Imagine a security guard who works 24/7, never sleeps, and can identify millions of threats instantly. That’s ClamAV—an open-source antivirus engine designed specifically for Linux environments. While many believe Linux is immune to viruses, the reality is that malware targeting Linux servers has increased by 400% in recent years.
ClamAV (Clam AntiVirus) is the most widely used open-source antivirus solution for Linux systems. It’s the go-to choice for mail servers, file servers, and security-conscious administrators who need reliable malware detection. In 2026, with ransomware and cryptojacking on the rise, ClamAV remains an essential tool in your security arsenal.
This comprehensive guide will walk you through everything from installation to advanced configuration, ensuring your Linux systems stay protected against evolving threats.
What is ClamAV?
ClamAV is a powerful, open-source antivirus engine developed by Cisco. It’s designed specifically for detecting:
- Viruses and Worms: Traditional malware that replicates and spreads
- Trojans: Malicious software disguised as legitimate applications
- Rootkits: Software that hides malicious processes
- [Phishing emails](/blog/cybersecurity/spot-phishing-emails): Email-based threats targeting users
- Malware Archives: Compressed files containing malicious content
Key Features
- Multi-threaded scanning for high performance
- Signature-based detection with frequent updates
- Heuristic analysis for detecting unknown threats
- Cross-platform support (Linux, Windows, macOS)
- Integration with mail servers (Postfix, Sendmail)
- Command-line and daemon modes
Why ClamAV in 2026?
1. Growing Linux Malware Threat
- Linux cryptojacking attacks increased 300% in 2025
- Ransomware now targets Linux servers and containers
- IoT devices running Linux are primary attack vectors
2. Compliance Requirements
- HIPAA requires antivirus on covered systems
- PCI-DSS mandates malware protection
- GDPR emphasizes data protection measures
3. Cost-Effective Security
- Free and open-source
- Low system resource usage
- Large community support
Installing ClamAV
Ubuntu/Debian Installation
```bash
# Update package repository
sudo apt update
# Install ClamAV and the daemon
sudo apt install clamav clamav-daemon -y
# Install freshclam (signature updater)
sudo apt install clamav-freshclam -y
# Verify installation
clamscan --version
# Check service status
sudo systemctl status clamav-daemon
sudo systemctl status clamav-freshclam
```
CentOS/RHEL/Rocky Linux Installation
```bash
# Install EPEL repository
sudo dnf install epel-release -y
# Install ClamAV (EPEL 8/9 package names; EPEL 7 shipped the daemon as clamav-server and clamav-server-systemd)
sudo dnf install clamav clamav-update clamd -y
# Prepare the "scan" daemon profile: drop the Example line and enable the LocalSocket setting
sudo sed -i -e 's/^Example/#Example/' -e 's/^#LocalSocket /LocalSocket /' /etc/clamd.d/scan.conf
# Initialize database
sudo freshclam
# Start services
sudo systemctl enable clamd@scan
sudo systemctl start clamd@scan
```
Amazon Linux Installation
```bash
# Enable EPEL (Amazon Linux 2; amazon-linux-extras does not exist on Amazon Linux 2023)
sudo amazon-linux-extras install epel -y
# Install ClamAV
sudo yum install clamav clamav-update -y
# Update signatures
sudo freshclam
```
Alpine Linux Installation
```bash
# Install from community repository
apk add clamav clamav-libclamav clamav-daemon clamav-scanner
# Configure freshclam
mkdir -p /var/lib/clamav
chown clamav:clamav /var/lib/clamav
```
Source Compilation (Advanced)
```bash
# Download source
wget https://www.clamav.net/downloads/production/clamav-1.2.0.tar.gz
tar -xzf clamav-1.2.0.tar.gz
cd clamav-1.2.0
# Install build dependencies (ClamAV 1.x builds with CMake, not autotools, and needs a Rust toolchain)
sudo apt install build-essential cmake pkg-config python3 cargo rustc \
    libssl-dev libxml2-dev zlib1g-dev libbz2-dev libpcre2-dev libjson-c-dev libcurl4-openssl-dev -y
# Configure and compile (out-of-tree build; configuration files go to /etc/clamav)
mkdir build && cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/usr/local -DAPP_CONFIG_DIRECTORY=/etc/clamav
cmake --build .
sudo cmake --build . --target install
# Create clamav user
sudo groupadd clamav
sudo useradd -g clamav -s /bin/false -c "ClamAV User" clamav
# Set permissions on the signature database directory
sudo chown -R clamav:clamav /usr/local/share/clamav
```
Basic ClamAV Commands
Scanning Files and Directories
```bash
# Scan a single file
clamscan /path/to/file
# Scan entire directory recursively
clamscan -r /home/user
# Scan recursively with verbose output
clamscan -r --verbose /home/user
# Scan and remove infected files
clamscan -r --remove /home/user
# Scan and move infected files
clamscan -r --move=/tmp/quarantine /home/user
# Scan and copy infected files
clamscan -r --copy=/tmp/quarantine /home/user
# Scan and display only infected files
clamscan -r --infected /home/user
# clamscan has no thread option (it is single-threaded); for parallel scanning use the daemon client
clamdscan --multiscan --fdpass /home/user
```
Using Clamscan Options
```bash
# Limit the size of individual files and of the data extracted from each file
clamscan --max-filesize=50M --max-scansize=100M /home/user
# Scan inside archives and report each archived member as it is scanned
clamscan --scan-archive=yes --archive-verbose /home/user
# Heuristic alerts (structural anomalies, exploit patterns), reported ahead of signature matches
clamscan --heuristic-alerts=yes --heuristic-scan-precedence=yes /home/user
# Phishing detection: signature-based checks plus URL checks in HTML mail
clamscan --phishing-sigs=yes --phishing-scan-urls=yes /home/user
# Detect Potentially Unwanted Applications
clamscan --detect-pua=yes /home/user
# Save scan report
clamscan -r /home/user > scan-report-$(date +%Y%m%d).log
# Report every matching signature per file instead of stopping at the first match
clamscan --allmatch -r /home/user
```
Signature Updates with freshclam
Basic Update Commands
```bash
# Manual signature update
sudo freshclam
# Check engine and database version (prints ClamAV <engine>/<database version>/<build date>)
clamscan --version
# Check signature database details (version, build time, signature count)
sigtool --info /var/lib/clamav/daily.cvd   # daily.cld once incremental updates have been applied
# Verbose update run
sudo freshclam --verbose
# freshclam has no "force" flag; re-fetch a single database explicitly instead
sudo freshclam --update-db=daily
# The mirror is not a command-line option: set DatabaseMirror in freshclam.conf (see below)
# Log update activity
sudo freshclam --log=/var/log/clamav/freshclam.log
```
Configuring freshclam
Edit the freshclam configuration:
```bash
sudo nano /etc/clamav/freshclam.conf
```
Key configuration options:
```
# Where the signature databases are stored
DatabaseDirectory /var/lib/clamav
# Update mirror (database.clamav.net is the public CDN and the default)
DatabaseMirror database.clamav.net
# Number of update checks per day (12 = every two hours)
Checks 12
# HTTP proxy (if needed)
# HTTPProxyServer 192.168.1.100
# HTTPProxyPort 8080
# HTTPProxyUsername proxyuser
# HTTPProxyPassword proxypass
# Tell the running clamd to reload its database after a successful update
NotifyClamd /etc/clamav/clamd.conf
# Log file
UpdateLogFile /var/log/clamav/freshclam.log
# Log verbosity
LogVerbose false
# Owner of the downloaded database files
DatabaseOwner clamav
```
Automating Updates
```bash
# On Debian/Ubuntu the clamav-freshclam service already runs freshclam as a daemon;
# use either that service or cron, not both (a second instance fails on the database lock)
# Create a cron job for daily updates
sudo crontab -e
# Add:
0 2 * * * /usr/bin/freshclam --quiet
# Create a weekly update run with verbose logging
0 3 * * 0 /usr/bin/freshclam --verbose >> /var/log/clamav/freshclam-weekly.log 2>&1
# Make clamd reload the new signatures after each update (in freshclam.conf)
NotifyClamd /etc/clamav/clamd.conf
```
ClamAV Daemon (clamd)
Starting and Managing clamd
```bash
# Start clamd
sudo systemctl start clamav-daemon
# Stop clamd
sudo systemctl stop clamav-daemon
# Restart clamd
sudo systemctl restart clamav-daemon
# Check status
sudo systemctl status clamav-daemon
# Enable at boot
sudo systemctl enable clamav-daemon
# Check logs
sudo journalctl -u clamav-daemon -f
```
Configuring clamd
```bash
sudo nano /etc/clamav/clamd.conf
```
Essential configuration:
```
# Listen on localhost only
TCPSocket 3310
TCPAddr 127.0.0.1
# Process settings
User clamav
# Logging
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 100M
LogTime yes
LogVerbose no
# Scanning limits (these also bound archive extraction)
MaxFileSize 100M
MaxScanSize 300M
MaxRecursion 10
MaxFiles 10000
# Detection settings
DetectPUA yes
HeuristicScanPrecedence yes
# Archive scanning
ScanArchive yes
# Exclude pseudo-filesystems
ExcludePath ^/proc/
ExcludePath ^/sys/
ExcludePath ^/dev/
# Command run on every detection (clamd exports CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME to it)
VirusEvent /usr/local/bin/clamav-alert.sh
```
Using clamdscan
```bash
# Basic scan (clamd must be running; the client only relays paths to it)
clamdscan /home/user
# Pass open file descriptors so clamd can read files its own user cannot access
clamdscan --fdpass /home/user
# Scan and write the report to a log file
clamdscan --log=/var/log/clamav/clamdscan.log /home/user
# Scan and remove infected
clamdscan --remove /home/user
# Let clamd scan the tree with multiple threads
clamdscan --multiscan /home/user
# Check that clamd responds
clamdscan --ping
# Reload virus database
clamdscan --reload
# Scan with quarantine
clamdscan --move=/tmp/quarantine /home/user
```
Advanced Scanning Techniques
1. System-Wide Scan
```bash
#!/bin/bash
# system-scan.sh
# Comprehensive system scan
echo "=== ClamAV System Scan - $(date) ==="
# Scan critical system directories
clamscan -r --infected --log=/var/log/clamav/system-scan.log \
    /bin /sbin /usr/bin /usr/sbin /etc /var/www
# Scan user home directories
clamscan -r --infected --log=/var/log/clamav/home-scan.log \
    /home/*/Documents /home/*/Downloads
# Scan mail directories
clamscan -r --infected --log=/var/log/clamav/mail-scan.log \
    /var/mail /var/spool/mail
echo "Scan completed - $(date)"
```
2. Scheduled Cron Jobs
```bash
# Create daily scan script
sudo nano /usr/local/bin/daily-scan.sh
```
```bash
#!/bin/bash
# Daily scan with reporting
LOG_DIR="/var/log/clamav"
DATE=$(date +%Y%m%d)
LOG_FILE="${LOG_DIR}/daily-scan-${DATE}.log"
# Scan critical directories
clamscan -r --infected --log="${LOG_FILE}" \
    /home /var/www /tmp
# Email report if infected files found
if grep -q " FOUND$" "${LOG_FILE}"; then
    mail -s "[CLAMAV] Infected files found - ${DATE}" admin@domain.com < "${LOG_FILE}"
fi
```
```bash
# Make executable
sudo chmod +x /usr/local/bin/daily-scan.sh
# Add to crontab
sudo crontab -e
# Add:
0 1 * * * /usr/local/bin/daily-scan.sh
```
3. Real-Time Scanning (On-Access)
Enable ClamAV's on-access scanning. Since ClamAV 0.102 the on-access scanner is a separate process, clamonacc, which reads the OnAccess* settings from clamd.conf and sends files to a running clamd:
```bash
# Edit clamd configuration
sudo nano /etc/clamav/clamd.conf
```
```
# Enable on-access scanning of selected trees. OnAccessPrevention (block access to
# infected files) only works with OnAccessIncludePath, not with OnAccessMountPath.
OnAccessIncludePath /home
OnAccessIncludePath /var/www
OnAccessPrevention yes
# Never scan clamd's own file accesses (avoids a feedback loop)
OnAccessExcludeUname clamav
# Exclude specific paths
OnAccessExcludePath /proc
OnAccessExcludePath /sys
OnAccessExcludePath /dev
```
```bash
# Restart clamd, then start the on-access scanner (needs root for fanotify)
sudo systemctl restart clamav-daemon
sudo clamonacc --fdpass
```
4. Scanning in [Docker containers](/blog/cybersecurity/secure-docker-containers)
Create a Dockerfile with ClamAV (the image is built here as clamav-scan):
```dockerfile
FROM ubuntu:22.04
# Install the engine and fetch signatures at build time (rebuild regularly, or run freshclam at start)
RUN apt-get update && apt-get install -y --no-install-recommends clamav && freshclam && rm -rf /var/lib/apt/lists/*
COPY scan.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/scan.sh
CMD ["/usr/local/bin/scan.sh"]
```
```bash
# Build the image, then scan the host filesystem mounted read-only inside the container
docker build -t clamav-scan .
docker run --rm -v /:/host:ro clamav-scan clamscan -r --infected --exclude-dir='^/host/(proc|sys|dev)' /host
```
Docker Compose example:
```yaml
version: '3'
services:
  clamav:
    image: clamav/clamav:latest
    volumes:
      - /var/log/clamav:/var/log/clamav
      - /data:/data
    command: clamscan -r /data
```
5. Scanning Email and Web Traffic
Postfix Integration:
```bash
# Install clamav-milter
sudo apt install clamav-milter -y
# Configure the milter: check MilterSocket (the socket Postfix connects to) and ClamdSocket
sudo nano /etc/clamav/clamav-milter.conf
```
```
# In postfix main.cf: the path must match MilterSocket in clamav-milter.conf, and the
# postfix user needs access to it (MilterSocketGroup postfix, MilterSocketMode 660)
smtpd_milters = unix:/var/run/clamav/clamav-milter.sock
non_smtpd_milters = $smtpd_milters
```
```bash
# Restart services
sudo systemctl restart clamav-milter
sudo systemctl restart postfix
```
ModSecurity Integration (Apache with ModSecurity 2.x): ModSecurity has no ClamAV operator of its own. Uploaded files are handed to an external program through the @inspectFile operator; that program (here a wrapper script, /usr/local/bin/runav-clamd.sh, which calls clamdscan) prints one line whose first character is 1 for clean and anything else to block the request.
```bash
# Install mod_security and the clamd client (clamdscan ships with clamav-daemon)
sudo apt install libapache2-mod-security2 clamav-daemon
# Add a rule that checks every uploaded file
sudo nano /etc/modsecurity/owasp-crs/rules/clamav-rule.conf
```
```
# Hand every uploaded file to the scanner wrapper and block on any non-clean verdict
SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/runav-clamd.sh" \
    "id:123456,phase:2,deny,status:403,log,msg:'Malware detected in uploaded file'"
```
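The wrapper that @inspectFile runs is not shipped with ModSecurity, the OWASP CRS or ClamAV; the script below is an added example of one (the name /usr/local/bin/runav-clamd.sh is assumed). It scans the uploaded temp file through clamd with clamdscan and prints the one-line verdict ModSecurity expects, blocking when the scanner itself fails; the verdict logic is kept in its own function so it can be exercised without a running clamd.

```bash
#!/bin/sh
# Added example: ModSecurity @inspectFile wrapper around clamdscan (assumed path
# /usr/local/bin/runav-clamd.sh). ModSecurity runs it with the temporary upload
# path as $1 and reads ONE line: a first character "1" means clean, anything else
# blocks the request, and the rest of the line becomes the log message.

# Turn clamdscan's exit status (0 clean, 1 infected, 2 error) and its output into
# that verdict line. Scanner errors block too, so an outage fails closed.
verdict_line() {
    status=$1
    output=$2
    case "$status" in
        0) echo "1 clean" ;;
        1) # result lines look like "<path>: <signature> FOUND"; report the signature
           sig=$(printf '%s\n' "$output" | sed -n 's/^.*: \([^ ]*\) FOUND$/\1/p' | head -n 1)
           echo "0 malware detected: ${sig:-unknown signature}" ;;
        *) echo "0 scanner error (clamdscan exit $status)" ;;
    esac
}

# Scan one uploaded file through the running clamd. --fdpass hands clamd an open
# descriptor so it can read Apache's private temp file; --no-summary and
# --infected keep the output to the result line.
scan_upload() {
    output=$(clamdscan --fdpass --no-summary --infected "$1" 2>&1)
    verdict_line $? "$output"
}

# Entry point used by ModSecurity: only runs when a path argument is given.
if [ -n "$1" ]; then
    scan_upload "$1"
fi
```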
Quarantine Management
Setting Up Quarantine
```bash
# Create quarantine directory
sudo mkdir -p /var/lib/clamav/quarantine
sudo chown clamav:clamav /var/lib/clamav/quarantine
sudo chmod 750 /var/lib/clamav/quarantine
# Create quarantine script
sudo nano /usr/local/bin/clamav-quarantine.sh
```
```bash
#!/bin/bash
# Quarantine handler, run by clamd's VirusEvent as the clamav user (it can only
# move files from directories that user may write to).
# clamd passes the file in CLAM_VIRUSEVENT_FILENAME and the signature in
# CLAM_VIRUSEVENT_VIRUSNAME; a path given as $1 takes precedence.
QUARANTINE_DIR="/var/lib/clamav/quarantine"
DATE=$(date +%Y%m%d_%H%M%S)
FILE="${1:-$CLAM_VIRUSEVENT_FILENAME}"
if [ -n "$FILE" ] && [ -f "$FILE" ]; then
    FILENAME=$(basename "$FILE")
    mv -- "$FILE" "${QUARANTINE_DIR}/${FILENAME}.${DATE}.quar"
    echo "$(date): Quarantined $FILE (${CLAM_VIRUSEVENT_VIRUSNAME:-unknown})" >> /var/log/clamav/quarantine.log
fi
```
```bash
# Make executable
sudo chmod +x /usr/local/bin/clamav-quarantine.sh
# Configure clamd to use quarantine script
sudo nano /etc/clamav/clamd.conf
```
```
# Add (clamd runs the command on each detection and exports the file name in the environment):
VirusEvent /usr/local/bin/clamav-quarantine.sh
```
Managing Quarantine
```bash
# List quarantined files
ls -la /var/lib/clamav/quarantine/
# Check quarantine log
sudo tail -f /var/log/clamav/quarantine.log
# Restore file from quarantine
sudo cp /var/lib/clamav/quarantine/file.quar /path/to/restore/
# Clean old quarantine files (30 days)
sudo find /var/lib/clamav/quarantine -name "*.quar" -mtime +30 -delete
# Re-scan the quarantine (e.g. after a signature update) to confirm the detections still hold
clamscan -r --infected /var/lib/clamav/quarantine
```
Performance Tuning
Optimizing ClamAV Performance
```bash
# Parallel scanning: clamscan is single-threaded, clamd scans a tree with several threads
clamdscan --multiscan --fdpass /home/user
# Limit file sizes for faster scanning
clamscan -r --max-filesize=50M --max-scansize=100M /home/user
# Disable archive scanning for speed
clamscan -r --scan-archive=no /home/user
# clamd caches hashes of files it has found clean, so repeated scans through clamdscan
# skip unchanged files; clamscan has no persistent cache
clamdscan /home/user
```
Reduce memory usage in clamd.conf:
```
# Hold only one copy of the database in memory during reloads
ConcurrentDatabaseReload no
# Shrink the clean-file hash cache (default 65536 entries)
CacheSize 32768
```
Benchmarking Performance
```bash
# Time a scan
time clamscan -r --infected /home/user
# Check CPU usage
top -p "$(pgrep -n clamscan)"
# Monitor memory usage (the bracket keeps grep from matching itself)
ps aux | grep '[c]lamscan'
# Trace how the engine handles one file (detected file types, limits hit)
clamscan --debug /path/to/test-file 2>&1 | tail -n 50
```
Troubleshooting Common Issues
Issue 1: Database Outdated
```bash
# Re-run the update and show what happens
sudo freshclam --verbose
# Check connectivity to the database CDN (ICMP is often filtered, so test HTTPS)
curl -sI https://database.clamav.net/daily.cvd | head -n 1
# Check proxy settings
grep -i proxy /etc/clamav/freshclam.conf
# Clear database and re-download (stop clamd first; remove both .cvd and incrementally updated .cld files)
sudo systemctl stop clamav-daemon
sudo rm -f /var/lib/clamav/*.cvd /var/lib/clamav/*.cld
sudo freshclam
sudo systemctl start clamav-daemon
```
Issue 2: ClamAV Service Won’t Start
```bash
# Check logs
sudo journalctl -u clamav-daemon -n 50
# Dump the configuration as clamd parses it (unknown or malformed options show up here)
clamconf -c /etc/clamav
# Check socket permissions
ls -la /var/run/clamav/
# Fix permissions
sudo chown -R clamav:clamav /var/lib/clamav
sudo chown -R clamav:clamav /var/run/clamav
```
Issue 3: High Memory Usage
```
# In clamd.conf: lower the scan limits and avoid holding two databases in memory during reloads
ConcurrentDatabaseReload no
MaxScanSize 100M
MaxFileSize 25M
```
```bash
# Restart clamd
sudo systemctl restart clamav-daemon
# Use limited scanning
clamscan --max-filesize=10M /home/user
```
Issue 4: False Positives
```
# Whitelist a path in clamd.conf (regular expression matched against the full path)
ExcludePath ^/path/to/false-positive$
# Whitelist a signature by name: create a .ign2 file in the database directory with one
# signature name per line, e.g. /var/lib/clamav/local.ign2 containing
Name.Of.The.Signature.From.The.FOUND.Line
# Turn off heuristic alerts you do not want (clamd.conf)
DetectPUA no
AlertBrokenExecutables no
```
```bash
# The same path exclusion for clamscan
clamscan -r --exclude='^/path/to/false-positive$' /home/user
# Submit the false positive to ClamAV
# https://www.clamav.net/reports/fp
```
Issue 5: Cannot Scan Special Files
```bash
# Pseudo-filesystems and device nodes are not regular files; exclude them instead of scanning them
clamscan -r --infected --exclude-dir='^/(proc|sys|dev|run)' /
# Stay on the starting filesystem (skips network and pseudo mounts)
clamscan -r --cross-fs=no /
# Follow all symlinks to directories and files (by default only those given on the command line)
clamscan -r --follow-dir-symlinks=2 --follow-file-symlinks=2 /home/user
```
Integration with Other Tools
OSSEC Integration
```bash
# Add ClamAV to OSSEC rules
sudo nano /var/ossec/etc/rules/clamav_rules.xml
```
```xml
<group name="clamav">
  <!-- decoded_as must name the decoder from decoder.xml; OSSEC ships one called "clamd" -->
  <rule id="500001" level="7">
    <decoded_as>clamd</decoded_as>
    <match>FOUND</match>
    <description>ClamAV detected malware</description>
  </rule>
</group>
```
ELK Stack Integration
```bash
# Filebeat configuration for ClamAV logs
sudo nano /etc/filebeat/filebeat.yml
```
```yaml
# Add ClamAV log path
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/clamav/*.log
    # Add custom fields
    fields:
      service: clamav
      type: security
```
```bash
# Restart filebeat
sudo systemctl restart filebeat
```
Nagios Monitoring
```bash
# Install the standard monitoring plugins (check_clamd is a check_tcp variant shipped with them)
sudo apt install monitoring-plugins
# Check clamd status
/usr/lib/nagios/plugins/check_clamd -H localhost -p 3310
```
Add to the Nagios configuration:
```
define service {
    use                 generic-service
    host_name           linux-server
    service_description ClamAV Daemon
    check_command       check_clamd!localhost!3310
}
```
Best Practices
1. Regular Updates
```bash
# Automate daily updates (cron entry, or run the clamav-freshclam service)
sudo freshclam --quiet
# Check installed database version and build date (daily.cvd before the first incremental update)
sigtool --info /var/lib/clamav/daily.cld
clamscan --version
```
```
# Mirrors (freshclam.conf): the public CDN is database.clamav.net; if you run an internal
# mirror (for example fed by cvdupdate), point PrivateMirror at it
DatabaseMirror database.clamav.net
# PrivateMirror mirror.internal.example.com
```
2. Scheduled Scans
```bash
# Weekly full system scan (skip pseudo-filesystems)
0 2 * * 0 /usr/bin/clamscan -r --infected --exclude-dir='^/(proc|sys|dev|run)' --log=/var/log/clamav/weekly-scan.log /
# Daily user directory scan
0 3 * * * /usr/bin/clamscan -r --infected --log=/var/log/clamav/daily-scan.log /home
# Monthly web directory scan
0 4 1 * * /usr/bin/clamscan -r --infected --log=/var/log/clamav/web-scan.log /var/www
```
3. Log Rotation
```bash
# Create logrotate configuration
sudo nano /etc/logrotate.d/clamav
```
```
/var/log/clamav/*.log {
    weekly
    rotate 4
    compress
    delaycompress
    missingok
    notifempty
    create 0640 clamav clamav
    sharedscripts
    postrotate
        /usr/bin/systemctl kill -s HUP clamav-daemon
    endscript
}
```
4. Monitoring and Alerts
```bash
#!/bin/bash
# clamav-monitor.sh
# Check for recent infections
INFECTED=$(grep -h " FOUND$" /var/log/clamav/*.log | tail -n 10)
if [ -n "$INFECTED" ]; then
    echo "ClamAV Detected Infections:" >> /var/log/clamav/alerts.log
    echo "$INFECTED" >> /var/log/clamav/alerts.log
    echo "$INFECTED" | mail -s "[ALERT] ClamAV Infections" admin@domain.com
fi
# Check update status (daily.cvd becomes daily.cld once freshclam applies incremental updates)
DAILY=$(ls -t /var/lib/clamav/daily.cld /var/lib/clamav/daily.cvd 2>/dev/null | head -n 1)
LAST_UPDATE=$(stat -c %Y "$DAILY")
CURRENT=$(date +%s)
DIFF=$(( (CURRENT - LAST_UPDATE) / 86400 ))
if [ "$DIFF" -gt 7 ]; then
    echo "Warning: ClamAV signatures older than 7 days" | mail -s "[WARNING] ClamAV Outdated" admin@domain.com
fi
```
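The daily-scan and monitoring scripts above decide on grep "FOUND", which also matches a clean file whose name contains the word, and they ignore clamscan's exit status (0 clean, 1 detections, 2 errors). The script below is an added example, not part of this guide: it parses the "path: Signature FOUND" result lines properly, tallies detections per signature, and maps the exit status; the log it reads is constructed inline.

```bash
#!/bin/bash
# Added example: parse a clamscan/clamdscan log and classify the scanner's exit status.
# Result lines look like "<path>: <signature> FOUND"; paths may contain spaces or ": ".

# Map clamscan/clamdscan exit codes (0 clean, 1 infected, 2 error) to a word.
scan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Print "<signature><TAB><path>" for each detection. The signature is the last
# ": "-separated token before " FOUND", so the word FOUND inside a path is not counted.
found_entries() {
    awk '/ FOUND$/ {
        sub(/ FOUND$/, "")
        n = split($0, parts, ": ")
        sig = parts[n]
        printf "%s\t%s\n", sig, substr($0, 1, length($0) - length(sig) - 2)
    }' "$1"
}

# Number of detections in a log.
found_count() { found_entries "$1" | wc -l | tr -d ' '; }

# Detections grouped by signature, most frequent first.
sig_histogram() { found_entries "$1" | cut -f1 | sort | uniq -c | sort -rn; }

# Constructed sample log in the format clamscan writes with --log (not real data).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
/home/alice/Downloads/eicar.com: Eicar-Test-Signature FOUND
/home/alice/Documents/FOUND-notes.txt: OK
/home/bob/mail: archive: 2026-01.zip: Eicar-Test-Signature FOUND
/var/www/uploads/invoice.pdf: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 3
EOF

if [ "$(found_count "$SAMPLE_LOG")" -gt 0 ]; then
    echo "Detections by signature:"
    sig_histogram "$SAMPLE_LOG"
    echo "Affected files:"
    found_entries "$SAMPLE_LOG" | cut -f2
fi
echo "grep FOUND would have counted $(grep -c FOUND "$SAMPLE_LOG") lines"
```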
5. Emergency Response Procedures
```bash
#!/bin/bash
# emergency-scan.sh
LOG_DIR="/var/log/clamav"
DATE=$(date +%Y%m%d_%H%M%S)
LOG_FILE="$LOG_DIR/emergency-scan-$DATE.log"
# Run emergency full scan
echo "=== EMERGENCY SCAN - $DATE ===" >> "$LOG_FILE"
# Scan the whole filesystem with maximum detection settings (/home, /var/www and /tmp are under /)
clamscan -r \
    --infected \
    --log="$LOG_FILE" \
    --exclude-dir='^/(proc|sys|dev|run)' \
    --detect-pua=yes \
    --heuristic-alerts=yes \
    --heuristic-scan-precedence=yes \
    --phishing-sigs=yes \
    --phishing-scan-urls=yes \
    --allmatch \
    /
# Alert if infected files found
if grep -q " FOUND$" "$LOG_FILE"; then
    echo "EMERGENCY: Infected files found!" | mail -s "[EMERGENCY] ClamAV Found Infections" admin@domain.com
    # Additional actions: isolate, quarantine, investigate
fi
```
Command Reference
Essential Commands Quick Reference
| Command | Purpose | Example |
|---|---|---|
| clamscan | Scan files/directories | clamscan -r /home |
| freshclam | Update virus definitions | sudo freshclam |
| clamdscan | Scan using clamd daemon | clamdscan /home |
| clamav-daemon | ClamAV service management | systemctl start clamav-daemon |
| clamd | ClamAV daemon | clamd -c /etc/clamav/clamd.conf |
| clamav-milter | Email scanning | clamav-milter |
| sigtool | Signature analysis | sigtool --info /var/lib/clamav/daily.cld |
Useful One-Liners
```bash
# Quick system check
clamscan -r --infected --exclude-dir='^/(proc|sys|dev|run)' / | grep ' FOUND$'
# Find and quarantine all infected files
clamscan -r --move=/tmp/quarantine --infected --exclude-dir='^/(proc|sys|dev|run)' /
# Scan only files changed in the last day (one clamscan run; starting clamscan per file reloads the database each time)
find /home -type f -mtime -1 -print0 | xargs -0 -r clamscan --infected
# Scan and send email report
clamscan -r /home | mail -s "ClamAV Scan Results" admin@domain.com
# Monitor logs in real-time
sudo tail -f /var/log/clamav/clamd.log /var/log/clamav/freshclam.log
# Update and scan in one command
sudo freshclam && clamscan -r /home
# Check database age (daily.cld once incremental updates have been applied)
DB=$(ls -t /var/lib/clamav/daily.c[lv]d | head -n 1); echo "Database age: $(( $(date +%s) - $(stat -c %Y "$DB") )) seconds"
```
Conclusion
ClamAV remains an essential security tool for Linux systems in 2026. Its open-source nature, regular updates, and robust detection capabilities make it invaluable for protecting against evolving malware threats.
Key Takeaways:
- Install ClamAV with regular automated updates
- Implement scheduled scans for critical directories
- Use both clamscan and clamd for different scenarios
- Integrate ClamAV with other security tools
- Monitor logs and set up alerts for infections
- Maintain proper quarantine procedures
Remember: ClamAV is one layer of defense. Combine it with firewalls, intrusion detection, and regular system updates for comprehensive security.
Enhance your security stack: Explore our Complete Linux Security Guide for more protection strategies.
Frequently Asked Questions (FAQs)
Q: Is ClamAV free to use? A: Yes, ClamAV is completely open-source and free for commercial and personal use.
Q: Does ClamAV detect Windows viruses? A: Yes, ClamAV can detect Windows, Linux, and macOS malware. It’s commonly used on mail servers to scan attachments.
Q: How often are virus definitions updated? A: ClamAV receives multiple updates daily, with new signatures being added continuously.
Q: Can ClamAV run on minimal hardware? A: Yes, ClamAV can run on systems with 512MB RAM, though performance improves with more resources.
Q: Does ClamAV conflict with SELinux?
A: SELinux may block ClamAV. Use setsebool -P clamd_use_jit 1 to allow JIT compilation if needed.
Q: How do I test if ClamAV is working?
A: Use the EICAR test file. Write it with single quotes, because inside double quotes the shell would expand $EICAR and $H and produce a string ClamAV does not recognize: echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt and run clamscan test.txt. The expected result is a line ending in Eicar-Test-Signature FOUND and exit status 1.