Difference between revisions of "ClamAV"

From ArchWiki
m (grammar tweaks)
 
(130 intermediate revisions by 63 users not shown)
Line 1: Line 1:
{{i18n_links_start}}
+
[[Category:Security]]
{{i18n_entry|English|ClamAV}}
+
[[es:ClamAV]]
{{i18n_entry|Español|Cómo instalar y configurar ClamAV Antivirus}}
+
[[fr:CLAMAV]]
{{i18n_links_end}}
+
[[it:ClamAV]]
 +
[[ja:ClamAV]]
 +
[[ko:ClamAV]]
 +
[[pt:ClamAV]]
 +
[[ru:ClamAV]]
 +
[[sr:ClamAV]]
 +
[[zh-hans:ClamAV]]
 +
[https://www.clamav.net Clam AntiVirus] is an open source (GPL) anti-virus toolkit for UNIX.  It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. Because ClamAV's main use is on file/mail servers for Windows desktops, it primarily detects Windows viruses and malware with its built-in signatures.
  
Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX.  It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates.  Because ClamAV's main use is on file/mail servers for Windows desktops it primarily detects Windows viruses and malware.
+
== Installation ==
  
==Installation==
+
[[Install]] the {{Pkg|clamav}} package.
Install with pacman by:
 
# pacman -Sy clamav
 
  
==Configuration==
+
== Updating database ==
To run as a server edit {{Filename|/etc/clamav/clamd.conf}} and {{Filename|/etc/clamav/freshclam.conf}} and comment out the ''Example'' flag.  In {{Filename|/etc/conf.d/clamav}} change the start options from "no" to "yes".
 
  
# change these to "yes" to start
+
Update the virus definitions with:
START_FRESHCLAM="yes"
 
START_CLAMD="yes"
 
  
* To start clamav at boot edit {{Filename|/etc/rc.conf}} and add clamav.
 
 
==Update Database==
 
The daemon needs to be running for the virus update to be updated:
 
# /etc/rc.d/clamav start
 
 
Then update the virus definitions with:
 
 
  # freshclam
 
  # freshclam
  
 
The database files are saved in:
 
The database files are saved in:
 +
 
  /var/lib/clamav/daily.cvd
 
  /var/lib/clamav/daily.cvd
 
  /var/lib/clamav/main.cvd
 
  /var/lib/clamav/main.cvd
 +
/var/lib/clamav/bytecode.cvd
 +
 +
[[Start/enable]] {{ic|clamav-freshclam.service}} so that the virus definitions are kept recent.
 +
 +
== Starting the daemon ==
 +
 +
{{Note|You will need to run {{ic|freshclam}} before starting the service for the first time or you will run into troubles/errors which will prevent ClamAV to start correctly.}}
 +
 +
The service is called {{ic|clamav-daemon.service}}. [[Start]] it and [[enable]] it to start at boot.
 +
 +
== Testing the software ==
 +
 +
In order to make sure ClamAV and the definitions are installed correctly, scan the [https://www.eicar.org/86-0-Intended-use.html EICAR test file] (a harmless signature with no virus code) with clamscan.
 +
 +
$ curl https://www.eicar.org/download/eicar.com.txt | clamscan -
  
==Scan for Viruses==
+
The output '''must''' include:
{{Codeline|clamscan}} can be used to scan certain files, home directory, or an entire system:
+
 
 +
stdin: Eicar-Test-Signature FOUND
 +
 
 +
Otherwise; read the Troubleshooting part or ask for help in the [https://bbs.archlinux.org/ Arch Forums].
 +
 
 +
== Adding more databases/signatures repositories ==
 +
 
 +
ClamAV can use databases/signature from other repositories or security vendors.
 +
 
 +
To add the most important ones in a single step, install {{AUR|clamav-unofficial-sigs}}.
 +
 
 +
This will add signatures/databases from e.g. MalwarePatrol, SecuriteInfo, Yara, Linux Malware Detect, etc. For the full list of databases, [https://github.com/extremeshok/clamav-unofficial-sigs#description see the description of the GitHub repository].
 +
 
 +
=== Set up clamav-unofficial-sigs ===
 +
 
 +
[[Enable]] the {{ic|clamav-unofficial-sigs.timer}}.
 +
 
 +
This will regularly update the unofficial signatures based on the configuration files in the directory {{ic|/etc/clamav-unofficial-sigs}}.
 +
 
 +
To update signatures manually, run the following:
 +
 
 +
# clamav-unofficial-sigs.sh
 +
 
 +
To change any default settings, refer and modify {{ic|/etc/clamav-unofficial-sigs/user.conf}}.
 +
 
 +
{{Note|You still must have the {{ic|clamav-freshclam.service}} [[started]] in order to have official signature updates from ClamAV mirrors.}}
 +
 
 +
==== MalwarePatrol database ====
 +
 
 +
If you would like to use the MalwarePatrol database, sign up for an account at https://www.malwarepatrol.net/.
 +
 
 +
In {{ic|/etc/clamav-unofficial-sigs/user.conf}}, change the following to enable this functionality:
 +
 
 +
malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER" # enter your receipt number here
 +
malwarepatrol_product_code="8" # Use 8 if you have a Free account or 15 if you are a Premium customer.
 +
malwarepatrol_list="clamav_basic" # clamav_basic or clamav_ext
 +
malwarepatrol_free="yes" # Set to yes if you have a Free account or no if you are a Premium customer.
 +
 
 +
Source: https://www.malwarepatrol.net/clamav-configuration-guide/
 +
 
 +
== Scan for viruses ==
 +
 
 +
{{ic|clamscan}} can be used to scan certain files, home directories, or an entire system:
  
 
  $ clamscan myfile
 
  $ clamscan myfile
  $ clamscan -r -i /home
+
  $ clamscan --recursive --infected /home
  $ clamscan -r -i --exclude-dir=^/sys\|^/proc\|^/dev /
+
  $ clamscan --recursive --infected --exclude-dir='^/sys|^/dev' /
 +
 
 +
If you would like {{ic|clamscan}} to remove the infected file add to the command the {{ic|--remove}} option, or you can use {{ic|1=--move=/dir}} to quarantine them.
 +
 
 +
You may also want {{ic|clamscan}} to scan larger files. In this case, append the options {{ic|1=--max-filesize=4000M}} and {{ic|1=--max-scansize=4000M}} to the command. '4000M' is the largest possible value, and may be lowered as necessary.
 +
 
 +
Using the {{ic|1=-l /path/to/file}} option will print the {{ic|clamscan}} logs to a text  file for locating reported infections.
 +
 
 +
== Using the milter ==
 +
 
 +
Milter will scan your sendmail server for email containing virus.
 +
Copy {{ic|/etc/clamav/clamav-milter.conf.sample}} to {{ic|/etc/clamav/clamav-milter.conf}} and adjust it to your needs. For example:
 +
 +
{{hc|/etc/clamav/clamav-milter.conf|2=
 +
MilterSocket /run/clamav/clamav-milter.sock
 +
MilterSocketMode 660
 +
FixStaleSocket yes
 +
User clamav
 +
PidFile /run/clamav/clamav-milter.pid
 +
TemporaryDirectory /tmp
 +
ClamdSocket unix:/var/lib/clamav/clamd.sock
 +
LogSyslog yes
 +
LogInfected Basic
 +
}}
 +
 
 +
Create {{ic|/etc/systemd/system/clamav-milter.service}}:
 +
 
 +
{{hc|/etc/systemd/system/clamav-milter.service|2=
 +
[Unit]
 +
Description='ClamAV Milter'
 +
After=clamav-daemon.service
 +
 
 +
[Service]
 +
Type=forking
 +
ExecStart=/usr/bin/clamav-milter --config-file /etc/clamav/clamav-milter.conf
 +
 
 +
[Install]
 +
WantedBy=multi-user.target
 +
}}
 +
 
 +
[[Enable]] and [[start]] {{ic|clamav-milter.service}}.
 +
 
 +
== OnAccessScan ==
 +
 
 +
On-access scanning requires the kernel to be compiled with the ''fanotify'' kernel module (kernel >= 3.8). Check if ''fanotify'' has been enabled before enabling on-access scanning.
 +
 
 +
$ zgrep FANOTIFY /proc/config.gz
 +
 
 +
On-access scanning will scan the file while reading, writing or executing it.
 +
 
 +
First, edit the {{ic|/etc/clamav/clamd.conf}} configuration file by adding the following to the end of the file (you can also change the individual options):
 +
 
 +
{{hc|/etc/clamav/clamd.conf|
 +
# Enables on-access scan, requires clamav-daemon.service running
 +
ScanOnAccess true
 +
 
 +
# Set the mount point where to recursively perform the scan,
 +
# this could be every path or multiple path (one line for path)
 +
OnAccessMountPath /usr
 +
OnAccessMountPath /home/
 +
OnAccessExcludePath /var/log/
 +
 
 +
# Flag fanotify to block any events on monitored files to perform the scan
 +
OnAccessPrevention false
 +
 
 +
# Perform scans on newly created, moved, or renamed files
 +
OnAccessExtraScanning true
 +
 
 +
# Check the UID from the event of fanotify
 +
OnAccessExcludeUID 0
 +
 
 +
# Specify an action to perform when clamav detects a malicious file
 +
# it is possible to specify an inline command too
 +
VirusEvent /etc/clamav/detected.sh
 +
 
 +
# WARNING: clamd should run as root
 +
User root
 +
}}
 +
 
 +
Next, create the file {{ic|/etc/clamav/detected.sh}} and add the following. This allows you to change/specify the debug message when a virus has been detected by clamd's on-access scanning service:
 +
 
 +
{{hc|/etc/clamav/detected.sh|2=<nowiki>
 +
#!/bin/bash
 +
PATH=/usr/bin
  
If you'd like {{Codeline|clamscan}} to remove the infected file use the {{Codeline|--remove}} option in the command.
+
alert="Signature detected: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME"
 +
 
 +
# Send the alert to systemd logger if exist, othewise to /var/log
 +
if [[ -z $(command -v systemd-cat) ]]; then
 +
echo "$(date) - $alert" >> /var/log/clamav/infected.log
 +
else
 +
# as "emerg", this could cause your DE to show a visual alert. Happen in Plasma. but the next visual alert is much nicer
 +
echo "$alert" | /usr/bin/systemd-cat -t clamav -p emerg
 +
fi
 +
 
 +
#send an alrt to all graphical user
 +
XUSERS=($(who|awk '{print $1$NF}'|sort -u))
 +
 
 +
for XUSER in $XUSERS; do
 +
    NAME=(${XUSER/(/ })
 +
    DISPLAY=${NAME[1]/)/}
 +
    DBUS_ADDRESS=unix:path=/run/user/$(id -u ${NAME[0]})/bus
 +
    echo "run $NAME - $DISPLAY - $DBUS_ADDRESS -" >> /tmp/testlog
 +
    /usr/bin/sudo -u ${NAME[0]} DISPLAY=${DISPLAY} \
 +
                      DBUS_SESSION_BUS_ADDRESS=${DBUS_ADDRESS} \
 +
                      PATH=${PATH} \
 +
                      /usr/bin/notify-send -i dialog-warning "clamAV" "$alert"
 +
done
 +
</nowiki>}}
 +
 
 +
If you are using [[AppArmor]], it is also necessary to allow clamd to run as root:
 +
 
 +
# aa-complain clamd
 +
 
 +
[[Restart]] the {{ic|clamav-daemon.service}}.
 +
 
 +
Source: http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html
 +
 
 +
== Troubleshooting ==
 +
 
 +
=== Error: Clamd was NOT notified ===
  
==Troubleshooting==
 
 
If you get the following messages after running freshclam:
 
If you get the following messages after running freshclam:
WARNING: Clamd was NOT notified: Can't connect to clamd through
 
/var/lib/clamav/clamd.sock connect(): No such file or directory
 
  
Add a sock file for clamav:
+
{{bc|
 +
WARNING: Clamd was NOT notified: Cannot connect to clamd through
 +
/var/lib/clamav/clamd.sock connect(): No such file or directory
 +
}}
 +
 
 +
Add a sock file for ClamAV:
 +
 
 
  # touch /var/lib/clamav/clamd.sock
 
  # touch /var/lib/clamav/clamd.sock
 
  # chown clamav:clamav /var/lib/clamav/clamd.sock
 
  # chown clamav:clamav /var/lib/clamav/clamd.sock
 +
 +
Then, edit {{Ic|/etc/clamav/clamd.conf}} - uncomment this line:
 +
 +
LocalSocket /var/lib/clamav/clamd.sock
 +
 +
Save the file and [[restart]] {{ic|clamav-daemon.service}}.
 +
 +
=== Error: No supported database files found ===
  
 
If you get the next error when starting the daemon:
 
If you get the next error when starting the daemon:
LibClamAV Error: cli_loaddb(): No supported database files found
+
 
in /var/lib/clamav ERROR: Not supported data format
+
{{bc|
 +
LibClamAV Error: cli_loaddb(): No supported database files found
 +
in /var/lib/clamav ERROR: Not supported data format
 +
}}
 
   
 
   
Run freshclam as root:
+
This happens because of mismatch between {{ic|/etc/clamav/freshclam.conf}} setting {{ic|DatabaseDirectory}} and {{ic|/etc/clamav/clamd.conf}} setting {{ic|DatabaseDirectory}}.
  # freshclam -v
+
{{ic|/etc/clamav/freshclam.conf}} pointing to {{ic|/var/lib/clamav}}, but {{ic|/etc/clamav/clamd.conf}} (default directory) pointing to {{ic|/usr/share/clamav}}, or other directory. Edit in {{ic|/etc/clamav/clamd.conf}} and replace with the same DatabaseDirectory like in {{ic|/etc/clamav/freshclam.conf}}. After that clamav will start up successfully.
 +
 
 +
=== Error: Can't create temporary directory ===
 +
 
 +
If you get the following error, along with a 'HINT' containing a UID and a GID number:
 +
 
 +
# can't create temporary directory
 +
 
 +
Correct permissions:
 +
 
 +
# chown UID:GID /var/lib/clamav & chmod 755 /var/lib/clamav
 +
 
 +
== Tips and tricks ==
 +
 
 +
=== Run in multiple threads ===
 +
 
 +
When scanning a file or directory from command line using either {{ic|clamscan}} or {{ic|clamdscan}}, only single CPU thread is used to scan the files one-by-one. This may be ok in cases when you don't want your computer to become sluggish while the scan is going on, but if you want to scan a large folder or a USB drive quickly, you may want to use all available CPUs to speed up the process.
 +
 
 +
{{ic|clamscan}} is designed to be single-threaded, so you'd need to use something like {{ic|xargs}} to run the scan in parallel:
 +
 
 +
$ find /home/archie -type f -print | xargs -P 2 clamscan
 +
 
 +
In this example the {{ic|-P}} parameter for {{ic|xargs}} runs {{ic|clamscan}} in up-to 2 processes at the same time. If you have more CPUs available adjust this parameter accordingly. {{ic|--max-lines}} and {{ic|--max-args}} options will allow even finer control of batching the workload across the threads.
 +
 
 +
Use the following version if filenames may contain spaces or other special characters (as USB and ex-Windows drives frequently do):
 +
 
 +
  $ find /home/archie -type f -print0 | xargs -0 -P 2 clamscan
 +
 
 +
{{ic|clamdscan}} uses {{ic|clamd}} daemon to perform scanning. You need to start the {{ic|clamd}} daemon first (see [[#Starting the daemon]]) and then run the following command:
 +
 
 +
$ clamdscan --multiscan --fdpass /home/archie
 +
 
 +
Here the {{ic|--multiscan}} parameter enables {{ic|clamd}} to scan the contents of the directory in parallel using available threads. {{ic|--fdpass}} parameter is required to pass the file descriptor permissions to {{ic|clamd}} as the daemon is running under {{ic|clamav}} user and group.
 +
 
 +
The number of available threads for {{ic|clamdscan}} is determined in {{ic|/etc/clamav/clamd.conf}} via {{ic|MaxThreads}} parameter {{man|5|clamd.conf}}. Even though you may see that the number of {{ic|MaxThreads}} specified is more than one (current default is 10), when you start the scan using {{ic|clamdscan}} from command line and do not specify {{ic|--multiscan}} option, only one effective CPU thread will be used for scanning.
 +
 
 +
== See also ==
 +
 
 +
* [[Wikipedia:ClamAV]]
 +
* [[ClamSMTP]]
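
Review bot: In the added /etc/clamav/detected.sh, the loop `for XUSER in $XUSERS` expands only the first element of the XUSERS array, so at most one logged-in user gets the notification; iterate with "${XUSERS[@]}" instead. The leftover debug line that appends to /tmp/testlog should be dropped as well: the same revision sets `User root` in clamd.conf, so the handler writes as root to a fixed name in a world-writable directory. In the "Can't create temporary directory" fix, `chown UID:GID /var/lib/clamav & chmod 755 /var/lib/clamav` backgrounds chown rather than sequencing the two commands; it should use `&&`.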

Latest revision as of 03:53, 3 September 2018

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates. Because ClamAV's main use is on file/mail servers for Windows desktops, it primarily detects Windows viruses and malware with its built-in signatures.

Installation

Install the clamav package.

Updating database

Update the virus definitions with:

# freshclam

The database files are saved in:

/var/lib/clamav/daily.cvd
/var/lib/clamav/main.cvd
/var/lib/clamav/bytecode.cvd

Start/enable clamav-freshclam.service so that the virus definitions are kept recent.

Starting the daemon

Note: You will need to run freshclam before starting the service for the first time; otherwise you will run into errors that prevent ClamAV from starting correctly.

The service is called clamav-daemon.service. Start it and enable it to start at boot.

Testing the software

In order to make sure ClamAV and the definitions are installed correctly, scan the EICAR test file (a harmless signature with no virus code) with clamscan.

$ curl https://www.eicar.org/download/eicar.com.txt | clamscan -

The output must include:

stdin: Eicar-Test-Signature FOUND

Otherwise, read the Troubleshooting section or ask for help in the Arch Forums.

Adding more databases/signatures repositories

ClamAV can use databases/signatures from other repositories or security vendors.

To add the most important ones in a single step, install clamav-unofficial-sigs (AUR).

This will add signatures/databases from e.g. MalwarePatrol, SecuriteInfo, Yara, Linux Malware Detect, etc. For the full list of databases, see the description of the GitHub repository.

Set up clamav-unofficial-sigs

Enable the clamav-unofficial-sigs.timer.

This will regularly update the unofficial signatures based on the configuration files in the directory /etc/clamav-unofficial-sigs.

To update signatures manually, run the following:

# clamav-unofficial-sigs.sh

To change any default settings, refer to and modify /etc/clamav-unofficial-sigs/user.conf.

Note: You still must have the clamav-freshclam.service started in order to have official signature updates from ClamAV mirrors.

MalwarePatrol database

If you would like to use the MalwarePatrol database, sign up for an account at https://www.malwarepatrol.net/.

In /etc/clamav-unofficial-sigs/user.conf, change the following to enable this functionality:

malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER" # enter your receipt number here
malwarepatrol_product_code="8" # Use 8 if you have a Free account or 15 if you are a Premium customer.
malwarepatrol_list="clamav_basic" # clamav_basic or clamav_ext
malwarepatrol_free="yes" # Set to yes if you have a Free account or no if you are a Premium customer.

Source: https://www.malwarepatrol.net/clamav-configuration-guide/

Scan for viruses

clamscan can be used to scan certain files, home directories, or an entire system:

$ clamscan myfile
$ clamscan --recursive --infected /home
$ clamscan --recursive --infected --exclude-dir='^/sys|^/dev' /

If you would like clamscan to remove infected files, add the --remove option to the command, or use --move=/dir to quarantine them.

You may also want clamscan to scan larger files. In this case, append the options --max-filesize=4000M and --max-scansize=4000M to the command. '4000M' is the largest possible value, and may be lowered as necessary.

Using the -l /path/to/file option writes the clamscan log to a text file, which makes reported infections easier to locate.
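
One way to pull the reported infections out of a log written with -l, as an added example that is not part of the wiki page. The function names and the sample log are constructed for illustration; the parser relies only on the "<path>: <signature> FOUND" line format shown in the EICAR test output above.

```shell
#!/bin/sh
# Added example (not from the wiki page): list infections recorded in a
# clamscan log written with -l /path/to/file.

# Print "signature<TAB>path" for every "<path>: <signature> FOUND" line.
# The split is made at the LAST ": " so that paths which themselves
# contain ": " (common on USB and ex-Windows drives) stay intact.
list_infected() {
    awk '/ FOUND$/ {
        line = substr($0, 1, length($0) - 6)   # drop the trailing " FOUND"
        pos = 0
        while ((i = index(substr(line, pos + 1), ": ")) > 0) pos += i
        if (pos == 0) next                     # no separator: not a result line
        printf "%s\t%s\n", substr(line, pos + 2), substr(line, 1, pos - 1)
    }' "$1"
}

# Number of infected entries in the log.
infected_count() {
    list_infected "$1" | awk 'END { print NR }'
}

# Constructed sample log so the example runs without ClamAV installed.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
stdin: Eicar-Test-Signature FOUND
/home/archie/notes.txt: OK
/mnt/usb/My: files/setup.exe: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
EOF

echo "infected entries: $(infected_count "$sample_log")"
list_infected "$sample_log"
rm -f "$sample_log"
```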

Using the milter

Milter will scan your sendmail server for email containing viruses. Copy /etc/clamav/clamav-milter.conf.sample to /etc/clamav/clamav-milter.conf and adjust it to your needs. For example:

/etc/clamav/clamav-milter.conf
MilterSocket /run/clamav/clamav-milter.sock
MilterSocketMode 660
FixStaleSocket yes
User clamav
PidFile /run/clamav/clamav-milter.pid
TemporaryDirectory /tmp
ClamdSocket unix:/var/lib/clamav/clamd.sock
LogSyslog yes
LogInfected Basic

Create /etc/systemd/system/clamav-milter.service:

/etc/systemd/system/clamav-milter.service
[Unit]
Description='ClamAV Milter'
After=clamav-daemon.service

[Service]
Type=forking
ExecStart=/usr/bin/clamav-milter --config-file /etc/clamav/clamav-milter.conf

[Install]
WantedBy=multi-user.target

Enable and start clamav-milter.service.

OnAccessScan

On-access scanning requires the kernel to be compiled with the fanotify kernel module (kernel >= 3.8). Check if fanotify has been enabled before enabling on-access scanning.

$ zgrep FANOTIFY /proc/config.gz

On-access scanning will scan the file while reading, writing or executing it.

First, edit the /etc/clamav/clamd.conf configuration file by adding the following to the end of the file (you can also change the individual options):

/etc/clamav/clamd.conf
# Enables on-access scan, requires clamav-daemon.service running
ScanOnAccess true

# Set the mount point to scan recursively;
# this can be any path, or several paths (one per line)
OnAccessMountPath /usr
OnAccessMountPath /home/
OnAccessExcludePath /var/log/

# Flag fanotify to block any events on monitored files to perform the scan
OnAccessPrevention false

# Perform scans on newly created, moved, or renamed files
OnAccessExtraScanning true

# Check the UID from the event of fanotify
OnAccessExcludeUID 0

# Specify an action to perform when clamav detects a malicious file
# it is possible to specify an inline command too
VirusEvent /etc/clamav/detected.sh

# WARNING: clamd should run as root
User root

Next, create the file /etc/clamav/detected.sh and add the following. This allows you to change/specify the debug message when a virus has been detected by clamd's on-access scanning service:

/etc/clamav/detected.sh
#!/bin/bash
PATH=/usr/bin

alert="Signature detected: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME"

# Send the alert to the systemd logger if it exists, otherwise to /var/log
if [[ -z $(command -v systemd-cat) ]]; then
	echo "$(date) - $alert" >> /var/log/clamav/infected.log
else
	# as "emerg", this could cause your DE to show a visual alert. This happens in Plasma, but the next visual alert is much nicer
	echo "$alert" | /usr/bin/systemd-cat -t clamav -p emerg
fi

# Send an alert to all graphical users
XUSERS=($(who|awk '{print $1$NF}'|sort -u))

# Iterate over every array element; a bare $XUSERS expands to the first entry only
for XUSER in "${XUSERS[@]}"; do
    NAME=(${XUSER/(/ })
    DISPLAY=${NAME[1]/)/}
    DBUS_ADDRESS=unix:path=/run/user/$(id -u "${NAME[0]}")/bus
    /usr/bin/sudo -u "${NAME[0]}" DISPLAY="${DISPLAY}" \
                       DBUS_SESSION_BUS_ADDRESS="${DBUS_ADDRESS}" \
                       PATH="${PATH}" \
                       /usr/bin/notify-send -i dialog-warning "clamAV" "$alert"
done

If you are using AppArmor, it is also necessary to allow clamd to run as root:

# aa-complain clamd

Restart the clamav-daemon.service.

Source: http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html

Troubleshooting

Error: Clamd was NOT notified

If you get the following messages after running freshclam:

WARNING: Clamd was NOT notified: Cannot connect to clamd through 
/var/lib/clamav/clamd.sock connect(): No such file or directory

Add a sock file for ClamAV:

# touch /var/lib/clamav/clamd.sock
# chown clamav:clamav /var/lib/clamav/clamd.sock

Then, edit /etc/clamav/clamd.conf and uncomment this line:

LocalSocket /var/lib/clamav/clamd.sock

Save the file and restart clamav-daemon.service.

Error: No supported database files found

If you get the following error when starting the daemon:

LibClamAV Error: cli_loaddb(): No supported database files found
in /var/lib/clamav ERROR: Not supported data format

This happens when the DatabaseDirectory setting in /etc/clamav/freshclam.conf does not match the one in /etc/clamav/clamd.conf: /etc/clamav/freshclam.conf points to /var/lib/clamav, but /etc/clamav/clamd.conf (default directory) points to /usr/share/clamav or another directory. Edit /etc/clamav/clamd.conf and set DatabaseDirectory to the same value as in /etc/clamav/freshclam.conf. After that, ClamAV will start up successfully.
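
A quick way to check for this mismatch before restarting the daemon, as an added example that is not part of the wiki page. The function names and the sample configuration files are constructed; taking the last occurrence when the option is set more than once is an assumption of this script.

```shell
#!/bin/sh
# Added example (not from the wiki page): detect a DatabaseDirectory mismatch
# between freshclam.conf and clamd.conf.

# Print the DatabaseDirectory value set in a ClamAV config file (empty if unset).
# Commented-out lines are ignored; a trailing slash is dropped so that
# /var/lib/clamav/ and /var/lib/clamav compare equal.
# Assumption: if the option appears more than once, the last value is used here.
db_dir() {
    awk '$1 == "DatabaseDirectory" { v = $2 }
         END { if (length(v) > 1) sub(/\/+$/, "", v); print v }' "$1" 2>/dev/null
}

# Compare the two files.
# Returns 0 when they agree, 1 on mismatch, 2 when either file leaves the
# option unset (the compiled-in default then applies and must be checked by hand).
check_db_dirs() {
    fresh=$(db_dir "$1")
    clamd=$(db_dir "$2")
    if [ -z "$fresh" ] || [ -z "$clamd" ]; then
        echo "UNSET: freshclam.conf='${fresh:-<default>}' clamd.conf='${clamd:-<default>}'"
        return 2
    fi
    if [ "$fresh" = "$clamd" ]; then
        echo "OK: both files use $fresh"
        return 0
    fi
    echo "MISMATCH: freshclam.conf -> $fresh, clamd.conf -> $clamd"
    return 1
}

# Constructed sample configs so the example runs without ClamAV installed.
# On a real system, pass /etc/clamav/freshclam.conf and /etc/clamav/clamd.conf.
demo_dir=$(mktemp -d)
printf '%s\n' 'DatabaseDirectory /var/lib/clamav' \
    > "$demo_dir/freshclam.conf"
printf '%s\n' '#DatabaseDirectory /var/lib/clamav' \
              'DatabaseDirectory /usr/share/clamav/' \
              'LocalSocket /var/lib/clamav/clamd.sock' \
    > "$demo_dir/clamd.conf"

check_db_dirs "$demo_dir/freshclam.conf" "$demo_dir/clamd.conf" \
    || echo "check returned status $?"
rm -rf "$demo_dir"
```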

Error: Can't create temporary directory

If you get the following error, along with a 'HINT' containing a UID and a GID number:

# can't create temporary directory

Correct permissions:

# chown UID:GID /var/lib/clamav && chmod 755 /var/lib/clamav

Tips and tricks

Run in multiple threads

When scanning a file or directory from the command line using either clamscan or clamdscan, only a single CPU thread is used to scan the files one by one. This may be fine when you do not want your computer to become sluggish while the scan is running, but if you want to scan a large folder or a USB drive quickly, you may want to use all available CPUs to speed up the process.

clamscan is designed to be single-threaded, so you'd need to use something like xargs to run the scan in parallel:

$ find /home/archie -type f -print | xargs -P 2 clamscan

In this example, the -P parameter for xargs runs clamscan in up to 2 processes at the same time. If you have more CPUs available, adjust this parameter accordingly. The --max-lines and --max-args options allow even finer control of batching the workload across the threads.

Use the following version if filenames may contain spaces or other special characters (as USB and ex-Windows drives frequently do):

$ find /home/archie -type f -print0 | xargs -0 -P 2 clamscan

clamdscan uses the clamd daemon to perform scanning. You need to start the clamd daemon first (see #Starting the daemon) and then run the following command:

$ clamdscan --multiscan --fdpass /home/archie

Here, the --multiscan parameter enables clamd to scan the contents of the directory in parallel using available threads. The --fdpass parameter is required to pass the file descriptor permissions to clamd, as the daemon runs under the clamav user and group.

The number of available threads for clamdscan is determined in /etc/clamav/clamd.conf via the MaxThreads parameter (see clamd.conf(5)). Even though the MaxThreads value may be more than one (the current default is 10), when you start the scan using clamdscan from the command line and do not specify the --multiscan option, only one effective CPU thread will be used for scanning.

See also