You want to protect your computer from viruses. You’ve heard about ClamAV, but you’re unsure how to install and use it on Ubuntu. This tutorial will show you the ropes.
ClamAV is a free and open-source antivirus solution that several high-profile organizations use, including Cisco, Google, IBM, McAfee, Microsoft, Sophos & Symantec.
In this tutorial, you will learn how to install ClamAV on Ubuntu and how to use it to scan your system for viruses. You will also learn how to update the database and install the GUI to make scanning easier.
This tutorial will be a hands-on demonstration. If you’d like to follow along, be sure you have an Ubuntu system ready to go. This tutorial uses Ubuntu 20.04, but any recent version should work fine.
Learning How to Install ClamAV on Ubuntu
The apt package manager is the most convenient way to install ClamAV on Ubuntu. Follow these instructions below.
1. Open a terminal and run the following command to update the package repository index before you install ClamAV on Ubuntu.
2. Run the below command to install ClamAV on Ubuntu. This command installs two packages: clamav and clamav-daemon. The former is the ClamAV scanner, while the latter is a background service that enables on-access scanning.
3. After the installation, confirm the ClamAV version by running the below command.
You will see an output similar to the one below. As of this writing, the current LTS version of ClamAV in the APT repository is 0.103.6.
Updating Virus Definitions/Databases
ClamAV uses virus signature databases to identify malware. These databases receive regular updates with the latest signatures. To stay protected, you must also download these updates and apply them to your ClamAV installation.
By default, the freshclam service will automatically download the database updates once a day when you install ClamAV on Ubuntu. But, you can also manually update the databases. Why update manually? There are two main reasons:
- You want to scan for viruses immediately and don’t want to wait for the automatic update.
- The automatic updater is not working correctly.
Updating the virus definitions is not complicated at all. A built-in command called freshclam, which is included when you install ClamAV on Ubuntu, can do all the work for you, including downloading the databases and reloading ClamAV.
Below are the steps to update the virus definitions.
1. To update the databases manually, stop the clamav-freshclam service first. This service is responsible for automatic updates. Run the below systemctl command to stop the clamav-freshclam service.
2. Next, run freshclam to download the updates.
3. After the updates, start the clamav-freshclam service so that it will automatically update the databases in the future.
Scanning for Viruses Using the CLI
Now that ClamAV is installed and the databases updated, it’s time to scan your system for viruses. There are two ways to do this: the command line or the graphical user interface.
You can skip to the next section if you want to learn about using the GUI. This section will focus on using the CLI.
The clamscan command is the command-line tool for running the virus scan. You can list the options available with the clamscan command like so.
Running a Directory Scan
While there are many clamscan options, the ones you’ll use in this section are:
- -i, --infected – Displays only the infected files on the screen and does not show clean files. Use this option to suppress
- -r, --recursive – Performs a recursive scan of the folder and subfolders. Omit this option to limit the scan to the top folder.
- --remove – Automatically removes infected files. Be careful when using this option because ClamAV will also remove those files if a false-positive detection happens.
The scan could run from several minutes to hours, depending on how many files you have on your system. You may want to consider running it overnight or while you’re away from the computer.
For example, run the command below to scan your Downloads folder recursively.
After the scan, you’ll get a summary result. As you can see below, the scan found one infected file. And because the --remove option is present, clamscan automatically deleted the file.
Running a File Scan
When you receive or download a file, you can run an on-demand scan to determine if the file is safe. The command is still clamscan, followed by the file path you want to scan. The --remove option automatically removes the file if infected.
Scanning for Viruses Using GUI
If you prefer a graphical user interface, you can install the ClamTk application, a lightweight front-end GUI for ClamAV.
Install ClamTk by running the below command.
After the installation, launch the ClamTk application.
The Virus Scanner window opens, showing you the main interface.
Updating Virus Database
1. To update the databases, click on the Update icon.
2. Click Yes to confirm that you want to check and update the databases.
3. When the process is complete, you will see a window similar to the one below. Click Back to return to the main window.
Running a Virus Scan
1. To scan your system for viruses, click on the Scan a file button to scan a specific file. Click on Scan a directory to scan an entire directory. In this example, click Scan a file.
2. Locate the file to scan, select it, and click OK.
3. ClamTk will scan the file and display the results. If the scan finds the file is infected, you can either quarantine or delete the file. In this example, click Quarantine to quarantine the file.
4. The Action Taken changes to Quarantined. Click Close to exit the results.
5. Click Close again to return to the main window.
Scheduling Regular Scans with ClamTk
Setting up a scheduled scan is ideal to ensure a clean system. With ClamTk, scheduling a regular scan is only a few clicks away.
1. Click on Schedule from the main window.
2. A new Scheduler window will open where you can configure the daily update and scan schedule. The time is in a 24-hour format.
Enter the time you want the update to run in the Antivirus signature field. In this example, the update will run at 22:00 every day.
3. Enter the time you want the scan to run in the Scan field. In this example, the scan will run at 23:00 every day.
4. In the Status field, you will see that the daily scan and definition update show as scheduled. Click the Close button to exit the scheduler.
In this tutorial, you’ve learned how to install ClamAV on Ubuntu. You ran the clamscan command to scan your files and folders for infection. You’ve also learned how to install and use the ClamTk graphical user interface.
Scanning your computer for viruses is an essential maintenance task to keep your system safe from malware. ClamAV is a powerful tool that can help with ensuring a virus-free computer. Best of all, ClamAV is free! Don’t waste time and install ClamAV on Ubuntu now.
— Update: 19-03-2023 — us.suanoncolosence.com found an additional article How to Install and Use ClamAV Antivirus on CentOS/RHEL? from the website woshub.com for the keyword how to install clamav on linux.
ClamAV is an open-source antivirus. It is used to detect viruses, trojans, and malware. It is mostly used on Linux platforms to scan user directories accessible over FTP or Samba, website directories, or emails on mail servers (as an MTA agent).
In this article, we will show how to install, configure, and use ClamAV on a host running CentOS or RHEL.
Installing ClamAV on CentOS/RHEL
ClamAV is not available in basic Linux repos, so you need to use the EPEL repository to install it on your host:
# yum install epel-release -y
After you have installed the repository, you can proceed with the installation of ClamAV packages. To install it, the yum package manager is used (or dnf in CentOS 8):
# yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
Basic Configuration of ClamAV in Linux
To set up your own ClamAV configuration, first comment out the Example line in the default configuration file /etc/clamd.d/scan.conf:
# sed -i -e "s/^Example/#Example/" /etc/clamd.d/scan.conf
Then open the configuration file:
# nano /etc/clamd.d/scan.conf
And uncomment the following line:
You can also uncomment the lines with the settings you need. For example, you can enable logging or configure the maximum number of connections.
The /etc/clamd.d/scan.conf file contains quite a detailed description of all settings.
To update the antivirus signature databases for ClamAV, use freshclam. First back up its current configuration file:
# cp /etc/freshclam.conf /etc/freshclam.conf.bak
Then run this command:
# sed -i -e "s/^Example/#Example/" /etc/freshclam.conf
And update your antivirus definitions:
During the update, you may see some errors if you cannot download any updates. Freshclam will automatically find a mirror to download the updates successfully.
To make freshclam check for updates automatically, you can run it with the -d parameter:
# freshclam -d
It will then check for updates every 2 hours.
To make it easier to run, create a service file for freshclam:
# nano /usr/lib/systemd/system/freshclam.service
And add the following contents to it:
[Unit]
Description = freshclam
After = network.target

[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 4
Restart = on-failure
PrivateTmp = true
RestartSec = 10sec

[Install]
WantedBy=multi-user.target
Reload the systemd daemon:
# systemctl daemon-reload
Then you can start your service and add it to startup:
Like you did for freshclam, create a service for ClamAV. The configuration file already exists, but you will have to change its name:
# mv /usr/lib/systemd/system/[email protected] /usr/lib/systemd/system/clamd.service
To make it more convenient, we have deleted
Also, change the configuration in the file:
[Unit]
Description = clamd scanner daemon
After = syslog.target nss-lookup.target network.target

[Service]
Type = forking
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/scan.conf
# Reload the database
ExecReload=/bin/kill -USR2 $MAINPID
Restart = on-failure
TimeoutStartSec=420

[Install]
WantedBy = multi-user.target
Then you can run the antivirus service or enable it:
How to Scan for Viruses with ClamAV?
After you have configured the ClamAV antivirus service, you can scan any server directory for viruses (scanner mode). To scan the specified directory for viruses, use the following command:
# clamscan --infected --remove --recursive /var/www/
With these parameters, the antivirus will immediately delete the infected files. If you want to move suspicious files to a separate directory, run the scan using the --move parameter:
# clamscan --infected --recursive --move=/tmp/clamscan /var/www
This command will scan all contents of the specified directory and move suspicious files to /tmp/clamscan.
As we can see, the infected file has been moved to the specified directory:
You can also add the --log=/var/log/clamscan.log parameter to write all information about the scanning process in the log file you have specified:
If you want to exclude some of the directories from scanning, use the --exclude-dir parameter:
# clamscan -i --recursive --move=/tmp/clamscan --log=/var/log/clamscan.log --exclude-dir="/var/www/administrator" /var/www
To scan for viruses regularly, you can configure a cron job with the settings you want.
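A cron job like the one mentioned above has to tell a clean run from a detection and from a scan that failed. The wrapper below is an added example, not part of the original article: it relies on clamscan's exit statuses (0 no virus found, 1 virus found, 2 error), and the script path, the --scan switch and the quarantine directory /var/lib/clamav-quarantine (used instead of /tmp/clamscan so that only root can reach the moved files) are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): wrapper for a scheduled clamscan run.
# Hypothetical cron entry, assuming the script is saved as
# /usr/local/sbin/clamscan-cron.sh:
#   0 23 * * * /usr/local/sbin/clamscan-cron.sh --scan

SCAN_DIR="${SCAN_DIR:-/var/www}"                        # directory from the article
LOG="${LOG:-/var/log/clamscan.log}"                     # log path from the article
QUARANTINE="${QUARANTINE:-/var/lib/clamav-quarantine}"  # assumed path, root-only

# Read clamscan output on stdin and print the path of every file reported as
# "<path>: <signature> FOUND". Paths may contain spaces; signatures do not.
infected_paths() {
    sed -n 's/^\(.*\): [^ ][^ ]* FOUND$/\1/p'
}

# Translate clamscan's exit status: 0 = no virus found, 1 = virus(es) found,
# anything else = the scan itself hit an error.
scan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Run the scan. Prints nothing when the tree is clean, so cron sends mail
# only for detections and for failed scans. Returns clamscan's exit status.
run_scan() {
    mkdir -p "$QUARANTINE" || return 2
    chmod 700 "$QUARANTINE" || return 2
    scan_out=$(clamscan --infected --recursive --move="$QUARANTINE" \
        --log="$LOG" "$SCAN_DIR" 2>&1) && scan_rc=0 || scan_rc=$?
    case "$(scan_status "$scan_rc")" in
        clean) ;;
        infected)
            echo "clamscan: infected files under $SCAN_DIR moved to $QUARANTINE:"
            printf '%s\n' "$scan_out" | infected_paths
            ;;
        error)
            # A scan that did not run is reported as loudly as a detection.
            echo "clamscan: scan of $SCAN_DIR failed (exit status $scan_rc)"
            printf '%s\n' "$scan_out" | tail -n 20
            ;;
    esac
    return "$scan_rc"
}

# Only scan when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--scan" ]; then
    run_scan
    exit $?
fi
```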
There is a graphical frontend for the ClamAV antivirus called ClamTk.
— Update: 19-03-2023 — us.suanoncolosence.com found an additional article Install, Configure, and Scan for Viruses on Linux with ClamAV from the website www.putorius.net for the keyword how to install clamav on linux.
Many believe you do not need an antivirus if you use Linux. I am not going to start that debate here. However, in my opinion it is always better to have one and not need it, than to need one and not have it. In this tutorial we are going to show you how to install, configure, and scan for viruses on Linux with ClamAV. ClamAV is a fully open source antimalware toolkit. It is available for almost any operating system, including Windows (ClamWin).
Installing ClamAV on Linux
Let’s start by installing ClamAV and its GUI interface ClamTK. This is easily accomplished through your package manager.
Installing ClamAV on rpm Based Systems (Fedora, Red Hat, etc..)
To install ClamAV and its GUI interface on rpm based systems like Fedora, simply use dnf and specify the following packages.
$ sudo dnf install clamav clamtk
Installing ClamAV on apt/deb Based Systems (Ubuntu, Debian, Mint, Kali, etc..)
Installing on Debian based systems is just as easy. Just use apt like so:
$ sudo apt install clamav clamtk
Installing ClamAV Using the Gnome Software GUI
If you prefer to install applications from the GUI you can use the Gnome Software Center. Simply open the Software Center by hitting the Super key and search for software. Select the Software icon to open the application.
Now that software center is open, hit the search feature on the top left and enter ClamTK.
Simply click the ClamTk icon to install it. ClamAV and all other dependencies will be automatically installed.
Updating the ClamAV Virus Definition Database
It is very important to update the virus definition database once the packages are installed. Freshclam is a tool specifically designed for this task. Simply calling it on the command line will update the database.
$ sudo freshclam
You can also update the virus database using the ClamTK GUI. Go into your applications and launch ClamTK. Once it’s open, simply click the “Update” button.
Configuring ClamAV Automatic Signature Database Updates
The ClamAV team says they update the virus signature database approximately twice daily. If you do not update the signatures often, you may be using an old database. The easiest way to keep the signatures updated is to use the clamav-freshclam service. Let’s start the service and enable it at boot.
Start the clamav-freshclam service:
$ sudo systemctl start clamav-freshclam
Set the clamav-freshclam service to start on boot:
$ sudo systemctl enable clamav-freshclam
Alternatively, you can set freshclam to run whenever you like as a cron job.
How to Scan Files and Directories with ClamAV
Now that we have a basic install of ClamAV, ClamTk, and the virus definition signatures it’s time to run our first scan. You can run a scan from either the command line, or the GUI. I much prefer running the scan from the command line. It seems like you get much more feedback and for some reason it seems to run more efficiently. However, keep reading to learn how to scan for viruses using the command line and GUI.
Virus Scanning Files from the Linux Command Line
ClamAV comes with a command line scanning tool called clamscan. If you want to scan a single file, simply pass it as an argument to the clamscan utility.
$ clamscan bumper1.jpg
/home/savona/Desktop/TEMP/bumper1.jpg: OK

----------- SCAN SUMMARY -----------
Known viruses: 8611304
Engine version: 0.103.5
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 2.91 MB
Data read: 2.73 MB (ratio 1.06:1)
Time: 17.543 sec (0 m 17 s)
Start Date: 2022:04:17 08:13:54
End Date: 2022:04:17 08:14:11
Once the scan completes, you will be presented with a scan summary that provides important information. In this case the file was clean.
Let’s download a “test virus” from eicar.org and run a scan against it. This will help familiarize ourselves with what to expect if there is a virus detected. Once the file is downloaded, we simply pass the name as an argument to clamscan and see what happens.
$ clamscan eicar_com.zip
/home/savona/eicar_com.zip: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8611304
Engine version: 0.103.5
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 17.499 sec (0 m 17 s)
Start Date: 2022:04:17 08:17:27
End Date: 2022:04:17 08:17:44
As you can see, clamscan now shows a FOUND message instead of the OK message. It also says there is one infected file in the scan summary.
NOTE: In the next section we will discuss how to take action on the infected file.
Scanning Directories (and sub-directories) From the Command Line
Scanning directories with clamscan is very intuitive. Simply pass the directory as an argument just like you did with the file. Here is an example of scanning the Pictures directory.
$ clamscan /home/savona/Pictures
/home/savona/Pictures/D3E36D4B_source.jpg: OK
...OUTPUT TRUNCATED...
/home/savona/Pictures/08-24-50.png: OK

----------- SCAN SUMMARY -----------
Known viruses: 8611304
Engine version: 0.103.5
Scanned directories: 1
Scanned files: 25
Infected files: 0
Data scanned: 7.99 MB
Data read: 7.57 MB (ratio 1.06:1)
Time: 18.023 sec (0 m 18 s)
Start Date: 2022:04:17 08:29:17
End Date: 2022:04:17 08:29:35
As you can see in the summary we now scanned 1 directory which contained 25 files. However, I have a folder containing some vacation pictures inside the Pictures directory. In order to scan a directory and all of its sub-directories we need to pass the recursive flag. Let’s try the same command but this time pass the -r option to clamscan telling it to scan into all directories.
$ clamscan -r /home/savona/Pictures
/home/savona/Pictures/D3E36D4B_source.jpg: OK
...OUTPUT TRUNCATED...
/home/savona/Pictures/Vacation 2021/741344.jpg: OK

----------- SCAN SUMMARY -----------
Known viruses: 8611304
Engine version: 0.103.5
Scanned directories: 2
Scanned files: 36
Infected files: 0
Data scanned: 23.82 MB
Data read: 22.48 MB (ratio 1.06:1)
Time: 21.841 sec (0 m 21 s)
Start Date: 2022:04:17 08:34:02
End Date: 2022:04:17 08:34:23
Now it shows that we scanned 2 directories and 36 files.
NOTE: You can also use the -i option to show only infected files and limit the output.
With this basic knowledge we can run a simple scan on our home directory like so:
$ clamscan -r /home/savona/
Here is the summary output of the first scan on my home directory.
----------- SCAN SUMMARY -----------
Known viruses: 8611304
Engine version: 0.103.5
Scanned directories: 3155
Scanned files: 55746
Infected files: 1
Total errors: 2
Data scanned: 3055.88 MB
Data read: 20110.14 MB (ratio 0.15:1)
Time: 602.626 sec (10 m 2 s)
Start Date: 2022:04:17 08:36:50
End Date: 2022:04:17 08:46:53
As you can see we scanned 3155 directories and 55746 files. Of course it found 1 infected file because we downloaded the test virus in an earlier example.
Likewise, we can scan the whole system by simply passing the root directory as an argument.
$ clamscan -r /
NOTE: Scanning large directories or even whole systems can take quite some time.
There are a lot of options we can use to customize our scans. Nevertheless, we couldn’t possibly cover them all here. In the next section we will cover taking action (move/copy/remove) on infected files.
Virus Scanning Files and Folders from the ClamTK GUI
Scanning a file using ClamTk is a very familiar experience. Simply open the GUI and click the “Scan a File” option. Once the dialog box opens navigate to the file, select it, and click OK.
Once the scan completes you will be shown a similar summary page.
To scan a directory, select the “Scan a directory” option. By default this option will scan recursively. Meaning it will scan the directory and all the sub-directories. This is the opposite behavior of the command line utility.
Remove, Move, or Copy Infected Files
Now we should be fairly comfortable with kicking off a virus scan. But, what do we do if we find an infected file? We basically have three options. You can move the file into a directory of your choice, copy the file somewhere for further analysis, or remove the file.
WARNING: Removing (even moving) files is risky and sometimes causes major issues. You should ALWAYS be sure you know what you are removing.
Before proceeding, I feel it necessary to explain that it is very important to understand the risks involved with working with infected files. We cannot go into great detail here because that alone is a major subject. ANY action taken can have adverse effects. In our opinion, moving a file into a quarantine directory, renaming it, and ensuring it does not have execute permissions is safest for inexperienced users. If you do not feel comfortable making these decisions ask someone for help.
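The quarantine steps recommended above (move, rename, drop execute permission) can be done by hand for a single file that a scan has flagged. The function below is an added example, not from the original article; the default directory, the .quarantined suffix and the index.tsv record of hash and original location are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): quarantine one flagged file by hand.
# QUARANTINE_DIR, the ".quarantined" suffix and index.tsv are assumptions.

QUARANTINE_DIR="${QUARANTINE_DIR:-$HOME/quarantine}"

# quarantine_file FILE
# Moves FILE into QUARANTINE_DIR, renames it so it no longer opens or runs by
# accident, strips write and execute permissions, and records where it came
# from. Prints the new path on success.
quarantine_file() {
    q_src=$1
    # Only regular files; refuse symlinks so the link target is never touched.
    if [ -L "$q_src" ] || [ ! -f "$q_src" ]; then
        echo "quarantine_file: not a regular file: $q_src" >&2
        return 1
    fi
    mkdir -p "$QUARANTINE_DIR" || return 1
    chmod 700 "$QUARANTINE_DIR" || return 1      # owner-only directory

    q_base=$(basename -- "$q_src")
    q_dir=$(cd -- "$(dirname -- "$q_src")" && pwd -P) || return 1
    # Hash before moving so the file can be looked up later without opening it.
    if command -v sha256sum >/dev/null 2>&1; then
        q_hash=$(sha256sum -- "$q_src" | cut -d' ' -f1)
    else
        q_hash=-
    fi

    # Pick a name that does not overwrite an earlier quarantined copy.
    q_dst="$QUARANTINE_DIR/$q_base.quarantined"
    q_n=0
    while [ -e "$q_dst" ]; do
        q_n=$((q_n + 1))
        q_dst="$QUARANTINE_DIR/$q_base.quarantined.$q_n"
    done

    mv -- "$q_src" "$q_dst" || return 1
    chmod 400 "$q_dst" || return 1               # read-only, no execute bit
    # One line per file: hash, quarantined path, original path.
    printf '%s\t%s\t%s\n' "$q_hash" "$q_dst" "$q_dir/$q_base" \
        >> "$QUARANTINE_DIR/index.tsv"
    printf '%s\n' "$q_dst"
}
```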
Using the Command Line to Take Action on Infected Files
Here are some basic examples of each action to get you started.
Copy Infected Files to Another Location
Here we will use the --copy=[/path/to/dir] option to copy infected files to another location. Since this is a copy operation, the infected file will now exist in two locations. Be careful!
$ clamscan -r --copy=/home/savona/quarantine /home/savona/Desktop/TEMP/
$ clamscan -r --copy=/home/savona/quarantine /home/savona/Desktop/TEMP/
/home/savona/Desktop/TEMP/PXL_20220306_153824232.jpg: OK
...OUTPUT TRUNCATED...
/home/savona/Desktop/TEMP/eicar_com.zip: copied to '/home/savona/quarantine/eicar_com.zip'

----------- SCAN SUMMARY -----------
Known viruses: 8611304
Engine version: 0.103.5
Scanned directories: 2
Scanned files: 20
Infected files: 1
Data scanned: 63.61 MB
Data read: 8861.18 MB (ratio 0.01:1)
Time: 20.945 sec (0 m 20 s)
Start Date: 2022:04:17 09:43:51
End Date: 2022:04:17 09:44:12
As you can see, the infected file was copied to the specified directory.
Move Infected Files to a Quarantine Directory
In this example we use the --move=[/path/to/dir] option to move infected files to another location. Preferably this would be a quarantine directory.
$ clamscan -r --move=/home/savona/quarantine /home/savona/Desktop/TEMP/
$ clamscan -r --move=/home/savona/quarantine /home/savona/Desktop/TEMP/
/home/savona/Desktop/TEMP/PXL_20220306_153824232.jpg: OK
...OUTPUT TRUNCATED...
/home/savona/Desktop/TEMP/eicar_com.zip: Win.Test.EICAR_HDB-1 FOUND
/home/savona/Desktop/TEMP/eicar_com.zip: moved to '/home/savona/quarantine/eicar_com.zip.001'

----------- SCAN SUMMARY -----------
Known viruses: 8611304
Engine version: 0.103.5
Scanned directories: 2
Scanned files: 20
Infected files: 1
Data scanned: 63.61 MB
Data read: 8861.18 MB (ratio 0.01:1)
Time: 20.393 sec (0 m 20 s)
Start Date: 2022:04:17 09:48:55
End Date: 2022:04:17 09:49:15
You can see clamscan moved one file into the specified quarantine directory. It also renamed the file with a .001 suffix as a precaution.
Remove (Delete) Infected Files with clamscan
Here we use the --remove=[yes/no] option to delete any infected files. We are also using the -i option here to suppress output of non infected files.
$ clamscan -i -r --remove=yes /home/savona/
Typically removing files from your home directory is safe. I still recommend running a scan and then taking manual action against infected files for inexperienced users.
$ clamscan -i -r --remove=yes /home/savona/
/home/savona/Desktop/TEMP/eicar_com.zip: Win.Test.EICAR_HDB-1 FOUND
/home/savona/Desktop/TEMP/eicar_com.zip: Removed.
/home/savona/quarantine/eicar_com.zip: Win.Test.EICAR_HDB-1 FOUND
/home/savona/quarantine/eicar_com.zip: Removed.
/home/savona/quarantine/eicar_com.zip.001: Win.Test.EICAR_HDB-1 FOUND
/home/savona/quarantine/eicar_com.zip.001: Removed.

----------- SCAN SUMMARY -----------
Known viruses: 8611304
Engine version: 0.103.5
Scanned directories: 3158
Scanned files: 57213
Infected files: 3
Total errors: 2
Data scanned: 3022.12 MB
Data read: 20096.71 MB (ratio 0.15:1)
Time: 624.157 sec (10 m 24 s)
Start Date: 2022:04:17 09:54:00
End Date: 2022:04:17 10:04:24
Using the ClamTk GUI to Take Action on Infected Files
When a scan initiated with the ClamTk GUI completes you will be met with a summary screen. If no infected files were found, it will notify you and the only option presented is to close the summary screen. However, if it does find an infected file you will be presented with three options.
The quarantine option will move the file into the default ClamTk quarantine folder and rename it. On my system the default quarantine folder was /home/savona/.clamtk/viruses. The Delete option will simply delete the file.
Clicking on the Analysis option will allow you to submit the file to Virustotal. If the file has been previously submitted you will be presented with information from other antivirus vendors. This will allow you to make a more informed decision on how to act on this file.
Advanced ClamAV Configurations
This article was not written to cover all options or configurations. It was written as a basic ClamAV primer to help the average Linux user get started. However, it is important to know that there are more advanced configurations. You can run ClamAV as a daemon, configure on-access scans, and use options and regular expressions to narrow down your scan.
Let us know in the comments if you liked this article and would like to see another tutorial on advanced ClamAV configurations.