How to Install ClamAV on Fedora Linux

ClamAV detects viruses, trojans, and malware on Fedora Linux systems through on-demand scanning and automated monitoring. Use it to scan email attachments before opening them, verify downloaded files from untrusted sources, or audit server directories for compromised scripts. By the end of this guide, you’ll have automated daily virus definition updates, scheduled system scans that quarantine infected files, and command-line tools to scan individual files or entire directory trees. The setup includes CPU throttling to prevent scan operations from overwhelming system resources and an optional graphical interface for users who prefer point-and-click operation over terminal commands.

Choose Your ClamAV Installation Method

ClamAV offers multiple installation approaches depending on your workflow. The base package provides command-line scanning with clamscan, while the clamd daemon enables faster multi-threaded scans through clamdscan. Additionally, desktop users who prefer graphical interfaces can install ClamTk for point-and-click operation. Most users should start with the base installation and add the daemon or GUI later if needed.

Method	Interface	Performance	Best For
Base Installation (clamscan)	Command-line	Single-threaded, reloads database each scan	Occasional scans, cron jobs, simple setups
clamd Daemon (clamdscan)	Command-line client	Multi-threaded, database kept in memory	Frequent scans, server environments, performance-critical workflows
ClamTk GUI	Graphical desktop app	Uses clamscan backend	Desktop users who prefer graphical tools over terminal commands

This guide covers the base installation first, then explains how to enable the clamd daemon for faster scanning and install the ClamTk GUI for desktop workflows. All three methods use the same virus definition database and scanning engine, differing only in interface and performance characteristics.

Update System Packages

Before installing ClamAV, run a quick update to ensure all packages are up-to-date to avoid conflicts during installation.

sudo dnf upgrade --refresh

Install ClamAV

ClamAV is available in Fedora’s default repositories, so you can install it directly with the following command:

sudo dnf install clamav clamd clamav-update

Expected output:

Last metadata expiration check: 0:01:23 ago on Thu 28 Nov 2024 10:45:12 AM EST.
Dependencies resolved.
================================================================================
 Package                   Arch      Version           Repository      Size
================================================================================
Installing:
 clamav                   x86_64    1.4.1-1.fc41      updates         520 k
 clamd                    x86_64    1.4.1-1.fc41      updates         125 k
 clamav-update            x86_64    1.4.1-1.fc41      updates          90 k

Transaction Summary
================================================================================
Install  3 Packages

Complete!

Once installation completes, verify the installation by checking the version:

clamscan --version

Expected output:

ClamAV 1.4.1/27450/Thu Nov 28 10:00:00 2024

With ClamAV installed and verified, you can now proceed to update the virus database.

Update the ClamAV Virus Database

Before beginning, ensure your system connects to the Internet to update the virus definitions. Then, stop the clamav-freshclam service:

sudo systemctl stop clamav-freshclam

After stopping the service, update your virus definition database by running the freshclam command:

sudo freshclam

Expected output:

ClamAV update process started at Thu Nov 28 10:50:15 2024
daily.cvd database is up-to-date (version: 27419, sigs: 2055771)
main.cvd database is up-to-date (version: 62, sigs: 6647427)
bytecode.cvd database is up-to-date (version: 334, sigs: 91)
Database updated and loaded.

Once the database is updated, start the clamav-freshclam service and enable it to run automatically on system boot:

sudo systemctl enable clamav-freshclam --now

Expected output:

Created symlink /etc/systemd/system/multi-user.target.wants/clamav-freshclam.service → /usr/lib/systemd/system/clamav-freshclam.service.

Next, verify the service is running correctly:

sudo systemctl status clamav-freshclam

Expected output:

● clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/usr/lib/systemd/system/clamav-freshclam.service; enabled; preset: disabled)
   Active: active (running) since Thu 2024-11-28 10:51:20 EST; 2min ago

Additionally, to view the ClamAV database directory and file timestamps:

ls -l /var/lib/clamav/

Expected output:

total 178M
-rw-r--r-- 1 clamupdate clamupdate  450K Nov 28 10:50 bytecode.cvd
-rw-r--r-- 1 clamupdate clamupdate   68M Nov 28 10:50 daily.cvd
-rw-r--r-- 1 clamupdate clamupdate  110M Nov 28 10:50 main.cvd

Scan Directories with ClamAV

Now that you’ve installed and updated ClamAV on your Fedora Linux system, you can run a scan to check for malware. The clamscan command handles all scanning operations.

