across dedicated, VPS, or cloud servers, so you can focus on your apps.
FAQs: Setup ClamAV on Linux Server
Is ClamAV necessary on Linux servers?
Yes, especially for servers handling user content (uploads, email, shared files). ClamAV detects malware, webshells, and trojans, reducing infection risk and preventing distribution to other systems.
How do I update ClamAV signatures automatically?
Enable FreshClam as a service or timer. On Debian/Ubuntu: systemctl enable --now clamav-freshclam. On RHEL/openSUSE variants, enable the freshclam service or create a cron job running freshclam regularly.
What’s the difference between clamscan and clamdscan?
clamscan runs the scanning engine directly and is slower on repeated scans. clamdscan sends files to the long-running clamd daemon, which caches signatures in memory and dramatically speeds up scanning.
Can ClamAV provide real-time protection on Linux?
Yes, via clamonacc (fanotify-based on-access scanning). It monitors paths and scans files on open events through clamd. Start with limited include paths and add exclusions to control CPU and I/O impact.
Which directories should I scan or exclude?
Scan uploads, mail queues, /var/www, and user home directories. Exclude /proc, /sys, /dev, /run, container layers (/var/lib/docker), and large image backups. Use --exclude-dir and size limits to balance speed and coverage.