ClamAV is a free and open-source antivirus toolkit able to detect many types of malicious software, including viruses, trojans, malware, adware, rootkits, and other malicious threats. One of its primary uses is on mail servers as a server-side email virus scanner; it is also used on file hosting servers to periodically scan and make sure files are clean, especially if the public can upload to the server.
ClamAV supports multiple file formats (documents, executables, or archives), provides a multi-threaded scanner, and receives signature database updates daily, sometimes multiple times per day, for the latest protection.
In the following tutorial, you will learn how to configure ClamAV on Ubuntu 20.04 LTS Focal Fossa desktop or server and some basic scan commands using the command line terminal.
Before you proceed, run a quick update on Ubuntu to ensure all packages are up-to-date to avoid any conflicts during the installation of ClamAV.
sudo apt update && sudo apt upgrade -y
Install ClamAV from the APT repository by executing the following command.
sudo apt install clamav clamav-daemon -y
Now that you have installed ClamAV, you can proceed to update the virus database.
Update the ClamAV Virus Database
With ClamAV installed, update your ClamAV database before using the virus scanner (clamscan). The definitions are updated with the (freshclam) terminal command, which needs your system to be connected to the Internet.
Firstly, you need to stop the (clamav-freshclam) service before you can update. To do this, type in the following command:
sudo systemctl stop clamav-freshclam
Now you can proceed to update your virus definition database by running the (freshclam) command with sudo.
Once the database is updated, you can start the (clamav-freshclam) service.
sudo systemctl enable clamav-freshclam --now
The above command will activate the service and automatically enable it on system boot, which is highly recommended.
In the future, if you need to disable clamav-freshclam, the following command will do the trick.
sudo systemctl disable clamav-freshclam --now
Note that (freshclam) downloads the ClamAV CVDs and databases into the directory (/var/lib/clamav).
Lastly, for learning purposes, to view the contents of the ClamAV directory and the dates of its files, use the (ls -l) command.
ls -l /var/lib/clamav/
How to Scan with ClamAV (clamscan)
Now that you have installed and updated ClamAV, it is time to scan your system to make sure it is clean. This is done with the (clamscan) command.
An example of the syntax is below.
sudo clamscan [options] [file/directory/-]
The following is a list of examples:
Print ClamAV help:
sudo clamscan -h
Scan a file:
sudo clamscan /home/script.sh
Scan a directory:
sudo clamscan /home/
Print infected files only:
sudo clamscan -i /home/
Skip printing OK files:
sudo clamscan -o /home/
Do not print the summary at the end of the scan:
sudo clamscan --no-summary /home/
Bell notification on virus detection:
sudo clamscan --bell -i /home
Scan directories recursively:
sudo clamscan --bell -i -r /home
Save scan report to file:
sudo clamscan --bell -i -r /home -l output.txt
Scan files listed line by line in the file:
sudo clamscan -i -f /tmp/scan
Remove infected files:
sudo clamscan -r --remove /home/USER
Note that this deletes the file from your system. If it’s a false positive, you won’t be able to retrieve the file.
Move infected files into the quarantine directory:
sudo clamscan -r -i --move=/home/USER/infected /home/
Limit ClamAV CPU Usage
ClamAV can be quite CPU intensive during scanning, and systems that operate on limited or older hardware may find the process too taxing. A simple way to limit CPU usage during the scan is to put the (nice) command before each ClamAV command.
Example of a (nice) command to reduce ClamAV CPU:
sudo nice -n 15 clamscan --bell -i -r /home
The great benefit of using this method is that if nothing else is using the CPU, ClamAV using (clamscan) will maximize CPU usage. However, if another process with a higher priority requires CPU, then clamscan will scale down effectively to allow the other process to take priority.
Although there are a few other options, the (nice) command is the best solution. It will maximize CPU if free and scale down when other processes need it, effectively giving you the best combination of performance and safety.
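The scan options and the (nice) prefix above can be combined into one script for scheduled scans. The following is an added example, not part of the original tutorial: the function names, the 2-day freshness threshold and the daily.cvd/daily.cld file check are assumptions, and the verdicts follow clamscan's documented exit status (0 clean, 1 virus found, 2 error).

```shell
#!/bin/sh
# Added example (not from the original tutorial): a scheduled-scan wrapper.
DB_DIR=/var/lib/clamav   # freshclam database directory named in the tutorial
MAX_DAYS=2               # assumption: a daily database older than this is stale

# Echo fresh, stale or missing for the daily database in directory $1.
# main.cvd changes rarely, so only daily.cvd / daily.cld is checked.
daily_db_status() {
    if [ ! -e "$1/daily.cvd" ] && [ ! -e "$1/daily.cld" ]; then
        echo missing; return 0
    fi
    fresh=$(find "$1" -maxdepth 1 -type f \
        \( -name daily.cvd -o -name daily.cld \) -mtime -"$MAX_DAYS")
    if [ -n "$fresh" ]; then echo fresh; else echo stale; fi
}

# Map clamscan's exit status to a verdict: 0 clean, 1 virus found, 2 error.
scan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Print "path<TAB>signature" for each "path: Signature FOUND" line in report $1.
list_detections() {
    tab=$(printf '\t')
    sed -n "s/^\(.*\): \(.*\) FOUND\$/\1${tab}\2/p" "$1"
}

# Recursively scan $1 at low CPU priority and write the report to $2.
scan_dir() {
    db_state=$(daily_db_status "$DB_DIR")
    [ "$db_state" = fresh ] || echo "warning: signature database is $db_state" >&2
    : > "$2"     # clamscan appends to its log, so start from an empty report
    rc=0
    nice -n 15 clamscan -r -i --log="$2" "$1" >/dev/null || rc=$?
    verdict=$(scan_verdict "$rc")
    [ "$verdict" != infected ] || list_detections "$2"
    echo "$verdict"
}

# Usage: sudo sh scan.sh /home /var/log/clamscan-home.log
if [ $# -eq 2 ]; then scan_dir "$1" "$2"; fi
```

A verdict of error means the scan was incomplete, so a scheduled job should treat it as a failure rather than as a clean result.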
How to Update/Upgrade ClamAV
Given that ClamAV was installed using the APT package manager, use the following command as you would with any APT package to update.
sudo apt update && sudo apt upgrade
For desktop users, you should use the terminal command even with auto-notifications or automatic upgrades set. This ensures all packages are being updated correctly, and the terminal will never fail.
How to Remove (Uninstall) ClamAV
First, if you are no longer interested in using ClamAV, disable its services.
sudo systemctl disable clamav-daemon clamav-freshclam --now
Next, use the following command to remove all traces of ClamAV and its dependencies.
sudo apt autoremove 'clamav*' -y
Comments and Conclusion
Overall, ClamAV is an excellent virus scanner. Is it the best? Well, that is up for constant debate, with other products rising and falling; however, ClamAV is always in the top 1 to 3 in most people’s books and is a solid effort to help protect your operating system and email and/or web servers from viruses, malware, and other threats.
Please note that, although antivirus software like this is freely available, it should not give you a false sense of protection: making sure your web server or desktop is hardened with good procedures will most likely save you more than any software can. However, ClamAV is another tool in the arsenal to combat the ever-growing threat of ransomware, malware, and more, provided you put those procedures in place first.
For more information on using ClamAV, visit the official documentation.