# ClamAV
## Install ClamAV in Ubuntu
ClamAV is a free, open-source antivirus engine for detecting trojans, viruses and other malware on your server. In this overview we show you how to install ClamAV in Ubuntu, make sure it starts automatically, and scan your server on a schedule.
## Installing ClamAV
Installing ClamAV in Ubuntu is straightforward and can be done with the commands:
```
sudo apt update
sudo apt install clamav
```
Do you want ClamAV to scan your server automatically and protect it in real time? Then also install the ClamAV daemon:
```
sudo apt install clamav-daemon
```
The daemon keeps the entire signature database loaded in memory and therefore uses a fair amount of RAM (easily 600 MB or more), so account for this when installing it. Alternatively, use just the basic package together with a cronjob; see the cronjob instructions later in this overview.
## Updating the virus database
ClamAV comes with a tool called freshclam to update its virus database. On Ubuntu it runs as the clamav-freshclam service and by default checks for database updates 24 times per day (the `Checks 24` setting in /etc/clamav/freshclam.conf). You can check its current status with:
```
sudo systemctl status clamav-freshclam
```
Note that right after installation the database directory is still empty: clamd and clamscan refuse to run until the first freshclam download has completed, so check this status before your first scan.
### Manual update
If you stop freshclam (with `sudo systemctl stop clamav-freshclam`) and want to update manually, use the command:
```
sudo freshclam
```
If you use the above command while the freshclam service is still running, you will get the message:
```
ERROR: /var/log/clamav/freshclam.log is locked by another process
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
```
## Automatically scan your server

### Automatically scan with the ClamAV daemon
If you use the daemon version of ClamAV, the ClamAV daemon (clamd) runs as a service and starts automatically after a reboot of your server.

ClamD does not protect your server in real time by itself; that is the job of the separate On-Access Scanning component, which watches the directories you list and has files scanned as they are opened. How you enable it depends on your ClamAV version (check with `clamscan --version`): up to 0.101 it is built into clamd and switched on with `ScanOnAccess yes` in clamd.conf; from 0.102 on it lives in the separate `clamonacc` client, which reads the same `OnAccess*` settings from clamd.conf but has to be started separately, and `ScanOnAccess` is no longer a valid option (clamd refuses to start on an unknown option), so leave that line out on those versions. To enable it, first make some adjustments in the ClamD configuration:
Step 1

Open the ClamD configuration:
```
sudo nano /etc/clamav/clamd.conf
```

Step 2

Add the following content to the bottom of the file (see the explanation below):
```
ScanOnAccess yes
OnAccessIncludePath /home
OnAccessIncludePath /etc
OnAccessIncludePath /var
OnAccessPrevention yes
```
- `ScanOnAccess yes`: enables On-Access scanning (only valid up to ClamAV 0.101; on 0.102 and newer leave this line out and run `clamonacc` instead).
- `OnAccessIncludePath`: the folders defined here (/home, /etc, /var) are watched and scanned recursively.
- `OnAccessPrevention yes`: blocks access to infected files; with `no` only a notification is logged and no action is taken.

There are more options, such as excluding folders with `OnAccessExcludePath`. More information about all available options and some use cases can be found at https://blog.clamav.net.
Step 3

The changes are only picked up when the clamav-daemon service is restarted, so stop it first:
```
sudo systemctl stop clamav-daemon
```

Step 4

Start ClamD again through its service:
```
sudo systemctl start clamav-daemon
```
It takes a moment for clamd to start, because it first loads the whole signature database into memory. On ClamAV 0.102 and newer, start the on-access client as well once clamd is up, for example with `sudo clamonacc --fdpass`.
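To check that the daemon and the on-access setup actually catch something, here is an added example script (not part of the original tutorial or of ClamAV). It uses the EICAR test string, a harmless 68-byte file that every antivirus engine is required to detect: it first feeds the string to the daemon on stdin through clamdscan, then writes it into a directory you pass on the command line (assumed to be one of your OnAccessIncludePath entries, e.g. /home) and checks whether on-access prevention blocks reading it back. The file name and the verdict words are the example's own choices; run it as root.

```shell
#!/bin/sh
# verify-clamav.sh: does the daemon (and on-access scanning) actually catch
# anything?  Added example for this page; it is not part of the original
# tutorial or of ClamAV.  Assumptions: clamdscan is installed and the daemon
# is running; the directory you pass is covered by OnAccessIncludePath
# (e.g. /home); the file name and verdict words are the example's own.
set -u

# The 68-byte EICAR test string, assembled from two halves so that this
# script itself is not flagged when it sits on disk.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}' '$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

# clamdscan/clamscan exit status: 0 = clean, 1 = virus found, 2 = error
scan_verdict() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "detected" ;;
        *) echo "error" ;;
    esac
}

# Feed the test string to the daemon on stdin (clamdscan's INSTREAM mode),
# so no file has to be opened and on-access prevention cannot interfere.
verify_with_clamdscan() {
    eicar_string | clamdscan --no-summary - >/dev/null 2>&1
    scan_verdict $?
}

# With OnAccessPrevention yes the open() for reading is denied, so reading
# the file back fails.  "readable" means on-access scanning is not active
# for that directory (or prevention is off).
verify_on_access() {
    if cat "$1" >/dev/null 2>&1; then
        echo "readable"
    else
        echo "blocked"
    fi
}

main() {
    dir=$1
    file="$dir/eicar-clamav-test.txt"
    echo "daemon   : $(verify_with_clamdscan)"
    # Creating the file is allowed (it is empty when first opened); only the
    # later read of the infected content is what prevention blocks.
    eicar_string > "$file"
    echo "on-access: $(verify_on_access "$file")"
    rm -f "$file"
}

if [ $# -eq 1 ]; then
    main "$1"
else
    echo "usage: $0 DIRECTORY" >&2
fi
```

Run it as `sudo sh verify-clamav.sh /home`. A working setup prints `daemon   : detected` and `on-access: blocked`; `on-access: readable` means the directory is not being watched or prevention is off, and `daemon   : error` usually means clamd is not running or has not finished loading its database yet.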
Additional tips:
- You can check the status of the ClamAV daemon with the command:
  ```
  sudo systemctl status clamav-daemon
  ```
- You can find the log files in /var/log/clamav/ (clamav.log for the daemon, freshclam.log for the database updates).
- Clamd has a resource monitor similar to top/htop. You use it with the command:
  ```
  clamdtop
  ```
- If you get a message that inotify has exhausted the maximum number of watchpoints, you can add more with:
  ```
  echo 524288 | sudo tee -a /proc/sys/fs/inotify/max_user_watches
  ```
  This setting is lost at reboot; to make it permanent, put `fs.inotify.max_user_watches=524288` in a file under /etc/sysctl.d/.

### Automatically scan your server with a cronjob

At the beginning of this overview we mentioned that the ClamAV daemon uses quite a bit of RAM. Alternatively, you can leave the ClamAV daemon uninstalled and create a cronjob that runs the manual ClamAV scan automatically (a cronjob is a task on your VPS that executes one or more commands at fixed times). This works as follows:

Step 1

ClamAV only scans files the executing user can read, so create the cronjob in the root user's crontab:
```
sudo crontab -e
```

Step 2

Add the following lines to the bottom of the file:
```
SHELL=/bin/bash
HOME=/
0 */1 * * * date >> /var/log/clamav_log
0 */1 * * * clamscan --exclude-dir=/proc/* --exclude-dir=/sys/* -i -r / >> /var/log/clamav_log
```
In short, the above does the following:
- The cronjob is executed every hour, on the hour (defined by `0 */1 * * *`; the first field is the minute, so `* */1 * * *` would run it every minute). Would you rather scan daily at a specific time? For every day at 18:00 you use `0 18 * * *`. At https://crontab.guru/ you can see how to specify specific times in a cronjob.
- `date >> /var/log/clamav_log` appends the date and time of each run on a new line at the end of /var/log/clamav_log; the same `>> /var/log/clamav_log` after the clamscan command writes the scan result (the list of infected files and the summary) to that log.
- The clamscan command is explained in more detail under 'Scanning manually with ClamAV'.

!!! Info "Warning"
    Running the clamscan command causes increased CPU and disk usage while the scan is running. Keep this in mind when choosing the times at which you want the scan to run.

You can list the current cronjobs with:
```
sudo crontab -l
```
If desired, remove the cronjob (this removes all cronjobs in the root crontab) as follows:
```
sudo crontab -r
```

!!! Info "Info"
    If you point the log at a directory that does not exist yet, create it first with mkdir; otherwise the redirection fails and nothing is logged.

## Scanning your server manually

### Scanning manually with ClamAV

ClamAV only scans files to which the executing user has read access. Therefore always scan as the root user, or use sudo. For the manual version, use the command:
```
sudo clamscan --exclude-dir=/proc/* --exclude-dir=/sys/* -i -r /
```
- With `--exclude-dir=/proc/*` and `--exclude-dir=/sys/*` you ensure that ClamAV does not scan these folders (`--exclude-dir` takes a regular expression). /proc and /sys are virtual file systems that, among other things, expose the hardware and the processes of your VPS to your OS; scanning them is pointless and can hang on some entries.
- `-i` (infected) shows only infected files.
- `-r` (recursive) scans all subfolders.
- `/` indicates that all folders of your VPS are scanned. You can also use this to scan specific folders, e.g. `/etc/`.

### Manual scanning with ClamD

You can also scan your OS manually with the ClamAV daemon, but clamdscan has fewer scan options than clamscan and is mainly intended for scanning specific folders, not your entire OS at once. The syntax is:
```
sudo clamdscan --fdpass -i /etc
```
- `--fdpass`: the ClamAV daemon runs as the user clamav, which has few rights to folders. With `--fdpass`, clamdscan opens the files itself and passes the file descriptors to the daemon, so the daemon can scan everything the user running clamdscan can read. If you run the command as root, every folder root can access can be scanned.
- `-i` (infected) shows only infected files.
- `/etc` specifies which folder you want to scan (recursively).

Scanning with ClamD uses the configuration in clamd.conf. You can edit this file to customize the scanning to your liking:
```
sudo nano /etc/clamav/clamd.conf
```
or regenerate it interactively with:
```
sudo dpkg-reconfigure clamav-daemon
```
After changing the configuration, restart the daemon so that the changes take effect: `sudo systemctl restart clamav-daemon`.
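The cronjob from the section above runs clamscan unattended, which raises three things the tutorial does not cover: what happens if the previous run is still busy when cron fires again, how to keep the scan from hogging the VPS, and how to read from the log whether anything was found (clamscan exits 0 when clean, 1 when it found something and 2 on an error). The following wrapper script is an added example, not part of the original tutorial or of ClamAV; the log and lock paths, the script name, the extra excluded directories (/dev, /run) and the use of flock and ionice are assumptions you can change.

```shell
#!/bin/sh
# clamscan-cron.sh: wrapper around the clamscan cronjob from this tutorial.
# Added example for this page, not code from the original tutorial or ClamAV.
# Assumptions: clamscan, flock (util-linux) and ionice are installed; the LOG
# and LOCK paths are illustrative.  Install as root, then schedule it with
#   sudo crontab -e
#   0 18 * * * /usr/local/sbin/clamscan-cron.sh /
set -u

LOG=${CLAMSCAN_LOG:-/var/log/clamav/clamscan-cron.log}
LOCK=${CLAMSCAN_LOCK:-/run/clamscan-cron.lock}

# Timestamped line appended to LOG (UTC, ISO 8601); replaces the bare
# "date >> /var/log/clamav_log" entry from the tutorial.
log_line() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"
}

# clamscan exit status per its man page: 0 no virus, 1 virus found, 2 error.
summarize_exit() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "INFECTED - see log" ;;
        2) echo "error (scan incomplete)" ;;
        *) echo "unexpected status $1" ;;
    esac
}

# Run the scan at the lowest CPU and I/O priority so an hourly or daily run
# does not starve the services on the VPS.  --exclude-dir takes a regex, so
# the anchored forms below are the precise version of /proc/* and /sys/*.
run_scan() {
    log_line "scan start: $*"
    nice -n 19 ionice -c 3 clamscan -i -r \
        --exclude-dir='^/proc' --exclude-dir='^/sys' \
        --exclude-dir='^/dev' --exclude-dir='^/run' \
        "$@" >> "$LOG" 2>&1
    rc=$?
    log_line "scan end: $(summarize_exit "$rc")"
    return "$rc"
}

# The lock makes an overlapping run (scan still busy when cron fires again)
# exit immediately instead of doubling the load.
main() {
    exec 9>"$LOCK"
    if ! flock -n 9; then
        log_line "skipped: previous scan still running"
        exit 0
    fi
    run_scan "$@"
}

if [ $# -gt 0 ]; then
    main "$@"
else
    echo "usage: $0 PATH..." >&2
fi
```

Because the wrapper returns clamscan's own exit status, cron mails root only when something went wrong or was found, and `grep 'scan end' /var/log/clamav/clamscan-cron.log` gives a one-line-per-run history of the verdicts.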