Cart

    Sorry, we could not find any results for your search querry.

    Installing and configuring ClamAV in Ubuntu

    ClamAV is a free, open-source antivirus program for, amongst other things, the detection of trojans, viruses, and malware on your VPS. In this tutorial, we show you how to install ClamAV in Ubuntu, ensure that ClamAV starts automatically, and your VPS scans daily. 

    Follow the steps in this article as a root user or user with root rights and connect to your VPS via SSH or the VPS console before continuing.

     

     

    Installing ClamAV

     

    The installation of ClamAV in Ubuntu is straight forward, and done using the command:

    apt -y install clamav

    Do you want ClamAV to automatically scan your VPS and protect against viruses in real-time? Then also install the ClamAV daemon with the command below.

    The daemon uses a reasonable amount of RAM (soon + - 600MB), so it is advisable to at least use an a VPS with 4GB RAM when you install the daemon, or alternatively, only use the basic version together with a Cronjob, see the cronjob instruction later in this article.

    apt install -y clamav-daemon

     

    Updating the virus database

     

    ClamAV comes with a tool called Freshclam to update the virus database of ClamAV. Freshclam automatically checks for virus database updates 24 times a day.

    Freshclam is automatically executed. Its current state can be checked with:

    systemctl status clamav-freshclam

     

    Updating manually 

     

    If you disable freshclam (with systemctl stop clamav-freshclam) and only want to update manually, you use the command:

    freshclam

    If you use the above command while freshclam is still active, you will get the following notification:

    ERROR: /var/log/clamav/freshclam.log is locked by another process
    ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).

     

    Scanning your VPS automatically 

     

    Automatic scanning with the ClamAV daemon

    If you use the daemon version of ClamAV, the ClamAV daemon (ClamD) automatically runs as a service and will automatically start after a restart of your VPS.

    ClamD will not automatically protect your VPS in real time. For this, it uses the additional On-Access Scanning tool. To enable this, first make some adjustments in the ClamD configuration: 

     

    Step 1

    Open the ClamD configuration

    nano /etc/clamav/clamd.conf

     

    Step 2 

    Add the following content at the bottom of the file (see explanation):

    ScanOnAccess yes
    OnAccessIncludePath /home
    OnAccessIncludePath /etc
    OnAccessIncludePath /var
    • ScanOnAccess yes: enable On-Access scanning
    • OnAccessIncludePath: the folders defined here (/home/etc/var) are recursively scanned.
    • OnAccessPrevention yes: blocks viruses, if you use 'no', only a notification is made but no action is taken. 

    There are other options, such as the exclusion of folders with OnAccessExcludePath. More information on all available options can be found on this page and some use cases are discussed here.


     

    Step 3

    The changes can only be made when the clamav-daemon service is disabled. So, disable it as follows:

    systemctl stop clamav-daemon

     

    Step 4

    Start ClamD first and then the associated service:

    clamd
    systemctl start clamav-daemon

    It will take a moment for the start of clamd to be completed. 


     

    Additional tips:

    • You can check the status of the ClamAV daemon with the command:
    systemctl status clamav-daemon
    • The log files can be found in:
    nano /var/log/clamav/clamav.log
    • Clamd has a resource monitor similar to top/htop. You use this with the command:
    clamdtop
    • If you get a message that inotify has exhausted the maximum number of watchpoints, you can add more to it with:
    $ echo 524288 | sudo tee -a /proc/sys/fs/inotify/max_user_watches

     

    Automatically scan your VPS with a cron job

    At the beginning of this article, we indicated that the ClamAV daemon uses quite a bit of RAM. Alternatively, you can choose not to install the ClamAV daemon and create a cronjob with which you automatically carry out the manual ClamAV scan (with a cronjob, you create a task on your VPS to perform one or more assignments at fixed times). This works like as follows:

     

    Step 1

    Create a cronjob with the command:

    crontab -e

     

    Step 2

    For example, give your cronjob the following content:

    SHELL=/bin/bash
    HOME=/
    * */1 * * * date >> /var/log/clamav_log
    * */1 * * * 

    In summary, the above does the following:

    • The cronjob is executed every hour (defined by * */1 * * *). Do you prefer to scan daily at a specific time? For example, to scan at 18:00 every day you use * 18 * * *. At https://crontab.guru/, you can see how you specify specific times in a cronjob.
    • date >> /var/log/clamav_log: this part ensures that every time the cronjob is executed, the date and time of the synchronization is specified in /var/log/clamav_log on a new line at the end of /var/log/clamav_log.
    • The Clamscan command is explained in more detail under 'manual scanning with ClamAV'. The addition >> /var/log/rsync_log causes the output to be written to /var/log/rsync_log (below the date and time). This way you can always look back at how the synchronization has processed (cat /var/log/rsync_log | less).

    Running the clamscan command will cause increased use of your hardware as long as the scan is running. Keep this in mind when determining the times at which you have the scan done.

    If desired, you can remove the cronjob as follows (removing all crontabs):

    crontab -r

    or you can of course edit the existing cronjob with:

    crontab -e

    You can check your cronjob itself (without adjusting it) with:

    crontab -l

    Please note: if you use a custom logfile directory as above, do not forget that to create it (mkdir /var/log/siteupdates).


     

    Scanning your VPS manually

     

    Manual scanning with ClamAV

    ClamAV only scans files to which the executing user has rights. Therefore, always scan as root user, or use sudo.

    For the manual version you use the command:

    clamscan --exclude-dir=/proc/* --exclude-dir=/sys/* -i -r /
    • With the addition --exclude-dir=/proc/* and --exclude-dir=/sys/* you make sure that ClamAV does not scan these folders. The /proc/ and /sys/ folders are virtual filesystems which, among other things, provide communication between the hardware of your VPS / the processes of your VPS and your OS.
    • -i (infected) ensures that only infected files are shown
    • -r (recursive) ensures that all underlying folders are scanned
    • / indicates that all folders of your VPS are being scanned. You can also use this to scan specific folders, e.g. /etc/

     

    Manual scanning with ClamD 

    You can also scan your OS manually with the ClamAV daemon, but it has fewer scan options than clamscan and is mainly intended to scan specific folders, not your entire OS at once. The syntax that you can use for this is:

    clamdscan--fdpass -i /etc
    • --fdpass: the ClamAV daemon is executed by the user ClamAV and has few rights to folders. With –fdpass, you give the rights of the user with whom you are working to clamdscan. If you execute this command as root user, then, with –fdpass, clamdscan thus has rights to scan all folders to which the root user has access.
    • -i (infected) ensures that only infected files are shown
    • /etc Indicates which folder you want to scan (recursively).

    Scanning with ClamD uses the configuration in clamd.conf. You can edit this file to adjust the scanning to your own wishes:

    nano /etc/clamav/clamd.conf

     

    This concludes our tutorial on installing and using ClamAV in Ubuntu. Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.

    Need help?

    Receive personal support from our supporters

    Contact us