
ClamAV: Open-Source Antivirus for Your Operational Calm

  • Writer: Aastha Thakker
  • 9 hours ago
  • 5 min read

Most big companies pay a fortune for private security teams to guard the front door. ClamAV is like the community-hired guard who stands at the back gate for free.


What is ClamAV?


ClamAV (Clam AntiVirus) is an open-source antivirus engine, most often run on Linux servers, that detects viruses, trojans, and other malicious files by matching them against a signature database.


It doesn’t look fancy. It just scans files and tells you: clean or infected.


It doesn’t primarily “guess” whether a file is acting weird the way behaviour-based or AI-driven products do. Instead, it keeps a massive book of “mugshots” (called signatures: file hashes, byte patterns, logical rules and a little bytecode). When a file walks by, ClamAV compares it to the book, and if there’s a match it screams, “Aha! You’re a Trojan!”


  • It’s Open Source: Meaning it’s free and the community keeps it sharp.

  • It’s a Workhorse: It’s most famous for living on email servers, scanning every attachment before it ever hits your inbox.

  • It’s Humble: It doesn’t usually have a flashy “pop-up” window. It often runs in the background (as a “daemon”) or through a command line.


Why should you care?


If you’re running a website or a server, ClamAV is your “Zero-Cost Insurance.”

  • The Pro: It reliably catches the “low-hanging fruit”: anything that already has a signature in its database, which is updated several times a day.

  • The Con: It’s weak against “brand new” malware that hasn’t been photographed yet (zero-days), so treat it as one layer of defence, not the only one.


The Truth About Resources

If your server has less than 2GB RAM, you might need to:

  • Run scans manually instead of keeping the daemon always on

  • Use clamscan (slower but lighter) instead of clamdscan

  • Schedule scans during off-peak hours

If you’re on a beefier server (4GB+), you won’t even notice it’s there.



Installing ClamAV (on Ubuntu, for your home lab or web server)


Why This Guide?


Most ClamAV tutorials read like robot instruction manuals. This one is meant to be an actual guide rather than a manual. The commands below were run on Ubuntu; other Debian-based distributions use the same package names.


Step 1: Freshen Up Your System

sudo apt update && sudo apt upgrade -y

Your computer checks for updates and installs them.


Step 2: Install ClamAV

sudo apt install clamav clamav-daemon -y

You’re getting two things:

  • ClamAV scanner: the detective that finds viruses

  • ClamAV daemon: the security guard that watches in the background


Step 3: Teach It About Viruses

ClamAV needs to learn what viruses look like. The Ubuntu package starts a background updater (clamav-freshclam) immediately after install, and it holds a lock on the update log, so pause it first to avoid a “locked” error when you update by hand:

sudo systemctl stop clamav-freshclam

Now download the latest “virus encyclopedia”:

sudo freshclam

This takes a few minutes as it downloads a couple of hundred megabytes containing millions of signatures. Wake the service back up:

sudo systemctl start clamav-freshclam

Step 4: Does It Work?

clamscan --version

See a version number? You’re golden.


Step 5: Your First Scan

Let’s scan your home folder:

clamscan -r $HOME

What -r means: "Look inside folders, and folders inside those folders, and..." You get it. Without -r, clamscan only looks at the files directly inside the folder you name.


Reading the results (the SCAN SUMMARY block at the end):

  • Infected files: Bad news found (hopefully zero!)

  • Scanned files: How many files it checked

  • Known viruses: How many signatures were loaded (if this is tiny, your database did not download)

  • The exit status tells scripts the same story: 0 means clean, 1 means something was found, 2 means the scan itself hit an error

  • Think of it like a report card for your files


The Fast Scanner (And Why It’s Fast)


There are two ways to scan:


clamscan – The cold start

  • Loads the entire virus database into memory each time

  • Typically spends tens of seconds just loading signatures before the first file is scanned

  • Memory is only used while the scan runs

  • Good for: one-off scans, cron jobs, low-memory servers


clamdscan – The hot start

  • Uses the ClamAV daemon that’s already running in memory

  • Scans start instantly (< 1 second)

  • Uses more RAM (keeps database loaded 24/7)

  • Good for: frequent scans, real-time checking, production servers

clamdscan /path/to/folder

If you’re scanning the same folders repeatedly (like a web uploads directory), clamdscan is your friend. For weekly full-system scans, clamscan is fine.

One caveat: clamdscan only hands the daemon a path, and the daemon runs as the unprivileged clamav user, so files that user cannot read come back as “lstat() failed” or “Access denied” rather than as clean. Either make the files readable by clamav, or pass --fdpass so clamdscan opens the files itself and hands the daemon open descriptors.


Auto-Scan While You Sleep


Want ClamAV to scan automatically every Sunday at 2 AM?

crontab -e

Add this line:

0 2 * * 0 clamscan -r $HOME | tee $HOME/clamav_scan_$(date +\%Y-\%m-\%d).log

What’s with the \%? In crontab specifically, the % symbol is special (it means "newline"), so we escape it with \. This tells cron: "No, I literally want the percent sign for the date format."


Now Sunday mornings = automatic security check + a dated report saved to your home folder.
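A one-line crontab entry works, but for a server you usually want the scan wrapped in a small script so the log, the quarantine location and the exit code are handled in one place. The script below is an added example written for this guide, not code from the ClamAV project; the target /home, quarantine directory /var/quarantine and log directory /var/log/clamav-scans are placeholders. It uses documented clamscan behaviour only: --move quarantines instead of deleting, -i lists only infected files, and the exit status is 0 for clean, 1 when something was found and 2 on error.

```shell
#!/bin/sh
# Added example: cron-friendly wrapper around clamscan (not from the original page).
# Assumed paths (placeholders): scan target /home, quarantine /var/quarantine,
# logs under /var/log/clamav-scans.

# scan_status CODE -> prints a one-word status for a clamscan exit code
# (clamscan(1): 0 = no virus found, 1 = virus(es) found, 2 = error)
scan_status() {
    case "$1" in
        0) echo CLEAN ;;
        1) echo INFECTED ;;
        2) echo ERROR ;;
        *) echo "UNKNOWN($1)" ;;
    esac
}

# infected_count < clamscan-output -> prints the number from the
# "Infected files: N" line of the SCAN SUMMARY (0 if the line is absent)
infected_count() {
    n=$(sed -n 's/^Infected files: *\([0-9][0-9]*\).*/\1/p' | head -n 1)
    echo "${n:-0}"
}

# run_scan TARGET QUARANTINE LOGDIR
# Runs a recursive scan, quarantines hits, writes a dated log and appends one
# summary line. Returns clamscan's own exit status so cron mails you only when
# the job did not come back clean.
run_scan() {
    target=$1; quarantine=$2; logdir=$3
    mkdir -p "$quarantine" "$logdir"
    # No \% escaping needed here: date runs inside the script, not in the crontab line
    log="$logdir/clamav_scan_$(date +%Y-%m-%d).log"
    clamscan -r -i \
        --max-filesize=50M --max-scansize=200M \
        --exclude-dir='^/proc' --exclude-dir='^/sys' \
        --move="$quarantine" \
        "$target" > "$log" 2>&1
    rc=$?
    status=$(scan_status "$rc")
    count=$(infected_count < "$log")
    echo "$(date '+%F %T') $status infected=$count log=$log" >> "$logdir/summary.log"
    [ "$rc" -eq 0 ]
}

# Stand-alone use: ./clamav-weekly.sh --run /home
if [ "${1:-}" = "--run" ]; then
    run_scan "${2:-/home}" /var/quarantine /var/log/clamav-scans
fi
```

Save it as /usr/local/bin/clamav-weekly.sh, make it executable, and point the crontab entry at it (for example 0 2 * * 0 /usr/local/bin/clamav-weekly.sh --run /home). Because the script exits non-zero whenever clamscan does, cron’s default mail on non-zero output becomes your alert, and summary.log gives you one line per run to grep through later.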


When Things Go Wrong, Troubleshooting Section

Problem 1: freshclam fails with "Can't connect" or "Mirror failed"

Fix:

# Check if you're behind a proxy
sudo nano /etc/clamav/freshclam.conf

# Look for this line and uncomment it if needed:
# HTTPProxyServer yourproxy.com
# HTTPProxyPort 8080

# If your network blocks the default CDN, the DatabaseMirror setting in the
# same file tells freshclam where to fetch from instead.

# Run with debug output to see exactly which step (DNS, proxy, download) fails
sudo freshclam --debug

Problem 2: Daemon won't start (systemctl status clamav-daemon shows "failed")

Common causes:

  • Not enough RAM (loading the current signature set takes roughly 1 GB or more, and the daemon keeps it resident)

  • Signatures not downloaded yet

# Fix
# Make sure signatures exist
ls -lh /var/lib/clamav/

# You should see main, daily and bytecode databases. They arrive as .cvd files;
# once freshclam has applied incremental updates they are rewritten as .cld
# (main.cld, daily.cld), which is normal and not a sign of corruption.
# If missing, run:
sudo freshclam

# Then restart the daemon
sudo systemctl restart clamav-daemon

# Check status
sudo systemctl status clamav-daemon
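The three checks above (are the database files there, are they fresh, does the daemon come up) are worth scripting so they can run from a monitoring job. The script below is an added example for this guide, not ClamAV’s own tooling; it assumes the Ubuntu default database directory /var/lib/clamav and treats a daily database untouched for more than 7 days as stale (pick your own threshold).

```shell
#!/bin/sh
# Added example: ClamAV database health check (not from the original page).
# Assumptions: database dir /var/lib/clamav; 7 days counts as "stale".

# clamav_db_check DIR
# Prints one line per database (main, daily, bytecode) with the file found.
# freshclam writes .cvd on a full download and .cld after incremental updates,
# so either extension is fine. Returns 0 if main and daily exist, 1 otherwise;
# bytecode is optional, clamd refuses to start only without main and daily.
clamav_db_check() {
    dir=$1
    missing=0
    for name in main daily bytecode; do
        if [ -f "$dir/$name.cvd" ]; then
            echo "$name: $name.cvd"
        elif [ -f "$dir/$name.cld" ]; then
            echo "$name: $name.cld"
        else
            echo "$name: MISSING"
            if [ "$name" != bytecode ]; then missing=1; fi
        fi
    done
    return $missing
}

# clamav_db_stale DIR DAYS
# Returns 0 if the daily database has not been modified in DAYS days (stale),
# 1 if it is fresh, 2 if there is no daily database at all.
clamav_db_stale() {
    dir=$1; days=$2
    for f in "$dir/daily.cld" "$dir/daily.cvd"; do
        if [ -f "$f" ]; then
            # find prints the path only when the file is older than DAYS days
            if [ -n "$(find "$f" -mtime +"$days" -print)" ]; then
                return 0
            fi
            return 1
        fi
    done
    return 2
}

# clamav_db_report DIR -> human-readable report plus the fix for each finding
clamav_db_report() {
    dir=$1
    if ! clamav_db_check "$dir"; then
        echo "Databases missing: run 'sudo freshclam', then 'sudo systemctl restart clamav-daemon'"
    fi
    clamav_db_stale "$dir" 7
    case $? in
        0) echo "daily database is stale: check 'systemctl status clamav-freshclam'" ;;
        1) echo "daily database is fresh" ;;
        2) echo "no daily database found" ;;
    esac
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-active clamav-daemon >/dev/null 2>&1 \
            && echo "clamav-daemon: running" || echo "clamav-daemon: NOT running"
    fi
}

# Stand-alone use: ./clamav-db-check.sh --report
if [ "${1:-}" = "--report" ]; then
    clamav_db_report /var/lib/clamav
fi
```

A stale daily database is the quiet failure mode: the daemon runs, scans return clean, and nobody notices that freshclam has been failing behind a proxy for weeks. Wiring clamav_db_stale into whatever already alerts you (a cron job that exits non-zero, a Nagios/Zabbix check) closes that gap.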

Problem 3: Scans are painfully slow

Fixes:

  • Use --max-filesize=50M to skip giant files (and --max-scansize to cap how much data is unpacked from archives)

  • Exclude directories you trust or that are not real files: --exclude-dir=/proc --exclude-dir=/sys (the argument is a regular expression, so anchor it with ^ if a bare name would also match something elsewhere)

  • Scan specific folders instead of entire system

Example:

clamscan -r --exclude-dir=/proc --exclude-dir=/sys --max-filesize=50M /home

Problem 4: "WARNING: Can't create temporary directory"

# Fix
# ClamAV needs write access to /tmp
sudo chmod 1777 /tmp

# Or specify a different temp directory
clamscan --tempdir=/home/yourusername/tmp -r /path/to/scan

When ClamAV Finds Something Scary


Found an infected file? You can delete it automatically:

sudo clamscan -r --remove /path/to/scan

Warning: This deletes files permanently. No “Are you sure?” prompt, and a false positive on a system binary means you have just broken that program. Use it like you’d use a real Delete button, carefully. For anything other than a throwaway lab box, prefer quarantining: --move=DIR relocates each hit into DIR (and --copy=DIR copies it), so you can inspect the file, check the hash against other sources, and restore it if the verdict was wrong.


Keeping It Fresh

Viruses evolve, and the daily database is refreshed several times a day, so weekly is too slow. Update by hand with:

sudo freshclam

Or better yet, let it update automatically: on Ubuntu the clamav-freshclam service you met in Step 3 already polls for updates in the background (the Checks setting in /etc/clamav/freshclam.conf controls how many times per day). You only need your own cron job or script if you have disabled that service.


Scanning Windows Executables (.exe Files and more)

ClamAV is frequently used to scan:

  • Uploaded .exe files

  • Email attachments

  • Archived malware

Example:

clamscan suspicious_file.exe

Recursive scan for upload directory:

clamscan -r --include="\.exe$" /var/www/uploads

ClamAV also unpacks and scans inside archives and containers, including:

  • ZIP

  • RAR (needs the separately packaged, non-free unrar library; without it RAR contents are skipped)

  • TAR

  • GZIP (plus bzip2, xz, 7z and other common formats)

Which makes it useful for mail servers, where the malware is almost always wrapped in an attachment.


Understanding Signature Databases (Use Official Docs)


Now let’s add some technical depth from the official documentation.

ClamAV ships its signatures in a few database files:

  • main.cvd (the large, rarely changing base set)

  • daily.cvd (the frequently updated set)

  • bytecode.cvd (compiled bytecode signatures)

The file formats you will meet in /var/lib/clamav are:

  • CVD (ClamAV Virus Database): compressed and digitally signed, as downloaded

  • CLD: the uncompressed form freshclam writes after applying incremental (CDIFF) updates

  • Plain-text custom signature files, one type per extension

The signature types inside them include hash signatures (.hdb for MD5 and .hsb for SHA-1/SHA-256 of whole files, .mdb for PE section hashes), body-based hex patterns (.ndb), logical signatures that combine several patterns (.ldb), bytecode signatures (.cbc), and allowlist entries for false positives (.fp).


Creating Your Own Custom Signatures

ClamAV allows you to create your own signature database. Useful when you detect a malicious internal file, you want to block a known unwanted binary, or you are running a SOC lab.


Step 1: Generate Hash of File

sigtool --md5 infected_file.exe

Output (the .hdb line format is MD5:size:name; sigtool fills the name field with the file name, so edit it to a meaningful detection name before using it):

44d88612fea8a8f36de82e1278abb02f:68:infected_file.exe

Step 2: Create Custom Database File

/var/lib/clamav/local.hdb

Paste the hash entry inside, one signature per line. The file must be readable by the clamav user, since that is who the daemon runs as.


Step 3: Reload Database

sudo systemctl restart clamav-daemon

Now ClamAV will detect that file everywhere. clamscan picks the new file up on its next run because it loads every database in /var/lib/clamav; the daemon only needs a reload (clamdscan --reload, or the restart above) to see it.
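The hash on the page is a familiar one: 44d88612fea8a8f36de82e1278abb02f is the MD5 of the 68-byte EICAR test string, which makes it a handy, harmless way to prove your custom database works end to end. The script below is an added example written for this guide, not ClamAV’s own tooling. It builds the same MD5:size:name line sigtool produces using only md5sum and wc, writes it to a local.hdb, and verifies the match with clamscan -d, which loads only that one database so a hit can only come from your signature. The EICAR string is constructed inline; the detection name Lab.Eicar.Test and the path /var/lib/clamav/local.hdb are assumptions.

```shell
#!/bin/sh
# Added example: build and verify a custom .hdb signature (not from the original page).
# Assumptions: detection name Lab.Eicar.Test; system database at /var/lib/clamav/local.hdb.

# hdb_entry FILE NAME -> prints "md5:size:NAME", the .hdb line format
# (identical to what 'sigtool --md5 FILE' prints, with NAME in place of the file name)
hdb_entry() {
    file=$1; name=$2
    md5=$(md5sum < "$file" | cut -d' ' -f1)
    size=$(wc -c < "$file" | tr -d ' ')
    echo "$md5:$size:$name"
}

# write_eicar FILE -> writes the 68-byte EICAR test string, no trailing newline
# (single quotes keep $EICAR and the backslash literal; printf '%s' adds nothing)
write_eicar() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$1"
}

# install_signature ENTRY -> appends ENTRY to the system local.hdb once,
# fixes ownership so the daemon can read it, and asks the daemon to reload
install_signature() {
    entry=$1
    db=/var/lib/clamav/local.hdb
    grep -qxF "$entry" "$db" 2>/dev/null || echo "$entry" >> "$db"
    chown clamav:clamav "$db"
    clamdscan --reload 2>/dev/null || systemctl restart clamav-daemon
}

# Stand-alone demo: ./custom-sig.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    write_eicar "$work/sample.bin"
    entry=$(hdb_entry "$work/sample.bin" "Lab.Eicar.Test")
    echo "$entry" > "$work/local.hdb"
    echo "signature: $entry"
    # -d loads only our database, so a FOUND line here proves the custom signature
    clamscan -d "$work/local.hdb" "$work/sample.bin"
fi
```

Run the demo and you should see sample.bin reported as Lab.Eicar.Test.UNOFFICIAL FOUND with an exit status of 1; then call install_signature with the printed entry (as root) to make it live system-wide. Two things to remember before relying on this in an IR setting: an MD5 of the whole file breaks the moment one byte changes, so pair it with a body or logical signature for anything polymorphic, and keep your local.hdb under version control so you know which analyst added which hash and why.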


This is powerful for malware research labs, incident response, and internal policy enforcement (blocking a specific unwanted binary by hash).

Go ahead and test this on your own, share your errors, learnings, or wins in the comments, or ping me if you hit a wall. See you next Thursday; until then, stay calm and try ClamAV!