Basic Clamscan Command Syntax

Generally, the basic syntax for the clamscan command is straightforward:

sudo clamscan [options] [file/directory/-]

clamscan vs clamdscan: Which to Use

ClamAV provides two scanning tools: clamscan for on-demand scanning and clamdscan for daemon-based scanning. Therefore, understanding the differences helps you choose the right tool for your workflow:

clamscan is the standalone scanner that:

• Runs with user permissions (can be elevated with sudo)
• Uses an unconfined SELinux context
• Loads the virus database each time it starts
• Performs single-threaded scanning

In contrast, clamdscan is a client that connects to the clamd daemon:

• Runs with service permissions (configurable)
• Uses a confined SELinux context
• Keeps the virus database in memory for faster scans
• Allows multi-threaded scanning

For quick, occasional scans, clamscan is simpler. However, for frequent scans or integration with other services, clamdscan offers better performance since it doesn’t reload the database each time.

Test ClamAV with EICAR Test File

Before scanning real files, you should first verify that ClamAV detects malware correctly using the standard EICAR test file. Notably, this harmless test signature is recognized by all antivirus software:

wget -P ~ https://secure.eicar.org/eicar.com
clamscan ~/eicar.com

Expected output:

/home/user/eicar.com: Eicar-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8702198
Engine version: 1.4.1
Scanned files: 1
Infected files: 1
Time: 0.015 sec (0 m 0 s)

Once testing is complete, remove the test file:

rm ~/eicar.com

Consequently, if ClamAV detects the EICAR signature, your installation is working correctly.

Common Clamscan Commands

Now that you’ve verified ClamAV works, here are the most common clamscan commands to get you started:

Print ClamAV Help

To view ClamAV’s help section, use:

sudo clamscan -h

Scan a file with ClamAV

Similarly, to scan a specific file, use:

sudo clamscan /home/script.sh

Scan a directory with ClamAV

Likewise, to scan a specific directory, use:

sudo clamscan /home/

Expected output:

/home/user/Documents/report.pdf: OK
/home/user/Downloads/archive.zip: OK
/home/user/Pictures/photo.jpg: OK

----------- SCAN SUMMARY -----------
Known viruses: 8702198
Engine version: 1.4.1
Scanned directories: 42
Scanned files: 156
Infected files: 0
Data scanned: 89.14 MB
Data read: 112.45 MB (ratio 0.79:1)
Time: 12.543 sec (0 m 12 s)
Start Date: 2024:11:28 11:05:22
End Date:   2024:11:28 11:05:35

Show infected files only

Alternatively, to display only infected files, use the -i flag:

sudo clamscan -i /home/

Hide OK files from output

Furthermore, exclude files marked ‘OK’ from the scan results by using:

sudo clamscan -o /home/

Suppress scan summary

Additionally, if you want to suppress the scan summary, use:

sudo clamscan --no-summary /home/

Enable bell notification on detection

Moreover, for an audible alert when malware is detected, use:

sudo clamscan --bell -i /home

Scan directories recursively

Subsequently, to scan directories recursively with subdirectories, use:

sudo clamscan --bell -i -r /home

Save scan report to file

In addition, to save the scan report to a specific file, run:

sudo clamscan --bell -i -r /home -l output.txt

Scan files from list

Correspondingly, scan files listed line-by-line in a specified file with:

sudo clamscan -i -f /tmp/scan

In this case, the /tmp/scan file should contain one file path per line, such as /home/user/file1.pdf on the first line and /home/user/file2.zip on the second.

Automatically remove infected files

Finally, to automatically delete infected files during scanning, use:

sudo clamscan -r --remove /home/USER

However, this permanently deletes the file from your system. As a result, if it’s a false positive, you won’t be able to retrieve the file.

Move infected files to quarantine

Instead of deleting, you can move all files requiring quarantine into a specified location:

sudo clamscan -r -i --move=/home/USER/infected /home/

Remember to replace USER with your actual username. Additionally, before running the scan, create the quarantine directory first with mkdir -p /home/USER/infected.

Limit ClamAV CPU Usage

ClamAV can be CPU-intensive during scanning, which may be problematic for systems with limited or older hardware. Consequently, to limit CPU usage during the scan, use the nice command before each ClamAV command.

For instance, to reduce ClamAV CPU usage, run:

sudo nice -n 15 clamscan --bell -i -r /home

With this setting, ClamAV will maximize CPU usage when nothing else is using the CPU. However, if another process with a higher priority requires CPU, then clamscan will scale down effectively to allow the other process to take priority.

Keep in mind that ClamAV focuses on file-based malware detection. For comprehensive protection, complement it with chkrootkit to detect rootkit modifications and intrusion prevention tools like Fail2ban for comprehensive system security.

