Clam AntiVirus (commonly ClamAV) is a free, cross-platform and open-source antivirus software toolkit able to detect many types of malicious software, including viruses. One of its main uses is on mail servers as a server-side email virus scanner.
Despite the myth, Linux operating systems are affected by malware too. It can take down your website, steal data from your database and cause downtime and havoc. On a mail server an antivirus scanner should always be present, so that malicious attachments and scams are stopped before they are relayed to clients.
To install ClamAV on CentOS, we must first install the EPEL repository (Extra Packages for Enterprise Linux). EPEL is a free, community-maintained repository from the Fedora project that provides additional packages for Enterprise Linux distributions such as RHEL (Red Hat Enterprise Linux), CentOS and Scientific Linux.
Preflight & ClamAV Installation Steps
Preparing your installation
Let's start by checking that our system is up to date:
yum update -y
Next, let's install the EPEL repository:
yum install -y epel-release
Enterprise Linux systems have SELinux (Security-Enhanced Linux) installed and enabled by default. SELinux is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access control (MAC).
SELinux supports three states:
- Enforcing – SELinux policy is enforced;
- Permissive – SELinux prints warnings and logs instead of enforcing;
- Disabled – No SELinux policy is loaded;
SELinux should stay enabled on all production servers. For debugging purposes only, we set it to permissive here, so that any denial is logged rather than enforced while ClamAV is being set up; once the boolean described below is in place, ClamAV works with SELinux enforcing and the mode should be switched back.
Let's start by checking the SELinux status:
To change the SELinux state persistently we edit its config file and reboot afterwards. The config file is located at
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
If your SELinux state is other than disabled, you must enable the antivirus_can_scan_system boolean so ClamAV can access all files on disk and update its definition files:
setsebool -P antivirus_can_scan_system 1
Without this boolean, SELinux blocks clamd from reading most of the files it is asked to scan, and the denials are recorded as AVC messages in the audit log. A related warning you may see while clamd loads its databases is:
During database load : LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Permission denied
This particular message comes from libclamav's bytecode JIT compiler being denied memory that is both writable and executable. That permission is governed by a separate boolean, antivirus_use_jit, which is switched on in the same way. It is a warning rather than a fatal error: without the JIT, ClamAV falls back to interpreting bytecode signatures.
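The following shell script is an added example, not part of the original article: it checks the SELinux mode, makes sure both booleans ClamAV depends on are switched on persistently (antivirus_can_scan_system for file access, antivirus_use_jit for the bytecode JIT warning quoted above), re-reads each boolean rather than trusting the exit status of setsebool, and finally lists any recent AVC denials for the clamd process. It assumes the policycoreutils tools (getenforce, getsebool, setsebool) and, for the last step, ausearch from the audit package; changing a boolean requires root.

```shell
#!/bin/sh
# Added example (not from the original article): check the SELinux mode and the
# booleans ClamAV needs, switch them on persistently when they are off, and look
# for leftover denials. Assumes policycoreutils (getenforce, getsebool, setsebool)
# and, for the last step, audit (ausearch); changing a boolean needs root.

# Reduce one line of `getsebool` output ("name --> on") to on/off.
# Prints "unknown" and fails for anything else (for instance an unknown boolean).
bool_state_from_line() {
    case "$1" in
        *'--> on')  echo on ;;
        *'--> off') echo off ;;
        *)          echo unknown; return 1 ;;
    esac
}

# Make sure a boolean is on. Returns 0 if it already was or could be switched on.
ensure_bool_on() {
    name=$1
    state=$(bool_state_from_line "$(getsebool "$name" 2>/dev/null)") || {
        echo "$name: not present in the loaded policy" >&2
        return 1
    }
    if [ "$state" = on ]; then
        echo "$name: already on"
        return 0
    fi
    echo "$name: off, enabling persistently"
    setsebool -P "$name" 1 || return 1
    # Re-read the boolean rather than trusting setsebool's exit status.
    [ "$(bool_state_from_line "$(getsebool "$name")")" = on ]
}

main() {
    if ! command -v getenforce >/dev/null 2>&1; then
        echo "SELinux userland not installed; nothing to do"
        return 0
    fi
    mode=$(getenforce)
    echo "SELinux mode: $mode"
    [ "$mode" = Disabled ] && return 0
    # antivirus_can_scan_system: clamd/clamscan may read every file on disk.
    # antivirus_use_jit: libclamav's bytecode JIT may map RWX memory
    # (the "RWX mapping denied" warning quoted above).
    ensure_bool_on antivirus_can_scan_system
    ensure_bool_on antivirus_use_jit
    # Whatever is still denied shows up as AVC records for the clamd process.
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m AVC -c clamd --start recent 2>/dev/null || echo "no recent AVC denials for clamd"
    fi
}

main "$@"
```

Run it once after the first clamd start and again after the first full scan; a clean ausearch result with SELinux in enforcing mode is the state you want to leave a production server in.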
Next, let's install ClamAV and its companion packages with the following command:
yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
Configuring the ClamD daemon
First we must enable the clamd configuration file located in
The following commands will:
- enable the configuration file
- configure the correct directory for the socket
- set the ClamAV user
sed -i '/^Example/d' /etc/clamd.d/scan.conf
sed -i 's,LocalSocket /var/run/clamd.<SERVICE>/clamd.sock,LocalSocket /var/run/clamd.scan/clamd.sock,g' /etc/clamd.d/scan.conf
sed -i 's, User <USER>,User clamscan,g' /etc/clamd.d/scan.conf
Freshclam keeps the ClamAV signature database up to date. To enable it, the Example line must be removed from its configuration file as well.
Perform the following commands:
cp /etc/freshclam.conf /etc/freshclam.conf.bak
sed -i '/^Example/d' /etc/freshclam.conf
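As an added example (not code from the original article), the script below performs the scan.conf and freshclam.conf edits above as functions that can be re-run safely and that verify their own result instead of assuming the sed patterns matched: it backs each file up once, removes the Example line, sets the socket path for the clamd instance name and the user, and then checks that exactly one active LocalSocket and one User line remain. It assumes the EPEL template layout with the Example, <SERVICE> and <USER> placeholders, and it first rehearses on a constructed sample file in a temporary directory before touching anything under /etc.

```shell
#!/bin/sh
# Added example (not code from the original article): apply the scan.conf and
# freshclam.conf edits described above to a given file, idempotently, and verify
# the result instead of assuming the sed patterns matched. Assumes the EPEL
# template layout with the "Example", "<SERVICE>" and "<USER>" placeholders;
# file paths are arguments, so it can be rehearsed on a copy before touching /etc.

# Remove the "Example" guard line. Both clamd and freshclam refuse to start
# while it is present, which is the usual symptom of a forgotten edit.
drop_example_line() {
    sed -i '/^Example/d' "$1"
}

# Back up once (never overwrite an earlier backup), then edit the clamd config:
# the socket directory matching the clamd@<service> instance, and the user.
# The patterns also match the commented-out form of each directive, so the
# function can be re-run on a file that is already partially configured.
configure_clamd() {
    conf=$1 service=$2 user=$3
    [ -e "$conf.bak" ] || cp "$conf" "$conf.bak"
    drop_example_line "$conf"
    sed -i "s,^#*LocalSocket .*,LocalSocket /var/run/clamd.$service/clamd.sock," "$conf"
    sed -i "s,^#* *User .*,User $user," "$conf"
    verify_clamd "$conf" "$service" "$user"
}

# Success means: no Example line, exactly one active LocalSocket and one User line.
verify_clamd() {
    conf=$1 service=$2 user=$3
    ! grep -q '^Example' "$conf" &&
    [ "$(grep -c "^LocalSocket /var/run/clamd\.$service/clamd\.sock\$" "$conf")" = 1 ] &&
    [ "$(grep -c "^User $user\$" "$conf")" = 1 ]
}

configure_freshclam() {
    conf=$1
    [ -e "$conf.bak" ] || cp "$conf" "$conf.bak"
    drop_example_line "$conf"
    ! grep -q '^Example' "$conf"
}

# Constructed fragment of the EPEL scan.conf template, used for the rehearsal.
write_sample_scan_conf() {
    cat > "$1" <<'EOF'
# Constructed sample; the real file has many more commented directives.
Example
#LocalSocketGroup virusgroup
LocalSocket /var/run/clamd.<SERVICE>/clamd.sock
# Run as another user (clamd must be started by root for this option to work)
User <USER>
EOF
}

# Rehearse on a temporary copy, then, if that works and the real files exist,
# configure them for the clamd@scan instance running as clamscan.
main() {
    tmp=$(mktemp -d)
    write_sample_scan_conf "$tmp/scan.conf"
    if configure_clamd "$tmp/scan.conf" scan clamscan; then
        echo "rehearsal ok:"; grep -E '^(LocalSocket|User)' "$tmp/scan.conf"
    else
        echo "rehearsal failed, not touching /etc" >&2; rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    for f in /etc/clamd.d/scan.conf /etc/freshclam.conf; do
        [ -f "$f" ] || { echo "$f not present, skipping"; return 0; }
    done
    configure_clamd /etc/clamd.d/scan.conf scan clamscan &&
    configure_freshclam /etc/freshclam.conf
}

main "$@"
```

The verification step is the part worth keeping even if you prefer the one-off sed commands: a LocalSocket path that does not match the directory the clamd@scan unit creates, or a User line that never matched the placeholder, is only discovered when clamd fails to start.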
As the package does not ship a service file to run Freshclam as a daemon, we must create one:
touch /usr/lib/systemd/system/clam-freshclam.service
vim /usr/lib/systemd/system/clam-freshclam.service
Paste the following content (-d runs freshclam as a daemon, -c 4 makes it check for updates four times a day):
# Run the freshclam as daemon
[Unit]
Description = freshclam scanner
After = network.target

[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 4
Restart = on-failure
PrivateTmp = true

[Install]
WantedBy=multi-user.target
To start the service while enabling it to start automatically:
systemctl enable --now clam-freshclam
You can verify the status of the freshclam service by running the following command:
systemctl status clam-freshclam
● clam-freshclam.service - freshclam scanner
   Loaded: loaded (/usr/lib/systemd/system/clam-freshclam.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2018-01-08 18:40:52 BST; 1h 59min ago
 Main PID: 979 (freshclam)
   CGroup: /system.slice/clam-freshclam.service
           └─979 /usr/bin/freshclam -d -c 4

Jan 12 18:40:52 web.server.com systemd: Starting freshclam scanner...
Jan 12 18:40:52 web.server.com freshclam: freshclam daemon 0.101.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jan 12 18:40:52 web.server.com freshclam: ClamAV update process started at Mon Sep 23 18:40:52 2019
Jan 12 18:40:52 web.server.com freshclam: main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Jan 12 18:40:52 web.server.com systemd: Started freshclam scanner.
Jan 12 18:40:52 web.server.com freshclam: daily.cld is up to date (version: 25581, sigs: 1776056, f-level: 63, builder: raynman)
Jan 12 18:40:52 web.server.com freshclam: bytecode.cld is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Jan 12 18:40:52 web.server.com freshclam: --------------------------------------
Now, finally, we enable the clamd@scan service. It is an instance of the clamd@.service template shipped by the package: the instance name (scan) selects /etc/clamd.d/scan.conf, so the template itself needs no changes.
systemctl enable --now clamd@scan
And to verify the status of the clamd@scan service (clamd reads the whole signature database before it starts accepting connections, so it can stay in activating for a while before it reports active (running)):
systemctl status clamd@scan
● clamd@scan.service - Generic clamav scanner daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@.service; enabled; vendor preset: disabled)
   Active: activating (start) since Mon 2018-01-08 19:20:51 BST; 1h 0min ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
  Control: 1171 (clamd)
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
           └─1171 /usr/sbin/clamd -c /etc/clamd.d/scan.conf

Jan 12 19:20:51 web.server.com systemd: Starting Generic clamav scanner daemon...
Jan 12 19:20:51 web.server.com clamd: Received 0 file descriptor(s) from systemd.
Jan 12 19:20:51 web.server.com clamd: clamd daemon 0.101.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jan 12 19:20:51 web.server.com clamd: Running as user clamscan (UID 994, GID 988)
Jan 12 19:20:51 web.server.com clamd: Log file size limited to 1048576 bytes.
Jan 12 19:20:51 web.server.com clamd: Reading databases from /var/lib/clamav
Jan 12 19:20:51 web.server.com clamd: Bytecode: Security mode set to "TrustSigned".
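A service that reports active (running) has loaded its databases, but that says nothing about whether it can actually be reached through its socket and detect anything. The following shell script is an added example (not part of the original article): it writes the EICAR test file to a temporary directory and asks clamd, through clamdscan, to scan it, then checks both the exit code and the per-file result line. It assumes the clamdscan binary from the clamav package and the /etc/clamd.d/scan.conf configured above; the --fdpass option matters because clamd runs as the clamscan user and could not open a file in root's temporary directory on its own.

```shell
#!/bin/sh
# Added example (not from the original article): an end-to-end check that the
# clamd@scan instance actually detects something, using the EICAR test file
# rather than trusting "active (running)". Assumes clamdscan from the clamav
# package and the clamd configuration file set up above.

# Assemble the EICAR test string from two halves so that this script itself is
# not flagged by scanners that look for the literal string.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR' '-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

# Classify clamdscan output (one "path: result" line per file).
# Prints FOUND if any file was flagged, OK if every file was clean, ERROR otherwise.
classify_scan_output() {
    if printf '%s\n' "$1" | grep -q ' FOUND$'; then
        echo FOUND
    elif printf '%s\n' "$1" | grep -q ' ERROR$'; then
        echo ERROR; return 1
    elif printf '%s\n' "$1" | grep -q ': OK$'; then
        echo OK
    else
        echo ERROR; return 1
    fi
}

# Scan a freshly written EICAR file through clamd. Returns 0 only if clamd
# reports it as FOUND, 2 if clamdscan is not installed, 1 otherwise.
check_clamd() {
    conf=${1:-/etc/clamd.d/scan.conf}
    command -v clamdscan >/dev/null 2>&1 || { echo "clamdscan not installed" >&2; return 2; }
    dir=$(mktemp -d)
    eicar_string > "$dir/eicar.com"
    # --fdpass hands clamd an open descriptor, so it does not matter that clamd
    # runs as clamscan and cannot read root's temporary directory itself.
    out=$(clamdscan --no-summary --fdpass --config-file="$conf" "$dir/eicar.com" 2>&1)
    rc=$?
    rm -rf "$dir"
    printf '%s\n' "$out"
    # clamdscan exit codes: 0 clean, 1 something found, 2 error.
    if [ "$rc" -eq 1 ] && [ "$(classify_scan_output "$out")" = FOUND ]; then
        return 0
    fi
    return 1
}

main() {
    check_clamd /etc/clamd.d/scan.conf
    case $? in
        0) echo "clamd@scan flagged the EICAR test file: the scanner works end to end" ;;
        2) echo "clamdscan not available here; run this on the server" ;;
        *) echo "clamd@scan did not flag the EICAR file; check the socket path, the clamd@scan journal and AVC denials" >&2
           return 1 ;;
    esac
}

main "$@"
```

If the result line ends in ERROR rather than FOUND, the usual causes are a LocalSocket path in scan.conf that differs from the directory the clamd@scan unit creates, or an SELinux denial; the journal for clamd@scan and the audit log tell the two apart.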
Should you have any questions left regarding this article, or if you want to discuss this article with other users, please leave a comment.