How to Install and Configure ClamAV AntiVirus on Linux

As you read through this page, you may find yourself asking a number of questions.

If so, the questions listed below are probably among them.

  • Is Linux operating system virus-free?
  • Is the Linux operating system malware-free?
  • Why does Linux need AntiVirus?
  • Does Windows Malware Run on Linux?
  • How many Malware or Viruses have been reported on Linux?

The Linux operating system is not virus-free, but very little malware has been reported for it to date.

Linux has never seen a widespread malware infection comparable to those on Windows.

Linux is very secure in its architecture, so you don’t need to worry much about viruses.

However, new viruses and other malicious programs are always emerging to beat the latest protections that computer architects and security companies can create.

So you can choose an antivirus application based on your needs to add an extra layer of security to your Linux system.

Today, we are going to discuss ClamAV, which is one of the best-known antivirus packages for Linux.

What is ClamAV?

ClamAV is an open source antivirus toolkit designed specifically for e-mail scanning on mail gateways.

It offers a number of applications, including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automated database updates.

  • clamdscan – a simple scanning client
  • on-access scanning – provides real-time protection via a clamd instance
  • clamdtop – a resource monitoring interface for clamd

Since clamd requires a virus signature database to run, download the official ClamAV signatures with freshclam before starting clamd.

The daemon works by listening for commands on the sockets specified in clamd.conf. Listening is supported over both Unix domain sockets and TCP sockets.

ClamAV is used to detect viruses, Trojans and other forms of malware on Linux-based systems.

ClamAV Features

  • ClamAV is designed to scan files quickly.
  • Real-time protection
  • ClamAV detects over 1 million viruses, worms, trojans, mobile malware and other threats.
  • Supports almost all mail file formats
  • Supports file formats such as HTML, Flash, RTF, MS Office, MacOffice and PDF
  • Supports archive formats such as Zip, RAR, Dmg, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others

1) How to Install ClamAV on Linux

ClamAV can be installed easily from the distribution's official repository.

For Red Hat-based systems, you may need to enable the EPEL repository, as some packages may not be available in the distribution's official repository.

For RHEL/CentOS 6 systems, run the commands below.

$ sudo yum install -y epel-release
$ sudo yum install -y clamav

For RHEL/CentOS 7 systems, use the yum command to install ClamAV.

$ sudo yum install -y epel-release
$ sudo yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

For RHEL/CentOS 8 and Fedora systems, use the dnf command to install ClamAV.

$ sudo dnf install -y epel-release
$ sudo dnf -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

For Debian-based systems, use the apt command or apt-get command to install ClamAV.

$ sudo apt-get update
$ sudo apt-get install clamav

For openSUSE systems, use the zypper command to install ClamAV.

$ sudo zypper install -y clamav

2) How to Configure SELinux for ClamAV

Red Hat-based systems use SELinux policy, so you may need to enable the “antivirus_can_scan_system” boolean manually for ClamAV to function properly.

$ sudo setsebool -P antivirus_can_scan_system 1

3) How to Configure ClamAV

Before using ClamAV, you must remove the “Example” line from the configuration file (back it up first), which can be done with the sed command.

$ sudo cp /etc/clamd.d/scan.conf /etc/clamd.d/scan.conf.bk
$ sudo sed -i '/^Example/d' /etc/clamd.d/scan.conf

You must also uncomment the following LocalSocket option, which allows clamdscan and other applications to communicate with clamd.

LocalSocket /var/run/clamd.scan/clamd.sock

4) How to Configure freshclam

Before using freshclam to download updates, you must prepare its configuration file by backing it up and commenting out the “Example” line, as follows.

$ sudo cp /etc/freshclam.conf /etc/freshclam.conf.bak
$ sudo sed -i -e "s/^Example/#Example/" /etc/freshclam.conf

Now run freshclam to update the database manually and check that the configuration works.

$ sudo freshclam

Finally, start and enable the clamd service.

$ sudo systemctl start clamd@scan.service
$ sudo systemctl enable clamd@scan.service
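As an added example (not part of the original page), the edits from sections 3 and 4 wrapped in POSIX shell functions that back up each file, apply the page's sed commands and then verify the result, so a half-applied configuration is caught before clamd is started. The config and socket paths are the page's defaults; each function takes the file path as an argument so it can be tried on a copy first.

```shell
#!/bin/sh
# Prepare clamd's scan.conf: drop the "Example" guard line, activate LocalSocket,
# then verify. Backup and sed commands follow the page; the checks are added here.
# Usage: prepare_clamd_conf /etc/clamd.d/scan.conf [/var/run/clamd.scan/clamd.sock]
prepare_clamd_conf() {
    conf="$1"
    sock="${2:-/var/run/clamd.scan/clamd.sock}"
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 2; }
    cp -p "$conf" "$conf.bk"                   # keep a backup, as on the page
    sed -i '/^Example/d' "$conf"               # remove the "Example" line
    if grep -q '^#LocalSocket ' "$conf"; then  # uncomment an existing LocalSocket
        sed -i "s|^#LocalSocket .*|LocalSocket $sock|" "$conf"
    elif ! grep -q '^LocalSocket ' "$conf"; then
        printf 'LocalSocket %s\n' "$sock" >> "$conf"
    fi
    # Verify: no Example line left, exactly one active LocalSocket, pointing at $sock.
    ! grep -q '^Example' "$conf" || return 1
    [ "$(grep -c '^LocalSocket ' "$conf")" -eq 1 ] || return 1
    grep -q "^LocalSocket $sock\$" "$conf"
}

# Prepare freshclam.conf: comment out the "Example" line and verify it is gone.
prepare_freshclam_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 2; }
    cp -p "$conf" "$conf.bak"
    sed -i -e 's/^Example/#Example/' "$conf"
    ! grep -q '^Example' "$conf"
}

# Touch the real files only when explicitly asked (run as root): ./prep.sh --apply
if [ "${1:-}" = "--apply" ]; then
    prepare_clamd_conf /etc/clamd.d/scan.conf && prepare_freshclam_conf /etc/freshclam.conf
fi
```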

5) How to Perform a Scan Using the clamscan Tool

clamscan is a command-line tool that uses libclamav to scan files and/or directories for viruses. Unlike clamdscan, clamscan does not require a running clamd instance. Instead, clamscan builds a new engine and loads the virus database into it every time it is run. It scans the files and/or directories specified on the command line, generates a scan report and exits.

Run the command below to scan all users’ home directories.

# clamscan --infected --recursive /home

.
.
/home/magesh/.cache/mozilla/firefox/rk3npe25.default/cache2/entries/63FB09C75E6F8F14E5ADCCF2F87244FF5D0C9CB1: Exploit.Iframe-1 FOUND
/home/magesh/.cache/mozilla/firefox/rk3npe25.default/cache2/entries/C8E29843C9F0CBB577037BE9CF8502BB94ECC062: Exploit.Iframe-1 FOUND
/home/magesh/.cache/mozilla/firefox/rk3npe25.default/cache2/entries/2444618B40CA0FC854B6C539AEE4A4E7C479F532: Exploit.Iframe-1 FOUND
/home/magesh/.cache/mozilla/firefox/rk3npe25.default/cache2/entries/58CB865E942E052F00AB01A9A65B5B67949D406F: Exploit.Iframe-1 FOUND
/home/magesh/.cache/mozilla/firefox/rk3npe25.default/cache2/entries/D75D46B41E962765F93746E5DCA04D3D1891DFAA: HTML.FileDownload_iacenc_dll FOUND
/home/magesh/.cache/mozilla/firefox/rk3npe25.default/cache2/entries/35DFDA5356192EEFB57A0E52FFA8C98721B3B40F: Exploit.Iframe-1 FOUND
/home/magesh/Downloads/mageshm/919134.php: PHP.Webshell-2 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6702413
Engine version: 0.100.2
Scanned directories: 14303
Scanned files: 129684
Infected files: 9
Data scanned: 12050.80 MB
Data read: 123972.73 MB (ratio 0.10:1)
Time: 2616.052 sec (43 m 36 s)

To scan the entire system, run the command below.

$ sudo clamscan --recursive /

Scan all the files on the system, but only display the infected files and, if any are found, sound the bell.

# clamscan -r --bell -i /

Write the names of all infected files to a separate report file for later analysis.

# clamscan -r /folder/to/scan/ | grep FOUND >> /path/to/save/report/file.txt

Run the command below to scan the files in the user’s home directory and save the list of infected files to a log file.

# clamscan -ril /var/log/clamscan.log /home/$USER

Run the command below to scan the files in the user’s home directory and remove the infected files.

# clamscan -r --remove /home/$USER

Run the command below to scan all users’ home directories while excluding only the “2daygeek” account (--exclude takes a regular expression matched against each file path).

# clamscan --exclude=2daygeek -i -r /home

6) How to Perform a Scan Using the clamdscan Tool

clamdscan is a clamd client that greatly simplifies the process of scanning files with clamd. It sends commands to the clamd daemon over the socket specified in clamd.conf and generates a scan report once the daemon has completed all the requested scanning.

Make sure you already have a running clamd instance before using clamdscan.

# clamdscan --recursive /home

7) How to Auto Scan Using ClamAV on Linux

If you want to scan on a daily basis, add the following shell script to the daily cronjob directory.

# vi /etc/cron.daily/clamav_scan.sh

#!/bin/bash
# Daily ClamAV scan: recursively scan SCAN_DIR and append only the infected files to LOG_FILE
SCAN_DIR="/home"
LOG_FILE="/var/log/clamav/dailyscan.log"
/usr/bin/clamscan -ri "$SCAN_DIR" >> "$LOG_FILE"

Make the file “/etc/cron.daily/clamav_scan.sh” executable.

# chmod +x /etc/cron.daily/clamav_scan.sh

It runs every day and records the infected files in the /var/log/clamav/dailyscan.log file.
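As an added example (not the page's own script), a fuller version of the daily cron job that keeps clamscan's exit status (0 clean, 1 infections found, 2 error, for instance a missing database) instead of discarding it, and turns the FOUND lines and summary from section 5 into log records. ALERT_FILE is a hypothetical marker file that a monitoring agent could watch; SCAN_DIR and LOG_FILE default to the page's values.

```shell
#!/bin/sh
# Daily ClamAV scan for cron with exit-status handling and a parsed summary.
SCAN_DIR="${SCAN_DIR:-/home}"
LOG_FILE="${LOG_FILE:-/var/log/clamav/dailyscan.log}"
ALERT_FILE="${ALERT_FILE:-/var/log/clamav/alert.log}"   # hypothetical alert marker

# Print the "Infected files: N" count from a clamscan summary on stdin (0 if absent).
infected_count() {
    awk '/^Infected files:/ { n = $3 } END { print n + 0 }'
}

# Turn "path: Signature FOUND" lines on stdin into "path<TAB>signature" records.
found_entries() {
    awk '/ FOUND$/ { sig = $(NF - 1); sub(/: [^ ]* FOUND$/, ""); printf "%s\t%s\n", $0, sig }'
}

# Map clamscan's exit status to a one-word verdict.
verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;       # 2 = scanner error; 127 = clamscan not found, etc.
    esac
}

run_daily_scan() {
    mkdir -p "$(dirname "$LOG_FILE")"
    out=$(/usr/bin/clamscan -ri "$SCAN_DIR" 2>&1); rc=$?
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    {
        printf '%s scan of %s: %s (exit %s)\n' "$now" "$SCAN_DIR" "$(verdict "$rc")" "$rc"
        printf '%s\n' "$out" | found_entries
        printf '%s\n' "$out" | grep '^Infected files:'
    } >> "$LOG_FILE"
    # Anything but a clean run (detections or a broken scanner) deserves an alert line.
    if [ "$rc" -ne 0 ]; then
        printf '%s %s infected=%s dir=%s\n' "$now" "$(verdict "$rc")" \
            "$(printf '%s\n' "$out" | infected_count)" "$SCAN_DIR" >> "$ALERT_FILE"
    fi
    return "$rc"
}

# Only scan where clamscan is installed; otherwise just report and define the functions.
if [ -x /usr/bin/clamscan ]; then
    run_daily_scan
else
    echo "clamscan not installed; nothing scanned" >&2
fi
```

On Debian-based systems, install it in /etc/cron.daily under a name without a dot (for example clamav_scan), because run-parts there skips entries such as clamav_scan.sh.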

Magesh Maruthamuthu

Love to play with all Linux distribution
