How to Install and Configure ClamAV AntiVirus on Linux

As you descend on this page, you may find yourself asking too many questions.

If that is true, the questions listed below may be your question.

  • Is Linux operating system virus-free?
  • Is the Linux operating system malware-free?
  • Why does Linux need AntiVirus?
  • Does Windows Malware Run on Linux?
  • How many Malware or Viruses have been reported on Linux?

Linux operating system is not virus-free but very few malware or viruses have been reported as of today.

Linux never had a widespread malware-infection compared to Windows.

Linux is very secure in its architecture, so you don’t need to worry about viruses.

However, viruses and other malicious companies are always emerging to beat the latest protections that computer architects and security companies can create.

So, you can choose any AntiVirus application based on your need, which adds extra security to your Linux system.

Today, we are going to discuss ClamAV, which is one of the best known antivirus software for Linux.

What is ClamAV?

ClamAV AntiVirus is an open source anti-virus toolkit designed specifically for e-mail scanning on mail gateways

It offers a number of applications, including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automated database updates.

  • clamdscan – a simple scanning client
  • on-access scanning – provides real-time protection via a clamd instance
  • clamdtop – a resource monitoring interface for clamd

Since the clamd requires an antivirus signature database to run, set the official signatures of the ClamAV before running the clamd using freshclam.

The daemon works by listening for commands on the sockets specified in clamd.conf. Listening is supported over both unix local sockets and TCP sockets.

ClamAV is used to detect viruses, malware, Trojans, malicious software and other forms of malware on Linux-based systems.

ClamAV Features

  • ClamAV is designed to scan files quickly.
  • Real time protection
  • ClamAV detects over 1 million viruses, worms and trojans, mobile malware, and other threats.
  • Supports almost all mail file formats
  • Supports all format of files such as HTML, Flash, RTF, MS Office, MacOffice and PDF
  • Support for various archive formats like Zip, RAR, Dmg, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others

1) How to Install ClamAV on Linux

ClamAV can be easily installed from the distribution official repository.

For Red Hat-based systems, you may need to enable the EPEL repository, as some packages may not be available in the distribution official repository.

For RHEL/CentOS 6 systems, run the below command

$ sudo yum install -y epel-release
$ sudo yum install -y clamav

For RHEL/CentOS 7 systems, use the yum command to install ClamAV.

$ sudo yum install -y epel-release
$ sudo yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

For RHEL/CentOS 8 and Fedora systems, use the dnf command to install ClamAV.

$ sudo yum install -y epel-release
$ sudo yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

For Debian based systems, use the apt command or apt-get command to install ClamAV.

$ sudo apt-get update
$ sudo apt-get install clamav

For openSUSE systems, use the zypper command to install ClamAV.

$ sudo zypper install -y clamav

2) How to Configure SELinux for ClamAV

Red Hat based systems uses SELinux policy so, you may need to manually enable “antivirus_can_scan_system” to function ClamAV properly.

$ sudo setsebool -P antivirus_can_scan_system 1

3) How to Configuring ClamAV

Before using ClamAV, you must remove the “example” string from the configuration file using the sed command.

$ sudo cp /etc/clamd.d/scan.conf /etc/clamd.d/scan.conf.bk
$ sudo sed -i '/^Example/d' /etc/clamd.d/scan.conf

You must also uncomment the following socket option that allows “clamdscan” and other applications to interact with the clamd.

LocalSocket /var/run/clamd.scan/clamd.sock

4) How to Configure freshclam

Before using the freshclam to download updates, you must create a freshclam config file as follows.

$ sudo cp /etc/freshclam.conf /etc/freshclam.conf.bak
$ sudo sed -i -e "s/^Example/#Example/" /etc/freshclam.conf

Now, run the freshclam to manually update the database and check whether the configuration is set up successfully.

$ sudo freshclam

Finally, start and enable the clamd service.

$ sudo systemctl start clamd@scan
$ sudo systemctl enable clamd@scan

5) How to Perform a Scan Using the clamscan Tool

clamscan is a command-line tool that uses libclamav to scan files and/or directories for viruses. Unlike clamdscan, clamscan does not require a functioning clamd instance. Instead, clamscan builds a new engine and loads it into the virus database every time it is run. It scans the files and/or directories specified in the command line and generates a scan report and exits.

Run the below command to scan all users’ home directories.

# clamscan --infected --recursive /home

.
.
/home/magesh/.cache/mozilla/firefox/rk3npe25.default/cache2/entries/63FB09C75E6F8F14E5ADCCF2F87244FF5D0C9CB1: Exploit.Iframe-1 FOUND
/home/magesh/.cache/mozilla/firefox/rk3npe25.default/cache2/entries/C8E29843C9F0CBB577037BE9CF8502BB94ECC062: Exploit.Iframe-1 FOUND
/home/magesh/.cache/mozilla/firefox/rk3npe25.default/cache2/entries/2444618B40CA0FC854B6C539AEE4A4E7C479F532: Exploit.Iframe-1 FOUND
/home/magesh/.cache/mozilla/firefox/rk3npe25.default/cache2/entries/58CB865E942E052F00AB01A9A65B5B67949D406F: Exploit.Iframe-1 FOUND
/home/magesh/.cache/mozilla/firefox/rk3npe25.default/cache2/entries/D75D46B41E962765F93746E5DCA04D3D1891DFAA: HTML.FileDownload_iacenc_dll FOUND
/home/magesh/.cache/mozilla/firefox/rk3npe25.default/cache2/entries/35DFDA5356192EEFB57A0E52FFA8C98721B3B40F: Exploit.Iframe-1 FOUND
/home/magesh/Downloads/mageshm/919134.php: PHP.Webshell-2 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6702413
Engine version: 0.100.2
Scanned directories: 14303
Scanned files: 129684
Infected files: 9
Data scanned: 12050.80 MB
Data read: 123972.73 MB (ratio 0.10:1)
Time: 2616.052 sec (43 m 36 s)

To scan the entire system, run the command below.