Schedule Automatic Scans with Cron

To set up automatic scheduled scans on Fedora Linux, use a task scheduler such as GNOME Schedule or Cron. Essentially, these tools regularly scan your system for malware, eliminating the need for manual scans. To begin, set up scheduled scans with Cron as follows:

First, open the terminal and run the command below to access the crontab configuration file for the current user:

crontab -e

If the command above does not work, install the cronie package first:

sudo dnf install cronie

Next, add a new line with the following format to schedule a daily scan:

0 1 * * * /usr/bin/clamscan -r --quiet --move=/home/USER/infected /home/

This line schedules a daily scan at 1 AM, scanning the /home/ directory recursively and moving infected files to the /home/USER/infected directory. As before, remember to replace USER with your actual username.

Save the file and exit the editor. Immediately, the new scheduled task will take effect. Subsequently, to verify the cron job was added correctly:

crontab -l

Expected output:

0 1 * * * /usr/bin/clamscan -r --quiet --move=/home/USER/infected /home/

Enable On-Access Scanning (Optional)

For more proactive protection, ClamAV supports on-access scanning through the clamonacc service, which monitors file operations in real-time and scans files as they’re accessed. Although this provides more proactive protection, it requires additional configuration and system resources.

On-access scanning can impact system performance, particularly on systems with heavy disk I/O or when building software projects. Test thoroughly before enabling in production environments.

First, ensure the clamd@scan service is running (see the “Configure clamd Daemon for clamdscan” section below). Once confirmed, enable the on-access scanning service:

sudo systemctl enable clamav-clamonacc --now

Then, verify the service is running:

sudo systemctl status clamav-clamonacc

By default, the on-access scanner monitors directories specified by OnAccessIncludePath in /etc/clamd.d/scan.conf, which may include /home. However, if you experience system freezes during software builds or heavy disk operations, you may need to disable on-access scanning or exclude specific directories:

sudo nano /etc/clamd.d/scan.conf

Subsequently, add exclusions for development directories or other high-activity paths:

# Exclude build directories from on-access scanning
OnAccessExcludePath /home/user/projects
OnAccessExcludePath /tmp

After modifying the configuration, restart both services:

sudo systemctl restart clamd@scan clamav-clamonacc

Customizing ClamAV Settings

To customize ClamAV settings, such as adjusting scanner sensitivity or specifying file type filters, edit the configuration file. Specifically, on Fedora, the clamd configuration is located at /etc/clamd.d/scan.conf. Open it with your preferred editor:

sudo nano /etc/clamd.d/scan.conf

Once opened, here are some common settings to customize:

• MaxFileSize: Maximum file size ClamAV will scan (default: 25M)
• MaxScanSize: Maximum data size scanned within archives (default: 100M)
• HeuristicScanPrecedence: Enable heuristic scanning to detect unknown malware (yes/no)

After making changes, be sure to restart the clamd service if you’re using the daemon mode:

sudo systemctl restart clamd@scan

For a complete list of configuration options, consult the official ClamAV documentation or review the comments within the configuration file itself.

Troubleshoot Common ClamAV Issues

These troubleshooting steps were verified on Fedora 40 and 41 with ClamAV 1.4.1. Generally, most solutions apply to all Fedora versions with SELinux enabled and systemd-managed services.

If you encounter issues during installation or while using ClamAV, refer to the following troubleshooting steps that address common error messages with diagnostic commands and verified fixes.

freshclam Fails with Connection Error

If freshclam reports connection failures, the clamav-freshclam service may be holding a lock on the database:

ERROR: Connection with database.clamav.net failed.
Can't connect to database server
ERROR: Update failed.

To resolve this, stop the service before running manual updates:

sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam

Afterward, verify the service is running correctly:

sudo systemctl status clamav-freshclam

Permission Denied When Scanning System Directories

Scanning directories like /root or /var requires root privileges. As a result, without sudo, clamscan skips restricted paths:

/var/log/journal: Permission denied. ERROR
/root/.cache: Permission denied. ERROR

To resolve this issue, simply run scans with sudo to access system directories:

sudo clamscan -r /var

Database Version Mismatch Warnings

If you see warnings about database versions, you need to update both the ClamAV package and virus definitions:

WARNING: Current functionality level = 1, required = 2
WARNING: Some databases require updated version.

