
How to Install ClamAV on Linux Server: (Step-by-Step Guide 2026)

To install ClamAV on a Linux server, update your package index, install ClamAV and its daemon, update virus signatures with FreshClam, then start and enable the services. Use clamscan for on-demand scans or clamd/clamdscan for faster, daemon-powered scanning. Schedule regular scans and updates to keep malware detection current.

Setting up antivirus on a Linux host is a practical way to catch malware in uploaded files, email attachments, and web content before it spreads. In this guide, you’ll learn how to install ClamAV on Linux server distributions (Ubuntu/Debian, RHEL/CentOS/AlmaLinux/Rocky, and openSUSE), configure updates, run fast scans, schedule jobs, and troubleshoot common issues with a simple, production-ready approach.

What Is ClamAV and Why Use It on a Linux Server?

ClamAV is an open-source antivirus engine that detects malware, viruses, trojans, and potentially unwanted applications across multiple file types. On Linux servers, it’s widely used to scan user uploads, web roots, mail queues, and backups. It does not replace good patching and hardening, but it adds an important layer of defense—especially for shared hosting, mail servers, and file gateways.

Prerequisites

  • Root or sudo access
  • A supported Linux distribution (Ubuntu/Debian, RHEL/CentOS/AlmaLinux/Rocky, openSUSE)
  • Network access (for downloading signature updates)
  • 1–2 GB RAM recommended for clamd; more for large file sets

How to Install ClamAV on Linux (All Major Distros)

Ubuntu/Debian

sudo apt update
sudo apt install -y clamav clamav-daemon

# Stop FreshClam temporarily to update signatures manually the first time
sudo systemctl stop clamav-freshclam
sudo freshclam

# Start and enable services
sudo systemctl enable --now clamav-freshclam
sudo systemctl enable --now clamav-daemon

# Verify
clamscan --version
systemctl status clamav-daemon clamav-freshclam

Debian/Ubuntu packages typically place configs in /etc/clamav/. The clamd local socket is usually /var/run/clamav/clamd.ctl and FreshClam manages signature files automatically.

RHEL/CentOS/AlmaLinux/Rocky (8/9)

# Enable EPEL for ClamAV packages
sudo dnf install -y epel-release

# Install ClamAV components
sudo dnf install -y clamav clamav-update clamav-scanner-systemd

# Update signatures (first run)
sudo freshclam

# Enable and start the scanning daemon instance
sudo systemctl enable --now clamd@scan

# Optionally enable FreshClam service if provided by your distro
# (some RHEL-based systems rely on freshclam via cron)
# sudo systemctl enable --now clamav-freshclam

# Verify
clamscan --version
systemctl status clamd@scan

On RHEL-based distros, clamd configuration often lives in /etc/clamd.d/scan.conf and uses a systemd instance clamd@scan. FreshClam may run as a service or via cron depending on your repository.

openSUSE/SUSE Linux Enterprise

sudo zypper refresh
sudo zypper install -y clamav clamav-daemon

# Update signatures and start services
sudo systemctl stop freshclam
sudo freshclam
sudo systemctl enable --now freshclam
sudo systemctl enable --now clamd

# Verify
clamscan --version
systemctl status clamd freshclam

Update Virus Signatures with FreshClam

FreshClam keeps ClamAV’s virus definitions up to date. After installation, ensure FreshClam is enabled and running, or configure a cron job if your distro doesn’t ship a service.

# Run a manual update
sudo freshclam

# Check service (if available)
systemctl status clamav-freshclam
# or
systemctl status freshclam

Configuration paths are typically /etc/clamav/freshclam.conf (Debian/Ubuntu) or /etc/freshclam.conf (RHEL-based). Keep DatabaseMirror defaults unless you maintain a local mirror.

Configure clamd for Faster Scanning

The clamd daemon keeps signatures in memory and uses a local socket for fast scanning. Verify the socket path and file permissions so clamdscan can communicate with the daemon.

# Debian/Ubuntu: /etc/clamav/clamd.conf (ensure these lines exist/uncommented)
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
User clamav
LogFile /var/log/clamav/clamd.log
LogTime yes

# RHEL-based: /etc/clamd.d/scan.conf (common defaults)
LocalSocket /run/clamd.scan/clamd.sock
FixStaleSocket yes
User clamscan
LogFile /var/log/clamd.scan
LogTime yes

# After editing, restart clamd service
sudo systemctl restart clamav-daemon   # Debian/Ubuntu
# or
sudo systemctl restart clamd@scan      # RHEL-based

Use clamdscan for on-demand scans through the daemon. It is significantly faster than clamscan on large directories.

Run Your First Scan (On-Demand)

Quick checks

# Scan a specific file or directory
clamscan /path/to/file
clamscan -r /var/www

# Use the daemon for speed (recommended)
clamdscan /var/www

# Print only infected results and summary (root is needed to write under /var/log/clamav)
sudo clamscan -r --infected --bell --log=/var/log/clamav/manual-scan.log /var/www

# Move infected files to quarantine (the directory is root-owned, so scan as root)
sudo mkdir -p /var/quarantine
sudo chown -R root:root /var/quarantine
sudo clamscan -r --infected --move=/var/quarantine /home

Be careful with --remove; consider using --move to quarantine, review logs, and then delete if confirmed malicious.

Schedule Automatic Scans

Automating malware checks ensures consistency. Cron is simplest, but you can also use systemd timers.

Cron example (daily scan at 02:30)

sudo crontab -e
# Add:
30 2 * * * /usr/bin/clamdscan --fdpass --infected --move=/var/quarantine /var/www >> /var/log/clamav/daily-webroot.log 2>&1

Use --fdpass when clamd runs as a different user so file descriptors are passed correctly. If clamdscan is unavailable, switch to clamscan with similar options.
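The cron line above appends everything to one log, so a scan that failed (for example because clamd was down) looks the same as a clean one. The wrapper below is an added example, not part of the original guide: it maps the scanner's exit code to a status and checks signature age. The variable names, the /var/lib/clamav database directory and the two-day threshold are assumptions.

```shell
#!/bin/sh
# Added example: cron wrapper that tells "clean" apart from "scan failed".
# Paths below are assumptions; override them through the environment.
SCANNER="${SCANNER:-/usr/bin/clamdscan}"
QUARANTINE="${QUARANTINE:-/var/quarantine}"
LOG="${LOG:-/var/log/clamav/daily-webroot.log}"
DB_DIR="${DB_DIR:-/var/lib/clamav}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-2}"

# clamscan/clamdscan exit codes: 0 = no virus, 1 = virus found, 2 = error.
scan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# True if a daily signature database in dir $1 changed within the last $2 days.
sigs_fresh() {
    [ -n "$(find "$1" -name 'daily.c[lv]d' -mtime "-$2" 2>/dev/null)" ]
}

# Scan $1, append scanner output plus a status line to $LOG, print the status.
run_scan() {
    rc=0
    "$SCANNER" --fdpass --infected --move="$QUARANTINE" "$1" >>"$LOG" 2>&1 || rc=$?
    st=$(scan_status "$rc")
    printf '%s target=%s rc=%s status=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$rc" "$st" >>"$LOG"
    echo "$st"
}

# Cron entry point: silent when clean, writes to stderr otherwise so that
# cron's MAILTO delivers the message.
if [ "$#" -gt 0 ]; then
    sigs_fresh "$DB_DIR" "$MAX_AGE_DAYS" ||
        echo "ClamAV signatures in $DB_DIR are older than $MAX_AGE_DAYS days" >&2
    st=$(run_scan "$1")
    [ "$st" = clean ] || { echo "ClamAV scan of $1: $st (see $LOG)" >&2; exit 1; }
fi
```

Saved under a name of your choice and called from root's crontab with the target directory as its only argument, it replaces the one-line job.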

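  • Exclude temp and cache directories to reduce noise and I/O. --exclude-dir takes a regular expression, so anchor each path; an unanchored /dev would also skip a directory such as /var/www/dev:
    clamscan -r --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' --exclude-dir='^/var/cache' /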

  • For clamd, use ExcludePath in the config for permanent exclusions.
  • Set sensible size limits for large files and archives if needed (in clamd.conf):
    MaxFileSize 200M
    MaxScanSize 400M
    MaxRecursion 16

  • Prefer clamdscan over clamscan for large trees.
  • Place signatures and sockets on fast local storage; avoid network mounts for the socket.

Real-Time (On-Access) Scanning with clamonacc

ClamAV supports on-access scanning via clamonacc (fanotify). It watches directories and submits files to clamd when accessed. This adds overhead and should be targeted to high-risk paths like upload folders rather than the entire filesystem.

# Example (adjust paths for your distro)
# clamonacc reads the directories to watch from clamd.conf, for example:
#   OnAccessIncludePath /var/www/html/wp-content/uploads
#   OnAccessExcludeUname clamav
sudo mkdir -p /var/quarantine
sudo clamonacc \
  --log=/var/log/clamav/clamonacc.log \
  --move=/var/quarantine \
  --fdpass \
  --config-file=/etc/clamav/clamd.conf

Run clamd first, and consider creating a dedicated systemd service or using provided units if your distribution ships them. Limit on-access to specific directories to avoid heavy CPU and I/O usage.

Logging, Alerts, and Reporting

  • Logs: clamd logs in /var/log/clamav/ or /var/log/clamd.scan (distro-dependent). FreshClam logs updates to freshclam.log.
  • Enable LogTime yes and optionally LogClean no to reduce verbosity.
  • Integrate alerts with your monitoring: tail logs and notify via mailx, Slack webhooks, or your SIEM.
# Show infected detections from the latest log
grep -i "FOUND" /var/log/clamav/*.log
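
A plain grep re-reports every old detection on each run and leaves the signature and path fused in one string. The functions below are an added example, not from the original guide: they split each FOUND line into signature and path for both the clamd (LogTime-prefixed) and clamscan formats, and emit only detections not seen before. The sample log lines are constructed and the state-file path in the closing comment is an assumption.

```shell
#!/bin/sh
# Added example: turn ClamAV "FOUND" log lines into one record per detection.

# Constructed sample covering clamd (LogTime prefix) and clamscan line formats.
sample_log() {
    cat <<'EOF'
Tue Mar  4 02:30:11 2025 -> /var/www/html/wp-content/uploads/a.php: Eicar-Signature FOUND
/var/www/html/upload dir/note: v2.txt: Eicar-Signature FOUND
/var/www/html/index.php: OK
Tue Mar  4 02:30:12 2025 -> SelfCheck: Database status OK.
Infected files: 2
EOF
}

# Print "signature<TAB>path" for each detection in the named logs (or stdin).
clam_detections() {
    awk '
        / FOUND$/ {
            line = $0
            # Drop the "Day Mon DD HH:MM:SS YYYY -> " prefix written with LogTime.
            sub(/^[A-Z][a-z][a-z] [A-Z][a-z][a-z] +[0-9]+ [0-9:]+ [0-9]+ -> /, "", line)
            sub(/ FOUND$/, "", line)
            # The signature is the last ": token"; paths may contain ": " themselves.
            if (match(line, /: [^ ]+$/))
                printf "%s\t%s\n", substr(line, RSTART + 2), substr(line, 1, RSTART - 1)
        }' "$@"
}

# Print detections not yet listed in state file $1 and record them there,
# so a job that re-reads the same log raises each alert once.
clam_new_detections() {
    state="$1"; shift
    touch "$state"
    clam_detections "$@" | sort -u | while IFS= read -r rec; do
        grep -Fqx -- "$rec" "$state" && continue
        printf '%s\n' "$rec" | tee -a "$state"
    done
}

# Typical use (state-file path is hypothetical):
#   clam_new_detections /var/lib/clam-alerts.seen /var/log/clamav/*.log | logger -t clamav -p auth.warning
```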

Use Cases: Web and Mail Servers

  • Web servers: Scan /var/www and specifically user-upload directories. Automate scans after deployments and nightly.
  • Mail servers: Pair ClamAV with Amavis/SpamAssassin, Postfix, or Exim to scan inbound/outbound mail queues.
  • File gateways: Scan NFS/Samba shares before files reach user endpoints.

Troubleshooting Common Issues

  • FreshClam “locked database” or permission errors: Stop service, update manually, then restart:
    sudo systemctl stop clamav-freshclam || true
    sudo freshclam
    sudo systemctl start clamav-freshclam || true

  • “Can’t connect to clamd”: Check LocalSocket path in clamd.conf and permissions; confirm clamd is running.
  • High CPU or slow scans: Add exclusions, increase MaxFileSize judiciously, and use clamdscan.
  • False positives: Quarantine first, review logs, whitelist hashes or paths where appropriate.
  • Signature update failures: Verify DNS and HTTP egress; ensure mirrors aren’t blocked by a firewall or proxy.

Uninstall or Disable ClamAV

If you need to remove ClamAV, stop services first and then remove packages. Only do this if you have alternative protections in place.

# Ubuntu/Debian
sudo systemctl disable --now clamav-daemon clamav-freshclam
sudo apt remove --purge -y clamav clamav-daemon

# RHEL-based
sudo systemctl disable --now clamd@scan
sudo dnf remove -y 'clamav*'   # quoted so the shell passes the pattern to dnf unexpanded

Security Best Practices with ClamAV

  • Keep the OS and ClamAV updated; signatures age quickly.
  • Use least privilege: run clamd as the clamav/clamscan user.
  • Scan only what matters (uploads, mail queues, user homes). Don’t waste cycles on /proc, /sys, or immutable system dirs.
  • Quarantine before deletion and review detections.
  • Log and alert on infections; integrate with your monitoring stack.
  • Combine with other layers: WAF, secure configurations, principle of least privilege, and timely patching.

Why This Matters for Hosting: A Note from YouStable

If you manage client websites, shared hosting, or business email, ClamAV significantly reduces the risk of distributing malware from your server. At YouStable, our managed VPS and dedicated servers can ship with ClamAV preconfigured, automated updates, and scheduled scans—so your stack stays secure while you focus on growth.

FAQ: Install ClamAV on Linux Server

Is ClamAV real-time antivirus on Linux?

Yes, with clamonacc (fanotify) it can monitor directories in real time. It’s best to restrict monitoring to high-risk paths like upload folders. Full-system on-access scanning can be heavy; schedule periodic full scans instead.

What’s the difference between clamscan and clamdscan?

clamscan is a standalone scanner that loads signatures each run (slower). clamdscan uses the clamd daemon, which keeps signatures in memory (faster). For servers and scheduled tasks, clamdscan is recommended.

How do I update ClamAV signatures automatically?

Enable the FreshClam service (clamav-freshclam or freshclam) so it checks mirrors regularly. If your distro doesn’t ship a service, add a cron job that runs freshclam every hour.

Can ClamAV remove or quarantine threats?

Yes. Use --move=/path/to/quarantine with clamscan or configure clamdscan with a quarantine directory. Review quarantined files before deletion to avoid data loss from false positives.

Which directories should I scan on a web server?

Focus on /var/www (or your doc roots), user home directories, and upload/temp locations used by applications (for example, WordPress wp-content/uploads). Exclude system paths like /proc, /sys, and /dev.

Does ClamAV detect Windows malware on Linux?

Yes. ClamAV detects a wide range of Windows and cross-platform malware. This is critical for mail and file servers to prevent passing infected files to Windows endpoints.

How often should I schedule scans?

For most servers, daily or weekly scans of key directories are sufficient, plus near real-time scanning of upload locations if feasible. Always keep FreshClam updating hourly or at least several times a day.

Final Thoughts

Installing ClamAV on a Linux server is straightforward and adds a dependable layer to your defense-in-depth strategy. Keep signatures fresh, scan the right paths, and log results. If you prefer a hands-off setup, consider a managed server from YouStable with ClamAV and security best practices pre-tuned for your workloads.

Prahlad Prajapati

Prahlad is a web hosting specialist and SEO-focused organic growth expert from India. Active in the digital space since 2019, he helps people grow their websites through clean, sustainable strategies. Passionate about learning and adapting fast, he believes small details create big success. Discover his insights on web hosting and SEO to elevate your online presence.