$ sudo clamscan --recursive /

Scan all the files on the system, but only display the infected files and if found, sound the bell

# clamscan -r --bell -i /

Move all affected files to a separate file for later analysis.

# clamscan -r /folder/to/scan/ | grep FOUND >> /path/to/save/report/file.txt

Run the command below to scan the files in the user’s home directory and save the affected files to a specific file.

# clamscan -ril /var/log/clamscan.log /home/$USER	

Run the below command to scan files in the user’s home directory and remove infected files

# clamscan -r --remove /home/$USER

Run the command below to scan all the user’s home directory and exclude only the “2daygeek” account.

# clamscan --exclude=2daygeek -i -r /home/$USER

6) How to Perform a Scan Using the clamdscan Tool

clamdscan is a clamd client that greatly simplifies the process of scanning files with clamd. It sends commands to the clamd daemon across the socket specified in clamd.conf and generates a scan report when all scanning requested by the daemon is complete.

Make sure you already have a clamd running instance to run clamdscan.

# clamdscan --recursive /home

7) How to Auto Scan Using ClamAV on Linux

If you want to scan on a daily basis, add the following shell script to the daily cronjob directory.

# vi /etc/cron.daily/clamav_scan.sh                                              

#!/bin/bash
SCAN_DIR="/home"
LOG_FILE="/var/log/clamav/dailyscan.log"
/usr/bin/clamscan -ri $SCAN_DIR >> $LOG_FILE

Set an executable permission to the file “/etc/cron.daily/clamav_scan.sh”.

# chmod +x /etc/cron.daily/clamav_scan.sh

It runs everyday and stores the affected files in the /var/log/clamav/dailyscan.log file.

About Magesh Maruthamuthu

Love to play with all Linux distribution

View all posts by Magesh Maruthamuthu

14 Comments on “How to Install and Configure ClamAV AntiVirus on Linux”

  1. Unfortunately the commands to install or update clamav don’t work in the distros I have here. The mailguard server has been issuing warnings for days that clamav-0.98.7 is outdated, and yet Ubuntu and Centos still have only 0.98.7 available in the repos. This is a long standing problem I’ve seen with Linux vendors, and even resources like epel, who happily sit on outdated software for months. Yeah, I could grab the tarball and build it myself, but, isn’t that like 1993 all over again?

    1. @Akebono,
      The latest version of ClamAV 0.99 got released on December 1, 2015. Most probably we will get the updated version from distro official repository ASAP because Ubuntu ClamAV PPA maintainer withdrawn the PPA update because its added to backport official repository. Don’t compile from source code this will make trouble when we need to upgrade.

  2. [Dell desktops, Mint 17.1] I have a 120kb/sec connection, resulting in confusion because freshclam updater runs in background, taking several minutes to populate the definition files, in the meantime claiming things are outdated, going haywire, etc. After giving it time to load the definitions after the ‘Starting….freshclam’ instruction, it runs quite nicely. I also downloaded ClamTK, the graphic frontend, to make it easier to use and handle scheduling. Thank you!! MUCH easier than my first installation attempt.

  3. [Dell desktops, Mint 17.1] I have a 120kb/sec connection, resulting in confusion because freshclam updater runs in background, taking several minutes to populate the definition files, in the meantime claiming things are outdated, going haywire, etc. After giving it time to load the definitions after the ‘Starting….freshclam’ instruction, it runs quite nicely. I also downloaded ClamTK, the graphic frontend, to make it easier to use and handle scheduling.

  4. I am new to Linux and CamAv you not only helped me make sure I am not passing problems on to other users on my network, you led me to learn much more about Linux (Mint). If all my questions are answered this completely, I am looking forward to learning more. Thank you.

  5. Wow Thanks a lot. Great easy to follow tutorial. Got ClamAV installed nice and tested on my Debian 7 server. Appreciate the really easy explanations as i’m a total noob. Thank you!

  6. I am the newest of newbies here after 40 yrs on mainframes and using PCs/Windows since before DOS 3.1 came out I find Linux refreshing altho sometimes a bit baffling but I wade on thru and have enjoyed it a lot. Ubuntu 14.04 now and am looking forward to more informative articles such as this one..
    thanks, Bill

  7. sudo /etc/init.d/clamav-freshclam restart
    [sudo] password for richard:
    [….] Stopping ClamAV virus database updater: freshclamNo freshclam found running; none killed.
    . ok
    [….] Starting ClamAV virus database updater: freshclamERROR: Parse error at line 4: Unknown option LocalSocket
    ERROR: Can’t open/parse the config file /etc/clamav/freshclam.conf
    failed!
    I’m using Debian 7.7. Thank you for your help

  8. Step 3 didn’t work for me. I got this message:
    * Starting ClamAV virus database updater freshclam start-stop-daemon: unable to set gid to 125 (Operation not permitted)

    … any ideas?

    Thanks,
    Cary

Leave a Reply to Ramya Nuvvula Cancel reply

Your email address will not be published. Required fields are marked *