From ArchWiki
Jump to: navigation, search

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. Because ClamAV's main use is on file/mail servers for Windows desktops it primarily detects Windows viruses and malware.


ClamAV can be installed with package clamav.

Updating database

Update the virus definitions with:

# freshclam

The database files are saved in:


The virus definition updater service is called freshclamd.service. Consider starting it and enabling it to start at boot so that the virus definitions are kept recent.

Starting the daemon

Consider updating the database before starting the service for the first time or you will run into troubles/errors which will prevent ClamAV to start correctly.

The service is called clamd.service. Start it or enable it to start at boot. You will need to run freshclam prior to starting the service.

Testing the software

In order to make sure ClamAV and the definitions are installed correctly, scan the EICAR test file (a harmless signature with no virus code) with clamscan.

$ curl | clamscan -

The output must include:

stdin: Eicar-Test-Signature FOUND

Otherwise; read the Troubleshooting part or ask for help in the Arch Forums.

Adding more databases/signatures repositories

ClamAV can use databases/signature from other repositories or security vendors.

To add the most important ones in a single step install clamav-unofficial-sigsAUR and configure it in /etc/clamav-unofficial-sigs/user.conf.

This will add signatures/databases from e.g. MalwarePatrol, SecuriteInfo, Yara, Linux Malware Detect,...

Scan for viruses

clamscan can be used to scan certain files, home directory, or an entire system:

$ clamscan myfile
$ clamscan --recursive --infected /home # or -r -i
$ clamscan --recursive --infected --exclude-dir='^/sys|^/dev' /

If you would like clamscan to remove the infected file add to the command the --remove option, or you can use --move=/dir to quarantine them.

You may also want clamscan to scan larger files. In this case, append the options --max-filesize=4000M and --max-scansize=4000M to the command. '4000M' is the largest possible value, and may be lowered as necessary.

Using the -l /path/to/file option will print the clamscan logs to a text file for locating reported infections.

Using the milter

Copy /etc/clamav/clamav-milter.conf.sample to /etc/clamav/clamav-milter.conf and adjust it to your needs. For example:

MilterSocket /run/clamav/clamav-milter.sock
MilterSocketMode 660
FixStaleSocket yes
User clamav
PidFile /run/clamav/
TemporaryDirectory /tmp
ClamdSocket unix:/var/lib/clamav/clamd.sock
LogSyslog yes
LogInfected Basic

Create /etc/systemd/system/clamav-milter.service:

Description='ClamAV Milter'

ExecStart=/usr/bin/clamav-milter --config-file /etc/clamav/clamav-milter.conf


Enable and start the service.


On-access scanning require the kernel to be compiled with fanotify (kernel >= 3.8).

On-access scanning will scan the file while reading, writing or executing it.

Is it possibile to enable the OnAccessScan editing the /etc/clamav/clamd.conf:

# Enable son-access scan, required clamd service running
ScanOnAccess true

# Set the mount point where to recursively perform the scan,
# this could be every path or multiple path (one line for path)
OnAccessMountPath /usr
OnAccessMountPath /home/
OnAccessExcludePath /var/log/

# flag fanotify to block any events on monitored files to perform the scan
OnAccessPrevention false

# perform scans on newly created, moved, or renamed files
OnAccessExtraScanning true

# check the UID from the event of fanotify
OnAccessExcludeUID 0

# action to perform when clamav detects a malicious file
# it is possibile to specify ad inline command too
VirusEvent /etc/clamav/detected.zsh

# WARNING: clamd should run as root
User root


#!/usr/bin/env zsh

echo "$(date) - $CLAM_VIRUSEVENT_VIRUSNAME > $CLAM_VIRUSEVENT_FILENAME" >> /var/log/clamav/infected.log

if [[ -z $(command -v notify-send) ]]; then
  echo "$alert" {{!}} wall -n
  notify-send "$alert"

If you are using AppArmor it is necessary to allow clamd to run as root:

# aa-complain clamd

Restart/start the service with systemctl restart clamd.service.



Error: Clamd was NOT notified

If you get the following messages after running freshclam:

WARNING: Clamd was NOT notified: Cannot connect to clamd through 
/var/lib/clamav/clamd.sock connect(): No such file or directory

Add a sock file for ClamAV:

# touch /var/lib/clamav/clamd.sock
# chown clamav:clamav /var/lib/clamav/clamd.sock

Then, edit /etc/clamav/clamd.conf - uncomment this line:

LocalSocket /var/lib/clamav/clamd.sock

Save the file and restart the daemon

Error: No supported database files found

If you get the next error when starting the daemon:

LibClamAV Error: cli_loaddb(): No supported database files found
in /var/lib/clamav ERROR: Not supported data format

This happens because of mismatch between /etc/freshclam.conf setting DatabaseDirectory and /etc/clamd.conf setting DatabaseDirectory. /etc/freshclam.conf pointing to /var/lib/clamav, but /etc/clamd.conf (default directory) pointing to /usr/share/clamav, or other directory. Edit in /etc/clamd.conf and replace with the same DatabaseDirectory like in /etc/freshclam.conf. After that clamav will start up succesfully.

Error: Can't create temporary directory

If you get the following error, along with a 'HINT' containing a UID and a GID number:

# can't create temporary directory

Correct permissions:

# chown UID:GID /var/lib/clamav & chmod 755 /var/lib/clamav