Clam AntiVirus (commonly ClamAV) is a free, cross-platform and open-source antivirus software toolkit able to detect many types of malicious software, including viruses. One of its main uses is on mail servers as a server-side email virus scanner.

Despite the myth, Linux operating systems do get infected by viruses. Malware can take down your website, steal data from your database, and cause downtime and havoc. If you run email servers, an antivirus should always be present to prevent the spread of malicious files and other scams.

To install ClamAV on CentOS, we must first install the EPEL repository (Extra Packages for Enterprise Linux). This is a free, community-based repository from the Fedora team which provides 100% high quality software packages for Enterprise Linux distributions such as RHEL (Red Hat Enterprise Linux), CentOS and Scientific Linux.

Preflight & ClamAV Installation Steps

Preparing your installation

Let’s start by checking that our system is up to date:

yum update -y

Next, let’s install the EPEL repository:

yum install -y epel-release

Enterprise Linux systems have SELinux (Security-Enhanced Linux) installed by default. SELinux is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).

SELinux supports three states:

  • Enforcing – SELinux policy is enforced;
  • Permissive – SELinux prints warnings and logs instead of enforcing;
  • Disabled – No SELinux policy is loaded;

SELinux should be enabled on all production servers. For debugging purposes we will set this to Permissive.

Let’s start by checking the SELinux status:


To change the SELinux state persistently we edit its config file and reboot afterwards. The config file is located at /etc/selinux/config

vim /etc/selinux/config
File content:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

If your SELinux state is other than disabled, you must enable antivirus_can_scan_system so ClamAV can access all files on disk and update its definition files:

setsebool -P antivirus_can_scan_system 1

This step is required as SELinux will block access to the files required for ClamAV to operate.

Without it, you may be confronted with errors such as:

During database load : LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Permission denied

Installing ClamAV

Next, let’s install ClamAV with the following command:

yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

Configuring the ClamD daemon

First we must enable the clamd configuration file located at /etc/clamd.d/scan.conf.

The following commands will:

  • enable the configuration file
  • configure the correct directory for the socket
  • set the ClamAV user

sed -i '/^Example/d' /etc/clamd.d/scan.conf
sed -i 's,LocalSocket /var/run/clamd.<SERVICE>/clamd.sock,LocalSocket /var/run/clamd.scan/clamd.sock,g' /etc/clamd.d/scan.conf
sed -i 's, User <USER>,User clamscan,g' /etc/clamd.d/scan.conf

Enable Freshclam

Freshclam keeps the ClamAV database up to date. To use it, we must enable its configuration file as well.

Perform the following commands:

cp /etc/freshclam.conf /etc/freshclam.conf.bak
sed -i '/^Example/d' /etc/freshclam.conf
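
sed -i exits successfully even when its pattern matches nothing, so the edits to scan.conf and freshclam.conf above can silently leave the Example marker in place or a directive commented out. The check below is an added example, not part of the original article; the function names conf_value and check_clam_conf and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective (uncommented) settings of a ClamAV
# config file after the sed edits. Helper names are hypothetical.

# conf_value FILE KEY -> prints the value of the last uncommented "KEY value" line
conf_value() {
    awk -v key="$2" '
        $1 == key { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { print val }' "$1"
}

# check_clam_conf FILE [KEY...] -> returns 0 only if the Example marker is
# gone and every listed KEY has an uncommented value
check_clam_conf() {
    file=$1; shift
    rc=0
    if grep -q '^Example' "$file"; then
        echo "FAIL $file: Example line still present" >&2
        rc=1
    fi
    for key in "$@"; do
        val=$(conf_value "$file" "$key")
        if [ -z "$val" ]; then
            echo "FAIL $file: $key is unset or commented out" >&2
            rc=1
        else
            echo "ok   $file: $key = $val"
        fi
    done
    return $rc
}

# Constructed sample: Example removed, but LocalSocket left commented out.
sample=$(mktemp)
printf '%s\n' '#LocalSocket /var/run/clamd.scan/clamd.sock' 'User clamscan' > "$sample"
check_clam_conf "$sample" LocalSocket User || echo "fix the config before starting clamd"
rm -f "$sample"

# On the server:
#   check_clam_conf /etc/clamd.d/scan.conf LocalSocket User
#   check_clam_conf /etc/freshclam.conf
```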

The packages do not ship a service file to run Freshclam as a daemon, so we must create one:

touch /usr/lib/systemd/system/clam-freshclam.service
vim /usr/lib/systemd/system/clam-freshclam.service

Paste the following content:

# Run the freshclam as daemon
[Unit]
Description = freshclam scanner
After =

[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 4
Restart = on-failure
PrivateTmp = true

[Install]
WantedBy = multi-user.target

To start the service and enable it to start automatically at boot:

systemctl enable --now clam-freshclam

You can verify the status of the freshclam service by running the following command:

systemctl status clam-freshclam
● clam-freshclam.service - freshclam scanner
Loaded: loaded (/usr/lib/systemd/system/clam-freshclam.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2018-01-08 18:40:52 BST; 1h 59min ago
Main PID: 979 (freshclam)
CGroup: /system.slice/clam-freshclam.service
└─979 /usr/bin/freshclam -d -c 4

Jan 12 18:40:52 systemd[1]: Starting freshclam scanner...
Jan 12 18:40:52 freshclam[979]: freshclam daemon 0.101.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jan 12 18:40:52 freshclam[979]: ClamAV update process started at Mon Sep 23 18:40:52 2019
Jan 12 18:40:52 freshclam[979]: main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Jan 12 18:40:52 systemd[1]: Started freshclam scanner.
Jan 12 18:40:52 freshclam[979]: daily.cld is up to date (version: 25581, sigs: 1776056, f-level: 63, builder: raynman)
Jan 12 18:40:52 freshclam[979]: bytecode.cld is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Jan 12 18:40:52 freshclam[979]: --------------------------------------

Finally, we only have to enable the clamd@scan service, which instantiates the clamd@.service template; the template itself requires no alterations.

systemctl enable --now clamd@scan

And to verify the status of the clamd@scan service:

systemctl status clamd@scan
● clamd@scan.service - Generic clamav scanner daemon
Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled; vendor preset: disabled)
Active: activating (start) since Mon 2018-01-08 19:20:51 BST; 1h 0min ago
Docs: man:clamd(8)
Control: 1171 (clamd)
CGroup: /system.slice/system-clamd.slice/clamd@scan.service
└─1171 /usr/sbin/clamd -c /etc/clamd.d/scan.conf

Jan 12 19:20:51 systemd[1]: Starting Generic clamav scanner daemon...
Jan 12 19:20:51 clamd[1171]: Received 0 file descriptor(s) from systemd.
Jan 12 19:20:51 clamd[1171]: clamd daemon 0.101.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jan 12 19:20:51 clamd[1171]: Running as user clamscan (UID 994, GID 988)
Jan 12 19:20:51 clamd[1171]: Log file size limited to 1048576 bytes.
Jan 12 19:20:51 clamd[1171]: Reading databases from /var/lib/clamav
Jan 12 19:20:51 clamd[1171]: Bytecode: Security mode set to "TrustSigned".
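
The logs above show freshclam reporting main, daily and bytecode as current and clamd reading its databases from /var/lib/clamav. A running service does not prove the signatures keep being refreshed, so the following added example (not part of the original article) checks the database files directly; the function names find_db and check_sig_dbs, the 24-hour threshold and the demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): confirm the signature databases
# exist and that daily was refreshed recently.

# find_db DIR NAME -> prints DIR/NAME.cld or DIR/NAME.cvd, whichever exists
find_db() {
    for ext in cld cvd; do
        if [ -f "$1/$2.$ext" ]; then
            echo "$1/$2.$ext"
            return 0
        fi
    done
    return 1
}

# check_sig_dbs DIR MAX_HOURS -> returns 0 only if main, daily and bytecode
# are all present and daily was modified within MAX_HOURS
check_sig_dbs() {
    dir=$1; max_min=$(( $2 * 60 )); rc=0
    for db in main daily bytecode; do
        if ! path=$(find_db "$dir" "$db"); then
            echo "FAIL $db: no .cld or .cvd file in $dir"
            rc=1
        elif [ "$db" = daily ] && [ -n "$(find "$path" -mmin +"$max_min")" ]; then
            # Only daily changes often; main and bytecode can stay old.
            echo "FAIL $db: $path not updated in the last $2 hours"
            rc=1
        else
            echo "ok   $db: $path"
        fi
    done
    return $rc
}

# Constructed demo: a directory where daily.cld was last written in 2018.
demo=$(mktemp -d)
touch "$demo/main.cvd" "$demo/bytecode.cld"
touch -t 201801081840 "$demo/daily.cld"
check_sig_dbs "$demo" 24 || echo "signatures are stale or missing"
rm -rf "$demo"

# On the server: check_sig_dbs /var/lib/clamav 24
```

A non-zero exit makes the function usable from cron or a monitoring agent; a missing database file is reported separately from a stale one because clamd cannot load signatures that are not there.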
