What is ClamAV?
ClamAV is an open-source antivirus engine primarily designed for malware detection on Linux and Unix systems. Its GPL license allows free use in personal and enterprise environments. The project includes several tools: the clamd daemon for on-demand scanning, the command-line utility clamscan, and the signature updater freshclam. Thanks to its frequently updated signature database by the community, ClamAV detects viruses, trojans, worms, and other known threats. Although it does not replace commercial solutions in all scenarios, its lightweight nature and ease of integration make it a popular choice for mail servers, gateways, and workstations.
Installation on popular distributions
- On Ubuntu and Debian: sudo apt update && sudo apt install clamav clamav-daemon
- On CentOS and RHEL: sudo yum install epel-release && sudo yum install clamav clamav-update
- On Fedora: sudo dnf install clamav clamav-update
- On Arch Linux: sudo pacman -S clamav
After installation, it is recommended to start the signature-update service with sudo systemctl start clamav-freshclam and enable it to run at boot with sudo systemctl enable clamav-freshclam. In some distributions the scanning daemon package is named clamav-daemon; verify the exact name with your package manager.
Updating the signature database with freshclam
The freshclam component is responsible for downloading the latest malware signatures from the official ClamAV servers. You can run it manually with sudo freshclam or configure it to run automatically in the background via the clamav-freshclam service. It is important to review the configuration file /etc/clamav/freshclam.conf to adjust the update frequency, number of attempts, and proxy if your network requires it. Keeping the database up to date ensures effective detection of the latest threats.
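A freshclam.conf fragment covering the three settings just mentioned (update frequency, retries, proxy). This is an added example, not a file shipped by the ClamAV project; the proxy host and port and the Checks value are assumed values for illustration.

```conf
# /etc/clamav/freshclam.conf (fragment, added example)
# Where signatures are stored and which account owns them
DatabaseDirectory /var/lib/clamav
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogTime yes

# Update frequency: number of checks per day (default is 12, i.e. every 2 h)
Checks 24

# Retries per update run before giving up (default is 3)
MaxAttempts 5

# Outbound proxy (assumed values; remove both lines if the host has direct access)
HTTPProxyServer proxy.example.com
HTTPProxyPort 3128

# Official mirror, as shipped
DatabaseMirror database.clamav.net

# Ask the running clamd to reload its database after a successful update
NotifyClamd /etc/clamav/clamd.conf
```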
Manual scanning with clamscan
The clamscan tool allows you to scan files and directories on demand. A basic command is sudo clamscan -r /home/usuario, where the -r option enables recursive traversal of subdirectories. To obtain a more detailed report, you can add --bell to ring the terminal bell when a threat is found and --log=/var/log/clamav/scan.log to save the results. If you want clamscan to automatically delete infected files, use the --remove option, although it is recommended to first review the log to avoid accidental deletions.
Using the clamd daemon for on-demand scanning
The clamd daemon keeps the signature database loaded in memory, which speeds up subsequent scans after the initial start. To use it, ensure the clamd service is active with sudo systemctl start clamav-daemon and sudo systemctl enable clamav-daemon. Then you can launch scans using the clamdscan client, for example: sudo clamdscan /srv/www. This approach reduces CPU load and is ideal in environments where frequent scans are performed, such as file servers or mailboxes.
Scheduling automatic scans with cron
To keep the system malware-free without manual intervention, it is common to create a cron job that runs clamscan or clamdscan periodically. Edit the root crontab with sudo crontab -e and add a line like: 0 2 * * * /usr/bin/clamscan -r / --exclude-dir=/sys --exclude-dir=/proc --exclude-dir=/dev >> /var/log/clamav/cron_scan.log 2>&1. This task will run each day at 02:00, scanning the entire system while excluding virtual filesystems and saving the output to a log. Periodically review the log to detect possible infections.
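The cron line above can be wrapped in a small script that checks clamscan's exit status and mails only the detections instead of the whole log. This is an added example, not part of ClamAV; it assumes clamscan at /usr/bin/clamscan, a writable /var/log/clamav, a local mail command, and a hypothetical MAIL_TO alert address. Run without the argument run, it parses a constructed sample log instead of scanning.

```shell
#!/bin/sh
# Added example cron wrapper for the nightly clamscan job; not part of ClamAV.
# Assumes /usr/bin/clamscan, a writable /var/log/clamav and a local mail(1);
# MAIL_TO is a hypothetical alert address.
CLAMSCAN="${CLAMSCAN:-/usr/bin/clamscan}"
LOG_DIR="${LOG_DIR:-/var/log/clamav}"
MAIL_TO="${MAIL_TO:-root}"
# clamscan exit codes: 0 = no threat, 1 = threat(s) found, 2 = error
# (for example an unreadable signature database).
scan_status() {
    case "$1" in 0) echo clean ;; 1) echo infected ;; *) echo error ;; esac
}
# Detections are logged as "<path>: <Signature> FOUND"; "OK" lines and the
# SCAN SUMMARY block are skipped.
infected_files() { grep ' FOUND$' "$1" || true; }
# Count detections without trusting the "Infected files:" summary line,
# which is missing when clamscan aborts before writing it.
infected_count() { infected_files "$1" | wc -l | tr -d ' '; }
# Scan the system. --remove is deliberately absent: the log is reviewed by a
# person before anything is deleted.
nightly_scan() {
    log="$LOG_DIR/scan_$(date +%Y%m%d).log"
    rc=0
    "$CLAMSCAN" -r -i / --exclude-dir='^/sys' --exclude-dir='^/proc' \
        --exclude-dir='^/dev' --max-filesize=100M --max-scansize=500M \
        --log="$log" >/dev/null 2>&1 || rc=$?
    status=$(scan_status "$rc")
    if [ "$status" != clean ]; then
        { echo "clamscan status: $status (exit $rc)"; infected_files "$log"; } |
            mail -s "ClamAV $status on $(hostname)" "$MAIL_TO"
    fi
}
# Constructed sample of clamscan log output, used when run without "run".
sample_log() {
    cat >"$1" <<'EOF'
/home/usuario/Downloads/invoice.zip: Sample.Constructed.Sig-1 FOUND
/home/usuario/notes.txt: OK
/srv/www/uploads/eicar.com: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Infected files: 2
EOF
}
if [ "${1:-}" = run ]; then
    nightly_scan
else
    sample_log "${TMPDIR:-/tmp}/clamav_sample.log"
    echo "detections: $(infected_count "${TMPDIR:-/tmp}/clamav_sample.log")"
    infected_files "${TMPDIR:-/tmp}/clamav_sample.log"
fi
```

Install it as, for example, /usr/local/sbin/clamav-nightly and point the crontab entry at it with the argument run.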
Integration with mail servers
One of the most common uses of ClamAV is as an antivirus filter in email gateways. Solutions such as amavisd-new, MailScanner, or a Postfix milter directly can invoke clamdscan to scan the attachments of incoming and outgoing messages. The typical configuration involves specifying the path to the clamd socket (usually /var/run/clamav/clamd.ctl) and defining actions such as rejecting, quarantining, or notifying the administrator when an infected file is detected. This additional layer protects both end users and the mail infrastructure from spreading malware.
Best practices and performance optimization
- Schedule signature updates during low-usage periods to avoid bandwidth spikes.
- Limit scans to critical directories (e.g., /home, /var/www, /srv) and exclude temporary filesystems.
- Use the --max-filesize and --max-scansize options to prevent excessively large files from consuming resources.
- Monitor CPU and memory usage of the clamd daemon with tools like top or htop and adjust the number of threads if your version allows it.
- Keep the operating system and ClamAV packages up to date to benefit from security and performance improvements.
Resources, documentation, and community
The official ClamAV documentation is available on the website and includes installation guides, command references, and frequently asked questions. Additionally, there are mailing lists, IRC channels, and forums where users and developers share experiences and solutions to specific issues. If you wish to contribute, the source code is hosted on GitHub under the GPL license, allowing you to report bugs, propose improvements, or create custom signatures. Leveraging these resources