How to installing ClamAV on AlmaLinux, Rocky Linux, or CentOS Stream

ClamAV is a free, open-source antivirus software designed to detect viruses, trojans, and malware on your VPS. This guide explains step by step how to install ClamAV, configure it to start automatically, and schedule daily security scans.

Important: ClamAV can be resource-intensive. It is recommended that your VPS has at least 1 GB of free RAM. You can check available memory using the top command.

---

Installing ClamAV

Step 1: Update the system

sudo dnf -y update

Updating ensures that all system packages and dependencies are up to date before installing ClamAV.

Step 2: Enable the EPEL repository

ClamAV is not included in the default CentOS/AlmaLinux repositories. You must first install the EPEL (Extra Packages for Enterprise Linux) repository:

sudo dnf -y install epel-release

Step 3: Install ClamAV

Once EPEL is enabled, install ClamAV and its necessary components:

sudo dnf -y install clamav clamd clamav-data

This installs the main ClamAV package, the daemon (clamd), and the virus definition database.

---

Enabling Automatic Scanning (ClamAV Daemon)

Step 1: Check SELinux status

Run the command below to check whether SELinux is active:

sudo sestatus

If SELinux is enabled, grant ClamAV the necessary permissions to scan system files:

sudo setsebool -P antivirus_can_scan_system 1 sudo setsebool -P clamd_use_jit 1

Step 2: Edit the scan.conf file

Modify the ClamAV configuration to enable the socket and disable the “Example” line:

sudo sed -i -e "s/^Example/#Example/" /etc/clamd.d/scan.conf sudo sed -i -e "s/#LocalSocket /LocalSocket /" /etc/clamd.d/scan.conf

Step 3: Configure Freshclam (virus database updater)

Freshclam keeps ClamAV’s virus definitions up to date. Enable it by commenting out the “Example” line in its configuration:

sudo sed -i -e "s/^Example/#Example/" /etc/freshclam.conf

Step 4: Update virus definitions

Run the following command to download the latest virus database:

sudo freshclam

If the update completes without errors, ClamAV is now ready to use.

Step 5: Create a Freshclam service

Create a new systemd service file for Freshclam:

sudo nano /usr/lib/systemd/system/freshclam.service

Add the following content:

[Unit] Description=freshclam scanner After=network.target [Service] Type=forking ExecStart=/usr/bin/freshclam -d -c 1 Restart=on-failure PrivateTmp=true [Install] WantedBy=multi-user.target

You can change -c 1 to -c 2 to perform two updates per day.

Step 6: Enable and start ClamAV services

sudo systemctl enable clamd@scan sudo systemctl enable freshclam sudo systemctl start clamd@scan sudo systemctl start freshclam

ClamAV will now run automatically and update itself regularly.

---

Scheduling Automatic Scans (Cron Job)

If you want to reduce memory usage, you can use a cron job instead of keeping the daemon active at all times. This allows you to schedule ClamAV scans at specific times.

Step 1: Create a cron job file

sudo nano /etc/cron.d/clamav-scan

Step 2: Create log files

mkdir /var/log/clamav touch /var/log/clamav/cron-scan.log

Step 3: Add the cron job content

MAILTO=root 0 2 * * * root /usr/bin/clamscan \ --quiet --infected --recursive / \ --exclude-dir=/proc/* \ --exclude-dir=/sys/* \ >> /var/log/clamav/cron-scan.log 2>&1

This command schedules a system-wide scan every day at 2:00 AM. You can change the time, for example to 6:00 PM, by replacing 0 2 * * * with 0 18 * * *.

Note that CPU usage may temporarily spike during a scan, so it’s best to schedule scans during off-peak hours.

---

Manual Scanning with ClamAV

You can perform manual scans using either Clamscan (command-line mode) or ClamD (daemon mode).

Using Clamscan

Run a basic scan using:

clamscan --exclude-dir=/proc/* --exclude-dir=/sys/* -i -r /

• -i: Show only infected files
• -r: Perform a recursive scan
• --exclude-dir: Exclude virtual directories

Using ClamD

To scan a specific directory using the ClamD service:

clamdscan --fdpass -i /folder

• --fdpass: Allows scanning with the user’s permissions (e.g., root)
• -i: Shows only infected files
• /folder: The directory you wish to scan

ClamD configuration settings can be modified here:

sudo nano /etc/clamav/clamd.conf

From this file, you can define scan parameters, exclusions, and logging preferences.

---

Conclusion

You have now successfully installed and configured ClamAV on AlmaLinux, Rocky Linux, or CentOS Stream. Your server is now protected with a reliable antivirus system that can perform both automatic and scheduled scans. It is recommended to regularly check your logs and ensure your virus definitions are kept up to date.