    Installing and configuring ClamAV in Debian

    ClamAV is a free, open-source antivirus program for, amongst other things, the detection of trojans, viruses, and malware on your VPS. In this tutorial, we show you how to install ClamAV in Debian, ensure that ClamAV starts automatically, and your VPS scans daily. 

    Follow the steps in this article as a root user or user with root rights and connect to your VPS via SSH or the VPS console before continuing.

     

     

    Installing ClamAV

     

    The installation of ClamAV in Debian is straightforward and done using the command:

    apt -y install clamav

    Do you want ClamAV to automatically scan your VPS and protect against viruses in real-time? Then also install the ClamAV daemon with the command below.

    The daemon uses a fair amount of RAM (easily around 600 MB), so it is advisable to use at least an X4-VPS when you install the daemon. Alternatively, only use the basic version together with a cronjob; see the cronjob instructions later in this article.

    apt install -y clamav-daemon

     

    Updating the virus database

     

    ClamAV comes with a tool called Freshclam to update the virus database of ClamAV. Freshclam automatically checks for virus database updates 24 times a day.

    Freshclam is automatically executed. Its current state can be checked with:

    systemctl status clamav-freshclam

    In Debian 9, Freshclam is not automatically started after the installation of ClamAV. You start Freshclam with the command:

    systemctl start clamav-freshclam

     

    Updating manually 

     

    If you disable freshclam (with systemctl stop clamav-freshclam) and only want to update manually, you use the command:

    freshclam

    If you use the above command while freshclam is still active, you will get the following notification:

    ERROR: /var/log/clamav/freshclam.log is locked by another process
    ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).

     

    Scanning your VPS automatically 

     

    Automatic scanning with the ClamAV daemon

    If you use the daemon version of ClamAV, the ClamAV daemon (ClamD) automatically runs as a service and will automatically start after a restart of your VPS.

    ClamD will not automatically protect your VPS in real time. For this, it uses the additional On-Access Scanning tool. To enable this, first make some adjustments in the ClamD configuration: 

     

    Step 1

    Open the ClamD configuration

    nano /etc/clamav/clamd.conf

     

    Step 2 

    Add the following content at the bottom of the file (see explanation):

    ScanOnAccess yes
    OnAccessIncludePath /home
    OnAccessIncludePath /etc
    OnAccessIncludePath /var
    OnAccessPrevention yes

    • ScanOnAccess yes: enables On-Access scanning.
    • OnAccessIncludePath: the folders defined here (/home, /etc and /var) are scanned recursively.
    • OnAccessPrevention yes: blocks viruses. If you use 'no', only a notification is made but no action is taken.

    There are other options, such as the exclusion of folders with OnAccessExcludePath. More information on all available options can be found on this page and some use cases are discussed here.


     

    Step 3

    The changes can only be made when the clamav-daemon service is stopped. So, stop it as follows:

    systemctl stop clamav-daemon

    Are you using Debian 10? If so, use the following two commands before proceeding. ClamAV executes the command in step 4 as the user 'ClamAV'. This user has no rights to the /var/run/ folder (which is a symbolic link to the /run folder) and can't create the folder or the socket file. The commands below solve this.

    mkdir /run/clamav/
    chmod 777 -R /run/clamav/

     

    Step 4

    Start ClamD first and then the associated service:

    clamd
    systemctl start clamav-daemon

    It will take a moment for the start of clamd to be completed. 

    Debian 10: Having run these commands, the ownership of the files from step 3 is set correctly. Revert the permission changes from step 3 with:

    chmod 755 -R /run/clamav/

     

    Additional tips:

    • You can check the status of the ClamAV daemon with the command:
    systemctl status clamav-daemon
    • The log files can be found in:
    nano /var/log/clamav/clamav.log
    • Clamd has a resource monitor similar to top/htop. You use this with the command:
    clamdtop
    • If you get a message that inotify has exhausted the maximum number of watchpoints, you can add more to it with:
    $ echo 524288 | sudo tee -a /proc/sys/fs/inotify/max_user_watches
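
A pre-flight check for the on-access settings and the inotify tip above, as an added example that is not part of the original tutorial: it reads the OnAccess directives from a clamd.conf and compares the number of directories under the include paths with the inotify watch limit. It assumes one watch per directory and include paths without spaces; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the tutorial): sanity-check the on-access settings.

# Print every value of a clamd.conf directive; comment lines never match.
conf_values() {            # usage: conf_values <directive> <conf-file>
    awk -v key="$1" '$1 == key { print $2 }' "$2"
}

# Directories below all OnAccessIncludePath entries (assumed: one watch each).
watches_needed() {         # usage: watches_needed <conf-file>
    total=0
    for dir in $(conf_values OnAccessIncludePath "$1"); do
        [ -d "$dir" ] || continue          # skip paths that do not exist
        count=$(find "$dir" -type d 2>/dev/null | wc -l)
        total=$((total + count))
    done
    echo "$total"
}

# Report "ok" or "raise-limit" for a config and a watch limit.
check_watches() {          # usage: check_watches <conf-file> [limit]
    limit=${2:-$(cat /proc/sys/fs/inotify/max_user_watches)}
    if [ "$(watches_needed "$1")" -le "$limit" ]; then
        echo ok
    else
        echo raise-limit
    fi
}

# Report whether detections are blocked or only logged.
prevention_mode() {        # usage: prevention_mode <conf-file>
    if [ "$(conf_values OnAccessPrevention "$1" | tail -n 1)" = "yes" ]; then
        echo blocking
    else
        echo notify-only
    fi
}

# Run against a real config only when its path is given on the command line.
if [ -n "${1:-}" ]; then
    echo "include paths: $(conf_values OnAccessIncludePath "$1" | tr '\n' ' ')"
    echo "prevention:    $(prevention_mode "$1")"
    echo "watches:       $(watches_needed "$1") needed, $(check_watches "$1")"
fi
```

Run it as root with /etc/clamav/clamd.conf as the argument before starting clamd; "raise-limit" means the max_user_watches value from the tip above is too low for the configured paths.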

     

    Automatically scan your VPS with a cron job

    At the beginning of this article, we indicated that the ClamAV daemon uses quite a bit of RAM. Alternatively, you can choose not to install the ClamAV daemon and create a cronjob with which you automatically carry out the manual ClamAV scan (with a cronjob, you create a task on your VPS to perform one or more assignments at fixed times). This works as follows:

     

    Step 1

    Create a cronjob with the command:

    crontab -e

     

    Step 2

    For example, give your cronjob the following content:

    SHELL=/bin/bash
    HOME=/
    0 * * * * date >> /var/log/clamav_log
    0 * * * * clamscan --exclude-dir=/proc/* --exclude-dir=/sys/* -i -r / >> /var/log/clamav_log

    In summary, the above does the following:

    • The cronjob is executed every hour, on the hour (defined by 0 * * * *). The first field is the minute: with * in that field, the job would start every minute instead. Do you prefer to scan daily at a specific time? For example, to scan at 18:00 every day you use 0 18 * * *. At https://crontab.guru/, you can see how you specify specific times in a cronjob.
    • date >> /var/log/clamav_log: this part ensures that every time the cronjob is executed, the date and time of the run are written on a new line at the end of /var/log/clamav_log.
    • The clamscan command is explained in more detail under 'Manual scanning with ClamAV'. The addition >> /var/log/clamav_log causes the output to be written to /var/log/clamav_log (below the date and time). This way you can always look back at the scan results using cat /var/log/clamav_log | less.

    Running the clamscan command will cause increased use of your hardware as long as the scan is running. Keep this in mind when determining the times at which you have the scan done.

    If desired, you can remove the cronjob as follows (removing all crontabs):

    crontab -r

    or you can of course edit the existing cronjob with:

    crontab -e

    You can check your cronjob itself (without adjusting it) with:

    crontab -l

    Please note: if you use a custom logfile directory, do not forget to create it first (e.g. mkdir /var/log/siteupdates).
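
A wrapper the cronjob can call instead of the bare clamscan line, as an added example that is not part of the original tutorial: it skips a run while the previous scan still holds a lock, records clamscan's exit status (0 clean, 1 virus found, anything else an error) and extracts the FOUND lines from the log. The lock path, the --scan switch, the function names and the sample log are assumptions constructed for this example.

```shell
#!/bin/bash
# Added example (not from the tutorial): cron wrapper for the clamscan job.
LOG=${LOG:-/var/log/clamav_log}
LOCK=${LOCK:-/run/lock/clamscan-cron.lock}   # assumed lock file location

# Map clamscan's exit code to a status word: 0 clean, 1 virus found, else error.
scan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Print "<signature> <path>" for each "<path>: <signature> FOUND" line in a log.
list_detections() {
    sed -n 's/^\(.*\): \([^ ]*\) FOUND$/\2 \1/p' "$1"
}

# One scan at a time: a run that finds the lock held logs that and stops.
run_scan() {
    (
        if ! flock -n 9; then
            echo "$(date) previous scan still running, skipped" >> "$LOG"
            exit 0
        fi
        date >> "$LOG"
        clamscan --exclude-dir=/proc/* --exclude-dir=/sys/* -i -r / >> "$LOG" 2>&1
        rc=$?
        echo "scan result: $(scan_status "$rc")" >> "$LOG"
        exit "$rc"
    ) 9> "$LOCK"
}

# Constructed sample of what the job appends to the log when a file is flagged.
sample_log() {
    cat <<'EOF'
Mon Jan  6 18:00:01 UTC 2025
/home/demo/eicar.com: Win.Test.EICAR_HDB-1 FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
scan result: infected
EOF
}

# Cron calls the script with --scan; without it only the functions are defined.
if [ "${1:-}" = "--scan" ]; then
    run_scan
fi
```

Saved under a path of your choice (for example the hypothetical /usr/local/sbin/clamscan-cron.sh), the single crontab command becomes that path followed by --scan.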


     

    Scanning your VPS manually

     

    Manual scanning with ClamAV

    ClamAV only scans files to which the executing user has rights. Therefore, always scan as root user, or use sudo.

    For the manual version you use the command:

    clamscan --exclude-dir=/proc/* --exclude-dir=/sys/* -i -r /
    • With the addition --exclude-dir=/proc/* and --exclude-dir=/sys/* you make sure that ClamAV does not scan these folders. The /proc/ and /sys/ folders are virtual filesystems which, among other things, provide communication between the hardware of your VPS / the processes of your VPS and your OS.
    • -i (infected) ensures that only infected files are shown
    • -r (recursive) ensures that all underlying folders are scanned
    • / indicates that all folders of your VPS are being scanned. You can also use this to scan specific folders, e.g. /etc/

     

    Manual scanning with ClamD 

    You can also scan your OS manually with the ClamAV daemon, but it has fewer scan options than clamscan and is mainly intended to scan specific folders, not your entire OS at once. The syntax that you can use for this is:

    clamdscan --fdpass -i /etc
    • --fdpass: the ClamAV daemon is executed by the user ClamAV and has few rights to folders. With --fdpass, you give the rights of the user with whom you are working to clamdscan. If you execute this command as root user, then, with --fdpass, clamdscan has rights to scan all folders to which the root user has access.
    • -i (infected) ensures that only infected files are shown
    • /etc Indicates which folder you want to scan (recursively).

    Scanning with ClamD uses the configuration in clamd.conf. You can edit this file to adjust the scanning to your own wishes:

    nano /etc/clamav/clamd.conf

     

    This concludes our tutorial on installing and using ClamAV in Debian. Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.
