Security
Difficulty: Beginner

ClamAV: Open-Source Antivirus for Linux

Detailed tutorial to install and configure ClamAV, an open-source antivirus, to protect your system against malware.

What is ClamAV?
ClamAV is an open-source antivirus engine designed to detect trojans, viruses, malware and other threats. It is a popular security solution for mail servers, web gateways and file scanning on Linux systems.

Why Use ClamAV?

  • Open-Source and Free: A security solution available with no licensing cost.
  • Cross-platform: Runs on Linux, Windows and macOS.
  • Flexibility: Can be used on the command line, as a daemon, or integrated into other applications (mail servers, proxies).
  • Up-to-date signature database: The community maintains a regularly updated threat database.

Prerequisites

  • A Linux server (Ubuntu/Debian, CentOS/RHEL, etc.).
  • Root access or sudo privileges.

Installation

Step 1: Install the packages

# On Debian / Ubuntu
sudo apt-get update
sudo apt-get install -y clamav clamav-daemon

# On CentOS / RHEL (requires the EPEL repository)
sudo yum install -y epel-release
sudo yum install -y clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-server-systemd

Step 2: Update the virus signature database

First of all, you need to download the latest signature database. The `freshclam` service handles this.

# Stop the service for the first manual update
sudo systemctl stop clamav-freshclam

# Run the update manually (may take a few minutes)
sudo freshclam

# Restart the services
sudo systemctl start clamav-freshclam
sudo systemctl start clamav-daemon

Check that the services are running:

sudo systemctl status clamav-freshclam
sudo systemctl status clamav-daemon

Ready to scan!
ClamAV is installed and its database is up to date. The `clamav-daemon` daemon runs in the background for fast scans and `clamav-freshclam` will update the signatures automatically.

Command-Line Usage

The main tool to run a manual scan is `clamscan`.

Scan a file

clamscan my_file.zip

Scan a directory recursively

# -r for recursive
clamscan -r /home/user

Useful options

  • --infected: Only displays infected files.
  • --remove: Directly deletes infected files (use with caution!).
  • --move=/quarantine/directory: Moves infected files to a quarantine directory.
  • -l /var/log/clamav_scan.log: Saves the scan report to a log file.

Example of a complete, safe scan

The following commands create the quarantine directory, then scan the entire system, show only infected files, move them to quarantine and save a report.

sudo mkdir -p /var/quarantine/clamav
sudo clamscan -r --infected --move=/var/quarantine/clamav / -l /var/log/clamav/manual_scan.log

Automation with Cron

Automating scans is essential. Here is how to schedule a weekly scan with cron.

sudo nano /etc/cron.weekly/clamav_scan

Add the following content and make the file executable:

#!/bin/bash
# No backslash before % here: that escaping is only needed inside a crontab line
LOG_FILE="/var/log/clamav/weekly_scan_$(date +%Y-%m-%d).log"
QUARANTINE_DIR="/var/quarantine/clamav"

mkdir -p "$QUARANTINE_DIR"

# Scan the filesystem, excluding a few system directories
clamscan -r --infected --move="$QUARANTINE_DIR" \
    --exclude-dir="^/sys" --exclude-dir="^/proc" --exclude-dir="^/dev" \
    / > "$LOG_FILE" 2>&1

# Then, back in the shell, make the script executable
sudo chmod +x /etc/cron.weekly/clamav_scan

Performance impact
A full filesystem scan can be very intensive in terms of I/O and CPU. Schedule it during off-peak hours.
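
The weekly job above writes everything to a log file and discards the exit status of `clamscan`, so detections and failed scans go unnoticed unless someone reads the log. The helper below is an added example, not part of the original tutorial: it labels the exit status (0 clean, 1 virus found, 2 error, as documented in the `clamscan` man page) and extracts the `FOUND` lines. The function names and the sample log are constructed for illustration.

```bash
#!/bin/bash
# Added example: triage a clamscan log. Names and sample data are constructed.

# clamscan exit status per its man page: 0 = no virus found,
# 1 = virus(es) found, 2 = an error occurred during the scan.
scan_status() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected" ;;
        *) echo "error" ;;
    esac
}

# Print "signature<TAB>path" for every "<path>: <signature> FOUND" line.
list_detections() {
    local line rest
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *" FOUND")
                rest="${line% FOUND}"
                # Split on the last ": " so a path containing ": " stays intact.
                printf '%s\t%s\n' "${rest##*: }" "${rest%: *}"
                ;;
        esac
    done < "$1"
}

# One-line result for mail or syslog: $1 = clamscan exit status, $2 = log file.
alert_line() {
    local count
    count="$(list_detections "$2" | wc -l | tr -d ' ')"
    echo "clamscan: $(scan_status "$1"), ${count} detection(s), log: $2"
}

# Constructed sample of clamscan --infected output (not from a real scan).
sample_log() {
    cat <<'EOF'
/home/user/downloads/invoice.zip: Win.Test.EICAR_HDB-1 FOUND
/srv/share/notes: draft.txt: Eicar-Signature FOUND
----------- SCAN SUMMARY -----------
Infected files: 2
EOF
}

# Demo on the sample; in the cron script, pass "$?" and "$LOG_FILE" instead.
demo_log="$(mktemp)"
sample_log > "$demo_log"
alert_line 1 "$demo_log"
rm -f "$demo_log"
```

Treat the "error" status as seriously as "infected": a scan that failed partway has not cleared the host.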

Conclusion

ClamAV is a robust and flexible antivirus solution for Linux environments. It is simple to install, and its use, whether manually or via cron automation, adds an essential layer of security to your servers. Never forget that security is a matter of defense in depth: an antivirus is one tool among others (firewall, updates, hardened configuration).

Written by

Morgann Riu

Cybersecurity and Linux administration expert. I share my knowledge through free tutorials and training to help system administrators and developers secure their infrastructures.
