ClamAV: antivirus for Linux servers

Install ClamAV to scan web uploads, SMB shares and mail attachments. It is the open-source antivirus engine maintained by Cisco Talos, with signature databases updated daily (over 9 million signatures).

Introduction

Linux servers see far less commodity malware than Windows desktops, but they store and relay files for Windows clients, so they remain a distribution vector:

  • Web server receiving uploads
  • Samba / NFS shares with Windows clients
  • Mail server scanning attachments
  • SaaS apps where clients upload files

ClamAV is the open-source reference engine: signatures published daily by Cisco Talos, one-shot (clamscan) or daemon (clamd) scanning, and documented integration points for Postfix (clamav-milter or amavisd-new) and Samba (vfs_virusfilter).

Prerequisites

  • Linux VPS (Debian / Ubuntu)
  • 2 GB RAM minimum (clamd keeps the whole signature database in memory: well over 1 GB resident with the official databases, more with the third-party sets from Step 9)
  • Root access

Step 1: Installation

sudo apt update
sudo apt install -y clamav clamav-daemon clamav-freshclam
clamscan --version

Step 2: Update signatures

sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam

The clamav-freshclam service then keeps the signatures current on its own (hourly by default: Checks 24 in /etc/clamav/freshclam.conf). Stopping it before the manual run matters: freshclam refuses to start while the service instance holds the lock on /var/log/clamav/freshclam.log.

Step 3: First scan

sudo clamscan /tmp/suspect.exe
sudo clamscan -r /var/www/uploads
sudo clamscan -r --bell -i /var/www/uploads     # -i: list infected files only, --bell: beep on each hit

# EICAR test (harmless 68-byte string that every engine must detect)
curl -O https://secure.eicar.org/eicar.com
clamscan eicar.com
# Result: eicar.com: Eicar-Signature FOUND (newer databases name it Win.Test.EICAR_HDB-1)
# Exit code: 0 clean, 1 infected, 2 error. Scripts should branch on this, not on grepping "FOUND".

Step 4: Enable clamd daemon

sudo systemctl enable --now clamav-daemon
sudo systemctl status clamav-daemon

First start loads the database into RAM (1-2 min); clamdscan reports "Can't connect to clamd" until the daemon is listening.

clamdscan /tmp/suspect.exe
clamdscan --fdpass /tmp/suspect.exe     # when the file is not readable by the clamav user

Far faster than clamscan for single files: clamscan reloads the whole signature database on every run, clamdscan only hands the path to the already-loaded daemon. Because clamd runs as user clamav and opens the path itself, a file it cannot read comes back as an error (exit code 2), not as clean; --fdpass makes clamdscan open the file and pass the descriptor over the socket instead.
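An added check covering Steps 3 and 4 (example code, not from the original page): it builds the EICAR file offline instead of downloading it, runs it through clamscan and clamdscan, and decides from the scanners' exit codes rather than by grepping for "FOUND". It assumes the tools installed in Step 1 and the daemon from Step 4; make_eicar, verdict, scan_with and smoke_test are this example's own helper names, and the /tmp working directory is its choice.

```shell
#!/bin/sh
# Added example: offline EICAR smoke test for clamscan and clamd.
# Helper names and the /tmp working directory are this example's choices.

# Standard 68-byte EICAR test string (detected by every engine; not malware).
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# make_eicar DIR: write DIR/eicar.com and print its path
make_eicar() {
    mkdir -p "$1"
    printf '%s' "$EICAR" > "$1/eicar.com"
    printf '%s\n' "$1/eicar.com"
}

# verdict RC: meaning of a clamscan/clamdscan exit status
#   0 clean, 1 infected, 2 error (unreadable file, clamd down, ...)
verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo "unknown($1)" ;;
    esac
}

# scan_with TOOL FILE [OPTIONS...]: print "TOOL: verdict" and return the
# tool's exit status. Scanner output is discarded so the verdict comes from
# the exit code alone, which is how a script should decide.
scan_with() {
    tool="$1"; file="$2"; shift 2
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "$tool: not installed"
        return 2
    fi
    "$tool" "$@" "$file" >/dev/null 2>&1
    rc=$?
    echo "$tool: $(verdict "$rc")"
    return "$rc"
}

# smoke_test: both tools must report "infected". clamscan infected but
# clamdscan error means clamd (user clamav) cannot read the file by path;
# --fdpass hands it an open descriptor instead, so it is used here.
smoke_test() {
    work="${TMPDIR:-/tmp}/clamav-smoke.$$"
    f=$(make_eicar "$work")
    scan_with clamscan "$f" --no-summary
    scan_with clamdscan "$f" --fdpass --no-summary
    rm -rf "$work"
}

# Only run when invoked as "sh eicar-smoke.sh run"; sourcing just defines the helpers.
if [ "${1:-}" = "run" ]; then
    smoke_test
fi
```

Run it once after Step 4 and again after any change to clamd.conf or to the socket permissions; a "clamdscan: error" next to "clamscan: infected" is the signature of a permission problem, not of a signature problem.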

Step 5: Automatic upload scan

sudo nano /usr/local/bin/scan-uploads.sh
#!/bin/bash
UPLOAD_DIR="/var/www/uploads"
QUARANTINE="/var/lib/clamav/quarantine"
LOG="/var/log/clamav/scan-uploads.log"
ADMIN="[email protected]"
mkdir -p "$QUARANTINE"

# Keep this run's output in a variable: grepping the cumulative log would
# re-send the alert every 15 minutes forever after the first detection.
# --fdpass lets clamd (user clamav) scan files it cannot read by path.
RESULT=$(clamdscan -r --fdpass --infected --move="$QUARANTINE" "$UPLOAD_DIR" 2>&1)
RC=$?                                   # 0 clean, 1 infected, 2 error
printf '%s\n%s\n' "=== $(date -Is)" "$RESULT" >> "$LOG"

if [ "$RC" -eq 1 ]; then
    printf '%s\n' "$RESULT" | mail -s "ALERT virus on $(hostname)" "$ADMIN"
elif [ "$RC" -eq 2 ]; then
    printf '%s\n' "$RESULT" | mail -s "clamdscan error on $(hostname)" "$ADMIN"
fi
sudo chmod +x /usr/local/bin/scan-uploads.sh
# drop-in file under /etc/cron.d rather than "crontab -", which replaces root's whole crontab
echo "*/15 * * * * root /usr/local/bin/scan-uploads.sh" | sudo tee /etc/cron.d/scan-uploads
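A scheduled scanner that keeps a forensic record, as an added example (not the page's own script): instead of letting clamdscan --move drop hits into the quarantine under their original names, it parses the scanner output into path/signature pairs, files each hit under its SHA-256 with mode 0, and appends a manifest line so the original path and the firing signature survive for incident response. It assumes the paths from Step 5; parse_found, quarantine_file and scan_dir, the manifest layout and the "root" alert mailbox are this example's own choices.

```shell
#!/bin/sh
# Added example: scheduled upload scanner that keeps a forensic record.
# Assumes the paths from Step 5; helper names, the manifest layout and the
# "root" alert mailbox are this example's own choices.
set -u

UPLOAD_DIR="${UPLOAD_DIR:-/var/www/uploads}"
QUARANTINE="${QUARANTINE:-/var/lib/clamav/quarantine}"
MANIFEST="$QUARANTINE/manifest.tsv"      # when  sha256  signature  original path
ADMIN_MAIL="${ADMIN_MAIL:-root}"         # local mailbox; set your own address

# parse_found: stdin = clamdscan output; prints "path<TAB>signature" for every
# "<path>: <signature> FOUND" line. A path may itself contain ": ", so the
# split is on the LAST ": " (signature names never contain a colon).
parse_found() {
    awk '/ FOUND$/ {
        sub(/ FOUND$/, "")
        i = match($0, /: [^:]*$/)
        if (i) printf "%s\t%s\n", substr($0, 1, i - 1), substr($0, i + 2)
    }'
}

# quarantine_file PATH SIGNATURE: move the file under its SHA-256 (no name
# collisions, nothing executable by name), make it mode 0, and record
# time / hash / signature / original path in the manifest. Prints the hash.
quarantine_file() {
    src="$1"; sig="$2"
    [ -f "$src" ] || return 1
    digest=$(sha256sum "$src" | cut -d' ' -f1)
    mkdir -p "$QUARANTINE"
    mv -- "$src" "$QUARANTINE/$digest"
    chmod 0 "$QUARANTINE/$digest"
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$digest" "$sig" "$src" >> "$MANIFEST"
    printf '%s\n' "$digest"
}

# scan_dir DIR: one clamdscan pass over DIR. Hits are quarantined and mailed;
# a scanner error (rc 2: clamd down, unreadable file) is mailed too instead of
# being mistaken for "clean". Only this run's output is inspected, never the
# cumulative log. Returns the scanner's exit code.
scan_dir() {
    dir="$1"
    out=$(clamdscan -r --fdpass --infected --no-summary "$dir" 2>&1)
    rc=$?
    hits=$(printf '%s\n' "$out" | parse_found)
    tab=$(printf '\t')
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | while IFS="$tab" read -r path sig; do
            quarantine_file "$path" "$sig" >/dev/null \
                && logger -t scan-uploads "quarantined $path ($sig)"
        done
        printf '%s\n' "$hits" | mail -s "ALERT: infected upload(s) on $(hostname)" "$ADMIN_MAIL"
    elif [ "$rc" -eq 2 ]; then
        printf '%s\n' "$out" | mail -s "scan-uploads error on $(hostname)" "$ADMIN_MAIL"
    fi
    return "$rc"
}

# Run only when invoked with "run" (cron: */15 * * * * root /usr/local/bin/scan-uploads.sh run)
if [ "${1:-}" = "run" ]; then
    scan_dir "$UPLOAD_DIR"
fi
```

The manifest is what an analyst needs later: which upload, which signature, when, and a hash to pivot on, while the mode-0 blob under its hash cannot be served or executed by accident even if the quarantine directory is ever exposed.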

Real-time with inotify

sudo apt install -y inotify-tools
#!/bin/bash
# close_write, not create: a create event fires when the upload starts, so the
# scanner would see a partially written file. IFS= / read -r keep odd filenames intact.
QUARANTINE="/var/lib/clamav/quarantine"
mkdir -p "$QUARANTINE"
inotifywait -m -r -e close_write,moved_to /var/www/uploads --format "%w%f" |
while IFS= read -r FILE; do
    clamdscan --fdpass --infected --move="$QUARANTINE" "$FILE"
done

Run this as a systemd service with Restart=always rather than from a shell: the watch disappears as soon as the loop dies, and nothing written in the meantime is scanned.

Step 6: Postfix integration

sudo apt install -y amavisd-new

amavisd-new sits between Postfix and delivery as an after-queue content filter: Postfix hands each accepted message to amavis on port 10024, amavis runs it through ClamAV (and SpamAssassin) and re-injects it into Postfix on port 10025. Installing the package wires nothing up by itself; Postfix, amavis and the clamav user's group membership all need configuring.
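The wiring, as an added example for Debian's package layout (standard amavis ports 10024/10025; these lines are not from the original page and must be adapted to the host):

```conf
# /etc/postfix/main.cf: hand every accepted message to amavis (after-queue filter)
content_filter = smtp-amavis:[127.0.0.1]:10024

# /etc/postfix/master.cf: transport to amavis, plus the re-injection listener
# on 10025, which must not run the content filter again (mail loop)
smtp-amavis   unix  -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n       -       n       -       -       smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

# /etc/amavis/conf.d/15-content_filter_mode: virus checks are disabled by default;
# uncomment this block to enable them (the clamd socket is already listed in 15-av_scanners)
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
```

Then `sudo adduser clamav amavis`, so that clamd (user clamav) can read the files amavis unpacks under /var/lib/amavis/tmp, and `sudo systemctl restart clamav-daemon amavis postfix`. Verify by mailing an EICAR attachment to a local mailbox and looking for the amavis "INFECTED" line in /var/log/mail.log; if clamd cannot read the temp files, amavis logs a ClamAV error and falls back to its secondary scanners instead of blocking the message.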

Step 7: Samba integration

sudo apt install -y samba-vfs-modules

/etc/samba/smb.conf:

[share]
    path = /srv/samba/share
    vfs objects = virusfilter
    virusfilter:scanner = clamav
    virusfilter:socket path = /var/run/clamav/clamd.ctl
    virusfilter:infected file action = quarantine
    virusfilter:quarantine directory = /srv/quarantine
sudo mkdir -p /srv/quarantine
sudo systemctl restart smbd

vfs_virusfilter asks clamd to scan by path (there is no --fdpass equivalent here), so the clamav user needs read access to the share, and smbd needs write access to the quarantine directory. Test by copying eicar.com onto the share from a Windows client: the copy is refused and the file ends up in /srv/quarantine.

Step 8: Performance

/etc/clamav/clamd.conf:

# worker threads: each scans one file at a time; size to the CPU cores, not to 12 on a 2-core VPS
MaxThreads 12
MaxQueue 200
# per-file ceilings; unpacked archive contents count towards MaxScanSize
MaxFileSize 100M
MaxScanSize 400M
MaxRecursion 16
MaxFiles 10000
# without this, a file that exceeds a limit is skipped and reported clean
AlertExceedsMax yes
sudo systemctl restart clamav-daemon

Raising the limits raises memory use per scan; lower them rather than the thread count if the daemon starts swapping.

Step 9: Additional signatures

sudo apt install -y clamav-unofficial-sigs
sudo nano /etc/clamav-unofficial-sigs/user.conf
# user.conf overrides master.conf and survives package upgrades; enable sources here
# (variable names as in the current clamav-unofficial-sigs releases)
sanesecurity_enabled="yes"
securiteinfo_enabled="no"      # needs a registered SecuriteInfo authorisation key before "yes"
sudo clamav-unofficial-sigs.sh

Adds ~2M extra signatures. Third-party sets (Sanesecurity in particular) are tuned for mail and fire on more legitimate files than the official databases, so keep the whitelist from Step 11 ready and dry-run before enabling --move or --remove on them.

Step 10: Quarantine

clamscan -r --move=/var/quarantine /var/www      # move
clamscan -r --remove /var/www                    # delete

⚠️ Always dry-run first (the same command with -i and without --move or --remove) to see what would be hit and to identify false positives. --remove is irreversible; prefer --move, and keep the quarantine directory readable by root only so nothing in it can be served or executed.

Step 11: Whitelist (false positives)

A .fp file in /var/lib/clamav whitelists by file hash. Each line is HASH:SIZE:NAME (MD5, SHA1 or SHA256 hex digest, file size in bytes, a free-form label without colons); sigtool prints exactly that line:

sigtool --sha256 /path/to/legitimate-file.zip | sudo tee -a /var/lib/clamav/whitelist.fp
sudo clamdscan --reload                          # clamd picks up the new database file

To silence one signature everywhere instead (typical for a noisy third-party rule), put its name, one per line, in /var/lib/clamav/local.ign2. Keep to the exact format in both files: a malformed line makes clamd refuse to load the database.
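For bulk whitelisting (a vendor's release archives, an internal tool that trips a generic signature), an added example that builds and validates .fp lines in plain shell, so a malformed entry never reaches clamd; it is not part of the original page, and fp_line, valid_fp_line and whitelist_add are this example's own names.

```shell
#!/bin/sh
# Added example: build and validate ClamAV .fp whitelist lines without
# sigtool, for scripting bulk whitelists. Function names are this example's.

# fp_line FILE [LABEL]: print "SHA256:SIZE:LABEL", the .fp line format.
# LABEL defaults to the file's base name; it must not contain a colon.
fp_line() {
    f="$1"; label="${2:-$(basename "$f")}"
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    printf '%s:%s:%s\n' "$sum" "$size" "$label"
}

# valid_fp_line LINE: succeeds if LINE is a well-formed .fp entry (MD5, SHA1
# or SHA256 hex digest, decimal size, non-empty label without colons).
# clamd refuses to load a database file containing a malformed line, so
# check before appending.
valid_fp_line() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}):[0-9]+:[^:]+$'
}

# whitelist_add FPFILE FILE...: append one entry per FILE to FPFILE, skipping
# files whose hash is already listed and files that yield an invalid line.
# Prints the number of entries added.
whitelist_add() {
    fp="$1"; shift
    added=0
    touch "$fp"
    for f in "$@"; do
        line=$(fp_line "$f")
        valid_fp_line "$line" || continue
        if ! grep -q "^${line%%:*}:" "$fp"; then
            printf '%s\n' "$line" >> "$fp"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Typical use (as root):
#   whitelist_add /var/lib/clamav/whitelist.fp /srv/app/releases/*.zip
#   clamdscan --reload
```

Whitelisting by hash is deliberately narrow: a rebuilt archive gets a new hash and is scanned again, which is what you want; reach for an .ign2 entry only when the signature itself is the problem.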

Troubleshooting

"ERROR: Can't connect to clamd"

sudo systemctl restart clamav-daemon

Very long first start

Normal, ClamAV loads ~2 GB in RAM. Wait 1-2 min.

freshclam update fails

sudo freshclam -v

Check outbound firewall and DNS.

Very slow scan

Use clamdscan (daemon) instead of clamscan. Increase MaxThreads.

OOM Killer — clamd killed

Not enough RAM: the official signature database alone needs well over 1 GB resident, and every third-party database from Step 9 adds to it. Budget 2 GB, or drop the unofficial signatures.

Useful commands

sudo freshclam                     # manual update
clamdscan --fdpass /path           # scan via daemon
clamdtop                           # real-time stats
clamscan --version                 # DB version
ls -la /var/lib/clamav/quarantine
clamscan --include="\.(exe|dll|pdf)$" -r /var/www
clamscan --max-filesize=100M -r /var/www

Conclusion

ClamAV effectively protects uploads, mail, network shares, backups.

Going further:

  • Combine with Wazuh for multi-layer detection
  • Use maldet (Linux Malware Detect) as complement
  • For intense mail servers, Rspamd + ClamAV
