Scanning with ClamAV¶
In this article
ClamAV is a free, cross‑platform, open‑source antivirus designed to detect trojans, viruses, malware, and other threats. It is most commonly used on servers and mail gateways.
Installation¶
Ubuntu / Debian¶
Note
Starting with Ubuntu 22.04 and Debian 11+, the clamav-daemon package (including clamd) is recommended to be installed separately if background scanning or integration with other services is planned.
CentOS / RHEL / Fedora¶
For RHEL/CentOS 7 / 8 / 9 (EPEL must be enabled)
For Fedora / RHEL 9+ (using dnf)Note
On systems with systemd (all modern distributions), the clamav-freshclam service manages automatic database updates.
Updating Signatures¶
Before first use, be sure to update the virus signature databases.
Standard method (when freshclam is running)¶
If you encounter an error ERROR: Can't open /var/lib/clamav/main.cvd: Permission denied or ERROR: Database lock file exists, the clamav-freshclam service may already be running and blocking the update. In that case, use:
Resource Requirements¶
- RAM: For full scans, at least 1–1.5 GB of free RAM is recommended.
- Swap: If no swap partition or file exists, set it up, especially on VPS with limited memory:
Scanning Examples¶
| Task | Command |
|---|---|
| Scan a single file | clamscan /path/to/file |
| Recursive folder scan (infected only) | clamscan -r -i /folder |
| Move infected files | clamscan -r --move=/quarantine /folder |
| Automatically delete infected files | clamscan -r --remove /folder |
| Output report to file | clamscan -r -i /folder > scan_report.txt |
Use the clamd daemon (faster, less RAM on repeats) | clamdscan -r /folder |
Note
The --remove option permanently deletes files. Use it only after testing and with a backup.
To speed up repeated scans, it is recommended to use clamdscan (runs via the clamd daemon), after starting the service:
Useful Tips¶
- To check if
clamdis running: - Scanning logs (by default) are located in
/var/log/clamav/. - To schedule regular scans, set up
cron: