ClamAV is an open-source and free antivirus software toolkit able to detect many types of malicious software, including viruses, trojans, malware, adware, rootkits, and other malicious threats. One of its main uses of ClamAV is on mail servers as a server-side email virus scanner or used on file hosting servers to periodically scan to make sure files are clean, especially if the public can upload to the server.
ClamAV supports multiple file formats (documents, executables, or archives), utilizes multi-thread scanner features, and receives updates for its signature database daily to sometimes multiple times per day for the latest protection.
In the following tutorial, you will learn how to install and use ClamAV on AlmaLinux 8.
- Recommended OS: AlmaLinux 8.
- User account: A user account with sudo privilages or root access (su command).
Updating Operating System
Update your AlmaLinux operating system to make sure all existing packages are up to date:
sudo dnf update && sudo dnf upgrade -y
The following installation is designed for the default AlmaLinux kernel; any modified Linux Kernel installations may not work.
The first step is to import the repository from EPEL (Extra Packages for Enterprise Linux) as follows:
sudo dnf install epel-release
Type Y, then press the enter key to proceed.
Verify if the repository was added successfully; this can be done with the dnf repolist command as below:
sudo dnf repolist
The EPEL repository has been added correctly.
Handy hint, you can reuse this command to see any future repository imports.
With the repository added to get the latest release of ClamAV, you can now install the actual software, including the clamd package that will run the update schedule and antivirus software in the background.
To install ClamAV from the EPEL Repository, execute the following command:
sudo dnf install clamav clamd clamav-update
Type Y, then press enter key to proceed with the installation.
The installation that you just installed on your system includes:
- clamd – Clam Antivirus Daemon.
- clamav – Clam user tools for using the Clam Antivirus.
- clamavupdate – Clam Antivirus auto-updater for data-files.
To verify if the installation was successful and to confirm the version and build number use the following:
Like all RHEL distribution families, AlmaLinux utilizes SELinux; given how ClamAV works, you will need to configure it, so there is no interference. To do this, run the following command:
sudo setsebool -P antivirus_can_scan_system 1
Now that you have installed ClamAV, you can proceed to update the virus database.
Update the ClamAV Virus Database
You will now need to update your ClamAV database before beginning using the virus scanner (clamscan). To update the definitions, you will need your system to be connected to the Internet using the (freshclam) terminal command.
Firstly, it is recommended to stop the (clamav-freshclam) service before you can update. To do this, type in the following command:
sudo systemctl stop clamav-freshclam
Now you can proceed to update your virus definition database by the following terminal command:
In the output, you should get the following as an example:
ClamAV update process started at Thur Sep 9 01:22:19 2021
daily.cld database is up-to-date (version: 26276, sigs: 1968691, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 61, sigs: 6607162, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Once the database is updated, you can start the (clamav-freshclam) service, so it keeps updating the signature database in the background with the following command:
sudo systemctl start clamav-freshclam
After you have started freshclam after the update, verify it is on as follows:
sudo systemctl status clamav-freshclam
Note, make sure you have enabled or disabled ClamAV on boot. You would mostly want this enabled; however, you can have this automatically disabled for limited resources systems and or need to be manually used on the odd occasion when you need to perform manual scans.
Enable ClamAV on startup:
sudo systemctl enable clamav-freshclam
Created symlink /etc/systemd/system/multi-user.target.wants/clamav-freshclam.service → /usr/lib/systemd/system/clamav-freshclam.service.
Disable ClamAV on startup:
sudo systemctl disable clamav-freshclam
Note, (freshclam) downloads the ClamAV CVDS and databases in the directory location (/var/lib/clamav).
To view the directory, use the (ls) command:
bytecode.cvd daily.cld freshclam.dat main.cvd
How to use Clamscan with Examples
Now that you have installed and updated ClamAV, it is time to scan your system to make sure it is clean. This is done with the (clamscan) command. An example of the syntax:
sudo clamscan [options] [file/directory/-]
The following is a list of examples:
Print ClamAV help:
sudo clamscan -h
Scan a file:
sudo clamscan /home/script.sh
Scan a directory:
sudo clamscan /home/
Print infected files only:
sudo clamscan -i /home/
Skip printing OK files:
sudo clamscan -o /home/
Do not print summary at the end of scan:
sudo clamscan --no-summary /home/
Bell notification on virus detection:
sudo clamscan --bell -i /home
Scan directories recursively:
sudo clamscan --bell -i -r /home
Save scan report to file:
sudo clamscan --bell -i -r /home -l output.txt
Scan files listed line by line in file:
sudo clamscan -i -f /tmp/scan
Remove infected files:
sudo clamscan -r --remove /home/USER
Note, this deletes the file from your system. If it’s a false positive, you won’t be able to retrieve the file.
Move infected files into quarantine directory:
sudo clamscan -r -i --move=/home/USER/infected /home/
Limit ClamAV CPU Usage
ClamAV during scanning can be quite CPU intensive, and systems that operate on limited or older hardware may find the process to taxing on their systems. A simple way is to limit the (CPU) during the scan is to use the (nice) command before each ClamAV command.
Example of a (nice) command to reduce ClamAV CPU:
sudo nice -n 15 clamscan && sudo clamscan --bell -i -r /home
The great benefit of using this method is that if nothing else is using the CPU, ClamAV using (clamscan) will maximize CPU usage. However, if another process with a higher priority requires CPU, then clamscan will scale down effectively to allow the other process to take priority.
There are a few other options; however, the (nice) command is the best solution. It will maximize CPU if free and scale down when other processors need it, effectively giving you the best combination of performance and safety.
How to Uninstall ClamAV
To remove ClamAV from your operating system is a quick process. Execute the following terminal command to remove:
sudo dnf autoremove clamav clamd clamav-update -y
Note, this will remove all unused dependencies that were installed with ClamAV for a full uninstallation.
Comments and Conclusion
In the following tutorial, you have learned how to install, update, and use ClamAV examples on your AlmaLinux 8 distribution. Overall, ClamAV is a great virus scanner. Is it the best? Well, that is up to a constant debate with other products rising and falling; however, ClamAV is always in the top 1 to 3 in most people’s books and is a solid effort to help protect your operating system and email and or web servers from viruses, malware, and other threats.
Please note, as much as these types of antivirus software are available to use freely on your system, it should not give you the sense of protection as much as making sure your webserver or desktop is hardened with good procedures will most likely save you more than any software can. However, ClamAV is another tool in the arsenal to combat the ever-growing threat of cyber ransomware, malware, and more if you do the procedures first.
For more information on using ClamAV, visiting the official documentation.