Step-by-Step Installation of ClamAV Antivirus on Linux


We are very diligent about security at IOFLOOD, especially when it comes to securing the information on our customers’ dedicated servers. As we test various antivirus software, we gather our tips and info together so that we may inform others who have similar questions. In today’s article we want to discuss the installation of the antivirus software ClamAV.

ClamAV is renowned for its robust malware detection and scanning capabilities, making it a valuable addition to any Linux environment.
In this tutorial, we will guide you on how to install the ClamAV command on your Linux system. We will show you methods for both APT and YUM-based distributions, delve into compiling ClamAV from source, installing a specific version, and finally, how to use the ClamAV command and ensure it’s installed correctly.

So, let’s dive in and begin installing ClamAV on your Linux system!

TL;DR: How Do I Install ClamAV on Linux?

To install ClamAV on Linux, you need to use the package manager of your distribution. For Debian-based distributions like Ubuntu, use the command sudo apt-get install clamav. On RPM-based distributions like CentOS, use sudo yum install clamav.

Here’s a simple example for Ubuntu:

sudo apt-get update
sudo apt-get install clamav

# Output:
# Reading package lists... Done
# Building dependency tree
# Reading state information... Done
# The following additional packages will be installed:
#   clamav-base clamav-freshclam libclamav9
# Suggested packages:
#   clamav-docs
# The following NEW packages will be installed:
#   clamav clamav-base clamav-freshclam libclamav9
# 0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
# Need to get 1,167 kB of archives.
# After this operation, 3,577 kB of additional disk space will be used.
# Do you want to continue? [Y/n]

These commands update your package list, then install ClamAV and its dependencies. The output shows the packages that will be installed and the disk space they will use.

This is just a basic way to install ClamAV on Linux, but there’s much more to learn about installing and using ClamAV. Continue reading for more detailed information and advanced usage scenarios.

How to Install ClamAV on Linux

ClamAV is an open-source antivirus engine designed for detecting trojans, viruses, malware, and other malicious threats on Linux. It features a command-line scanner, automatic database updates, and a multi-threaded daemon for scanning files in the system.

Installing ClamAV with APT

For Debian-based distributions like Ubuntu, we can install ClamAV using the apt package manager. Let’s start with updating our package list:

sudo apt-get update

# Output:
# Hit:1 http://archive.ubuntu.com/ubuntu bionic InRelease
# Get:2 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
# Fetched 88.7 kB in 2s (44.3 kB/s)
# Reading package lists... Done

This command updates the package list in your system. Now, let’s install ClamAV:

sudo apt-get install clamav clamav-daemon

# Output:
# Reading package lists... Done
# Building dependency tree
# Reading state information... Done
# The following additional packages will be installed:
#   clamav-base clamav-freshclam libclamav9
# Suggested packages:
#   clamav-docs
# The following NEW packages will be installed:
#   clamav clamav-base clamav-daemon clamav-freshclam libclamav9
# 0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
# Need to get 1,167 kB of archives.
# After this operation, 3,577 kB of additional disk space will be used.
# Do you want to continue? [Y/n]

This command installs ClamAV and its daemon, which allows ClamAV to scan files in the background.

Installing ClamAV with YUM

For RPM-based distributions like CentOS, we can install ClamAV using the yum package manager. Here’s how:

sudo yum install epel-release
sudo yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

# Output:
# Loaded plugins: fastestmirror, ovl
# Loading mirror speeds from cached hostfile
# Resolving Dependencies
# --> Running transaction check
# ---> Package clamav.x86_64 0:0.101.2-1.el7 will be installed
# --> Processing Dependency: clamav-filesystem = 0.101.2-1.el7 for package: clamav-0.101.2-1.el7.x86_64
# ---> Package clamav-data.noarch 0:0.101.2-1.el7 will be installed
# ---> Package clamav-filesystem.noarch 0:0.101.2-1.el7 will be installed
# ---> Package clamav-lib.x86_64 0:0.101.2-1.el7 will be installed
# ---> Package clamav-update.x86_64 0:0.101.2-1.el7 will be installed
# --> Finished Dependency Resolution
# Dependencies Resolved

These commands install ClamAV and its related packages on your CentOS system. The epel-release package is required to access the Extra Packages for Enterprise Linux (EPEL) repository, which contains the ClamAV package.

Running a basic virus scan and interpreting the results is covered later, in the section How to Use and Verify ClamAV.

Installing ClamAV from Source Code

Sometimes, you may need to install ClamAV from its source code. This approach gives you more control over the installation process and can help you install specific versions of ClamAV.

Here’s how you can install ClamAV from source:

wget https://www.clamav.net/downloads/production/clamav-0.103.3.tar.gz
tar -xvzf clamav-0.103.3.tar.gz
cd clamav-0.103.3
./configure
make
sudo make install

# Output:
# clamav-0.103.3/
# clamav-0.103.3/INSTALL
# clamav-0.103.3/AUTHORS
# ...
# make[2]: Leaving directory '/home/user/clamav-0.103.3/libclamav'
# make[1]: Leaving directory '/home/user/clamav-0.103.3'
# /usr/bin/install -c .libs/clamscan /usr/local/bin/clamscan
# ...

These commands download the ClamAV source code, extract it, configure the build, compile the code, and install ClamAV on your system. As the output shows, the binaries are installed under /usr/local/bin.

Installing Different Versions of ClamAV

Different versions of ClamAV come with various features and improvements. Therefore, you might want to install a specific version that suits your needs.

Installing Different Versions from Source

To install a different version of ClamAV from source, you just need to specify the version when downloading the source code. For example, to install ClamAV version 0.102.4, you would use:

wget https://www.clamav.net/downloads/production/clamav-0.102.4.tar.gz
tar -xvzf clamav-0.102.4.tar.gz
cd clamav-0.102.4
./configure
make
sudo make install

# Output:
# clamav-0.102.4/
# clamav-0.102.4/INSTALL
# clamav-0.102.4/AUTHORS
# ...
# make[2]: Leaving directory '/home/user/clamav-0.102.4/libclamav'
# make[1]: Leaving directory '/home/user/clamav-0.102.4'
# /usr/bin/install -c .libs/clamscan /usr/local/bin/clamscan
# ...

Installing Different Versions with Package Managers

With package managers like apt and yum, you can install a specific version of ClamAV by appending the version number to the package name. However, the version must be available in the package repository.

Installing Different Versions with APT

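On Debian-based distributions like Ubuntu, you can specify the version of ClamAV to install with the apt-get install command. The value after the equals sign must be the full package version string as it appears in the repository, not just the upstream version number:

sudo apt-get install clamav=0.102.4+dfsg-0ubuntu0.18.04.1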

# Output:
# Reading package lists... Done
# Building dependency tree
# Reading state information... Done
# The following packages were automatically installed and are no longer required:
#   clamav-base clamav-freshclam libclamav9
# Use 'sudo apt autoremove' to remove them.
# The following NEW packages will be installed:
#   clamav
# 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
# Need to get 292 kB of archives.
# After this operation, 1,024 B of additional disk space will be used.
# Get:1 http://archive.ubuntu.com/ubuntu bionic/universe amd64 clamav amd64 0.102.4+dfsg-0ubuntu0.18.04.1 [292 kB]
# Fetched 292 kB in 1s (291 kB/s)
# Selecting previously unselected package clamav.
# (Reading database ... 144676 files and directories currently installed.)
# Preparing to unpack .../clamav_0.102.4+dfsg-0ubuntu0.18.04.1_amd64.deb ...
# Unpacking clamav (0.102.4+dfsg-0ubuntu0.18.04.1) ...
# Setting up clamav (0.102.4+dfsg-0ubuntu0.18.04.1) ...

This command installs ClamAV version 0.102.4 on your system.

Installing Different Versions with YUM

On RPM-based distributions like CentOS, you can also specify the version of ClamAV to install with the yum install command:

sudo yum install clamav-0.102.4

# Output:
# Loaded plugins: fastestmirror, ovl
# Loading mirror speeds from cached hostfile
# Resolving Dependencies
# --> Running transaction check
# ---> Package clamav.x86_64 0:0.102.4-1.el7 will be installed
# --> Processing Dependency: clamav-filesystem = 0.102.4-1.el7 for package: clamav-0.102.4-1.el7.x86_64
# ---> Package clamav-data.noarch 0:0.102.4-1.el7 will be installed
# ---> Package clamav-filesystem.noarch 0:0.102.4-1.el7 will be installed
# ---> Package clamav-lib.x86_64 0:0.102.4-1.el7 will be installed
# ---> Package clamav-update.x86_64 0:0.102.4-1.el7 will be installed
# --> Finished Dependency Resolution
# Dependencies Resolved

This command installs ClamAV version 0.102.4 on your system.

ClamAV Version Comparison

Different versions of ClamAV come with various improvements and features. Here is a comparison of some recent versions:

Version | Key Features | Compatibility
0.103.3 | Improved bytecode signatures, Freshclam improvements | CentOS 7+, Debian 9+
0.102.4 | Stability fixes, Security patches | CentOS 6+, Debian 8+
0.101.5 | Added support for RAR5 archives, Optional support for libmspack | CentOS 6+, Debian 8+

How to Use and Verify ClamAV

Once you’ve installed ClamAV, it’s time to put it to work. Here’s how you can run a basic virus scan:

clamscan -r /home

# Output:
# /home/user/file.txt: OK
# /home/user/archive.rar: RAR module failure.
# /home/user/document.doc: Doc.Trojan.Valyria-6332141-0 FOUND

# ----------- SCAN SUMMARY -----------
# Known viruses: 8575332
# Engine version: 0.103.3
# Scanned directories: 1
# Scanned files: 3
# Infected files: 1
# Data scanned: 0.00 MB
# Data read: 0.00 MB (ratio 0.00:1)
# Time: 115 secs (1 m 55 s)

This command scans the /home directory recursively (-r). The output shows the scan results for each file and a summary at the end.

Verifying ClamAV Installation

To verify that ClamAV is installed correctly, you can use the clamscan --version command:

clamscan --version

# Output:
# ClamAV 0.103.3/25732/Wed May 26 04:54:25 2021

This command displays the ClamAV version, the virus database version, and the date of the last virus database update.

Alternate Linux Antivirus Solutions

While ClamAV is a robust antivirus solution for Linux, it’s not the only option available. There are other antivirus tools, like Sophos and Comodo, that also provide excellent protection against malicious threats. Let’s explore these alternatives and compare their features, advantages, and disadvantages.

Sophos Antivirus for Linux

Sophos is a well-known name in the world of security. It provides a comprehensive antivirus solution for Linux that’s free for personal use. Here’s how you can install Sophos on Linux:

wget https://downloads.sophos.com/inst/linux/install.sh
chmod +x install.sh
sudo ./install.sh

# Output:
# --2021-07-01 12:00:00--  https://downloads.sophos.com/inst/linux/install.sh
# Resolving downloads.sophos.com (downloads.sophos.com)... 192.0.2.0
# Connecting to downloads.sophos.com (downloads.sophos.com)|192.0.2.0|:443... connected.
# HTTP request sent, awaiting response... 200 OK
# Length: 2833 (2.8K) [application/x-sh]
# Saving to: ‘install.sh’
# ...
# Sophos Anti-Virus for Linux version 9.16.0
# Installation completed.

This command downloads the Sophos installation script, makes it executable, and runs it. The output shows the progress of the installation and confirms the installed version.

Sophos offers real-time scanning and automatic updates. However, it lacks a graphical user interface and might be more resource-intensive than ClamAV.

Comodo Antivirus for Linux

Comodo offers a free antivirus solution for Linux. It features real-time scanning, on-demand scanning, email scanning, and automatic updates. Here’s how you can install Comodo on Linux:

wget https://download.comodo.com/cavmgl/download/installs/1000/standalone/cav-linux_x64.deb
sudo dpkg -i cav-linux_x64.deb

# Output:
# --2021-07-01 12:00:00--  https://download.comodo.com/cavmgl/download/installs/1000/standalone/cav-linux_x64.deb
# Resolving download.comodo.com (download.comodo.com)... 192.0.2.0
# Connecting to download.comodo.com (download.comodo.com)|192.0.2.0|:443... connected.
# HTTP request sent, awaiting response... 200 OK
# Length: 2833 (2.8K) [application/x-sh]
# Saving to: ‘cav-linux_x64.deb’
# ...
# Selecting previously unselected package cav-linux.
# (Reading database ... 144676 files and directories currently installed.)
# Preparing to unpack cav-linux_x64.deb ...
# Unpacking cav-linux (1:2.0.470295.867) ...
# Setting up cav-linux (1:2.0.470295.867) ...

This command downloads the Comodo installation package and installs it using the dpkg command. The output shows the progress of the installation.

Comodo has a more user-friendly interface than ClamAV and Sophos. However, it’s more resource-intensive and might not support all Linux distributions.

Comparing ClamAV, Sophos, and Comodo

Here’s a comparison of ClamAV, Sophos, and Comodo:

Feature | ClamAV | Sophos | Comodo
Real-time scanning | Yes | Yes | Yes
On-demand scanning | Yes | Yes | Yes
Automatic updates | Yes | Yes | Yes
User interface | Command-line | Command-line | Graphical
Resource usage | Low | Medium | High

While all three antivirus solutions provide excellent protection, the best choice depends on your specific needs and system resources. If you prefer a command-line interface and low resource usage, ClamAV is a great choice. If you prefer a graphical interface, you might want to consider Comodo. If you want a balance between the two, Sophos might be the right choice.

Troubleshooting Issues with ClamAV

Like any software, ClamAV may sometimes throw errors or behave unexpectedly. Here are some common issues you might encounter when using ClamAV and how to resolve them.

ClamAV is Not Updating Virus Definitions

One common issue is that ClamAV does not update its virus definitions, which can leave your system vulnerable to new threats. This issue is usually due to network problems or incorrect system permissions. Here’s how you can manually update ClamAV virus definitions:

sudo freshclam

# Output:
# ClamAV update process started at Wed Jul  7 12:00:00 2021
# main.cvd is up to date (version: 61, sigs: 6607162, f-level: 63, builder: sigmgr)
# daily.cld is up to date (version: 26213, sigs: 3914521, f-level: 63, builder: raynman)
# bytecode.cld is up to date (version: 333, sigs: 92, f-level: 63, builder: awillia2)

This command runs the freshclam utility, which updates ClamAV’s virus definitions. The output shows the update process and confirms that the virus definitions are up to date.

If you’re still having issues, you might want to check your network settings or the permissions of the /var/lib/clamav directory, where ClamAV stores its virus definitions.

ClamAV is Not Scanning Certain Files

Another common issue is that ClamAV does not scan certain files. This issue can occur if ClamAV does not have the necessary permissions to access these files. Here’s how you can run ClamAV with root permissions to scan all files:

sudo clamscan -r /home

# Output:
# /home/user/file.txt: OK
# /home/user/archive.rar: RAR module failure.
# /home/user/document.doc: Doc.Trojan.Valyria-6332141-0 FOUND

# ----------- SCAN SUMMARY -----------
# Known viruses: 8575332
# Engine version: 0.103.3
# Scanned directories: 1
# Scanned files: 3
# Infected files: 1
# Data scanned: 0.00 MB
# Data read: 0.00 MB (ratio 0.00:1)
# Time: 115 secs (1 m 55 s)

This command runs the clamscan command with root permissions, allowing it to scan all files in the /home directory. The output shows the scan results for each file and a summary at the end.

Remember to use sudo sparingly and only when necessary, as it can pose a security risk if used improperly.

ClamAV is Using Too Much CPU

Sometimes, ClamAV might use more CPU resources than expected, particularly during scans or updates. You can limit ClamAV’s CPU usage by adjusting its nice value, which determines its priority level. Here’s how:

sudo renice -n 19 -p $(pgrep clamscan)

# Output:
# 12345 (process ID) old priority 0, new priority 19

This command changes the nice value of the clamscan process to 19, the lowest priority level, so the scan gives way to other processes competing for the CPU. The output shows the process ID and the old and new nice values.

Keep in mind that this might make scans or updates take longer to complete. Also, the renice command only affects running processes, so you’ll need to run it each time you start a new clamscan process.

Linux Antivirus Software Explained

Antivirus software, like ClamAV, is a crucial tool for maintaining system security. It works by scanning files and system activities for patterns that match known malicious threats, commonly referred to as ‘virus signatures’. When a match is found, the antivirus software takes the appropriate action, such as deleting the infected file or blocking the suspicious activity.

Let’s consider a simple example of how ClamAV scans a file:

clamscan infected_file.txt

# Output:
# infected_file.txt: Eicar-Test-Signature FOUND

# ----------- SCAN SUMMARY -----------
# Known viruses: 8575332
# Engine version: 0.103.3
# Scanned directories: 0
# Scanned files: 1
# Infected files: 1
# Data scanned: 0.00 MB
# Data read: 0.00 MB (ratio 0.00:1)
# Time: 15 secs

In this example, ClamAV scans the infected_file.txt file and detects the Eicar-Test-Signature, a harmless signature used for testing antivirus software. The output shows that the file is infected and provides a summary of the scan.

The Importance of Regular Updates and Scans

Regular updates are essential for maintaining the effectiveness of antivirus software. Each update provides the antivirus software with the latest virus signatures, enabling it to detect and remove new threats. Without these updates, the antivirus software might fail to identify recent threats, leaving the system vulnerable.

Here’s how you can update ClamAV’s virus definitions:

sudo freshclam

# Output:
# ClamAV update process started at Fri Jul  9 12:00:00 2021
# main.cvd is up to date (version: 61, sigs: 6607162, f-level: 63, builder: sigmgr)
# daily.cld is up to date (version: 26213, sigs: 3914521, f-level: 63, builder: raynman)
# bytecode.cld is up to date (version: 333, sigs: 92, f-level: 63, builder: awillia2)

In this example, the freshclam command updates ClamAV’s virus definitions. The output shows the update process and confirms that the virus definitions are up to date.

Regular scans are just as important as regular updates. Scans allow the antivirus software to apply the latest virus signatures and detect any threats that might have infiltrated the system. With ClamAV, you can schedule scans using cron jobs or other task scheduling tools.
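As an added example (not code from the original article), here is a wrapper script that cron could run for the scheduled scans described above. It starts the scan with nice instead of renicing it afterwards, and it flags files that ClamAV listed but did not scan, such as the RAR module failure in the sample output; the script path, log path and function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Function names, the script
# path and the log path are assumptions. Assumed /etc/cron.d entry (02:30 daily):
#   30 2 * * * root /usr/local/sbin/clamav-scan.sh --run /home

# Constructed sample input, based on this article's example scan output.
sample_scan_output() {
  cat <<'EOF'
/home/user/file.txt: OK
/home/user/archive.rar: RAR module failure.
/home/user/document.doc: Doc.Trojan.Valyria-6332141-0 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
EOF
}

# Read clamscan output on stdin; print one tab-separated record per file that
# is not "OK": INFECTED <path> <signature> or UNSCANNED <path> <reason>.
scan_report() {
  awk '
    /SCAN SUMMARY/ { exit }             # per-file lines stop at the summary
    {
      pos = match($0, /: [^:]*$/)       # split on the last ": " in the line
      if (!pos) next                    # blank or unrelated line
      path = substr($0, 1, pos - 1)
      status = substr($0, pos + 2)
      if (status == "OK") next
      if (status ~ / FOUND$/) {
        sub(/ FOUND$/, "", status)
        printf "INFECTED\t%s\t%s\n", path, status
      } else {
        printf "UNSCANNED\t%s\t%s\n", path, status
      }
    }'
}

# Combine the clamscan exit code (0 = clean, 1 = virus found, 2 = error)
# with the parsed report into one verdict: infected, incomplete or clean.
scan_verdict() {
  local rc="$1" report="$2"
  if [ "$rc" -eq 1 ] || printf '%s\n' "$report" | grep -q '^INFECTED'; then
    echo infected
  elif [ "$rc" -ne 0 ] || printf '%s\n' "$report" | grep -q '^UNSCANNED'; then
    echo incomplete                     # some files were never checked
  else
    echo clean
  fi
}

# Update signatures, scan at low priority, append the result to the log.
run_scheduled_scan() {
  local target="$1" log="${2:-/var/log/clamav/scheduled-scan.log}" out rc report verdict
  freshclam --quiet || echo "freshclam failed; using existing signatures" >&2
  out=$(nice -n 19 clamscan -r "$target" 2>&1) && rc=0 || rc=$?
  report=$(printf '%s\n' "$out" | scan_report)
  verdict=$(scan_verdict "$rc" "$report")
  {
    printf '%s verdict=%s rc=%s target=%s\n' "$(date -u +%FT%TZ)" "$verdict" "$rc" "$target"
    [ -z "$report" ] || printf '%s\n' "$report"
  } >>"$log"
  if [ "$verdict" != clean ]; then      # cron mails job output to the job owner
    printf 'clamscan %s: %s\n%s\n' "$target" "$verdict" "$report" >&2
    return 1
  fi
}

[ "${1:-}" != "--run" ] || run_scheduled_scan "${2:-/home}"
```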

By understanding these fundamentals, you can better appreciate the role of ClamAV and other antivirus software in maintaining system security.

Significance of Linux System Security

Linux, like any other operating system, is not immune to security threats. While it’s considered more secure than many of its counterparts, it’s still crucial to take proactive steps to protect your system. Antivirus software like ClamAV plays a pivotal role in this regard, providing a line of defense against malware and other threats.

Exploring Firewalls and Intrusion Detection Systems

In addition to antivirus software, other tools can further bolster your system’s security. Firewalls, for instance, monitor and control incoming and outgoing network traffic based on predetermined security rules, providing a barrier between a trusted internal network and untrusted external networks.

Intrusion Detection Systems (IDS), on the other hand, monitor networks or systems for malicious activity or policy violations. Any detected activity or violation is typically reported to an administrator or collected centrally in a security information and event management (SIEM) system.

# Example of a simple firewall rule using UFW (Uncomplicated Firewall) in Linux
sudo ufw deny from 192.0.2.0/24 to any port 22

# Output:
# Rule added
# Rule added (v6)

In this example, the command adds a firewall rule that blocks all incoming traffic from the IP range 192.0.2.0/24 to port 22, which is commonly used for SSH connections. The output confirms that the rule has been added.

While ClamAV, firewalls, and IDS each serve different purposes, they all contribute to a comprehensive security strategy for your Linux system.

Further Resources for Deepening Your Linux Security Knowledge

To delve deeper into Linux security and tools like ClamAV, firewalls, and IDS, here are a few resources:

  1. The Linux System Administrator’s Guide: An in-depth guide covering many aspects of system administration, including security.

  2. Linux Security: A website dedicated to Linux security news, tips, and tutorials.

  3. The Linux Foundation’s Security Training: A course that provides a broad understanding of various security topics on a practical level.

These resources provide a wealth of information that can help you secure your Linux system effectively.

Recap: System Security with ClamAV

In this comprehensive guide, we’ve delved into the process of installing and using ClamAV, a powerful antivirus software for Linux systems. We’ve explored its importance in protecting your system from various threats and how it serves as a vigilant guard for your Linux system.

We began with the basics, demonstrating how to install ClamAV on Linux using package managers like apt and yum. We then moved on to more advanced topics, such as installing ClamAV from source for more control and specific version installation. We also explored how to use ClamAV for basic virus scans and how to verify the installation.

Along the way, we addressed common issues you might encounter when using ClamAV, such as updating virus definitions, scanning certain files, and managing CPU usage. We provided solutions and workarounds to help you navigate these challenges smoothly.

We also looked at alternative antivirus solutions for Linux, such as Sophos and Comodo. Here’s a quick comparison of these antivirus solutions:

Antivirus | User Interface | Resource Usage
ClamAV | Command-line | Low
Sophos | Command-line | Medium
Comodo | Graphical | High

Each of these antivirus solutions has its strengths and weaknesses, and the best choice depends on your specific needs and system resources.

Whether you’re a beginner just starting out with ClamAV or an experienced user looking for a refresher, we hope this guide has provided you with a deeper understanding of ClamAV and its capabilities. With this knowledge, you’re well equipped to install, configure, and use ClamAV effectively, enhancing your Linux system’s security. Stay safe and happy computing!