How to Install and Use ClamAV Antivirus on CentOS/RHEL?

ClamAV is an open-source antivirus. It is used to detect viruses, trojans, and malware. It is mostly used on Linux platforms to scan user directories accessible over FTP or Samba, website directories, or emails on mail servers (as an MTA agent).

In this article, we will show how to install, configure and use the ClamAV on a host running a CentOS or RHEL Linux distros.

Installing ClamAV on CentOS/RHEL

ClamAV is not available in basic Linux repos, so you need to use the EPEL repository to install it on your host:

# yum install epel-release -y

After you have installed the repository, you can proceed with the installation of ClamAV packages. To install it, the yum package manager is used (or dnf in CentOS 8):

# yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

Basic Configuration of ClamAV in Linux

To set up your own ClamAV configuration, delete the default configuration in the /etc/clam.d/scan.conf.

# sed -i -e "s/^Example/#Example/" /etc/clamd.d/scan.conf

Then open the configuration file:

# nano /etc/clamd.d/scan.conf

And uncomment the following line:

LocalSocket /run/clamd.scan/clamd.sock

You can also uncomment the lines with the settings you need. For example, you can enable logging or configure the maximum number of connections.

The /etc/clamd.d/scan.conf file contains quite a detailed description of all settings.

To update the anti-virus signature databases for ClamAV, you need to use the freshclam. Backup your current configuration file:

# cp /etc/freshclam.conf /etc/freshclam.conf.bak

Then run this command:

# sed -i -e "s/^Example/#Example/" /etc/freshclam.conf

And update your antivirus definitions:

# freshclam

During the update, you may see some errors if you cannot download any updates. Freshclam will automatically find a mirror to download the updates successfully.

To make freshclam automatically check for updates, you may run it with -d parameter:

# freshclam -d — thus, it will check for updates every 2 hours.

To run it easier, create a service file for freshclam:

# nano /usr/lib/systemd/system/freshclam.service

And add the following contents to it:

[Unit]
Description = freshclam
After = network.target
[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 4
Restart = on-failure
PrivateTmp = true
RestartSec = 10sec
[Install]
WantedBy=multi-user.target

Reload the systemd daemon:

# systemctl daemon-reload

Then you can start your service and add it to startup:

# systemctl start freshclam.service
# systemctl enable freshclam.service
# systemctl status freshclam.service

Like you did for freshclam, create a service for ClamAV. The configuration file already exists, but you will have to change its name:

# mv /usr/lib/systemd/system/clamd\@.service /usr/lib/systemd/system/clamd.service

To make it more convenient, we have deleted \@.

Also, change the configuration in the file:

[Unit]
Description = clamd scanner daemon
After = syslog.target nss-lookup.target network.target
[Service]
Type = forking
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/scan.conf
# Reload the database
ExecReload=/bin/kill -USR2 $MAINPID
Restart = on-failure
TimeoutStartSec=420
[Install]
WantedBy = multi-user.target

Then you can run the antivirus service or enable it:

# systemctl start clamd.service
# systemctl enable clamd.service

How to Scan for Viruses with ClamAV?

After you have configured the ClamAV antivirus service, you can scan any server directory for viruses (scanner mode). To scan the specified directory for viruses, use the following command:

# clamscan --infected --remove --recursive /var/www/

With these parameters, the antivirus will immediately delete the infected files. If you want to move suspicious files to a separate directory, run the scan using the —move parameter:

# clamscan --infected --recursive --move=/tmp/clamscan /var/www

This command will scan all contents of the specified directory and move suspicious files to /tmp/clamscan.

As we can see, the infected file has been moved to the specified directory:

You can also add the —log=/var/log/clamscan.log parameter to write all information about the scanning process in the log file you have specified:

If you want to exclude some of the directories from scanning, use the —exclude-dir parameter:

# clamscan -i --recursive --move=/tmp/clamscan --log=/var/log/clamscan.log --exclude-dir="/var/www/administrator" /var/www

To scan for viruses regularly, you can configure a cron job with the settings you want.

There is a graphical frontend for the ClamAV antivirus called ClamTk.