In this case, update ClamAV and refresh the database:

sudo dnf upgrade --refresh clamav clamd clamav-update
sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam

SELinux Blocking ClamAV Operations

Fedora enables SELinux by default, which may prevent ClamAV from scanning certain directories. If scans fail with access denied errors despite using sudo, check the SELinux audit log:

sudo ausearch -m avc -ts recent | grep clam

Accordingly, if SELinux is blocking access, you can temporarily set it to permissive mode for testing:

sudo setenforce 0

For a permanent solution, create a custom SELinux policy module or adjust file contexts for the directories you need to scan. Learn more about managing SELinux on Fedora if you encounter persistent access issues.

clamd@scan Service Fails to Start

If the clamd@scan service fails with permission errors, first check the journal for specific messages:

journalctl --no-pager -u clamd@scan.service -S -5m

Typically, common causes include a stale log file with incorrect ownership. To fix this:

sudo mv /var/log/clamd.scan /var/log/clamd.scan.bak
sudo systemctl restart clamd@scan

Never start clamd manually with sudo clamd while the systemd service is running—this creates conflicts and permission issues. Always use systemctl to manage the daemon.

Maintain ClamAV Installation

Regular maintenance keeps ClamAV effective in protecting your system. Periodically, update the ClamAV binary using:

sudo dnf upgrade --refresh

Furthermore, you can optimize DNF performance and reduce update times by configuring parallel downloads and faster mirrors in your DNF settings.

Beyond updates, maintain ClamAV effectiveness by:

• Regularly monitor ClamAV log files located in /var/log/clamav for any issues or potential threats.
• Check the ClamAV mailing lists and forums for updates, news, or known issues.
• Periodically review and update your ClamAV settings to match your system’s needs and requirements.
• Configure automatic updates with dnf-automatic to keep ClamAV and all system packages current without manual intervention.

For comprehensive protection, combine scheduled ClamAV scans with proper firewall configuration and regular system updates to establish layered security for your Fedora Linux system.

Install ClamTk GUI (ClamAV GUI)

For users who prefer graphical tools, ClamTk is a popular graphical user interface for ClamAV, providing an alternative for those who prefer a GUI over the command line. Therefore, to install ClamTk, run the following command:

sudo dnf install clamtk

After installation, you can launch ClamTk from your application menu or directly from the terminal:

clamtk

From there, the ClamTk interface allows you to scan files and folders, update the virus database, and view scan history through a graphical point-and-click interface. Specifically, look for the main window with tabs for Scanning, Settings, and History.

Configure clamd Daemon for clamdscan

For faster, multi-threaded scanning, you can enable the clamd daemon service to use clamdscan. Initially, add your user to the virusgroup to allow socket access:

sudo gpasswd -a ${USER} virusgroup

Expected output:

Adding user username to group virusgroup

Next, set the appropriate file permissions for directories you want to scan:

sudo setfacl -R -m u:clamscan:r-X,d:u:clamscan:r-X /home

Afterward, enable and start the clamd@scan service:

sudo systemctl enable clamd@scan --now

Then, verify the service is running:

sudo systemctl status clamd@scan

Expected output:

● clamd@scan.service - clamd scanner (scan) daemon
     Loaded: loaded (/usr/lib/systemd/system/clamd@.service; enabled; preset: disabled)
     Active: active (running) since Thu 2024-11-28 11:30:00 EST; 5s ago

Once the daemon starts, you can use clamdscan instead of clamscan:

clamdscan /home/

Log out and log back in after adding yourself to virusgroup for the group membership to take effect. Alternatively, reboot your system to ensure all changes are properly applied.

Remove ClamAV

If you no longer need ClamAV, first disable the service before removing the packages:

sudo systemctl disable clamav-freshclam --now

Subsequently, remove the ClamAV packages:

sudo dnf remove clamav clamd clamav-update

Additionally, for ClamTk GUI users:

sudo dnf remove clamtk

The commands above remove the software but preserve virus databases and configuration files. To completely remove all ClamAV data including virus definitions and logs, delete the following directories. This action is permanent and cannot be undone.

sudo rm -rf /var/lib/clamav
sudo rm -rf /var/log/clamav
sudo rm -rf /etc/clamd.d

Finally, for ClamTk users, also remove the user configuration:

rm -rf ~/.clamtk

Conclusion

ClamAV now scans your Fedora system automatically with daily virus definition updates and scheduled malware checks. Specifically, the clamscan -r -i command recursively scans directories and reports infected files, while the nice command prevents scans from overwhelming CPU resources. For layered security, combine ClamAV with firewall rules, SSH hardening, and automatic system updates. Additionally, desktop users can install the ClamTk GUI for point-and-click scanning without terminal commands.